From wk at gnupg.org Fri Jul 1 11:49:25 2005
From: wk at gnupg.org (Werner Koch)
Date: Fri Jul 1 11:46:17 2005
Subject: "--for-your-eyes-only"
In-Reply-To: <20050630113421.GE470@syjon.fantastyka.net> (Janusz A. Urbanowicz's message of "Thu, 30 Jun 2005 13:34:21 +0200")
References: <129A7D8C-15BA-49F6-B1AD-44923A5CA727@mac.com> <20050627043230.GB12582@jabberwocky.com> <42BF8BBF.30704@mac.com> <20050628031826.GA17400@jabberwocky.com> <42C1114C.6070702@mac.com> <20050629085502.GC24772@syjon.fantastyka.net> <87fyv19qm2.fsf@wheatstone.g10code.de> <20050629145439.GF24772@syjon.fantastyka.net> <87acl99j78.fsf@wheatstone.g10code.de> <20050630113421.GE470@syjon.fantastyka.net>
Message-ID: <87hdfe6el6.fsf@wheatstone.g10code.de>

On Thu, 30 Jun 2005 13:34:21 +0200, Janusz A Urbanowicz said:

> Yes, but if the threat model involves TEMPEST, should it also involve
> TEMPEST from optical wavelengths (reflected light)?

It depends on your needs; closing the shutters is one solution against it.

Shalom-Salam,

Werner

From huehn-ml at arcor.de Fri Jul 1 19:06:02 2005
From: huehn-ml at arcor.de (Thomas Hühn)
Date: Fri Jul 1 19:57:38 2005
Subject: OpenPGP card and GnuPG with Fedora Core 4
Message-ID: <42C577FA.5030200@mid.thomas-huehn.de>

Hi

I've installed FC4 on a "test machine" to see whether everything that I'd like to have works with FC4. The smartcard does not, so far. :-(

I have installed the libpcsclite-Package and the cm2020-module-Package from rpm.livna.org, symlinked /usr/lib/libpcsclite.so.0 to /usr/lib/pcsclite.so (that seemed to solve my first problem) and tried gpg --card-status and other card-related commands.

Result:

| gpg: pcsc_connect failed: unknown reader (0x80100009)
| gpg: card reader not available
| *** glibc detected *** gpg: corrupted double-linked list: 0x0023c8b8 ***

and then a backtrace, that I only have on my other computer, not available here right now. If there's need for it, I can provide it later.

pcscd correctly recognizes insertion and removal of the card (and the reader, of course).

And if I set $MALLOC_CHECK_ (documented in http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/release-notes/as-x86/) to "0", the glibc-line and the backtrace disappear.

Any ideas why pcscd finds my reader, but gnupg does not?

Thomas

From DBSMITH at OhioHealth.com Fri Jul 1 21:08:42 2005
From: DBSMITH at OhioHealth.com (DBSMITH@OhioHealth.com)
Date: Fri Jul 1 21:04:20 2005
Subject: automating signing of keys
In-Reply-To:
Message-ID:

I have not seen any responses. But I have an add'l question: after importing, and verifying is it required to sign the new key prior to encrypting?

derek

Derek Smith/Staff/OhioHealth
06/30/2005 05:22 PM
To: gnupg-users@gnupg.org, gnupg-users-bounces@gnupg.org
cc:
Subject: automating signing of keys

gpg users:

I am running gpg 1.2.1 on AIX 5.2

I saw on the archive list ( http://marc.theaimsgroup.com/?t=105352149400003&r=1&w=2) for automating key signing after an expiration of an individual key:

gpg --command-fd 0 --status-fd 2 [...]

but what is the full functional string:

I tried

gpg --options "file" --command-fd 0 --status-fd 2 --sign-key talx

and it returned:

[GNUPG:] GET_LINE sign_uid.expire

I then exited and got a return code of 130 after typing echo $?

please help!

thank you,
derek

Derek B. Smith
OhioHealth IT
UNIX / TSM / EDM Teams
614-566-4145

From sk at intertivity.com Fri Jul 1 23:58:34 2005
From: sk at intertivity.com (Kiefer, Sascha)
Date: Fri Jul 1 23:54:07 2005
Subject: automating signing of keys
In-Reply-To:
Message-ID: <000701c57e88$092aa950$f500a8c0@HOME>

Hi.

Well, I think you have to trust the key somehow by default, or try using the option "--always-trust"

HTH
--sk

> I have not seen any responses. But I have an add'l question:
> after importing, and verifying is it required to sign the new
> key prior to encrypting?

From mus1876 at gmx.info Sun Jul 3 22:54:07 2005
From: mus1876 at gmx.info (mus1876@gmx.info)
Date: Sun Jul 3 22:50:09 2005
Subject: No subject
Message-ID: <24441.1120424047@www12.gmx.net>

Hi list,

I'm using GnuPG 1.4.1 on WinXP Service Pack 2. Whenever I --clearsign a text
message containing some kind of list, dash characters get duplicated. Is
that a feature or bug? See yourself ...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - A dash followed by a space character at the beginning of the line as it
is commonly used in enumerations produces an extra dash.

- -Second test with a dash and no whitespace in between yields the same
result.

- - Third test with a dash and a tab character has the same effect.

 - Fourth test with a space character followed by a dash character.

	- Fith test with a tab character followed by a dash character.

Lastly a dash anywhere inside the text like this one - isn't duplicated.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)

iD8DBQFCyEwoF64dOS3//CwRAp/SAJ9kgz6GyNx/Fzk/aap85N8jWyVHfACfd1a5
xTdO4Ue2fWP3VU2sDvKdhbA=
=FZy1
-----END PGP SIGNATURE-----

From dshaw at jabberwocky.com Sun Jul 3 23:02:43 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun Jul 3 22:59:00 2005
Subject: your mail
In-Reply-To: <24441.1120424047@www12.gmx.net>
References: <24441.1120424047@www12.gmx.net>
Message-ID: <20050703210243.GA5062@jabberwocky.com>

On Sun, Jul 03, 2005 at 10:54:07PM +0200, mus1876@gmx.info wrote:
> Hi list,
>
> I'm using GnuPG 1.4.1 on WinXP Service Pack 2. Whenever I --clearsign a text
> message containing some kind of list, dash characters get duplicated. Is
> that a feature or bug? See yourself ...

Feature. Those dashes are part of the protocol, and are necessary to protect your text from the clearsigning armor header lines.

Note that when you verify the signature, the extra dashes are removed.

David

From linux at codehelp.co.uk Sun Jul 3 23:11:50 2005
From: linux at codehelp.co.uk (Neil Williams)
Date: Sun Jul 3 23:07:24 2005
Subject: Windows artefacts
In-Reply-To: <24441.1120424047@www12.gmx.net>
References: <24441.1120424047@www12.gmx.net>
Message-ID: <200507032211.54532.linux@codehelp.co.uk>

On Sunday 03 July 2005 9:54 pm, mus1876@gmx.info wrote:
> Hi list,
>
> I'm using GnuPG 1.4.1 on WinXP Service Pack 2. Whenever I --clearsign a
> text message containing some kind of list, dash characters get duplicated.
> Is that a feature or bug? See yourself ...
>

Nothing wrong at this end.

- just one
-- that's two
- - two with a space.
----------- 12 together
something and a dash - then something else.

>
> - A dash followed by a space character at the beginning of the line as it
> is commonly used in enumerations produces an extra dash.

As you can see from the quoted output, the dash is NOT duplicated.

> -Second test with a dash and no whitespace in between yields the same
> result.

Only a single dash exists.

> - Third test with a dash and a tab character has the same effect.

Nope.

>  - Fourth test with a space character followed by a dash character.

Just the one -.

> 	- Fith test with a tab character followed by a dash character.

Same.

> Lastly a dash anywhere inside the text like this one - isn't duplicated.

None of them were. This appears to be an artefact at your end.

> gpgkeys: key 17AE1D392DFFFC2C not found on keyserver

BTW. Please send your key 0x2DFFFC2C to subkeys.pgp.net so that people can verify your signature.

--
Neil Williams
=============
http://www.data-freedom.org/
http://www.nosoftwarepatents.com/
http://www.linux.codehelp.co.uk/

From cmauch at gmail.com Mon Jul 4 04:28:50 2005
From: cmauch at gmail.com (Charles Mauch)
Date: Mon Jul 4 05:28:28 2005
Subject: policy url's
Message-ID: <20050704022850.GB20392@localhost.localdomain>

Could someone explain to me the practical differences between --sig-policy-url and --cert-policy-url? The manpage for GnuPG says

[cut]
--set-policy-url string
    Use string as a Policy URL for signatures (rfc2440:5.2.3.19). If you prefix it with an exclamation mark (!), the policy URL packet will be flagged as critical. --sig-policy-url sets a policy url for data signatures. --cert-policy-url sets a policy url for key signatures (certifications). --set-policy-url sets both.

    The same %-expandos used for notation data are available here as well.
[/cut]

I ask because I'm guessing that the --sig-policy points to a document that describes your personal keysigning policies, and --cert-policy would point to the notes that describe the validity and process you went through to validate someone's identity and match it to their fingerprint.

Am I right? Is this just one of many interpretations? When would one need to use the critical flag?

Just curious.

--
Take it easy, [cmauch@taclug.org]
Charles Mauch, FSF Apologist, Debian/Ubuntu/Gentoo user, etc.
Every message PGP or S/MIME signed to verify authenticity.
Many Bothans died to bring you this information.

From samuel at Update.UU.SE Mon Jul 4 09:21:41 2005
From: samuel at Update.UU.SE (Samuel Åslund)
Date: Mon Jul 4 12:48:02 2005
Subject: Dash escape (Was no subject)
In-Reply-To: <24441.1120424047@www12.gmx.net>
References: <24441.1120424047@www12.gmx.net>
Message-ID: <20050704072141.GD22092@Update.UU.SE>

On Sun, Jul 03, 2005 at 10:54:07PM +0200, mus1876@gmx.info wrote:
> Hi list,
>
> I'm using GnuPG 1.4.1 on WinXP Service Pack 2. Whenever I --clearsign a text
> message containing some kind of list, dash characters get duplicated. Is
> that a feature or bug? See yourself ...

As you can see OpenPGP uses lines beginning with dashes to separate parts of the message. To avoid the risk for ambiguity any line beginning with a dash is escaped with a "- " this is removed when the message is verified.

HTH
//Samuel

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - - A dash followed by a space character at the beginning of the line as it
> is commonly used in enumerations produces an extra dash.
>
> - -Second test with a dash and no whitespace in between yields the same
> result.
>
> - - Third test with a dash and a tab character has the same effect.
>
>  - Fourth test with a space character followed by a dash character.
>
> 	- Fith test with a tab character followed by a dash character.
>
> Lastly a dash anywhere inside the text like this one - isn't duplicated.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (MingW32)
>
> iD8DBQFCyEwoF64dOS3//CwRAp/SAJ9kgz6GyNx/Fzk/aap85N8jWyVHfACfd1a5
> xTdO4Ue2fWP3VU2sDvKdhbA=
> =FZy1
> -----END PGP SIGNATURE-----

From sk at intertivity.com Mon Jul 4 17:22:58 2005
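
An added example, not part of the archived messages and not GnuPG's code: the dash-escaping rule described in the clearsign replies above, together with a parser that splits a cleartext-signed message into armor headers, signed text and signature block. No signature is computed or verified; the signature body is a constructed placeholder, and the function names and sample texts are assumptions made for this example.

```python
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# Constructed sample text, modelled on the test lines in the thread.
SAMPLE = "\n".join([
    "- dash and space at line start",
    "-dash with no space",
    " - space before the dash",
    "a dash - in the middle",
])
# Constructed text containing a line that looks like an armor header line.
TRICKY = "\n".join(["line one", BEGIN_SIG, "line three"])


def dash_escape(text):
    """Prefix every line that starts with '-' with '- '."""
    return "\n".join("- " + line if line.startswith("-") else line
                     for line in text.split("\n"))


def dash_unescape(text):
    """Remove the '- ' prefix again. An escaped text has '- ' only on
    lines that dash_escape() touched, so this is an exact inverse."""
    return "\n".join(line[2:] if line.startswith("- ") else line
                     for line in text.split("\n"))


def wrap(cleartext, escape=True, digest="SHA1"):
    """Build the cleartext framing around a text.

    The signature body is a placeholder. In OpenPGP the signature is
    computed over the unescaped text, which is why verification shows
    the original single dashes again.
    """
    body = dash_escape(cleartext) if escape else cleartext
    return "\n".join([
        BEGIN_MSG,
        "Hash: " + digest,
        "",
        body,
        BEGIN_SIG,
        "",
        "PLACEHOLDER-NOT-A-REAL-SIGNATURE",
        END_SIG,
    ])


def split_clearsigned(message):
    """Return (armor_headers, signed_text, signature_lines).

    Raises ValueError on an incomplete frame, or when a line of the
    signed part starts with '-' without being dash-escaped.
    """
    lines = message.split("\n")
    if lines[0] != BEGIN_MSG:
        raise ValueError("missing cleartext signature header")
    try:
        blank = lines.index("", 1)                     # end of armor headers
        sig_start = lines.index(BEGIN_SIG, blank + 1)  # first unescaped marker
        sig_end = lines.index(END_SIG, sig_start + 1)
    except ValueError:
        raise ValueError("incomplete cleartext signature frame") from None
    headers = dict(line.split(": ", 1) for line in lines[1:blank])
    body = lines[blank + 1:sig_start]
    for line in body:
        if line.startswith("-") and not line.startswith("- "):
            raise ValueError("unescaped dash line: %r" % line)
    return headers, dash_unescape("\n".join(body)), lines[sig_start + 1:sig_end]


if __name__ == "__main__":
    print(wrap(SAMPLE))
    print()
    # With escaping, the look-alike line survives as part of the signed text.
    print(repr(split_clearsigned(wrap(TRICKY))[1]))
    # Without escaping, the parser stops at the look-alike line and the
    # signed text is cut short.
    print(repr(split_clearsigned(wrap(TRICKY, escape=False))[1]))
```

Trailing-whitespace handling and line-ending canonicalisation, which also apply to cleartext signatures, are left out of this example.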
From: sk at intertivity.com (Sascha Kiefer)
Date: Mon Jul 4 17:18:47 2005
Subject: Outlook and S/MIME
Message-ID: <42C95452.6000703@intertivity.com>

Hi,

this is a more Outlook S/MIME related question, but maybe somebody has an answer.

I received a S/MIME encrypted message from an external partner. By replying to this message, Outlook keeps the security - means that the response will also be encrypted (if a public key of the receiver is available).

Is it possible to disable this "feature" without navigating through all the menus and without disabling it every time I reply to an encrypted message?

Thanks
--sk

From sk at intertivity.com Mon Jul 4 23:01:19 2005
From: sk at intertivity.com (Kiefer, Sascha)
Date: Mon Jul 4 22:56:50 2005
Subject: Outlook and S/MIME
In-Reply-To: <20050704154712.GB30533@mail.gasops.co.uk>
Message-ID: <000801c580db$8895f7d0$f500a8c0@HOME>

Well, the person does not have a public key in the first place. But Outlook does not know that in advance. After clicking on "Send" an error is raised that the mail cannot be sent encrypted because of the missing public key.

:)

> -----Original Message-----
> From: gnupg-users-bounces@gnupg.org
> [mailto:gnupg-users-bounces@gnupg.org] On Behalf Of Shaun Lipscombe
> Sent: Montag, 4. Juli 2005 17:47
> To: gnupg-users@gnupg.org
> Subject: Re: Outlook and S/MIME
>
>
> * Sascha Kiefer wrote:
>
> > Hi,
> >
> > this is a more Outlook S/MIME related question, but maybe somebody has
> > an answer.
> >
> > I received a S/MIME encrypted message from an external partner. By
> > replying to this message, Outlook keeps the security - means that the
> > response will also be encrypted (if a public key of the receiver is
> > available).
>
> I don't use "Lookout" so I can't really offer any advice,
> but.... a thought did occur to me. Why not just delete that
> person's public key?
>
> Shaun

From messtic at oreka.com Tue Jul 5 14:29:09 2005
From: messtic at oreka.com (Alain Bench)
Date: Tue Jul 5 15:05:35 2005
Subject: UTF-8 support
In-Reply-To: <200507041328.35351.bruno@clisp.org>
References: <23460.1116509668@www39.gmx.net> <25355.1116660061@www56.gmx.net> <20050624155206.GA4380@oreka.com> <200507041328.35351.bruno@clisp.org>
Message-ID: <20050705122909.GA27586@oreka.com>

Hello Bruno,

On Monday, July 4, 2005 at 1:28:35 PM +0200, Bruno Haible wrote:

> Please use the appended patch, which I'll also use in libiconv-1.10.
>| localcharset.c (get_charset_aliases) [WIN32]: Add CP65001 and others.
>| Reported by via Alain Bench .
>| "CP20936" "\0" "GB2312" "\0"
>| "CP38598" "\0" "ISO-8859-8" "\0"
>| "CP51932" "\0" "EUC-JP" "\0"
>| "CP51936" "\0" "GB2312" "\0"
>| "CP51949" "\0" "EUC-KR" "\0"
>| "CP51950" "\0" "EUC-TW" "\0"
>| "CP54936" "\0" "GB18030" "\0"
>| "CP65001" "\0" "UTF-8" "\0";

Much thanks, Bruno! BTW how is a Win32 console app supposed to use libcharset? I mean libcharset uses GetACP() only, getting graphic mode default charset (typically 1252), while console apps use a usually different text mode default charset (typically 850, given by GetConsoleOutputCP()). More complicated yet for apps like GnuPG, usable both directly in console with 850, or thru a graphic frontend interacting in 1252.

GnuPG doesn't use libcharset, but on Win32 uses directly GetConsoleOutputCP(), unless it fails then GetACP(), then canonicalizes names (28591 ==> ISO-8859-1) with the same table as libcharset. There are still cases where forcing charset with --charset option becomes necessary.

I keep the crosspost gnupg-users, because I believe it's not way off-topic, being a continuation of an old January 2005 "current charset guessing" thread.

Bye! Alain.
--
Hotmail users break umlauts for everyone else on a mailing list!
They should stop doing so immediately! ??MSN considered HARMFUL??
PCC CB on MU. ? June 2002

From bruno at clisp.org Mon Jul 4 13:28:35 2005
From: bruno at clisp.org (Bruno Haible)
Date: Tue Jul 5 16:16:28 2005
Subject: UTF-8 support
In-Reply-To: <20050624155206.GA4380@oreka.com>
References: <23460.1116509668@www39.gmx.net> <25355.1116660061@www56.gmx.net> <20050624155206.GA4380@oreka.com>
Message-ID: <200507041328.35351.bruno@clisp.org>

> > when setting utf-8 for cmd.exe, gpg switches back to its default
> > character set. In cmd.exe I do the following to change the codepage:
> > [chcp 65001] Active Codepage: 65001.
> > gpg: conversion from `utf-8' to `CP65001' not available
> > gpg: using character set `iso-8859-1'
>
> The name mapping between 65001 local CP and UTF-8 standard name is
> lacking both in GnuPG util/strgutil.c, and in libiconv-1.9.2
> libcharset/lib/localcharset.c. This lack should be easy to correct.

Regarding localcharset.c, you are right. Please use the appended patch, which I'll also use in libiconv-1.10.

Bruno

-------------- next part --------------
A non-text attachment was scrubbed...
Name: libiconv-patch06
Type: text/x-diff
Size: 13198 bytes
Desc: not available
Url : /pipermail/attachments/20050704/f0e02c55/libiconv-patch06-0001.bin

From hawke at hawkesnest.net Tue Jul 5 22:00:24 2005
From: hawke at hawkesnest.net (Alex Mauer)
Date: Tue Jul 5 21:58:23 2005
Subject: imported smart-card keys
In-Reply-To: <8764vzgefd.fsf__21848.2916862287$1119941455$gmane$org@wheatstone.g10code.de>
References: <8764vzgefd.fsf__21848.2916862287$1119941455$gmane$org@wheatstone.g10code.de>
Message-ID:

Werner Koch wrote:
>>From what I can google, I should be able to (re)generate the stub keys
>>
>>by using 'gpg --card-status'. But, this seems not to work.
>
>
> I need to see what happens; will get back to you later.

Had a chance to look at this yet?

Also, I found some more .. stuff that strikes me as weird.

My Elgamal encryption key expired over the weekend, so I was playing around a bit, trying to decide whether to just utilize the smart card keys I have or generate a new elgamal key. I don't yet fully trust the smart card setup to work the way I want, and don't have a reader everywhere. But I digress.

I encrypted a (test) file to myself, to see which key it would be using by default:

$ gpg -v -e -r hawke@hawkesnest.net foo.txt
gpg: using PGP trust model
gpg: using subkey F40CACBA instead of primary key 51192FF2
...
gpg: RSA/AES256 encrypted for: "F40CACBA Alex L. Mauer (Jabber) "

OK, this makes sense, it's using my smart card key rather than an expired key.

but then when I go to [try to] decrypt it, which I know won't work due to not having the card reader installed:

$ gpg foo.txt.gpg
gpg: card reader not available
gpg: encrypted with RSA key, ID 9150664F

Huh? Yeah, it's encrypted with an RSA key, but from where did it get 9150664f?? It isn't even an RSA key! It is the key that just expired though, which may have some bearing.

This is still on the same machine which displays the weird "imported smart-card keys" problem described in my initial post.

--
Bad - You get pulled over for doing 90 in a school zone and you're drunk off your ass again at three in the afternoon.
Worse - The cop is drunk too, and he's a mean drunk.
FUCK!
- A mean drunk that's actually a swarm of semi-sentient flesh-eating beetles.
OpenPGP key id: 0x51192FF2 @ subkeys.pgp.net

From johnmoore3rd at joimail.com Tue Jul 5 20:31:57 2005
From: johnmoore3rd at joimail.com (John W. Moore III)
Date: Tue Jul 5 22:23:24 2005
Subject: Outlook & S/MIME
In-Reply-To: <200507051022.1dPOjo1XK3Nl3pK0@gideon.mail.atl.earthlink.net>
References: <200507051022.1dPOjo1XK3Nl3pK0@gideon.mail.atl.earthlink.net>
Message-ID: <42CAD21D.3040301@joimail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

When you have composed your email, but before hitting SEND;
click on the little down arrow next to the S/MIME button and
remove the check mark next to Digitally Sign and Digitally
Encrypt. Then hit SEND!

JOHN :)
Timestamp: Tue 05 July 2005, 0231 PM --400 (Eastern Daylight Time)
- --
My Keys Available at: http://home.joimail.com/~johnmoore3rd/
Gossamer Spider Web of Trust: http://www.gswot.org

Encrypted Email is a Courtesy & an Obligation!!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2rc2 (MingW32)
Comment: My Keys: http://home.joimail.com/~johnmoore3rd/
Comment: Gossamer Spider Web of Trust: http://www.gswot.org
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iEYEAREDAAYFAkLK0hcACgkQnCmZhrerneVJNgCgz0nasXZ/AUNvJO43aDmXZR5C
fPoAnROwuBZEAYs5c6JzYEwIg3oyhVBR
=E8kN
-----END PGP SIGNATURE-----

From sk at intertivity.com Tue Jul 5 23:05:58 2005
From: sk at intertivity.com (Kiefer, Sascha)
Date: Tue Jul 5 23:01:36 2005
Subject: Outlook & S/MIME
In-Reply-To: <42CAD21D.3040301@joimail.com>
Message-ID: <005001c581a5$58cc2d10$f500a8c0@HOME>

Well, I thought about a macro or something similar. But thanks anyway!

> -----Original Message-----
> From: gnupg-users-bounces@gnupg.org
> [mailto:gnupg-users-bounces@gnupg.org] On Behalf Of John W. Moore III
> Sent: Dienstag, 5. Juli 2005 20:32
> To: gnupg-users@gnupg.org
> Subject: Re: Outlook & S/MIME
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> When you have composed your email, but before hitting SEND;
> click on the little down arrow next to the S/MIME button and
> remove the check mark next to Digitally Sign and Digitally
> Encrypt. Then hit SEND!
>
> JOHN :)
> Timestamp: Tue 05 July 2005, 0231 PM --400 (Eastern Daylight Time)
> - --
> My Keys Available at: http://home.joimail.com/~johnmoore3rd/
> Gossamer Spider Web of Trust: http://www.gswot.org
>
> Encrypted Email is a Courtesy & an Obligation!!
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2rc2 (MingW32)
> Comment: My Keys: http://home.joimail.com/~johnmoore3rd/
> Comment: Gossamer Spider Web of Trust: http://www.gswot.org
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iEYEAREDAAYFAkLK0hcACgkQnCmZhrerneVJNgCgz0nasXZ/AUNvJO43aDmXZR5C
> fPoAnROwuBZEAYs5c6JzYEwIg3oyhVBR
> =E8kN
> -----END PGP SIGNATURE-----

From sean.sieger at gmail.com Tue Jul 5 23:14:14 2005
From: sean.sieger at gmail.com (Sean Sieger)
Date: Tue Jul 5 23:16:57 2005
Subject: test
Message-ID: <87br5hj6qh.fsf@gmail.com>

please ignore

--
Sean Sieger

From sean.sieger at gmail.com Tue Jul 5 23:30:27 2005
From: sean.sieger at gmail.com (Sean Sieger)
Date: Tue Jul 5 23:28:52 2005
Subject: libpth-dev
Message-ID: <8764vpj5zg.fsf@gmail.com>

Please forgive me and correct me if this is not an appropriate question for this mail list.

Where can I get a current or cvs version of libpth-dev?

--
Sean Sieger

From adam00f at ducksburg.com Wed Jul 6 14:14:04 2005
From: adam00f at ducksburg.com (Adam Funk)
Date: Wed Jul 6 14:09:42 2005
Subject: Relying on gpg exit code 0?
Message-ID: <200507061314.04921.adam00f@ducksburg.com>

Should I be confident about using gpg's return code 0 in a script (run automatically by at or cron) to make encrypted backups? Example:

cd /backup/directory
tar cf user1.tar /home/user1
gpg -er 0x01234567 user1.tar && rm user1.tar

Thanks,
Adam

From hiamal at nic.se Wed Jul 6 15:00:54 2005
From: hiamal at nic.se (Hiamal)
Date: Wed Jul 6 16:01:08 2005
Subject: pgp and gpg
Message-ID: <1120654854.21588.12.camel@kontiki>

I'm a little bit confused about two different messages, one from gnupg 1.4.1(Debian sid) and one from PGPfreeware 6.5.3(Win) for the same e-mail.

gnupg> gpg: BAD signature from "....."

pgp> *** Status: Good Signature from Invalid Key

It doesn't look for me the same but does it mean the same?

Hiamal

From dshaw at jabberwocky.com Wed Jul 6 16:21:23 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed Jul 6 16:17:30 2005
Subject: pgp and gpg
In-Reply-To: <1120654854.21588.12.camel@kontiki>
References: <1120654854.21588.12.camel@kontiki>
Message-ID: <20050706142123.GA14142@jabberwocky.com>

On Wed, Jul 06, 2005 at 03:00:54PM +0200, Hiamal wrote:
> I'm a little bit confused about two different messages, one from gnupg
> 1.4.1(Debian sid) and one from PGPfreeware 6.5.3(Win) for the same
> e-mail.
>
> gnupg> gpg: BAD signature from "....."
>
> pgp> *** Status: Good Signature from Invalid Key
>
>
> It doesn't look for me the same but does it mean the same?

No, they are different. In the first case, the signature did not verify. In the second case, it did. I'd need a lot more information (if possible, a copy of the message) to say why.

David

From sbt at megacceso.com Wed Jul 6 17:35:52 2005
From: sbt at megacceso.com (Sergi Blanch i Torné)
Date: Wed Jul 6 18:31:58 2005
Subject: Relying on gpg exit code 0?
In-Reply-To: <200507061314.04921.adam00f@ducksburg.com>
References: <200507061314.04921.adam00f@ducksburg.com>
Message-ID: <42CBFA58.8090703@megacceso.com>

Hi,

Could be better:

tar cf - /home/user1/* | gpg -er 0x01234567 - > /backup/directory/user1.tar.gpg

And in $? you should have the return code. isn't it?

/Sergi.

Adam Funk wrote:
> Should I be confident about using gpg's return code 0 in a script (run
> automatically by at or cron) to make encrypted backups? Example:
>
> cd /backup/directory
> tar cf user1.tar /home/user1
> gpg -er 0x01234567 user1.tar && rm user1.tar
>
> Thanks,
> Adam

From shavital at mac.com Wed Jul 6 19:21:04 2005
From: shavital at mac.com (Charly Avital)
Date: Wed Jul 6 19:16:48 2005
Subject: pgp and gpg
In-Reply-To: <1120654854.21588.12.camel@kontiki>
References: <1120654854.21588.12.camel@kontiki>
Message-ID: <42CC1300.4020708@mac.com>

Hiamal wrote the following on 7/6/05 9:00 AM:
> I'm a little bit confused about two different messages, one from gnupg
> 1.4.1(Debian sid) and one from PGPfreeware 6.5.3(Win) for the same
> e-mail.
>
> gnupg> gpg: BAD signature from "....."
>
> pgp> *** Status: Good Signature from Invalid Key
>
>
> It doesn't look for me the same but does it mean the same?

It is not the same and it does not mean the same.

For the same e-mail, gnupg indicates that the signature is bad, e.g. it does not verify (the reason is not specified), whereas PGP 6.5.3 indicates that the signature is good (it verifies correctly) but the key used to verify that signature is invalid *in your keyring* because you have not validated that key, either by signing it (even a local non-exportable signature) and/or you have not set a trust value to it.

These kind of conflicting results (one BAD signature, one good signature) can and do happen, the causes can be many, and different, like the encryption software that was used to sign the incoming e-mail, and how the verifying software "reads" the signed message. The e-mail client very often plays an important part in this kind of problem.

I have no experience with Debian sid or with Windows (I am a Mac user), but I have seen this kind of conflict when verifying the same email with two different e-mail clients using different encryption software: e.g. Thunderbird + GnuPG will indicate a BAD signature, whereas Mail.app with GnuPG or with PGP will indicate a good signature.

If you can post to the list how the e-mail was signed (MUA and encryption software) and your own MUA (is it Evolution 2.2.2?), you might get better answers.

Charly

From oskar at rbgi.net Thu Jul 7 00:17:45 2005
From: oskar at rbgi.net (Oskar L.)
Date: Thu Jul 7 00:13:56 2005
Subject: Patenting software in EU remains divisive
Message-ID: <1774.213.169.2.241.1120688265.squirrel@mail.rbgi.net>

http://www.euronews.net/create_html.php?page=detail_europa&lng=1&option=0,europa

Patenting software in EU remains divisive - EP kills directive on harmonising

Using its muscle like never before, the European Parliament has thrown out a controversial bill to harmonise patents on software. This was in the face of a united position of the 25 member states. Such a rejection at only the second reading for the EU legislature was unprecedented.

The assembly was too divided to muster the absolute majority needed to amend the bill; And so the lawmakers decided 648 votes to 14 to kill it.

The European Commission warned that the result would cause fragmentation among 25 competing patenting systems in Europe.

The bill's main handler in parliament, Michel Rocard, said: "The argument which brought about such a broad-based and firm decision to reject was the parliament's wish to send the member states and the Commission a strong signal: don't keep treating parliament in this way."

Advocates for free software had feared the Directive on the Patentability of Computer Implemented Inventions would choke innovation... that this would let big firms patent software that small operators feel should be publicly available.

But both sides drew some comfort from the outcome. A leading policy voice among the main big firms said that at least innovators' intellectual property protection was still in place, which is critical for European competitiveness.

One supporter of free software and small developers said reverting to the current system was better than having to accept a bad bill.

From SeidlS at schneider.com Thu Jul 7 18:29:07 2005
From: SeidlS at schneider.com (SeidlS@schneider.com)
Date: Thu Jul 7 20:17:41 2005
Subject: FTP Issues
Message-ID:

Can you please verify that there are no issues with the FTP Server at gnupg.org. I am trying to download the 1.4.1 code, but am unable to get through. I am unsure if I am being blocked, or if it is an issue with the FTP server. Any help is appreciated.

Also, what is the best version to install on an AIX system? Will 1.4.1 work?

Thanks
Scott Seidl
Electronic Communication Services
seidls@schneider.com
Tel) 920-592-2163

This document, and any attachments therein, contains proprietary and confidential information that may not be disclosed without the prior written permission of Schneider National, Inc. and its subsidiaries. Unauthorized use or misuse of this information and its contents is strictly prohibited. Schneider National, Inc. vigorously protects its rights.

From johanw at vulcan.xs4all.nl Thu Jul 7 23:17:48 2005
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Thu Jul 7 23:14:53 2005
Subject: Security problem with zlib
Message-ID: <200507072117.j67LHnMu002561@vulcan.xs4all.nl>

Hello,

I just read on www.tweakers.net that there was a new security problem with zlib. Patches for several OSes are out and the maintainer has announced an update. Does this problem have any implication for GnuPG, like the previous hole, or is GnuPG safe?

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From eric.tanguy at univ-nantes.fr Thu Jul 7 22:47:58 2005
From: eric.tanguy at univ-nantes.fr (Eric Tanguy)
Date: Thu Jul 7 23:21:46 2005
Subject: gpa problem
Message-ID: <1120769278.2845.9.camel@bureau.maison>

I have gpa 0.7.0 installed on FC4 system. When I try to search a key a window saying connecting to the server hkp://yyy please wait and that's all. I have tried all the available servers and this is always the same. gpa keeps this window as long as I closed gpa.

Any idea ?

Thanks

--
Eric Tanguy | Nantes, France
Key : A4B8368F | Key Server : subkeys.pgp.net
Fedora Core release 4 (Stentz) sur athlon kernel 2.6.12-1.1387_FC4

From shavital at mac.com Thu Jul 7 23:28:13 2005
From: shavital at mac.com (Charly Avital)
Date: Thu Jul 7 23:23:55 2005
Subject: FTP Issues
In-Reply-To:
References:
Message-ID:

On Jul 7, 2005, at 12:29 PM, SeidlS@schneider.com wrote:

>
> Can you please verify that there are no issues with the FTP Server at
> gnupg.org. I am trying to download the 1.4.1 code, but am unable to get
> through. I am unsure if I am being blocked, or if it is an issue with the
> FTP server. Any help is appreciated.

Please try the mirrors:

>
> Also, what is the best version to install on an AIX system? Will 1.4.1
> work?

Sorry, I'm a Mac user.

Charly

>
>
>
> Thanks
> Scott Seidl
> Electronic Communication Services
> seidls@schneider.com
> Tel) 920-592-2163
>

From dshaw at jabberwocky.com Thu Jul 7 23:35:12 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Jul 7 23:31:16 2005
Subject: Security problem with zlib
In-Reply-To: <200507072117.j67LHnMu002561@vulcan.xs4all.nl>
References: <200507072117.j67LHnMu002561@vulcan.xs4all.nl>
Message-ID: <20050707213512.GB19854@jabberwocky.com>

On Thu, Jul 07, 2005 at 11:17:48PM +0200, Johan Wevers wrote:
> Hello,
>
> I just read on www.tweakers.net that there was a new security problem
> with zlib. Patches for several OSes are out and the maintainer has
> announced an update. Does this problem have any implication for GnuPG,
> like the previous hole, or is GnuPG safe?

Yes and no.

If you compile GnuPG on a system that has no zlib (or build with --with-included-zlib), the zlib that is included with the GnuPG distribution is used. This zlib is NOT vulnerable to the recent problem.

If you compile GnuPG on a system that has a zlib, the system zlib is used. Your system zlib may or may not be vulnerable to the recent problem. If your system zlib is vulnerable, then I strongly recommend that you upgrade :)

David

From dshaw at jabberwocky.com Thu Jul 7 23:36:19 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Jul 7 23:32:21 2005
Subject: FTP Issues
Message-ID: <20050707213618.GC19854@jabberwocky.com>

> Also, what is the best version to install on an AIX system? Will
> 1.4.1 work?

It should, yes.

David

From cmauch at taclug.org Fri Jul 8 03:25:51 2005
From: cmauch at taclug.org (Charles Mauch)
Date: Fri Jul 8 03:55:31 2005
Subject: set-policy-url
Message-ID: <20050708012551.GA9615@redbox.lan.nerdhurd.com>

I was browsing through the gnupg manual the other day and was wondering
about what (if any) conventions are in use for the --sig-policy-url and
--cert-policy-url options.

From what I guess, --cert-policy-url should point to a textfile on a website
describing any details you noted when signing someone's key, for example at
a keysigning and the types of id presented, etc.

--sig-policy-url is where I'm a little unsure. Is this meant
to point to a url with the detached signature of the note listed in
--cert-policy-url? I'm thinking that if I chose to use this, my signing
commandline would change to look something like:

gpg --cert-policy-url http://website/PGPLONGID \
    --sig-policy-url http://website/PGPLONGID.sig --sign-key KEYID

Or does --sig-policy-url point to a document (probably html) which describes your procedure for keysignings, how you assign trust, etc?

Just trying to make sure I understand these options...

Thanks...

--
Take it easy, [cmauch@taclug.org]
Charles Mauch, FSF Apologist, Debian/Ubuntu/Gentoo user, etc.
Every message PGP or S/MIME signed to verify authenticity.

If PacMan had affected us as kids we'd be running around in dark rooms, munching pills and listening to electronic music.

From dshaw at jabberwocky.com Fri Jul 8 05:32:44 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri Jul 8 05:29:04 2005
Subject: set-policy-url
In-Reply-To: <20050708012551.GA9615@redbox.lan.nerdhurd.com>
References: <20050708012551.GA9615@redbox.lan.nerdhurd.com>
Message-ID: <20050708033244.GA20805@jabberwocky.com>

On Thu, Jul 07, 2005 at 06:25:51PM -0700, Charles Mauch wrote:
> I was browsing through the gnupg manual the other day and was wondering
> about what (if any) conventions are in use for the --sig-policy-url and
> --cert-policy-url options.
>
> From what I guess, --cert-policy-url should point to a textfile on a website
> describing any details you noted when signing someone's key, for example at
> a keysigning and the types of id presented, etc.
>
> --sig-policy-url is where I'm a little unsure. Is this meant
> to point to a url with the detached signature of the note listed in
> --cert-policy-url?

No. They both mean the same thing. The only difference is that --sig-policy-url is used when signing a file (i.e. --sign), and --cert-policy-url is used when signing a key (i.e. --sign-key).

David

From johanw at vulcan.xs4all.nl Fri Jul 8 09:44:32 2005
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Fri Jul 8 12:08:17 2005
Subject: Security problem with zlib
In-Reply-To: <20050707213512.GB19854@jabberwocky.com>
Message-ID: <200507080744.j687iWdW005085@vulcan.xs4all.nl>

David Shaw wrote:

>If you compile GnuPG on a system that has a zlib, the system zlib is
>used. Your system zlib may or may not be vulnerable to the recent
>problem. If your system zlib is vulnerable, then I strongly recommend
>that you upgrade :)

OK, so I assume GnuPG is exploitable with this bug. I assume it is only
vulnerable when deliberately corrupt data is fed into it, like with a
buffer overflow (I could not determine if the bug is a buffer overflow,
although the description suggested it)?

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From dshaw at jabberwocky.com Sat Jul 9 04:23:51 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat Jul 9 04:20:08 2005
Subject: Security problem with zlib
In-Reply-To: <200507080744.j687iWdW005085@vulcan.xs4all.nl>
References: <20050707213512.GB19854@jabberwocky.com> <200507080744.j687iWdW005085@vulcan.xs4all.nl>
Message-ID: <20050709022351.GA24250@jabberwocky.com>

On Fri, Jul 08, 2005 at 09:44:32AM +0200, Johan Wevers wrote:
> David Shaw wrote:
>
> >If you compile GnuPG on a system that has a zlib, the system zlib is
> >used. Your system zlib may or may not be vulnerable to the recent
> >problem. If your system zlib is vulnerable, then I strongly recommend
> >that you upgrade :)
>
> OK, so I assume GnuPG is exploitable with this bug. I assume it is only
> vulnerable when deliberately corrupt data is fed into it, like with a
> buffer overflow (I could not determine if the bug is a buffer overflow,
> although the description suggested it)?

Basically, yes. It's unclear if the bug is exploitable beyond crashing the process that is using zlib, but the crash is certainly possible.

Oddly, I haven't seen any mention of this on the zlib main web site - just on bugtraq and the CVE site.

David

From eric.tanguy at univ-nantes.fr Sat Jul 9 13:59:16 2005
From: eric.tanguy at univ-nantes.fr (Eric Tanguy)
Date: Sat Jul 9 14:34:36 2005
Subject: gpa problem
Message-ID: <1120910356.2822.9.camel@bureau.maison>

I retry to send it because I received no answer :

I have gpa 0.7.0 installed on FC4 system. When I try to search a key a
window saying connecting to the server hkp://yyy please wait and that's
all. I have tried all the available servers and this is always the same.
gpa keeps this window as long as I closed gpa. Any idea ?
Thanks
--
Eric Tanguy | Nantes, France
Key : A4B8368F | Key Server : subkeys.pgp.net
Fedora Core release 4 (Stentz) on athlon kernel 2.6.12-1.1387_FC4

From henkdebruijn at wanadoo.nl Sun Jul 10 09:15:45 2005
From: henkdebruijn at wanadoo.nl (Henk M. de Bruijn)
Date: Sun Jul 10 09:11:21 2005
Subject: CRC error encrypted_mdc packet with unkown version 255
Message-ID: <981855454.20050710091545@wanadoo.nl>

Hi all,

Next to Windows XP I am using GnuPG 1.4.2rc2 and GPGshell 3.44. After trying to encrypt a message containing a signed key, I am getting this message, does anybody know what it means?

gpg: CRC error; 4BF535 - 4F6694
gpg: encrypted_mdc packet with unknown version 255

TIA
--
Henk M. de Bruijn
______________________________________________________________________
The Bat! Natural E-Mail System version 3.51 Pro on Windows XP SP2
Request-PGP: http://www.biglumber.com/x/web?qs=0x6C9F6CE78C32408B
Gossamer Spider Web of Trust http://www.gswot.org
A progressive and innovative Web of Trust

From gct3 at f2s.com Sun Jul 10 13:22:54 2005
From: gct3 at f2s.com (Graham)
Date: Sun Jul 10 13:54:29 2005
Subject: Revoking Keys
Message-ID: <200507101222.54.606.gct3@f2s.com>

Recently I generated some keypairs with their relevant revocation
certificates, but was not able to save my new keyrings before the PC
crashed :-(

I am therefore dependent on using an old keyring without these new keys
plus the revocation certificates. I am not clear exactly how to revoke
the keys I've generated and now have lost. I've looked up the man
pages and the html howto but they just refer to generating a revocation
certificate and use

revuid

But how do I revoke keys on the keyserver so I can generate new ones?
--
Graham

From shavital at mac.com Sun Jul 10 14:09:56 2005
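GnuPG prints "CRC error" when the CRC-24 checksum line of an ASCII-armored block (RFC 4880, section 6.1) does not match the checksum it computes over the decoded data, typically because the armored text was altered in transit or while being copied. The check is sketched below as an added example that is not part of the original post (see Henk M. de Bruijn's message above for the error itself); the function names and both sample blocks are constructed for this illustration.

```python
"""Verify the CRC-24 line of an ASCII-armored OpenPGP block (RFC 4880, 6.1)."""
import base64
import binascii

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """CRC-24 as specified for OpenPGP armor."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(payload: bytes, kind: str = "MESSAGE") -> str:
    """Armor a payload (used here only to build the constructed samples)."""
    b64 = base64.b64encode(payload).decode("ascii")
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    check = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN PGP {kind}-----", "", *rows,
                      "=" + check, f"-----END PGP {kind}-----"])


def check_armor(text: str):
    """Return (stored_crc, computed_crc, payload) for one armored block.

    Raises ValueError when the block is structurally broken.
    """
    lines = [ln.strip() for ln in text.strip().splitlines()]
    begin = [i for i, ln in enumerate(lines) if ln.startswith("-----BEGIN PGP ")]
    end = [i for i, ln in enumerate(lines) if ln.startswith("-----END PGP ")]
    if not begin or not end or end[0] < begin[0]:
        raise ValueError("missing BEGIN/END armor line")
    body = lines[begin[0] + 1:end[0]]
    # Armor headers ("Version: ...") end at the first blank line.
    if "" not in body:
        raise ValueError("no blank line after the armor headers")
    body = [ln for ln in body[body.index("") + 1:] if ln]
    # The checksum is the last line: "=" followed by 4 base64 characters.
    if not body or not (body[-1].startswith("=") and len(body[-1]) == 5):
        raise ValueError("missing checksum line")
    try:
        stored = int.from_bytes(
            base64.b64decode(body[-1][1:], validate=True), "big")
        payload = base64.b64decode("".join(body[:-1]), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"undecodable base64: {exc}") from None
    return stored, crc24(payload), payload


# Constructed samples: the payload is arbitrary bytes, not a real message.
SAMPLE_OK = armor(bytes(range(48)))
# One character changed in transit, as a mail gateway or copy/paste might do.
SAMPLE_DAMAGED = SAMPLE_OK.replace("AAEC", "BAEC", 1)

if __name__ == "__main__":
    for name, text in (("intact", SAMPLE_OK), ("damaged", SAMPLE_DAMAGED)):
        stored, computed, _ = check_armor(text)
        verdict = "ok" if stored == computed else "CRC mismatch"
        print(f"{name}: stored {stored:06X}, computed {computed:06X}: {verdict}")
```

A mismatch says the data was damaged before gpg parsed it, so any packet-level error reported afterwards is about the damaged bytes, not about the sender's key or message.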
From: shavital at mac.com (Charly Avital)
Date: Sun Jul 10 14:05:40 2005
Subject: Revoking Keys
In-Reply-To: <200507101222.54606.gct3@f2s.com>
References: <200507101222.54606.gct3@f2s.com>
Message-ID: <42D11014.1050706@mac.com>

Upload the revocation certificates to a keyserver. They will be disseminated to other keyservers automatically.

Charly

Graham wrote the following on 7/10/05 7:22 AM:
> Recently I generated some keypairs with their relevant revocation
> certificates, but was not able to save my new keyrings before the PC
> crashed :-(
>
> I am therefore dependent on using an old keyring without these new keys
> plus the revocation certificates. I am not clear exactly how to revoke
> the keys I've generated and now have lost. I've looked up the man
> pages and the html howto but they just refer to generating a revocation
> certificate and use
>
> revuid
>
> But how do I revoke keys on the keyserver so I can generate new ones?

From dshaw at jabberwocky.com Sun Jul 10 15:54:10 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun Jul 10 15:50:21 2005
Subject: Revoking Keys
In-Reply-To: <200507101222.54606.gct3@f2s.com>
References: <200507101222.54606.gct3@f2s.com>
Message-ID: <20050710135410.GC24250@jabberwocky.com>

On Sun, Jul 10, 2005 at 12:22:54PM +0100, Graham wrote:
> Recently I generated some keypairs with their relevant revocation
> certificates, but was not able to save my new keyrings before the PC
> crashed :-(
>
> I am therefore dependent on using an old keyring without these new keys
> plus the revocation certificates. I am not clear exactly how to revoke
> the keys I've generated and now have lost. I've looked up the man
> pages and the html howto but they just refer to generating a revocation
> certificate and use
>
> revuid
>
> But how do I revoke keys on the keyserver so I can generate new ones?

I'm afraid I don't understand exactly what you do and don't have left from your crash. Do you have the secret keys for the keys you want to revoke or not?

David

From mailinglists at bebout.net Sun Jul 10 16:00:37 2005
From: mailinglists at bebout.net (Nicholas E. Bebout)
Date: Sun Jul 10 17:18:03 2005
Subject: Development version warning
Message-ID: <42D12A05.60902@bebout.net>

Is there an option for gpg.conf to disable the "This is a development version, etc...." warning?

From gct3 at f2s.com Sun Jul 10 17:29:23 2005
From: gct3 at f2s.com (Graham)
Date: Sun Jul 10 17:25:35 2005
Subject: Revoking Keys
In-Reply-To: <20050710135410.GC24250@jabberwocky.com>
References: <200507101222.54606.gct3@f2s.com> <20050710135410.GC24250@jabberwocky.com>
Message-ID: <200507101629.23834.gct3@f2s.com>

On Sunday 10 Jul 2005 14:54, David Shaw wrote:

> I'm afraid I don't understand exactly what you do and don't have left
> from your crash. Do you have the secret keys for the keys you want
> to revoke or not?
>
> David

No, that's just the point. I have the revocation certificates, I can get the public keys from keyservers but (obviously) not the secret keys and I didn't have a chance to save them.

Using an old saved keyring I have some old public and secret keys, but not the recently generated ones.

If I can revoke the keys then I can generate new keypairs (and save them this time!)
--
Graham

From linux at codehelp.co.uk Sun Jul 10 17:49:33 2005
From: linux at codehelp.co.uk (Neil Williams)
Date: Sun Jul 10 17:44:53 2005
Subject: Revoking Keys
In-Reply-To: <200507101629.23834.gct3@f2s.com>
References: <200507101222.54606.gct3@f2s.com> <20050710135410.GC24250@jabberwocky.com> <200507101629.23834.gct3@f2s.com>
Message-ID: <200507101649.38388.linux@codehelp.co.uk>

On Sunday 10 July 2005 4:29 pm, Graham wrote:
> On Sunday 10 Jul 2005 14:54, David Shaw wrote:
> > I'm afraid I don't understand exactly what you do and don't have left
> > from your crash. Do you have the secret keys for the keys you want
> > to revoke or not?
> >
> > David
>
> No, that's just the point. I have the revocation certificates, I can
> get the public keys from keyservers

That's all you need.

Import the public keys from keyservers into your local keyring.
Import the revocation certificate into the local keyring.
Send the now revoked key to the keyservers.

The point of a revocation certificate is that you don't need the secret key to revoke the key - that's why the certificate must be kept SAFE!

--
Neil Williams
=============
http://www.data-freedom.org/
http://www.nosoftwarepatents.com/
http://www.linux.codehelp.co.uk/

From dshaw at jabberwocky.com Sun Jul 10 20:27:21 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun Jul 10 20:23:24 2005
Subject: Development version warning
In-Reply-To: <42D12A05.60902@bebout.net>
References: <42D12A05.60902@bebout.net>
Message-ID: <20050710182721.GD24250@jabberwocky.com>

On Sun, Jul 10, 2005 at 09:00:37AM -0500, Nicholas E. Bebout wrote:
> Is there an option for gpg.conf to disable the "This is a development
> version, etc...." warning?

No.

David

From folkert at vanheusden.com Sun Jul 10 20:49:26 2005
From: folkert at vanheusden.com (Folkert van Heusden)
Date: Sun Jul 10 20:44:57 2005
Subject: revokation thing
In-Reply-To: <200507101649.38388.linux@codehelp.co.uk>
References: <200507101222.54606.gct3@f2s.com> <20050710135410.GC24250@jabberwocky.com> <200507101629.23834.gct3@f2s.com> <200507101649.38388.linux@codehelp.co.uk>
Message-ID: <20050710184925.GK30746@vanheusden.com>

Hi,

How do I create such a revocation certificate without revoking my key yet? Could not find it.


Folkert van Heusden

--
Car for sale, see: http://www.vanheusden.com/daihatsu.php
Looking for an IT or Finance job? Mail me about the possibilities.
--------------------------------------------------------------------
UNIX admin? Then give MultiTail (http://vanheusden.com/multitail/)
a try, it brings monitoring logfiles to a different level! See
http://vanheusden.com/multitail/features.html for a feature-list.
--------------------------------------------------------------------
Phone: +31-6-41278122, PGP-key: 1F28D8AE
Get your PGP/GPG key signed at www.biglumber.com!

From dshaw at jabberwocky.com Sun Jul 10 20:57:22 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun Jul 10 20:53:34 2005
Subject: revokation thing
In-Reply-To: <20050710184925.GK30746@vanheusden.com>
References: <200507101222.54606.gct3@f2s.com> <20050710135410.GC24250@jabberwocky.com> <200507101629.23834.gct3@f2s.com> <200507101649.38388.linux@codehelp.co.uk> <20050710184925.GK30746@vanheusden.com>
Message-ID: <20050710185722.GE24250@jabberwocky.com>

On Sun, Jul 10, 2005 at 08:49:26PM +0200, Folkert van Heusden wrote:
> Hi,
>
> How do I create such a revocation certificate without revoking my key
> yet? Could not find it.

gpg --gen-revoke (thekey)

This outputs the revocation certificate. Save it somewhere, and you're done.

David

From gct3 at f2s.com Sun Jul 10 21:06:08 2005
From: gct3 at f2s.com (Graham)
Date: Sun Jul 10 21:02:24 2005
Subject: revokation thing
In-Reply-To: <20050710184925.GK30746@vanheusden.com>
References: <200507101222.54606.gct3@f2s.com> <200507101649.38388.linux@codehelp.co.uk> <20050710184925.GK30746@vanheusden.com>
Message-ID: <200507102006.09060.gct3@f2s.com>

On Sunday 10 Jul 2005 19:49, Folkert van Heusden wrote:
> Hi,
>
> How do I create such a revocation certificate without revoking my key
> yet? Could not find it.
>
>
> Folkert van Heusden

First of all, are you using Windows or Linux, and if Linux, which desktop (KDE, Gnome, etc)?
--
Graham

From wdfears at gmail.com Sun Jul 10 21:09:21 2005
From: wdfears at gmail.com (Bill Fears)
Date: Sun Jul 10 21:05:20 2005
Subject: how do I excrypt a file so that it can be opened with CA PGP
Message-ID:

Gnupg has a fact that refers to PGP compatibility, but does anyone have any experiences they can share?

I used gpg -r --compress-algo 1 --cipher-algo cast5 -e

--
--------------------------------------------------
william fears
williamfears.com
o(-_-)o
--------------------------------------------------

From dshaw at jabberwocky.com Mon Jul 11 04:11:42 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon Jul 11 04:07:53 2005
Subject: how do I excrypt a file so that it can be opened with CA PGP
In-Reply-To:
References:
Message-ID: <20050711021142.GF24250@jabberwocky.com>

On Sun, Jul 10, 2005 at 03:09:21PM -0400, Bill Fears wrote:
> Gnupg has a fact that refers to PGP compatibility, but does anyone
> have any experiences they can share?
>
> I used gpg -r --compress-algo 1 --cipher-algo cast5 -e

There are many different versions of PGP. What you are doing will work with some, but not others. In general, if the version of PGP you are using is even vaguely recent, you don't need any options at all.

David

From jharris at widomaker.com Mon Jul 11 04:51:07 2005
From: jharris at widomaker.com (Jason Harris)
Date: Mon Jul 11 04:46:59 2005
Subject: new (2005-07-10) keyanalyze results (+sigcheck)
Message-ID: <20050711025107.GT356@wilma.widomaker.com>

New keyanalyze results are available at:

http://keyserver.kjsl.com/~jharris/ka/2005-07-10/

Signatures are now being checked using keyanalyze+sigcheck:

http://dtype.org/~aaronl/

Earlier reports are also available, for comparison:

http://keyserver.kjsl.com/~jharris/ka/

Even earlier monthly reports are at:

http://dtype.org/keyanalyze/

SHA-1 hashes and sizes for all the "permanent" files:

--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004

From cstacy at dtpq.com Mon Jul 11 09:58:42 2005
From: cstacy at dtpq.com (Christopher C. Stacy)
Date: Mon Jul 11 11:07:11 2005
Subject: Windows (WinPT etc.)
In-Reply-To: <20041215150024.GC1218@daredevil.joesixpack.net> (message from Timo Schulz on Wed, 15 Dec 2004 16:00:24 +0100)
References: <20D152299AA73D47941BC3A94EDFF5DE04703C@WMRI000166.corp.wmdata.net> <20041215150024.GC1218@daredevil.joesixpack.net>
Message-ID: <200507110758.j6B7wgCT081068@grant.org>

On winpt.sourceforge.net, I find a "Windows Privacy Tools"
aka "WinPT" project; this seems to be the one that Timo maintains.
(That is, it seems to be the "official" WinPT.)
The latest released version is 0.9.11.
There is also 1.0rc2 (2nd release candidate).

On www.gnupg.org, I find what seems to be the official GPG home page.
This includes a link to WinPT, but it points to a third place.

The third place is www.equipmente.de, which is a German web site.
The suggested download is "gnupt-int.exe".
This seems to be the same file as
"gnupt-2.6.2.1_gpg1.4.1-wpt0.9.92-gpgrelay0.959-int.exe"
(although I'm not sure where I found the file under that name).
As best as I can tell, this "gnupt" is a conglomerate package
containing GPG 1.4.1, WinPT 0.9.92, and GPGRelay 0.959.

At some point, I installed WinPT (from SourceForge),
and this gave me a Windows Explorer context menu.
It mostly worked, but there are some bugs that will
crash Windows Explorer. These bugs have been reported
(not very completely) by other people on SourceForge.

However, when I install GnuPT instead,
I do not get any Explorer menu items.
How come the GnuPT version doesn't hack the Explorer menu?
Is that a bug? Is there something else I was supposed
to download to add that functionality?

Hmmm, on the EQUIPMENTE site, I found something called "GPGee"
which provides the Windows Explorer functionality; it seems to work.

Well, that worked. So maybe I'm done.
But I'm still slightly confused about what I've downloaded.

But what's going on here? How does WinPT 0.9.11 relate to 0.9.92
and to 1.0rc2? Why doesn't gnupg.org point to winpt.sourceforge.net?
Am I looking at competing forks of WinPT? Politics?
On the SourceForge page, Fabian Rodriguez says that was
managing the WinPT project, but that he needs a replacement.
And what's EQUIPMENTE? (It's all in German, so I have no idea
what I'm looking at there. I was very brave in downloading!)
How are all these projects related to each other?

Chris

From alphasigmax at gmail.com Mon Jul 11 11:34:22 2005
From: alphasigmax at gmail.com (Alphax)
Date: Mon Jul 11 11:31:48 2005
Subject: Windows (WinPT etc.)
In-Reply-To: <200507110758.j6B7wgCT081068@grant.org>
References: <20D152299AA73D47941BC3A94EDFF5DE04703C@WMRI000166.corp.wmdata.net> <20041215150024.GC1218@daredevil.joesixpack.net> <200507110758.j6B7wgCT081068@grant.org>
Message-ID: <42D23D1E.1000102@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Christopher C. Stacy wrote:
> On winpt.sourceforge.net, I find a "Windows Privacy Tools"
> aka "WinPT" project; this seems to be the one that Timo maintains.
> (That is, it seems to be the "official" WinPT.)
> The latest released version is 0.9.11.
> There is also 1.0rc2 (2nd release candidate).
>

I've got 0.9.92.0 (I don't remember where from). I was under the impression that the sourceforge version was no longer being maintained.

> On www.gnupg.org, I find what seems to be the official GPG home page.
> This includes a link to WinPT, but it points to a third place.
>
> The third place is www.equipmente.de, which is a German web site.
> The suggested download is "gnupt-int.exe".
> This seems to be the same file as
> "gnupt-2.6.2.1_gpg1.4.1-wpt0.9.92-gpgrelay0.959-int.exe"
> (although I'm not sure where I found the file under that name).
> As best as I can tell, this "gnupt" is a conglomerate package
> containing GPG 1.4.1, WinPT 0.9.92, and GPGRelay 0.959.
>

I already had GPG, and wasn't interested in GPGRelay. I wondered where I got that from :)

> At some point, I installed WinPT (from SourceForge),
> and this gave me a Windows Explorer context menu.
> It mostly worked, but there are some bugs that will
> crash Windows Explorer. These bugs have been reported
> (not very completely) by other people on SourceForge.
>

Obviously I didn't get the entire package then...

> However, when I install GnuPT instead,
> I do not get any Explorer menu items.
> How come the GnuPT version doesn't hack the Explorer menu?
> Is that a bug? Is there something else I was supposed
> to download to add that functionality?
>

GnuPT? Huh? Haven't heard of that one...

> Hmmm, on the EQUIPMENTE site, I found something called "GPGee"
> which provides the Windows Explorer functionality; it seems to work.
>
> Well, that worked. So maybe I'm done.
> But I'm still slightly confused about what I've downloaded.
>
> But what's going on here? How does WinPT 0.9.11 relate to 0.9.92
> and to 1.0rc2? Why doesn't gnupg.org point to winpt.sourceforge.net?
> Am I looking at competing forks of WinPT? Politics?
> On the SourceForge page, Fabian Rodriguez says that was
> managing the WinPT project, but that he needs a replacement.
> And what's EQUIPMENTE? (It's all in German, so I have no idea
> what I'm looking at there. I was very brave in downloading!)
> How are all these projects related to each other?
>

I also was confused about this. However, WinPT is extraordinarily slow for me to use - it caches the entire keyring when it loads/anything changes, and with 700 keys it becomes unusable (actually, I gave up when my keyring hit 400).

I would suggest checking out GPGShell from http://www.jumaros.de/rsoft/index.html - it appears to handle things in a reasonable manner, and has reasonable clipboard support.

- --
Alphax
OpenPGP key: 0xF874C613 - http://tinyurl.com/cc9up
http://en.wikipedia.org/wiki/User:Alphax
There are two kinds of people: those who say to God, 'Thy will be done,' and those to whom God says, 'All right, then, have it your way.' - C. S. Lewis
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD4DBQFC0j0e/RxM5Ph0xhMRAx5QAKCIrfp6Rf1wGqZiYqaUA1V/ND41PQCXf6ru
BX73StofUoiF+JUpIBAH0g==
=KcgK
-----END PGP SIGNATURE-----

From twoaday at freakmail.de Mon Jul 11 11:51:57 2005
From: twoaday at freakmail.de (Timo Schulz)
Date: Mon Jul 11 12:47:25 2005
Subject: Windows (WinPT etc.)
In-Reply-To: <42D23D1E.1000102@gmail.com>
References: <20D152299AA73D47941BC3A94EDFF5DE04703C@WMRI000166.corp.wmdata.net> <20041215150024.GC1218@daredevil.joesixpack.net> <200507110758.j6B7wgCT081068@grant.org> <42D23D1E.1000102@gmail.com>
Message-ID: <1121075516.1298.4.camel@colt>

Alphax wrote:

> I've got 0.9.92.0 (I don't remember where from). I was under the
> impression that the sourceforge version was no longer being maintained.

That's right. The sf.net site of WinPT is currently not actively maintained. To download WinPT, please use http://www.winpt.org.

> > How come the GnuPT version doesn't hack the Explorer menu?
> > Is that a bug? Is there something else I was supposed
> > to download to add that functionality?
> >
>
> GnuPT? Huh? Haven't heard of that one...

IMHO GnuPT is just the name of the installer which combines all the GPG relevant applications.

> I also was confused about this. However, WinPT is extraordinarily slow
> for me to use - it caches the entire keyring when it loads/anything
> changes, and with 700 keys it becomes unusable (actually, I gave up when

I actually changed the caching scheme in the current CVS version. The next version (0.9.93) will be much faster with larger keyrings.

Timo

From wk at gnupg.org Tue Jul 12 16:02:17 2005
From: wk at gnupg.org (Werner Koch)
Date: Tue Jul 12 16:01:13 2005
Subject: gpa problem
In-Reply-To: <1120769278.2845.9.camel@bureau.maison> (Eric Tanguy's message of "Thu, 07 Jul 2005 22:47:58 +0200")
References: <1120769278.2845.9.camel@bureau.maison>
Message-ID: <87zmssqg0m.fsf@wheatstone.g10code.de>

On Thu, 07 Jul 2005 22:47:58 +0200, Eric Tanguy said:

> I have gpa 0.7.0 installed on FC4 system. When I try to search a key a
> window saying connecting to the server hkp://yyy please wait and that's
> all. I have tried all the available servers and this is always the same.
> gpa keeps this window as long as I closed gpa. Any idea ?

Try it on the command line

  gpg --keyserver hkp://yyy --search-keys foo

if this works, the problem is in GPA. An strace (with -f) might help here.


Shalom-Salam,

   Werner

From eric.tanguy at univ-nantes.fr Tue Jul 12 18:11:18 2005
From: eric.tanguy at univ-nantes.fr (Eric Tanguy)
Date: Tue Jul 12 18:07:19 2005
Subject: gpa problem
In-Reply-To: <87zmssqg0m.fsf@wheatstone.g10code.de>
References: <1120769278.2845.9.camel@bureau.maison> <87zmssqg0m.fsf@wheatstone.g10code.de>
Message-ID: <1121184679.3039.1.camel@bureau.maison>

On Tuesday 12 July 2005 at 16:02 +0200, Werner Koch wrote:
> On Thu, 07 Jul 2005 22:47:58 +0200, Eric Tanguy said:
>
> > I have gpa 0.7.0 installed on FC4 system. When I try to search a key a
> > window saying connecting to the server hkp://yyy please wait and that's
> > all. I have tried all the available servers and this is always the same.
> > gpa keeps this window as long as I closed gpa. Any idea ?
>
> Try it on the command line
>
> gpg --keyserver hkp://yyy --search-keys foo
>
> if this works, the problem is in GPA. An strace (with -f) might help here.
>
>
> Shalom-Salam,
>
> Werner
>

I tried the command line and it worked fine :

gpg --keyserver hkp://pgp.mit.edu --search-keys 0xA4B8368F
gpg: recherche de « 0xA4B8368F » du serveur hkp pgp.mit.edu
(1) Eric Tanguy
Eric Tanguy
1024 bit DSA key A4B8368F, créé: 2004-06-22
Entrez le(s) nombre(s), S)uivant, ou Q)uitter >

I tried with the same server and same key with gpa without any answer. Find enclosed the strace file.
Thanks a lot.
--
Eric Tanguy | Nantes, France
Key : A4B8368F | Key Server : subkeys.pgp.net
Fedora Core release 4 (Stentz) on athlon kernel 2.6.12-1.1390_FC4

From wespvp at syntegra.com Tue Jul 12 17:31:48 2005
From: wespvp at syntegra.com (Wes)
Date: Tue Jul 12 18:14:11 2005
Subject: Direct LDAP access
In-Reply-To: <87zmssqg0m.fsf@wheatstone.g10code.de>
Message-ID:

I hope this isn't a duplicate question. I can't believe it hasn't come up
before, but I searched the 70MB archive file and found nothing.

I tweaked (contorted?) our LDAP server to respond to PGP/GPG key retrieval
requests. However, it appears that GPG can only access the key server for
the purposes of importing a key into (or exporting from) a key ring. I can
find no way to get GPG to encrypt or decrypt using direct queries to the
directory instead of using a disk file key chain.

We have a requirement to implement a distributed server application where the keys (probably both public and private) are in an LDAP directory. Transferring keychain files around is not an option, both from a firewall perspective and because at any given time each system could have a different keychain. Only the application will have access to the entries in LDAP - users will not have access. Performance will not be a problem.

We need to be able to do encryption and decryption with GPG directly
accessing LDAP to get the keys. Additionally, since the directory is
hierarchical and a given key could occur in multiple subtrees, we need to be
able to specify the searchbase instead of relying on the cn=PGPServerInfo
entry.

Am I overlooking something? Is this possible today? If not, and we developed the code, would it be something that could be integrated into GPG for others to use?

Wes

From dshaw at jabberwocky.com Wed Jul 13 00:23:26 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed Jul 13 00:19:41 2005
Subject: Direct LDAP access
In-Reply-To:
References: <87zmssqg0m.fsf@wheatstone.g10code.de>
Message-ID: <20050712222326.GD31530@jabberwocky.com>

On Tue, Jul 12, 2005 at 10:31:48AM -0500, Wes wrote:
> I hope this isn't a duplicate question. I can't believe it hasn't come up
> before, but I searched the 70MB archive file and found nothing.
>
> I tweaked (contorted?) our LDAP server to respond to PGP/GPG key retrieval
> requests. However, it appears that GPG can only access the key server for
> the purposes of importing a key into (or exporting from) a key ring. I can
> find no way to get GPG to encrypt or decrypt using direct queries to the
> directory instead of using a disk file key chain.

A very easy way to do this is to write your code to "import" the key from the LDAP server into a brand new empty keyring, and then delete it afterwards.

> We need to be able to do encryption and decryption with GPG directly
> accessing LDAP to get the keys. Additionally, since the directory is
> hierarchical and a given key could occur in multiple subtrees, we need to be
> able to specify the searchbase instead of relying on the cn=PGPServerInfo
> entry.

The current LDAP code can specify the base. Use something like

  keyserver-options basedn=whatever-you-like

David

From wespvp at syntegra.com Wed Jul 13 03:31:15 2005
From: wespvp at syntegra.com (Wes)
Date: Wed Jul 13 03:30:57 2005
Subject: Direct LDAP access
In-Reply-To: <20050712222326.GD31530@jabberwocky.com>
Message-ID:

On 7/12/05 5:23 PM, "David Shaw" wrote:

> A very easy way to do this is to write your code to "import" the key
> from the LDAP server into a brand new empty keyring, and then delete
> it afterwards.

Hmm... That seems a bit kludgy, but certainly something to consider. I assume it would require two gpg commands - one to retrieve/import the key and one to do the encryption? I don't think this would help with accessing private keys, though?

> The current LDAP code can specify the base. Use something like
> keyserver-options basedn=whatever-you-like

I didn't see that in the keyserver options. I'll try it out.

Thanks

Wes

From bruno at clisp.org Tue Jul 5 19:50:54 2005
From: bruno at clisp.org (Bruno Haible) Date: Wed Jul 13 10:45:39 2005 Subject: UTF-8 support In-Reply-To: <20050705122909.GA27586@oreka.com> References: <23460.1116509668@www39.gmx.net> <200507041328.35351.bruno@clisp.org> <20050705122909.GA27586@oreka.com> Message-ID: <200507051950.54866.bruno@clisp.org> Alain Bench wrote: > BTW how is a Win32 console app supposed to use libcharset? I mean > libcharset uses GetACP() only, getting graphic mode default charset > (typically 1252), while console apps use a usually different text mode > default charset (typically 850, given by GetConsoleOutputCP()). The application needs to know where it intends to send a certain string of text. As a rule of thumb, when writing to a GUI or to a file, GetACP() is appropriate, and when writing to a console, GetOEMCP() or GetConsoleOutputCP() (I don't know the difference) is appropriate. There will always be cases where this heuristic doesn't work, such as when writing to a pipe whose output ends on the console. If in the application, you are not able to know in advance whether a string will end up in the GUI or on a console, a possible implementation is to work with strings in GetACP() encoding, and recode the output on the fly in your output routines, immediately before calling WriteFile or WriteConsole. > ... on Win32 uses directly GetConsoleOutputCP(), > unless it fails then GetACP(), then canonicalizes names (28591 ==> > ISO-8859-1) with the same table as libcharset. Sounds reasonable. > There are still cases > where forcing charset with --charset option becomes necessary. Such cases will always remain, but one can try to minimize them. Bruno From kernel at pkts.ca Wed Jul 6 02:40:54 2005 
From: kernel at pkts.ca (Penelope Fudd) Date: Wed Jul 13 10:45:44 2005 Subject: How to check fingerprint without importing? Message-ID: <1120610454.28686.19.camel@S010600032d00065e.vc.shawcable.net> Hi.. I've got a pair of closely related problems, and I'm confident that someone with the answer is on this list. === The first problem is: I'm installing rpm files on my snazzy new Fooble-Bar '05 (tm) Linux system, and it complains that I don't have the GPG key installed for a given rpm file, so it can't check the signature. It says I need the GPG key with the fingerprint 'aabbccddeeff'. On this system, there are about three dozen GPG key files that can be loaded into my rpm database, and I'm pretty sure that one of them is the right one, but I don't want to load them all. How do I find which GPG key file is the right one? === The second (hypothetical) problem is: I've just received a GPG key file from an anonymous source, stripped of all plaintext. According to what I've read, I need to import the key file before I can display anything about it, but I really don't want to do that, for fear of 'discovering' a new security exploit. (I'm sure none of us here can say there are no bugs in any given program, owing to the fact that God doesn't use mailing lists AFAIK.) How do I print out details of GPG key files (fingerprints, owner, etc) without importing them? === Thanks! -- Penelope Fudd (A non-subscriber to this mailing list since... the dawn of time!) From gellert at dfn-cert.de Thu Jul 7 14:25:01 2005 
From: gellert at dfn-cert.de (Olaf Gellert) Date: Wed Jul 13 10:45:46 2005 Subject: USB-Token Report published Message-ID: <20050707122501.GA3654@procert.cert.dfn.de> Hi all, FYI: In the last months we did some testing of USB hardware tokens. We tested tokens of different vendors with a whole bunch of operating systems and applications. The report is publicly available, see: http://www.dfn-pca.de/bibliothek/reports/pki-token/ The work was a joint effort of SURFnet and DFN-CERT. Another report about cross certificates and other methods of linking PKIs was published a few weeks ago: http://www.dfn-pca.de/bibliothek/reports/pki-linking/ Cheers, Olaf -- Dipl. Inform. Olaf Gellert (PKI Team), DFN-CERT Services GmbH https://www.dfn-cert.de, +49 40 808077-616 / +49 40 808077-555 (Hotline) PGP RSA/2048, 4403EB31, 47 09 F3 36 7E 9E 3B CE 6A 6B 12 AB F0 D4 B8 CF From rhodes69 at cotse.net Sat Jul 9 04:45:23 2005 
From: rhodes69 at cotse.net (Ronald J. Burk) Date: Wed Jul 13 10:45:48 2005 Subject: Security problem with zlib In-Reply-To: <20050709022351.GA24250@jabberwocky.com> References: <20050707213512.GB19854@jabberwocky.com><200507080744.j687iWdW005085@vulcan.xs4all.nl> <20050709022351.GA24250@jabberwocky.com> Message-ID: > On Fri, Jul 08, 2005 at 09:44:32AM +0200, Johan Wevers wrote: >> David Shaw wrote: >> >> >If you compile GnuPG on a system that has a zlib, the system zlib is >> >used. Your system zlib may or may not be vulnerable to the recent >> >problem. If your system zlib is vulnerable, then I strongly recommend >> >that you upgrade :) >> >> OK, so I assume GnuPG is exploitable with this bug. I assume it is only >> vulnerable when deliberately corrupt data is fed into it, like with a >> buffer overflow (I could not determine if the bug is a buffer overflow, >> although the description suggested it)? > > Basically, yes. It's unclear if the bug is exploitable beyond > crashing the process that is using zlib, but the crash is certainly > possible. > > Oddly, I haven't seen any mention of this on the zlib main web site - > just on bugtraq and the CVE site. > > David Interestingly, Fedora Core4 (And I assume other Linux distros) just rec'd an upgrade patch today for zlib. I guess this is for the bug. From wk at gnupg.org Wed Jul 13 13:26:55 2005 
From: wk at gnupg.org (Werner Koch) Date: Wed Jul 13 13:26:14 2005 Subject: Direct LDAP access In-Reply-To: (wespvp@syntegra.com's message of "Tue, 12 Jul 2005 20:31:15 -0500") References: Message-ID: <87u0iz9cao.fsf@wheatstone.g10code.de> On Tue, 12 Jul 2005 20:31:15 -0500, Wes said: > Hmm... That seems a bit kludgy, but certainly something to consider. I > assume it would require two gpg commands - one to retrieve/import the key > and one to do the encryption? > I don't think this would help with accessing private keys, though? Private keys are - private and thus it is in general dangerous to keep them on an LDAP server. From your problem description I have some doubts that you are going for the correct solution. If you want to talk about this, please feel free to contact me at wk at g10code.com. Shalom-Salam, Werner From wk at gnupg.org Wed Jul 13 13:32:08 2005 From: wk at gnupg.org (Werner Koch) Date: Wed Jul 13 13:31:11 2005 Subject: How to check fingerprint without importing? In-Reply-To: <1120610454.28686.19.camel@S010600032d00065e.vc.shawcable.net> (Penelope Fudd's message of "Tue, 05 Jul 2005 17:40:54 -0700") References: <1120610454.28686.19.camel@S010600032d00065e.vc.shawcable.net> Message-ID: <87ll4b9c1z.fsf@wheatstone.g10code.de> On Tue, 05 Jul 2005 17:40:54 -0700, Penelope Fudd said: > On this system, there are about three dozen GPG key files that can be > loaded into my rpm database, and I'm pretty sure that one of them is the > right one, but I don't want to load them all. Import them all. It doesn't matter because the trust validation won't allow you to use a key which isn't trustworthy enough. > How do I print out details of GPG key files (fingerprints, owner, etc) > without importing them? gpg --with-fingerprint foo.asc Shalom-Salam, Werner From wk at gnupg.org Wed Jul 13 13:34:04 2005 
From: wk at gnupg.org (Werner Koch) Date: Wed Jul 13 13:31:24 2005 Subject: CRC error encrypted_mdc packet with unkown version 255 In-Reply-To: <981855454.20050710091545@wanadoo.nl> (Henk M. de Bruijn's message of "Sun, 10 Jul 2005 09:15:45 +0200") References: <981855454.20050710091545@wanadoo.nl> Message-ID: <87hdez9byr.fsf@wheatstone.g10code.de> On Sun, 10 Jul 2005 09:15:45 +0200, Henk M de Bruijn said: > gpg: CRC error; 4BF535 - 4F6694 The ASCII armor has been garbled somewhere on the transport. Salam-Shalom, Werner From mwlucas at blackhelicopters.org Wed Jul 13 13:31:57 2005 From: mwlucas at blackhelicopters.org (Michael W. Lucas) Date: Wed Jul 13 14:23:42 2005 Subject: How to check fingerprint without importing? In-Reply-To: <1120610454.28686.19.camel@S010600032d00065e.vc.shawcable.net> References: <1120610454.28686.19.camel@S010600032d00065e.vc.shawcable.net> Message-ID: <20050713113157.GA71068@bewilderbeast.blackhelicopters.org> On Tue, Jul 05, 2005 at 05:40:54PM -0700, Penelope Fudd wrote: > The second (hypothetical) problem is: > > I've just received a GPG key file from an anonymous source, stripped > of all plaintext. According to what I've read, I need to import the key > file before I can display anything about it, but I really don't want to > do that, for fear of 'discovering' a new security exploit. (I'm sure > none of us here can say there are no bugs in any given program, owing to > the fact that God doesn't use mailing lists AFAIK.) > > How do I print out details of GPG key files (fingerprints, owner, etc) > without importing them? I usually import questionable stuff into a different $GPGHOME if I'm that concerned. Mind you, there's probably a more elegant way to do this... ==ml -- Michael W. Lucas mwlucas@FreeBSD.org, mwlucas@BlackHelicopters.org http://www.BlackHelicopters.org/~mwlucas/ "The cloak of anonymity protects me from the nuisance of caring." -Non Sequitur From greg at turnstep.com Wed Jul 13 15:45:35 2005 
From: greg at turnstep.com (Greg Sabino Mullane) Date: Wed Jul 13 16:41:36 2005 Subject: How to check fingerprint without importing? In-Reply-To: <1120610454.28686.19.camel@S010600032d00065e.vc.shawcable.net> Message-ID: <741fb2dde285ab4101fcb57406831921@biglumber.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ... > How do I print out details of GPG key files (fingerprints, owner, etc) > without importing them? Check out the --dry-run option as well. - -- Greg Sabino Mullane greg@turnstep.com PGP Key: 0x14964AC8 200507130944 https://www.biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8 -----BEGIN PGP SIGNATURE----- iEYEARECAAYFAkLVGswACgkQvJuQZxSWSsio0ACaA7QpLBev+o7oyqcDP7c2+Cm1 XtMAn2NuOVk2RHxWwzganPgamFWx3FYk =OODg -----END PGP SIGNATURE----- From henkdebruijn at wanadoo.nl Wed Jul 13 19:45:27 2005 
From: henkdebruijn at wanadoo.nl (Henk M. de Bruijn) Date: Wed Jul 13 19:41:01 2005 Subject: CRC error encrypted_mdc packet with unkown version 255 In-Reply-To: <87hdez9byr.fsf@wheatstone.g10code.de> References: <981855454.20050710091545@wanadoo.nl> <87hdez9byr.fsf@wheatstone.g10code.de> Message-ID: <479939560.20050713194527@wanadoo.nl> On Wed, 13 Jul 2005 13:34:04 +0200GMT (13-7-2005, 13:34 +0200, where I live), Werner Koch wrote: > On Sun, 10 Jul 2005 09:15:45 +0200, Henk M de Bruijn said: >> gpg: CRC error; 4BF535 - 4F6694 > The ASCII armor has been garbled somewhere on the transport. I fell back from GnuPG 1.4.2rc2 to 1.4.1 and from GPGshell 3.45 to 3.44 but now I get this error message: gpg: Problem reading source (766 bytes remaining) gpg: handle plaintext failed: file read error gpg: WARNING: encrypted message has been manipulated! Could this have something to do with my MUA the Bat!??? -- Henk M. de Bruijn ______________________________________________________________________ The Bat! Natural E-Mail System version 3.51 Pro on Windows XP SP2 Request-PGP: http://www.biglumber.com/x/web?qs=0x6C9F6CE78C32408B Gossamer Spider Web of Trust http://www.gswot.org A progressive and innovative Web of Trust From hlarons at yahoo.com Wed Jul 13 19:16:03 2005 
From: hlarons at yahoo.com (Harold Hovis) Date: Wed Jul 13 20:12:37 2005 Subject: [ANN] mygpg-0.4: A perl/Curses interface for executing gpg commands Message-ID: <20050713171603.35717.qmail@web32802.mail.mud.yahoo.com> This perl script runs in a text console or xterm. It uses a Curses interface in Q-and-A style to construct a gpg command line for common operations. There is no need to remember the syntax of gpg commands or options. It may be downloaded at: http://www.cpan.org/authors/id/H/HL/HLARONS/mygpg-0.4 The script was developed under perl, v5.8.1 built for i586-linux, and gpg (GnuPG) v1.4.1 Perhaps most readers of this list may not need this simple kind of front end for gpg, but it can be useful for more casual users. Your comments or bug reports are welcome. Howard L. Arons, hlarons@CPAN.org From randomiadgf at fsck.ch Thu Jul 14 12:48:58 2005 From: randomiadgf at fsck.ch (Tobias Roth) Date: Thu Jul 14 13:36:55 2005 Subject: clearsign destroys files Message-ID: <20050714124858.2002e6f8.randomiadgf@fsck.ch> Hi The following command sequence seems to destroy the pdf file: gpg --clearsign -o signed.pdf original.pdf gpg --decrypt -o destroyed.pdf signed.pdf The new file is slightly smaller than the original one, the difference seems to be some differences in linefeed/newline characters. Adding --no-textmode does not make a difference. With --sign instead of clearsign, the original file and the signed/decrypted file match, no breakage occurs. My GnuPG version is 1.4.1, tried on FreeBSD and GNU/Linux. thanks, t. From wk at gnupg.org Thu Jul 14 14:13:29 2005 
From: wk at gnupg.org (Werner Koch) Date: Thu Jul 14 14:11:13 2005 Subject: clearsign destroys files In-Reply-To: <20050714124858.2002e6f8.randomiadgf@fsck.ch> (Tobias Roth's message of "Thu, 14 Jul 2005 12:48:58 +0200") References: <20050714124858.2002e6f8.randomiadgf@fsck.ch> Message-ID: <87hdex60wm.fsf@wheatstone.g10code.de> On Thu, 14 Jul 2005 12:48:58 +0200, Tobias Roth said: > gpg --clearsign -o signed.pdf original.pdf You can't clearsign binary data. Shalom-Salam, Werner From greg at turnstep.com Thu Jul 14 18:57:49 2005 From: greg at turnstep.com (Greg Sabino Mullane) Date: Thu Jul 14 19:40:37 2005 Subject: clearsign destroys files In-Reply-To: <20050714124858.2002e6f8.randomiadgf@fsck.ch> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > gpg --clearsign -o signed.pdf original.pdf > gpg --decrypt -o destroyed.pdf signed.pdf You can't clearsign a binary directly, but you can clearsign a list of binary checksums, if you don't want to create a whole bunch of external files. I typically use both md5 and sha1. For example, here's how I signed the 8.0.3 PostgreSQL distribution: http://www.gtsm.com/postgresql-8.0.3.gpg.txt - -- Greg Sabino Mullane greg@turnstep.com PGP Key: 0x14964AC8 200507141255 https://www.biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8 -----BEGIN PGP SIGNATURE----- iEYEARECAAYFAkLWmVwACgkQvJuQZxSWSsgsNwCg32vjlIs52Oe0s19k3aGTkMXp DDkAn0jv3tqwYFGqriWLB7xvTJB+z5wm =BGRm -----END PGP SIGNATURE----- From messtic at oreka.com Thu Jul 14 21:46:02 2005 
From: messtic at oreka.com (Alain Bench) Date: Thu Jul 14 22:40:44 2005 Subject: UTF-8 support In-Reply-To: <200507051950.54866.bruno@clisp.org> References: <23460.1116509668@www39.gmx.net> <200507041328.35351.bruno@clisp.org> <20050705122909.GA27586@oreka.com> <200507051950.54866.bruno@clisp.org> Message-ID: <20050714194602.GA8508@oreka.com> On Tuesday, July 5, 2005 at 7:50:54 PM +0200, Bruno Haible wrote: > Alain Bench wrote: >> how is a Win32 console app supposed to use libcharset? > The application needs to know where it intends to send a certain > string of text. And this app needs to know which Windows specific Get*CP() to call, then how to canonicalize charset name. So a Win32 console app can't use libcharset, but must more or less duplicate it? There is no text/graph mode hint an app could give to libcharset, to directly obtain the wanted charset? > GetOEMCP() or GetConsoleOutputCP() (I don't know the difference) I seem to understand GetOEMCP() gives fixed system default OEM CP, while GetConsoleOutputCP() gives current console OEM CP. After a user or app has done a "chcp 28591" on a French Windows, GetOEMCP()=850 while GetConsoleOutputCP()=28591. >> [GnuPG] on Win32 uses directly GetConsoleOutputCP(), unless it fails >> then GetACP() I should add that the frontend calling GnuPG, and wanting us to output ANSI text, has the duty to make GetConsoleOutputCP() fail for us returning 0. The Bat!? makes that, I don't know how. Bye! Alain. -- When you want to reply to a mailing list, please avoid doing so with Microsoft Outlook. This lacks necessary references and breaks threads. From oskar at rbgi.net Sat Jul 16 17:56:16 2005 
From: oskar at rbgi.net (Oskar L.) Date: Sat Jul 16 18:41:28 2005 Subject: Filename for digests Message-ID: <3273.213.169.27.161.1121529376.squirrel@mail.rbgi.net> > > Sorry if this is a bit off topic. When you calculate the hashes (sha1) for > > several files, and save them in a single file, then is there any standard > > which states or suggests what this file should be called? > > Not that I know of. The format used by sha1sum is probably the best > suited one. > > > Salam-Shalom, > > Werner Yes, I agree that the standard format is the best one to use, but I was asking about the name of the file, not its format. For example, if I'm going to share a directory with 1000 files, it would be inconvenient to save each file's hash as a separate file, and just add a .sha1 extension (resulting in 2000 files). So therefore I would store all the hashes in one file. But what should this file be called? sha1sums? hashes.sha1? digests.sha1? Is the .sha1 extension important? If there really isn't a standard for this, then if the user doesn't know if hashes are included or not, she or he would have to open all the files which she or he suspects might contain hashes (like readme, info, important etc.), which would be very irritating. Oskar From greg at turnstep.com Sun Jul 17 00:44:52 2005 
From: greg at turnstep.com (Greg Sabino Mullane) Date: Sun Jul 17 00:40:53 2005 Subject: Filename for digests In-Reply-To: <3273.213.169.27.161.1121529376.squirrel@mail.rbgi.net> Message-ID: <9becbfe9ec8442159d366f025906efa1@biglumber.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > Yes, I agree that the standard format is the best one to use, but I was > asking about the name of the file, not its format. For example, if I'm > going to share a directory with 1000 files, it would be inconvenient to > save each file's hash as a separate file, and just add a .sha1 extension > (resulting in 2000 files). So therefore I would store all the hashes in > one file. But what should this file be called? sha1sums? hashes.sha1? > digests.sha1? Is the .sha1 extension important? One pseudo-standard in place is to use uppercase for important meta-files like README and INSTALL. One named "CHECKSUMS" or "CHECKSUMS.sha1" should stand out enough. A signed version could be "CHECKSUMS.asc" or even CHECKSUMS.sha1.asc, etc. - -- Greg Sabino Mullane greg@turnstep.com PGP Key: 0x14964AC8 200507161841 http://biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8 -----BEGIN PGP SIGNATURE----- iD8DBQFC2Y17vJuQZxSWSsgRAlARAJ4rgI4amLy3jfDgPWIWOj33ol0QSACghMTD LgU99YprF5R5+pT/zCnd7SU= =m9Bz -----END PGP SIGNATURE----- From suba_gl at yahoo.co.in Sat Jul 16 21:38:02 2005 From: suba_gl at yahoo.co.in (suba gopalan) Date: Mon Jul 18 11:02:11 2005 Subject: How to install Gnu PG Message-ID: <20050716193802.17537.qmail@web25408.mail.ukl.yahoo.com> Hi: I am completely new to GnuPG. How do I install it? I am finding it hard to tell which one to install. I use Windows XP. From kfitzner at excelcia.org Mon Jul 18 04:58:16 2005 
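The single checksum file discussed in the "Filename for digests" thread, which is also what the "clearsign destroys files" reply suggests clearsigning in place of the binary itself, as an added example (not code from any poster or from GnuPG). The function names and the make/verify dispatch are assumptions; the names CHECKSUMS.sha1 and CHECKSUMS.sha1.asc follow the suggestion in the thread, and the two gpg functions assume a gpg binary and a usable signing key.

```shell
#!/bin/sh
# Added example: one sha1sum-format manifest for a whole directory tree.
# Limitation: file names containing newlines are not supported.

MANIFEST="CHECKSUMS.sha1"

# List every regular file below the current directory, except the manifest,
# its clearsigned copy and the temporary file used while writing it.
list_files() {
    find . -type f ! -name "$MANIFEST" ! -name "$MANIFEST.asc" \
        ! -name ".$MANIFEST.*" -print | LC_ALL=C sort
}

# make_checksums DIR: write DIR/CHECKSUMS.sha1 (one line per file).
make_checksums() {
    dir=$1
    (
        cd "$dir" || exit 1
        tmp=$(mktemp "./.$MANIFEST.XXXXXX") || exit 1
        # Hash into a temporary file first so a failed run never leaves a
        # truncated manifest behind.
        if list_files | while IFS= read -r f; do
               sha1sum "$f" || exit 1
           done > "$tmp"
        then
            mv "$tmp" "$MANIFEST"
        else
            rm -f "$tmp"
            exit 1
        fi
    )
}

# verify_checksums DIR: succeed only if every listed file matches AND the
# directory holds no file that is missing from the manifest.
verify_checksums() {
    dir=$1
    (
        cd "$dir" || exit 1
        [ -f "$MANIFEST" ] || exit 1
        sha1sum -c "$MANIFEST" >/dev/null 2>&1 || exit 1
        # "sha1sum -c" only looks at listed files, so compare the name lists.
        listed=$(sed 's/^[0-9a-f]\{40\} [ *]//' "$MANIFEST" | LC_ALL=C sort)
        present=$(list_files)
        [ "$listed" = "$present" ]
    )
}

# sign_checksums DIR: the manifest is plain text, so clearsigning it is safe
# where clearsigning the binary files themselves is not.
sign_checksums() {
    gpg --clearsign --output "$1/$MANIFEST.asc" "$1/$MANIFEST"
}

# verify_signed DIR: check the signature first, then check the files against
# the text that was actually signed, not against the unsigned copy.
verify_signed() {
    dir=$1
    (
        cd "$dir" || exit 1
        out=$(mktemp) || exit 1
        # gpg exits non-zero on a bad signature.
        if gpg --batch --yes --output "$out" --decrypt "$MANIFEST.asc" 2>/dev/null \
            && sha1sum -c "$out" >/dev/null 2>&1
        then rc=0
        else rc=1
        fi
        rm -f "$out"
        exit "$rc"
    )
}

# Optional command-line use: script make DIR | script verify DIR
case "${1:-}" in
    make)   make_checksums "${2:-.}" ;;
    verify) verify_checksums "${2:-.}" ;;
esac
```

`sha256sum` writes and checks the same line format, so it can replace `sha1sum` here without other changes.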
From: kfitzner at excelcia.org (Kurt Fitzner) Date: Mon Jul 18 19:42:57 2005 Subject: [Announce] GPGee (GnuPG Explorer Extension) version 1.1.1 released Message-ID: <87mzok3b7c.fsf@wheatstone.g10code.de> Hello all, I have released version 1.1.1 of GPGee. This is a minor update to 1.1 to answer a couple user requests. Changes are: - Configuration entry added to set the way encryption Key IDs are displayed for subkeys. Encryption subkeys used to be displayed showing their subkey key ID. Now the default is to display the key ID of the parent key. This brings GPGee in line with most other GnuPG front ends. A configuration entry has been added so that (the very few) people who prefer the old behavior can still have it. - The length of time it takes for the sign/encrypt window to appear has been further reduced for people with very large keyrings. GPGee 1.1.1 installer and source are available from http://gpgee.excelcia.org For those that aren't familiar with GPGee, it is a GnuPG Explorer Extension for Windows. It adds GnuPG sign/encrypt/verify/decrypt support to the Windows explorer right-click context menu. See the web site above for a fuller list of features. Kurt Fitzner [reposted by moderator] From aborda at linuxperu.com Mon Jul 18 20:43:07 2005 From: aborda at linuxperu.com (Alberto Borda) Date: Mon Jul 18 21:54:07 2005 Subject: PGP in windows Message-ID: <42DBF83B.8080904@linuxperu.com> Hello I use GnuPG on my network with Thunderbird and Enigmail. Now, I have to use GPG but with Outlook XP, 2003 :( I have searched for some software on Google. There are some. I am wondering if any of you have installed one? Which one do you recommend? Thank you in advance Alberto From bruno at clisp.org Mon Jul 18 13:43:54 2005 
From: bruno at clisp.org (Bruno Haible) Date: Tue Jul 19 15:01:37 2005 Subject: UTF-8 support In-Reply-To: <20050714194602.GA8508@oreka.com> References: <23460.1116509668@www39.gmx.net> <200507051950.54866.bruno@clisp.org> <20050714194602.GA8508@oreka.com> Message-ID: <200507181343.54200.bruno@clisp.org> Alain Bench wrote: > > GetOEMCP() or GetConsoleOutputCP() (I don't know the difference) > > I seem to understand GetOEMCP() gives fixed system default OEM CP, > while GetConsoleOutputCP() gives current console OEM CP. After a user or > app has done a "chcp 28591" on a French Windows, GetOEMCP()=850 while > GetConsoleOutputCP()=28591. Thanks for explaining. > > The application needs to know where it intends to send a certain > > string of text. > > And this app needs to know which Windows specific Get*CP() to call, > then how to canonicalize charset name. So a Win32 console app can't use > libcharset, but must more or less duplicate it? There is no text/graph > mode hint an app could give to libcharset, to directly obtain the wanted > charset? Yes. I don't want to introduce new API variants for just a single platform (because when you do that, the outcome is something as baroque as the Microsoft .NET API). You have the source code of the locale_charset() function, and it doesn't change very often. It's easy for you to duplicate it, replacing GetACP() with GetConsoleOutputCP(). > >> [GnuPG] on Win32 uses directly GetConsoleOutputCP(), unless it fails > >> then GetACP() > > I should add that the frontend calling GnuPG, and wanting us to > output ANSI text, has the duty to make GetConsoleOutputCP() fail for us > returning 0. The Bat!? makes that, I don't know how. Interesting hack... Bruno From mune72 at tiscali.it Tue Jul 19 13:05:16 2005 
From: mune72 at tiscali.it (Federico Munerotto) Date: Tue Jul 19 15:01:43 2005 Subject: smart card + gpg only root Message-ID: <1121770936.2814.16.camel@lello.munet.org> I received the fsfe fellowship card and I'm trying to use it. I installed gnupg-1.4.1, ccid-0.9.3 and pcsc-lite-1.2.9-beta7. For all of them I did (as root) 'make install'. As root I launch # /usr/local/sbin/pcscd # ./gpg --card-status works but still as *root*. My user is in the group scard but as long as only the root user can have access to the smart card it remains useless. I think it is a trivial permission issue: any help? A workaround would be telling evolution to use sudo gpg instead of gpg, but there isn't a way to do that. -- Fede _________________________________________________________________________ mune (at) fsfe.org Ing. Federico Munerotto home http://www.krl.it/~mune Public key http://www.krl.it/~mune/personal/misc/pk/pk.html http://www.krl.it/~mune/personal/misc/signoraggio/ _________________________________________________________________________ In the stairway of life, you'd best take the elevator. From vedaal at hush.com Tue Jul 19 22:50:55 2005 
From: vedaal at hush.com (vedaal@hush.com) Date: Tue Jul 19 23:40:10 2005 Subject: gnupg keyrings // question / request Message-ID: <200507192050.j6JKovuf024086@mailserver3.hushmail.com> i keep the keyrings on a usb drive, but keep my home directory as the root directory (c:\gnupg) if i connect the drive, and then type 'gpg' this is what happens: C:\>gpg gpg: keyring `c:/gnupg\secring.gpg' created gpg: Go ahead and type your message ... is there a way to tell gnupg that the keyrings are not in the home directory, and to look for them in their alternative location ? e.g. something like: gpg: secring not found in home directory gpg: is there another location? y/n y gpg: go ahead and type location of secring.gpg (right now, i just copy them in and over-write the c:\gnupg\secring.gpg file) (also, tiny really minor point: the gnupg error message for the windows binary should have the '\' not the '/' ) tia, vedaal From vedaal at hush.com Wed Jul 20 07:36:44 2005 
From: vedaal at hush.com (vedaal@hush.com) Date: Wed Jul 20 07:32:20 2005 Subject: gnupg keyrings // question / request Message-ID: <200507200536.j6K5amGd085661@mailserver2.hushmail.com> On Tue, 19 Jul 2005 21:05:05 -0700 Thomas Jones wrote: >Remove the secring.gpg file. Replace it with a shortcut to the >location of your private key that is on your USB drive. > >So now every time the GnuPG engine attempts to access your private >key, it will >be directed to the actual key on the USB medium. this sounded very promising, but i couldn't get it to work ;-(( this is what was tried:(on win xp pro) [1] secring.gpg was erased (eraser 5.7) [2] in the directory c:\gnupg, a shortcut was created to the secring.gpg on the usb drive [3] the shortcut was named secring.gpg [4] windows confirmed that gpg.exe is to be used to open all .gpg files this is what happened: [1] encrypted a test text file to my default key, and saved it as c:\r\t1.txt [2] typed gpg c:\r\t1.txt and here is the gnupg output: c:\gnupg>gpg c:\r\t1.txt gpg: NOTE: THIS IS A DEVELOPMENT VERSION! gpg: It is only intended for test purposes and should NOT be gpg: used in a production environment or with production keys! 
gpg: keyring `C:/GnuPG\secring.gpg' created gpg: armor: BEGIN PGP MESSAGE gpg: armor header: Version: PGP 8.1 gpg: armor header: Comment: Acts of Kindness better the World, and protect the S oul :marker packet: 50 47 50 :pubkey enc packet: version 3, algo 1, keyid ACA163F604ADEE20 data: [4092 bits] gpg: public key is 04ADEE20 :encrypted data packet: length: 582 gpg: using subkey 04ADEE20 instead of primary key 6A589A97 gpg: encrypted with 4096-bit RSA key, ID 04ADEE20, created 2001-04- 26 "vedaal nistar " gpg: decryption failed: secret key not available [3] apparently gnupg did not recognize the shortcut, and proceeded to act as if there were no secring present, and created a nullfile named secring.gpg in the gnupg home directory, but couldn't access the real secring.gpg on the usb drive so, what did you do differently to get it to work on your system? tia, vedaal also, n.b. am not sure if this is a corruption in my registry, from having previous gnupg versions on it, but seem to have a persistent forward slash instead of a backward slash, and only in the first part of the path c:/gnupg so, when i installed 1.4.2rc2, everything worked except for the idea module loading but it was able to load after changing the option in gpg.conf to read: load-extension c:/gnupg\idea.dll no other problems in 1.4.2 rc 2 and Thanks! for fixing the signing issue with rsa keys in pgp ! 1.4.2rc2 now verifies the sigs vedaal From coconut_to_go at hotmail.com Wed Jul 20 07:12:12 2005 
From: coconut_to_go at hotmail.com (coco coco) Date: Wed Jul 20 07:57:16 2005 Subject: can't use the same keyring from linux on windows Message-ID: Hi, I've been using thunderbird on Linux since 0.2 on my laptop, but recently, due to laptop problem, I want to move my mail to use portable thunderbird on a mobile hd. I've already moved my profile from Linux to the portable tb, and it's working fine, except, I can't get enigmail to work correctly. I've copied my pubring and secring into the gpg folder, and the key manager can show all keys correctly, including my key pairs and other people's public keys. Enigmail can figure out my key ID from my email address. But I'm still having problems getting enigmail to work correctly. When I'm trying to send a signed message, I'm getting the following error from the enigmail console: enigmail> G:\PortableThunderbird\gpg\gpg.exe --charset utf8 --batch --no-tty -- status-fd 2 --comment 'Using GnuPG with Thunderbird - http://enigmail.mozdev.org ' -s -b -t -a -u 0xA41D9118undefined gpg: skipped "0xA41D9118undefined": malformed user id gpg: signing failed: malformed user id enigmail.js: Enigmail.encryptMessageEnd: Error in command execution I don't understand why I'm getting this. Is it because my key rings are from Linux, and I'm using it on Windows? Curiously, I can't get gpg to work correctly on the command line either. I try to encrypt a file to myself, and then when I try to decrypt, it's complaining that the secret key is not available. Could anyone give a hint on what that means? The GPG packaged with portable thunderbird is version 1.4.1. Thanks a lot. From mail at mark-kirchner.de Wed Jul 20 07:28:00 2005 
From: mail at mark-kirchner.de (Mark Kirchner)
Date: Wed Jul 20 08:13:04 2005
Subject: gnupg keyrings // question / request
In-Reply-To: <200507192050.j6JKovuf024086@mailserver3.hushmail.com>
References: <200507192050.j6JKovuf024086@mailserver3.hushmail.com>
Message-ID: <1156655913.20050720072800@mark-kirchner.de>

On Tuesday, July 19, 2005, 10:50:55 PM, vedaal wrote:

> i keep the keyrings on a usb drive, but keep my home directory as
> the root directory (c:\gnupg)
>
> if i connect the drive, and then type 'gpg' this is what happens:
>
> C:\>>gpg
> gpg: keyring `c:/gnupg\secring.gpg' created
> gpg: Go ahead and type your message ...
>
> is there a way to tell gnupg that the keyrings are not in the home
> directory, and to look for them in their alternative location ?

Yes, there is, call gpg with these options (or better, put them in
your gpg.conf):
--keyring
--secret-keyring

And then you'll probably want to use this one as well:
--no-default-keyring

Detailed explanations about these options are given in the manpage.

Regards,
Mark Kirchner

-- 
_____________________________________________________________
Key (0x172C073C): http://www.mark-kirchner.de/keys/key-mk.asc

From admin at buddhalinux.com Wed Jul 20 06:05:05 2005
From: admin at buddhalinux.com (Thomas Jones)
Date: Wed Jul 20 10:32:05 2005
Subject: gnupg keyrings // question / request
In-Reply-To: <200507192050.j6JKovuf024086@mailserver3.hushmail.com>
References: <200507192050.j6JKovuf024086@mailserver3.hushmail.com>
Message-ID: <42DDCD71.8000907@buddhalinux.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

vedaal@hush.com wrote:

>i keep the keyrings on a usb drive,
>but keep my home directory as the root directory
>(c:\gnupg)
>
>if i connect the drive,
>and then type 'gpg'
>this is what happens:
>
>C:\>gpg
>gpg: keyring `c:/gnupg\secring.gpg' created
>gpg: Go ahead and type your message ...
>
>
>is there a way to tell gnupg that the keyrings are not in the home
>directory, and to look for them in their alternative location ?
>
>e.g.
>something like:
>
>gpg: secring not found in home directory
>gpg: is there another location? y/n y
>gpg: go ahead and type location of secring.gpg
>
>
>(right now, i just copy them in and over-write the
>c:\gnupg\secring.gpg
>file)
>
>(also, tiny really minor point:
>the gnupg error message for the windows binary
>should have the '\' not the '/' )
>
>
>tia,
>
>vedaal
>

Remove the secring.gpg file. Replace it with a shortcut to the location of
your private key that is on your USB drive. So now every time the GnuPG
engine attempts to access your private key, it will be directed to the
actual key on the USB medium.

As a side note, I hope that you have your revocation certificate secured
and stored on a medium other than that of your USB drive. i.e. Backup CD-R
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFC3c1xoR5cE1e/kEIRAjatAJ0WDHOfuwE4fqajEGmOsbzE7VAGewCdFYGu
NfbeJav8S4JlmvbETahQN84=
=w9Aw
-----END PGP SIGNATURE-----

From rtilley at vt.edu Tue Jul 19 19:21:00 2005
From: rtilley at vt.edu (Brad Tilley)
Date: Wed Jul 20 10:32:09 2005
Subject: catching output from gpg --verify
Message-ID: <1121793660.9251.7.camel@athop1.ath.vt.edu>

Hello Gnupg users,

I am writing a script to automate the downloading and building of Linux
kernels. As a part of the script, I use gpg to check and make sure that
the kernel key is installed:

    check = os.popen('gpg --list-keys')
    data = check.read()
    check.close()

This works well. I can read the data from gpg --list-keys and check it
and then proceed. If the key is not installed, I download and install
it, if it is installed, I move on.

However, the next case in which I need to use gpg fails because I cannot
capture the output of gpg --verify:

    cmd = os.popen('gpg --verify kernel_name_sig kernel_name')
    data = cmd.read()
    cmd.close()

I've tried re-directing the output to a file (doesn't work) from the
command line and from my script. Any tips on how to capture this output
would be greatly appreciated.

From sk at intertivity.com Wed Jul 20 11:00:40 2005
From: sk at intertivity.com (Sascha Kiefer)
Date: Wed Jul 20 11:43:27 2005
Subject: catching output from gpg --verify
In-Reply-To: <1121793660.9251.7.camel@athop1.ath.vt.edu>
References: <1121793660.9251.7.camel@athop1.ath.vt.edu>
Message-ID: <42DE12B8.6000508@intertivity.com>

Brad Tilley wrote:

>I've tried re-directing the output to a file (doesn't work) from the
>command line and from my script. Any tips on how to capture this output
>would be greatly appreciated.
>
>
Hi, have you tried the commandline-option --output which requires a filename
to write the data to.

HTH
--sk

From wk at gnupg.org Wed Jul 20 10:59:39 2005
From: wk at gnupg.org (Werner Koch)
Date: Wed Jul 20 11:43:37 2005
Subject: smart card + gpg only root
In-Reply-To: <1121770936.2814.16.camel@lello.munet.org> (Federico Munerotto's message of "Tue, 19 Jul 2005 13:05:16 +0200")
References: <1121770936.2814.16.camel@lello.munet.org>
Message-ID: <87sly9q2dg.fsf@wheatstone.g10code.de>

On Tue, 19 Jul 2005 13:05:16 +0200, Federico Munerotto said:

> My user is the group scard but as long as only the root user can have
> access to the smart card it remains useless. I think it is a trivial
> permission issue: any help?

With the Debian packages of pcscd anyone may connect to a running
pcscd and access the reader. Use pcsc_scan to see whether the pcscd
is working. You might also want to start pcscd in the foreground

  pcscd -f -d

to better see what's going on.

> A workaround would be telling evolution to use sudo gpg instead of gpg,
> but there isn't a way to do that.

Don't even think of doing this.

As explained in the HOWTO (at www.gnupg.org) you might also want to
check whether the gpg internal driver works for you (gpg 1.4.2rc2).
When building gpg, just make sure that libusb development files have
been installed. Then follow the HOWTO to set up the permissions
properly.

  gpg --debug-ccid-driver ....

might then be helpful.

Shalom-Salam,

   Werner

From sk at intertivity.com Wed Jul 20 12:02:24 2005
From: sk at intertivity.com (Sascha Kiefer)
Date: Wed Jul 20 11:57:56 2005
Subject: receiving key to file and more
Message-ID: <42DE2130.4070004@intertivity.com>

Hi

1. is it possible to receive a key to a file instead of to the keyring?
2. what is the difference between --search-keys and --recv-keys ?

Thanks in advance
--sk

From mune72 at tiscali.it Wed Jul 20 13:13:00 2005
From: mune72 at tiscali.it (Federico Munerotto)
Date: Wed Jul 20 13:08:42 2005
Subject: smart card + gpg only root
In-Reply-To: <87sly9q2dg.fsf@wheatstone.g10code.de>
References: <1121770936.2814.16.camel@lello.munet.org> <87sly9q2dg.fsf@wheatstone.g10code.de>
Message-ID: <1121857979.2816.11.camel@lello.munet.org>

On Wed, 2005-07-20 at 10:59, Werner Koch wrote:
[...]
> gpg --debug-ccid-driver ....

as mune user
++++++++++++++++++++
[mune@lello mune]$ /usr/local/bin/gpg --debug-ccid-driver --card-status
gpg: ATTENZIONE: si sta usando memoria insicura!
gpg: visitare http://www.gnupg.org/faq.html per ulteriori informazioni
gpg: DBG: ccid-driver: using CCID reader 0 (ID=058F:9520:X:0)
gpg: DBG: ccid-driver: idVendor: 058F idProduct: 9520 bcdDevice: F033
gpg: DBG: ccid-driver: ChipCard Interface Descriptor:
gpg: DBG: ccid-driver: bLength 54
gpg: DBG: ccid-driver: bDescriptorType 33
gpg: DBG: ccid-driver: bcdCCID 1.00
gpg: DBG: ccid-driver: nMaxSlotIndex 0
gpg: DBG: ccid-driver: bVoltageSupport 3 1.8V
gpg: DBG: ccid-driver: dwProtocols 3 T=0 T=1
gpg: DBG: ccid-driver: dwDefaultClock 3700
gpg: DBG: ccid-driver: dwMaxiumumClock 3700
gpg: DBG: ccid-driver: bNumClockSupported 1
gpg: DBG: ccid-driver: dwDataRate 9946 bps
gpg: DBG: ccid-driver: dwMaxDataRate 318280 bps
gpg: DBG: ccid-driver: bNumDataRatesSupp. 53
gpg: DBG: ccid-driver: dwMaxIFSD 254
gpg: DBG: ccid-driver: dwSyncProtocols 00000007 2-wire 3-wire I2C
gpg: DBG: ccid-driver: dwMechanical 00000000
gpg: DBG: ccid-driver: dwFeatures 000204BE
gpg: DBG: ccid-driver: Auto configuration based on ATR
gpg: DBG: ccid-driver: Auto activation on insert
gpg: DBG: ccid-driver: Auto voltage selection
gpg: DBG: ccid-driver: Auto clock change
gpg: DBG: ccid-driver: Auto baud rate change
gpg: DBG: ccid-driver: Auto PPS made by CCID
gpg: DBG: ccid-driver: Auto IFSD exchange
gpg: DBG: ccid-driver: Short APDU level exchange
gpg: DBG: ccid-driver: dwMaxCCIDMsgLen 271
gpg: DBG: ccid-driver: bClassGetResponse echo
gpg: DBG: ccid-driver: bClassEnvelope echo
gpg: DBG: ccid-driver: wlcdLayout none
gpg: DBG: ccid-driver: bPINSupport 0
gpg: DBG: ccid-driver: bMaxCCIDBusySlots 1
gpg: DBG: ccid-driver: usb_claim_interface failed: -1
gpg: pcsc_establish_context failed: no service (0x8010001d)
gpg: card reader not available
gpg: OpenPGP card not available: errore generale
++++++++++++++++++++++++++++++++++++++++

as root user
++++++++++++++++++++++++++++++++++++++++
[root@lello gnupg-1.4.1]# /usr/local/bin/gpg --card-status --debug-ccid-driver
gpg: DBG: ccid-driver: using CCID reader 0 (ID=058F:9520:X:0)
gpg: DBG: ccid-driver: idVendor: 058F idProduct: 9520 bcdDevice: F033
gpg: DBG: ccid-driver: ChipCard Interface Descriptor:
gpg: DBG: ccid-driver: bLength 54
gpg: DBG: ccid-driver: bDescriptorType 33
gpg: DBG: ccid-driver: bcdCCID 1.00
gpg: DBG: ccid-driver: nMaxSlotIndex 0
gpg: DBG: ccid-driver: bVoltageSupport 3 1.8V
gpg: DBG: ccid-driver: dwProtocols 3 T=0 T=1
gpg: DBG: ccid-driver: dwDefaultClock 3700
gpg: DBG: ccid-driver: dwMaxiumumClock 3700
gpg: DBG: ccid-driver: bNumClockSupported 1
gpg: DBG: ccid-driver: dwDataRate 9946 bps
gpg: DBG: ccid-driver: dwMaxDataRate 318280 bps
gpg: DBG: ccid-driver: bNumDataRatesSupp. 53
gpg: DBG: ccid-driver: dwMaxIFSD 254
gpg: DBG: ccid-driver: dwSyncProtocols 00000007 2-wire 3-wire I2C
gpg: DBG: ccid-driver: dwMechanical 00000000
gpg: DBG: ccid-driver: dwFeatures 000204BE
gpg: DBG: ccid-driver: Auto configuration based on ATR
gpg: DBG: ccid-driver: Auto activation on insert
gpg: DBG: ccid-driver: Auto voltage selection
gpg: DBG: ccid-driver: Auto clock change
gpg: DBG: ccid-driver: Auto baud rate change
gpg: DBG: ccid-driver: Auto PPS made by CCID
gpg: DBG: ccid-driver: Auto IFSD exchange
gpg: DBG: ccid-driver: Short APDU level exchange
gpg: DBG: ccid-driver: dwMaxCCIDMsgLen 271
gpg: DBG: ccid-driver: bClassGetResponse echo
gpg: DBG: ccid-driver: bClassEnvelope echo
gpg: DBG: ccid-driver: wlcdLayout none
gpg: DBG: ccid-driver: bPINSupport 0
gpg: DBG: ccid-driver: bMaxCCIDBusySlots 1
gpg: DBG: ccid-driver: status: 00 error: 00 octet[9]: 00 data:
gpg: DBG: ccid-driver: status: 00 error: 00 octet[9]: 00 data: 3B FA 13 00 FF 81 31 80 45 00 31 C1 73 C0 01 00 00 90 00 B1
gpg: DBG: ccid-driver: sending 61 07 00 00 00 00 02 01 00 00 01 10 00 41 00 FE 00
gpg: DBG: ccid-driver: status: 40 error: 0C octet[9]: 01 data: 13 10 FF 45 00 80 00
gpg: DBG: ccid-driver: sending 6F 0B 00 00 00 00 03 04 00 00 00 A4 04 00 06 D2 76 00 01 24 01
gpg: DBG: ccid-driver: status: 00 error: 00 octet[9]: 00 data: 6F 12 84 10 D2 76 00 01 24 01 01 01 00 01 00 00 03 17 00 00 90 00
gpg: DBG: ccid-driver: sending 6F 05 00 00 00 00 04 04 00 00 00 CA 00 4F 00
gpg: DBG: ccid-driver: status: 00 error: 00 octet[9]: 00 data: D2 76 00 01 24 01 01 01 00 01 00 00 03 17 00 00 90 00
gpg: DBG: ccid-driver: sending 6F 05 00 00 00 00 05 04 00 00 00 CA 00 C4 00
gpg: DBG: ccid-driver: status: 00 error: 00 octet[9]: 00 data: 00 FE FE FE 03 03 03 90 00
gpg: DBG: ccid-driver: sending 6F 05 00 00 00 00 06 04 00 00 00 CA 00 6E 00
gpg: DBG: ccid-driver: status: 00 error: 00 octet[9]: 00 data: 4F 10 D2 76 00 01 24 01 01 01 00 01 00 00 03 17 00 00 73 81 9D C0 01 78 C1 05 01 04 00 00 20 C2 05 01 04 00 00 20 C3 05 01 04 00 00 20 C4 07 00 FE FE FE 03 03 03 C5 3C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 C6 3C C4 85 A6 CD 7E C6 6E 9E EC 33 65 F2 70 F2 75 E4 C3 2F 6C A5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 CD 0C 00 00 00 00 00 00 00 00 00 00 00 00 5E 04 6D 75 6E 65 90 00
gpg: DBG: ccid-driver: sending 6F 05 00 00 00 00 07 04 00 00 00 CA 00 5E 00
gpg: DBG: ccid-driver: status: 00 error: 00 octet[9]: 00 data: 6D 75 6E 65 90 00
gpg: DBG: ccid-driver: sending 6F 05 00 00 00 00 08 04 00 00 00 CA 00 65 00
gpg: DBG: ccid-driver: status: 00 error: 00 octet[9]: 00 data: 5B 13 4D 75 6E 65 72 6F 74 74 6F 3C 3C 46 65 64 65 72 69 63 6F 5F 2D 02 64 65 5F 35 01 31 90 00
gpg: DBG: ccid-driver: sending 6F 05 00 00 00 00 09 04 00 00 00 CA 5F 50 00
gpg: DBG: ccid-driver: status: 00 error: 00 octet[9]: 00 data: 90 00
gpg: DBG: ccid-driver: sending 6F 05 00 00 00 00 0A 04 00 00 00 CA 00 C4 00
gpg: DBG: ccid-driver: status: 00 error: 00 octet[9]: 00 data: 00 FE FE FE 03 03 03 90 00
gpg: DBG: ccid-driver: sending 6F 05 00 00 00 00 0B 04 00 00 00 CA 00 7A 00
gpg: DBG: ccid-driver: status: 00 error: 00 octet[9]: 00 data: 93 03 00 00 00 90 00
gpg: DBG: ccid-driver: sending 6F 05 00 00 00 00 0C 04 00 00 00 CA 01 01 00
gpg: DBG: ccid-driver: status: 00 error: 00 octet[9]: 00 data: 90 00
gpg: DBG: ccid-driver: sending 6F 05 00 00 00 00 0D 04 00 00 00 CA 01 02 00
gpg: DBG: ccid-driver: status: 00 error: 00 octet[9]: 00 data: 5B 32 38 39 5D 20 46 65 64 65 72 69 63 6F 20 4D 75 6E 65 72 6F 74 74 6F 20 3C 6D 75 6E 65 40 66 73 66 65 2E 6F 72 67 3E 90 00
Application ID ...: D2760001240101010001000003170000
Version ..........: 1.1
Manufacturer .....: PPC Card Systems
Serial number ....: 00000317
Name of cardholder: Federico Munerotto
Language prefs ...: de
Sex ..............: male
URL of public key : [not set]
Login data .......: mune
Private DO 1 .....: [not set]
Private DO 2 .....: [289] Federico Munerotto
CA fingerprint 1 .: C485 A6CD 7EC6 6E9E EC33 65F2 70F2 75E4 C32F 6CA5
Signature PIN ....: forced
Max. PIN lengths .: 254 254 254
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
gpg: DBG: ccid-driver: status: 01 error: 00 octet[9]: 01 data:
+++++++++++++++++++++++++++++++++++++++++++++++++

I don't find any help
I hope you can see something useful.

Thanks
-- 
Fede
_________________________________________________________________________
mune (at) fsfe.org   Ing. Federico Munerotto
home         http://www.krl.it/~mune
Public key   http://www.krl.it/~mune/personal/misc/pk/pk.html
             http://www.krl.it/~mune/personal/misc/signoraggio/
_________________________________________________________________________
"... all the modern inconveniences ..." -- Mark Twain

From linux at codehelp.co.uk Wed Jul 20 13:34:22 2005
From: linux at codehelp.co.uk (Neil Williams)
Date: Wed Jul 20 14:27:31 2005
Subject: receiving key to file and more
In-Reply-To: <42DE2130.4070004@intertivity.com>
References: <42DE2130.4070004@intertivity.com>
Message-ID: <200507201234.25637.linux@codehelp.co.uk>

On Wednesday 20 July 2005 11:02 am, Sascha Kiefer wrote:
> Hi
>
> 1. is it possible to receive a key to a file instead of to the keyring?

--keyring --no-default-keyring

from man gpg:

  --keyring file
      Add file to the current list of keyrings. If file begins with a
      tilde and a slash, these are replaced by the $HOME directory. If
      the filename does not contain a slash, it is assumed to be in the
      GnuPG home directory ("~/.gnupg" if --homedir or $GNUPGHOME is not
      used).

      Note that this adds a keyring to the current list. If the intent
      is to use the specified keyring alone, use --keyring along with
      --no-default-keyring.

> 2. what is the difference between --search-keys and --recv-keys ?

--search-keys displays a list of possible matches and allows you to select
which one (if any) to import. Use to search parts of a name or domain. Used
when you don't know the specific keyid, just the name or email.

--recv-keys imports the specified key without further prompts. Easiest when
used with a specific keyID.

-- 

Neil Williams
=============
http://www.data-freedom.org/
http://www.nosoftwarepatents.com/
http://www.linux.codehelp.co.uk/

From vedaal at hush.com Wed Jul 20 14:46:39 2005
From: vedaal at hush.com (vedaal@hush.com)
Date: Wed Jul 20 14:42:10 2005
Subject: gnupg keyrings // question / request
Message-ID: <200507201246.j6KCkgia084919@mailserver3.hushmail.com>

>Message: 8
>Date: Wed, 20 Jul 2005 07:28:00 +0200
>From: Mark Kirchner
>Subject: Re: gnupg keyrings // question / request
>To: gnupg-users

>>is there a way to tell gnupg that the keyrings are not in the home
>>directory, and to look for them in their alternative location ?

>Yes, there is, call gpg with these options (or better, put them in
>your gpg.conf):
>--keyring
>--secret-keyring
>
>And then you'll probably want to use this one as well:
>--no-default-keyring

Thanks!!!

this worked perfectly!

vedaal

From wk at gnupg.org Wed Jul 20 14:48:35 2005
From: wk at gnupg.org (Werner Koch)
Date: Wed Jul 20 14:46:19 2005
Subject: receiving key to file and more
In-Reply-To: <42DE2130.4070004@intertivity.com> (Sascha Kiefer's message of "Wed, 20 Jul 2005 12:02:24 +0200")
References: <42DE2130.4070004@intertivity.com>
Message-ID: <87u0ipod7g.fsf@wheatstone.g10code.de>

On Wed, 20 Jul 2005 12:02:24 +0200, Sascha Kiefer said:

> 1. is it possible to receive a key to a file instead of to the keyring?

No. You may however use the helper tools directly.

> 2. what is the difference between --search-keys and --recv-keys ?

--search-keys presents a list of matching keys whereas --recv-keys
will return the key matching the keyID.

Shalom-Salam,

   Werner

From wk at gnupg.org Wed Jul 20 15:03:05 2005
From: wk at gnupg.org (Werner Koch)
Date: Wed Jul 20 15:01:21 2005
Subject: smart card + gpg only root
In-Reply-To: <1121857979.2816.11.camel@lello.munet.org> (Federico Munerotto's message of "Wed, 20 Jul 2005 13:13:00 +0200")
References: <1121770936.2814.16.camel@lello.munet.org> <87sly9q2dg.fsf@wheatstone.g10code.de> <1121857979.2816.11.camel@lello.munet.org>
Message-ID: <87pstdocja.fsf@wheatstone.g10code.de>

On Wed, 20 Jul 2005 13:13:00 +0200, Federico Munerotto said:

> gpg: DBG: ccid-driver: usb_claim_interface failed: -1

The USB device can't be accessed. This is a permission problem with
the usbfs.

> (ID=058F:9520:X:0)

Use lsusb to figure out the device like:

  $ lsusb
  Bus 002 Device 001: ID 0000:0000
  Bus 001 Device 001: ID 0000:0000
  Bus 001 Device 002: ID 058f:9254 Alcor Micro Corp. Hub
  Bus 001 Device 011: ID 046d:0a02 Logitech, Inc.
  Bus 001 Device 014: ID 04e6:e003 SCM Microsystems, Inc.

You should find a line with the ID 058F:9520. Assuming this is the
6th line you now do a:

  $ ls -l /proc/bus/usb/001/014
  -rw-rw-r-- 1 root scard 18 Jul 20 11:13 /proc/bus/usb/001/014

The above is correct but I guess that the permissions are not correct
for you. If set up as suggested by the HOWTO then the hotplug scripts
should take care of it. Some systems have a bug in the scripts and
require a 0x0 instead of just a 0. If you used the scripts
verbatim you should fix them:

  # Generic CCID device
  gnupg-ccid 0x0080 0x0 0x0 0 0 0 0 0x00 0x0B 0x00 0x00 0x00000000
  # SPR532 is CCID but without the proper CCID class
  gnupg-ccid 0x0003 0x04e6 0xe003 0 0 0 0 0x00 0x0B 0x00 0x00 0x00000000
  # SCR33x is CCID but without the proper CCID class
  gnupg-ccid 0x0003 0x04e6 0x5115 0 0 0 0 0x00 0x0B 0x00 0x00 0x00000000

to

  # Generic CCID device
  gnupg-ccid 0x0080 0x0 0x0 0x0 0x0 0x0 0x0 0x00 0x0B 0x00 0x00 0x00000000
  ....

[Yes, I need to upload a revision of the HOWTO.] The change above
should be sufficient.

If this all does not work you might want to manually chmod and chgrp
the device for now and then figure out what's wrong with the hotplug
scripts.

If you made this reader work for you, please tell me the type so that
I can put it into our list of verified readers.

hth,

   Werner

From dshaw at jabberwocky.com Wed Jul 20 15:10:56 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed Jul 20 16:13:24 2005
Subject: catching output from gpg --verify
In-Reply-To: <1121793660.9251.7.camel@athop1.ath.vt.edu>
References: <1121793660.9251.7.camel@athop1.ath.vt.edu>
Message-ID: <20050720131056.GB19229@jabberwocky.com>

On Tue, Jul 19, 2005 at 01:21:00PM -0400, Brad Tilley wrote:
> Hello Gnupg users,
>
> I am writing a script to automate the downloading and building of Linux
> kernels. As a part of the script, I use gpg to check and make sure that
> the kernel key is installed:
>
> check = os.popen('gpg --list-keys')
> data = check.read()
> check.close()
>
> This works well. I can read the data from gpg --list-keys and check it
> and then proceed. If the key is not installed, I download and install
> it, if it is installed, I move on.
>
> However, the next case in which I need to use gpg fails because I cannot
> capture the output of gpg --verify:
>
> cmd = os.popen('gpg --verify kernel_name_sig kernel_name')
> data = cmd.read()
> cmd.close()
>
> I've tried re-directing the output to a file (doesn't work) from the
> command line and from my script. Any tips on how to capture this output
> would be greatly appreciated.

The problem here is not really that you can't capture the output, but
that you shouldn't capture the output. The output of GPG is very
subject to change, and every time we change GPG, we'll break your
script.

There are two good ways to do this safely:

1) Use something like:

   gpg --status-fd 1 --verify kernel_name_sig kernel_name 2>/dev/null

   That will cause a machine readable series of messages to appear on
   stdout. If you see a VALIDSIG tag, you know the signature is good.

2) Use gpgv, which is just a signature verification tool and exits 0
   if the signature is good, and non-0 otherwise.

David

From david at adboyd.com Wed Jul 20 15:07:50 2005
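
[Added example, not part of David Shaw's message or of GnuPG itself: option 1 from the reply above in Python, reading the --status-fd lines rather than the human-readable text. It goes one step beyond the reply by also comparing the VALIDSIG fingerprint with a pinned one, because VALIDSIG is reported for any key in the keyring; the fingerprints, key ID and status lines are constructed sample values and the function names are hypothetical.]

```python
import subprocess

PREFIX = "[GNUPG:] "
# Status keywords that report a signature which must not be accepted.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Constructed sample values (not a real key).
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
GOOD_STATUS = (
    "[GNUPG:] SIG_ID constructedSigId000000000000 2005-07-20 1121850000\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer (constructed)\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2005-07-20"
    " 1121850000 0 3 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567\n"
    "[GNUPG:] TRUST_UNDEFINED\n"
)
BAD_STATUS = "[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer (constructed)\n"
# A perfectly valid signature, but made by some other key in the keyring.
OTHER_KEY_STATUS = (
    "[GNUPG:] GOODSIG FEDCBA9876543210 Someone Else (constructed)\n"
    "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2005-07-20"
    " 1121850000 0 3 0 17 2 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98\n"
)


def parse_status(text):
    """Return (keyword, args) for every line that really is a status line.

    Only lines that START with the prefix count, so a user ID that merely
    contains the text "[GNUPG:] VALIDSIG" cannot pose as a status record.
    """
    records = []
    for line in text.splitlines():
        if not line.startswith(PREFIX):
            continue
        fields = line[len(PREFIX):].split()
        if fields:
            records.append((fields[0], fields[1:]))
    return records


def signature_ok(status_text, pinned_fpr):
    """True only if the pinned key produced a VALIDSIG and no signature in
    the same run was bad, expired, revoked or impossible to check."""
    pinned = pinned_fpr.replace(" ", "").upper()
    records = parse_status(status_text)
    if any(keyword in REJECT for keyword, _ in records):
        return False
    for keyword, args in records:
        if keyword != "VALIDSIG" or not args:
            continue
        # args[0] is the fingerprint of the key that made the signature
        # (possibly a subkey); the tenth field, when present, is the
        # fingerprint of its primary key (layout per GnuPG's doc/DETAILS).
        fingerprints = {args[0].upper()}
        if len(args) >= 10:
            fingerprints.add(args[9].upper())
        if pinned in fingerprints:
            return True
    return False


def verify_detached(sig_path, data_path, pinned_fpr, gpg="gpg"):
    """Verify a detached signature with gpg and apply signature_ok().

    Status lines are requested on stdout; the human-readable messages go to
    stderr, which is why reading stdout alone captured nothing useful in the
    original script. An argument list is used so that downloaded file names
    never pass through a shell.
    """
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,
        universal_newlines=True)
    return proc.returncode == 0 and signature_ok(proc.stdout, pinned_fpr)


if __name__ == "__main__":
    for name, sample in (("good", GOOD_STATUS), ("bad", BAD_STATUS),
                         ("other key", OTHER_KEY_STATUS)):
        print(name, "->", signature_ok(sample, PINNED_FPR))
```

[End of added example.]
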
From: david at adboyd.com (J. David Boyd)
Date: Wed Jul 20 16:13:37 2005
Subject: can't use the same keyring from linux on windows
References:
Message-ID: <81hdepeic9.fsf@adboyd.com>

"coco coco" writes:

> Hi,
>
> I've been using thunderbird on Linux since 0.2 on my laptop, but
> recently, due to
> laptop problem, I want to move my mail to use portable thunderbird on a
> mobile hd.
>
> I've already moved my profile from Linux to the portable tb, and it's
> working fine,
>
> except, I can't get enigmail to work correctly. I've copied my pubring
> and secring
> into the gpg folder, and the key manager can show all keys correctly,
> including
> my key pairs and other people's public keys. Enigmail can figure out
> my key ID from
> my email address. But I'm still having problem getting enigmail to
> work correctly.
> When I'm trying to send a signed message, I'm getting the following
> error from
> the enigmail console:
>
> enigmail> G:\PortableThunderbird\gpg\gpg.exe --charset utf8 --batch
> --no-tty --
> status-fd 2 --comment 'Using GnuPG with Thunderbird -
> http://enigmail.mozdev.org
> ' -s -b -t -a -u 0xA41D9118undefined
> gpg: skipped "0xA41D9118undefined": malformed user id
> gpg: signing failed: malformed user id
> enigmail.js: Enigmail.encryptMessageEnd: Error in command execution
>
> I don't understand why I'm getting this. Is it because my key rings are from
> Linux, and I'm using it on Windows? Curiously, I can't get gpg to work
> correctly
> on the command line either. I try to encrypt a file to myself, and
> then when I
> try to decrypt, it's complaining that the secret key is not available.
>
> Could anyone give a hint on what does that mean?
>
> The GPG packaged with portable thunderbird is version 1.4.1.
>
> Thanks a lot.
>

How did you get your keys to the linux box? ftp? Did you make certain that
you were using binary mode?

I transfer key files from my windows box to my linux box all the time, with
never a problem.

Dave

From johanw at vulcan.xs4all.nl Wed Jul 20 10:38:33 2005
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Wed Jul 20 16:13:45 2005
Subject: gnupg keyrings // question / request
In-Reply-To: <200507200536.j6K5amGd085661@mailserver2.hushmail.com>
Message-ID: <200507200838.j6K8cXjH005117@vulcan.xs4all.nl>

Thomas Jones wrote:

>Remove the secring.gpg file. Replace it with a shortcut to the
>location of your private key that is on your USB drive.

Won't work. Windows shortcuts don't work as Unix softlinks but are just
files with the location information in it. They are recognised by explorer
but not automatically by other programs: you'd have to add code to analyse
them.

-- 
ir. J.C.A. Wevers         // Physics and science fiction site:
johanw@vulcan.xs4all.nl   // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From alphasigmax at gmail.com Wed Jul 20 15:32:46 2005
From: alphasigmax at gmail.com (Alphax)
Date: Wed Jul 20 16:13:58 2005
Subject: receiving key to file and more
In-Reply-To: <200507201234.25637.linux@codehelp.co.uk>
References: <42DE2130.4070004@intertivity.com> <200507201234.25637.linux@codehelp.co.uk>
Message-ID: <42DE527E.2090208@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Neil Williams wrote:
> On Wednesday 20 July 2005 11:02 am, Sascha Kiefer wrote:
>
>>Hi
>>
>>1. is it possible to receive a key to a file instead of to the keyring?
>
>
> --keyring --no-default-keyring
> from man gpg:
> --keyring file
> Add file to the current list of keyrings. If file begins with a tilde
> and a slash, these are replaced
> by the $HOME directory. If the filename does not contain a slash, it
> is assumed to be in the GnuPG home
> directory ("~/.gnupg" if --homedir or $GNUPGHOME is not used).
>
> Note that this adds a keyring to the current list. If the intent is
> to use the specified keyring
> alone, use --keyring along with --no-default-keyring.
>

I suspect you might also want to use --primary-keyring:

> --primary-keyring file
> Designate file as the primary public keyring. This means
> that newly imported keys (via --import or keyserver --recv-from)
> will go to this keyring.

so something like

> gpg --keyring --primary-keyring

combined with the import statement may (or may not) do what you want.

- --
Alphax                      |   /"\
Encrypted Email Preferred   |   \ /  ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |    X   Against HTML email & vCards
http://tinyurl.com/cc9up    |   / \
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFC3lJ+/RxM5Ph0xhMRA3rXAJ9u5ab4evwfg4TR505mN1HKNA10bACeMAyn
FtXbZosSTAaPTyhKgpVYQpE=
=DuhR
-----END PGP SIGNATURE-----

From mune72 at tiscali.it Wed Jul 20 16:27:04 2005
From: mune72 at tiscali.it (Federico Munerotto)
Date: Wed Jul 20 16:22:44 2005
Subject: smart card + gpg only root
In-Reply-To: <87pstdocja.fsf@wheatstone.g10code.de>
References: <1121770936.2814.16.camel@lello.munet.org> <87sly9q2dg.fsf@wheatstone.g10code.de> <1121857979.2816.11.camel@lello.munet.org> <87pstdocja.fsf@wheatstone.g10code.de>
Message-ID: <1121869623.2816.48.camel@lello.munet.org>

On Wed, 2005-07-20 at 15:03, Werner Koch wrote:
[...]
> $ ls -l /proc/bus/usb/001/014
> -rw-rw-r-- 1 root scard 18 Jul 20 11:13 /proc/bus/usb/001/014
[...]

Ok. Works BUT
if the device is unplugged and then plugged again, belongs again to the
root group and isn't writable again (change its location). I need to set
up hotplug to
1. chgrp to the proper group
2. chmod +rw scard
the file that is created.

After replugging the USB of the reader:

[root@lello gnupg-1.4.1]# /sbin/lsusb
Bus 003 Device 006: ID 058f:9520 Alcor Micro Corp.
Bus 003 Device 001: ID 0000:0000
Bus 002 Device 003: ID 046d:c501 Logitech, Inc. Cordless Mouse Receiver
Bus 002 Device 002: ID 046d:c309 Logitech, Inc.
Bus 002 Device 001: ID 0000:0000
Bus 001 Device 001: ID 0000:0000
[root@lello gnupg-1.4.1]# ll /proc/bus/usb/003/006
-rw-r--r-- 1 root root 111 20 lug 15:52 /proc/bus/usb/003/006

-- 
Fede
_________________________________________________________________________
mune (at) fsfe.org   Ing. Federico Munerotto
home         http://www.krl.it/~mune
Public key   http://www.krl.it/~mune/personal/misc/pk/pk.html
             http://www.krl.it/~mune/personal/misc/signoraggio/
_________________________________________________________________________
"... all the modern inconveniences ..." -- Mark Twain

From wk at gnupg.org Wed Jul 20 16:55:23 2005
From: wk at gnupg.org (Werner Koch)
Date: Wed Jul 20 16:56:17 2005
Subject: smart card + gpg only root
In-Reply-To: <1121869623.2816.48.camel@lello.munet.org> (Federico Munerotto's message of "Wed, 20 Jul 2005 16:27:04 +0200")
References: <1121770936.2814.16.camel@lello.munet.org> <87sly9q2dg.fsf@wheatstone.g10code.de> <1121857979.2816.11.camel@lello.munet.org> <87pstdocja.fsf@wheatstone.g10code.de> <1121869623.2816.48.camel@lello.munet.org>
Message-ID: <877jflo7c4.fsf@wheatstone.g10code.de>

On Wed, 20 Jul 2005 16:27:04 +0200, Federico Munerotto said:

> if the device is unplugged and then plugged again, belongs again to the
> root group and isn't writable again (change its location). I need to set
> up hotplug to
> 1. chgrp to the proper group
> 2. chmod +rw scard
> the file that is created.

You need to debug the hotplug script. Here are the scripts I am
using:

-------------- next part --------------
# The entries below are used to detect CCID devices and run a script
#
# USB_MATCH_VENDOR 0x0001
# USB_MATCH_PRODUCT 0x0002
# USB_MATCH_DEV_LO 0x0004
# USB_MATCH_DEV_HI 0x0008
# USB_MATCH_DEV_CLASS 0x0010
# USB_MATCH_DEV_SUBCLASS 0x0020
# USB_MATCH_DEV_PROTOCOL 0x0040
# USB_MATCH_INT_CLASS 0x0080
# USB_MATCH_INT_SUBCLASS 0x0100
# USB_MATCH_INT_PROTOCOL 0x0200
#
# script match_flags idVendor idProduct bcdDevice_lo bcdDevice_hi
# bDeviceClass bDeviceSubClass bDeviceProtocol
# bInterfaceClass bInterfaceSubClass bInterfaceProtocol driver_info
#
# flags V P Bl Bh Clas Sub Prot Clas Sub Prot Info
gnupg-ccid 0x0080 0x0 0x0 0x0 0x0 0x00 0x00 0x00 0x0B 0x00 0x00 0x00000000
# SPR532 is CCID but without the proper CCID class
gnupg-ccid 0x0003 0x04e6 0xe003 0x0 0x0 0x00 0x00 0x00 0x0B 0x00 0x00 0x00000000
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gnupg-ccid
Type: test/plain
Size: 724 bytes
Desc: not available
Url : /pipermail/attachments/20050720/076ad6a6/gnupg-ccid.bin
-------------- next part --------------

$ ls -l /etc/hotplug/usb/gnupg*
-rwxr-xr-x 1 root root 724 Sep 22 2004 /etc/hotplug/usb/gnupg-ccid
-rw-r--r-- 1 root root 865 Mar 16 16:08 /etc/hotplug/usb/gnupg-ccid.usermap

Remember to chmod +x gnupg-ccid. I use the group wk instead of scard,
so you need to change that.

Does this help?

Salam-Shalom,

   Werner

From gnupg-users=gnupg.org at lists.palfrader.org Wed Jul 20 15:11:51 2005
From: gnupg-users=gnupg.org at lists.palfrader.org (Peter Palfrader)
Date: Wed Jul 20 17:04:13 2005
Subject: no-ask-cert-expire during sign-key
Message-ID: <20050720131151.GE32765@opium.palfrader.org>

Hi,

gpg (1.4.1) always asks whether UID certifications should expire on the
same day as the primary key:

| weasel@galaxy:~$ gpg --no-ask-cert-expire --sign-key 52C8180E
| [..]
| pub 1024D/52C8180E created: 2004-12-11 expires: 2012-12-10 usage: CS
| trust: marginal validity: full
| Primary key fingerprint: 77FA 0CBE A7BB 268A 312B DB25 3D45 FF99 52C8 180E
|
| Matthias Bauer
| Matthias Bauer
|
| This key is due to expire on 2012-12-10.
| Do you want your signature to expire at the same time? (Y/n)

I always answer no to this question. Is it possible to change the
behaviour of --no-ask-cert-expire to also apply to this case?

At least the manpage suggests that it already should do just that:

| --no-ask-cert-expire
| When making a key signature, prompt for an expiration time.
| If this option is not specified, the expiration time is
| "never". --no-ask-cert-expire disables this option.

-- 
 PGP signed and encrypted  |  .''`.  ** Debian GNU/Linux **
    messages preferred.    | : :' :      The universal
                           | `. `'      Operating System
 http://www.palfrader.org/ |   `-    http://www.debian.org/

From mune72 at tiscali.it Wed Jul 20 17:49:49 2005
From: mune72 at tiscali.it (Federico Munerotto)
Date: Wed Jul 20 17:45:31 2005
Subject: smart card + gpg only root
In-Reply-To: <877jflo7c4.fsf@wheatstone.g10code.de>
References: <1121770936.2814.16.camel@lello.munet.org> <87sly9q2dg.fsf@wheatstone.g10code.de> <1121857979.2816.11.camel@lello.munet.org> <87pstdocja.fsf@wheatstone.g10code.de> <1121869623.2816.48.camel@lello.munet.org> <877jflo7c4.fsf@wheatstone.g10code.de>
Message-ID: <1121874588.2816.85.camel@lello.munet.org>

On Wed, 2005-07-20 at 16:55, Werner Koch wrote:
> On Wed, 20 Jul 2005 16:27:04 +0200, Federico Munerotto said:
>
> > if the device is unplugged and then plugged again, belongs again to the
> > root group and isn't writable again (change its location). I need to set
> > up hotplug to
> > 1. chgrp to the proper group
> > 2. chmod +rw scard
> > the file that is created.
>
> You need to debug the hotplug script. Here are the scripts I am
> using:
>
>
> ______________________________________________________________________
> # The entries below are used to detect CCID devices and run a script
> #
> # USB_MATCH_VENDOR              0x0001
> # USB_MATCH_PRODUCT             0x0002
> # USB_MATCH_DEV_LO              0x0004
> # USB_MATCH_DEV_HI              0x0008
> # USB_MATCH_DEV_CLASS           0x0010
> # USB_MATCH_DEV_SUBCLASS        0x0020
> # USB_MATCH_DEV_PROTOCOL        0x0040
> # USB_MATCH_INT_CLASS           0x0080
> # USB_MATCH_INT_SUBCLASS        0x0100
> # USB_MATCH_INT_PROTOCOL        0x0200
> #
> # script match_flags idVendor idProduct bcdDevice_lo bcdDevice_hi
> #        bDeviceClass bDeviceSubClass bDeviceProtocol
> #        bInterfaceClass bInterfaceSubClass bInterfaceProtocol driver_info
> #
> #          flags  V      P      Bl  Bh  Clas Sub  Prot Clas Sub  Prot Info
> gnupg-ccid 0x0080 0x0    0x0    0x0 0x0 0x00 0x00 0x00 0x0B 0x00 0x00 0x00000000
> # SPR532 is CCID but without the proper CCID class
> gnupg-ccid 0x0003 0x04e6 0xe003 0x0 0x0 0x00 0x00 0x00 0x0B 0x00 0x00 0x00000000
>
>
> ______________________________________________________________________
> $ ls -l /etc/hotplug/usb/gnupg*
> -rwxr-xr-x 1 root root 724 Sep 22 2004 /etc/hotplug/usb/gnupg-ccid
> -rw-r--r-- 1 root root 865 Mar 16 16:08 /etc/hotplug/usb/gnupg-ccid.usermap
>
> Remember to chmod +x gnupg-ccid. I use the group wk instead of scard,
> so you need to change that.
>
> Does this help?

Yep

Finally it worked, many thanks!

I copied your gnupg-ccid.usermap in /etc/hotplug/usb .

My reader is HUSBSCR by Hamlet:
http://www.hamletcom.com/ProductDetails.aspx?sid=35b7b4c44d114e50969195359871a380&ProductId=3437
They declare it is win comp but two months ago, when I bought it, there
was a penguin logo, too.

Now, I'll move my key from $HOME/.gnupg to the card and I'll tell
Evolution to read the key from there to sign my e-mails.

--
Fede
_________________________________________________________________________
mune (at) fsfe.org Ing. Federico Munerotto
home http://www.krl.it/~mune
Public key http://www.krl.it/~mune/personal/misc/pk/pk.html
http://www.krl.it/~mune/personal/misc/signoraggio/
_________________________________________________________________________
"... all the modern inconveniences ..." -- Mark Twain

From mune72 at tiscali.it Wed Jul 20 22:56:48 2005
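How the match_flags column of the usermap posted in this thread selects devices, as an added example (it is not part of any list message and not the hotplug agent's own code). It assumes the usual usb_device_id-style rule that a column is compared only when its bit is set in match_flags; the three device descriptors, including the vendor-specific interface class given to the SPR532, are constructed.

```python
# Match-flag bits, copied from the comment block of the posted usermap.
MATCH_BITS = {
    "idVendor": 0x0001,
    "idProduct": 0x0002,
    "bcdDevice_lo": 0x0004,
    "bcdDevice_hi": 0x0008,
    "bDeviceClass": 0x0010,
    "bDeviceSubClass": 0x0020,
    "bDeviceProtocol": 0x0040,
    "bInterfaceClass": 0x0080,
    "bInterfaceSubClass": 0x0100,
    "bInterfaceProtocol": 0x0200,
}
COLUMNS = list(MATCH_BITS) + ["driver_info"]
INTERFACE_FIELDS = ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol")

# The two entries from the post.
USERMAP = """\
gnupg-ccid 0x0080 0x0 0x0 0x0 0x0 0x00 0x00 0x00 0x0B 0x00 0x00 0x00000000
# SPR532 is CCID but without the proper CCID class
gnupg-ccid 0x0003 0x04e6 0xe003 0x0 0x0 0x00 0x00 0x00 0x0B 0x00 0x00 0x00000000
"""


def parse_usermap(text):
    """Return a list of (script, match_flags, {column: value}) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split()
        if not line:
            continue  # comment or blank line
        if len(line) != 2 + len(COLUMNS):
            raise ValueError("expected 13 columns: %r" % raw)
        values = dict(zip(COLUMNS, (int(col, 16) for col in line[2:])))
        entries.append((line[0], int(line[1], 16), values))
    return entries


def entry_matches(flags, values, device):
    """Apply only the comparisons whose bit is set in match_flags."""
    def flagged(name):
        return bool(flags & MATCH_BITS[name])

    for name in ("idVendor", "idProduct", "bDeviceClass",
                 "bDeviceSubClass", "bDeviceProtocol"):
        if flagged(name) and device[name] != values[name]:
            return False
    # bcdDevice_lo / bcdDevice_hi bound the device release number.
    if flagged("bcdDevice_lo") and device["bcdDevice"] < values["bcdDevice_lo"]:
        return False
    if flagged("bcdDevice_hi") and device["bcdDevice"] > values["bcdDevice_hi"]:
        return False
    wanted = [name for name in INTERFACE_FIELDS if flagged(name)]
    if not wanted:
        return True
    # Assumption: one interface has to satisfy every flagged interface column.
    return any(all(iface[name] == values[name] for name in wanted)
               for iface in device["interfaces"])


def matching_entries(device, entries):
    """Indexes of the usermap entries that would run their script for device."""
    return [index for index, (_script, flags, values) in enumerate(entries)
            if entry_matches(flags, values, device)]


def make_device(vendor, product, interfaces, bcd=0x0100):
    """Build a constructed descriptor; interfaces are (class, sub, proto)."""
    return {"idVendor": vendor, "idProduct": product, "bcdDevice": bcd,
            "bDeviceClass": 0, "bDeviceSubClass": 0, "bDeviceProtocol": 0,
            "interfaces": [dict(zip(INTERFACE_FIELDS, t)) for t in interfaces]}


# Constructed descriptors (vendor/product pairs other than 04e6:e003 are made up).
GENERIC_CCID = make_device(0x1234, 0x5678, [(0x0B, 0x00, 0x00)])
SPR532 = make_device(0x04E6, 0xE003, [(0xFF, 0x00, 0x00)])
KEYBOARD = make_device(0x1234, 0x0001, [(0x03, 0x01, 0x01)])

if __name__ == "__main__":
    entries = parse_usermap(USERMAP)
    for label, dev in (("generic CCID", GENERIC_CCID), ("SPR532", SPR532),
                       ("keyboard", KEYBOARD)):
        print(label, "->", matching_entries(dev, entries))
```

The first entry fires for any device that announces interface class 0x0B, whatever its vendor, so the group the script assigns should contain only users who are meant to reach every reader that gets plugged in. The second entry ignores its 0x0B column entirely, because flags 0x0003 select vendor and product only.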
From: mune72 at tiscali.it (Federico Munerotto)
Date: Wed Jul 20 22:52:26 2005
Subject: smart card + gpg only root
In-Reply-To: <1121887904.2816.99.camel@lello.munet.org>
References: <1121770936.2814.16.camel@lello.munet.org> <87sly9q2dg.fsf@wheatstone.g10code.de> <1121857979.2816.11.camel@lello.munet.org> <87pstdocja.fsf@wheatstone.g10code.de> <1121869623.2816.48.camel@lello.munet.org> <877jflo7c4.fsf@wheatstone.g10code.de> <1121874588.2816.85.camel@lello.munet.org> <1121887904.2816.99.camel@lello.munet.org>
Message-ID: <1121893007.2816.112.camel@lello.munet.org>

On Wed, 2005-07-20 at 21:31, Federico Munerotto wrote:
> On Wed, 2005-07-20 at 17:49, Federico Munerotto wrote:
> > On Wed, 2005-07-20 at 16:55, Werner Koch wrote:
> [...]
> > > Does this help?
> >
> > Yep
> >
> > Finally it worked, many thanks!
> >
> > I copied your gnupg-ccid.usermap in /etc/hotplug/usb .
> >
> > My reader is HUSBSCR by Hamlet:
> > http://www.hamletcom.com/ProductDetails.aspx?sid=35b7b4c44d114e50969195359871a380&ProductId=3437
> > They declare it is win comp but two months ago, when I bought it, there
> > was a penguin logo, too.
> >
> > Now, I'll move my key from $HOME/.gnupg to the card and I'll tell
> > Evolution to read the key from there to sign my e-mails.
>
> I thought I'm done: I was wrong.
>
> My key wasn't writeable on the card ("You may only store a 1024 bit RSA
> key on the card"), so I thought I revoke the existing one and I will
> generate a new one.
>
> The revoking process was ok but while generating I got an error:
>
> [mune@lello mune]$ gpg --card-edit
> [...]
>
> Comando> admin
> Admin commands are allowed
>
> Comando> generate
> Make off-card backup of encryption key? (Y/n)
>
> PIN
> Per favore specifica per quanto tempo la chiave sarà valida.
> 0 = la chiave non scadrà
> <n> = la chiave scadrà dopo n giorni
> <n>w = la chiave scadrà dopo n settimane
> <n>m = la chiave scadrà dopo n mesi
> <n>y = la chiave scadrà dopo n anni
> Chiave valida per? (0)
> Key does not expire at all
> Is this correct? (y/N) y
>
> You need a user ID to identify your key; the software constructs the
> user ID
> from the Real Name, Comment and Email Address in this form:
> "Heinrich Heine (Der Dichter) "
> [...]
> Modifica (N)ome, (C)ommento, (E)mail oppure (O)kay/(Q)uit? o
> gpg: generating new key
>
> gpg: 3 Admin PIN attempts remaining before card is permanently locked
>
> Admin PIN
> gpg: please wait while key is being generated ...
> gpg: ccid_transceive failed: (0x1000a)
> gpg: apdu_send_simple(0) failed: card I/O error
> gpg: generating key failed
> gpg: key generation failed: errore generale
> Generazione della chiave fallita: errore generale
>
> Does anybody have any suggestions?
>
> Thanks

--
Fede
_________________________________________________________________________
mune (at) fsfe.org Ing. Federico Munerotto
home http://www.krl.it/~mune
Public key http://www.krl.it/~mune/personal/misc/pk/pk.html
http://www.krl.it/~mune/personal/misc/signoraggio/
_________________________________________________________________________
Today is the first day of the rest of your life.

From felix.klee at inka.de Thu Jul 21 10:33:16 2005
From: felix.klee at inka.de (Felix E. Klee)
Date: Thu Jul 21 13:09:05 2005
Subject: PGP and Smartcards?
Message-ID: <878y005uc2.wl%felix.klee@inka.de>

I'd like to do PGP with a Smartcard that contains my main private key (I
want to go for 2048 RSA, it should last for about five years) and subkeys
(they should each last for about six months). I didn't buy a smart card
for this purpose yet, and before I go ahead, I'd like to get some
questions answered:

* Can I use GnuPG for signing and decryption with a smart card and 2048
  bit RSA keys? What limitations do I have to expect, if any?

* Personally, I currently favor the Axalto Cryptoflex 32k. But is there
  any card that you recommend? (I know that there's the OpenPGP card but
  it only supports keys up to 1024 bits - not an option.)

* Why was OpenSC removed with development version 1.9.17 of GnuPG? From
  a software developer's point of view it just doesn't make sense to
  ditch an existing and supposedly well working library that provides a
  standardized interface (PKCS#11) and whose license (LGPL) is compliant
  with the license of the GnuPG.

* If not GnuPG, what free software alternatives are there for doing PGP
  signing and decryption with a smart card?

--
Felix E. Klee

From zvrba at globalnet.hr Thu Jul 21 13:09:40 2005
From: zvrba at globalnet.hr (Zeljko Vrba)
Date: Thu Jul 21 13:50:41 2005
Subject: PGP and Smartcards?
In-Reply-To: <87d5pc5zjn.wl%felix.klee@inka.de>
References: <87d5pc5zjn.wl%felix.klee@inka.de>
Message-ID: <42DF8274.4040204@globalnet.hr>

Felix E. Klee wrote:
> I'd like to do PGP with a Smartcard that contains my main private key (I
>

I have made a patch to support 3rd party smart-cards with GPG using
PKCS#11 interface. In the meantime I have abandoned the development,
however another kind individual has picked up from where I have left. In
a private communication he has said to make it work with Cryptoflex 32k
and PKCS#11 drivers from OpenSC and from the MUSCLE project.

We both believe that the most useful usage scenario is master key on the
smart-card with subkeys on the disk, as usual.

He has said to post the updated patch to this mailing list when he
polishes it. I think it won't be too long.

You can read more about the state of affairs about this (including the
relevant links) on http://zwillow.blogspot.com/

From oub at mat.ucm.es Thu Jul 21 18:18:00 2005
From: oub at mat.ucm.es (Uwe Brauer)
Date: Thu Jul 21 16:16:37 2005
Subject: same key: pgp 2.6 version and gpg version: keyserver
Message-ID: <87sly8jfpj.fsf@mat.ucm.es>

Hello

Several years ago I submitted my pgp 2.6 to the key server
http://math-www.uni-paderborn.de/pgp/.

Now I successfully exported that key to gpg. (The key has in both
programs the same ID)

I would like to submit both versions of the same key to a more
recent key server like sks.keyserver.penguin.de.

Is this possible, or would the same key in different flavours cause
problems and confusions?

Thanks

Uwe Brauer

From dshaw at jabberwocky.com Thu Jul 21 16:46:30 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Jul 21 16:42:34 2005
Subject: same key: pgp 2.6 version and gpg version: keyserver
In-Reply-To: <87sly8jfpj.fsf@mat.ucm.es>
References: <87sly8jfpj.fsf@mat.ucm.es>
Message-ID: <20050721144630.GA9164@jabberwocky.com>

On Thu, Jul 21, 2005 at 04:18:00PM +0000, Uwe Brauer wrote:
> Hello
>
>
> Several years ago I submitted my pgp 2.6 to the key server
> http://math-www.uni-paderborn.de/pgp/.
>
> Now I successfully exported that key to gpg. (The key has in both
> programs the same ID)
>
> I would like to submit both versions of the same key to a more
> recent key server like sks.keyserver.penguin.de.
>
> Is this possible, or would the same key in different flavours cause
> problems and confusions?

There is only one version of the key whether it is in PGP or GPG. Go
ahead and submit it to any keyserver you like.

David

From oub at mat.ucm.es Thu Jul 21 19:21:13 2005
From: oub at mat.ucm.es (Uwe Brauer)
Date: Thu Jul 21 17:18:00 2005
Subject: same key: pgp 2.6 version and gpg version: keyserver
References: <87sly8jfpj.fsf@mat.ucm.es> <20050721144630.GA9164@jabberwocky.com>
Message-ID: <874qaohy7q.fsf@mat.ucm.es>

>>>>> "David" == David Shaw writes:

David> On Thu, Jul 21, 2005 at 04:18:00PM +0000, Uwe Brauer
David> wrote: There is only one version of the key whether it
David> is in PGP or GPG. Go ahead and submit it to any
David> keyserver you like.

David> David

I am confused. From what I read pgp 2.6 and gpg are not compatible,
see
[1]
I cannot as a gpg user use the pgp public key in order to send a
message.
Do you agree?

So if there are then "two versions" of the same key, which is to submit?

[1] as a matter of fact I had to erase the password for the pgp key
before importing, because otherwise it did not work, that is I could not
use my imported pgp key within gpg.

From patrick at mozilla-enigmail.org Thu Jul 21 16:19:14 2005
From: patrick at mozilla-enigmail.org (Patrick Brunschwig)
Date: Thu Jul 21 17:19:51 2005
Subject: can't use the same keyring from linux on windows
In-Reply-To:
References:
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

coco coco wrote:
> Hi,
>
> I've been using thunderbird on Linux since 0.2 on my laptop, but
> recently, due to
> laptop problem, I want to move my mail to use portable thunderbird on a
> mobile hd.
>
> I've already moved my profile from Linux to the portable tb, and it's
> working fine,
>
> except, I can't get enigmail to work correctly. I've copied my pubring
> and secring
> into the gpg folder, and the key manager can show all keys correctly,
> including
> my key pairs and other people's public keys. Enigmail can figure out my
> key ID from
> my email address. But I'm still having problem getting enigmail to work
> correctly.
> When I'm trying to send a signed message, I'm getting the following
> error from
> the enigmail console:
>
> enigmail> G:\PortableThunderbird\gpg\gpg.exe --charset utf8 --batch
> --no-tty --
> status-fd 2 --comment 'Using GnuPG with Thunderbird -
> http://enigmail.mozdev.org
> ' -s -b -t -a -u 0xA41D9118undefined
> gpg: skipped "0xA41D9118undefined": malformed user id
> gpg: signing failed: malformed user id
> enigmail.js: Enigmail.encryptMessageEnd: Error in command execution
>
> I don't understand why I'm getting this. Is it because my key rings are
> from
> Linux, and I'm using it on Windows? Curiously, I can't get gpg to work
> correctly
> on the command line either. I try to encrypt a file to myself, and then
> when I
> try to decrypt, it's complaining that the secret key is not available.
>
> Could anyone give a hint on what does that mean?
>
> The GPG packaged with portable thunderbird is version 1.4.1.
>
> Thanks a lot.

This looks like Thunderbird (or Enigmail to be precise) is doing
something wrong. I would open the "OpenPGP Security" settings of the
identity you're using to check if everything is correctly configured,
especially your key ID.

- -Patrick
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2rc2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFC367h2KgHx8zsInsRAgJiAKDp6jJYrQwbfHdjml/HNk7lK+uqFQCeOade
pz4biqTl/doeXQzMll3zmLY=
=HAht
-----END PGP SIGNATURE-----

From dshaw at jabberwocky.com Thu Jul 21 17:39:32 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Jul 21 17:35:31 2005
Subject: same key: pgp 2.6 version and gpg version: keyserver
In-Reply-To: <874qaohy7q.fsf@mat.ucm.es>
References: <87sly8jfpj.fsf@mat.ucm.es> <20050721144630.GA9164@jabberwocky.com> <874qaohy7q.fsf@mat.ucm.es>
Message-ID: <20050721153932.GB9164@jabberwocky.com>

On Thu, Jul 21, 2005 at 05:21:13PM +0000, Uwe Brauer wrote:
> >>>>> "David" == David Shaw writes:
>
> David> On Thu, Jul 21, 2005 at 04:18:00PM +0000, Uwe Brauer
> David> wrote: There is only one version of the key whether it
> David> is in PGP or GPG. Go ahead and submit it to any
> David> keyserver you like.
>
> David> David
>
> I am confused. From what I read pgp 2.6 and gpg are not compatible,
> see
> [1]
> I cannot as a gpg user use the pgp public key in order to send a
> message.
> Do you agree?

No.

> So if there are then "two versions" of the same key, which is to submit?

There are not two versions of the key.

David

From rtilley at vt.edu Wed Jul 20 19:39:29 2005
From: rtilley at vt.edu (Brad Tilley)
Date: Thu Jul 21 17:45:59 2005
Subject: catching output from gpg --verify
In-Reply-To: <20050720131056.GB19229@jabberwocky.com>
References: <1121793660.9251.7.camel@athop1.ath.vt.edu> <20050720131056.GB19229@jabberwocky.com>
Message-ID: <1121881169.10294.1.camel@athop1.ath.vt.edu>

On Wed, 2005-07-20 at 09:10 -0400, David Shaw wrote:
> On Tue, Jul 19, 2005 at 01:21:00PM -0400, Brad Tilley wrote:
> > Hello Gnupg users,
> >
> > I am writing a script to automate the downloading and building of Linux
> > kernels. As a part of the script, I use gpg to check and make sure that
> > the kernel key is installed:
> >
> > check = os.popen('gpg --list-keys')
> > data = check.read()
> > check.close()
> >
> > This works well. I can read the data from gpg --list-keys and check it
> > and then proceed. If the key is not installed, I download and install
> > it, if it is installed, I move on.
> >
> > However, the next case in which I need to use gpg fails because I cannot
> > capture the output of gpg --verify:
> >
> > cmd = os.popen('gpg --verify kernel_name_sig kernel_name')
> > data = cmd.read()
> > cmd.close()
> >
> > I've tried re-directing the output to a file (doesn't work) from the
> > command line and from my script. Any tips on how to capture this output
> > would be greatly appreciated.
>
> The problem here is not really that you can't capture the output, but
> that you shouldn't capture the output. The output of GPG is very
> subject to change, and every time we change GPG, we'll break your
> script.
>
> There are two good ways to do this safely:
>
> 1) Use something like:
>
> gpg --status-fd 1 --verify kernel_name_sig kernel_name 2>/dev/null

Thank you. I found this solution to work better for my situation. I
appreciate your advice. Have a nice day.

>
> That will cause a machine readable series of messages to appear on
> stdout. If you see a VALIDSIG tag, you know the signature is good.
>
> 2) Use gpgv, which is just a signature verification tool and exits 0
> if the signature is good, and non-0 otherwise.
>
> David

From oub at mat.ucm.es Thu Jul 21 21:46:44 2005
From: oub at mat.ucm.es (Uwe Brauer)
Date: Thu Jul 21 19:44:00 2005
Subject: same key: pgp 2.6 version and gpg version: keyserver
References: <87sly8jfpj.fsf@mat.ucm.es> <20050721144630.GA9164@jabberwocky.com> <874qaohy7q.fsf@mat.ucm.es> <20050721153932.GB9164__36800.6413490095$1121963143$gmane$org@jabberwocky.com>
Message-ID: <874qaoeycb.fsf@mat.ucm.es>

>>>>> "David" == David Shaw writes:

David> On Thu, Jul 21, 2005 at 05:21:13PM +0000, Uwe Brauer wrote:
>> >>>>> "David" == David Shaw writes:
>>
David> On Thu, Jul 21, 2005 at 04:18:00PM +0000, Uwe Brauer
David> wrote: There is only one version of the key whether it
David> is in PGP or GPG. Go ahead and submit it to any
David> keyserver you like.
>>
David> David
>>
>> I am confused. From what I read pgp 2.6 and gpg are not compatible,
>> see
>> [1]
>> I cannot as a gpg user use the pgp public key in order to send a
>> message.
>> Do you agree?

David> No.

Aha, I asked some weeks ago about how to import my pgp 2.6 to gpg,
because following the rules mentioned above
gpg --import private.pgp
and the like did NOT work, that is I used the imported key and tried
to send myself a message using enigmail and failed,
the reason seems to be IDEA (well you can compile IDEA support into
gpg however this is not standard.)

See the messages:
Message-ID: <87k6kcf6hs.fsf@mat.ucm.es>
Message-ID: <42C3BA05.2050905@mark-kirchner.de>
and especially
Message-ID: <87slz06sk5.fsf@wheatstone.g10code.de>

Where Werner advises to empty the pass-phrase in pgp2.6, import it to gpg
and then introduce a pass-phrase.

So I conclude from that that a pgp2.6 with IDEA protected pass-phrase
is NOT the same as the imported key into gpg, where the pass phrase is
protected by other algorithm.

Uwe

From dshaw at jabberwocky.com Thu Jul 21 20:01:11 2005
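For the `gpg --status-fd 1 --verify` approach David Shaw recommends in the "catching output from gpg --verify" thread above, here is an added example (not part of any list message and not GnuPG's own code) of reading the status lines from a Python script like the one in the thread. It goes one step beyond the thread by pinning the signer's fingerprint and by refusing on reject keywords; those keyword names and the VALIDSIG field order are taken from GnuPG's doc/DETAILS, and every key ID, fingerprint and name in the sample data is constructed.

```python
import subprocess

STATUS_PREFIX = "[GNUPG:] "
# Status keywords that rule a signature out (names from GnuPG's doc/DETAILS).
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def parse_status(text):
    """Return (keyword, args) for every status line; skip all other output."""
    records = []
    for line in text.splitlines():
        if line.startswith(STATUS_PREFIX):
            fields = line[len(STATUS_PREFIX):].split()
            if fields:
                records.append((fields[0], fields[1:]))
    return records


def signature_ok(text, pinned_fpr):
    """True only for a single VALIDSIG made by the pinned key, with no reject tag."""
    pinned = pinned_fpr.replace(" ", "").upper()
    if len(pinned) != 40:
        raise ValueError("pin the full 40-hex-digit fingerprint, not a key ID")
    records = parse_status(text)
    if any(keyword in REJECT for keyword, _ in records):
        return False
    valid = [args for keyword, args in records if keyword == "VALIDSIG"]
    # Simplification: files carrying several signatures are refused.
    if len(valid) != 1 or not valid[0]:
        return False
    # First field: fingerprint of the signing (sub)key.  Last field, when gpg
    # reports it: fingerprint of the primary key.
    return pinned in (valid[0][0].upper(), valid[0][-1].upper())


def verify_file(sig_path, data_path, pinned_fpr, gpg="gpg"):
    """Run the command from the thread and judge its status output."""
    proc = subprocess.run(
        [gpg, "--status-fd", "1", "--verify", sig_path, data_path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,
        text=True, check=False)
    return proc.returncode == 0 and signature_ok(proc.stdout, pinned_fpr)


# Constructed status output; key IDs, fingerprints and names are made up.
PINNED = "0123456789ABCDEF0123456789ABCDEF01234567"

# Good signature made by a subkey of the pinned primary key.
GOOD = """\
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer
[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2005-07-15 1121424000 0 3 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567
"""

# Bad signature whose user ID text happens to contain the word VALIDSIG:
# a substring search for "VALIDSIG" would accept this output.
BAD_UID = """\
[GNUPG:] BADSIG 0123456789ABCDEF VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567
"""

# Cryptographically valid signature, but from a key that is not the pinned one.
OTHER_KEY = """\
[GNUPG:] GOODSIG FEDCBA9876543210 Somebody Else
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2005-07-15 1121424000 0 3 0 17 2 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
"""

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad", BAD_UID), ("other", OTHER_KEY)):
        print(label, signature_ok(sample, PINNED))
```

VALIDSIG alone says that some key in the keyring made a good signature; comparing the fingerprint is what ties the result to the key the script actually expects.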
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Jul 21 19:57:10 2005
Subject: same key: pgp 2.6 version and gpg version: keyserver
In-Reply-To: <874qaoeycb.fsf@mat.ucm.es>
References: <87sly8jfpj.fsf@mat.ucm.es> <20050721144630.GA9164@jabberwocky.com> <874qaohy7q.fsf@mat.ucm.es> <20050721153932.GB9164__36800.6413490095$1121963143$gmane$org@jabberwocky.com> <874qaoeycb.fsf@mat.ucm.es>
Message-ID: <20050721180111.GA9501@jabberwocky.com>

On Thu, Jul 21, 2005 at 07:46:44PM +0000, Uwe Brauer wrote:
> >>>>> "David" == David Shaw writes:
>
> David> On Thu, Jul 21, 2005 at 05:21:13PM +0000, Uwe Brauer wrote:
> >> >>>>> "David" == David Shaw writes:
> >>
> David> On Thu, Jul 21, 2005 at 04:18:00PM +0000, Uwe Brauer
> David> wrote: There is only one version of the key whether it
> David> is in PGP or GPG. Go ahead and submit it to any
> David> keyserver you like.
> >>
> David> David
> >>
> >> I am confused. From what I read pgp 2.6 and gpg are not compatible,
> >> see
> >> [1]
> >> I cannot as a gpg user use the pgp public key in order to send a
> >> message.
> >> Do you agree?
>
> David> No.
>
> Aha, I asked some weeks ago about how to import my pgp 2.6 to gpg,
> because following the rules mentioned above
> gpg --import private.pgp
> and the like did NOT work, that is I used the imported key and tried
> to send myself a message using enigmail and failed,
> the reason seems to be IDEA (well you can compile IDEA support into
> gpg however this is not standard.)
>
> See the messages:
> Message-ID: <87k6kcf6hs.fsf@mat.ucm.es>
> Message-ID: <42C3BA05.2050905@mark-kirchner.de>
> and especially
> Message-ID: <87slz06sk5.fsf@wheatstone.g10code.de>
>
> Where Werner advises to empty the pass-phrase in pgp2.6, import it to gpg
> and then introduce a pass-phrase.
>
> So I conclude from that that a pgp2.6 with IDEA protected pass-phrase
> is NOT the same as the imported key into gpg, where the pass phrase is
> protected by other algorithm.

You changed the secret key. The public key is the one that goes on the
keyserver and is exactly the same between PGP and GPG.

David

From gnupg-users=gnupg.org at lists.palfrader.org Thu Jul 21 20:03:51 2005
From: gnupg-users=gnupg.org at lists.palfrader.org (Peter Palfrader)
Date: Thu Jul 21 19:59:20 2005
Subject: same key: pgp 2.6 version and gpg version: keyserver
In-Reply-To: <874qaoeycb.fsf@mat.ucm.es>
References: <87sly8jfpj.fsf@mat.ucm.es> <20050721144630.GA9164@jabberwocky.com> <874qaohy7q.fsf@mat.ucm.es> <20050721153932.GB9164__36800.6413490095$1121963143$gmane$org@jabberwocky.com> <874qaoeycb.fsf@mat.ucm.es>
Message-ID: <20050721180351.GK32765@opium.palfrader.org>

On Thu, 21 Jul 2005, Uwe Brauer wrote:

> Where Werner advises to empty the pass-phrase in pgp2.6, import it to gpg
> and then introduce a pass-phrase.
>
> So I conclude from that that a pgp2.6 with IDEA protected pass-phrase
> is NOT the same as the imported key into gpg, where the pass phrase is
> protected by other algorithm.

It's still the same public key.

[Tho really you should create a new version 4 key. Version 3 (old pgp
2.6 keys) are obsolete and support for them may eventually go away (the
sooner the better)]

--
 PGP signed and encrypted  |  .''`.  ** Debian GNU/Linux **
    messages preferred.    | : :' :      The universal
                           | `. `'      Operating System
 http://www.palfrader.org/ |   `-    http://www.debian.org/

From oub at mat.ucm.es Thu Jul 21 22:57:37 2005
From: oub at mat.ucm.es (Uwe Brauer)
Date: Thu Jul 21 20:54:34 2005
Subject: same key: pgp 2.6 version and gpg version: keyserver
References: <87sly8jfpj.fsf@mat.ucm.es> <20050721144630.GA9164@jabberwocky.com> <874qaohy7q.fsf@mat.ucm.es> <20050721153932.GB9164__36800.6413490095$1121963143$gmane$org@jabberwocky.com> <874qaoeycb.fsf@mat.ucm.es> <20050721180351.GK32765@opium.palfrader.org>
Message-ID: <873bq7ev26.fsf@mat.ucm.es>

>>>>> "Peter" == Peter Palfrader
>>>>> writes:

Peter> It's still the same public key.

Peter> [Tho really you should create a new version 4 key. Version 3 (old pgp
Peter> 2.6 keys) are obsolete and support for them may eventually go away (the
Peter> sooner the better)]

Well the problem is that my 2.6 key is already around, that I have a
lot of messages already encrypted with this key (I know gpg cannot
decrypt it even with the imported key.)

I want backward compatibility as much as I can have.

From johanw at vulcan.xs4all.nl Fri Jul 22 00:32:24 2005
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Fri Jul 22 09:23:01 2005
Subject: same key: pgp 2.6 version and gpg version: keyserver
In-Reply-To: <873bq7ev26.fsf@mat.ucm.es>
Message-ID: <200507212232.j6LMWOsr004289@vulcan.xs4all.nl>

Uwe Brauer wrote:

>Well the problem is that my 2.6 key is already around, that I have a
>lot messages already encrypted with this key (I know gpg cannot
>decrypt it even with the imported key.)

Then you're using the wrong options or you're not using the idea plugin
(win32) or have not compiled in idea.c (other OSes).

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From wk at gnupg.org Fri Jul 22 10:12:37 2005
From: wk at gnupg.org (Werner Koch)
Date: Fri Jul 22 10:11:21 2005
Subject: PGP and Smartcards?
In-Reply-To: <878y005uc2.wl%felix.klee@inka.de> (Felix E. Klee's message of "Thu, 21 Jul 2005 12:25:49 +0200")
References: <878y005uc2.wl%felix.klee@inka.de>
Message-ID: <87r7drgsy2.fsf@wheatstone.g10code.de>

On Thu, 21 Jul 2005 12:25:49 +0200, Felix E Klee said:

> * Can I use GnuPG for signing and decryption with a smart card and 2048
> bit RSA keys? What limitations do I have to expect, if any?

Cards able to generate and use 2k RSA keys are not easily
available. This will change in a year or so. State of the art is
still 1k RSA.

> * Personally, I currently favor the Axalto Cryptoflex 32k. But is there
> any card that you recommend? (I know that there's the OpenPGP card but
> it only supports keys up to 1024 bits - not an option.)

gpg only supports the OpenPGP card specification. You are free to
implement it on your card.

> * Why was OpenSC removed with development version 1.9.17 of GnuPG? From
> a software developer's point of view it just doesn't make sense to
> ditch an existing and supposedly well working library that provides a

 * OpenSC is a huge and complex library with an ever changing API and
   often hidden ABI changes. It just makes too much trouble.

 * It requires your application to use pthreads which conflicts with the
   use of another threading library; GNU Pth in our case.

 * We only need to _read_ PKCS#15 structures and not to _create_ them.
   Thus it is actually pretty easy to implement. PKCS#15 has
   intentionally been designed to ease things.

> standardized interface (PKCS#11) and whose license (LGPL) is compliant
> with the license of the GnuPG.

Not really: You need to build OpenSC without OpenSSL support.
Otherwise you put additional restrictions on any GPL program linking
to OpenSC - which is not compatible to the GPL. Frankly, I don't
understand why the OpenSC folks still do this. I complained about
this several times in the last years and it is one of the reasons why
I stopped working on OpenSC (I wrote the support for TCOS and
MICARDO).

> * If not GnuPG, what free software alternatives are there for doing PGP
> signing and decryption with a smart card?

I don't know. For me the smartcard support works pretty well and I
know quite some people who are using it day by day for email and to
mount encrypted file systems.

Salam-Shalom,

   Werner

From dshaw at jabberwocky.com Fri Jul 22 18:18:29 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri Jul 22 18:14:48 2005
Subject: no-ask-cert-expire during sign-key
In-Reply-To: <20050720131151.GE32765@opium.palfrader.org>
References: <20050720131151.GE32765@opium.palfrader.org>
Message-ID: <20050722161829.GB12845@jabberwocky.com>

On Wed, Jul 20, 2005 at 03:11:51PM +0200, Peter Palfrader wrote:
> Hi,
>
> gpg (1.4.1) always asks whether UID certifications should expire on the
> same day as the primary key:
>
> | weasel@galaxy:~$ gpg --no-ask-cert-expire --sign-key 52C8180E
> | [..]
> | pub 1024D/52C8180E created: 2004-12-11 expires: 2012-12-10 usage: CS
> | trust: marginal validity: full
> | Primary key fingerprint: 77FA 0CBE A7BB 268A 312B DB25 3D45 FF99 52C8 180E
> |
> | Matthias Bauer
> | Matthias Bauer
> |
> | This key is due to expire on 2012-12-10.
> | Do you want your signature to expire at the same time? (Y/n)
>
> I always answer no to this question.
>
> Is it possible to change the behaviour of --no-ask-cert-expire to also
> apply to this case? At least the manpage suggests that it already should do
> just that:

Ok, done for 1.4.2.

David

From dshaw at jabberwocky.com Fri Jul 22 18:32:20 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri Jul 22 18:28:18 2005
Subject: Filename for digests
In-Reply-To: <9becbfe9ec8442159d366f025906efa1@biglumber.com>
References: <3273.213.169.27.161.1121529376.squirrel@mail.rbgi.net> <9becbfe9ec8442159d366f025906efa1@biglumber.com>
Message-ID: <20050722163220.GC12845@jabberwocky.com>

On Sat, Jul 16, 2005 at 10:44:52PM -0000, Greg Sabino Mullane wrote:
>
>
> > Yes, I agree that the standard format is the best one to use, but I was
> > asking about the name of the file, not its format. For example, if I'm
> > going to share a directory with 1000 files, it would be inconvenient to
> > save each file's hash as a separate file, and just add a .sha1 extension
> > (resulting in 2000 files). So therefore I would store all the hashes in
> > one file. But what should this file be called? sha1sums? hashes.sha1?
> > digests.sha1? Is the .sha1 extension important?
>
> One pseudo-standard in place is to use uppercase for important meta-files
> like README and INSTALL. One named "CHECKSUMS" or "CHECKSUMS.sha1"
> should stand out enough. A signed version could be "CHECKSUMS.asc"
> or even CHECKSUMS.sha1.asc, etc.

Red Hat and others use a filename of "MD5SUM", which is a clearsigned
file containing the human readable MD5 hashes. I like your CHECKSUMS
idea better since MD5 isn't the way to go any longer.

David

From felix.klee at inka.de Fri Jul 22 19:01:57 2005
From: felix.klee at inka.de (Felix E. Klee) Date: Fri Jul 22 18:59:26 2005 Subject: PGP and Smartcards? In-Reply-To: <87r7drgsy2.fsf@wheatstone.g10code.de> References: <878y005uc2.wl%felix.klee@inka.de> <87r7drgsy2.fsf@wheatstone.g10code.de> Message-ID: <87ll3ylqpm.wl%felix.klee@inka.de> At Fri, 22 Jul 2005 10:12:37 +0200, Werner Koch wrote: > > * Can I use GnuPG for signing and decryption with a smart card and > > 2048 bit RSA keys? What limitations do I have to expect, if any? > > Cards able to generate and use 2k RSA keys are not easily > available. This will change in a year or so. State of the art is > still 1k RSA. OpenPGP cards with 2048 bit keys don't seem to be available at all. However, ordinary ISO 7816-4 compliant smart cards are available through online outlets. For example CryptoFlex and CyberFlex cards can be bought at Axalto's web shop [1] (only in packages of five, though) or at IT-Secure's webshop [2] based in Switzerland. Aladdin eToken PRO smart cards should also be available at web shops. Price for these and similar cards is somewhere between 20 EUR and 30 EUR per piece. > > * Personally, I currently favor the Axalto Cryptoflex 32k. But is there > > any card that you recommend? (I know that there's the OpenPGP card but > > it only supports keys up to 1024 bits - not an option.) > > gpg only supports the OpenPGP card specification. You are free to > implement it on your card. Uh, I guess this would cost me too much time. One solution, though, would be to buy a JavaCard and try to run and enhance the OpenPGP Java implementation that was started by Zeljko Vrba [3]. A simpler solution, though, would probably be porting code for accessing an Axalto CryptoFlex 32k to GnuPG, or helping fork a "clean" PKCS#11 library from OpenSC and interfacing it to GnuPG. But before thinking about doing anything like that, I'd like to clarify: Can the crypto capabilities on an ISO 7816-4 compliant card actually be used for doing PGP? 
The thing is: All that I need is a card that can securely store a (private) RSA key and that can encrypt and decrypt data with this key. All other things - e.g. encrypting with public keys, decrypting messages with unencrypted session keys, hashing of messages to be signed - don't need to be done on the card. They could safely be done on the host computer. [1] [2] [3] -- Felix E. Klee From michaeln at twentyten.org Fri Jul 22 21:39:10 2005 From: michaeln at twentyten.org (Michael Nguyen) Date: Fri Jul 22 22:15:12 2005 Subject: Getting Started... Message-ID: <01a701c58ef5$0b7c3bb0$800101df@oldeenglish> So... I'm trying to get started, but I was wondering if the people here could give me some suggestions on what I need to do. The How-To's and guides seem to focus on using the GnuPG command line package, but what I'm trying to do is create a GnuPG aware application. Basically I want to write a GnuPG plugin for Postfix. What libraries do I need to download? I started with GPGME, but realized that I'm not really sure what I need here. Is there a place where I can look at function prototypes or a similar type guide? Thanks in advance! Michael From wk at gnupg.org Fri Jul 22 22:19:22 2005 
From: wk at gnupg.org (Werner Koch) Date: Fri Jul 22 22:16:18 2005 Subject: PGP and Smartcards? In-Reply-To: <87ll3ylqpm.wl%felix.klee@inka.de> (Felix E. Klee's message of "Fri, 22 Jul 2005 19:01:57 +0200") References: <878y005uc2.wl%felix.klee@inka.de> <87r7drgsy2.fsf@wheatstone.g10code.de> <87ll3ylqpm.wl%felix.klee@inka.de> Message-ID: <87ll3yd25x.fsf@wheatstone.g10code.de> On Fri, 22 Jul 2005 19:01:57 +0200, Felix E Klee said: > OpenPGP cards with 2048 bit keys don't seem to be available at all. > However, ordinary ISO 7816-4 compliant smart cards are available through > online outlets. For example CryptoFlex and CyberFlex cards can be Good luck getting a secure and fast 2k RSA card. > Uh, I guess this would cost me too much time. One solution, though, > would be to buy a JavaCard and try to run and enhance the OpenPGP Java > implementation that was started by Zeljko Vrba [3]. Java cards do have some restrictions which don't allow to implement ISO commands. > A simpler solution, though, would probably be porting code for accessing > an Axalto CryptoFlex 32k to GnuPG, or helping fork a "clean" PKCS#11 > library from OpenSC and interfacing it to GnuPG. But before thinking We won't support pkcs#11 because it is not a standard but a way to interconnect proprietary applications using proprietary extensions to pkcs#11. > Can the crypto capabilities on an ISO 7816-4 compliant card actually be > used for doing PGP? -4 does not define asymmetric crypto. You want -8. The OpenPGP card is ISO 7816-8 compliant. > The thing is: All that I need is a card that can securely store a > (private) RSA key and that can encrypt and decrypt data with this key. Well, I am using that for a long time now and the latest gpg releases work pretty well. However if you want 2048k RSA I have no instant solution; OTOH the card is for sure not the weakest link and 1024 RSA is still far out of scope of any attack. Salam-Shalom, Werner From zvrba at globalnet.hr Fri Jul 22 22:42:20 2005 
From: zvrba at globalnet.hr (Zeljko Vrba) Date: Fri Jul 22 22:37:28 2005 Subject: PGP and Smartcards? In-Reply-To: <87ll3yd25x.fsf@wheatstone.g10code.de> References: <878y005uc2.wl%felix.klee@inka.de> <87r7drgsy2.fsf@wheatstone.g10code.de> <87ll3ylqpm.wl%felix.klee@inka.de> <87ll3yd25x.fsf@wheatstone.g10code.de> Message-ID: <42E15A2C.40402@globalnet.hr> Werner Koch wrote: > On Fri, 22 Jul 2005 19:01:57 +0200, Felix E Klee said: >>Uh, I guess this would cost me too much time. One solution, though, >>would be to buy a JavaCard and try to run and enhance the OpenPGP Java >>implementation that was started by Zeljko Vrba [3]. > > Java cards do have some restrictions which don't allow to implement > ISO commands. > I would disagree on that. Java Card is totally programmable and if you want you can implement the complete ISO7816 command set (as far as the hardware permits, of course). The downside is that you will have to implement your own filesystem, etc, but it is doable. Returning to the topic - to make JavaCard functional with GPG you don't need to implement the whole ISO7816. Just the commands defined by the spec. There are no limitations in the JavaCard platform itself that would prevent writing a fully functional, OpenPGP-compliant applet. Why I didn't finish the development - because I've found some discrepancies between the GPG code, OpenPGP card spec and the PKCS#1 padding spec. Added to that that the Sun's cref EMULATOR doesn't support raw PKCS#1 (so that I could do and test my own padding in the applet).. I did not want to write code I couldn't test. In the mean time I've switched interests, but maybe I afford myself a JCOP card trial kit (http://www.zurich.ibm.com/jcop/news/news.html) and get the thing finished. Now it does only signing and handles the on-card user data. BTW, that "maybe" is not about the money (JCOP toolkit is not very expensive), but a matter of time. And when that "maybe" will happen I can't tell. 
Felix, if you wish to finish the applet yourself, I can help you a bit with the existing code, if you need help. Best regards, Zeljko. From oskar at rbgi.net Fri Jul 22 23:33:53 2005 From: oskar at rbgi.net (Oskar L.) Date: Fri Jul 22 23:30:03 2005 Subject: Filename for digests In-Reply-To: <20050722163220.GC12845@jabberwocky.com> References: <3273.213.169.27.161.1121529376.squirrel@mail.rbgi.net><9becbfe9ec8442159d366f025906efa1@biglumber.com> <20050722163220.GC12845@jabberwocky.com> Message-ID: <2527.213.169.2.124.1122068033.squirrel@mail.rbgi.net> > Red Hat and others use a filename of "MD5SUM", which is a clearsigned > file containing the human readable MD5 hashes. I like your CHECKSUMS > idea better since MD5 isn't the way to go any longer. > > David Naming a file containing hashes CHECKSUMS would not be a good idea, since a hash is not the same as a checksum. I think sha1sums, sha256sums, sha384sums etc. would be a better option. Do any important applications (i.e. Free Software) make use of the .md5 or .sha1 extensions? Oskar From felix.klee at inka.de Fri Jul 22 23:42:39 2005 
From: felix.klee at inka.de (Felix E. Klee) Date: Fri Jul 22 23:40:04 2005 Subject: PGP and Smartcards? In-Reply-To: <87ll3yd25x.fsf@wheatstone.g10code.de> References: <878y005uc2.wl%felix.klee@inka.de> <87r7drgsy2.fsf@wheatstone.g10code.de> <87ll3ylqpm.wl%felix.klee@inka.de> <87ll3yd25x.fsf@wheatstone.g10code.de> Message-ID: <87k6jildps.wl%felix.klee@inka.de> At Fri, 22 Jul 2005 22:19:22 +0200, Werner Koch wrote: > > OpenPGP cards with 2048 bit keys don't seem to be available at all. > > However, ordinary ISO 7816-4 compliant smart cards are available > > through online outlets. For example CryptoFlex and CyberFlex cards > > can be > > Good luck getting a secure and fast 2k RSA card. Your wording implies that the cards I mentioned aren't both secure and fast. Any pointers? > > A simpler solution, though, would probably be porting code for > > accessing an Axalto CryptoFlex 32k to GnuPG, or helping fork a > > "clean" PKCS#11 library from OpenSC and interfacing it to GnuPG. > > But before thinking > > We won't support pkcs#11 because it is not a standard I know that the PKCS are more or less standard suggestions. IMHO this isn't that interesting, though. The point is that AFAICS PKCS#11 clearly defines an API, and perhaps it may become an ISO standard in the future (as other PKCS have done). If GnuPG would provide an interface to PKCS#11, then the user would have the choice among all crypto devices for which free software PKCS#11 implementations are available. Aside from OpenSC there are other PKCS#11 libraries such as the MUSCLE Framework or openCryptoki (unfortunately those two feature GPL incompatible licenses but who says that this won't change?). > but a way to interconnect proprietary applications using proprietary > extensions to pkcs#11. Well I guess one doesn't have to use those unless one interfaces with proprietary libs (which is not an option due to licensing issues). 
> > The thing is: All that I need is a card that can securely store a > > (private) RSA key and that can encrypt and decrypt data with this > > key. > > Well, I am using that for a long time now and the latest gpg releases > work pretty well. However if you want 2048k RSA I have no instant > solution; Perhaps I'll indeed buy two of those because everything else seems to be like too much hassle. I may limit my new master key's life time to two years, and then see if other devices are around. > OTOH the card is for sure not the weakest link and 1024 RSA is still > far out of scope of any attack. About the weakest link: For a master key the length of the key may well be the weakest link if the master key is stored away in a safe place and if it is only used once in a while on reasonably tamper proof systems not connected to a network. [1] https://sourceforge.net/projects/opencryptoki/ -- Felix E. Klee From felix.klee at inka.de Fri Jul 22 23:57:09 2005 From: felix.klee at inka.de (Felix E. Klee) Date: Fri Jul 22 23:54:32 2005 Subject: PGP and Smartcards? In-Reply-To: <42E15A2C.40402@globalnet.hr> References: <878y005uc2.wl%felix.klee@inka.de> <87r7drgsy2.fsf@wheatstone.g10code.de> <87ll3ylqpm.wl%felix.klee@inka.de> <87ll3yd25x.fsf@wheatstone.g10code.de> <42E15A2C.40402@globalnet.hr> Message-ID: <87hdemld1m.wl%felix.klee@inka.de> At Fri, 22 Jul 2005 22:42:20 +0200, Zeljko Vrba wrote: > Felix, if you wish to finish the applet yourself, I can help you a bit > with the existing code, if you need help. Right at the moment, I also have time problems ;-). But I may be interested to do that in the near future. -- Felix E. Klee From dshaw at jabberwocky.com Sat Jul 23 01:33:52 2005 
From: dshaw at jabberwocky.com (David Shaw) Date: Sat Jul 23 01:29:53 2005 Subject: Filename for digests In-Reply-To: <2527.213.169.2.124.1122068033.squirrel@mail.rbgi.net> References: <20050722163220.GC12845@jabberwocky.com> <2527.213.169.2.124.1122068033.squirrel@mail.rbgi.net> Message-ID: <20050722233352.GA13508@jabberwocky.com> On Sat, Jul 23, 2005 at 03:33:53AM +0000, Oskar L. wrote: > > Red Hat and others use a filename of "MD5SUM", which is a clearsigned > > file containing the human readable MD5 hashes. I like your CHECKSUMS > > idea better since MD5 isn't the way to go any longer. > > Naming a file containing hashes CHECKSUMS would not be a good idea, since > a hash is not the same as a checksum. Sure they are. Or rather, a hash makes a very effective checksum, and that's how we're talking about using them, as a redundancy check. Where do you think the "sum" from md5sum/sha1sum/etc comes from? David From highspeednodrag at comcast.net Sat Jul 23 02:52:07 2005 From: highspeednodrag at comcast.net (highspeednodrag@comcast.net) Date: Sat Jul 23 03:25:32 2005 Subject: Changing the email address on an existing key...how? Should I? Message-ID: <200507221752.07248.highspeednodrag@comcast.net> Is it possible (or advisable) to change the email address on an existing pgp key? I'm using GnuPG 1.4.1 on Linux. The man pages do not show how to change or edit the mail address of an existing key. I've had the key(s) a long time and friends use them. I use the same key on several platforms. It would not be too much hassle for me to just create another key with the correct mail address and distribute the public key. What is good practice in this regard and where might I read more about it? TIA. Or, should I just add a user ID to my existing key so several mail addresses are included in one key? -- Heisenberg was right, I think. From dshaw at jabberwocky.com Sat Jul 23 04:26:21 2005 
From: dshaw at jabberwocky.com (David Shaw) Date: Sat Jul 23 04:22:25 2005 Subject: Changing the email address on an existing key...how? Should I? In-Reply-To: <200507221752.07248.highspeednodrag@comcast.net> References: <200507221752.07248.highspeednodrag@comcast.net> Message-ID: <20050723022621.GA13965@jabberwocky.com> On Fri, Jul 22, 2005 at 05:52:07PM -0700, highspeednodrag@comcast.net wrote: > Is it possible (or advisable) to change the email address on an existing pgp > key? > > I'm using GnuPG 1.4.1 on Linux. The man pages do not show how to change or > edit the mail address of an existing key. > > I've had the key(s) a long time and friends use them. I use the same key on > several platforms. It would not be too much hassle for me to just create > another key with the correct mail address and distribute the public key. > > What is good practice in this regard and where might I read more about it? > TIA. > > Or, should I just add a user ID to my existing key so several mail addresses > are included in one key? There isn't a way to edit an email address on a key. That is a feature, for various reasons. What you need to do is generate a new address on that key, and then revoke the old address. Some people have many old addresses (revoked) on their keys. Some people just make a whole new key. It's really a question of how easy it is in your environment to make a new key, and whether you have signatures (on the non-revoked user IDs) that you want to keep, etc. David From kabads at gmail.com Sat Jul 23 23:12:00 2005 
From: kabads at gmail.com (Adam Cripps) Date: Sun Jul 24 00:09:50 2005 Subject: Getting Started... In-Reply-To: <01a701c58ef5$0b7c3bb0$800101df@oldeenglish> References: <01a701c58ef5$0b7c3bb0$800101df@oldeenglish> Message-ID: On 7/22/05, Michael Nguyen wrote: > So... I'm trying to get started, but I was wondering if the people here > could give me some suggestions on what I need to do. The How-To's and > guides seem to focus on using the GnuPG command line package, but what I'm > trying to do is create a GnuPG aware application. > > Basically I want to write a GnuPG plugin for Postfix. What libraries do I > need to download? I started with GPGME, but realized that I'm not really > sure what I need here. Is there a place where I can look at function > prototypes or a similar type guide? > > Thanks in advance! > > > Michael > Just out of interest, why do you want to write a plugin for Postfix - what is the end result? What functionality do you want to add to Postfix? Adam -- http://www.monkeez.org PGP key: 0x7111B833 From kutinskyv at obninsk.com Sun Jul 24 18:00:48 2005 From: kutinskyv at obninsk.com (Vladimir N. Kutinsky) Date: Sun Jul 24 17:56:47 2005 Subject: zlib inflate problem Message-ID: Hi, I am decrypting files sent to me by another user through my HTTP server. Quite often I get errors that look like the following snippet: "gpg: fatal: zlib inflate problem: oversubscribed dynamic bit lengths tree secmem usage: 2368/3808 bytes in 4/9 blocks of pool 3904/32768" Could you please tell me what might cause this problem? I am using GnuPG 1.4.1 on a Win2000. File encryption/decryption is performed in a batch mode. For encryption: gpg --openpgp --output OutFile --recipient Recipient --armor --yes --batch --encrypt InFile For decryption: gpg --openpgp --output OutFile --yes --batch --passphrase-fd 0 --decrypt InFile Thanks, Vladimir From felix.klee at inka.de Sun Jul 24 18:05:26 2005 
From: felix.klee at inka.de (Felix E. Klee) Date: Sun Jul 24 18:02:56 2005 Subject: PGP and Smartcards? In-Reply-To: <42DF8274.4040204@globalnet.hr> References: <87d5pc5zjn.wl%felix.klee@inka.de> <42DF8274.4040204@globalnet.hr> Message-ID: <87ek9ob35l.wl%felix.klee@inka.de> At Thu, 21 Jul 2005 13:09:40 +0200, Zeljko Vrba wrote: > > I'd like to do PGP with a Smartcard that contains my main private > > key (I > > I have made a patch to support 3rd party smart-cards with GPG using > PKCS#11 interface. > > In the mean time I have abandoned the development, however another > kind individual has picked up from where I have left. In a private > communication he has said to make it work with Cryptoflex 32k and > PKCS#11 drivers from OpenSC and from the MUSCLE project. This does indeed look very interesting. However, at the moment I don't have a CryptoFlex 32k at hand and time doesn't permit me to play too much with this smart card stuff. For the time being, I may simply buy an OpenPGP card with support for 1024 bit keys and use that for my day to day use. After all, 1024bit keys still seem to be quite secure. There have been some rumors that say otherwise, but they seem to be based on misunderstandings (at least that's what RSA says in a 2002 technical note [1]). > We both believe that the most useful usage scenario is master key on > the smart-card with subkeys on the disk, as usual. Huh? AFAICS, in general it is more important to have the subkeys on a smart card than the master key. After all the master key can be stored in a safe place at home (e.g. on a CD, though a smart card would be more secure). The subkeys are usually carried around and are, thus, easy subject for thieves. 
Also for a cracker it should usually be much easier to gain access to an everyday-machine with Internet access than it is to get access to a system primarily used for maintaining PGP keys (such a system should not have network access and, for additional security, it should be booted from a reasonably tamper proof device, e.g. from a Knoppix CD off a recently bought computer journal). > You can read more about the state of affairs about this (including the > relevant links) on http://zwillow.blogspot.com/ I read about the licensing issue that you complain about in your blog. Although, I say that combining incompatible licenses is a no-no, I would appreciate it if GPG would incorporate an interface to PKCS#11 since both issues are essentially unrelated. [1] http://www.rsasecurity.com/rsalabs/node.asp?id=2007 -- Felix E. Klee From kutinskyv at obninsk.com Sun Jul 24 21:58:13 2005 From: kutinskyv at obninsk.com (Vladimir N. Kutinsky) Date: Sun Jul 24 21:54:12 2005 Subject: gpg doesn't know In-Reply-To: Message-ID: Does anyone know what it means? "gpg: CRC error; 92501E - 300D6B gpg: [don't know]: invalid packet (ctb=2b)" Thanks, Vladimir From jharris at widomaker.com Mon Jul 25 01:03:26 2005 
From: jharris at widomaker.com (Jason Harris) Date: Mon Jul 25 01:51:22 2005 Subject: new (2005-07-24) keyanalyze results (+sigcheck) Message-ID: <20050724230326.GA356@wilma.widomaker.com> New keyanalyze results are available at: http://keyserver.kjsl.com/~jharris/ka/2005-07-24/ Signatures are now being checked using keyanalyze+sigcheck: http://dtype.org/~aaronl/ Earlier reports are also available, for comparison: http://keyserver.kjsl.com/~jharris/ka/ Even earlier monthly reports are at: http://dtype.org/keyanalyze/ SHA-1 hashes and sizes for all the "permanent" files: -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 From dshaw at jabberwocky.com Mon Jul 25 02:59:54 2005 
From: dshaw at jabberwocky.com (David Shaw) Date: Mon Jul 25 02:56:10 2005 Subject: gpg doesn't know In-Reply-To: References: Message-ID: <20050725005954.GD13965@jabberwocky.com> On Sun, Jul 24, 2005 at 11:58:13PM +0400, Vladimir N. Kutinsky wrote: > Does anyone know what it means? > > "gpg: CRC error; 92501E - 300D6B > gpg: [don't know]: invalid packet (ctb=2b)" Corrupted message. In this particular case, corrupted ascii armor. David From dshaw at jabberwocky.com Mon Jul 25 03:09:17 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Jul 25 03:05:14 2005 Subject: zlib inflate problem In-Reply-To: References: Message-ID: <20050725010917.GE13965@jabberwocky.com> On Sun, Jul 24, 2005 at 08:00:48PM +0400, Vladimir N. Kutinsky wrote: > Hi, > I am decrypting files sent to me by another user through my HTTP server. > Quite often I get errors that look like the following snippet: > "gpg: fatal: zlib inflate problem: oversubscribed dynamic bit lengths > tree > secmem usage: 2368/3808 bytes in 4/9 blocks of pool 3904/32768" > Could you please tell me what might cause this problem? > > I am using GnuPG 1.4.1 on a Win2000. > File encryption/decryption is performed in a batch mode. > For encryption: > gpg --openpgp --output OutFile --recipient > Recipient --armor --yes --batch --encrypt InFile > For decryption: > gpg --openpgp --output OutFile --yes --batch --passphrase-fd 0 --decrypt > InFile Hmm. What version of zlib are you using? David From michaeln at twentyten.org Mon Jul 25 05:06:50 2005 From: michaeln at twentyten.org (Michael Nguyen) Date: Mon Jul 25 05:02:35 2005 Subject: Getting Started... References: <01a701c58ef5$0b7c3bb0$800101df@oldeenglish> Message-ID: <005b01c590c5$ea665820$800101df@oldeenglish> 
From: "Adam Cripps" > On 7/22/05, Michael Nguyen wrote: [snip] > Just out of interest, why do you want to write a plugin for Postfix - > what is the end result? What functionality do you want to add to > Postfix? Eh...something very custom for our customer base. It wouldn't be useful to anyone else. Basically, what I'm going to do is allow a PGP option for our users. We'll have a bunch of key generation and storage stuff, but the part I'm going to write is this: - Email comes in for user - If user is set to have "PGP enabled", check to see if the email is encrypted - If encrypted, check the user's key rings and decrypt it - Write this new decrypted buffer to the maildir That's really rough, but I hope you see what I'm getting at. I intend to do the same thing for outgoing mail. Michael From mark.weisler at comcast.net Sat Jul 23 01:32:25 2005 From: mark.weisler at comcast.net (mweisler) Date: Mon Jul 25 10:41:59 2005 Subject: Changing the email address on an existing key...how? Should I? In-Reply-To: <87hdemld1m.wl%felix.klee@inka.de> References: <878y005uc2.wl%felix.klee@inka.de> <42E15A2C.40402@globalnet.hr> <87hdemld1m.wl%felix.klee@inka.de> Message-ID: <200507221632.26132.mark.weisler@comcast.net> Is it possible (or advisable) to change the email address on an existing pgp key? I'm using GnuPG 1.4.1 on Linux. The man pages do not show how to change or edit the mail address of an existing key. I've had the key(s) a long time and friends use them. I use the same key on several platforms. It would not be too much hassle for me to just create another key with the correct mail address and distribute the public key. What is good practice in this regard and where might I read more about it? TIA. -- Heisenberg was right, I think. From felix.klee at inka.de Mon Jul 25 11:43:42 2005 
From: felix.klee at inka.de (Felix E. Klee) Date: Mon Jul 25 11:41:19 2005 Subject: Changing the email address on an existing key...how? Should I? In-Reply-To: <200507221632.26132.mark.weisler@comcast.net> References: <878y005uc2.wl%felix.klee@inka.de> <42E15A2C.40402@globalnet.hr> <87hdemld1m.wl%felix.klee@inka.de> <200507221632.26132.mark.weisler@comcast.net> Message-ID: <87zmsbxltd.wl%felix.klee@inka.de> At Fri, 22 Jul 2005 16:32:25 -0700, mweisler wrote: > What is good practice in this regard and where might I read more about > it? You could create a new identity and, optionally, revoke the old one. Read more about it in the GNU Privacy Handbook. Also, keep in mind that, if your key is very old already, chances are that its private part may have been stolen at some point during its life time, unless you have handled it very carefully. If you're worried about this, you may want to create a new key. -- Felix E. Klee From alphasigmax at gmail.com Mon Jul 25 11:52:28 2005 
From: alphasigmax at gmail.com (Alphax) Date: Mon Jul 25 11:51:51 2005 Subject: zlib inflate problem In-Reply-To: <20050725010917.GE13965@jabberwocky.com> References: <20050725010917.GE13965@jabberwocky.com> Message-ID: <42E4B65C.6030602@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 David Shaw wrote: > On Sun, Jul 24, 2005 at 08:00:48PM +0400, Vladimir N. Kutinsky wrote: > >>Hi, >>I am decrypting files sent to me by another user through my HTTP server. >>Quite often I get errors that look like the following snippet: >> "gpg: fatal: zlib inflate problem: oversubscribed dynamic bit lengths >>tree >> secmem usage: 2368/3808 bytes in 4/9 blocks of pool 3904/32768" >>Could you please tell me what might cause this problem? >> >>I am using GnuPG 1.4.1 on a Win2000. >>File encryption/decryption is performed in a batch mode. >>For encryption: >> gpg --openpgp --output OutFile --recipient >>Recipient --armor --yes --batch --encrypt InFile >>For decryption: >> gpg --openpgp --output OutFile --yes --batch --passphrase-fd 0 --decrypt >>InFile > > > Hmm. What version of zlib are you using? > Is this related to the zlib security flaw mentioned back around the 8th of July? Sounds like it might almost be a buffer overflow error... - -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards http://tinyurl.com/cc9up | / \ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFC5LZc/RxM5Ph0xhMRA6YhAJ9DaQd/fb0/tM2HboQveux+PHqiFgCeL3Lj OhmBGBFb7f39ZB0xtiOopBA= =eSCH -----END PGP SIGNATURE----- From linux at codehelp.co.uk Mon Jul 25 12:32:46 2005 
From: linux at codehelp.co.uk (Neil Williams) Date: Mon Jul 25 12:28:30 2005 Subject: Getting Started... In-Reply-To: <005b01c590c5$ea665820$800101df@oldeenglish> References: <01a701c58ef5$0b7c3bb0$800101df@oldeenglish> <005b01c590c5$ea665820$800101df@oldeenglish> Message-ID: <200507251132.50089.linux@codehelp.co.uk> On Monday 25 July 2005 4:06 am, Michael Nguyen wrote: > Eh...something very custom for our customer base. It wouldn't be useful to > anyone else. Assumption is the mother of all $^?&*^ ups. :-) > Basically, what I'm going to do is allow a PGP option for our > users. We'll have a bunch of key generation and storage stuff, but the > part I'm going to write is this: > > - Email comes in for user > - If user is set to have "PGP enabled", check to see if the email is > encrypted > - If encrypted, check the user's key rings and decrypt it Presumably users are aware that this would render their own keys insecure so you're using "group" or "corporate" keys via your key generation/storage? Why then check the *user's* keyrings? Shouldn't that be the central keyring of generated keys (presumably with no passphrase). Users should not be given the impression that these keys are secure for use with personal email, keysigning etc. > - Write this new decrypted buffer to the maildir For absolutely anyone to read - you're merely using encryption for the external part of the mail chain? You assume that your internal security is sufficient to prevent unauthorised users within the company reading the maildir? > That's really rough, but I hope you see what I'm getting at. Well I wouldn't use it! :-) If I encrypt to someone, I expect that person to be the only person to be able to decrypt the message. I do not expect some automated script to be able to decrypt it in passing - I wouldn't sign any such key so exactly who or what is encrypting to this script? 
Have you looked at x.509 certificates that have a different trust model, perhaps more suited to a "group" or "corporate" model rather than the individual trust inherent in GnuPG/PGP? > I intend to > do the same thing for outgoing mail. Automated encryption is fine - if you've got sufficient keys - but automated decryption always weakens the security and can make encryption itself worthless. How secure is the server that runs the script? How secure do you actually need the communication? Wouldn't using standard protocols via SSH accomplish the same end via much simpler (and standardised) methods? I use a script to automatically encrypt messages from the server to those members who have suitable keys, but I'd never trust any server open to the internet sufficiently to decrypt messages automatically. -- Neil Williams ============= http://www.data-freedom.org/ http://www.nosoftwarepatents.com/ http://www.linux.codehelp.co.uk/ From wk at gnupg.org Mon Jul 25 07:40:22 2005 From: wk at gnupg.org (Werner Koch) Date: Mon Jul 25 16:08:57 2005 Subject: Getting Started... In-Reply-To: <01a701c58ef5$0b7c3bb0$800101df@oldeenglish> (Michael Nguyen's message of "Fri, 22 Jul 2005 12:39:10 -0700") References: <01a701c58ef5$0b7c3bb0$800101df@oldeenglish> Message-ID: <87oe8rtpdl.fsf@wheatstone.g10code.de> On Fri, 22 Jul 2005 12:39:10 -0700, Michael Nguyen said: > need to download? I started with GPGME, but realized that I'm not really > sure what I need here. Is there a place where I can look at function GPGME comes with a complete manual ("info gpgme" or build a printable version using "cd doc; make gpgme.pdf") as well as test programs useful as examples. Shalom-Salam, Werner From wk at gnupg.org Mon Jul 25 07:45:37 2005 
From: wk at gnupg.org (Werner Koch) Date: Mon Jul 25 16:09:06 2005 Subject: PGP and Smartcards? In-Reply-To: <42E15A2C.40402@globalnet.hr> (Zeljko Vrba's message of "Fri, 22 Jul 2005 22:42:20 +0200") References: <878y005uc2.wl%felix.klee@inka.de> <87r7drgsy2.fsf@wheatstone.g10code.de> <87ll3ylqpm.wl%felix.klee@inka.de> <87ll3yd25x.fsf@wheatstone.g10code.de> <42E15A2C.40402@globalnet.hr> Message-ID: <87k6jftp4u.fsf@wheatstone.g10code.de> On Fri, 22 Jul 2005 22:42:20 +0200, Zeljko Vrba said: > I would disagree on that. Java Card is totally programmable and if you > want you can implement the complete ISO7816 command set (as far as the Sorry, this was a misinterpretation by me. > hardware permits, of course). The downside is that you will have to > implement your own filesystem, etc, but it is doable. Well for the OpenPGP card you don't need any filesystem as we only use the get/put data commands. Thus a simple offset,length table is what you need. Well, you know that of course. > Why I didn't finish the development - because I've found some > discrepancies between the GPG code, OpenPGP card spec and the PKCS#1 Care to elaborate on this? I am still interested to have a reference implementation for java card although I can't help very much with the implementation but I know all the details of the specs and have some knowledge of the gpg code. Salam-Shalom, Werner From wk at gnupg.org Mon Jul 25 08:01:36 2005 
From: wk at gnupg.org (Werner Koch) Date: Mon Jul 25 16:09:16 2005 Subject: PGP and Smartcards? In-Reply-To: <87k6jildps.wl%felix.klee@inka.de> (Felix E. Klee's message of "Fri, 22 Jul 2005 23:42:39 +0200") References: <878y005uc2.wl%felix.klee@inka.de> <87r7drgsy2.fsf@wheatstone.g10code.de> <87ll3ylqpm.wl%felix.klee@inka.de> <87ll3yd25x.fsf@wheatstone.g10code.de> <87k6jildps.wl%felix.klee@inka.de> Message-ID: <87fyu3toe7.fsf@wheatstone.g10code.de> On Fri, 22 Jul 2005 23:42:39 +0200, Felix E Klee said: > Your wording implies that the cards I mentioned aren't both secure and > fast. Any pointers? No, I was just not aware that they support 2k RSA and key generation in particular. My (old) specs don't say so. > isn't that interesting, though. The point is that AFAICS PKCS#11 > clearly defines an API, and perhaps it may become an ISO standard in the No it does not define a clean API. Almost everyone is using proprietary extensions and I don't consider that a standard. It is a complex specification targeted to allow some interoperability between proprietary applications. With Free Software we are not bound to some of these stupid things. If we would try to support all PKCS#11 supported tokens we need to add a lot of extra code to gpg to cope with minor peculiarities of the tokens. And well, complexity is the worst enemy of security. > Framework or openCryptoki (unfortunately those two feature GPL > incompatible licenses but who says that this won't change?). Experience? Missing copyright assignments, lost contact to the authors? > About the weakest link: For a master key the length of the key may well > be the weakest link if the master key is stored away in a safe place and > if it is only used once in a while on reasonably tamper proof systems Unless you have real physical security with guards, barbed wire, 2m concrete walls I really doubt that. Hiring a burglar or a gunman is far out cheaper than to break one key - even if it is a CA key for a small or medium domain. 
Shalom-Salam, Werner From wk at gnupg.org Mon Jul 25 08:02:56 2005 From: wk at gnupg.org (Werner Koch) Date: Mon Jul 25 16:09:31 2005 Subject: gpg doesn't know In-Reply-To: (Vladimir N. Kutinsky's message of "Sun, 24 Jul 2005 23:58:13 +0400") References: Message-ID: <87br4rtobz.fsf@wheatstone.g10code.de> On Sun, 24 Jul 2005 23:58:13 +0400, Vladimir N Kutinsky said: > Does anyone know what it means? > "gpg: CRC error; 92501E - 300D6B > gpg: [don't know]: invalid packet (ctb=2b)" The input data is garbled. Transmission error or the usual ascii vs. binary FTP problem. Salam-Shalom, Werner From zvrba at globalnet.hr Mon Jul 25 16:26:49 2005 
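The "CRC error" in the message quoted above comes from the checksum that closes every ASCII-armored OpenPGP block. As an added example (not GnuPG's code and not from any poster), this sketch recomputes the CRC-24 defined in RFC 4880 section 6.1 over the decoded body and compares it with the stored `=XXXX` line. The function names, the constructed sample payload, and the order in which the two values are printed are assumptions of this example.

```python
import base64
import binascii

CRC24_INIT = 0xB704CE   # initial value, RFC 4880 section 6.1
CRC24_POLY = 0x1864CFB  # generator polynomial, RFC 4880 section 6.1


def crc24(data: bytes) -> int:
    """CRC-24 as used for the OpenPGP armor checksum."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data: bytes, kind: str = "MESSAGE") -> str:
    """Wrap raw bytes in an armor block with its checksum line."""
    body = base64.b64encode(data).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    check = base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN PGP {kind}-----", "", *lines,
                      "=" + check, f"-----END PGP {kind}-----", ""])


def armor_checksums(text: str) -> tuple:
    """Return (computed, stored) CRC-24 for the first armor block in text."""
    lines = [line.strip() for line in text.splitlines()]
    try:
        begin = next(i for i, l in enumerate(lines)
                     if l.startswith("-----BEGIN PGP "))
        end = next(i for i, l in enumerate(lines)
                   if i > begin and l.startswith("-----END PGP "))
    except StopIteration:
        raise ValueError("no complete armor block found") from None
    block = lines[begin + 1:end]
    # Armor headers (Version:, Comment:, ...) end at the first blank line.
    blank = next((i for i, l in enumerate(block) if not l), None)
    if blank is None:
        raise ValueError("no blank line after armor headers")
    body = [l for l in block[blank + 1:] if l]
    if not body or not (body[-1].startswith("=") and len(body[-1]) == 5):
        raise ValueError("no checksum line")
    try:
        stored = int.from_bytes(base64.b64decode(body[-1][1:], validate=True), "big")
        data = base64.b64decode("".join(body[:-1]), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"body is not valid base64: {exc}") from None
    return crc24(data), stored


def describe(text: str) -> str:
    """One-line verdict modelled on the message quoted in the thread."""
    computed, stored = armor_checksums(text)
    if computed == stored:
        return "checksum ok"
    return f"CRC error; {computed:06X} - {stored:06X}"


def ascii_mode_transfer(data: bytes) -> bytes:
    """What an ASCII-mode FTP transfer to a CRLF system does to binary data."""
    return data.replace(b"\n", b"\r\n")


def damage_first_body_char(text: str) -> str:
    """Simulate a transmission error: alter one base64 character."""
    lines = text.split("\n")
    i = lines.index("") + 1  # first body line follows the blank line
    lines[i] = ("B" if lines[i][0] == "A" else "A") + lines[i][1:]
    return "\n".join(lines)


# Constructed sample: 256 bytes standing in for a binary OpenPGP message.
SAMPLE = bytes(range(256))
GOOD = armor(SAMPLE)
DAMAGED = damage_first_body_char(GOOD)

if __name__ == "__main__":
    print("intact armor:     ", describe(GOOD))
    print("CRLF line endings:", describe(GOOD.replace("\n", "\r\n")))
    print("one char altered: ", describe(DAMAGED))
    print("binary via ASCII-mode FTP changes CRC:",
          crc24(SAMPLE) != crc24(ascii_mode_transfer(SAMPLE)))
```

In this parser, translating the line endings of the armored text leaves the checksum intact, while the same translation applied to the unarmored binary payload changes the data itself.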
From: zvrba at globalnet.hr (Zeljko Vrba) Date: Mon Jul 25 16:21:53 2005 Subject: PGP and Smartcards? In-Reply-To: <87ek9ob35l.wl%felix.klee@inka.de> References: <87d5pc5zjn.wl%felix.klee@inka.de> <42DF8274.4040204@globalnet.hr> <87ek9ob35l.wl%felix.klee@inka.de> Message-ID: <42E4F6A9.2020300@globalnet.hr> Felix E. Klee wrote: > > Huh? AFAICS, in general it is more important to have the subkeys on a > smart card than the master key. After all the master key can be stored > But then you cannot commit a mortal sin of using GPG remotely ;) Seriously, I think you have a very strong point in case of keeping the subkeys on the smart card (btw, this will be possible too with the PKCS#11 patch). I carefully chose my passwords so that they have ~50 bits of entropy, using my own utility for the purpose, of course :) http://freshmeat.net/projects/secpwgen/ This key length won't stop NSA but will stop 95% of attackers. For the other 5% I do not worry because I'm not dealing with highly-sensitive data. This is a conscious trade-off security vs. comfort on my side. Having your frequently used keys on the smart-card.. has some disadvantages: - you can't use it remotely (yes, I know, it's bad for security, but I'm comfortable with it since I've defined my threat model) - maybe you'll want to access your mail from some computer on which you're not allowed to install the smart-card reader and its drivers (although it is questionable whether you SHOULD decrypt something on the computer you're not in charge of) I have been employed at a real-world PKI deployment - a national CA in fact. And esp. the 2nd point was one of the major complaints from the users about smart-cards. Another frequent problem was locked smart-card. With smart-card it is much easier to perform the denial-of-service on you than with file-based keys. Say you go on a business trip.. someone steals your smart-card and you can't do business. 
Or even worse, irreversibly locks both PINs so that the card is effectively unusable. So, personally, I'd rather have one long-lived master key on the smart-card, get as many people as possible to sign it, and use *that* key to sign my other (shorter-lived) keys. The same scheme I'm also using now, but not with the smart-card. In the hope that I'll never go through the inconvenience of revoking my master key (which, of course, has much stronger passphrase than my 'regular' keys). Of course, it all depends on your threat model, the value of information you are protecting and the minimum desired secrecy lifetime. Best regards, Zeljko. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 254 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050725/f62463be/signature.pgp From zvrba at globalnet.hr Mon Jul 25 16:45:25 2005 
From: zvrba at globalnet.hr (Zeljko Vrba) Date: Mon Jul 25 16:40:30 2005 Subject: PGP and Smartcards? In-Reply-To: <87fyu3toe7.fsf@wheatstone.g10code.de> References: <878y005uc2.wl%felix.klee@inka.de> <87r7drgsy2.fsf@wheatstone.g10code.de> <87ll3ylqpm.wl%felix.klee@inka.de> <87ll3yd25x.fsf@wheatstone.g10code.de> <87k6jildps.wl%felix.klee@inka.de> <87fyu3toe7.fsf@wheatstone.g10code.de> Message-ID: <42E4FB05.2010409@globalnet.hr> Werner Koch wrote: > On Fri, 22 Jul 2005 23:42:39 +0200, Felix E Klee said: >>isn't that interesting, though. The point is that AFAICS PKCS#11 >>clearly defines an API, and perhaps it may become an ISO standard in the > > > No it does not define a clean API. Almost everyone is using > proprietary extensions and I don't consider that a standard. It is a > The standard allows for proprietary extensions. However, I have seen several implementations and all of them can do what GPG needs w/o using any extensions. > > If we would try to support all PKCS#11 supported tokens we need to add > a lot of extra code to gpg to cope with minor peculiarities of the > tokens. > Unfortunately :( Although the PKCS#11 defines an interface, every vendor has its own interpretation of it because it is, well, complex and vague at some points. Still, my opinion is that PKCS#11 has more-or-less succeeded where ISO7816 has failed: to unify the interface for accessing any kind of cryptographic token (it is not limited to smart-cards either). And I think it is illusionary to think that smart-card vendors are *ever* going to fully conform to the ISO spec. In their world of business, it makes all vendors replaceable. And since most of the vendors already have an established market, it is not in their interest to become replaceable. Which makes me wonder.. maybe they even interpret on purpose the vague PKCS#11 points differently from their competitors. > > And well, complexity is the worst enemy of security. > True. 
-------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 254 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050725/8b4f12f0/signature.pgp From michaeln at twentyten.org Mon Jul 25 17:01:40 2005 From: michaeln at twentyten.org (Michael Nguyen) Date: Mon Jul 25 16:57:18 2005 Subject: Getting Started... References: <01a701c58ef5$0b7c3bb0$800101df@oldeenglish> <87oe8rtpdl.fsf@wheatstone.g10code.de> Message-ID: <015b01c59129$c6924ad0$800101df@oldeenglish> From: "Werner Koch" > On Fri, 22 Jul 2005 12:39:10 -0700, Michael Nguyen said: > > > need to download? I started with GPGME, but realized that I'm not really > > sure what I need here. Is there a place where I can look at function > > GPGME comes with a complete manual ("info gpgme" or build a printable > version using "cd doc; make gpgme.pdf") as well as test programs > useful as examples. Yes, I think GPGME seems good enough. I just wanted to know if this is indeed what I should be using. Thanks guys. Michael From zvrba at globalnet.hr Mon Jul 25 17:05:51 2005 
From: zvrba at globalnet.hr (Zeljko Vrba) Date: Mon Jul 25 17:01:02 2005 Subject: PGP and Smartcards? In-Reply-To: <87k6jftp4u.fsf@wheatstone.g10code.de> References: <878y005uc2.wl%felix.klee@inka.de> <87r7drgsy2.fsf@wheatstone.g10code.de> <87ll3ylqpm.wl%felix.klee@inka.de> <87ll3yd25x.fsf@wheatstone.g10code.de> <42E15A2C.40402@globalnet.hr> <87k6jftp4u.fsf@wheatstone.g10code.de> Message-ID: <42E4FFCF.7020707@globalnet.hr> Werner Koch wrote: > > Well for the OpenPGP card you don't need any filesystem as we only > use the get/put data commands. Thus a simple offset,length table is > what you need. Well, you know that of course. > Yeah, I know that very well :) It took me a bit of time to correctly implement the coding/decoding of composite objects, but this stuff is now fully working. > >>Why I didn't finish the development - because I've found some >>discrepancies between the GPG code, OpenPGP card spec and the PKCS#1 > > Care to elaborate on this? > Uff, I would have to look it up to be exact. It has to do with PKCS#1 padding block types. For example, in my signing function I'm not using the Java Signature class (which produces one kind of PKCS#1 block type) but the Cipher class and encrypt method (which produces another kind of PKCS#1 block type) AFAIR, I've lost quite a bit of time on figuring out what was wrong (reading the specs, everything should have fit perfectly) and in the moment of despair I've just changed it to use encryption with the private key instead of signature. Before the change GPG complained about invalid signature, but after, the thing magically worked! It may have to do with Sun's cref emulation but nevertheless.. > > I am still interested to have reference implementation for java card > although I can't help very much with the implementation but I know all > thanks, but I don't need any help with the implementation. if I just bit the bullet I believe I could finish it up in a week to be completely functional. 
I'm having more of a logistic trouble: - I should buy the JCOP development toolkit (ok, that's no problem) - buy from somewhere else a smart-card reader (also shouldn't be a problem) - install Java, which is not trivial on FreeBSD. installing linux on my laptop is not really an option (too much data to move around). hmph, maybe a boot CD+10GB ext2 "disk file" on FAT32 for the linux :) - install Eclipse 3 (since the JCOP toolkit is an Eclipse plugin) - learn to use Eclipse - patch (again! - I've done it so it can talk to cref, but I don't think I've brought the patch with me when I moved :/ ) GPG somehow to talk to the emulated smart-card so I can test the applet without actually downloading it to the card until it's finally finished - and FINALLY, make the applet fully-functional I think that all of the above work exceeds the effort needed to finish the applet :( I'm extremely lazy to do all of the above grunt-work and if I start now, maybe I'll get it finished in 6 months :) then I can start working on the applet :) -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 254 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050725/a3544b46/signature.pgp From reuter at do.isst.fraunhofer.de Tue Jul 26 09:00:23 2005 From: reuter at do.isst.fraunhofer.de (Claudia Reuter) Date: Tue Jul 26 09:53:56 2005 Subject: libgcrypt manuals/tutorials Message-ID: <42E5DF87.8080805@do.isst.fraunhofer.de> Hi @ll. I look for manuals/tutorials about gnu libgcrypt; I'm especially interested in the asymmetric cryptography part. Could anyone help me with that? yours Claudia From chrreddy at yahoo.com Tue Jul 26 15:48:33 2005 
From: chrreddy at yahoo.com (chilkuri rajireddy) Date: Tue Jul 26 16:44:29 2005 Subject: Unable to decrypt the file Message-ID: <20050726134833.11556.qmail@web30407.mail.mud.yahoo.com> Hi All, I am able to generate a key and encrypt a file on a Solaris system on the command line. But when I decrypt the file, the log file shows the following error. "gpg: cannot open /dev/tty: No such device or address Return code from pgp command: 2". Can anyone please help me resolve this error? Thanks, Raj From fischer at deutaeit.de Tue Jul 26 16:35:58 2005 From: fischer at deutaeit.de (Sven Fischer) Date: Tue Jul 26 17:05:55 2005 Subject: libcrypt and RC2 revisited Message-ID: Hi all, I have again the "I can't decode Outlook s/MIME mails" problem, 'cause I receive mails from Outlook users that are obviously encrypted with 40bit RC-2. Just for my interest: In libgcrypt's rfc2268.c the RC2 algorithm is implemented. But the ID for the RC2 the Outlook mails are sent is commented out. Well, this seems to have a reason, since uncommenting and recompiling libgcrypt 1.2.1 let gpgsm try to decrypt the mail, but without success (it says no data). Where is the problem with this? Can I help in any way to decode the Outlook mails? Best regards, Beste Grüße, Sven Fischer -- Sven Fischer -- DEUTA-Werke GmbH, Abteilung ED Dipl.-Phys. Paffrather Str. 140, 51465 Bergisch Gladbach, Germany Tel.: +49-(0)2202-958-216 Fax.: +49-(0)2202-958-145 Please note the disclaimer: http://www.deutaeit.de/disclaimer.html From wk at gnupg.org Tue Jul 26 18:57:13 2005 
From: wk at gnupg.org (Werner Koch) Date: Tue Jul 26 18:56:20 2005 Subject: libcrypt and RC2 revisited In-Reply-To: (Sven Fischer's message of "Tue, 26 Jul 2005 16:35:58 +0200") References: Message-ID: <87ack9v72u.fsf@wheatstone.g10code.de> On Tue, 26 Jul 2005 16:35:58 +0200, Sven Fischer said: > out. Well, this seems to have a reason, since uncommenting and recompiling > libgcrypt 1.2.1 let gpgsm try to decrypt the mail, but without success (it > says no data). Where is the problem with this? Can I help in any way to > decode the Outlook mails? IIRC, we would need to implement a variant of RC2 to allow this. And well, 40 bit RC2 keys are pretty ridiculous. Shalom-Salam, Werner From zvrba at globalnet.hr Tue Jul 26 19:22:06 2005 From: zvrba at globalnet.hr (Zeljko Vrba) Date: Tue Jul 26 19:17:47 2005 Subject: libcrypt and RC2 revisited In-Reply-To: <87ack9v72u.fsf@wheatstone.g10code.de> References: <87ack9v72u.fsf@wheatstone.g10code.de> Message-ID: <42E6713E.6020102@globalnet.hr> Werner Koch wrote: > > IIRC, we would need to implement a variant of RC2 to allow this. And > well, 40 bit RC2 keys are pretty ridiculous. > Ugh, I hope that you'll _never,ever_ allow such low-grade insecure algorithms in gpg or anything related to it, no matter what the public demand is. best regards, Zeljko. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 254 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050726/61410f4b/signature-0001.pgp From chrreddy at yahoo.com Tue Jul 26 18:47:35 2005 
From: chrreddy at yahoo.com (chilkuri rajireddy) Date: Tue Jul 26 19:43:29 2005 Subject: Decryption via UNIX shell script Message-ID: <20050726164735.23628.qmail@web30411.mail.mud.yahoo.com> Hi, I tried with both --no-tty and --batch options but still my shell script does not work. My command looks like this "gpg --no-tty --batch --passphrase-fd 0 --output $target_fn --decrypt $source_fn ". Can you please suggest how I can resolve this issue? Thanks, Raj From wk at gnupg.org Tue Jul 26 20:11:01 2005 From: wk at gnupg.org (Werner Koch) Date: Tue Jul 26 20:11:18 2005 Subject: libcrypt and RC2 revisited In-Reply-To: <42E6713E.6020102@globalnet.hr> (Zeljko Vrba's message of "Tue, 26 Jul 2005 19:22:06 +0200") References: <87ack9v72u.fsf@wheatstone.g10code.de> <42E6713E.6020102@globalnet.hr> Message-ID: <87ek9ltp3e.fsf@wheatstone.g10code.de> On Tue, 26 Jul 2005 19:22:06 +0200, Zeljko Vrba said: > Ugh, I hope that you'll _never,ever_ allow such low-grade insecure > algorithms in gpg or anything related to it, no matter what the public > demand is. For sure not in an application like gpg. However for certain tools (e.g. a crypto workbench) it makes sense to have even very simple ciphers. Salam-Shalom, Werner From jan at gondor.com Tue Jul 26 19:52:51 2005 
From: jan at gondor.com (Jan Niehusmann) Date: Tue Jul 26 20:22:19 2005 Subject: PGP and Smartcards? In-Reply-To: <42E4F6A9.2020300@globalnet.hr> References: <87d5pc5zjn.wl%felix.klee@inka.de> <42DF8274.4040204@globalnet.hr> <87ek9ob35l.wl%felix.klee@inka.de> <42E4F6A9.2020300@globalnet.hr> Message-ID: <20050726175251.GA5332@knautsch.gondor.com> On Mon, Jul 25, 2005 at 04:26:49PM +0200, Zeljko Vrba wrote: > - you can't use it remotely (yes, I know, it's bad for security, but I'm > comfortable with it since I've defined my threat model) > - maybe you'll want to access your mail from some computer on which > you're not allowed to install the smart-card reader and its drivers > (although it is questionable whether you SHOULD decrypt something on the > computer you're not in charge of) What about storing the keys on a smart card, and leaving the card in a card reader on your remote-accessible computer? Jan -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 307 bytes Desc: Digital signature Url : /pipermail/attachments/20050726/e66f9ab4/attachment.pgp From panickedthumb at gmail.com Wed Jul 27 06:43:32 2005 From: panickedthumb at gmail.com (Travis C Newman) Date: Wed Jul 27 07:41:28 2005 Subject: I have the public key, but not the private... Message-ID: <1122439413.8558.28.camel@localhost.localdomain> I had reinstalled a while ago, and forgot to backup my gpg files. I have retrieved my public key from MIT's keyserver, but I don't have the private key, so I can't sign anything. Help? Travis From rlaager at wiktel.com Wed Jul 27 07:59:43 2005 
From: rlaager at wiktel.com (Richard Laager) Date: Wed Jul 27 09:04:28 2005 Subject: I have the public key, but not the private... In-Reply-To: <1122439413.8558.28.camel@localhost.localdomain> References: <1122439413.8558.28.camel@localhost.localdomain> Message-ID: <1122443983.26020.19.camel@localhost> On Wed, 2005-07-27 at 00:43 -0400, Travis C Newman wrote: > I had reinstalled a while ago, and forgot to backup my gpg files. I have > retrieved my public key from MIT's keyserver, but I don't have the > private key, so I can't sign anything. Help? You're out of luck. If you generated a revocation certification and still have that, you can revoke the key so people will know not to encrypt to it any more. Either way, you need to make a new key. Richard Laager From atom at smasher.org Wed Jul 27 08:29:51 2005 
From: atom at smasher.org (Atom Smasher) Date: Wed Jul 27 09:22:36 2005 Subject: I have the public key, but not the private... In-Reply-To: <1122439413.8558.28.camel@localhost.localdomain> References: <1122439413.8558.28.camel@localhost.localdomain> Message-ID: <20050727062947.98406.qmail@smasher.org> On Wed, 27 Jul 2005, Travis C Newman wrote: > I had reinstalled a while ago, and forgot to backup my gpg files. I have > retrieved my public key from MIT's keyserver, but I don't have the > private key, so I can't sign anything. Help? ============== um... no. without the private key, you're beat. that's kind of the whole point of pgp/gpg. if you discover a way to recover the private key from a public key before the earth is swallowed by the sun, we'd all like to know about it. you did follow the instructions and created a revocation certificate, right? and stored it in a safe place? -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- Bob Woodward: "How do you think history will regard the war in Iraq?" George "dubya" Bush: "It won't matter. We'll all be dead." From wk at gnupg.org Wed Jul 27 09:53:27 2005 From: wk at gnupg.org (Werner Koch) Date: Wed Jul 27 11:08:55 2005 Subject: [Announce] GnuPG 1.4.2 released Message-ID: <87sly0sn0o.fsf@wheatstone.g10code.de> Skipped content of type multipart/signed-------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From johanw at vulcan.xs4all.nl Wed Jul 27 11:32:51 2005 
From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Wed Jul 27 12:49:57 2005 Subject: libcrypt and RC2 revisited In-Reply-To: <42E6713E.6020102@globalnet.hr> Message-ID: <200507270932.j6R9Wp4L002252@vulcan.xs4all.nl> Zeljko Vrba wrote: [40 bit RC2] >Ugh, I hope that you'll _never,ever_ allow such low-grade insecure >algorithms in gpg or anything related to it, no matter what the public >demand is. One could use GnuPG 1.0.6, the last version with the plugin system, and write a RC2 plugin if it's really needed. Or is there an easy way to add new algorithms to the current version of GnuPG that doesn't require changes in many places in the code? -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From shavital at mac.com Wed Jul 27 12:18:29 2005 
From: shavital at mac.com (Charly Avital) Date: Wed Jul 27 12:52:41 2005 Subject: GnuPG 1.4.2 released Message-ID: <4667D83E-7D36-416D-8772-71918D84774C@mac.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hi, compiled for Darwin 8.2.0, with idea.c, libcurl (after applying the patch to g10/keyserver.c). Thank you for your work. Charly Werner Koch wrote the following on 7/27/05 3:53 AM: > Hello! > > We are pleased to announce the availability of a new stable GnuPG > release: Version 1.4.2 > [...] > GnuPG 1.4.2 may be downloaded from one of the GnuPG mirror sites or > direct from ftp://ftp.gnupg.org/gcrypt/ . The list of mirrors can be > found at http://www.gnupg.org/mirrors.html . Note, that GnuPG is not > available at ftp.gnu.org. > > On the mirrors you should find the following files in the *gnupg* > directory: > > gnupg-1.4.2.tar.bz2 (2.8M) > gnupg-1.4.2.tar.bz2.sig > > GnuPG source compressed using BZIP2 and OpenPGP signature. > > gnupg-1.4.2.tar.gz (4.0M) > gnupg-1.4.2.tar.gz.sig > > GnuPG source compressed using GZIP and OpenPGP signature. > > gnupg-1.4.1-1.4.2.diff.bz2 (939k) > > A patch file to upgrade a 1.4.1 GnuPG source. > > Select one of them. To shorten the download time, you probably want to > get the BZIP2 compressed file. Please try another mirror if > exceptional your mirror is not yet up to date. > [...] > What's New > =========== > > * New command "verify" in the card-edit menu to display > the Private-DO-3. The Admin command has been enhanced to take > the optional arguments "on", "off" and "verify". The latter may > be used to verify the Admin Pin without modifying data; this > allows displaying the Private-DO-4 with the "list" command. > > * Rewrote large parts of the card code to optionally make use of a > running gpg-agent. If --use-agent is being used and a gpg-agent > with enabled scdaemon is active, gpg will now divert all card > operations to that daemon. 
This is required because both, > scdaemon and gpg require exclusive access to the card reader. By > delegating the work to scdaemon, both can peacefully coexist and > scdaemon is able to control the use of the reader. Note that > this requires at least gnupg 1.9.17. > > * Fixed a couple of problems with the card reader. > > * Command completion is now available in the --edit-key and > --card-edit menus. Filename completion is available at all > filename prompts. Note that completion is only available if the > system provides a readline library. > > * New experimental HKP keyserver helper that uses the cURL > library. It is enabled via the configure option --with-libcurl > like the other (also experimental) cURL helpers. Please make > sure to also apply the attached patch. > > * New key cleaning options that can be used to remove unusable > (expired, revoked) signatures from a key. This is available via > the new "clean" command in --edit-key on a key by key basis, as > well as via the import-clean-sigs/import-clean-uids and > export-clean-sigs/export-clean-uids options for --import-options > and --export-options. These are currently off by default, and > replace the import-unusable-sigs/export-unusable-sigs options > from version 1.4.1. > > * New export option export-reset-subkey-passwd. > > * New option --limit-card-insert-tries. 
> > > Internationalization > ==================== > > GnuPG comes with support for 28 languages: > > American English Indonesian (id)[*] > Bela-Russian (be)[*] Italian (it)[*] > Catalan (ca)[*] Japanese (ja)[*] > Czech (cs) Polish (pl)[*] > Danish (da)[*] Brazilian Portuguese (pt_BR)[*] > Dutch (nl)[*] Portuguese (pt)[*] > Esperanto (eo)[*] Romanian (ro) > Estonian (et)[*] Russian (ru) > Finnish (fi)[*] Slovak (sk)[*] > French (fr) Spanish (es) > Galician (gl)[*] Swedish (sv)[*] > German (de) [*] Traditional Chinese (zh_TW) > Greek (el) [*] Simplified Chinese (zh_CN) > Hungarian (hu) [*] Turkish (tr) > > Languages marked with [*] have not been updated for this release and > you will most likely notice untranslated messages. Many thanks to the > translators who updated their work in time. > > > Future Directions > ================= > > GnuPG 1.4.x is the current stable branch and will be kept as the easy > to use and build single-executable versions. We plan to backport new > features from the development series to 1.4. > > GnuPG 1.9.x is the new development series of GnuPG. This version > merged the code from the Aegypten project and thus it includes the > gpg-agent, a smartcard daemon and gpg's S/MIME cousin gpgsm. The > design is different to the previous versions and we may not support > all ancient systems - thus POSIX compatibility will be an absolute > requirement for supported platforms. 1.9 is as of now based on an > somewhat older 1.3 code but will peacefully coexist with other GnuPG > versions. > > > Support > ======= > > Developing and maintaining GnuPG and related software is nothing one > can do in the evening or on weekends. We all spend a lot of time and > money on it. David is actually doing this in his spare time beside > his day job; g10 Code employs Timo and Werner to work on this software > and would appreciate to refinance it by entering into support > contracts or other contributions. 
> > > Thanks > ====== > > We have to thank all the people who helped with this release, be it > testing, coding, translating, suggesting, auditing, administering the > servers, spreading the word or answering questions on the mailing > lists. > > > Happy Hacking, > > > The GnuPG Team (David, Timo and Werner) > > > > p.s. A few hours too late we found a bug in the cURL based helper > programs which makes cURL based LDAP support unusable. Given that > --with-libcurl is not the default we did not offtake the release but > ask you to apply the patch below. > > diff -u -p -r1.90 -r1.91 > --- g10/keyserver.c 22 Jul 2005 16:28:40 -0000 1.90 > +++ g10/keyserver.c 27 Jul 2005 01:24:57 -0000 1.91 > @@ -860,7 +860,9 @@ curl_can_handle(const char *scheme) > static const char * > keyserver_typemap(const char *type) > { > - if(strcmp(type,"ldaps")==0) > + if(strcmp(type,"ldap")==0) > + return "ldap"; > + else if(strcmp(type,"ldaps")==0) > return "ldap"; > else if(curl_can_handle(type)) > return "curl"; > [...] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (Darwin) Comment: GnuPG for Privacy iQIVAwUBQudfh269XHxycyfPAQiVeRAApw+uF7+7ZDeI+YPytH5hhBit9jr5juEv jmY0SM0i03r7M1fd2wt9YFArbBuzSTL24NO1u2z04rWdn3JooqJSh1w4MWlVKndI hy/ZhALp+0x4LIlibSqSg6Smj/G3jm1Bf0Es1u4CLx35Nk4EKseOuk16e3yKWVwE XcSKwm5n2BFFzpU0JipHYAiDQghGyE53bejExs+PBT+aiJZRxHpV62/0oBd65FHj ZqaQO04fb0EqpI0wI4FexweieuAX5u96+rKx2M48vXvhj8qgyx7kkqxi/+3aSSj3 htDHTZNW8Qoh8BotTeOuXfJ66DdXGTU7tow25u1O8bjvlKG1CCz+B+41NwBzWhwb is+xkeNQMURZGE17etOqq1M3FGvUXLTeVu1tEHHVCJk9VaMh7LM26sA8yFw/CyGH Ntd87LwZYQepm7ek43V1rij2M6Eq8HC798gSPzMxkiA3vBmlOqG3z80YhXgMSzsU nZtNhQm+8RUrBwQGL/GMBCFkALP7b6HE/dNOMUIgglNucRthuXtOmhN0rt4pw9hW iasLcKK1bNz8reRSWoJFs+sZ3FL3nTqUxLPqmdGGJmkxJDyNuKhSJFS37sCAalZX 4VNmN15oWlOumZJ2tfJjyYiI16/LAHY8wzlqbQUy+o3tD848c5zAUX9LhdqRz/Wt F0tFwvdZxC4= =Pxlj -----END PGP SIGNATURE----- From reuter at do.isst.fraunhofer.de Wed Jul 27 15:21:22 2005 
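Review bot: in keyserver_typemap() nothing records why the new `strcmp(type,"ldap")==0` test has to come before the `curl_can_handle(type)` fallback, and that ordering is the whole fix. A one-line comment saying that plain ldap must be routed to the ldap helper rather than the cURL one would keep a later cleanup from reordering or dropping the branch. Since the added branch and the existing `ldaps` branch both return "ldap", they could also be folded into a single condition.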
From: reuter at do.isst.fraunhofer.de (Claudia Reuter) Date: Wed Jul 27 15:14:57 2005 Subject: libgcrypt & passphrase Message-ID: <42E78A52.6010602@do.isst.fraunhofer.de> Hi @ll. I wrote an application based on libgcrypt, which generates a key pair. Similar to GnuPG I like to encrypt the secret key with a passphrase. libgcrypt seems not to implement a function to encrypt a key with a passphrase or am I wrong? Any suggestions would be appreciated. yours Claudia From wk at gnupg.org Wed Jul 27 16:41:00 2005 From: wk at gnupg.org (Werner Koch) Date: Wed Jul 27 16:41:19 2005 Subject: libcrypt and RC2 revisited In-Reply-To: <200507270932.j6R9Wp4L002252@vulcan.xs4all.nl> (Johan Wevers's message of "Wed, 27 Jul 2005 11:32:51 +0200 (MET DST)") References: <200507270932.j6R9Wp4L002252@vulcan.xs4all.nl> Message-ID: <87u0igpb0j.fsf@wheatstone.g10code.de> On Wed, 27 Jul 2005 11:32:51 +0200 (MET DST), Johan Wevers said: > write a RC2 plugin if it's really needed. Or is there an easy way to add > new algorithms to the current version of GnuPG that doesn't require > changes in many places in the code? It is actually pretty simple but limited by the fact of OpenPGP supported algorithms. Salam-Shalom, Werner From johanw at vulcan.xs4all.nl Wed Jul 27 20:58:42 2005 
From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Wed Jul 27 23:38:38 2005 Subject: [Announce] GnuPG 1.4.2 released In-Reply-To: <87sly0sn0o.fsf@wheatstone.g10code.de> Message-ID: <200507271858.j6RIwg7S001754@vulcan.xs4all.nl> Werner Koch wrote: >We are pleased to announce the availability of a new stable GnuPG >release: Version 1.4.2 Compiled OK the second time I tried (Linux; Slackware 10 with gcc 3.3.4). Because I got a signal 11 the first time I think I really have to replace this hardware ASAP. Passed all tests, including my own about pgp 2 compatibility. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From panickedthumb at gmail.com Thu Jul 28 05:42:06 2005 From: panickedthumb at gmail.com (Travis C Newman) Date: Thu Jul 28 05:37:10 2005 Subject: I have the public key, but not the private... In-Reply-To: <20050727062947.98406.qmail@smasher.org> References: <1122439413.8558.28.camel@localhost.localdomain> <20050727062947.98406.qmail@smasher.org> Message-ID: <1122522127.8558.33.camel@localhost.localdomain> On Wed, 2005-07-27 at 02:29 -0400, Atom Smasher wrote: > you did follow the instructions and created a revocation certificate, > right? and stored it in a safe place? Nope. the howto I followed had nothing about it. I'm admittedly quite green with GPG. I just needed it to sign something once, now I need it to sign something else, and I don't have the revocation cert. *bangs head on desk* From wk at gnupg.org Thu Jul 28 08:57:46 2005 
From: wk at gnupg.org (Werner Koch)
Date: Thu Jul 28 08:56:20 2005
Subject: libgcrypt & passphrase
In-Reply-To: <42E78A52.6010602@do.isst.fraunhofer.de> (Claudia Reuter's message of "Wed, 27 Jul 2005 15:21:22 +0200")
References: <42E78A52.6010602@do.isst.fraunhofer.de>
Message-ID: <877jfbo1sl.fsf@wheatstone.g10code.de>

On Wed, 27 Jul 2005 15:21:22 +0200, Claudia Reuter said:

> Similar to GnuPG I like to encrypt the secret key with a passphrase.
> libgcrypt seems not to implement a function to encrypt a key with a
> passphrase or am I wrong? Any suggestions would be appreciated.

That is correct. At some point we might move some of this code into Libgcrypt as it is useful for other applications too but I doubt that this will happen in the near future.

You might also want to look at the agent/protect-tools.c which is a program to use the GnuPG 1.9 style key protection. It should not be too hard to use it along with libgcrypt. The format is described in agent/keyformat.txt and the basic code is in agent/protect.c. Basically it is the same algorithm as used by OpenPGP but modified to work with S-expressions.

Shalom-Salam,

   Werner

From sepreh at gmx.de Wed Jul 27 23:01:29 2005
From: sepreh at gmx.de (Sven Fischer)
Date: Thu Jul 28 09:46:17 2005
Subject: libcrypt and RC2 revisited
References: <87ack9v72u.fsf@wheatstone.g10code.de> <42E6713E.6020102@globalnet.hr> <87ek9ltp3e.fsf@wheatstone.g10code.de>
Message-ID:

Werner Koch wrote:

> On Tue, 26 Jul 2005 19:22:06 +0200, Zeljko Vrba said:
>
>> Ugh, I hope that you'll _never,ever_ allow such low-grade insecure
>> algorithms in gpg or anything related to it, no matter what the public
>> demand is.
>
> For sure not in an application like gpg. However for certain tools
> (e.g. a crypto workbench) it makes sense to have even very simple
> ciphers.

Also, it isn't our fault, that M$ does use such simple crypto algorithms. I personally share this opinion, but only for the encryption side. For decryption, I don't understand why it should be a problem.

A problem is, that a user new to the Unix world wants to decrypt the messages sent to them, regardless of the encryption system the sender used. And since the gnupg solution is used by the popular KMail of KDE, no KMail user is able to decrypt this Outlook crap sent to them. Is telling the Outlook users to use another mail program or use no encryption at all the solution? I don't think so. I even tried to convince Outlook to use 3des, but couldn't figure out how to do that.

So, thanks for the explanation, keep up the good work.

Greetings,
Sven

--
Sven Fischer -- Moitzfeld 47, 51429 Bergisch Gladbach, Germany
Tel./Fax: +49-(0)2204-480985
sepreh@gmx.de

From zvrba at globalnet.hr Thu Jul 28 10:36:11 2005
From: zvrba at globalnet.hr (Zeljko Vrba)
Date: Thu Jul 28 10:31:23 2005
Subject: libcrypt and RC2 revisited
In-Reply-To:
References: <87ack9v72u.fsf@wheatstone.g10code.de> <42E6713E.6020102@globalnet.hr> <87ek9ltp3e.fsf@wheatstone.g10code.de>
Message-ID: <42E898FB.9040200@globalnet.hr>

Sven Fischer wrote:
>
> Also, it isn't our fault, that M$ does use such simple crypto algorithms. I
> personally share this opinion, but only for the encryption side. For
> decryption, I don't understand why it should be a problem.
>
For decryption there is no problem, of course. As for encryption.. it is impossible to misuse a feature (even accidentally!) which simply is not present :) that was my reasoning behind the comment.

> user is able to decrypt this Outlook crap sent to them. Is telling the
> Outlook users to use another mail program or use no encryption at all the
> solution? I don't think so. I even tried to convince Outlook to use 3des,
> but couldn't figure out how to do that.
>
that setting is hidden deep somewhere in account settings.

but are you talking about S/MIME or GPG? IMHO, outlook users that are using GPG are pretty 'advanced' users (compared to rest of them). AFAIK, Outlook makes it easy to use X.509 but you have to have some kind of plugin for GPG, no? and GPG (except the experimental one) can't yet handle S/MIME. So linux mail readers have to use something else besides GPG for S/MIME.. and then I don't see how not incorporating RC2 into GPG even for decryption is a problem.. am I missing something here?

From wk at gnupg.org Thu Jul 28 13:04:41 2005
From: wk at gnupg.org (Werner Koch)
Date: Thu Jul 28 13:01:21 2005
Subject: libcrypt and RC2 revisited
In-Reply-To: <42E898FB.9040200@globalnet.hr> (Zeljko Vrba's message of "Thu, 28 Jul 2005 10:36:11 +0200")
References: <87ack9v72u.fsf@wheatstone.g10code.de> <42E6713E.6020102@globalnet.hr> <87ek9ltp3e.fsf@wheatstone.g10code.de> <42E898FB.9040200@globalnet.hr>
Message-ID: <87y87rmbsm.fsf@wheatstone.g10code.de>

On Thu, 28 Jul 2005 10:36:11 +0200, Zeljko Vrba said:

> For decryption there is no problem, of course. As for encryption.. it is

Well not supporting it _might_ help the sender to realize that he is doing something strange (i.e. using a weak algorithm)

> but you have to have some kind of plugin for GPG, no? and GPG (except
> the experimental one) can't yet handle S/MIME. So linux mail readers

I won't declare the S/MIME support experimental in any way. It is actually stable and in production use at several sites. It is just that gpgsm is distributed in the development branch of gpg - which is unfortunate but currently there is no solution for it.

Let me repeat: gpgsm, gpg-agent and gpgconf as available in gnupg 1.9.x are stable and ready for use. You may install GnuPG 1.9 along with GnuPG 1.4 to get both: OpenPGP and S/MIME. MUAs supporting gpgsm are at least KMail and Mutt (1.5.x).

Shalom-Salam,

   Werner

From adam00f at ducksburg.com Thu Jul 28 15:31:44 2005
From: adam00f at ducksburg.com (Adam Funk)
Date: Thu Jul 28 16:40:02 2005
Subject: Best/correct way to back up keys and configuration?
Message-ID: <200507281431.45086.adam00f@ducksburg.com>

What's the best way to back up my GnuPG keyrings -- just a tar.gz of the ~/.gnupg directory?

Or is there any advantage to producing additional files with the "--export" and "--export-secret-keys" commands?

(I know that the backups then need to be stored securely.)

From alphasigmax at gmail.com Thu Jul 28 16:53:33 2005
From: alphasigmax at gmail.com (Alphax)
Date: Thu Jul 28 16:51:00 2005
Subject: Best/correct way to back up keys and configuration?
In-Reply-To: <200507281431.45086.adam00f@ducksburg.com>
References: <200507281431.45086.adam00f@ducksburg.com>
Message-ID: <42E8F16D.7070703@gmail.com>

Adam Funk wrote:
> What's the best way to back up my GnuPG keyrings -- just a tar.gz of the
> ~/.gnupg directory?
>
> Or is there any advantage to producing additional files with the
> "--export" and "--export-secret-keys" commands?
>
> (I know that the backups then need to be stored securely.)
>

Not sure if there is any advantage, but ASCII-armored files are always nice :)

I keep a log of what keys I import (by date, including expiration & revocation status) and date my keyring backups - just in case it gets corrupted, but I want to rebuild my keyring from some saved point.

Make sure *before you do anything else* that you have a backup of your secret key *and a revocation certificate*, in case anything bad happens...

--
Alphax                       |   /"\
Encrypted Email Preferred    |   \ /  ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613   |    X   Against HTML email & vCards
http://tinyurl.com/cc9up     |   / \

From dshaw at jabberwocky.com Thu Jul 28 20:02:49 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Jul 28 19:58:59 2005
Subject: Best/correct way to back up keys and configuration?
In-Reply-To: <200507281431.45086.adam00f@ducksburg.com>
References: <200507281431.45086.adam00f@ducksburg.com>
Message-ID: <20050728180249.GB16810@jabberwocky.com>

On Thu, Jul 28, 2005 at 02:31:44PM +0100, Adam Funk wrote:
> What's the best way to back up my GnuPG keyrings -- just a tar.gz of the
> ~/.gnupg directory?
>
> Or is there any advantage to producing additional files with the
> "--export" and "--export-secret-keys" commands?
>
> (I know that the backups then need to be stored securely.)

One advantage to using --export-secret-keys and --armor is that you can print the secret key out and in a worst-case scenario, type it back in again. Not a replacement for regular backups of course, but unlike CDR and floppies, ink on paper in the dark can last longer than you and I will.

David

From SeidlS at schneider.com Thu Jul 28 23:37:16 2005
From: SeidlS at schneider.com (SeidlS@schneider.com)
Date: Fri Jul 29 00:23:30 2005
Subject: Key Ring Questions
Message-ID:

I have a couple questions around the maintenance/clean up of gnuPG key rings.

1) We have gnuPG installed and used by 3 users on one Unix type server. One of the 3 users was used for initial setup and testing of the gnuPG software and is no longer used. Is it possible to remove the key, and key ring from this user? Is it as simple as deleting the .gnupg directory under that users home directory?

2) Is it possible to remove keys from the key ring if they are no longer used? Example: a key was imported for use a year ago, but is no longer used for encryption/decryption. Is there a way to remove it?

Thanks for the help.

Scott

Thanks
Scott Seidl
Electronic Communication Services
seidls@schneider.com
Tel) 920-592-2163

From JPClizbe at comcast.net Fri Jul 29 05:04:58 2005
From: JPClizbe at comcast.net (John Clizbe)
Date: Fri Jul 29 05:35:27 2005
Subject: Key Ring Questions
In-Reply-To:
References:
Message-ID: <42E99CDA.1000502@comcast.net>

SeidlS@schneider.com wrote:
> I have a couple questions around the maintenance/clean up of gnuPG key
> rings.
>
> 1) We have gnuPG installed and used by 3 users on one Unix type server.
> One of the 3 users was used for initial setup and testing of the gnuPG
> software and is no longer used. Is it possible to remove the key, and key
> ring from this user? Is it as simple as deleting the .gnupg directory
> under that users home directory?

That'll do it

> 2)Is it possible to remove keys from the key ring if they are no longer
> used? Example: a key was imported for use a year ago, but is no longer
> used for encryption/decryption. Is there a way to remove it?

    gpg --delete-key 0xDecafBad

--
John P. Clizbe                      Inet: JPClizbe(a)comcast DOT nyet
Golden Bear Networks                PGP/GPG KeyID: 0x608D2A10
"Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"

From JPClizbe at comcast.net Fri Jul 29 05:15:51 2005
From: JPClizbe at comcast.net (John Clizbe)
Date: Fri Jul 29 05:35:38 2005
Subject: I have the public key, but not the private...
In-Reply-To: <1122522127.8558.33.camel@localhost.localdomain>
References: <1122439413.8558.28.camel@localhost.localdomain> <20050727062947.98406.qmail@smasher.org> <1122522127.8558.33.camel@localhost.localdomain>
Message-ID: <42E99F67.50901@comcast.net>

Travis C Newman wrote:
> On Wed, 2005-07-27 at 02:29 -0400, Atom Smasher wrote:
>
>> you did follow the instructions and created a revocation certificate,
>> right? and stored it in a safe place?
>
> Nope. the howto I followed had nothing about it. I'm admittedly quite
> green with GPG. I just needed it to sign something once, now I need it
> to sign something else, and I don't have the revocation cert.
> *bangs head on desk*

The old key is toast. There is nothing you can do to retrieve it.

Create a new key. And this time, create a revocation certificate THEN save the pubkey, seckey, and revcert offline somewhere safe.

--
John P. Clizbe                      Inet: JPClizbe(a)comcast DOT nyet
Golden Bear Networks                PGP/GPG KeyID: 0x608D2A10
"Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"

From chd at chud.net Sat Jul 30 00:59:16 2005
From: chd at chud.net (Chris De Young)
Date: Sat Jul 30 01:54:10 2005
Subject: Entropy in ascii-armored output?
Message-ID: <42EAB4C4.80908@chud.net>

Hi,

Some people have started to suggest that actually writing down passwords, if they're kept in a secure place, might not be a bad idea; the rationale is that passwords which can be considered "good" are reaching the point of being un-memorizable.

Assuming for the moment that this is the case (whether it really is or not isn't clear, I think), it seems that copying some arbitrary chunk out of the middle of some GPG encryption output (with -a, e.g. "QhRuM+W4xC9qnPvn") might be a good source of password material.

It's random-looking to the untrained eye, but how random is it really? It occurred to me that the ascii-armoring process might introduce weaknesses that aren't obvious, but I don't follow the guts of the process well enough to be sure.

Thanks!
-C

From dshaw at jabberwocky.com Sat Jul 30 02:56:58 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat Jul 30 02:52:58 2005
Subject: Entropy in ascii-armored output?
In-Reply-To: <42EAB4C4.80908@chud.net>
References: <42EAB4C4.80908@chud.net>
Message-ID: <20050730005658.GA4618@jabberwocky.com>

On Fri, Jul 29, 2005 at 03:59:16PM -0700, Chris De Young wrote:
> Hi,
>
> Some people have started to suggest that actually writing down
> passwords, if they're kept in a secure place, might not be a bad
> idea; the rationale is that passwords which can be considered "good"
> are reaching the point of being un-memorizable.
>
> Assuming for the moment that this is the case (whether it really is
> or not isn't clear, I think), it seems that copying some arbitrary
> chunk out of the middle of some GPG encryption output (with -a,
> e.g. "QhRuM+W4xC9qnPvn") might be a good source of password
> material.
>
> It's random-looking to the untrained eye, but how random is it
> really? It occurred to me that the ascii-armoring process might
> introduce weaknesses that aren't obvious, but I don't follow the
> guts of the process well enough to be sure.

ASCII armor is just a base64 transformation of some data, so if the original data was random, then the armor is as well. If you do:

    cat /good/random/source | gpg --enarmor

you'll get armored random data.

However, it takes more armor to get to the same amount of random data, due to the expansion that base64 does. For example, 128 digits of random data takes 171 armored digits (I'm not counting padding and checksum for now). This means that if you take 10 digits of armor, you're not getting 10 digits of randomness. Combine that with the knowledge of the valid armor characters (a-z, A-Z, +, and /), and you can set yourself up with a passphrase that is weaker than you think it is.

All that said, the bottom line is that if the source is random, the armor is too.

David

From unknown_kev_cat at hotmail.com Sat Jul 30 04:33:11 2005
From: unknown_kev_cat at hotmail.com (Joe Smith)
Date: Sat Jul 30 04:29:10 2005
Subject: Entropy in ascii-armored output?
References: <42EAB4C4.80908@chud.net> <20050730005658.GA4618__37934.1910630048$1122685234$gmane$org@jabberwocky.com>
Message-ID:

> All that said, the bottom line is that if the source is random, the
> armor is too.

He was speaking especially of encrypted output which is theoretically near random, so it is fairly secure. If the password must be long, reproducible, and reasonably secure, using ascii-armoured output of encryption of a file is fairly secure, assuming the attacker is not aware of the nature of the password. If the attacker is aware security goes down some, but not terribly much.

From atom at smasher.org Sat Jul 30 07:44:41 2005
From: atom at smasher.org (Atom Smasher)
Date: Sat Jul 30 07:40:09 2005
Subject: Entropy in ascii-armored output?
In-Reply-To: <20050730005658.GA4618@jabberwocky.com>
References: <42EAB4C4.80908@chud.net> <20050730005658.GA4618@jabberwocky.com>
Message-ID: <20050730054438.82641.qmail@smasher.org>

check out .

something like:

    $ head -4 /dev/urandom | gpg --enarmor

will produce much better "random" output than encrypted output. encrypted output can be filled with information that is not at all random, such as partial body length headers.

of course, base64 is limited to little more than half of the characters that you could be using on an english keyboard... let's say that there are 100 printable characters available on an english keyboard. (according to my math) a 10 character password using only base64 characters can contain up to 60 bits of entropy, but allowing 100 possible characters it can contain almost 66.5 bits of entropy. using 20 characters, it's 120 bits for base64 and almost 133 bits otherwise.

personally, i find diceware ~type~ passphrases easier to remember than gibberish.

--
...atom

_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------

"We have a saying in our company. Our competitors are our friends. Our customers are the enemy."
-- James Randall, Archer Daniels Midland Corporation, ("ADM, Supermarket to the world") quoted in Fortune magazine 4/26/99

From zvrba at globalnet.hr Sat Jul 30 07:50:05 2005
From: zvrba at globalnet.hr (Zeljko Vrba)
Date: Sat Jul 30 07:45:20 2005
Subject: Entropy in ascii-armored output?
In-Reply-To: <42EAB4C4.80908@chud.net>
References: <42EAB4C4.80908@chud.net>
Message-ID: <42EB150D.8020908@globalnet.hr>

Chris De Young wrote:
> some GPG encryption output (with -a, e.g. "QhRuM+W4xC9qnPvn") might be a good
> source of password material.
>
> It's random-looking to the untrained eye, but how random is it really? It
>
1. I know that this isn't what you were asking but you can get the same result by using

    [zax:zvrba]$ openssl rand -base64 8
    57YOqsXaSWk=

(8 is the number of random bytes). OpenSSL tries hard to use good randomness sources. You can also take a look at a little program I've written: Secure Password Generator. http://freshmeat.net/projects/secpwgen/

2. Now to try to answer your question: it depends. If the message is signed-only, then there is no security (because in the middle you have your original, plaintext content). If you get a part of the encrypted message, it should be good password. The output of a good encryption algorithm is indistinguishable from truly random data. Again, if you cut-paste a part of the OpenPGP header/footer, the quality is poor.

best regards,
Zeljko.

From pats_comp_solutions at hotpop.com Sat Jul 30 08:02:56 2005
From: pats_comp_solutions at hotpop.com (Patrick Dickey)
Date: Sat Jul 30 07:58:59 2005
Subject: I have the public key, but not the private...
In-Reply-To: <1122439413.8558.28.camel@localhost.localdomain>
References: <1122439413.8558.28.camel@localhost.localdomain>
Message-ID: <42EB1810.30700@hotpop.com>

Travis C Newman wrote:

> I had reinstalled a while ago, and forgot to backup my gpg files. I
> have retrieved my public key from MIT's keyserver, but I don't
> have the private key, so I can't sign anything. Help?
>
> Travis

While I can't help you with this problem, I can possibly give you a suggestion for the future. I use a program called PW Safe by PassWare. It's basically a password management program, but it's encrypted.

What I do is, I create an entry for GNU-PG and put in the username in its space, and generate a password using its built-in Generator. Then, when I go to create the key, I type the generated password in for the key. Now, when I do a backup of everything, and restore my keys, I have the passwords saved. Or, if I import them from a keyserver (which I'm assuming you are trying to do), I have the passwords also.

If you want to, in the notes section in PW Safe, you can put your private key. That way, you have it as well. (it could be listed in the 'username' field, if you want).

You can find PW Safe at http://sourceforge.net/projects/pwsafe/.

Hopefully this helps you out.

Patrick Dickey.

From pats_comp_solutions at hotpop.com Sat Jul 30 08:33:24 2005
From: pats_comp_solutions at hotpop.com (Patrick Dickey)
Date: Sat Jul 30 08:30:14 2005
Subject: [outlgpg] Questions on installing and using with Outlook 2003.
Message-ID: <42EB1F34.2010103@hotpop.com>

Hi there,

First of all, has anyone successfully installed this and used it with Outlook 2003? I downloaded the file, and unzipped everything. I put the gpgexch.dll file in one folder, and the libgpgmedlgs.dll file into the Windows\system32 directory. When I tried to do regsvr, I had to move the gpgexch.dll file to the Windows\System32 folder also. Now, I have the tabs in Outlook, but it doesn't work as expected...

My questions are these...

1) When I did the regsvr, should I have done regsvr32.exe "C:\Program Files\Microsoft\Outlook" (where I originally put the gpgexch.dll file), or was I correct in moving the file to C:\Windows\System32?

2) How do I configure Outlook to use the gpg program? I have my GPG keys and the binaries in "C:\Program Files\GNU\GnuPG\" but, I'm not sure what program is the key-manager one. I have gpg.exe for that, and when I run the keymanager, I get a cmd box that says "gpg-- Go ahead and type your message." Also, I don't have any new buttons in my mail message composition box.

3) Is there any documentation out there specifically for Microsoft Outlook? If not, would there be an interest in having some created? If/when I find out the answers to my problems, I can create a .rtf file or htm file that walks you through it, if the interest is there.

Thanks in advance for any help on this.

Patrick Dickey

From wk at gnupg.org Sat Jul 30 12:45:45 2005
From: wk at gnupg.org (Werner Koch)
Date: Sat Jul 30 12:46:18 2005
Subject: Entropy in ascii-armored output?
In-Reply-To: <20050730005658.GA4618@jabberwocky.com> (David Shaw's message of "Fri, 29 Jul 2005 20:56:58 -0400")
References: <42EAB4C4.80908@chud.net> <20050730005658.GA4618@jabberwocky.com>
Message-ID: <87r7dginc6.fsf@wheatstone.g10code.de>

On Fri, 29 Jul 2005 20:56:58 -0400, David Shaw said:

> cat /good/random/source | gpg --enarmor

There is even an easier way:

    gpg --gen-random -a 1 12

Returns 16 bytes of armored random; i.e. actually 12 bytes. This uses the same algorithm gpg uses for session keys. By using 2 instead of 1 gpg will use the algorithm it uses for creating keys (i.e. it might block until enough random is available).

You should use a multiple of 3 for the number of random bytes, so that gpg won't produce padding characters.

Salam-Shalom,

   Werner

From twoaday at gmx.net Sat Jul 30 11:18:15 2005
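The arithmetic from the "Entropy in ascii-armored output?" thread above, as an added Python example that is not part of any message in the archive: it reproduces the base64 expansion and bits-per-character figures quoted in the replies, generates padding-free armor from the OS random source, and shows that the leading characters of armored packet data are fixed while random armor shares none. All function names are hypothetical, and the 4-byte packet header is a constructed sample (old-format OpenPGP tag 1, two-byte length, version 3).

```python
import base64
import math
import os
import secrets


def armor_len(n_bytes, padded=False):
    """Base64 characters needed to carry n_bytes of binary data."""
    if padded:
        return 4 * math.ceil(n_bytes / 3)   # what an encoder emits, '=' included
    return math.ceil(n_bytes * 8 / 6)       # 6 bits per character, padding ignored


def max_entropy_bits(n_chars, alphabet_size=64):
    """Upper bound for n_chars drawn uniformly and independently."""
    return n_chars * math.log2(alphabet_size)


def bytes_for_bits(target_bits):
    """Random bytes for at least target_bits, rounded up to a multiple of 3
    so that the base64 form carries no '=' padding."""
    n_bytes = math.ceil(target_bits / 8)
    return n_bytes + (-n_bytes % 3)


def random_armor(n_bytes=12):
    """Base64 of n_bytes from the OS CSPRNG. Same output shape as
    `gpg --gen-random -a 1 12`, but this is not gpg's generator."""
    if n_bytes <= 0 or n_bytes % 3:
        raise ValueError("use a positive multiple of 3 to avoid padding")
    return base64.b64encode(secrets.token_bytes(n_bytes)).decode("ascii")


# Constructed sample, not taken from the thread: 0x85 is an old-format header
# for packet tag 1 with a two-byte length, 0x010C is that length, 0x03 the
# packet version. Everything after it is filled with random bytes here.
PKESK_HEADER = bytes([0x85, 0x01, 0x0C, 0x03])


def structured_armor(n_random=44):
    """Base64 of the fixed header followed by random bytes."""
    data = PKESK_HEADER + secrets.token_bytes(n_random)
    return base64.b64encode(data).decode("ascii")


def common_prefix_len(samples):
    """Leading characters shared by every sample, i.e. zero-entropy positions."""
    return len(os.path.commonprefix(list(samples)))


if __name__ == "__main__":
    print("128 random bytes ->", armor_len(128), "armor characters")
    print("10 base64 chars  <=", max_entropy_bits(10), "bits")
    print("10 chars of 100  <=", round(max_entropy_bits(10, 100), 1), "bits")
    n = bytes_for_bits(128)
    print("128-bit password :", n, "bytes ->", random_armor(n))
    fixed = common_prefix_len(structured_armor() for _ in range(64))
    print("structured armor : first", fixed, "characters never change")
    free = common_prefix_len(random_armor(48) for _ in range(64))
    print("random armor     : first", free, "characters never change")
```

A slice of k armor characters carries at most 6k bits, and fewer when it overlaps header bytes, so password material should be cut from `random_armor` style output rather than from the start of an armored message.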
From: twoaday at gmx.net (Timo Schulz)
Date: Sat Jul 30 12:54:17 2005
Subject: [outlgpg] Questions on installing and using with Outlook 2003.
In-Reply-To: <42EB1F34.2010103@hotpop.com>
References: <42EB1F34.2010103@hotpop.com>
Message-ID: <42EB45D7.2010401@gmx.net>

Patrick Dickey wrote:

> into the Windows\system32 directory. When I tried to do regsvr, I had
> to move the gpgexch.dll file to the Windows\System32 folder also.

What Windows version do you use? I've never seen that this step is needed and I tested it on 98 and XP.

What is the error or why do you think you have to copy it to this place also?

> Now, I have the tabs in Outlook, but it doesn't work as expected...

What does this exactly mean?

> My questions are these... 1) When I did the regsvr, should I
> have done regsvr32.exe "C:\Program Files\Microsoft\Outlook" (where I
> originally put the gpgexch.dll file), or was I correct in moving the

gpgexch.dll can be stored at any place. regsvr32 stores the path of the current directory in the registry for you.

> 2) How do I configure Outlook to use the gpg program? I have my GPG
> keys and the binaries in "C:\Program Files\GNU\GnuPG\" but, I'm not

If you enabled 'GPGExch' in the Outlook Extension dialog, you just need to click on the new tabbed pane 'GnuPG' and set the gpg binary.

> and when I run the keymanager, I get a cmd box that says "gpg-- Go
> ahead and type your message." Also, I don't have any new buttons in

Currently only WinPT is supported for key management. Just enter the WinPT path plus --keymanager. Example "c:\winpt\winpt.exe --keymanager".

> If/when I find out the answers to my problems, I can create a .rtf
> file or htm file that walks you through it, if the interest is there.

The plugin is currently in a beta stadium. When we release the first stable version, it will contain more documentation how to use and to install it.

Anyway I guess it's also a good idea to provide some more details for the beta version right now.
From kfitzner at excelcia.org Sat Jul 30 00:29:18 2005
From: kfitzner at excelcia.org (Kurt Fitzner)
Date: Sat Jul 30 14:08:50 2005
Subject: [Announce] GPGee version 1.1.2 - Important Security Update
Message-ID: <42EAADBE.901@excelcia.org>

Skipped content of type multipart/signed

From pats_comp_solutions at hotpop.com Sat Jul 30 18:51:28 2005
From: pats_comp_solutions at hotpop.com (Patrick Dickey)
Date: Sat Jul 30 18:47:29 2005
Subject: [outlgpg] Questions on installing and using with Outlook 2003.
In-Reply-To: <42EB45D7.2010401@gmx.net>
References: <42EB1F34.2010103@hotpop.com> <42EB45D7.2010401@gmx.net>
Message-ID: <42EBB010.5080007@hotpop.com>

Timo Schulz wrote:

> Patrick Dickey wrote:
>
>> into the Windows\system32 directory. When I tried to do regsvr,
>> I had to move the gpgexch.dll file to the Windows\System32 folder
>> also.
>
> What Windows version do you use? I've never seen that this step is
> needed and I tested it on 98 and XP.
>
> What is the error or why do you think you have to copy it to this
> place also?
>
>> Now, I have the tabs in Outlook, but it doesn't work as
>> expected...
>
> What does this exactly mean?
>
>> My questions are these... 1) When I did the regsvr, should I
>> have done regsvr32.exe "C:\Program Files\Microsoft\Outlook" (where
>> I originally put the gpgexch.dll file), or was I correct in
>> moving the
>
> gpgexch.dll can be stored at any place. regsvr32 stores the path of
> the current directory in the registry for you.
>
>> 2) How do I configure Outlook to use the gpg program? I have my
>> GPG keys and the binaries in "C:\Program Files\GNU\GnuPG\" but,
>> I'm not
>
> If you enabled 'GPGExch' in the Outlook Extension dialog, you just
> need to click on the new tabbed pane 'GnuPG' and set the gpg
> binary.
>
>> and when I run the keymanager, I get a cmd box that says "gpg--
>> Go ahead and type your message." Also, I don't have any new
>> buttons in
>
> Currently only WinPT is supported for key management. Just enter
> the WinPT path plus --keymanager. Example "c:\winpt\winpt.exe
> --keymanager".
>
>> If/when I find out the answers to my problems, I can create a
>> .rtf file or htm file that walks you through it, if the interest
>> is there.
>
> The plugin is currently in a beta stadium. When we release the
> first stable version, it will contain more documentation how to use
> and to install it.
>
> Anyway I guess it's also a good idea to provide some more details
> for the beta version right now.

To answer your questions....

I was mistaken when I said I had to copy it into the folder. When I ran Regsvr32, I got Load Module failed, can't find the module. But, it was because I wasn't using quotes around the Path. I should have known better.. :S

As for what "I have the tabs in Outlook, but they don't work as expected means", I tried to explain that afterwards. I have the tab in my Preferences, but I wasn't exactly sure what to put in there. Originally, I had the "Always sign with the default key" option checked, but since I didn't know what to put, I put a pathname to a file in. Looking back, I'm assuming it means an actual key. Also the message I get in the cmd box when I try running Keymanager (which you explained later on).

When you click on the Advanced button in the GnuPG tab (Preferences in Outlook), and specify the binaries, you want to put "C:\Program Files\GNU\GnuPG\gpg.exe" for the Path to Binaries, "C:\Program Files\GNU\GnuPG\" for the path to home directory (since that's where my trustdb.gpg file is located) and "C:\winpt\winpt.exe --keymanager" for the path to keymanager?

Thanks for your help on this. It's greatly appreciated.

Patrick Dickey.

From jharris at widomaker.com Sat Jul 30 20:20:35 2005
From: jharris at widomaker.com (Jason Harris)
Date: Sat Jul 30 20:16:13 2005
Subject: [Announce] GnuPG 1.4.2 released
In-Reply-To: <87sly0sn0o.fsf@wheatstone.g10code.de>
References: <87sly0sn0o.fsf@wheatstone.g10code.de>
Message-ID: <20050730182035.GC358@wilma.widomaker.com>

On Wed, Jul 27, 2005 at 09:53:27AM +0200, Werner Koch wrote:

> We are pleased to announce the availability of a new stable GnuPG
> release: Version 1.4.2

> What's New
> ===========

> * New experimental HKP keyserver helper that uses the cURL
> library. It is enabled via the configure option --with-libcurl
> like the other (also experimental) cURL helpers.

Please make sure to also apply the attached patch. When enabled (./configure --with-libcurl=DIR), connections to hkp://keyserver.kjsl.com will be persistent/reused and pipelined (as defined in RFC 2616).

Enjoy (responsibly)!

--
Jason Harris           |  NIC:  JH329, PGP:  This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web:  http://keyserver.kjsl.com/~jharris/
          Got photons?   (TM), (C) 2004

From folkert at vanheusden.com Sat Jul 30 23:23:31 2005
From: folkert at vanheusden.com (Folkert van Heusden)
Date: Sat Jul 30 23:54:34 2005
Subject: optimizing gpg for the gpgme library
Message-ID: <20050730212330.GI14975@vanheusden.com>

Hi,

I propose the following: split-up gpg into a front-end and a shared library. The shared library then contains all code for handling the keyring-files, doing the crypto-stuff, etc. while the front-end (just a normal executable) contains the code for parsing commandlines and calling the shared library with all the previously mentioned functions. That way, the gpgme-library can also link against this library so that it only has to do function-calls instead of invoking the whole gpg-executable when it wants to do anything pgp-ish.

Folkert van Heusden

--
Car for sale, see: http://www.vanheusden.com/daihatsu.php
--------------------------------------------------------------------
Get your PGP/GPG key signed at www.biglumber.com!
--------------------------------------------------------------------
Phone: +31-6-41278122, PGP-key: 1F28D8AE

From folkert at vanheusden.com Sun Jul 31 00:14:54 2005
From: folkert at vanheusden.com (Folkert van Heusden)
Date: Sun Jul 31 00:10:18 2005
Subject: problem with certain commandline switches
Message-ID: <20050730221453.GT14975@vanheusden.com>

Hi,

I'm trying to send my keys to the Tor pgp-keyservers. For that I use:

gpg --keyserver=x-hkp://yod73zr3y6wnm2sw.onion --keyserver-options=honor-http-proxy,broken-http-proxy,http-proxy=http://192.168.64.1:8118/ --send-key 1f28d8ae

but that doesn't work! I then get:

gpg: sending key 1F28D8AE to hkp server yod73zr3y6wnm2sw.onion
?: [fd 4]: write error: Broken pipe
?: [fd 4]: write error: Broken pipe
gpgkeys: remote server returned error 503
gpg: keyserver internal error
gpg: keyserver send failed: keyserver error

If I, instead, do the following:

http_proxy=http://192.168.64.1:8118 gpg --options .gnupg/options.tor1 --send-key 1f28d8ae

everything works perfectly.
(with .gnupg/options.tor1 containing this:

load-extension /usr/lib/gnupg/idea
keyserver x-hkp://yod73zr3y6wnm2sw.onion
keyserver-options honor-http-proxy broken-http-proxy
keyserver-options verbose
compress-level 9
default-key folkert@vanheusden.com
list-options show-policy-urls
cert-policy-url http://www.vanheusden.com/pgp-key-signing-policy.html
sig-policy-url http://www.vanheusden.com/data-signing-with-pgp-policy.html
no-random-seed-file
# tricky: no-force-v3-sigs force-mdc
)

What can be the cause of this?

Folkert van Heusden

--
Car for sale, see: http://www.vanheusden.com/daihatsu.php
--------------------------------------------------------------------
Get your PGP/GPG key signed at www.biglumber.com!
--------------------------------------------------------------------
Phone: +31-6-41278122, PGP-key: 1F28D8AE

From dshaw at jabberwocky.com Sun Jul 31 03:28:28 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun Jul 31 03:24:39 2005
Subject: [Announce] GnuPG 1.4.2 released
In-Reply-To: <20050730182035.GC358@wilma.widomaker.com>
References: <87sly0sn0o.fsf@wheatstone.g10code.de> <20050730182035.GC358@wilma.widomaker.com>
Message-ID: <20050731012828.GB6168@jabberwocky.com>

On Sat, Jul 30, 2005 at 02:20:35PM -0400, Jason Harris wrote:
> On Wed, Jul 27, 2005 at 09:53:27AM +0200, Werner Koch wrote:
>
> > We are pleased to announce the availability of a new stable GnuPG
> > release: Version 1.4.2
>
> > What's New
> > ===========
>
> > * New experimental HKP keyserver helper that uses the cURL
> > library. It is enabled via the configure option --with-libcurl
> > like the other (also experimental) cURL helpers. Please make
> > sure to also apply the attached patch.
>
> When enabled (./configure --with-libcurl=DIR), connections to
> hkp://keyserver.kjsl.com will be persistent/reused and pipelined
> (as defined in RFC 2616). Enjoy (responsibly)!

Thought you'd get a kick out of that...

Note that in the next release of GnuPG, --with-libcurl will be the default. (So the more people who try it now, and report back any problems, the better).

David

From twoaday at gmx.net Sun Jul 31 19:09:30 2005
From: twoaday at gmx.net (Timo Schulz)
Date: Sun Jul 31 19:14:03 2005
Subject: [outlgpg] Questions on installing and using with Outlook 2003.
In-Reply-To: <42EBB010.5080007@hotpop.com>
References: <42EB1F34.2010103@hotpop.com> <42EB45D7.2010401@gmx.net> <42EBB010.5080007@hotpop.com>
Message-ID: <42ED05CA.8080701@gmx.net>

Patrick Dickey wrote:

> I was mistaken when I said I had to copy it into the folder. When I
> ran Regsvr32, I got Load Module failed, can't find the module. But,
> it was because I wasn't using quotes around the Path. I should have

IIRC, the example in the README is like "regsvr32 gpgexch" but in any case we need to improve the documentation.

> Originally, I had the "Always sign with the default key" option
> checked, but since I didn't know what to put, I put a pathname to a
> file in. Looking back, I'm assuming it means an actual key. Also the

Yes. This feature is not 100% ready yet. And I guess we need to reword it a little so the user knows a key ID is expected.

> Files\GNU\GnuPG\" for the path to home directory (since that's where
> my trustdb.gpg file is located) and "C:\winpt\winpt.exe --keymanager"
> for the path to keymanager?

Yes. And with these settings the plugin should work. Please make sure you use 0.99.4 because there I fixed a lot of Outlook 2003 related things. I currently use Outlook 2003 on my laptop and it works pretty well.

Timo

From cedar at 3web.net Sun Jul 31 21:44:23 2005
From: cedar at 3web.net (cdr)
Date: Sun Jul 31 22:35:29 2005
Subject: Entropy in ascii-armored output?
In-Reply-To: <42EAB4C4.80908@chud.net>
References: <42EAB4C4.80908@chud.net>
Message-ID: <42ED2A17.6090409@3web.net>

Chris De Young wrote:

> ...that actually writing down passwords, if
> they're kept in a secure place, might not be a bad idea...

This is almost certainly the case, especially for passwords that are used to protect data while 'in transit' on public networks.

> ...it seems that copying some arbitrary chunk out of
> the middle of some GPG encryption output...

Once any machine-readable key material has been recorded on your local filesystem or, worse, transmitted over the network, the possibilities that an attacker will get hold of it increase significantly; it would be much better to use some mechanical device (cards, dice, bag with tiles...) instead.

C. Rok

From wholmes4 at csc.com Wed Jul 27 23:07:18 2005
From: wholmes4 at csc.com (William F Holmes)
Date: Mon Aug 8 10:57:06 2005
Subject: secret key not available
Message-ID:

We recently generated a new key pair because of a server domain change. We generated a new armored public key and provided it to companies that send us files via ftp. They have encrypted files with our new public key and sent these files. We cannot decrypt them. Here is what we get when we try to decrypt:

gpg: Warning: using insecure memory!
gpg: encrypted with ELG-E key, ID 7725AAB6
gpg: decryption failed: secret key not available

We're using GnuPG version 1.0.6. What have we done wrong?

William F. Holmes
Sr. PeopleSoft Oracle Database Administrator
Desk: 703-818-5635
E-mail: wholmes4@csc.com

From tobias at karmabits.net Thu Jul 28 23:33:24 2005
From: tobias at karmabits.net (Tobias Eichert)
Date: Mon Aug 8 10:57:24 2005
Subject: Multiple self signatures
Message-ID:

Hello,

I have multiple self signatures within my key and I haven't found a reason yet. I usually don't self-sign my key several times (well, at least I'm not aware of it). :)

http://pgpkeys.pca.dfn.de:11371/pks/lookup?op=vindex&fingerprint=on&search=0x7E9154BFDA817013

How can I prevent this? I'd really appreciate any hints. Could you please CC me? I'm not subscribed to this list.

GnuPG version is 1.4.2 (on Windows XP SP 2)

Thanks
Tobias