From greg at turnstep.com Tue Mar 1 00:55:41 2005
From: greg at turnstep.com (Greg Sabino Mullane)
Date: Tue Mar 1 00:52:22 2005
Subject: useless test keys and keyservers
In-Reply-To: <200502281849.12565.linux@codehelp.co.uk>
Message-ID: <7bbe8f8391ed0c367d06423a7b042e0b@biglumber.com>

> IMHO, anyone who signs emails to a public mailing list should make
> their public key available with the minimum of fuss. This, to me,
> means putting it on one of the recommended keyservers,

Or simply putting a URL to a webpage with their key in the headers or the sig. (which allows them to give you their preferred copy of their key)

> All keyservers support the option to not upload your key - it's just
> that once a key is public, there's no real way of stopping it being
> submitted by someone else. There again, if the key IS public, it should
> be on a public keyserver - that's my case.

How about, if the key IS public, it should be made publicly available. Right now, the main option for doing so is the keyservers, which unfortunately have the flaw that anyone can make changes to anyone else's public key. That's why some people prefer a self-controlled web page.
--
Greg Sabino Mullane greg@turnstep.com
PGP Key: 0x14964AC8 200502281856
http://biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8

From mreese at calarts.edu Tue Mar 1 01:48:25 2005
From: mreese at calarts.edu (Melissa Reese)
Date: Tue Mar 1 01:45:05 2005
Subject: useless test keys and keyservers
In-Reply-To: <7bbe8f8391ed0c367d06423a7b042e0b@biglumber.com>
References: <200502281849.12565.linux@codehelp.co.uk> <7bbe8f8391ed0c367d06423a7b042e0b@biglumber.com>
Message-ID: <644916702.20050228164825@calarts.edu>

Hi Greg,

On Monday, February 28, 2005, at 3:55:41 PM PST, you wrote:

Neil:
>> IMHO, anyone who signs emails to a public mailing list should make
>> their public key available with the minimum of fuss. This, to me,
>> means putting it on one of the recommended keyservers,

Greg:
> Or simply putting a URL to a webpage with their key in the headers
> or the sig. (which allows them to give you their preferred copy of
> their key)

I'll be looking into getting a web page set up for my keys, but for now, I distribute them via email auto-responder. Just click on the mailto in my signature, and send the resulting email message. An auto-reply with the keys will be sent immediately.

> How about, if the key IS public, it should be made publicly
> available. Right now, the main option for doing so is the
> keyservers, which unfortunately have the flaw that anyone can make
> changes to anyone else's public key. That's why some people prefer a
> self-controlled web page.

And this is why I prefer to distribute my own keys. For the moment, via email, and when I can finally get it together, on a web page.

--
Melissa
PGP public keys: mailto:pgp_keys@gmx.co.uk?subject=0xFB04F2E9&Body=Please%20send%20keys
From swright at physics.adelaide.edu.au Tue Mar 1 02:51:57 2005
From: swright at physics.adelaide.edu.au (Stewart V. Wright)
Date: Tue Mar 1 02:48:33 2005
Subject: useless test keys and keyservers
In-Reply-To: <644916702.20050228164825@calarts.edu>
References: <200502281849.12565.linux@codehelp.co.uk> <7bbe8f8391ed0c367d06423a7b042e0b@biglumber.com> <644916702.20050228164825@calarts.edu>
Message-ID: <20050301015157.GA23707@anl.gov>

G'day Entity-that-is-possibly-Melissa,

* Melissa Reese [050228 18:54]:
> I'll be looking into getting a web page set up for my keys, but for
> now, I distribute them via email auto-responder. Just click on the
> mailto in my signature, and send the resulting email message. An
> auto-reply with the keys will be sent immediately.

IMHO this is a pain. Some (most?) of us on this list don't use "click" type mailers. So for me to get your key I need to unmangle the mailto, work out what subject line I need to use and then finally send it off. Guess how much motivation I have for doing that? I'd never bothered even reading your signature so I never would have found out the instructions were there...

Key servers were set up so people didn't have to do something like you have done. Heck, if you have the power to set up an email account that is an auto-responder, just have it auto-respond to any email, don't make us have to send both a subject _and_ a message body.

I think that we will make the spread and use of OpenPGP grow by making it easier, not harder for people to verify signatures.

> And this is why I prefer to distribute my own keys. For the moment,
> via email, and when I can finally get it together, on a web page.

So do you only envisage using your key to sign messages? If you want to use the encryption part then it becomes silly to have your philosophy.
Take as an example someone who wants to send you a message that your ISP isn't to read. This person would now have to mail you to get the key - thereby revealing to anyone who was listening in to your communications that the entity controlling email address XYZ is interested in talking to you privately. Then you can get asked questions like "Why does want to talk to you?".

Just a thought,

S.

From mreese at calarts.edu Tue Mar 1 05:52:11 2005
From: mreese at calarts.edu (Melissa Reese)
Date: Tue Mar 1 05:48:58 2005
Subject: useless test keys and keyservers
In-Reply-To: <20050301015157.GA23707@anl.gov>
References: <200502281849.12565.linux@codehelp.co.uk> <7bbe8f8391ed0c367d06423a7b042e0b@biglumber.com> <644916702.20050228164825@calarts.edu> <20050301015157.GA23707@anl.gov>
Message-ID: <697355996.20050228205211@calarts.edu>

Hi Stewart,

On Monday, February 28, 2005, at 5:51:57 PM PST, you wrote:

>> I'll be looking into getting a web page set up for my keys, but for
>> now, I distribute them via email auto-responder. Just click on the
>> mailto in my signature, and send the resulting email message. An
>> auto-reply with the keys will be sent immediately.

> IMHO this is a pain. Some (most?) of us on this list don't use
> "click" type mailers.

I've drafted a much longer and more detailed reply to your message, but since this is becoming a bit off-topic with regards to "GnuPG usage" specifically, I'll try to keep this reply as short and to the point as possible.

I still suffer from my silly philosophical disagreement with the current state of the keyservers, so I guess I'm kind of stuck, at the moment, with the choice between my "mailto" auto-reply method or a web page where my keys can be obtained.
I just created a quick little web page for my keys (please see the URL in my signature), but I'm afraid that as far as mouse clicking goes, it's going to involve at least as much bother as clicking on my previous "mailto"; though the potential problems with the subject line and message body text of the "mailto" method are eliminated. I also won't have to worry about keeping my email client running all the time.

Now, it seems to me that if you can't conveniently click on a mailto in your email client, a URL won't be much better for you. Is this correct? Or do you have an easier way to deal with web site URLs from within your mailer?

In any event, short of simply uploading my keys to the keyservers, I am trying to make the distribution process as painless as possible, though I'm afraid I just won't be able to satisfy everyone, in every way possible. Again, I apologize for all the inconvenience.

--
Melissa
PGP public keys: http://www.freewebs.com/qajaq/

From vedaal at hush.com Tue Mar 1 16:18:51 2005
From: vedaal at hush.com (vedaal@hush.com)
Date: Tue Mar 1 16:15:00 2005
Subject: key edit question // adding a comment
Message-ID: <200503011518.j21FIrHc010054@mailserver2.hushmail.com>

is it possible to add a 'comment' to a key after it is made?
during key generation, gnupg asks if the user wants to enter a comment

example:
comment: (please, local signature only)

having this type of comment might alert people not to sign the key, and decrease people's reluctance on having their keys on a server

(the ideal keyserver situation would be to allow only the key owner to upload his/her key to a keyserver, and to obtain whatever signatures desired on that key, directly from the signers, and then upload it)

anyway,
could not figure out how to add a comment to a key after it has already been generated

any ideas on how this could be done?

tia,

vedaal

From ml at bitfalle.org Tue Mar 1 18:00:15 2005
From: ml at bitfalle.org (markus reichelt)
Date: Tue Mar 1 17:57:20 2005
Subject: key edit question // adding a comment
In-Reply-To: <200503011518.j21FIrHc010054@mailserver2.hushmail.com>
References: <200503011518.j21FIrHc010054@mailserver2.hushmail.com>
Message-ID: <20050301170015.GA2303@dantooine>

vedaal@hush.com wrote:

> could not figure out how to add a comment to a key after it has
> already been generated
>
> any ideas on how this could be done?

As far as I know this can't be done yet. So I'm in for a feature request :-)

--
Bastard Administrator in $hell

From swright at physics.adelaide.edu.au Tue Mar 1 18:12:29 2005
From: swright at physics.adelaide.edu.au (Stewart V.
Wright)
Date: Tue Mar 1 18:09:33 2005
Subject: [OT] Re: useless test keys and keyservers
In-Reply-To: <697355996.20050228205211@calarts.edu>
References: <200502281849.12565.linux@codehelp.co.uk> <7bbe8f8391ed0c367d06423a7b042e0b@biglumber.com> <644916702.20050228164825@calarts.edu> <20050301015157.GA23707@anl.gov> <697355996.20050228205211@calarts.edu>
Message-ID: <20050301171229.GA12688@anl.gov>

G'day Melissa,

* Melissa Reese [050228 23:07]:
> I still suffer from my silly philosophical disagreement with the
> current state of the keyservers, so I guess I'm kind of stuck, at the
> moment, with the choice between my "mailto" auto-reply method or
> a web page where my keys can be obtained.

Well, it appears that someone (not me!) has submitted your key to a keyserver for you. (Paraphrasing a famous quote) Whilst I don't agree with your views on keyservers, I support your right to have them. If it wasn't you that submitted it I think this is bad form for whoever did it. :-(

I would like to follow through the points you've made, but let's do it off list so as to not waste other members' time.

Cheers,

S.

From vedaal at hush.com Tue Mar 1 18:32:46 2005
From: vedaal at hush.com (vedaal@hush.com)
Date: Tue Mar 1 18:28:56 2005
Subject: key edit question // adding a comment
Message-ID: <200503011732.j21HWo13031822@mailserver2.hushmail.com>

markus reichelt ml at bitfalle.org wrote:

> As far as I know this can't be done yet.
> So I'm in for a feature request :-)

me too ;-)

but if it really can't be done now, there is a clumsy/ugly but quite effective workaround:

add a new keyid with the same user id but with the new comment, then delete the old keyid without the comment

so, it can wait until the more important feature requests are done,

(i thought that there just 'might' be another one of those cool commands around that never made it to the man page, that could add the comment ;-) )

vedaal

From dshaw at jabberwocky.com Tue Mar 1 18:47:03 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue Mar 1 18:43:51 2005
Subject: key edit question // adding a comment
In-Reply-To: <200503011518.j21FIrHc010054@mailserver2.hushmail.com>
References: <200503011518.j21FIrHc010054@mailserver2.hushmail.com>
Message-ID: <20050301174703.GI25630@jabberwocky.com>

On Tue, Mar 01, 2005 at 07:18:51AM -0800, vedaal@hush.com wrote:

> is it possible to add a 'comment' to a key after it is made?
>
> during key generation, gnupg asks if the user wants to enter a
> comment
>
> example:
> comment: (please, local signature only)
>
> having this type of comment might alert people not to sign the key,
> and decrease people's reluctance on having their keys on a server
>
> (the ideal keyserver situation would be to allow only the key owner
> to upload his/her key to a keyserver, and to obtain whatever
> signatures desired on that key, directly from the signers, and then
> upload it)
>
> anyway,
> could not figure out how to add a comment to a key after it has
> already been generated
>
> any ideas on how this could be done?

The comment is part of the user ID.
If you want a new comment, you need to make a new user ID.

David

From ml at bitfalle.org Tue Mar 1 18:53:52 2005
From: ml at bitfalle.org (markus reichelt)
Date: Tue Mar 1 18:50:36 2005
Subject: key edit question // adding a comment
In-Reply-To: <200503011732.j21HWo13031822@mailserver2.hushmail.com>
References: <200503011732.j21HWo13031822@mailserver2.hushmail.com>
Message-ID: <20050301175351.GA2809@dantooine>

vedaal@hush.com wrote:

> there is a clumsy/ugly but quite effective workaround:
>
> add a new keyid with the same user id but with the new comment,
> then delete the old keyid without the comment

Wouldn't this affect signatures the key/uid in question has received? I don't have the time to test it right now, but I believe so. Given that I'm going to hunt some sig3s down next weekend I'd better not test it with my main keys, eh ;-)

Anyway, if you already tamper with UIDs, just add a new one (of whatever content) and fill the comment field according to your needs. This won't affect the other UIDs' signatures.

--
Bastard Administrator in $hell

From ml at bitfalle.org Tue Mar 1 18:58:56 2005
From: ml at bitfalle.org (markus reichelt)
Date: Tue Mar 1 18:55:39 2005
Subject: key edit question // adding a comment
In-Reply-To: <20050301174703.GI25630@jabberwocky.com>
References: <200503011518.j21FIrHc010054@mailserver2.hushmail.com> <20050301174703.GI25630@jabberwocky.com>
Message-ID: <20050301175856.GA2913@dantooine>

David Shaw wrote:

> The comment is part of the user ID. If you want a new comment, you
> need to make a new user ID.

So I guess the chances of this ever being available are exactly nil unless a corresponding RFC exists. Right?
--
Bastard Administrator in $hell

From mreese at calarts.edu Tue Mar 1 19:04:34 2005
From: mreese at calarts.edu (Melissa Reese)
Date: Tue Mar 1 19:01:10 2005
Subject: [OT] Re: useless test keys and keyservers
In-Reply-To: <20050301171229.GA12688@anl.gov>
References: <200502281849.12565.linux@codehelp.co.uk> <7bbe8f8391ed0c367d06423a7b042e0b@biglumber.com> <644916702.20050228164825@calarts.edu> <20050301015157.GA23707@anl.gov> <697355996.20050228205211@calarts.edu> <20050301171229.GA12688@anl.gov>
Message-ID: <526380144.20050301100434@calarts.edu>

Hi Stewart,

On Tuesday, March 01, 2005, at 9:12:29 AM PST, you wrote:

> Well, it appears that someone (not me!) has submitted your key to a
> keyserver for you. (Paraphrasing a famous quote) Whilst I don't
> agree with your views on keyservers, I support your right to have
> them. If it wasn't you that submitted it I think this is bad form
> for whoever did it. :-(

Yes, one of my greatest disappointments with the current keyserver system is the ability of anyone to upload anyone else's keys. I have several keys, associated with several different accounts, and while I've uploaded *one* of them to the keyservers myself, the rest were uploaded by others. In some cases, after they've signed my keys with exportable signatures, though they don't know me, or my association with certain keys, from a hole in the ground. Is that really "good practice" in terms of "web of trust"?

> I would like to follow through the points you've made, but let's do it
> off list so as to not waste other members' time.

When I have a bit of time, perhaps later tonight, I'll finish up the longer message I started last night and send it along off-list.
--
Melissa
PGP public keys: http://www.freewebs.com/qajaq/

From dshaw at jabberwocky.com Tue Mar 1 19:09:43 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue Mar 1 19:06:18 2005
Subject: key edit question // adding a comment
In-Reply-To: <20050301175856.GA2913@dantooine>
References: <200503011518.j21FIrHc010054@mailserver2.hushmail.com> <20050301174703.GI25630@jabberwocky.com> <20050301175856.GA2913@dantooine>
Message-ID: <20050301180943.GJ25630@jabberwocky.com>

On Tue, Mar 01, 2005 at 06:58:56PM +0100, markus reichelt wrote:

> David Shaw wrote:
> > The comment is part of the user ID. If you want a new comment, you
> > need to make a new user ID.
>
> So I guess the chances of this ever being available are exactly nil
> unless a corresponding RFC exists. Right?

Pretty much. Right now, comments are part of the user ID. You can use notations or the like to add other text to a key if you like, but the comment field that is part of the user ID is, well, part of the user ID.

David

From erwan at rail.eu.org Tue Mar 1 19:32:27 2005
From: erwan at rail.eu.org (Erwan David)
Date: Tue Mar 1 19:29:01 2005
Subject: [OT] Re: useless test keys and keyservers
In-Reply-To: <526380144.20050301100434@calarts.edu>
References: <200502281849.12565.linux@codehelp.co.uk> <7bbe8f8391ed0c367d06423a7b042e0b@biglumber.com> <644916702.20050228164825@calarts.edu> <20050301015157.GA23707@anl.gov> <697355996.20050228205211@calarts.edu> <20050301171229.GA12688@anl.gov> <526380144.20050301100434@calarts.edu>
Message-ID: <20050301183227.GA4583@ratagaz.depot.rail.eu.org>

On Tue 1/03/2005, Melissa Reese said
> Hi Stewart,
>
> On Tuesday, March 01, 2005, at 9:12:29 AM PST, you wrote:
>
> > Well, it appears that someone (not me!)
> > has submitted your key to a
> > keyserver for you. (Paraphrasing a famous quote) Whilst I don't
> > agree with your views on keyservers, I support your right to have
> > them. If it wasn't you that submitted it I think this is bad form
> > for whoever did it. :-(
>
> Yes, one of my greatest disappointments with the current keyserver
> system is the ability of anyone to upload anyone else's keys. I have
> several keys, associated with several different accounts, and while
> I've uploaded *one* of them to the keyservers myself, the rest were
> uploaded by others. In some cases, after they've signed my keys with
> exportable signatures, though they don't know me, or my association
> with certain keys from a hole in the ground. Is that really "good
> practice" in terms of "web of trust"?

There are 2 keys on keyservers which bear my name, but which I do not own. Worse, they are signed by several keys bearing the names of people who know me, but those keys do not belong to them either.

However, if checks are done carefully, nobody can trace those keys to me through a sensible chain of signatures, leading to a personally verified key ownership.
--
Erwan

From dshaw at jabberwocky.com Tue Mar 1 19:47:29 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue Mar 1 19:44:12 2005
Subject: [OT] Re: useless test keys and keyservers
In-Reply-To: <20050301183227.GA4583@ratagaz.depot.rail.eu.org>
References: <200502281849.12565.linux@codehelp.co.uk> <7bbe8f8391ed0c367d06423a7b042e0b@biglumber.com> <644916702.20050228164825@calarts.edu> <20050301015157.GA23707@anl.gov> <697355996.20050228205211@calarts.edu> <20050301171229.GA12688@anl.gov> <526380144.20050301100434@calarts.edu> <20050301183227.GA4583@ratagaz.depot.rail.eu.org>
Message-ID: <20050301184729.GK25630@jabberwocky.com>

On Tue, Mar 01, 2005 at 07:32:27PM +0100, Erwan David wrote:

> On Tue 1/03/2005, Melissa Reese said
> > Hi Stewart,
> >
> > On Tuesday, March 01, 2005, at 9:12:29 AM PST, you wrote:
> >
> > > Well, it appears that someone (not me!) has submitted your key to a
> > > keyserver for you. (Paraphrasing a famous quote) Whilst I don't
> > > agree with your views on keyservers, I support your right to have
> > > them. If it wasn't you that submitted it I think this is bad form
> > > for whoever did it. :-(
> >
> > Yes, one of my greatest disappointments with the current keyserver
> > system is the ability of anyone to upload anyone else's keys. I have
> > several keys, associated with several different accounts, and while
> > I've uploaded *one* of them to the keyservers myself, the rest were
> > uploaded by others. In some cases, after they've signed my keys with
> > exportable signatures, though they don't know me, or my association
> > with certain keys from a hole in the ground. Is that really "good
> > practice" in terms of "web of trust"?
>
> There are 2 keys on keyservers which bear my name, but which I do not
> own. Worse, they are signed by several keys bearing the names of people
> who know me, but those keys do not belong to them either.

This reminds me of something that happened back in the PGP 2 days.
The web of trust was a lot smaller than it is today, and someone took it upon themselves to duplicate it by making all the keys themselves, and recreating the various inter-key links to match the real web.

> However, if checks are done carefully, nobody can trace those keys to
> me through a sensible chain of signatures, leading to a personally
> verified key ownership.

Yes.

David

From erwan at rail.eu.org Tue Mar 1 20:10:06 2005
From: erwan at rail.eu.org (Erwan David)
Date: Tue Mar 1 20:06:10 2005
Subject: [OT] Re: useless test keys and keyservers
In-Reply-To: <20050301184729.GK25630@jabberwocky.com>
References: <200502281849.12565.linux@codehelp.co.uk> <7bbe8f8391ed0c367d06423a7b042e0b@biglumber.com> <644916702.20050228164825@calarts.edu> <20050301015157.GA23707@anl.gov> <697355996.20050228205211@calarts.edu> <20050301171229.GA12688@anl.gov> <526380144.20050301100434@calarts.edu> <20050301183227.GA4583@ratagaz.depot.rail.eu.org> <20050301184729.GK25630@jabberwocky.com>
Message-ID: <20050301191006.GB4583@ratagaz.depot.rail.eu.org>

On Tue 1/03/2005, David Shaw said
> >
> > There are 2 keys on keyservers which bear my name, but which I do not
> > own. Worse, they are signed by several keys bearing the names of people
> > who know me, but those keys do not belong to them either.
>
> This reminds me of something that happened back in the PGP 2 days.
> The web of trust was a lot smaller than it is today, and someone took
> it upon themselves to duplicate it by making all the keys themselves,
> and recreating the various inter-key links to match the real web.

Here someone created keys with the names and addresses of all regular participants in a French-speaking computer security newsgroup, and cross-signed them before sending them to keyservers...

> > However, if checks are done carefully, nobody can trace those keys to
> > me through a sensible chain of signatures, leading to a personally
> > verified key ownership.
>
> Yes.
But there is a weak point: if someone signs without carefully checking, those keys can be linked back to the real web of trust. Let's hope such a person will not be trusted more than marginally by anybody, but I have little hope in common knowledge about the importance of key signing, even if there has been no catastrophe since 1998 when the keys were uploaded...

--
Erwan

From mike at retnet.net Tue Mar 1 20:42:10 2005
From: mike at retnet.net (Michael Avila)
Date: Tue Mar 1 20:38:28 2005
Subject: Create a Key using a script?
Message-ID: <20050301144213.GA70821@mail07a.vwh1.net>

Is there a way to create a key by passing a list of information to gpg? What I am trying to do is make it easy for our customers to create a key. I want to have a web form where they fill in the information, I submit it to gpg, I save the key on a keyring, and let them know what to do next. Is this possible? I have a Windows and a Linux platform from which this can be done if that is important.

Any help, suggestions, comments are welcome.

Thanks.

Michael Avila
Retail Network Inc
Troy, Michigan 48083
(248)588-8000 x429

From brunij at earthlink.net Tue Mar 1 19:41:02 2005
From: brunij at earthlink.net (Joseph Bruni)
Date: Tue Mar 1 20:48:36 2005
Subject: correspondence between pref notications and algo's
Message-ID: <30539855.1109702463018.JavaMail.root@scooter.psp.pas.earthlink.net>

When I'm looking at preferences on a key, the list of algo's is using a shorthand notation, such as "S9 S8 S7 S3 S2 H2 H3 Z2 Z1". "showpref" shows the longer versions.
Is there a document somewhere that describes which shorthand corresponds to which algorithm (i.e. what maps H2=SHA1?)?

(BTW, the --without-readline option also allowed me to compile 1.4 on HP/UX. Thanks David!)

From dshaw at jabberwocky.com Tue Mar 1 20:56:02 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue Mar 1 20:52:42 2005
Subject: Create a Key using a script?
In-Reply-To: <20050301144213.GA70821@mail07a.vwh1.net>
References: <20050301144213.GA70821@mail07a.vwh1.net>
Message-ID: <20050301195602.GA26043@jabberwocky.com>

On Tue, Mar 01, 2005 at 02:42:10PM -0500, Michael Avila wrote:

> Is there a way to create a key by passing a list of information to gpg? What I
> am trying to do is make it easy for our customers to create a key. I want to
> have a web form where they fill in the information, I submit it to gpg, I save
> the key on a keyring, and let them know what to do next. Is this possible? I
> have a Windows and a Linux platform from which this can be done if that is
> important.

Read the "Unattended key generation" section of the doc/DETAILS file.

David

From dshaw at jabberwocky.com Tue Mar 1 20:57:38 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue Mar 1 20:54:25 2005
Subject: correspondence between pref notications and algo's
In-Reply-To: <30539855.1109702463018.JavaMail.root@scooter.psp.pas.earthlink.net>
References: <30539855.1109702463018.JavaMail.root@scooter.psp.pas.earthlink.net>
Message-ID: <20050301195738.GB26043@jabberwocky.com>

On Tue, Mar 01, 2005 at 10:41:02AM -0800, Joseph Bruni wrote:

> When I'm looking at preferences on a key, the list of algo's is
> using a shorthand notation, such as "S9 S8 S7 S3 S2 H2 H3 Z2
> Z1". "showpref" shows the longer versions.
>
> Is there a document somewhere that describes which shorthand corresponds to
> which algorithm (i.e. what maps H2=SHA1?)?

RFC-2440. You can also get a listing with 'gpg -v --version'

"pref" isn't that useful any longer now that 1.4 is out.
"showpref" is the way to go since it actually gives the algorithms by name.

David

From mike at retnet.net Tue Mar 1 21:13:39 2005
From: mike at retnet.net (Michael Avila)
Date: Tue Mar 1 21:09:55 2005
Subject: Create a Key using a script?
In-Reply-To: <20050301195602.GA26043@jabberwocky.com>
Message-ID: <20050301151342.GA14944@mail07b.vwh1.net>

I don't seem to have that document. I have the manual.pdf, howto.rtf, and intro.pdf. Where can I get that file?

Thanks.

Mike

From dshaw at jabberwocky.com Tue Mar 1 21:18:44 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue Mar 1 21:15:21 2005
Subject: Create a Key using a script?
In-Reply-To: <20050301151342.GA14944@mail07b.vwh1.net>
References: <20050301195602.GA26043@jabberwocky.com> <20050301151342.GA14944@mail07b.vwh1.net>
Message-ID: <20050301201844.GC26043@jabberwocky.com>

On Tue, Mar 01, 2005 at 03:13:39PM -0500, Michael Avila wrote:

> I don't seem to have that document. I have the manual.pdf, howto.rtf, and
> intro.pdf. Where can I get that file?

It is part of the distribution. If you can't find it in the materials you have, just download the latest release. It's in the doc/ directory.

David

From mike at retnet.net Tue Mar 1 21:28:50 2005
From: mike at retnet.net (Michael Avila)
Date: Tue Mar 1 21:24:57 2005
Subject: Create a Key using a script?
In-Reply-To: <20050301201844.GC26043@jabberwocky.com>
Message-ID: <20050301152852.GA57958@mail07b.vwh1.net>

Thanks for the help.

Mike
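The parameter-file format from doc/DETAILS that David points Michael to is one "Key: value" line per parameter with "%commit" closing the block, which is exactly the shape a web form can feed. The following is an added example (not GnuPG's or the list's own code) that builds such a file from form fields while refusing values that could inject extra parameter lines; the form field names, the RSA/2048/1y defaults and the "gpg" binary on PATH are assumptions.

```python
import os
import re
import subprocess

# Each parameter is one "Key: value" line, and lines beginning with '%' are
# control directives (%commit, %pubring, ...). A form value containing a
# newline could therefore smuggle in its own "Passphrase:" or "%commit"
# line, so every value is validated before it is written.
_NO_CONTROL = re.compile(r"^[^\x00-\x1f\x7f]+$")
_EMAIL = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
# gpg assembles the user ID as "Real Name (Comment) <email>", so these
# characters inside a field would break the UID's structure.
_UID_FORBIDDEN = set("<>()")


class BadField(ValueError):
    """A form value that must not reach the parameter file."""


def _clean(field, value, max_len=64):
    value = value.strip()
    if not value or len(value) > max_len or not _NO_CONTROL.match(value):
        raise BadField("%s: empty, too long or contains control characters" % field)
    if field != "Passphrase" and _UID_FORBIDDEN & set(value):
        raise BadField("%s: '<', '>', '(' and ')' are not allowed" % field)
    if field == "Name-Email" and not _EMAIL.match(value):
        raise BadField("Name-Email: not a plausible address")
    return value


def build_parameters(form, key_length=2048, expire="1y"):
    """form: dict with 'real' and 'email' plus optional 'comment' and
    'passphrase' (constructed field names, not GnuPG's). Returns the text
    that `gpg --batch --gen-key <file>` consumes."""
    lines = [
        "Key-Type: RSA",
        "Key-Length: %d" % key_length,
        "Subkey-Type: RSA",
        "Subkey-Length: %d" % key_length,
        "Name-Real: " + _clean("Name-Real", form["real"]),
        "Name-Email: " + _clean("Name-Email", form["email"]),
        "Expire-Date: " + expire,
    ]
    if form.get("comment"):
        lines.append("Name-Comment: " + _clean("Name-Comment", form["comment"]))
    if form.get("passphrase"):
        # Without a Passphrase line gpg 1.4 writes an unprotected secret key.
        lines.append("Passphrase: " + _clean("Passphrase", form["passphrase"], 256))
    lines.append("%commit")
    return "\n".join(lines) + "\n"


def validate_form(form):
    """(True, None) if the form can become a parameter file, else
    (False, reason); for the web layer to call before touching gpg."""
    try:
        build_parameters(form)
        return True, None
    except (BadField, KeyError) as exc:
        return False, str(exc)


def generate_key(form, homedir, gpg="gpg"):
    """Run gpg against a dedicated keyring directory. The server now holds
    the customer's secret key and passphrase, so keep homedir outside the
    web root with 0700 permissions and hand the key over once, securely."""
    os.makedirs(homedir, mode=0o700, exist_ok=True)
    params = os.path.join(homedir, "keygen.params")
    with open(params, "w") as fh:
        fh.write(build_parameters(form))
    try:
        proc = subprocess.run(
            [gpg, "--batch", "--homedir", homedir, "--gen-key", params],
            capture_output=True, text=True, check=False)
    finally:
        os.unlink(params)  # the file contains the passphrase
    return proc.returncode, proc.stderr


if __name__ == "__main__":
    # Constructed sample submission; the second one carries a newline.
    ok, why = validate_form({"real": "Jane Tester", "email": "jane@example.com"})
    print("good form:", ok)
    ok, why = validate_form({"real": "Jane\nPassphrase: x", "email": "jane@example.com"})
    print("injected form:", ok, why)
```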
Version: 7.0.300 / Virus Database: 266.5.1 - Release Date: 2/27/2005 From tenui at myrealbox.com Tue Mar 1 19:58:25 2005 From: tenui at myrealbox.com (Tenui) Date: Tue Mar 1 21:25:28 2005 Subject: bzip2 cross-compiling problem Message-ID: <4224BB51.3020400@myrealbox.com> Greetings, I posted this yesterday morning but it seems to have gone missing in cyber space, so let's try again. I have installed the Debian MinGW environment to cross-compile gpg for Windows. My first attempt, with 1.4.1rc2, seemed to compile without problems, but when transferred to a Windows box I found there was no bzip2 capability included. I am using Libra Net 2.8.1. I have the bzip2 and libbzip2 .deb packages installed, so what else could be missing, or is there some configuration option I must include in autogen.sh or configure.ac? Thanks Tenui From shavital at mac.com Tue Mar 1 21:57:23 2005 From: shavital at mac.com (Charly Avital) Date: Tue Mar 1 21:53:56 2005 Subject: correspondence between pref notications and algo's In-Reply-To: <30539855.1109702463018.JavaMail.root@scooter.psp.pas.earthlink.net> References: <30539855.1109702463018.JavaMail.root@scooter.psp.pas.earthlink.net> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 In scroll down to Change Preferences. That's just one hit in a Google search. There are probably other documents. Charly On Mar 1, 2005, at 1:41 PM, Joseph Bruni wrote: > When I'm looking at preferences on a key, the list of algo's is using > a shorthand > notation, such as "S9 S8 S7 S3 S2 H2 H3 Z2 Z1". "showpref" shows the > longer > versions. > > Is there a document somewhere that describes which shorthand > corresponds to > which algorithm (i.e. what maps H2=SHA1?)? 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1rc2 (Darwin) Comment: GnuPG for Privacy iQIVAwUBQiTXQG69XHxycyfPAQjz+g//Zkaa6yjTh5YAL9cQ+7YExF8ETf2PVBB4 NmdXlzneCISf4YFaLcqERTrg6kjGbGGvYRZ/dCnmoshG//NwQxxKjJNQATgiE7JK F6IV6nP7DeA2+PoED+vyuX6t7GUSap16Vso7YLcyipJeQv4G8bmJfz2ZKQNQSTa8 +zS6OT2nfYE0o8tXjogP7hVxbDHMDmQyHTAg4KKWfv9NI/FLMxjYTPWJQlN7MXaw B26sEBM8OOxaWKvUHttlQdR6fk21Iiq8g6IkTnfJUDNf44h2XFQBmQeDVvD57Vo4 917CGzjcYoF1+dibc846ATbw7JKYrFXjousCYtr9uv8Xo/RGke9lWHEUr8tgBdro jA1u3zBUxK2FtPkYo9feZKeIKTkg6ZbVKK303yoH6CBvDz2GB7RaXbrqrEdszdAl QlTz/6V5Kuzr2H7ccSPsyO2F1tkVcS2o09pxADwatvlr8G+T16oPVJFe8pps99J2 s3mASvh7DzArzOgLtlksO456soiSJm2N1B+P/kgBpeAuV9xBWrIA+zAHt2d76sJU p4SGuueGlMiUhMMrR19Yo03sw9SCadJjv3Oa9tskwZFbjO5OkivWGK2IuYKLIt76 DQl3RNHZGfSJT8c5wwV8pD/Ev8C8ezjzLeAplFZ5jM3rmmJlFXKKZDGfjf4I7ZiW GioC0SaxyHg= =ZtZx -----END PGP SIGNATURE----- From vedaal at hush.com Wed Mar 2 00:54:31 2005 From: vedaal at hush.com (vedaal@hush.com) Date: Wed Mar 2 00:50:51 2005 Subject: gnupg and the Bat // ? possible in linux under wine Message-ID: <200503012354.j21NsWEF089775@mailserver2.hushmail.com> have finally made the plunge into linux (some neat bash commands that can be used with gnupg, like 'cat' are just not available in windows ... ;-) for easy transition from windows, am running fedora core 2) found the winetools (2.1.1) site, that lists the Bat as supported under wine: http://www.von-thadden.de/Joachim/WineTools/wt211jo.html has anyone had any experience with this and gotten it to work? tia, vedaal Concerned about your privacy? 
Follow this link to get secure FREE email: http://www.hushmail.com/?l=2 Free, ultra-private instant messaging with Hush Messenger http://www.hushmail.com/services-messenger?l=434 Promote security and make money with the Hushmail Affiliate Program: http://www.hushmail.com/about-affiliate?l=427 From atom at smasher.org Wed Mar 2 01:49:32 2005 From: atom at smasher.org (Atom Smasher) Date: Wed Mar 2 01:44:49 2005 Subject: Create a Key using a script? In-Reply-To: <20050301144213.GA70821@mail07a.vwh1.net> References: <20050301144213.GA70821@mail07a.vwh1.net> Message-ID: <20050302004831.71838.qmail@smasher.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Tue, 1 Mar 2005, Michael Avila wrote: > Is there a way to create a key by passing a list of information to gpg? =============== attached is a shell script that you can modify for your own key preferences. SHA1 (gen-key-batch.gz) = 68b79122814f8d2d920c61e3d59bdff20687a0ae > What I am trying to do is make it easy for our customers to create a > key. I want to have a web form where they fill in the information, I > submit it to gpg, I save the key on a keyring, and let them know what to > do next. Is this possible? I have a Windows and a Linux platform from > which this can be done if that is important. ================== huh? you want to generate keys for people? why would they trust you? you could keep a copy of their secret key and cause trouble. - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "Why don't they get new jobs if they're unhappy, or go on Prozac?" -- Bush campaign employee Susan Sheybani, July 2004 responding to a question about job quality (Reuters, 29 July 2004) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? 
Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJCJQ2hAAoJEAx/d+cTpVciVSMIAKPkUulAExjwPTX+2pDQOIqN +QTB+cX8aw4ZbA93MC7yjU0ws88bFvEHXpNtniRoPiRm4qA6K070P1wM55qZ2oS8 OZWbX6Bfpaia0dBVJHUSMtUMMFEfE/GzYw1E9lXm/c2j27iCHBu/fabA49wPACHO jIz7ZvoDfrR/TMAHap2RbeaW9u2xqXFfCv5Lpyyso+370olozeV3jrMsQBzb8YRn eO1PIRJKbJo0YzEcMRgB81eetBawQxzcSHGDzTAeKeoeThBRqCbz5P9Duo2oiv8A et9pPYKjhyv4xIYJXK3NZTs0NiZ84hNqF0H42uDBQMqRaNJ/FmaBMje9Quyaf0g= =IUoF -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: gen-key-batch.gz Type: application/octet-stream Size: 425 bytes Desc: Url : /pipermail/attachments/20050301/dfff07b1/gen-key-batch.obj From pete at petesplace.id.au Wed Mar 2 11:43:09 2005 From: pete at petesplace.id.au (Peter Jones) Date: Wed Mar 2 13:56:54 2005 Subject: gnupg and the Bat // ? possible in linux under wine In-Reply-To: <200503012354.j21NsWEF089775@mailserver2.hushmail.com> References: <200503012354.j21NsWEF089775@mailserver2.hushmail.com> Message-ID: <200503022043.22778.pete@petesplace.id.au> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, 2 Mar 2005 09:54 am, vedaal@hush.com wrote: > have finally made the plunge into linux > (some neat bash commands that can be used with gnupg, > like 'cat' are just not available in windows ... ;-) FWIW, every Windows machine I use has cygwin installed upon it fairly swiftly. It may not quite be "linux", but since it gives me access to a bash prompt and most of the commands you'd expect to use there, it's the next best thing... ;-) [Although sometimes you have to be wary of cat doing nasty things to line endings...] Pete. 
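The "Create a Key using a script?" thread above points at the unattended key generation section of doc/DETAILS. The following Python is an added example, not code from the thread or from Atom's attached script: it builds such a parameter file from form-style input, refusing values that would add lines of their own to the line-oriented file, then runs gpg in batch mode and reads the result from --status-fd. It is written to run where the key owner controls the machine, which is the arrangement Atom's objection calls for; the DSA/ELG-E key settings, the gpg path and the temporary homedir are this example's assumptions.

```python
"""Unattended GnuPG key generation driven by form-style input.

Added example; it follows the batch parameter format documented in
GnuPG's doc/DETAILS ("Unattended key generation").  Key sizes, the gpg
path and the homedir handling are this example's own assumptions.
"""
import os
import re
import subprocess
import tempfile

# Fields a web form may supply (parameter names as documented in doc/DETAILS).
FORM_FIELDS = ("Name-Real", "Name-Comment", "Name-Email", "Passphrase", "Expire-Date")
# Algorithm parameters are fixed by the operator, never taken from the form.
FIXED_PARAMS = (("Key-Type", "DSA"), ("Key-Length", "1024"),
                ("Subkey-Type", "ELG-E"), ("Subkey-Length", "2048"))
EMAIL_RE = re.compile(r"^[^\s@<>]+@[^\s@<>]+\.[^\s@<>]+$")


def build_params(fields):
    """Return the text of a gpg batch parameter file built from `fields`.

    The file is line oriented: one "Key: value" per line, and lines that
    start with '%' are control directives such as %commit.  A form value
    containing a line break would therefore add lines of its own, so such
    values, and any field name outside FORM_FIELDS, are rejected.
    """
    unknown = set(fields) - set(FORM_FIELDS)
    if unknown:
        raise ValueError("unexpected field(s): %s" % ", ".join(sorted(unknown)))
    for required in ("Name-Real", "Name-Email"):
        if not fields.get(required):
            raise ValueError("%s is required" % required)
    lines = ["%echo Generating key"]
    lines += ["%s: %s" % (key, value) for key, value in FIXED_PARAMS]
    for key in FORM_FIELDS:
        if key not in fields:
            continue
        value = str(fields[key])
        if "\n" in value or "\r" in value:
            raise ValueError("line break in field %s" % key)
        if key == "Name-Email" and not EMAIL_RE.match(value):
            raise ValueError("malformed e-mail address")
        lines.append("%s: %s" % (key, value))
    lines += ["%commit", "%echo done"]
    return "\n".join(lines) + "\n"


def parse_key_created(status_output):
    """Return the fingerprint from a '[GNUPG:] KEY_CREATED <type> <fpr>' line, else None."""
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[:2] == ["[GNUPG:]", "KEY_CREATED"]:
            return parts[3]
    return None


def generate_key(params, homedir, gpg="gpg"):
    """Run 'gpg --batch --gen-key' on `params` inside `homedir`; return the fingerprint or None.

    --batch and --no-tty are needed because no terminal is attached;
    --status-fd 1 routes the machine-readable status lines to stdout.
    """
    os.makedirs(homedir, mode=0o700, exist_ok=True)
    with tempfile.NamedTemporaryFile("w", dir=homedir, suffix=".params", delete=False) as fh:
        fh.write(params)
        params_path = fh.name
    try:
        proc = subprocess.run(
            [gpg, "--batch", "--no-tty", "--homedir", homedir,
             "--status-fd", "1", "--gen-key", params_path],
            capture_output=True, text=True, check=False)
    finally:
        os.unlink(params_path)  # the file carries the passphrase in clear text
    return parse_key_created(proc.stdout)


if __name__ == "__main__":
    # Constructed sample input; in practice these values come from the form.
    sample = {"Name-Real": "Test User", "Name-Email": "test@example.com",
              "Passphrase": "correct horse battery staple", "Expire-Date": "1y"}
    text = build_params(sample)
    print(text)
    print("fingerprint:", generate_key(text, tempfile.mkdtemp(prefix="gnupg-")))
```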
From cdm2 at student.cs.ucc.ie Tue Mar 1 18:02:51 2005
From: cdm2 at student.cs.ucc.ie (Colm McCarthy)
Date: Wed Mar 2 15:37:11 2005
Subject: help needed
Message-ID: <42261FB8@webmail.ucc.ie>

Hi, I was just wondering if anyone could help me out; I'm pretty new to gpg and the rest. I have supplied the code that I'm using, which I want to encrypt a message and send it to my mail account. It will not encrypt for me and I can't figure out why; any help would be greatly appreciated. Thanks.

    Message Sent

    Your message was encrypted and sent.

    Thank you.";
        }
    }
    if($result!=0) {
        echo "
    Error:

    Your message could not be encrypted, so has not been sent.

    Sorry.";
    }
    ?>

From JPClizbe at comcast.net Wed Mar 2 15:50:22 2005
From: JPClizbe at comcast.net (John Clizbe)
Date: Wed Mar 2 15:46:59 2005
Subject: bzip2 cross-compiling problem
In-Reply-To: <4224BB51.3020400@myrealbox.com>
References: <4224BB51.3020400@myrealbox.com>
Message-ID: <4225D2AE.4060105@comcast.net>

Tenui wrote:
> Greetings,
>
> I posted this yesterday morning but it seems to have gone missing in
> cyber space, so let's try again.
>
> I have installed the Debian MinGW environment to cross-compile gpg for
> Windows. My first attempt, with 1.4.1rc2, seemed to compile without
> problems, but when transferred to a Windows box I found there was no
> bzip2 capability included.
>
> I am using Libra Net 2.8.1. I have the bzip2 and libbzip2 .deb packages
> installed, so what else could be missing, or is there some configuration
> option I must include in autogen.sh or configure.ac?

BZIP2 support isn't standard in Win32, so MinGW won't have an import library for it. Ditto ICONV and ZLIB. You can get the development library files in the -lib packages available at SourceForge's GnuWin32 project. You'll need the DLLs from the -bin archives to be installed on the Windows system along with your GnuPG binaries.

Since your User-Agent string is showing Mozilla on Windows 2000, why not build GnuPG directly on your windows platform and avoid the cross-compile issues? GnuPG configures and builds out-of-the-box under current MinGW/Msys distributions. The binaries and development packages (-bin & -lib) for bzip2, iconv and zlib are also needed from the GnuWin32 project at SourceForge. The MinGW site also has a GnuPG porting file with build script and handy patches. Building the GnuPG software from cvs requires a few more packages and a bit more tweaking.

You can write me offlist if you need a bit more assistance with this.

Regards.

-- 
John P. Clizbe                      Inet: John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO.
PGP/GPG KeyID: 0x608D2A10
"what's the key to success?" / "two words: good decisions."
"what's the key to good decisions?" / "one word: experience."
"how do i get experience?" / "two words: bad decisions."
"Just how do the residents of Haiku, Hawai'i hold conversations?"

From tina.messmann at xinux.de Wed Mar 2 14:41:34 2005
From: tina.messmann at xinux.de (Tina Messmann)
Date: Wed Mar 2 15:53:02 2005
Subject: geam compile problem
Message-ID: <4225C28E.1010802@xinux.de>

Hello List,

I try to compile geam 0.8.4 - with no success so far.
I tried it with pth-2.0.3 and pth-2.0.4.
I tried it with fedora core2 on x86_64 and with debian sarge on i686.
The error is always the same. These are the last lines when running make:

gcc -g -O2 -Wall -Wcast-align -Wshadow -Wstrict-prototypes -o simple-mta simple-mta.o rwbuf.o rfc821.o rfc822.o ../lib/libutil.a
rwbuf.o(.text+0x2f1): In function `rw_readline':
/usr/src/geam-0.8.4/src/rwbuf.c:234: undefined reference to `pth_event_status'
rwbuf.o(.text+0x2fd):/usr/src/geam-0.8.4/src/rwbuf.c:234: undefined reference to `pth_event_status'
collect2: ld returned 1 exit status
make[2]: *** [simple-mta] Fehler 1
make[2]: Leaving directory `/usr/src/geam-0.8.4/src'
make[1]: *** [all-recursive] Fehler 1
make[1]: Leaving directory `/usr/src/geam-0.8.4'
make: *** [all] Fehler 2

What am I missing?

regards
tina

From JPClizbe at comcast.net Wed Mar 2 15:56:35 2005
From: JPClizbe at comcast.net (John Clizbe)
Date: Wed Mar 2 15:53:15 2005
Subject: gnupg and the Bat // ? possible in linux under wine
In-Reply-To: <200503012354.j21NsWEF089775@mailserver2.hushmail.com>
References: <200503012354.j21NsWEF089775@mailserver2.hushmail.com>
Message-ID: <4225D423.8000707@comcast.net>

vedaal@hush.com wrote:
> have finally made the plunge into linux
> (some neat bash commands that can be used with gnupg,
> like 'cat' are just not available in windows ... ;-)

cat and posix shells like sh and bash are easily obtainable for Windows.

You should check out Cygwin; SourceForge's GnuWin32 project; MinGW's MSys environment, AT&T's UWIN, even Microsoft has an entry SFU: Services for Unix.

-- 
John P. Clizbe                      Inet: John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO.
PGP/GPG KeyID: 0x608D2A10
"what's the key to success?" / "two words: good decisions."
"what's the key to good decisions?" / "one word: experience."
"how do i get experience?" / "two words: bad decisions."
"Just how do the residents of Haiku, Hawai'i hold conversations?"

From brunij at earthlink.net Wed Mar 2 16:05:26 2005
From: brunij at earthlink.net (Joseph Bruni)
Date: Wed Mar 2 16:01:38 2005
Subject: help needed
In-Reply-To: <42261FB8@webmail.ucc.ie>
References: <42261FB8@webmail.ucc.ie>
Message-ID: <00c8c0cbb1834226d5186b9fa23b05e7@earthlink.net>

The ordering of options and commands is important:

    gpg --output $outfile --recipient cdm2@student.cs.ucc.ie --encrypt $infile

In this case --output and --recipient are options, --encrypt is the command.

Also, if this is to run unattended, you might want to add the --batch and --no-tty options as well.

On Mar 1, 2005, at 10:02 AM, Colm McCarthy wrote:
> $command = "usr/bin/gpg -e -r cdm2@student.cs.ucc.ie --encrypt -o
> $outfile

From vedaal at hush.com Wed Mar 2 16:25:35 2005
From: vedaal at hush.com (vedaal@hush.com)
Date: Wed Mar 2 16:21:43 2005
Subject: gnupg and the Bat // ? possible in linux under wine
Message-ID: <200503021525.j22FPcUo081485@mailserver2.hushmail.com>

>Message: 5
>Date: Wed, 2 Mar 2005 20:43:09 +1000
>From: Peter Jones
>FWIW, every Windows machine I use has cygwin installed upon it fairly
>swiftly. It may not quite be "linux", but since it gives me access to a
>bash prompt and most of the commands you'd expect to use there, it's the
>next best thing... ;-) [Although sometimes you have to be wary of cat
>doing nasty things to line endings...]

[...]

>Message: 9
>Date: Wed, 02 Mar 2005 08:56:35 -0600
>From: John Clizbe
>cat and posix shells like sh and bash are easily obtainable for Windows.
>
>You should check out Cygwin;

Thanks! Peter and John

vedaal

From tenui at myrealbox.com Wed Mar 2 16:48:08 2005
From: tenui at myrealbox.com (Tenui)
Date: Wed Mar 2 16:44:20 2005
Subject: bzip2 cross-compiling problem
In-Reply-To: <4225D2AE.4060105@comcast.net>
References: <4224BB51.3020400@myrealbox.com> <4225D2AE.4060105@comcast.net>
Message-ID: <4225E038.9010508@myrealbox.com>

John Clizbe wrote:
| BZIP2 support isn't standard in Win32, so MinGW won't have an import
| library for it. Ditto ICONV and ZLIB. You can get the development library
| files in the -lib packages available at SourceForge's GnuWin32 project.
| You'll need the DLLs from the -bin archives to be installed on the Windows
| system along with your GnuPG binaries.
|
| Since your User-Agent string is showing Mozilla on Windows 2000, why not
| build GnuPG directly on your windows platform and avoid the cross-compile
| issues?
|

Hi John,

Ever since the 1.3.x series started I have been native compiling my Windows versions, but since the change in the Linux cross-compiling environment it is much simpler to cross compile from Linux - except for this bzip2 issue.

The official Windows installer release has bzip2 capability....so how the heck does Werner do it?

Regards
Tenui

From JPClizbe at comcast.net Wed Mar 2 17:46:30 2005
From: JPClizbe at comcast.net (John Clizbe)
Date: Wed Mar 2 17:43:09 2005
Subject: bzip2 cross-compiling problem
In-Reply-To: <4225E038.9010508@myrealbox.com>
References: <4224BB51.3020400@myrealbox.com> <4225D2AE.4060105@comcast.net> <4225E038.9010508@myrealbox.com>
Message-ID: <4225EDE6.7080108@comcast.net>

Tenui wrote:
> Ever since the 1.3.x series started I have been native compiling my
> Windows versions, but since the change in the Linux cross-compiling
> environment it is much simpler to cross compile from Linux - except for
> this bzip2 issue.

'./configure && make' is pretty simple

> The official Windows installer release has bzip2 capability....so how
> the heck does Werner do it?

I can only guess how Werner is doing it. I've not asked him.

Downloading and building the bzip2 sources, then adding '--with-bzip2=' to configure was the way I used it to static link in the bzip2 code back before I switched over to the dll from the GnuWin32 folks. '--with-included-zlib' or '--with-zlib=' would do the same with the zlib code.

Regards.

Reply-To: XOR . Thank you.

-- 
John P. Clizbe                      Inet: John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO.
PGP/GPG KeyID: 0x608D2A10
"what's the key to success?" / "two words: good decisions."
"what's the key to good decisions?" / "one word: experience."
"how do i get experience?" / "two words: bad decisions."
"Just how do the residents of Haiku, Hawai'i hold conversations?"

From wk at gnupg.org Wed Mar 2 15:56:42 2005
From: wk at gnupg.org (Werner Koch) Date: Wed Mar 2 18:38:50 2005 Subject: bzip2 cross-compiling problem In-Reply-To: <4224BB51.3020400@myrealbox.com> (tenui@myrealbox.com's message of "Tue, 01 Mar 2005 08:58:25 -1000") References: <4224BB51.3020400@myrealbox.com> Message-ID: <87mztmdrkl.fsf@wheatstone.g10code.de> On Tue, 01 Mar 2005 08:58:25 -1000, Tenui said: > I have installed the Debian MinGW environment to cross-compile gpg for > Windows. My first attempt, with 1.4.1rc2, seemed to compile without > problems, but when transferred to a Windows box I found there was no > bzip2 capability included. I recall that I put a libbz2.a into /usr/i586-mingw32msvc/lib/. This has been build from a vanilla bzip2-1.0.2 using these changes: diff -u orig/bzip2-1.0.2/Makefile bzip2-1.0.2/Makefile --- orig/bzip2-1.0.2/Makefile 2002-01-26 00:34:53.000000000 +0100 +++ bzip2-1.0.2/Makefile 2004-11-03 14:10:45.000000000 +0100 @@ -2,9 +2,9 @@ SHELL=/bin/sh # To assist in cross-compiling -CC=gcc -AR=ar -RANLIB=ranlib +CC=i586-mingw32msvc-gcc +AR=i586-mingw32msvc-ar +RANLIB=i586-mingw32msvc-ranlib LDFLAGS= # Suitably paranoid flags to avoid bugs in gcc-2.7 diff -u orig/bzip2-1.0.2/bzlib.h bzip2-1.0.2/bzlib.h --- orig/bzip2-1.0.2/bzlib.h 2001-12-30 03:19:45.000000000 +0100 +++ bzip2-1.0.2/bzlib.h 2004-11-03 14:32:41.000000000 +0100 @@ -62,6 +62,7 @@ #ifndef _BZLIB_H #define _BZLIB_H + #ifdef __cplusplus extern "C" { #endif @@ -113,7 +114,7 @@ /* Need a definitition for FILE */ #include -#ifdef _WIN32 +#if defined( _WIN32 ) && 0 # include # ifdef small /* windows.h define small to char */ Shalom-Salam, Werner From wk at gnupg.org Wed Mar 2 15:45:25 2005 
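Review bot: the Makefile hunk hardcodes the i586-mingw32msvc- toolchain into CC, AR and RANLIB, so the patched tree can no longer be built natively with the same Makefile. A single prefix variable keeps both builds working and is overridable from the command line, e.g. `CROSS=i586-mingw32msvc-` / `CC=$(CROSS)gcc` / `AR=$(CROSS)ar` (and `RANLIB=$(CROSS)ranlib`), with `make CROSS=` for the native case.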
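Review bot: the first bzlib.h hunk (`@@ -62,6 +62,7 @@`) changes only whitespace, adding a blank line after `#define _BZLIB_H`; drop it so the patch carries just the functional change and keeps applying against other bzip2 releases.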
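Review bot: `#if defined( _WIN32 ) && 0` in the second bzlib.h hunk switches off the entire _WIN32 block (the Windows header include and the `small` workaround) with a bare `&& 0`, which reads as a leftover debugging switch and leaves no record of why a MinGW build should skip it. A named macro set by the cross build, for example `#if defined( _WIN32 ) && !defined( BZ_NO_WINDOWS_H )` (name suggested here, not from the patch), plus a one-line comment stating that the block is bypassed for the static MinGW library, would make the intent reviewable and the change reversible per build.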
From: wk at gnupg.org (Werner Koch)
Date: Wed Mar 2 18:39:04 2005
Subject: GPG scdaemon help
In-Reply-To: <4221910D.7030201@pre-secure.de> (Olaf Gellert's message of "Sun, 27 Feb 2005 10:21:17 +0100")
References: <4221910D.7030201@pre-secure.de>
Message-ID: <87r7iyds3e.fsf@wheatstone.g10code.de>

On Sun, 27 Feb 2005 10:21:17 +0100, Olaf Gellert said:
> USB-tokens (eg. Aladdin eToken Pro, Safenet iKey3000)
> which seem to work with OpenSC. Is there any FAQ
> or tutorial or helpful information on how to make
> this work with the smartcard daemon of GPG?

You need to compile gnupg with OpenSC support. This should happen automagically if the opensc development files are installed.

BUT: Due to the use of pthreads everywhere in OpenSC, some features of the scdaemon won't work. There is no way to solve it. The only reason we need OpenSC is due to its support for pkcs#15. However OpenSC has far too many features and only very few people need the ability to create pkcs#15 cards. I have started to write a pkcs#15 application for scdaemon but it is far from being finished - with that application there won't be any more need for OpenSC as that app-p16.c will take over all needed pkcs#15 parsing.

Without OpenSC support, scdaemon supports the applications: DINSIG, Telesec NKS and the OpenPGP card (since the current CVS version).

Salam-Shalom,

Werner

From james at jolt.co.uk Thu Mar 3 13:46:10 2005
From: james at jolt.co.uk (James Davis)
Date: Thu Mar 3 13:42:53 2005
Subject: gpg: Oops; keylost!
In-Reply-To: <20050222134652.GB31030@jabberwocky.com>
References: <421B14F9.3090704@jolt.co.uk> <20050222134652.GB31030@jabberwocky.com>
Message-ID: <42270712.5070102@jolt.co.uk>

David Shaw wrote:
> Can you send what GnuPG prints after that error? It indicates what
> happened.
>
> In general, though, your pubring.gpg is probably corrupt.

E:\gnupg>gpg.exe --list-keys
E:/gnupg\pubring.gpg
--------------------
gpg: Oops; key lost!
node 00051CD0 01/00 type=secret-key
node 00051DC0 00/00 type=user-id "James Davis (Security Manager) " ....
node 00051ED8 00/00 type=signature class=13 keyid=544DF19E ts=1108383008
node 00052190 00/00 type=secret-subkey
node 00054528 00/00 type=signature class=18 keyid=544DF19E ts=1108383009
pub   1024D/BC93CFBB 2005-02-14 James Davis (Jolt.co.uk Security Manager)
sub   1792g/D3795FEB 2005-02-14

pub   1024D/A02964CF 2005-02-21 Keith Hardy
sub   2048g/B1B3AD73 2005-02-21

E:\gnupg>

Any ideas?

James

From dshaw at jabberwocky.com Thu Mar 3 14:02:31 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Mar 3 13:59:18 2005
Subject: gpg: Oops; keylost!
In-Reply-To: <42270712.5070102@jolt.co.uk>
References: <421B14F9.3090704@jolt.co.uk> <20050222134652.GB31030@jabberwocky.com> <42270712.5070102@jolt.co.uk>
Message-ID: <20050303130231.GC30706@jabberwocky.com>

On Thu, Mar 03, 2005 at 12:46:10PM +0000, James Davis wrote:
> David Shaw wrote:
>
> > Can you send what GnuPG prints after that error? It indicates what
> > happened.
> >
> > In general, though, your pubring.gpg is probably corrupt.
>
> E:\gnupg>gpg.exe --list-keys
> E:/gnupg\pubring.gpg
> --------------------
> gpg: Oops; key lost!
> node 00051CD0 01/00 type=secret-key
> node 00051DC0 00/00 type=user-id "James Davis (Security Manager) " ....
> node 00051ED8 00/00 type=signature class=13 keyid=544DF19E ts=1108383008
> node 00052190 00/00 type=secret-subkey
> node 00054528 00/00 type=signature class=18 keyid=544DF19E ts=1108383009
> pub   1024D/BC93CFBB 2005-02-14 James Davis (Jolt.co.uk Security Manager)
> sub   1792g/D3795FEB 2005-02-14
>
> pub   1024D/A02964CF 2005-02-21 Keith Hardy
> sub   2048g/B1B3AD73 2005-02-21

Yep. You have a secret key in your public keyring. Note the first line after the "key lost" message.

David

From james at jolt.co.uk Thu Mar 3 14:14:45 2005
From: james at jolt.co.uk (James Davis)
Date: Thu Mar 3 14:10:51 2005
Subject: gpg: Oops; keylost!
In-Reply-To: <20050303130231.GC30706@jabberwocky.com>
References: <421B14F9.3090704@jolt.co.uk> <20050222134652.GB31030@jabberwocky.com> <42270712.5070102@jolt.co.uk> <20050303130231.GC30706@jabberwocky.com>
Message-ID: <42270DC5.9090307@jolt.co.uk>

David Shaw wrote:
> Yep. You have a secret key in your public keyring. Note the first
> line after the "key lost" message.

What should I do to delete it? Sorry I'm quite new to gnupg.

From dshaw at jabberwocky.com Thu Mar 3 14:40:09 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Mar 3 15:08:09 2005
Subject: gpg: Oops; keylost!
In-Reply-To: <42270DC5.9090307@jolt.co.uk>
References: <421B14F9.3090704@jolt.co.uk> <20050222134652.GB31030@jabberwocky.com> <42270712.5070102@jolt.co.uk> <20050303130231.GC30706@jabberwocky.com> <42270DC5.9090307@jolt.co.uk>
Message-ID: <20050303134009.GA4184@jabberwocky.com>

On Thu, Mar 03, 2005 at 01:14:45PM +0000, James Davis wrote:
> David Shaw wrote:
>
> > Yep. You have a secret key in your public keyring. Note the first
> > line after the "key lost" message.
>
> What should I do to delete it? Sorry I'm quite new to gnupg.

There are a number of ways to fix it, but before we try those, can you try this:

    gpg --no-default-keyring --keyring ./fixed-pubring.gpg --secret-keyring ./fixed-secring.gpg --import /path/to/your/broken/pubring.gpg

If that works, you should end up with two new files: fixed-pubring.gpg contains the public keys, and fixed-secring.gpg contains the secret keys. Then you can --import the fixed-secring.gpg file to put the secret key where it belongs, and replace your pubring.gpg with fixed-pubring.gpg to put the public keys where they belong.

David

From mike at retnet.net Thu Mar 3 16:45:45 2005
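The "Oops; key lost!" exchange above comes down to secret-key packets sitting in pubring.gpg. As an added example, not code from the thread, the following Python walks the OpenPGP packet headers of a keyring file and reports any secret-key or secret-subkey packet, which is the check worth running before a public keyring is copied anywhere or uploaded to a keyserver. Tag numbers and header encodings follow RFC 4880; the sample keyring bytes are constructed here and only their headers are meaningful.

```python
"""Find secret-key packets in an OpenPGP keyring (the cause of "Oops; key lost!").

Added example, not code from the thread.  Only packet headers are decoded;
bodies are skipped.  Tag numbers and header layouts follow RFC 4880
section 4.2 (headers) and 4.3 (tags).  SAMPLE_RING is constructed here.
"""
import sys

TAG_NAMES = {2: "signature", 5: "secret-key", 6: "public-key",
             7: "secret-subkey", 13: "user-id", 14: "public-subkey"}
SECRET_TAGS = (5, 7)


def parse_packets(data):
    """Return [(tag, header_offset, body_length), ...] for the packets in `data`.

    Old-format headers (0x80 set, 0x40 clear) carry the tag in bits 2-5 and
    a 1-, 2- or 4-byte length chosen by the low two bits; new-format headers
    (0x40 set) carry the tag in the low six bits followed by a 1-, 2- or
    5-byte length.  Partial body lengths and the old "indeterminate" length
    do not occur in keyrings and are rejected.
    """
    packets = []
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("not a packet header at offset %d" % pos)
        if ctb & 0x40:                              # new format
            tag = ctb & 0x3F
            first = data[pos + 1]
            if first < 192:
                length, hdr_len = first, 2
            elif first < 224:
                length = ((first - 192) << 8) + data[pos + 2] + 192
                hdr_len = 3
            elif first == 255:
                length = int.from_bytes(data[pos + 2:pos + 6], "big")
                hdr_len = 6
            else:
                raise ValueError("partial body length at offset %d" % pos)
        else:                                       # old format
            tag = (ctb >> 2) & 0x0F
            length_type = ctb & 0x03
            if length_type == 3:
                raise ValueError("indeterminate length at offset %d" % pos)
            size = (1, 2, 4)[length_type]
            length = int.from_bytes(data[pos + 1:pos + 1 + size], "big")
            hdr_len = 1 + size
        if pos + hdr_len + length > len(data):
            raise ValueError("truncated packet at offset %d" % pos)
        packets.append((tag, pos, length))
        pos += hdr_len + length
    return packets


def find_secret_packets(data):
    """Return [(tag_name, offset), ...] for every secret-key/secret-subkey packet."""
    return [(TAG_NAMES[tag], off) for tag, off, _ in parse_packets(data)
            if tag in SECRET_TAGS]


def old_header(tag, body):
    """Encode `body` as an old-format packet with a 1-byte length (sample data helper)."""
    return bytes([0x80 | (tag << 2), len(body)]) + body


# Constructed keyring: a public key with user id and self-signature, then a
# secret key and secret subkey that do not belong in pubring.gpg, then a
# public subkey with a 2-byte old-format length.  Bodies are placeholders.
SAMPLE_RING = (
    old_header(6, b"\x04" + b"\x42\x0f\x50\x00" + b"\x11" + b"\x00" * 4)  # public-key, offset 0
    + old_header(13, b"James Davis")                                        # user-id, offset 12
    + bytes([0xC2, 0x03]) + b"\x04\x13\x11"                                 # signature (new format), offset 25
    + old_header(5, b"\x04" + b"\x00" * 5)                                  # secret-key, offset 30
    + old_header(7, b"\x04\x10")                                            # secret-subkey, offset 38
    + bytes([0x80 | (14 << 2) | 1, 0x00, 0x05]) + b"\x04" + b"\x00" * 4    # public-subkey, offset 42
)


def main(path):
    """Print every secret packet found in the keyring at `path`; exit status 1 if any."""
    with open(path, "rb") as fh:
        found = find_secret_packets(fh.read())
    for name, off in found:
        print("%s packet at offset %d" % (name, off))
    return 1 if found else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1]))
    print(find_secret_packets(SAMPLE_RING))
```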
From: mike at retnet.net (Michael Avila)
Date: Thu Mar 3 16:41:58 2005
Subject: PHP Script to Send Key to Keyserver
Message-ID: <20050303104546.GA69639@mail07b.vwh1.net>

Thanks to a couple of people here, I now have an HTML and PHP script interface to create a key. I was looking at installing my own keyserver but have decided that sending the key to a public keyserver would be better for many reasons. Now I am trying to find a PHP script that will send the key to www.keyserver.net and/or wwwkeys.pgp.net. Does anyone know of an existing PHP script that I could modify to meet the needs of this company?

I appreciate any help, suggestions, comments on sending a key to a keyserver.

Again thanks for past help and for assistance with this phase of making a digital signature accessible.

Mike

From cwsiv at keepandbeararms.com Thu Mar 3 05:51:06 2005
From: cwsiv at keepandbeararms.com (Carl William Spitzer IV)
Date: Thu Mar 3 17:24:14 2005
Subject: GPG for windows
In-Reply-To: <20050225205726.GA6482@dantooine>
References: <1109325968.4002.24.camel@localhost.localdomain> <421F61A9.5030104@comcast.net> <562501.20050225110139@calarts.edu> <421F861A.7070405@comcast.net> <20050225205726.GA6482@dantooine>
Message-ID: <1109716045.5499.34.camel@linux.site>

On Fri, 2005-02-25 at 12:57, markus reichelt wrote:
> David Calvarese wrote:
> > > Indeed it does. Full integration with either GnuPG or PGP, including
> > > PGP/MIME with both. The integrated support for both is built in, so
> > > there's no need for third party plug-ins.
> >
> > One Caveat, The Bat! has a few quirks and things that need fixed with
> > its GnuPG support that work right when using PGP. They're bad enough
> > that I'm now using Thunderbird with Enigmail for email.
>
> well, tried out the bat! first, then enigmail... now I'm using
> mutt... guess why :-)
>
> now if only Opera would support GnuPG... *sigh*

Don't worry about Opera, just use a good stand alone shell for gnupg. I use both kgpg and Seahorse in *nix. GNU.org has several links to front ends for gnupg.

-- 
o _______________________________ o _____ | CWSIV@KeepAndBearArms.com | .][__n_n_|DD[ ====_____ | M A R K L I N T R A I N S | > (________|__|_[_________]_|___________________________| _/oo OOOOO oo` ooo ooo 'o!o!o o!o!o`

From DBSMITH at OhioHealth.com Thu Mar 3 18:10:35 2005
From: DBSMITH at OhioHealth.com (DBSMITH@OhioHealth.com)
Date: Thu Mar 3 18:06:46 2005
Subject: question on multiple public keys
In-Reply-To:
Message-ID:

I see the group function but how do I define a group ID with multiple keys as values?

Derek B. Smith
OhioHealth IT
UNIX / TSM / EDM Teams

Joseph Bruni, 02/22/2005 08:41 PM
To: DBSMITH@OhioHealth.com
cc: gnupg-users@gnupg.org
Subject: Re: question on multiple public keys

Another solution would be to make sure that you encrypt the file to all the users who should be able to decrypt that file. You can have multiple "--recipient" entries on the command line. Check out the "group" functions as well to simplify this process.

-Joe

On Feb 22, 2005, at 8:19 AM, DBSMITH@OhioHealth.com wrote:
> All
>
> Is there a way that we can add a second key to my file for gpg
> encryption? Our DBA in the Import Team needs to have this done so that
> he can open our file as well. When this person is out of the office, no
> one else is able to access your file unless they can access his
> computer. We would like to add another user to the keyring so that he
> can access your data as well.
>
> please advise!
>
> THANK YOU,

From DBSMITH at OhioHealth.com Thu Mar 3 18:28:09 2005
From: DBSMITH at OhioHealth.com (DBSMITH@OhioHealth.com)
Date: Thu Mar 3 18:24:24 2005
Subject: question on multiple public keys
In-Reply-To:
Message-ID:

I tried

    gpg --group hs=`echo ${foo[0]} ${foo[1]} `

foo0 and foo1 are elements of my array and contain two different key values with a space in between. When I run this it states

    gpg: cannot open 1111111

1111111 is the second key.

I then tried

    hs="XXXXXX YYYYY"
    gpg --group hs=$hs

with the same error.

please help!

From james at jolt.co.uk Thu Mar 3 18:38:26 2005
From: james at jolt.co.uk (James Davis)
Date: Thu Mar 3 18:34:41 2005
Subject: gpg: Oops; keylost!
In-Reply-To: <20050303134009.GA4184@jabberwocky.com>
References: <421B14F9.3090704@jolt.co.uk> <20050222134652.GB31030@jabberwocky.com> <42270712.5070102@jolt.co.uk> <20050303130231.GC30706@jabberwocky.com> <42270DC5.9090307@jolt.co.uk> <20050303134009.GA4184@jabberwocky.com>
Message-ID: <42274B92.60809@jolt.co.uk>

David Shaw wrote:

> There are a number of ways to fix it, but before we try those, can you
> try this:

Thank you very much, that worked perfectly.

James
From: DBSMITH at OhioHealth.com (DBSMITH@OhioHealth.com)
Date: Thu Mar 3 19:39:45 2005
Subject: group options
In-Reply-To: <200310131935.28619.linux@codehelp.co.uk>
Message-ID:

> I use PGP to encrypt data for sending to various end users by
> encrypting files using their public key they have provided. To make
> it possible for me to associate their key with a meaningful user_id,
> I use the PGP --group-add option to create a group name containing
> a meaningful user_id and then add their public key to the group.
> Now, I can call --encrypt with the meaningful user_id, instead of
> having to use the actual key id. I'm looking for a similar "alias"
> functionality in GPG but I can't find anything that works quite like
> that. The adduid command requires that I have the private key also
> that goes with the public key I want to associate with a meaningful
> user_id.
>
> Does anyone know of a solution that is part of the GPG
> functionality?

Yes, there is a --group command. Stick in your gpg.conf file:

group name_you_want_to_use = keyid1 keyid2 keyid3 keyid4

David

I tried this and the error I am getting is:

gpg: no = sign found in group definition "HlthStream"

my conf file is

group HlthStream = keyid1 keyid2
no-tty
no-secmem-warning
no-mdc-warning

Any ideas?

thank you,

Derek B. Smith
OhioHealth IT
UNIX / TSM / EDM Teams
614-566-4145

Neil Williams, 10/13/2003 02:35 PM
Sent by: gnupg-users-bounces@gnupg.org
To: "GnuPG Users"
cc:
Subject: Re: non root users

On Monday 13 Oct 2003 6:45 pm, DBSMITH@OhioHealth.com wrote:
> All,
>
> I am running version 1.2.1 and I want to allow non-root users to be able
> to list the keys and encrypt for support issues. In my options file I
> have stated
> - -no-secmem-warning, but as a test user I still receive that messages
> about the memory.
> When I run gpg --list-keys as a test user I get nothing back...??? I

Missed the --homedir option? gpg will create an empty .gnupg/ directory in the home directory of that test user.

As the test user, do:

$ cd ~
$ ls -a

Probably an easier way is to import the keyring into the .gnupg folder, that'll allow you to set options in the conf file (which is also reset per user).

The warning about secmem should be solvable - I'm sure others here will help with that but you would be best providing more information on exactly how you have used chmod.

If the keyring is < 500 keys, it's not a problem to have duplicate keyrings - one for each user. You can either add the --refresh-keys to the lexicon used by ordinary users or leave the keyrings alone if the keys don't change often.

It's not usual for everyone to need the same keys, that's why GnuPG runs with a lot of configuration and all keyrings dictated by that user alone. There's not much for root to do, once installation is complete.

--
Neil Williams
=============
http://www.codehelp.co.uk/
http://www.dclug.org.uk/
http://www.isbn.org.uk/
http://sourceforge.net/projects/isbnsearch/
http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3

(See attached file: att7ouei.dat)

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
From: admin at buddhalinux.org (Thomas Jones)
Date: Thu Mar 3 20:52:39 2005
Subject: group options
In-Reply-To:
References:
Message-ID: <200503031324.34498.admin@buddhalinux.org>

On Thursday 03 March 2005 12:43 pm, DBSMITH@OhioHealth.com wrote:
>
> Yes, there is a --group command. Stick in your gpg.conf file:
>
> group name_you_want_to_use = keyid1 keyid2 keyid3 keyid4
>
> David
>
>
>
> I tried this and the error I am getting is:
>
> gpg: no = sign found in group definition "HlthStream"
>
>
> my conf file is
>
> group HlthStream = keyid1 keyid2
> no-tty
> no-secmem-warning
> no-mdc-warning
>
> Any ideas?
>
> thank you,
>
> Derek B. Smith
> OhioHealth IT
> UNIX / TSM / EDM Teams
> 614-566-4145

GPG seems to be reading your group value(s) not as expected. Referencing the source file g10.c:

name=strsep(&string,"=");
if(string==NULL)
  {
    log_error(_("no = sign found in group definition \"%s\"\n"),name);
    return;
  }

The strsep function is attempting to access the token(value) in the &string variable. The first token is separated from the group name via the equals sign. Try to concatenate the name declaration, separation character(=), and value list.

I've never tried, but you may need to quote the arguments(group value list) to keep it from being expanded unexpectedly in the configuration file. I know that passing the group command to bash requires quotes on my system. See if that has a desired effect.

Thomas
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Mar 3 21:08:04 2005
Subject: group options
In-Reply-To:
References: <200310131935.28619.linux@codehelp.co.uk>
Message-ID: <20050303201114.GA4281@jabberwocky.com>

On Thu, Mar 03, 2005 at 01:43:38PM -0500, DBSMITH@OhioHealth.com wrote:
> > I use PGP to encrypt data for sending to various end users by
> > encrypting files using their public key they have provided. To make
> > it possible for me to associate their key with a meaningful user_id,
> > I use the PGP --group-add option to create a group name containing
> > a meaningful user_id and then add their public key to the group.
> > Now, I can call --encrypt with the meaningful user_id, instead of
> > having to use the actual key id. I'm looking for a similar "alias"
> > functionality in GPG but I can't find anything that works quite like
> > that. The adduid command requires that I have the private key also
> > that goes with the public key I want to associate with a meaningful
> > user_id.
> >
> > Does anyone know of a solution that is part of the GPG
> > functionality?
>
> Yes, there is a --group command. Stick in your gpg.conf file:
>
> group name_you_want_to_use = keyid1 keyid2 keyid3 keyid4
>
> David
>
>
>
> I tried this and the error I am getting is:
>
> gpg: no = sign found in group definition "HlthStream"
>
>
> my conf file is
>
> group HlthStream = keyid1 keyid2
> no-tty
> no-secmem-warning
> no-mdc-warning

I tried this using your conf file with both 1.4.0, and 1.2.8. It works fine for me.

David
From: DBSMITH at OhioHealth.com (DBSMITH@OhioHealth.com)
Date: Thu Mar 3 21:20:10 2005
Subject: group options
In-Reply-To: <20050303201114.GA4281@jabberwocky.com>
Message-ID:

Well maybe it is a version issue then b/c I am running 1.2.1 on AIX 5.2. What is the latest for AIX 5.2 and do I need to just replace the binary with a newer one for an upgrade, or recompile everything all over again?

Derek B. Smith
OhioHealth IT
UNIX / TSM / EDM Teams

From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Mar 3 21:26:07 2005
Subject: group options
In-Reply-To:
References: <20050303201114.GA4281@jabberwocky.com>
Message-ID: <20050303202916.GB4281@jabberwocky.com>

On Thu, Mar 03, 2005 at 03:23:57PM -0500, DBSMITH@OhioHealth.com wrote:
> Well maybe it is a version issue then b/c I am running 1.2.1 on AIX 5.2.
> What is the latest for AIX 5.2 and do I need to just replace the binary
> with a newer one for an upgrade, or recompile everything all over again?

The latest for AIX should be the same as the latest for any Unix-ish machine: 1.2.7 or 1.4.0. You should be able to drop in the binary without affecting anything.

David
From: DBSMITH at OhioHealth.com (DBSMITH@OhioHealth.com)
Date: Thu Mar 3 21:28:21 2005
Subject: group options
In-Reply-To: <20050303201114.GA4281@jabberwocky.com>
Message-ID:

ok so in my conf file I have as below

> group HlthStream = keyid1 keyid2
> no-tty
> no-secmem-warning
> no-mdc-warning

then my command is :

gpg -e -t -a -d "my key" - - group HlthStream "filetoencrypt"

Is there something else I am doing wrong?

Derek B. Smith
OhioHealth IT
UNIX / TSM / EDM Teams

From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Mar 3 21:40:23 2005
Subject: group options
In-Reply-To:
References: <20050303201114.GA4281@jabberwocky.com>
Message-ID: <20050303204344.GC4281@jabberwocky.com>

On Thu, Mar 03, 2005 at 03:32:15PM -0500, DBSMITH@OhioHealth.com wrote:
> ok so in my conf file I have as below
>
> > group HlthStream = keyid1 keyid2
> > no-tty
> > no-secmem-warning
> > no-mdc-warning
>
> then my command is : gpg -e -t -a -d "my key" - - group HlthStream
> "filetoencrypt"
>
> Is there something else I am doing wrong?

Yes. That command doesn't mean anything. The options mean, in order, encrypt, textmode, ascii armor, decrypt. You have to pick either encrypt or decrypt as doing both would result in nothing happening. Also, --group doesn't go on the command line. You use the group name as a recipient (-r HlthStream).

David
From: DBSMITH at OhioHealth.com (DBSMITH@OhioHealth.com)
Date: Thu Mar 3 21:51:28 2005
Subject: group options
In-Reply-To: <20050303204344.GC4281@jabberwocky.com>
Message-ID:

I meant --default-key NOT -d ... sorry!

-r HlthStream! got it, I will try!

Derek B. Smith
OhioHealth IT
UNIX / TSM / EDM Teams
From: admin at buddhalinux.org (Thomas Jones)
Date: Thu Mar 3 22:28:33 2005
Subject: group options
In-Reply-To: <20050303204344.GC4281@jabberwocky.com>
References: <20050303201114.GA4281@jabberwocky.com> <20050303204344.GC4281@jabberwocky.com>
Message-ID: <200503031538.15898.admin@buddhalinux.org>

On Thursday 03 March 2005 02:43 pm, David Shaw wrote:
>
> Yes. That command doesn't mean anything. The options mean, in order,
> encrypt, textmode, ascii armor, decrypt. You have to pick either
> encrypt or decrypt as doing both would result in nothing happening.
> Also, --group doesn't go on the command line. You use the group name
> as a recipient (-r HlthStream).
>
> David
>

Actually the group argument can go on the command-line. I've used it in various custom scripts on my systems. i.e.

gpg -e -a --group TestGroup="0x57BF9042 0x515FAF83" -r TestGroup test_file.txt

or in a script

gpg -e -a --group ${GroupName}="${GroupList}" -r ${GroupName} test_file.txt

This way the recipient group can be appended as needed throughout the script. And can then be expanded into the execution sequence.

Thomas
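The quoting problem that runs through this thread (the unquoted `--group hs=$hs` attempt, the `strsep(&string,"=")` check Thomas quoted from g10.c, David's `-r GroupName` usage and Thomas's quoted `--group TestGroup="..."` form) can be seen without touching a keyring by modelling the two steps involved: how the shell splits the line into words, and how a gpg-style option walk then reads those words. The script below is an added illustration written for this archive, not GnuPG code: `expand_and_split` approximates POSIX word splitting with Python's `shlex`, `parse_group_definition` mirrors only the quoted `=` check and the whitespace split that follows it, and the key ids, group names and file names are either the ones posted in the thread or constructed stand-ins.

```python
"""Model of how a --group definition reaches gpg, to show the effect of
shell quoting on the value list. Added illustration; not GnuPG code."""
import shlex
from dataclasses import dataclass, field


def parse_group_definition(text):
    """Mirror the strsep(&string, "=") step quoted from g10.c: the group
    name is everything before the first '=', the key ids are the
    whitespace-separated tokens after it. Works for a gpg.conf line value
    ("HlthStream = keyid1 keyid2") and for a --group argument alike."""
    if "=" not in text:
        # Same condition as `if(string==NULL)` in the quoted C source.
        raise ValueError('no = sign found in group definition "%s"' % text)
    name, values = text.split("=", 1)
    return name.strip(), values.split()


@dataclass
class Invocation:
    """What a gpg-style option walk would extract from argv."""
    groups: dict = field(default_factory=dict)
    recipients: list = field(default_factory=list)
    files: list = field(default_factory=list)


def expand_and_split(command_line, env):
    """Substitute $VAR / ${VAR} textually, then apply POSIX word splitting
    with shlex. This simplifies what bash does (no command substitution,
    no globbing) but reproduces the point at issue: an expansion outside
    double quotes is split on whitespace, one inside double quotes stays
    a single word."""
    for var, value in env.items():
        command_line = command_line.replace("${%s}" % var, value)
        command_line = command_line.replace("$" + var, value)
    return shlex.split(command_line)


def model_invocation(command_line, env=None):
    """Walk argv the way a simple option parser would (hypothetical model)."""
    argv = expand_and_split(command_line, env or {})
    inv = Invocation()
    i = 1  # argv[0] is the program name
    while i < len(argv):
        tok = argv[i]
        if tok == "--group":
            name, keys = parse_group_definition(argv[i + 1])
            inv.groups.setdefault(name, []).extend(keys)
            i += 2
        elif tok in ("-r", "--recipient"):
            inv.recipients.append(argv[i + 1])
            i += 2
        elif tok.startswith("-"):
            i += 1  # -e, -a, -t ...: flags without an argument in this model
        else:
            inv.files.append(tok)  # anything else is taken as a file name
            i += 1
    return inv


def resolve_recipients(inv):
    """A recipient that names a group expands to that group's key ids
    (the -r GroupName usage from the thread); other names pass through."""
    resolved = []
    for r in inv.recipients:
        resolved.extend(inv.groups.get(r, [r]))
    return resolved


if __name__ == "__main__":
    env = {"hs": "XXXXXX YYYYY"}  # constructed stand-in for the two key ids
    for line in ("gpg -e --group hs=$hs -r hs file.txt",
                 'gpg -e --group "hs=$hs" -r hs file.txt'):
        inv = model_invocation(line, env)
        print(line, "->", "groups", inv.groups, "files", inv.files,
              "recipients", resolve_recipients(inv))
```

Run stand-alone, the unquoted line yields a group with only the first key id and `YYYYY` in the file list (the shape of the "gpg: cannot open" error in the question), while the quoted line yields both key ids for `-r hs`; the second key silently dropping out of the recipient list is the part worth a check in any script that builds recipient groups from variables.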
From: torduninja at mail.pf (Maxine Brandt)
Date: Fri Mar 4 00:26:17 2005
Subject: bzip2 cross-compiling problem
Message-ID: <42279CEC.3070802@mail.pf>

Tenui wrote:
>
> Ever since the 1.3.x series started I have been native compiling my
> Windows versions, but since the change in the Linux cross-compiling
> environment it is much simpler to cross compile from Linux - except for
> this bzip2 issue.
>
> The official Windows installer release has bzip2 capability....so how
> the heck does Werner do it?

An alternative to Werner's suggestion which avoids rebuilding bzip2 is to use the bzip2-1.0.2-3-bin.zip and bzip2-1.0.2-3-lib.zip files that you used for MinGW on Windows. Decompress them in the /usr/i586-mingw32msvc folder, then run autogen.sh

This will give you bzip2 capability via a bzip2.dll as in a native Windows build.

Salut
Maxine
--
PGP/GPG keys: http://www.torduninja.tk
From: vedaal at hush.com (vedaal@hush.com)
Date: Fri Mar 4 00:41:09 2005
Subject: construction of mutually clearsigned contracts // can't get it to work ;-(((
Message-ID: <200503032345.j23Nj6Ea060389@mailserver3.hushmail.com>

a few months ago, on alt.security.pgp, David Shaw came up with a really innovative way to combine signatures of a text that was separately clearsigned by different people at different times, and reconstruct it into one clearsigned text with the combined signatures, verifiable for each signer

http://groups-beta.google.com/group/alt.security.pgp/msg/feb71cd229eb0f9b?dmode=source

the OP in the thread confirmed that it worked

i have been trying the same steps in cygwin with gnupg 1.4 but can't get it to work ;-(

specifically, it breaks down at this step:

cat file1.temp file2.temp | gpg --output files.joined --enarmor

cygwin just does the cat part, but not the gnupg part

is the 'pipe' a problem in cygwin that requires a different syntax than the line above, or can the reconstruction be done only in linux/*nix ?

tia,

vedaal
From: jharris at widomaker.com (Jason Harris)
Date: Fri Mar 4 01:08:26 2005
Subject: PHP Script to Send Key to Keyserver
In-Reply-To: <20050303104546.GA69639@mail07b.vwh1.net>
References: <20050303104546.GA69639@mail07b.vwh1.net>
Message-ID: <20050304001214.GG5390@wilma.widomaker.com>

On Thu, Mar 03, 2005 at 10:45:45AM -0500, Michael Avila wrote:
> Thanks to a couple of people here, I now have an HTML and PHP script interface
> to create a key. I was looking at installing my own keyserver but have decided
> that sending the key to a public keyserver would be better for many reasons.
> Now I am trying to find a PHP script that will send the key to
> www.keyserver.net and/or wwwkeys.pgp.net. Does anyone know of an existing PHP
> script that I could modify to meet the needs of this company? I appreciate any
> help, suggestions, comments on sending a key to a keyserver.

I recommend emailing them to two or more keyservers. Email is queued and will work even if a particular keyserver is unreachable via HKP at the exact moment you try to submit a key to it.

If you want confirmation of the add, use a subject of "ADD" and email the key to one or more pks servers. If you don't want confirmation, use a subject of "INCREMENTAL" and email the key to one or more pks/onak/OpenPKSD/SKS servers.

To start, email ASCII-armored keyblocks to pgp-public-keys AT keyserver.kjsl.com with a subject of ADD and a From: address that will reach you. Then, ask for permission to email other keyservers (and their sync. addresses) on the pgp-keyserver-folk mailing list:

http://lists.kjsl.com/pipermail/pgp-keyserver-folk/ (backup list)
http://lists.alt.org/pipermail/pgp-keyserver-folk/ (currently broken)

NB: By emailing keys, you can also make them available on keyserver.net:

http://keyserver.veridis.com:11371/nosubmit.jsp
http://www.keyserver.net/

--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004

From: RAlfonso at fin-tec.com (Rick Alfonso)
Date: Fri Mar 4 11:04:06 2005
Subject: Install and setup GPG on Windows Server 2003
Message-ID: <200503021435.AA3145780@fin-tec.com>

To whom it may concern;

We are attempting to setup GnuPG version 1.4.0a on a windows platform and have downloaded what we think is the correct file for this:

gnupg-w32cli-1.4.0a.zip

After reading several readme files I'm not sure how we make the files and/or how to install and setup.

Could you please give exact instructions to complete this task and how to generate our key to pass along to our vendor who has given us their key?

Is there any third party packages for Windows that emulate all of the GPG features we need?

Thank you in advance,
Rick
From: d1v2m76 at telusplanet.net (DVM)
Date: Fri Mar 4 11:04:09 2005
Subject: (no subject)
Message-ID: <4227C19F.1080104@telusplanet.net>

Here are your instructions for the two sections where I feel the install has gone wrong.

Installation on Windows NT/2000/XP

1. Modify the Path

In order for GnuPG to work correctly, the GnuPG installation directory must be in your PATH.

* To modify the path, Click on Start --> Control Panel --> System --> Advanced --> Environment Variables
* Highlight the Path variable under System variables, and click Edit.

>>>There is no path in the entry list?? Do I have to create a path and then enter the information below, or should there be a path already listed in the list??<<<

* Add ;C:\Program Files\GnuPG to the end of the Path.

Finishing the installation

GnuPG Configuration

* You need to create the GnuPG configuration file to control how you wish GnuPG to work. Go to your "HomeDir"??? >>>Would this be the Home directory in the Documentsandsettings folder or the home install directory??<<< and create a new text file called gpg.conf

My questions are surrounded with the ">>> <<<"; any help will be welcome.

Thank you from DVM

Ps This is my first time
From: mike at retnet.net (Michael Avila)
Date: Fri Mar 4 16:36:33 2005
Subject: Return Codes
Message-ID: <20050304104019.GA67643@mail07a.vwh1.net>

When I execute from a PHP script

$output_array = array();
unset($output_array);
$returncode = 100;
// exec() declares its second and third parameters by reference, so the
// call-time "&" is not needed (and is rejected by later PHP versions).
$output = exec("E:\\newfromrn_dev\\pgp\\gpg.exe ".$parms, $output_array, $returncode);

The return code is 2. Is there a place to find what that rc is equal to? The output_array is empty as well as $output. Any suggestions where I am going wrong?

When I execute from the command line

R:\newfromrn_dev\pgp>gpg --batch --options .\gpg.conf --gen-key mike@retnet.net
gpg: Key data being read.
gpg: Your Name is MichaelAvila
gpg: Your EMail Address is mike@retnet.net
gpg: Key data reading completed.
gpg: Key Generation starting.
gpg: writing public key to `mike@retnet.net.pub'
gpg: writing secret key to `mike@retnet.net.sec'
++++++++++.++++++++++..++++++++++.++++++++++.++++++++++++++++++++++++++++++.++
++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++...>+++++......++
++
+
gpg: writing self signature
gpg: DSA/SHA1 signature from: "311B49EC [?]"
gpg: writing self signature
gpg: DSA/SHA1 signature from: "311B49EC [?]"
.++++++++++++++++++++.+++++++++++++++.+++++++++++++++++++++++++.++++++++++++++
++
++++++++++++++++++++++++.++++++++++++++++++++.+++++++++++++++^^^^
gpg: writing key binding signature
gpg: DSA/SHA1 signature from: "311B49EC [?]"
gpg: writing key binding signature
gpg: DSA/SHA1 signature from: "311B49EC [?]"

It works!

All help, suggestions, comments are appreciated.

Thanks.

Mike
From: JPClizbe at comcast.net (John Clizbe)
Date: Fri Mar 4 17:52:41 2005
Subject: Install and setup GPG on Windows Server 2003
In-Reply-To: <200503021435.AA3145780@fin-tec.com>
References: <200503021435.AA3145780@fin-tec.com>
Message-ID: <42289156.3020506@comcast.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rick Alfonso wrote:
> To whom it may concern;

Ask not for whom the cell phone rings. It rings for thee.

> We are attempting to setup GnuPG version 1.4.0a on a windows platform and have downloaded what we think is the correct file for this:
>
> gnupg-w32cli-1.4.0a.zip

The 1.4.1rc2 installer may be a bit easier. And have more minor issues fixed.

> After reading several readme files I'm not sure how we make the files and/or how to install and setup.

Check the install and configure page we wrote for our windows-based Mozilla & Thunderbird users: http://enigmail.mozdev.org/gpgconf.html

> Could you please give exact instructions to complete this task and how to generate our key to pass along to our vendor who has given us their key?

1) Open a CMD window. Enter the command 'gpg --gen-key'. Answer each question. Accept defaults where offered.

C:\WINNT>gpg --gen-key
gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (3) DSA (set your own capabilities)
   (5) RSA (sign only)
   (7) RSA (set your own capabilities)
Your selection?                      <----- the default is fine
DSA keypair will have 1024 bits.
ELG-E keys may be between 512 and 4096 bits long.
What keysize do you want? (2048)     <----- the default is fine
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)                <----- the default works. Pick an apropos value for your company
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) "

Real name:                           <----- Your group or company name
Email address: some.email.address@fin-tec.com
Comment:                             <----- Enter an useful comment describing the key
You selected this USER-ID:
    "Your group or company name (useful comment describing the key) "

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O   <-- O(kay)
You need a Passphrase to protect your secret key.

Enter passphrase:                    <--- Enter passphrase twice here. It is possible to create a key with no passphrase.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
..+++++++++++++++.++++++++++.+++++.++++++++++.+++++..+++++++++++++++++++
++++++.++++++++++++++++++++++++++++++.+++++++++++++++++++++++++.+++++..+
++++>+++++..............................................................
............................+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
++++++++++.++++++++++.+++++...++++++++++++++++++++++++++++++.+++++++++++
++++.++++++++++..++++++++++..++++++++++.+++++.++++++++++++++++++++++++++
+++++++++.+++++>.++++++++++>..+++++..>.+++++............................
........................................................................
........................+++++^^^
gpg: key 9EDE1AFA marked as ultimately trusted
public and secret key created and signed.

pub   1024D/9EDE1AFA 2005-03-04
      Key fingerprint = F410 9BEE 477A 4B5E BE7E FA84 22EE 11FC 9EDE 1AFA
uid                  Your group or company name (useful comment describing the key)
sub   2048g/00B7F0F7 2005-03-04

C:\WINNT>gpg --armor --export 0x9EDE1AFA > key_to_send_vendor.asc
                                ^^^^^^^^ from end of key generation output above

2) Attach key_to_send_vendor.asc to an email to vendor and send.

> Is there any third party packages for Windows that emulate all of the GPG features we need?

No. PGP would come close but lacks features of GnuPG. You may wish to look at GPGshell as a GUI frontend to GnuPG.

- --
John P. Clizbe                   Inet: John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10
"what's the key to success?"        / "two words: good decisions."
"what's the key to good decisions?" /  "one word: experience."
"how do i get experience?"          / "two words: bad decisions."

"Just how do the residents of Haiku, Hawai'i hold conversations?"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1rc1 (MingW32)
Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG
Comment: Be part of the ?33t ECHELON -- Use Strong Encryption.
Comment: It's YOUR right - for the time being.
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFCKJFVHQSsSmCNKhARAu/YAJ4xBJ9A8Xw/g4Lz5+NjUaaqYA17eQCePLTB
LC1y9LjwCZOcdqNePQXTajM=
=CXNx
-----END PGP SIGNATURE-----
From: linux at codehelp.co.uk (Neil Williams)
Date: Fri Mar 4 22:44:14 2005
Subject: PHP Script to Send Key to Keyserver
In-Reply-To: <20050303104546.GA69639@mail07b.vwh1.net>
References: <20050303104546.GA69639@mail07b.vwh1.net>
Message-ID: <200503042148.19323.linux@codehelp.co.uk>

On Thursday 03 March 2005 3:45 pm, Michael Avila wrote:
> Now I am trying to find a PHP script that will send the key
> to
> www.keyserver.net

Hopelessly broken and contains many damaged keys. Don't use it. Use a functional keyserver and preferably one that handles subkeys properly: like subkeys.pgp.net

--
Neil Williams
=============
http://www.dcglug.org.uk/
http://www.nosoftwarepatents.com/
http://sourceforge.net/projects/isbnsearch/
http://www.neil.williamsleesmill.me.uk/
http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3

From: brunij at earthlink.net (Joseph Bruni)
Date: Sat Mar 5 02:12:03 2005
Subject: Return Codes
In-Reply-To: <20050304104019.GA67643@mail07a.vwh1.net>
References: <20050304104019.GA67643@mail07a.vwh1.net>
Message-ID: <9ac1443c0665175a66dfb98f3a586625@earthlink.net>

$ man gpg
...
RETURN VALUE
       The program returns 0 if everything was fine, 1 if at least a
       signature was bad, and other error codes for fatal errors.
...

On Mar 4, 2005, at 8:40 AM, Michael Avila wrote:
> The return code is 2. Is there a place to find what that rc is equal to? The
> output_array is empty as well as $output. Any suggestions where I am going
> wrong?
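Two things sit behind the empty output and the opaque status code in the "Return Codes" question, beyond the man-page categories Joseph quotes: gpg writes its "gpg: ..." diagnostics to stderr, which PHP's exec() does not collect, and a command built by string concatenation is handed to a shell, so anything in $parms that contains shell metacharacters can change what runs. The script below is an added illustration for this archive, not the poster's PHP script and not part of the thread: it runs a command without a shell, keeps stderr apart from stdout, lets the caller pin the working directory (relevant when the options file is given as the relative `.\gpg.conf`), and maps the exit status to the three categories from the man page. The command it executes is a constructed stand-in for gpg.exe (a Python one-liner that prints a gpg-style line to stderr and exits 2), so it runs where gpg is not installed; `run_tool`, `classify_exit_status`, `demo` and the diagnostic text are my names and values.

```python
"""Run an external tool without a shell and interpret its exit status.
Added illustration for the "Return Codes" thread; not the poster's script."""
import subprocess
import sys


def classify_exit_status(rc):
    """Categories from the gpg(1) RETURN VALUE section quoted above:
    0 = everything fine, 1 = at least one signature was bad,
    anything else = a fatal error (the reason is only on stderr)."""
    if rc == 0:
        return "ok"
    if rc == 1:
        return "bad signature"
    return "fatal error"


def run_tool(argv, cwd=None):
    """Execute argv directly (no shell), with an explicit working directory.

    Compared with the exec() call in the question:
    - stderr is captured separately, so the tool's diagnostics are not lost
      when stdout is empty;
    - the arguments are a list, not one concatenated command string, so a
      value containing quotes, '&' or ';' cannot inject a second command;
    - cwd is explicit, so a relative path such as `--options .\\gpg.conf`
      resolves the same way as at the prompt (a web server's working
      directory is usually not the directory the command was tested from)."""
    proc = subprocess.run(argv, cwd=cwd, capture_output=True, text=True)
    return {
        "rc": proc.returncode,
        "status": classify_exit_status(proc.returncode),
        "stdout": proc.stdout,
        "stderr": proc.stderr,
    }


# Constructed stand-in for gpg.exe so the block runs where gpg is absent:
# it behaves like a failing run (diagnostic on stderr, nothing on stdout,
# exit status 2) and, for comparison, like a run that succeeds.
FAILING_TOOL = [
    sys.executable, "-c",
    "import sys; sys.stderr.write('gpg: constructed diagnostic: options file not found\\n'); sys.exit(2)",
]
SUCCEEDING_TOOL = [sys.executable, "-c", "print('constructed stdout line')"]


def demo():
    """Return both results so a caller can compare the two cases."""
    return run_tool(FAILING_TOOL), run_tool(SUCCEEDING_TOOL)


if __name__ == "__main__":
    for result in demo():
        print(result["rc"], result["status"],
              "stdout=%r stderr=%r" % (result["stdout"], result["stderr"]))
```

For a real gpg invocation, replace the stand-in argv with something like `["E:\\newfromrn_dev\\pgp\\gpg.exe", "--batch", "--options", "gpg.conf", "--gen-key", "params.txt"]` and pass the directory holding gpg.conf as `cwd`; the stderr text then says what status 2 was about.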
From: cwsiv at keepandbeararms.com (Carl William Spitzer IV)
Date: Sat Mar 5 04:56:50 2005
Subject: gnupg and the Bat // ? possible in linux under wine
In-Reply-To: <200503012354.j21NsWEF089775@mailserver2.hushmail.com>
References: <200503012354.j21NsWEF089775@mailserver2.hushmail.com>
Message-ID: <1109994339.5461.1.camel@linux.site>

On Tue, 2005-03-01 at 15:54, vedaal@hush.com wrote:
> have finally made the plunge into linux
> (some neat bash commands that can be used with gnupg,
> like 'cat' are just not available in windows ... ;-)
>
> for easy transition from windows, am running fedora core 2)
>
> found the winetools (2.1.1) site,
> that lists the Bat as supported under wine:
> http://www.von-thadden.de/Joachim/WineTools/wt211jo.html
>

We have no need for windows front ends. In Gnome there is Seahorse which comes from SourceForge. In KDE there is kgpg, both of which have editors to facilitate use of inline signatures for PGP compatibility.

CWSIV

From: tenui at myrealbox.com (Tenui)
Date: Sat Mar 5 05:15:27 2005
Subject: bzip2 cross-compiling problem
Message-ID: <42293341.1080002@myrealbox.com>

Maxine Brandt wrote:
> An alternative to Werner's suggestion which avoids rebuilding bzip2 is to
> use the bzip2-1.0.2-3-bin.zip and bzip2-1.0.2-3-lib.zip files that you used
> for MinGW on Windows. Decompress them in the
> /usr/i586-mingw32msvc folder, then run autogen.sh
>
> This will give you bzip2 capability via a bzip2.dll as in a native Windows
> build.

Thanks Maxine. That seems simple, but I would really like to include the bzip2 capability in gpg.exe, as in the official installer version for Windows.

Regards
Tenui
From: ulrich.windl at rz.uni-regensburg.de (Ulrich Windl)
Date: Tue Mar 8 14:47:38 2005
Subject: GnuPG 1.4.0a for Windows
Message-ID: <42286F16.30967.6920518@rkdvmks1.ngate.uni-regensburg.de>

Hi,

it seems the ZIP archive as packed does not correspond to the registry file supplied: all files are unpacked into one directory, but gnupg-w32.reg assumes the locale files are in a subdirectory named "Locale" ("MODir"). Apart from that, I'd also suggest putting the documentation files into a subdirectory named "docs" or "man". Generally I would create a subdirectory of %ProgramFiles% instead of %SystemDrive%. If you are working as a non-Administrator, your access rights on the system drive may be limited.

The German translation seems incomplete and to be using inconsistent coding of Umlauts:

gpg: Keine g?ltigen OpenPGP-Daten gefunden.
gpg: processing message failed: eof

C:\Programme\GnuPG>gpg --gen-key
gpg (GnuPG) 1.4.0; Copyright (C) 2004 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Bitte w?hlen Sie, welche Art von Schl?ssel Sie m?chten:
   (1) DSA and Elgamal (default)
   (2) DSA (nur signieren/beglaubigen)
   (5) RSA (nur signieren/beglaubigen)
Ihre Auswahl? 1
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Die verlangte Schl?ssell?nge betr?gt 2048 Bit
Bitte w?hlen Sie, wie lange der Schl?ssel g?ltig bleiben soll.
         0 = Schl?ssel verf?llt nie
           = Schl?ssel verf?llt nach n Tagen
         w = Schl?ssel verf?llt nach n Wochen
         m = Schl?ssel verf?llt nach n Monaten
         y = Schl?ssel verf?llt nach n Jahren
Wie lange bleibt der Schl?ssel g?ltig? (0) 1w
Key verf?llt am 03/11/05 14:04:48 Westeurop?ische Normalzeit
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user I
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) "

Ihr Name ("Vorname Nachname"):
[...]
gpg: key F80B55CF marked as ultimately trusted
?ffentlichen und geheimen Schl?ssel erzeugt und signiert.

gpg: "Trust-DB" wird ?berpr?ft
gpg: 3 marignal-needed, 1 complete-needed, PGP Trust-Modell
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: n?chste "Trust-DB"-Pflicht?berpr?fung am 2005-03-11
pub   1024D/F80B55CF 2005-03-04 [expires: 2005-03-11]
      Key fingerprint = 89B8 4C48 6EF5 BBDB 84E1  44DB 594B B985 F80B 55CF
uid                  Tester Test (A Test)
sub   2048g/2A2F3FC0 2005-03-04 [expires: 2005-03-11]

GnuPG seems to create the key database outside of the "HomeDir" registry value. Instead it seems to use %APPDATA%... (however, this could be a left-over of having installed GnuPT (Gnu Privacy Tray) before)

Regards,
Ulrich
From: torduninja at mail.pf (Maxine Brandt)
Date: Tue Mar 8 14:48:09 2005
Subject: bzip2 cross-compiling problem
Message-ID: <4229FCBC.6060303@mail.pf>

Tenui wrote:
> Maxine Brandt wrote:
>
> > An alternative to Werner's suggestion which avoids rebuilding bzip2 is to
> > use the bzip2-1.0.2-3-bin.zip and bzip2-1.0.2-3-lib.zip files that you used
> > for MinGW on Windows. Decompress them in the
> > /usr/i586-mingw32msvc folder, then run autogen.sh
> >
> > This will give you bzip2 capability via a bzip2.dll as in a native Windows
> > build.
>
> Thanks Maxine. That seems simple, but I would really like to include the
> bzip2 capabaility in gpg.exe, as in the official installer version for Windows.

Well, you can have it both ways if you download this file:

http://www.chez.com/winterminator/compil/bzip2.zip

It contains the two files that Werner mentioned. Put libbz2.a in the lib folder and bzlib.h in include. You'll have to change a line in bzlib.h

- #if defined(_WIN32) && !defined(__MINGW32__)
+ #if defined(_WIN32) && 0
# include
# ifdef small

Then, to include bzip2 capability in gpg.exe, in configure add the line

## --------------------- ##
## M4sh Initialization. ##
## --------------------- ##
+ LDFLAGS='-static'

If you leave out this change to configure, gpg builds with bzip2 capability via the bzip2.dll.

Cheers
Maxine

--
PGP/GPG keys: http://www.torduninja.tk
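Review bot: replacing `!defined(__MINGW32__)` with `0` in the bzlib.h hunk switches the guarded block off for every `_WIN32` build, not only the i586-mingw32msvc cross build this thread is about, and nothing in the file records why; if the intent is just to skip that block under the cross compiler, a comment naming that case, or a dedicated macro passed in through CFLAGS, keeps the edit readable and easy to revert when a newer bzlib.h is dropped in.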
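Review bot: adding `LDFLAGS='-static'` inside the generated configure script (the hunk under the "M4sh Initialization" banner) is lost the next time autogen.sh regenerates configure, which the earlier instructions in this same thread tell the reader to run; passing it in the environment (`LDFLAGS=-static ./configure ...`) survives regeneration. `-static` also links every library statically, not just libbz2, so the resulting gpg.exe deserves a check of what else it pulled in.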
From: twoaday at freakmail.de (Timo Schulz)
Date: Tue Mar 8 14:48:19 2005
Subject: Announcement for WinPT Smart Card Bugfix
Message-ID: <20050306162646.GB896@daredevil.joesixpack.net>

He recently found a problem in WinPT concerning the way it communicates with GPG to handle smart card (edit) functions. In all versions prior to 0.9.90 (final) it is possible that WinPT indicated the PIN was successfully changed, but actually the old PIN is still in use. If a mailer caches the PIN and sends the (invalid) PIN to GPG multiple times, the card will block.

The problem does not occur if WinPT is used to sign or decrypt data protected with a key that is located on a smart card!

I released a new version of WinPT (0.9.90 final) which fixes this and some other smart card related problems. The new version is available at http://www.winpt.org.

Timo
From: jharris at widomaker.com (Jason Harris)
Date: Tue Mar 8 14:48:25 2005
Subject: new (2005-03-06) keyanalyze results (+sigcheck)
Message-ID: <20050306204035.GI5390@wilma.widomaker.com>

New keyanalyze results are available at:

http://keyserver.kjsl.com/~jharris/ka/2005-03-06/

Signatures are now being checked using keyanalyze+sigcheck:

http://dtype.org/~aaronl/

Earlier reports are also available, for comparison:

http://keyserver.kjsl.com/~jharris/ka/

Even earlier monthly reports are at:

http://dtype.org/keyanalyze/

SHA-1 hashes and sizes for all the "permanent" files:

--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004
From: adam00f at ducksburg.com (Adam Funk)
Date: Tue Mar 8 14:48:34 2005
Subject: How to extend subkey's expiry date?
Message-ID: <200503071008.j27A8Lk14005@Porthos.co.umist.ac.uk>

My key expired recently and GPG would (of course) not let me encrypt to it. I'd like to keep using the same key. So I used "gpg --edit-key" and the "expire" subcommand to extend the expiry date. Unfortunately the only subkey's expiry date did not change, so I still can't encrypt to the key.

$ gpg --edit-key e3c5ee5e
...
pub  1024D/E3C5EE5E  created: 2002-02-19  expires: 2007-03-07  usage: CS
                     trust: ultimate      validity: ultimate
sub  2048g/66796190  created: 2002-02-19  expired: 2005-02-18  usage: E
...

I've tried using "expire sub" and "expire 66796190" commands inside edit-key, but I can't change the expiry of the subkey. Is it possible to do so, or do I need to add a new subkey to keep using the same main key?

--
Thanks,
Adam


From: jediknight2 at ec.rr.com (jediknight2)
Date: Wed Mar 9 10:40:16 2005
Subject: Encrypting SubFolders
Message-ID: <8311395.1110300396046.JavaMail.Administrator@atp>

Is there a way to encrypt a folder including subfolders?

I have tried
gpg --encrypt --multifile \thisfolder\*.*
gpg --encrypt --multifile \thisfolder\*

The first one will hit all the subfolders inside thisfolder, but if those subfolders have folders then it won't go...

so it will try thisfolder\subfolder
but it won't catch thisfolder\subfolder\subsubfolder

Any suggestions
From: zuxy.meng at gmail.com (Zuxy)
Date: Wed Mar 9 10:57:48 2005
Subject: How to extend subkey's expiry date?
In-Reply-To: <200503071008.j27A8Lk14005@Porthos.co.umist.ac.uk>
References: <200503071008.j27A8Lk14005@Porthos.co.umist.ac.uk>
Message-ID:

On Mon, 7 Mar 2005 10:08:21 GMT, Adam Funk wrote:
> $ gpg --edit-key e3c5ee5e
> ...
> pub  1024D/E3C5EE5E  created: 2002-02-19  expires: 2007-03-07  usage: CS
>                      trust: ultimate      validity: ultimate
> sub  2048g/66796190  created: 2002-02-19  expired: 2005-02-18  usage: E
> ...
>
> I've tried using "expire sub" and "expire 66796190" commands inside
> edit-key, but I can't change the expiry of the subkey.

"key 1" then "expire" should work.

--
Zuxy
Beauty is truth,
While truth is beauty.
PGP KeyID: E8555ED6


From: atom at smasher.org (Atom Smasher)
Date: Wed Mar 9 21:00:08 2005
Subject: Encrypting SubFolders
In-Reply-To: <8311395.1110300396046.JavaMail.Administrator@atp>
References: <8311395.1110300396046.JavaMail.Administrator@atp>
Message-ID: <20050309200403.30485.qmail@smasher.org>

On Tue, 8 Mar 2005, jediknight2 wrote:
> Is there a way to encrypt a folder including subfolders?
>
> I have tried
> gpg --encrypt --multifile \thisfolder\*.*
> gpg --encrypt --multifile \thisfolder\*
>
> The first one will hit all the subfolders inside thisfolder, but if those
> subfolders have folders then it wont go...
>
> so it will try thisfolder\subfolder
> but it wont catch thisfolder\subfolder\subsubfolder
>
> Any suggestions
==========================

windows or *nix?

--
...atom

_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------

"Somebody has to take governments' place, and business seems to me to be a logical entity to do it."
-- David Rockefeller
Newsweek International, Feb 1 1999.
From: atom at smasher.org (Atom Smasher)
Date: Wed Mar 9 21:14:32 2005
Subject: Encrypting SubFolders
In-Reply-To:
References:
Message-ID: <20050309201831.45818.qmail@smasher.org>

On Wed, 9 Mar 2005, David T Kerns wrote:
> I'm new to gpg so not sure if gpg has a recursion flag, but on unix:
>
> gpg --encrypt --multifile `find /thisfolder -type f -print`
==================

that's close to what i was thinking...

find /thisfolder -type f -exec gpg --encrypt {} \;

same thing, really... i can think of several variations for typing it.

--
...atom

_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------

"The idea that Bill Gates has appeared like a knight in shining armor to lead all customers out of a mire of technological chaos neatly ignores the fact that it was he, who by peddling second-rate technology, led them into it in the first place."
-- Douglas Adams


From: koch at u32.de (Walter Koch)
Date: Wed Mar 9 21:26:56 2005
Subject: GnuPG 1.4.0a for Windows
In-Reply-To: <42286F16.30967.6920518@rkdvmks1.ngate.uni-regensburg.de>
References: <42286F16.30967.6920518@rkdvmks1.ngate.uni-regensburg.de>
Message-ID:

Hi,

> German translation seems incomplete

I'm working on it.

> and be using inconsistent coding of Umlauts:
> gpg: Keine g?ltigen OpenPGP-Daten gefunden.
...
> Key verf?llt am 03/11/05 14:04:48 Westeurop?ische Normalzeit

"Westeuropäische Normalzeit" does not come from the gnupg translation, but from Sir Windows himself. You can judge it from the use of the term "Westeuropäische Normalzeit" (Westeuropean mean time) for the timezone used in Germany. But that's wrong. It has to be "Mitteleuropäische Zeit" (Central European time). However, the Umlaut is still wrong.

Regards,
Walter

--
Thoughts are free. The details are regulated by a federal law.
From: david.t.kerns at us.hsbc.com (David T Kerns)
Date: Wed Mar 9 22:11:02 2005
Subject: Encrypting SubFolders
Message-ID:

I'm new to gpg so not sure if gpg has a recursion flag, but on unix:

gpg --encrypt --multifile `find /thisfolder -type f -print`

should work.

Atom Smasher, 03/09/2005 02:06 PM, Re: Encrypting SubFolders:
> windows or *nix?
From: rmalayter at bai.org (Ryan Malayter)
Date: Wed Mar 9 22:41:18 2005
Subject: Encrypting SubFolders
Message-ID: <792DE28E91F6EA42B4663AE761C41C2A03C88152@cliff.bai.org>

FYI, on windows the command would be:

FOR /R c:\temp %f IN (*) DO gpg --encrypt %f

Obviously, you can replace C:\temp with a relative path, UNC, or whatever else you'd like. I think you need Win98 or newer to have the FOR command available in the command shell.

Regards,
Ryan
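The same recursion done from a script, as an added example that is not from the thread (it assumes a `gpg` binary on PATH and a recipient key ID supplied by the caller; the key ID used in `demo()` is a placeholder): it walks the tree like `find -type f`, skips files that already carry an OpenPGP suffix so a second run does not encrypt the previous run's `.gpg` output, and hands every path to gpg as its own argv element, which is what the backtick form above loses on names containing spaces.

```python
"""Recursive encryption planner for GnuPG (added example, not from the list).

Assumes a `gpg` binary on PATH and a recipient key ID chosen by the caller.
"""
import os
import subprocess
import tempfile
from pathlib import Path

# Outputs of an earlier run; encrypting them again only nests ciphertext.
SKIP_SUFFIXES = (".gpg", ".asc", ".pgp")


def collect_files(root):
    """Every regular file under root, recursing like `find root -type f`,
    minus files that already look like OpenPGP output."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(Path(root)):
        for name in filenames:
            path = Path(dirpath) / name
            if path.suffix.lower() in SKIP_SUFFIXES:
                continue
            if not path.is_file():  # os.walk also lists dangling symlinks
                continue
            found.append(path)
    return sorted(found)


def build_gpg_command(recipient, files, armor=False):
    """argv for a single gpg run. --encrypt-files is the long form of
    --multifile --encrypt; each path is its own argv entry, so no shell
    word-splitting happens on names with spaces."""
    argv = ["gpg", "--batch", "--yes", "--recipient", recipient]
    if armor:
        argv.append("--armor")
    argv.append("--encrypt-files")
    argv.extend(str(f) for f in files)
    return argv


def encrypt_tree(root, recipient):
    """Run gpg once over the whole tree; returns gpg's exit status
    (0 = fine, 1 = at least one bad signature, other = fatal error)."""
    files = collect_files(root)
    if not files:
        return 0
    return subprocess.run(build_gpg_command(recipient, files)).returncode


def demo():
    """Constructed sample tree in a temp dir; returns the relative paths
    selected and the argv that would run, without invoking gpg."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "thisfolder"
        layout = ["a.txt", "sub/b.txt", "sub/subsub/c with space.txt",
                  "sub/old.txt.gpg"]  # the last one is prior output
        for rel in layout:
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text("sample")
        files = collect_files(root)
        relative = [f.relative_to(root).as_posix() for f in files]
        # "KEYID_PLACEHOLDER" stands in for a real recipient key ID.
        return relative, build_gpg_command("KEYID_PLACEHOLDER", files)


if __name__ == "__main__":
    print(demo())
```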
From: david.t.kerns at us.hsbc.com (David T Kerns)
Date: Thu Mar 10 00:41:35 2005
Subject: keyserver
Message-ID:

I've searched the FAQ and mailing list (albeit not exhaustively) but don't find much info on setting up a keyserver.

I've set up a keyserver inside the corporate firewall and am hoping to have that one system share keys with a public server. My thoughts are I only have to configure one system to barrel through the firewall rather than every user on every server in my network.

Certainly I'm not the first one to encounter this. Can anyone point me to some documentation?

Thanks
Dave Kerns
From: jharris at widomaker.com (Jason Harris)
Date: Thu Mar 10 01:02:38 2005
Subject: keyserver
In-Reply-To:
References:
Message-ID: <20050310000630.GN5390@wilma.widomaker.com>

On Wed, Mar 09, 2005 at 04:43:18PM -0600, David T Kerns wrote:
> I've searched the FAQ and mailing list (albeit not exhaustively) but don't
> find much info on setting up a keyserver.
>
> I've set up a keyserver inside the corporate firewall and am hoping to have
> that one system share keys with a public server.
> My thoughts are I only have to configure one system to barrel through the
> firewall rather than every user on every server in my network.
> Certainly I'm not the first one to encounter this. Can anyone point me to
> some documentation?

Post more details to the keyserver mailing list:

http://lists.kjsl.com/mailman/listinfo/pgp-keyserver-folk

Specifically, if you want people to sync. with your keyserver, we need to know what software you're running and the server's IP and email addresses.

--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004
From: ilkkah at gmail.com (Ilkka Huotari)
Date: Thu Mar 10 01:43:03 2005
Subject: Preventing temporary files?
Message-ID:

Hello,

I'm running Gnupg in an automated environment, from PHP, with proc_open(), which allows to open pipes, which in turn can be used to write input and read output. So it seems quite secure, no cleartext or passphrases in any temporary files.

However, Gnupg still wants to use temporary files in some internal operations. I would not want to have even write access in the directory (--homedir), since that's another thing to worry about, and another step for the user to take care of.

Is there any way to prevent gnupg from making or requiring these temporary files? I suppose it should be technically possible to do the encryption without them?

Thank you,
Ilkka Huotari


From: atom at smasher.org (Atom Smasher)
Date: Thu Mar 10 01:48:46 2005
Subject: Preventing temporary files?
In-Reply-To:
References:
Message-ID: <20050310005246.14389.qmail@smasher.org>

On Thu, 10 Mar 2005, Ilkka Huotari wrote:
> I'm running Gnupg in an automated environment, from PHP, with
> proc_open(), which allows to open pipes, which in turn can be used to
> write input and read output. So it seems quite secure, no cleartext or
> passphrases in any temporary files.
================

this might give you some ideas, or depending on what you're doing it might be what you need.

http://business-php.com/opensource/gpg_encrypt/

--
...atom

_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------

"In peace, sons bury their fathers.
In war, fathers bury their sons."
-- Herodotus
From: thomas at northernsecurity.net (Thomas Sjögren)
Date: Thu Mar 10 02:01:56 2005
Subject: keyserver
In-Reply-To:
References:
Message-ID: <20050309235343.GF30078@northernsecurity.net>

On Wed, Mar 09, 2005 at 04:43:18PM -0600, David T Kerns wrote:
> I've searched the FAQ and mailing list (albeit not exhaustively) but don't
> find much info on setting up a keyserver.
>
> I've set up a keyserver inside the corporate firewall and am hoping to have
> that one system share keys with a public server.
> My thoughts are I only have to configure one system to barrel through the
> firewall rather than every user on every server in my network.
> Certainly I'm not the first one to encounter this. Can anyone point me to
> some documentation?

Point the users to your keyserver, only allow ports 11370/11371 from/to that server, and join the keyserver-folk mailing list:

http://lists.alt.org/mailman/listinfo/pgp-keyserver-folk

/Thomas
From: ilkkah at gmail.com (Ilkka Huotari)
Date: Thu Mar 10 02:18:15 2005
Subject: Preventing temporary files?
In-Reply-To: <20050310005246.14389.qmail@smasher.org>
References: <20050310005246.14389.qmail@smasher.org>
Message-ID:

I have the PHP side working. The thing that I have problems with is this:

gpg: failed to create temporary file `bin/gpg/.#lk0x80eb83c.nd2.2253': Permission denied

Regards,
Ilkka

On Wed, 9 Mar 2005 19:54:44 -0500 (EST), Atom Smasher wrote:
> On Thu, 10 Mar 2005, Ilkka Huotari wrote:
>
> > I'm running Gnupg in an automated environment, from PHP, with
> > proc_open(), which allows to open pipes, which in turn can be used to
> > write input and read output. So it seems quite secure, no cleartext or
> > passphrases in any temporary files.
> ================
>
> this might give you some ideas, or depending on what you're doing it might
> be what you need.
>
> http://business-php.com/opensource/gpg_encrypt/
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Mar 10 03:01:20 2005
Subject: Preventing temporary files?
In-Reply-To:
References: <20050310005246.14389.qmail@smasher.org>
Message-ID: <20050310020442.GA18415@jabberwocky.com>

On Thu, Mar 10, 2005 at 03:22:14AM +0200, Ilkka Huotari wrote:
> I have the PHP side working. The thing that I have problems with is this:
>
> gpg: failed to create temporary file
> `bin/gpg/.#lk0x80eb83c.nd2.2253': Permission denied

That's a lock file. It is needed to prevent more than one instance of GnuPG from modifying keyrings (which would naturally corrupt them). If you can guarantee this exclusion outside of GnuPG, then see the --lock-never option in the manual.

David
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Mar 10 03:03:51 2005
Subject: keyserver
In-Reply-To:
References:
Message-ID: <20050310020713.GB18415@jabberwocky.com>

On Wed, Mar 09, 2005 at 04:43:18PM -0600, David T Kerns wrote:
> I've searched the FAQ and mailing list (albeit not exhaustively) but don't
> find much info on setting up a keyserver.
>
> I've set up a keyserver inside the corporate firewall and am hoping to have
> that one system share keys with a public server.
> My thoughts are I only have to configure one system to barrel through the
> firewall rather than every user on every server in my network.
> Certainly I'm not the first one to encounter this. Can anyone point me to
> some documentation?

It depends on what kind of keyserver you have set up. If it's the OpenLDAP sort, then they don't sync with other servers (except in the LDAP sense of sync - and there aren't any public servers that sync that way). If it's SKS or PKS, then you can sync via email.

Your best bet is to subscribe to the pgp-keyserver-folk list at:

http://lists.alt.org/mailman/listinfo/pgp-keyserver-folk

Nearly every operator of a public keyserver is a member, and you can get all the information you need there.

David
From: ilkkah at gmail.com (Ilkka Huotari)
Date: Thu Mar 10 03:13:48 2005
Subject: Preventing temporary files?
In-Reply-To: <20050310020442.GA18415@jabberwocky.com>
References: <20050310005246.14389.qmail@smasher.org> <20050310020442.GA18415@jabberwocky.com>
Message-ID:

Ah ok, thank you so much! The keyring is not going to change, so I think I can safely use the --lock-never. I can take the write permissions out of the keyring to make it sure even... After a quick testing, seems to work ok.

Ilkka

On Wed, 9 Mar 2005 21:04:42 -0500, David Shaw wrote:
> On Thu, Mar 10, 2005 at 03:22:14AM +0200, Ilkka Huotari wrote:
> > I have the PHP side working. The thing that I have problems with is this:
> >
> > gpg: failed to create temporary file
> > `bin/gpg/.#lk0x80eb83c.nd2.2253': Permission denied
>
> That's a lock file. It is needed to prevent more than one instance of
> GnuPG from modifying keyrings (which would naturally corrupt them).
> If you can guarantee this exclusion outside of GnuPG, then see the
> --lock-never option in the manual.
>
> David
From: jharris at widomaker.com (Jason Harris)
Date: Thu Mar 10 05:10:07 2005
Subject: keyserver
In-Reply-To: <20050310020713.GB18415@jabberwocky.com>
References: <20050310020713.GB18415@jabberwocky.com>
Message-ID: <20050310041355.GO5390@wilma.widomaker.com>

On Wed, Mar 09, 2005 at 09:07:13PM -0500, David Shaw wrote:
> On Wed, Mar 09, 2005 at 04:43:18PM -0600, David T Kerns wrote:
> > I've set up a keyserver inside the corporate firewall and am hoping to have
> > that one system share keys with a public server.
> > My thoughts are I only have to configure one system to barrel through the
> > firewall rather than every user on every server in my network.
> > Certainly I'm not the first one to encounter this. Can anyone point me to
> > some documentation?
>
> It depends on what kind of keyserver you have set up. If it's the
> OpenLDAP sort, then they don't sync with other servers (except in the
> LDAP sense of sync - and there aren't any public servers that sync
> that way). If it's SKS or PKS, then you can sync via email.

Actually, ldap://horowitz.surfnet.nl:11370 receives syncs. via email and sends a nightly email with the day's updates. (Of course, both pgp.com keyservers remain unsynchronized.) (Also, I think the older software can sync. via sockets, but I don't know that it was ever used to sync. surfnet.nl and pgp.com.)

As well, SKS does not require email connectivity for sync. A few SKS servers are currently configured with no email peers, FWIW.

> Your best bet is to subscribe to the pgp-keyserver-folk list at:
>
> http://lists.alt.org/mailman/listinfo/pgp-keyserver-folk

That one's still broken. See my first reply for the backup list URL. (Don't worry, Thomas just posted the wrong URL too. :)

--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004


From: brunij at earthlink.net (Joseph Bruni)
Date: Thu Mar 10 05:10:55 2005
Subject: Preventing temporary files?
In-Reply-To: <20050310020442.GA18415@jabberwocky.com>
References: <20050310005246.14389.qmail@smasher.org> <20050310020442.GA18415@jabberwocky.com>
Message-ID: <971af2fdcb48ddd5b26ad66554212dfa@earthlink.net>

On Mar 9, 2005, at 7:04 PM, David Shaw wrote:
> On Thu, Mar 10, 2005 at 03:22:14AM +0200, Ilkka Huotari wrote:
>> I have the PHP side working. The thing that I have problems with is
>> this:
>>
>> gpg: failed to create temporary file
>> `bin/gpg/.#lk0x80eb83c.nd2.2253': Permission denied
>
> That's a lock file. It is needed to prevent more than one instance of
> GnuPG from modifying keyrings (which would naturally corrupt them).
> If you can guarantee this exclusion outside of GnuPG, then see the
> --lock-never option in the manual.
>
> David

Hi David,

Just out of curiosity, why not obtain an OS lock on the keyring files themselves, such as that provided by flock() for the BSD unixes and lockf() for the SVR4 unixes? Was this for portability reasons?

Joe
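David Shaw's condition for `--lock-never` (exclusion guaranteed outside GnuPG) implemented with the OS-level lock Joe asks about, as an added example that is not from the thread; it assumes a POSIX system with `fcntl.flock`, a `gpg` binary on PATH, and a lock file kept outside `--homedir` so the homedir itself can stay read-only, exactly the setup Ilkka describes.

```python
"""Holding an external lock around gpg so that --lock-never is safe
(added example, not from the list).

Assumes POSIX flock(), a `gpg` binary on PATH, and that every process
touching the keyring goes through keyring_exclusive_lock().
"""
import fcntl
import os
import subprocess
import tempfile
from contextlib import contextmanager


@contextmanager
def keyring_exclusive_lock(lock_path, blocking=True):
    """Exclusive advisory lock (flock) held for the duration of the block.

    The lock file lives wherever the caller puts it, so --homedir can be
    read-only; it is gpg's own .#lk* file that fails there in the thread."""
    fd = os.open(lock_path, os.O_RDWR | os.O_CREAT, 0o600)
    try:
        flags = fcntl.LOCK_EX | (0 if blocking else fcntl.LOCK_NB)
        fcntl.flock(fd, flags)  # BlockingIOError if non-blocking and held
        yield fd
    finally:
        fcntl.flock(fd, fcntl.LOCK_UN)
        os.close(fd)


def gpg_encrypt_argv(homedir, recipient):
    """argv for gpg reading plaintext on stdin and writing ciphertext to
    stdout (the proc_open pipe pattern) with GnuPG's own locking disabled."""
    return ["gpg", "--batch", "--quiet", "--homedir", homedir,
            "--lock-never", "--recipient", recipient, "--encrypt"]


def encrypt_with_pipes(homedir, recipient, plaintext, lock_path):
    """Encrypt bytes through pipes while the external lock is held."""
    with keyring_exclusive_lock(lock_path):
        proc = subprocess.run(gpg_encrypt_argv(homedir, recipient),
                              input=plaintext, capture_output=True)
    if proc.returncode != 0:  # 0 = fine, anything else is an error here
        raise RuntimeError(proc.stderr.decode(errors="replace"))
    return proc.stdout


def second_locker_is_blocked(lock_path):
    """True when a second, non-blocking attempt fails while the lock is
    held, i.e. the exclusion that --lock-never relies on is enforced."""
    with keyring_exclusive_lock(lock_path):
        try:
            with keyring_exclusive_lock(lock_path, blocking=False):
                return False  # two gpg instances could run concurrently
        except BlockingIOError:
            return True


def demo():
    """Constructed lock file in a temporary directory; no gpg call."""
    with tempfile.TemporaryDirectory() as tmp:
        return second_locker_is_blocked(os.path.join(tmp, "keyring.lock"))


if __name__ == "__main__":
    print("exclusion enforced:", demo())
```

flock() locks belong to the open file description, so a second open() of the same path conflicts whether it comes from another process or the same one, which is what `second_locker_is_blocked` checks.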
From: talmage at zero.ad.jp (Kory T)
Date: Thu Mar 10 07:36:34 2005
Subject: gpg + smartcard ?s
In-Reply-To: <20050310000630.GN5390@wilma.widomaker.com>
References: <20050310000630.GN5390@wilma.widomaker.com>
Message-ID: <778757e9219dc8f5b5cf006025d6cd96@zero.ad.jp>

When GPG 1.4 came out a few months ago I noticed smartcard support was now officially included. For the last few months I've been hoping good documentation would pop up on the net to guide me through the steps to use a smartcard with GPG. So far I haven't been able to find much. I would appreciate it if I could get some help getting answers for the specific questions I have.

From what I understand, GnuPG 1.4 can access smartcard readers in two ways: through gpg's built-in drivers and through the PC/SC drivers. Is there a list of what drivers are built into gpg, or a list of devices that are officially supported by GnuPG?

Is it possible to use generic smartcards and not just the OpenPGP card from g10? For example, I want to try and use those 'usb token' size smartcards on desktop computers and regular smartcards (pcmcia reader) with laptops. If only the OpenPGP card is supported, what is so special about the OpenPGP card? Can generic smartcards be programmed to be the same as the OpenPGP card?

And the most important question I have is, does the gpg smartcard implementation support 2048~4096 bit keys? I've only found reference to 1024 bit keys. 1024 bit is simply not enough for the paranoid like myself.

Forgive me if some of these questions have been answered on the list; I'm new to the list and did search through the list archives first ;). Any help will be appreciated. Thanks.

KoryT

From ml at charliesangels.biz Thu Mar 10 08:16:01 2005
From: ml at charliesangels.biz (ml@charliesangels.biz)
Date: Thu Mar 10 08:12:02 2005
Subject: Encrypt - but no such user-id
Message-ID:

Hi all,

I have a strange problem.

1) I import a public key:

[sascha@localhost tmp]$ gpg --import testkeys
gpg: WARNUNG: Sensible Daten könnten auf Platte ausgelagert werden.
gpg: siehe http://www.gnupg.org/faq.html für weitere Informationen
gpg: key 12345: public key "bla" imported
gpg: Anzahl insgesamt bearbeiteter Schlüssel: 1
gpg:               importiert: 1
gpg: 3 marignal-needed, 1 complete-needed, classic Trust-Modell
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u

Looks good, right? gpg --list-keys shows the key.

2) Now I try to sign a file:

[sascha@localhost tmp]$ gpg -e test
gpg: WARNUNG: Sensible Daten könnten auf Platte ausgelagert werden.
gpg: siehe http://www.gnupg.org/faq.html für weitere Informationen
Sie haben keine User-ID angegeben (Sie können die Option "-r" verwenden).

Current recipients:

Geben Sie die User-ID ein. Beenden mit einer leeren Zeile: 12345
Keine solche User-ID vorhanden.

Current recipients:

Geben Sie die User-ID ein. Beenden mit einer leeren Zeile:

Somehow it seems that the key is corrupt - but I still don't get it. Why does import work, but encryption not?

Thanks and regards
Sascha

From JPRuehmann at web.de Wed Mar 9 21:53:03 2005
From: JPRuehmann at web.de (Jan-Peter Rühmann)
Date: Thu Mar 10 10:37:52 2005
Subject: Proxy still not work
Message-ID: <422F622F.9050608@web.de>

Hello.

I've just installed 1.4.1 RC2 but the connection via proxy is still impossible. When will proxying be functioning?

Thanks,

-- 
------------------------------------------------------------------------
Hello everyone
Jan-Peter Rühmann       Gubkower Str. 7        Tel.: +49 (038205) 65484
18195 Prangendorf                              FAX:  +49 (038205) 65212
Germany
Email (private): JPRuehmann@web.de
Email (company):
HP: http://home.debitel.net/user/jan-peter.ruehmann/
------------------------------------------------------------------------

From wk at gnupg.org Thu Mar 10 11:24:13 2005
From: wk at gnupg.org (Werner Koch)
Date: Thu Mar 10 11:21:11 2005
Subject: GnuPG 1.4.0a for Windows
In-Reply-To: <42286F16.30967.6920518@rkdvmks1.ngate.uni-regensburg.de> (Ulrich Windl's message of "Fri, 04 Mar 2005 14:22:14 +0100")
References: <42286F16.30967.6920518@rkdvmks1.ngate.uni-regensburg.de>
Message-ID: <87is3zre7m.fsf@wheatstone.g10code.de>

On Fri, 04 Mar 2005 14:22:14 +0100, Ulrich Windl said:

> Hi,
> it seems the ZIP Archive packed does not correspond to the registry file supplied:

This has already changed with the release candidates for 1.4.1: We won't distribute ZIP files anymore but installer packages. As written in the release notes, the use of the registry changed as well as the way translation files are located. Check out

  ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.4.1rc2.exe

Salam-Shalom,

   Werner

From wk at gnupg.org Thu Mar 10 11:20:34 2005
From: wk at gnupg.org (Werner Koch)
Date: Thu Mar 10 11:21:20 2005
Subject: GnuPG 1.4.0a for Windows
In-Reply-To: (Walter Koch's message of "Wed, 09 Mar 2005 21:24:53 +0100")
References: <42286F16.30967.6920518@rkdvmks1.ngate.uni-regensburg.de>
Message-ID: <87mztbredp.fsf@wheatstone.g10code.de>

On Wed, 09 Mar 2005 21:24:53 +0100, Walter Koch said:

> used in Germany. But that's wrong. It has to be "Mitteleuropäische Zeit"
> (Central European time). However, the Umlaut is still wrong.

I already fixed that in the CVS by removing the string.

Shalom-Salam,

   Werner

From wk at gnupg.org Thu Mar 10 11:25:22 2005
From: wk at gnupg.org (Werner Koch)
Date: Thu Mar 10 11:26:12 2005
Subject: Proxy still not work
In-Reply-To: <422F622F.9050608@web.de> (Jan-Peter Rühmann's message of "Wed, 09 Mar 2005 21:53:03 +0100")
References: <422F622F.9050608@web.de>
Message-ID: <87ekenre5p.fsf@wheatstone.g10code.de>

On Wed, 09 Mar 2005 21:53:03 +0100, Jan-Peter Rühmann said:

> I've just installed 1.4.1 RC2 but the Connection via Proxy still is
> impossible when will Proxying be functioning?

Please elaborate.

Shalom-Salam,

   Werner

From wk at gnupg.org Thu Mar 10 11:29:46 2005
From: wk at gnupg.org (Werner Koch)
Date: Thu Mar 10 11:26:24 2005
Subject: Preventing temporary files?
In-Reply-To: <971af2fdcb48ddd5b26ad66554212dfa@earthlink.net> (Joseph Bruni's message of "Wed, 9 Mar 2005 21:14:40 -0700")
References: <20050310005246.14389.qmail@smasher.org> <20050310020442.GA18415@jabberwocky.com> <971af2fdcb48ddd5b26ad66554212dfa@earthlink.net>
Message-ID: <87acpbrdyd.fsf@wheatstone.g10code.de>

On Wed, 9 Mar 2005 21:14:40 -0700, Joseph Bruni said:

> themselves such as that provided by flock() for the BSD unixes and
> lockf() for the SVR4 unixes? Was this for portability reasons?

Yes, this is a portability issue. A lock file is the only way to take a lock in a portable way independent of the file system. In general it also works with remotely mounted file systems accessed by different types of OSes.

Salam-Shalom,

   Werner

From JPRuehmann at web.de Thu Mar 10 12:26:37 2005
From: JPRuehmann at web.de (Jan-Peter Rühmann)
Date: Thu Mar 10 12:23:32 2005
Subject: Proxy still not work
In-Reply-To: <87ekenre5p.fsf@wheatstone.g10code.de>
References: <422F622F.9050608@web.de> <87ekenre5p.fsf@wheatstone.g10code.de>
Message-ID: <42302EED.1010200@web.de>

Werner Koch wrote:
> On Wed, 09 Mar 2005 21:53:03 +0100, Jan-Peter Rühmann said:
>
>> I've just installed 1.4.1 RC2 but the Connection via Proxy still is
>> impossible when will Proxying be functioning?
>
> Please elaborate.
>
> Shalom-Salam,
>
>    Werner

Read my mails from the last months, at least beginning with December last year, and you know what I mean.

Thank you,
Jan-Peter

From iam-est-hora-surgere at despammed.com Thu Mar 10 13:04:20 2005
From: iam-est-hora-surgere at despammed.com (Marcus Frings)
Date: Thu Mar 10 13:04:29 2005
Subject: Trust model: classic or pgp?
Message-ID:

Hello,

I have two questions concerning the trust model. The man page says:

,----[ man gpg ]
| --trust-model pgp|classic|always
|     Set what trust model GnuPG should follow. The models are:
|
|     pgp      This is the Web of Trust combined with trust signatures
|              as used in PGP 5.x and later. This is the default
|              trust model.
|
|     classic  This is the standard Web of Trust as used in PGP
|              2.x and earlier.
`----

First of all, what is actually the difference between "pgp" and "classic"? The first option tells about WOT and trust signatures but the latter just mentions the WOT.

My last question is why

gpg --check-trustdb

results in

gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
                                                 ^^^^^^^

when "pgp" is supposed to be the default? I cannot remember that I have ever changed the trust model. I guess I should switch over to "pgp", right?

Regards,
Marcus
-- 
"I believe in death, destruction, chaos, filth and greed."

From khylandirl at aol.com Thu Mar 10 12:59:13 2005
From: khylandirl at aol.com (Keith Hyland)
Date: Thu Mar 10 13:29:52 2005
Subject: Newbie... Verifying a p7s signature
In-Reply-To: <42302EED.1010200@web.de>
References: <422F622F.9050608@web.de> <87ekenre5p.fsf@wheatstone.g10code.de> <42302EED.1010200@web.de>
Message-ID: <42303691.6040000@aol.com>

Hi,

I'm a complete newbie to using gpg. I've got a sample detached signature which I would like to verify. It's in a p7s format (I don't know what this means). I also have the original pdf document that was signed. When I try to verify it I get:

gpg -v --verify doc.pdf.p7s doc.pdf
gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.

Anybody got any ideas? Do I need the public key or is it included in the p7s file?

Cheers,
Keith

From dshaw at jabberwocky.com Thu Mar 10 14:17:54 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Mar 10 14:14:37 2005
Subject: keyserver
In-Reply-To: <20050310041355.GO5390@wilma.widomaker.com>
References: <20050310020713.GB18415@jabberwocky.com> <20050310041355.GO5390@wilma.widomaker.com>
Message-ID: <20050310131754.GC18415@jabberwocky.com>

On Wed, Mar 09, 2005 at 11:13:55PM -0500, Jason Harris wrote:
> On Wed, Mar 09, 2005 at 09:07:13PM -0500, David Shaw wrote:
> > On Wed, Mar 09, 2005 at 04:43:18PM -0600, David T Kerns wrote:
> > >
> > > I've set up a keyserver inside the corporate firewall and am hoping to have
> > > that one system share keys with a public server.
> > > My thoughts are I only have to configure one system to barrel through the
> > > firewall rather than every user on every server in my network.
> > > Certainly I'm not the first one to encounter this. Can anyone point me to
> > > some documentation?
> >
> > It depends on what kind of keyserver you have set up. If it's the
> > OpenLDAP sort, then they don't sync with other servers (except in the
> > LDAP sense of sync - and there aren't any public servers that sync
> > that way). If it's SKS or PKS, then you can sync via email.
>
> Actually, ldap://horowitz.surfnet.nl:11370 receives syncs. via email
> and sends a nightly email with the day's updates. (Of course, both
> pgp.com keyservers remain unsynchronized.) (Also, I think the older
> software can sync. via sockets, but I don't know that it was ever
> used to sync. surfnet.nl and pgp.com.)

horowitz.surfnet.nl is not the "OpenLDAP sort" of keyserver. It's one of the old NAI keyservers. They're sort of LDAP on the front end, but not really. I'm not even sure this is still sold as a product, actually. pgp.com runs two keyservers: one NAI and one OpenLDAP. Bottom line is, they're not the same thing.

> > Your best bet is to subscribe to the pgp-keyserver-folk list at:
> >
> > http://lists.alt.org/mailman/listinfo/pgp-keyserver-folk
>
> That one's still broken. See my first reply for the backup list URL.
> (Don't worry, Thomas just posted the wrong URL too. :)

This is silly. If the lists.alt.org version of the list is broken, is there a reason why not to fix it? And if it isn't going to be fixed, why not just make a new list (or promote the backup) and be done with it rather than have two lists, neither being the One True List?

David

From dshaw at jabberwocky.com Thu Mar 10 14:24:01 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Mar 10 14:20:40 2005
Subject: Trust model: classic or pgp?
In-Reply-To:
References:
Message-ID: <20050310132401.GD18415@jabberwocky.com>

On Thu, Mar 10, 2005 at 01:04:20PM +0100, Marcus Frings wrote:
> Hello,
>
> I have two questions concerning the trust model. The man page says:
>
> ,----[ man gpg ]
> | --trust-model pgp|classic|always
> |     Set what trust model GnuPG should follow. The models are:
> |
> |     pgp      This is the Web of Trust combined with trust signatures
> |              as used in PGP 5.x and later. This is the default
> |              trust model.
> |
> |     classic  This is the standard Web of Trust as used in PGP
> |              2.x and earlier.
> `----
>
> First of all, what is actually the difference between "pgp" and
> "classic"? The first option tells about WOT and trust signatures but the
> latter just mentions the WOT.

That is the difference. The "pgp" trust model is identical to "classic" except that "pgp" supports trust signatures, and "classic" doesn't (it treats them the same as any other signature). I'm not quite sure what you're asking.

> My last question is why
>
> gpg --check-trustdb
>
> results in
>
> gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
>                                                  ^^^^^^^
>
> when "pgp" is supposed to be the default? I cannot remember that I have
> ever changed the trust model. I guess I should switch over to "pgp",
> right?

You probably were using GnuPG 1.2.x or earlier before you upgraded to 1.4. In this case, your trustdb was created as "classic", and so GnuPG 1.4 is just respecting that. If you want to force an upgrade to "pgp", do

  gpg --trust-model pgp --check-trustdb

After that, you can just do --check-trustdb as before, but it'll use the "pgp" trust model calculations.

Incidentally, you can similarly switch from "pgp" to "classic" by doing:

  gpg --trust-model classic --check-trustdb

As to whether you want to do this or not, it's up to you. If you don't use trust signatures, then there is no benefit to using the "pgp" model. No real harm either, though.

David

From jediknight2 at ec.rr.com Thu Mar 10 15:18:01 2005
From: jediknight2 at ec.rr.com (jediknight2)
Date: Thu Mar 10 14:50:22 2005
Subject: Encrypting SubFolders
Message-ID: <4876828.1110464281796.JavaMail.Administrator@atp>

That line works, but it starts encrypting the .gpg then the .gpg.gpg then the .gpg.gpg.gpg :) I can't find any --exclude option that works... I actually had to add a % sign so it reads

For /R c:\temp %%f IN (*) DO gpg --encrypt %%f

FYI, on windows the command would be:

FOR /R c:\temp %f IN (*) DO gpg --encrypt %f

Obviously, you can replace C:\temp with a relative path, UNC, or whatever else you'd like.

I think you need Win98 or newer to have the FOR command available in the command shell.

Regards,
Ryan

> -----Original Message-----
> From: gnupg-users-bounces at gnupg.org
> [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of David T Kerns
> Sent: Wednesday, March 09, 2005 2:14 PM
> To: Atom Smasher
> Cc: gnupg-users at gnupg.org; gnupg-users-bounces at gnupg.org
> Subject: Re: Encrypting SubFolders
>
> I'm new to gpg so not sure if gpg has a recursion flag, but on unix:
>
> gpg --encrypt --multifile `find /thisfolder -type f -print`
>
> should work.
>
> Atom Smasher
> Sent by: gnupg-users-bounces at gnupg.org
> 03/09/2005 02:06 PM
> To: gnupg-users at gnupg.org
> cc:
> Subject: Re: Encrypting SubFolders
>
> > On Tue, 8 Mar 2005, jediknight2 wrote:
> >
> > > Is there a way to encrypt a folder including subfolders?
> > >
> > > I have tried
> > > gpg --encrypt --multifile \thisfolder\*.*
> > > \thisfolder\*
> > >
> > > The first one will hit all the subfolders inside thisfolder, but if those
> > > subfolders have folders then it won't go...
> > >
> > > so it will try thisfolder\subfolder
> > > but it won't catch thisfolder\subfolder\subsubfolder
> > >
> > > Any suggestions
> > ==========================
> >
> > windows or *nix?
> >
> > --
> > ...atom
> >
> > _________________________________________
> > PGP key - http://atom.smasher.org/pgp.txt
> > 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
> > -------------------------------------------------
> >
> > "Somebody has to take governments' place, and business
> > seems to me to be a logical entity to do it."
> > -- David Rockefeller
> > Newsweek International, Feb 1 1999.

From dshaw at jabberwocky.com Thu Mar 10 15:23:59 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Mar 10 15:20:36 2005
Subject: Proxy still not work
In-Reply-To: <422F622F.9050608@web.de>
References: <422F622F.9050608@web.de>
Message-ID: <20050310142359.GH18415@jabberwocky.com>

On Wed, Mar 09, 2005 at 09:53:03PM +0100, Jan-Peter Rühmann wrote:
> Hello.
>
> I've just installed 1.4.1 RC2 but the Connection via Proxy still is
> impossible when will Proxying be functioning?

There have been a few reports of proxy problems in 1.4.0. Can you try something for me? Instead of using:

  keyserver-options honor-http-proxy

try this:

  keyserver-options http-proxy

Let me know if that helps.

David

From dshaw at jabberwocky.com Thu Mar 10 15:52:16 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Mar 10 15:48:50 2005
Subject: Encrypt - but no such user-id
In-Reply-To:
References:
Message-ID: <20050310145216.GI18415@jabberwocky.com>

On Thu, Mar 10, 2005 at 08:16:01AM +0100, ml@charliesangels.biz wrote:
> Hi all,
>
> I have a strange problem.
>
> 1) I do import a Public-Key:
>
> [sascha@localhost tmp]$ gpg --import testkeys
> gpg: WARNUNG: Sensible Daten könnten auf Platte ausgelagert werden.
> gpg: siehe http://www.gnupg.org/faq.html für weitere Informationen
> gpg: key 12345: public key "bla" imported
> gpg: Anzahl insgesamt bearbeiteter Schlüssel: 1
> gpg:               importiert: 1
> gpg: 3 marignal-needed, 1 complete-needed, classic Trust-Modell
> gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
>
> Looks good, right ?
> gpg --list-keys shows the key.
>
> 2) Now I try to sign a file:
> [sascha@localhost tmp]$ gpg -e test
> gpg: WARNUNG: Sensible Daten könnten auf Platte ausgelagert werden.
> gpg: siehe http://www.gnupg.org/faq.html für weitere Informationen
> Sie haben keine User-ID angegeben (Sie können die Option "-r"
> verwenden).
>
> Current recipients:
>
> Geben Sie die User-ID ein. Beenden mit einer leeren Zeile: 12345
> Keine solche User-ID vorhanden.
>
> Current recipients:
>
> Geben Sie die User-ID ein. Beenden mit einer leeren Zeile:
>
> Somehow it seems, that the key is corrupt - but I still don't get it.
> Why does import work - but encryption not ?

Can you switch your language to English and repost the messages you got? I can probably help, but unfortunately I can't read what you posted.

David

From rmalayter at bai.org Thu Mar 10 18:29:16 2005
From: rmalayter at bai.org (Ryan Malayter)
Date: Thu Mar 10 18:26:04 2005
Subject: Encrypting SubFolders
Message-ID: <792DE28E91F6EA42B4663AE761C41C2A03C88361@cliff.bai.org>

Didn't think about that recursion problem. The FOR command can parse the file extensions using the variable modifier "~x". This is described near the bottom of the FOR help screens. You can then use the IF NOT command to see if the file to be encrypted is already a GPG file, like so:

FOR /R c:\temp %f IN (*) DO IF NOT %~xf==gpg gpg --encrypt %f

As you mentioned, you need to replace the % with %% if you're going to use this inside a batch file.

Regards,
Ryan

> -----Original Message-----
> From: gnupg-users-bounces@gnupg.org
> [mailto:gnupg-users-bounces@gnupg.org] On Behalf Of jediknight2
> Sent: Thursday, March 10, 2005 8:18 AM
> To: gnupg-users@gnupg.org
> Subject: Re: Encrypting SubFolders
>
> That line works, but it starts encrypting the .gpg then the
> .gpg.gpg then the .gpg.gpg.gpg :) I can't find any --exclude option that
> works... I actually had to add a % sign so it reads
>
> For /R c:\temp %%f IN (*) DO gpg --encrypt %%f
>
> FYI, on windows the command would be:
>
> FOR /R c:\temp %f IN (*) DO gpg --encrypt %f
>
> Obviously, you can replace C:\temp with a relative path, UNC, or
> whatever else you'd like.
>
> I think you need Win98 or newer to have the FOR command available in the
> command shell.
>
> Regards,
> Ryan

From rmalayter at bai.org Thu Mar 10 18:43:13 2005
From: rmalayter at bai.org (Ryan Malayter)
Date: Thu Mar 10 18:39:44 2005
Subject: Encrypting SubFolders
Message-ID: <792DE28E91F6EA42B4663AE761C41C2A03C88378@cliff.bai.org>

Whoops... Forgot one more thing. You should add the /I operator to the IF command to make sure it does case-insensitive string comparisons, just to be safe. And quotes around the comparison strings make things a bit clearer. So a working command should be very similar to this:

FOR /R c:\temp %f IN (*) DO IF /I NOT "%~xf"==".gpg" gpg --encrypt %f

Regards,
Ryan

From jharris at widomaker.com Thu Mar 10 19:05:00 2005
From: jharris at widomaker.com (Jason Harris)
Date: Thu Mar 10 19:01:09 2005
Subject: keyserver
In-Reply-To: <20050310131754.GC18415@jabberwocky.com>
References: <20050310020713.GB18415@jabberwocky.com> <20050310041355.GO5390@wilma.widomaker.com> <20050310131754.GC18415@jabberwocky.com>
Message-ID: <20050310180500.GP5390@wilma.widomaker.com>

On Thu, Mar 10, 2005 at 08:17:54AM -0500, David Shaw wrote:
> On Wed, Mar 09, 2005 at 11:13:55PM -0500, Jason Harris wrote:

> horowitz.surfnet.nl is not the "OpenLDAP sort" of keyserver. It's one
> of the old NAI keyservers. They're sort of LDAP on the front end, but
> not really. I'm not even sure this is still sold as a product,
> actually. pgp.com runs two keyservers: one NAI and one OpenLDAP.
> Bottom line is, they're not the same thing.

OK.

> > > Your best bet is to subscribe to the pgp-keyserver-folk list at:
> > >
> > > http://lists.alt.org/mailman/listinfo/pgp-keyserver-folk
> >
> > That one's still broken. See my first reply for the backup list URL.
> > (Don't worry, Thomas just posted the wrong URL too. :)
>
> This is silly. If the lists.alt.org version of the list is broken, is
> there a reason why not to fix it? And if it isn't going to be fixed,
> why not just make a new list (or promote the backup) and be done with
> it rather than have two lists, neither being the One True List?

Drew is MIA. I've done all that I am currently willing to do by inviting the entire membership of the first list to subscribe to the second list - once, and only once, in the beginning of 2005-01.

-- 
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004

From adam00f at ducksburg.com Thu Mar 10 19:49:00 2005
From: adam00f at ducksburg.com (Adam Funk)
Date: Thu Mar 10 19:45:04 2005
Subject: How to extend subkey's expiry date?
In-Reply-To:
References:
Message-ID: <200503101849.00666.adam00f@ducksburg.com>

> > $ gpg --edit-key e3c5ee5e
> > ...
> > pub  1024D/E3C5EE5E  created: 2002-02-19  expires: 2007-03-07  usage: CS
> >                      trust: ultimate      validity: ultimate
> > sub  2048g/66796190  created: 2002-02-19  expired: 2005-02-18  usage: E
> > ...
> >
> > I've tried using "expire sub" and "expire 66796190" commands inside
> > edit-key, but I can't change the expiry of the subkey.
>
> "key 1" then "expire" should work.

Is it worthwhile to replace and revoke subkeys periodically, or should I just renew the expiry date?

From dshaw at jabberwocky.com Thu Mar 10 19:54:43 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Mar 10 19:51:16 2005
Subject: How to extend subkey's expiry date?
In-Reply-To: <200503101849.00666.adam00f@ducksburg.com>
References: <200503101849.00666.adam00f@ducksburg.com>
Message-ID: <20050310185443.GC20245@jabberwocky.com>

On Thu, Mar 10, 2005 at 06:49:00PM +0000, Adam Funk wrote:
> > > $ gpg --edit-key e3c5ee5e
> > > ...
> > > pub  1024D/E3C5EE5E  created: 2002-02-19  expires: 2007-03-07  usage: CS
> > >                      trust: ultimate      validity: ultimate
> > > sub  2048g/66796190  created: 2002-02-19  expired: 2005-02-18  usage: E
> > > ...
> > >
> > > I've tried using "expire sub" and "expire 66796190" commands inside
> > > edit-key, but I can't change the expiry of the subkey.
> >
> > "key 1" then "expire" should work.
>
> Is it worthwhile to replace and revoke subkeys periodically, or should I
> just renew the expiry date?

It's somewhat a matter of personal taste, but in general, it's a good idea. The ability to replace subkeys periodically is one of the reasons for subkeys.

David

From linux at codehelp.co.uk Thu Mar 10 20:57:48 2005
From: linux at codehelp.co.uk (Neil Williams)
Date: Thu Mar 10 20:53:49 2005
Subject: Encrypt - but no such user-id
In-Reply-To:
References:
Message-ID: <200503101957.52725.linux@codehelp.co.uk>

On Thursday 10 March 2005 7:16 am, ml@charliesangels.biz wrote:
> gpg --list-keys shows the key.
>
> 2) Now I try to sign a file:

No, now you are trying to encrypt a file. To sign a file, use gpg -b or gpg -s

I generally use -a as well to make it a text signature that can be easier to inspect, and as I'm usually signing files for distribution, I use a detached signature that doesn't alter the file itself.

gpg -ab

> [sascha@localhost tmp]$ gpg -e test

Who are you encrypting TO? gpg could use any key in the keyring to encrypt the content; you need to tell gpg who is the intended recipient. Who should be able to read this message? gpg cannot assume it was the most recently imported key; you need to tell gpg that you want the message encrypted TO a particular person.

gpg -r myfriend -e test
gpg -r 0x28bcb3e3 -e test

etc.

> gpg: WARNUNG: Sensible Daten könnten auf Platte ausgelagert werden.
> gpg: siehe http://www.gnupg.org/faq.html für weitere Informationen
> Sie haben keine User-ID angegeben (Sie können die Option "-r"

You have not given a User ID, use the option -r.

gpg is telling you what you need to do. Tell gpg who is meant to read this encrypted text.

> Current recipients:
>
> Geben Sie die User-ID ein. Beenden mit einer leeren Zeile: 12345
> Keine solche User-ID vorhanden.

Provide a User ID of someone who should be able to decrypt the item. If that is only you, then you can use the default-recipient option in gpg.conf.

  default-recipient name
      Use name as default recipient if option --recipient is not used and
      don't ask if this is a valid one.

> Somehow it seems, that the key is corrupt - but I still don't get it.
> Why does import work - but encryption not ?

Because you haven't said who should be allowed to decrypt it.

-- 
Neil Williams
=============
http://www.dcglug.org.uk/
http://www.nosoftwarepatents.com/
http://sourceforge.net/projects/isbnsearch/
http://www.neil.williamsleesmill.me.uk/
http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3

From dougb at dougbarton.net Fri Mar 11 03:16:15 2005
From: dougb at dougbarton.net (Doug Barton)
Date: Fri Mar 11 03:49:47 2005
Subject: Preventing temporary files?
In-Reply-To: <87acpbrdyd.fsf@wheatstone.g10code.de>
References: <20050310005246.14389.qmail@smasher.org> <20050310020442.GA18415@jabberwocky.com> <971af2fdcb48ddd5b26ad66554212dfa@earthlink.net> <87acpbrdyd.fsf@wheatstone.g10code.de>
Message-ID: <4230FF6F.7060209@dougbarton.net>

Werner Koch wrote:
> On Wed, 9 Mar 2005 21:14:40 -0700, Joseph Bruni said:
>
>> themselves such as that provided by flock() for the BSD unixes and
>> lockf() for the SVR4 unixes? Was this for portability reasons?
>
> Yes, this is a portability issue. A lock file is the only way to take
> a lock in a portable way independent of the file system. In general it
> also works with remotely mounted file systems accessed by different
> types of OSes.

In my past life as a systems programmer in a Unix environment I did a lot of research on this for a project I had that needed to run across a variety of systems, including NFS mounts where the status of the system locking was unknown. It turned out that the most effective way to handle this was actually to create a lock directory rather than a lock file. The main reason this was a better solution is that (as I understand it) directory creation is specified by POSIX to be an atomic operation, and therefore isn't susceptible to race or locking issues in the same way that file creation is. (Note, nothing was put in the directories; their successful creation was the threshold operation for locking.)

I'm not suggesting here that gnupg change anything, I just wanted to point this issue out in case at some point down the road a solution is necessary for weird issues that file based locking doesn't solve.

Hope this helps,

Doug

-- 
If you're never wrong, you're not trying hard enough

From hhhobbit7 at netscape.net Fri Mar 11 10:18:25 2005
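Werner's lock-file reasoning and Doug's lock-directory variant in the thread above, as an added example in POSIX sh that is neither GnuPG's code nor anything either poster wrote: mkdir either creates the directory or fails with EEXIST, so two processes racing for the same lock cannot both succeed, and no file-system locking support (flock, lockf) is involved. It departs from Doug's design in one respect, which is an assumption of this example: a pid file is written inside the directory so that a lock left behind by a crashed process can be recognised; the mkdir itself remains the only step that decides who holds the lock. The lock path and the pid file name are this example's own conventions.

```shell
#!/bin/sh
# Added example (not GnuPG's code, not from the thread): a lock taken by
# creating a directory, released by removing it again.

# Take the lock at $1. Returns 0 if this process now holds it, 1 if the
# directory already existed, i.e. someone else holds it.
lock_acquire() {
    if mkdir "$1" 2>/dev/null; then
        # Record the owner so a later caller can tell a crashed holder from
        # a live one. If the record cannot be written, give the lock back
        # rather than leave a half-initialised lock behind.
        printf '%s\n' "$$" > "$1/pid" || { rmdir "$1"; return 1; }
        return 0
    fi
    return 1
}

# Give the lock at $1 back. Only the pid file and the then-empty directory
# are removed; anything else left in there makes rmdir fail loudly instead
# of silently destroying state that is not ours.
lock_release() {
    rm -f "$1/pid" && rmdir "$1"
}

# Is the lock at $1 held by a process that no longer exists? Returns 0 if
# stale, 1 if absent, still being set up (no pid yet), or held by a live
# process. Caveat: a PID only means something on the host that took the
# lock, so on a shared network mount "stale" needs an out-of-band decision.
lock_is_stale() {
    [ -d "$1" ] || return 1
    owner=$(cat "$1/pid" 2>/dev/null) || return 1
    [ -n "$owner" ] || return 1
    kill -0 "$owner" 2>/dev/null && return 1
    return 0
}

# Run a command while holding the lock at $1, releasing it afterwards and
# on INT/TERM, so an interrupted job does not leave the lock behind.
with_lock() {
    _lock=$1
    shift
    lock_acquire "$_lock" || return 1
    trap 'lock_release "$_lock"; exit 130' INT TERM
    "$@"
    _rc=$?
    trap - INT TERM
    lock_release "$_lock"
    return $_rc
}
```

with_lock "$HOME/.gnupg/example.lock" some-command is the intended shape of a call; the stale check is deliberately a separate query rather than something lock_acquire does on its own, because automatically breaking a lock is exactly the step that must not be taken on a mount where the PID is meaningless.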
From: hhhobbit7 at netscape.net (Henry Hertz Hobbit)
Date: Fri Mar 11 10:48:34 2005
Subject: Current Zimmerman
Message-ID: <4448B614.76395BA5.0307202B@netscape.net>

ALL:

Does anybody know the most up to date URL pages on where Phil Zimmerman
is and what he is doing? Evidently, everything I am trying is the wrong
way to go about it in search engines. I did see the page where he
embedded his phone number in the text, and wondered if that one is the
most current one (which alas, I did not bookmark).

HHH

-- 
Key Name: "Henry Hertz Hobbit"
pub   1024D/1CC23BC0 2005-03-08 [expires: 2006-03-08]
      Key fingerprint = 9CD0 839E 79C9 5E20 B97A 15A6 9AB7 484D 1CC2 3BC0

__________________________________________________________________
Switch to Netscape Internet Service.
As low as $9.95 a month -- Sign up today at http://isp.netscape.com/register

Netscape. Just the Net You Need.

New! Netscape Toolbar for Internet Explorer
Search from anywhere on the Web and block those annoying pop-ups.
Download now at http://channels.netscape.com/ns/search/install.jsp

From xwck at oreka.com Thu Mar 10 20:36:56 2005
From: xwck at oreka.com (Alain Bench)
Date: Fri Mar 11 12:00:41 2005
Subject: GnuPG 1.4.0a for Windows
In-Reply-To:
References: <42286F16.30967.6920518@rkdvmks1.ngate.uni-regensburg.de>
Message-ID: <20050310193656.GA23720@oreka.com>

Hello Walter,

On Wednesday, March 9, 2005 at 9:24:53 PM +0100, Walter Koch wrote:

[on CP850 console]
>> Key verf?llt am 03/11/05 14:04:48 Westeurop?ische Normalzeit

> "Westeurop?ische Normalzeit" does not come from the gnupg translation,
> but from Sir Windows himself.

Windows outputs the timezone name in the current locale charset, as set
by setlocale(). GnuPG doesn't call setlocale() on Win32. The default
locale on German Windows is "German_Germany.1252", with a CP-1252
charset. CP-1252 output on CP-850 terminal gives the wrong õ tilde. A
call to setlocale(LC_ALL, ".850") gives correct ä umlaut. Beware it also
localizes "03/11/05 14:04:48" according to regional options of the
control panel: "11.03.2005 14:04:48".

Bye!   Alain.
-- 
When you want to reply to a mailing list, please avoid doing so with
Lotus Notes 5. This lacks necessary references and breaks threads.

From bludnok at gmail.com Fri Mar 11 11:05:12 2005
From: bludnok at gmail.com (Maj. Dennis Bludnok, Ret.)
Date: Fri Mar 11 12:01:45 2005
Subject: Help with version 1.4.0a for Windows
In-Reply-To: <42310888.38454db6.183c.ffffdba5SMTPIN_ADDED@mx.gmail.com>
References: <42310888.38454db6.183c.ffffdba5SMTPIN_ADDED@mx.gmail.com>
Message-ID: <1d9bcc8205031102051faac7f@mail.gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello everyone,

I recently downloaded gnupg via link from www.pgpi.org. I ended up with
v1.2.2. As soon as I checked the gnupg.org site I realised a newer
version was available and installed that. It seems to work except that
when I do "gpg --version" I get an error message above the version info
relating to a file called "iconv.dll" which is not mentioned anywhere on
the site that I can find, nor is it one of the files in the
distribution. Do I need this file to run gnupg on WinXP?

As you can see from the signature, I'm going to continue using v 1.2.2
for now. Will this leave me open to any attacks or bugs?

Thanks for your time,

bludnok
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (MingW32)

iD8DBQFCMW1KzEdcVY/LPHIRAnWpAJ0dhrY4jUTFNwyX903aIthO4eg2vwCcCvo1
tfGpiKql6dlcgpmgzqsrfbc=
=9Mq4
-----END PGP SIGNATURE-----

From wk at gnupg.org Fri Mar 11 13:34:34 2005
From: wk at gnupg.org (Werner Koch)
Date: Fri Mar 11 13:31:11 2005
Subject: Preventing temporary files?
In-Reply-To: <4230FF6F.7060209@dougbarton.net> (Doug Barton's message of "Thu, 10 Mar 2005 20:16:15 -0600")
References: <20050310005246.14389.qmail@smasher.org> <20050310020442.GA18415@jabberwocky.com> <971af2fdcb48ddd5b26ad66554212dfa@earthlink.net> <87acpbrdyd.fsf@wheatstone.g10code.de> <4230FF6F.7060209@dougbarton.net>
Message-ID: <87zmxafjj9.fsf@wheatstone.g10code.de>

On Thu, 10 Mar 2005 20:16:15 -0600, Doug Barton said:

> lock file. The main reason this was a better solution is that (as I
> understand it) directory creation is specified by POSIX to be an
> atomic operation, and therefore isn't susceptible to race or locking

NFS does not try to optimize directory creation as it seems to do with
the (atomic) link call. If someone has real problems (i.e. data
corruption) with the current approach we may start to think about using
mkdir for locking. Eventually we will use a dedicated process to access
the keyring and thus avoid the need for locking at all.

Shalom-Salam,

   Werner

From wk at gnupg.org Fri Mar 11 13:35:48 2005
From: wk at gnupg.org (Werner Koch)
Date: Fri Mar 11 13:36:09 2005
Subject: Help with version 1.4.0a for Windows
In-Reply-To: <1d9bcc8205031102051faac7f@mail.gmail.com> (Maj. Dennis Bludnok's message of "Fri, 11 Mar 2005 10:05:12 +0000")
References: <42310888.38454db6.183c.ffffdba5SMTPIN_ADDED@mx.gmail.com> <1d9bcc8205031102051faac7f@mail.gmail.com>
Message-ID: <87vf7yfjh7.fsf@wheatstone.g10code.de>

On Fri, 11 Mar 2005 10:05:12 +0000, Maj Dennis Bludnok, Ret said:

> get an error message above the version info relating to
> a file called "iconv.dll" which is not mentioned anywhere
> on the site that I can find, nor is it one of the files in

The README file tells you about it. Or well, get

  ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-1.4.1rc2.exe

which includes iconv.dll.

Salam-Shalom,

   Werner

From hmujtaba at forumsys.com Fri Mar 11 19:35:30 2005
From: hmujtaba at forumsys.com (Hasnain Mujtaba)
Date: Fri Mar 11 19:32:09 2005
Subject: checking created signature failed: bad signature
Message-ID:

Hi everyone,

I am using GPG 124 to sign a file using the keypair below. I got the
strange error below, which I have never seen before. Exactly what kind
of check is GPG performing on the created signature? The passphrase for
the keypair is TestingPassphrase.

Regards,
Hasnain.

gpg --sign -u Bob file1024

You need a passphrase to unlock the secret key for
user: "Bob C. Omplex "
1024-bit RSA key, ID 8F79C1B7, created 2005-03-08 (main key ID 4CFAD743)

gpg: checking created signature failed: bad signature
gpg: signing failed: bad signature
gpg: signing failed: bad signature

From bludnok at gmail.com Sat Mar 12 10:07:52 2005
From: bludnok at gmail.com (Maj. Dennis Bludnok, Ret.)
Date: Sat Mar 12 10:04:43 2005
Subject: Help with version 1.4.0a for Windows
In-Reply-To: <87vf7yfjh7.fsf@wheatstone.g10code.de>
References: <42310888.38454db6.183c.ffffdba5SMTPIN_ADDED@mx.gmail.com> <1d9bcc8205031102051faac7f@mail.gmail.com> <87vf7yfjh7.fsf@wheatstone.g10code.de>
Message-ID: <1d9bcc82050312010761ec0c20@mail.gmail.com>

Unfortunately, when I try that URL I get the following error message:

550 directory change failed; directory does not exist.

When I go to plain ftp://ftp.gnupg.org I can see that there is no
"gcrypt" subfolder.

~bludnok

On Fri, 11 Mar 2005 13:35:48 +0100, Werner Koch wrote:
> On Fri, 11 Mar 2005 10:05:12 +0000, Maj Dennis Bludnok, Ret said:
>
>> get an error message above the version info relating to
>> a file called "iconv.dll" which is not mentioned anywhere
>> on the site that I can find, nor is it one of the files in
>
> The README file tells you about it. Or well, get
>
>   ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-1.4.1rc2.exe
>
> which includes iconv.dll.
>
> Salam-Shalom,
>
>    Werner
>

-- 
GPG Key ID: 0x8FCB3C72
Fingerprint: E8BB 887C CC19 5E39 10E6 14BF CC47 5C55 8FCB 3C72

From mreese at calarts.edu Sat Mar 12 18:26:18 2005
From: mreese at calarts.edu (Melissa Reese)
Date: Sat Mar 12 18:23:08 2005
Subject: Current Zimmerman
In-Reply-To: <4448B614.76395BA5.0307202B@netscape.net>
References: <4448B614.76395BA5.0307202B@netscape.net>
Message-ID: <405264392.20050312092618@calarts.edu>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Hi Henry,

On Friday, March 11, 2005, at 1:18:25 AM PST, you wrote:

> Does anybody know the most up to date URL pages on where Phil
> Zimmerman is and what he is doing? Evidently, everything I am trying
> is the wrong way to go about it in search engines.

First, unless your spelling of "Zimmerman" above was just a one time
typo, you might have better luck in searching if you spell his last
name with two "n"s on the end: "Zimmermann"

It's not much so far, but here's an article from January of this year
that mentions a few things he said about a flaw in MS Word:

http://www.pcworld.com/news/article/0,aid,119483,00.asp

> I did see the page where he embedded his phone number in the text,
> and wondered if that one is the most current one (which alas, I did
> not bookmark).

You might try sending him an email if you really need to get in touch
with him. I've done this in the past when I've had questions to ask
him, and he was always very prompt with his replies.
As long as it's still a valid email address for him, click on the link
to his email address on the "How to contact" page of his site (it is
displayed on the page in anti-spam form, but clicking on the link
should open up your email client editor with the correct address
already in the "To" field):

http://www.philzimmermann.com/EN/contact/index.html

- -- 
Melissa
PGP public keys: http://www.freewebs.com/qajaq/

-----BEGIN PGP SIGNATURE-----

iQCVAwUBQjMmLqcKCSqXMHPPAQMtNAQAhkr98FasHw02pCfdqUG39PXwRfovse9K
AmeLDYY6iciNBMsm7rCSR3ysRdT6udMyx/vdVRPCpUKKBAnK3QCKW8gTDu1j+AfR
QwH/GO6v3AWDeDTP5lRg7og0gyC691VfmYIH98TztwVMHWr6ndhmnHw+ZvQctOt9
8JB8KevX6aM=
=3r3J
-----END PGP SIGNATURE-----

From finalcut at videotron.ca Sun Mar 13 00:04:20 2005
From: finalcut at videotron.ca (The Final Cut)
Date: Sun Mar 13 00:01:02 2005
Subject: Help with version 1.4.0a for Windows
In-Reply-To: <1d9bcc82050312010761ec0c20@mail.gmail.com>
References: <42310888.38454db6.183c.ffffdba5SMTPIN_ADDED@mx.gmail.com> <1d9bcc8205031102051faac7f@mail.gmail.com> <87vf7yfjh7.fsf@wheatstone.g10code.de> <1d9bcc82050312010761ec0c20@mail.gmail.com>
Message-ID: <1308636458.20050312180420@videotron.ca>

Hello gnupg-users@gnupg.org

On Saturday, March 12, 2005, at 4:07:52 AM You wrote:

MDBR> Unfortunately, when I try that URL I get the
MDBR> following error message:
MDBR> 550 directory change failed; directory does not exist.
MDBR> When I go to plain ftp://ftp.gnupg.org I can see that there is no
MDBR> "gcrypt" subfolder.
MDBR> ~bludnok

there must be something bad with your browser or whatever ftp client
you use because this gcrypt is really there

ftp://ftp.gnupg.org/gcrypt/alpha/binary

-- 
The FinalCut
TheBat 3.0.2.10
key: http://finalcut.ca/finalcut.asc

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 247 bytes
Desc: not available
Url : /pipermail/attachments/20050312/195e060e/attachment-0001.pgp

From johanw at vulcan.xs4all.nl Sun Mar 13 15:17:01 2005
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Sun Mar 13 15:16:56 2005
Subject: Other hashes with DSA keys
Message-ID: <200503131417.PAA03991@vulcan.xs4all.nl>

Hello,

Now that PGP 9 beta seems to have extended the standard to allow non-160
bit hashes to be used with DSA keys, isn't it time for GnuPG to do the
same, especially after the recent attacks on SHA-1? I know it's against
the standard, but the expansion of the standard is pretty
straightforward and not due to interpretation problems. After all, the
official standard is often a reflection of the behaviour of specific
programs anyway.

And while this is being processed, Tiger might be re-included too, since
the arguments against its 192 bits size are then no longer relevant.

-- 
ir. J.C.A. Wevers         //  Physics and science fiction site:
johanw@vulcan.xs4all.nl   //  http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From bludnok at gmail.com Mon Mar 14 10:53:53 2005
From: bludnok at gmail.com (Maj. Dennis Bludnok, Ret.)
Date: Mon Mar 14 10:50:24 2005
Subject: Differences between 1.2.2 and 1.4.1rc2. was: Help with v1.4.0.
In-Reply-To: <423375e9.371cf532.03ca.51d4SMTPIN_ADDED@mx.gmail.com>
References: <423375e9.371cf532.03ca.51d4SMTPIN_ADDED@mx.gmail.com>
Message-ID: <1d9bcc820503140153f5fbfe@mail.gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks for the help so far everyone. I've been able to download the new
version from a different network. I think the firewall at my office
doesn't like FTP sites.

My other question was: Is the old version I have at the moment
vulnerable to any attacks or bugs that were fixed in the new version,
or will the upgrade just provide more functionality?

Cheers,

~Bludnok
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (MingW32)

iD8DBQFCNV7FzEdcVY/LPHIRAongAJ0XqBBBn7L/B82lazM7/pwP9pR7jQCeIKm4
AZmIQaVAY4jzI8rhWdFqAWk=
=CXn9
-----END PGP SIGNATURE-----

-- 
GPG Key ID: 0x8FCB3C72
Fingerprint: E8BB 887C CC19 5E39 10E6 14BF CC47 5C55 8FCB 3C72

From talmage at zero.ad.jp Mon Mar 14 11:19:43 2005
From: talmage at zero.ad.jp (Kory T)
Date: Mon Mar 14 11:11:43 2005
Subject: GnuPG + Smartcard
In-Reply-To: <200503140808.j2E88ZtS020870@perelaz.lviv.farlep.net>
References: <200503140808.j2E88ZtS020870@perelaz.lviv.farlep.net>
Message-ID:

Thanks for the help Robert. That HOWTO was very helpful. I hope more
documentation like this will pop up on the net. It's been really hard to
find info on the OpenPGP card implementation.

I've been searching around the net for an answer to whether it's
possible to use large keys on smartcards with GPG (2048+). Anyone on the
list know whether it's possible to import off-card generated keys into
OpenPGP Card which are larger than 1024bits? I now know that the card is
only capable of 'generating' 1024bit keys on the card, but there should
be enough space to store off-card generated 1024bit+ keys?

Kory T

On Mar 14, 2005, at 5:07 PM, Robert Golovniov wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> Hello Kory,
>
> I've seen your posting at the gnupg-users mailing list, and since no
> one responded to you yet, I decided to try to answer your question.
>
> I am not sure whether GnuPG at this stage supports other cards than
> OpenPGP card. But for this card you may find some points mentioned
> below quite helpful:
>
> The GnuPG Smartcard HOWTO
> Written by Werner Koch
> v0.0, 2004-09-21
>
> Table of Contents
>
> XXXX
>
> N. Introduction
>
> GnuPG supports smartcards since version 1.3.3. The next generation
> of GnuPG, version 1.9.x also supports this card. Cards must comply
> with the OpenPGP card specification version 1.0 available at
> http://g10code.com/docs/openpgp-card-1.0.pdf .
>
> N. Installation
>
> Since version 1.3.90, GnuPG will be built by default with support for
> smartcards. A configure time option may be used to exclude this
> support.
> To support all available methods of accessing a card
> reader, the library libusb available at
>
>   http://prdownloads.sourceforge.net/libusb/
>
> should be installed prior to building GnuPG. On Debian GNU/Linux
> systems a mere
>
>   apt-get install libusb-dev
>
> should be sufficient. Note, that the, at this time unreleased,
> development version of this library is not supported. Then do the
> usual ./configure and make as described in the GnuPG installation.
> If you are using the 1.9 branch of GnuPG and plan to use the PC/SC
> driver (see below) you should now install the software so that the
> pcsc wrapper binary will be available at the right place.
>
> N. Hardware
>
> Obviously you need an OpenPGP smartcard. To plug this card into your
> computer you will also need a card reader. Such readers are not yet
> installed on most computers but they are available at some computer
> stores. The quite usual readers used for flash memory are not what
> we want.
>
> Here is a list of readers we have tested and know that they work:
>
> * SCM Microsystems SCR335
>
>   This is a small USB reader sized 65*45*8mm and also very suitable
>   for use with laptops. This is a CCID (Chip Card Interface
>   Device; USB device class 11) reader and GnuPG comes with direct
>   support for it.
>
> * SCM Microsystems SPR532
>
>   This is a USB/serial reader equipped with a numerical keypad and 3
>   extra buttons. The pinpad may be used to securely enter the
>   PIN. This device may be used as a serial reader or as a USB
>   CCID reader. We have however only tested the USB interface.
>
> * Towitoko Chipdrive micro
>
>   This one comes in 2 flavours: Serial and USB, both are very
>   similar and of the same size 65*45*8mm. AFAIK, these readers are
>   not manufactured anymore and have been replaced by the SCR335.
> * Omnikey Cardman 2020
>
> * Omnikey Cardman 2010
>
> From my experience the SCM readers work best and are a lot faster
> than the other readers, because they are able to transfer data at up
> to 115200 kb/s which is the highest possible rate supported by
> smartcards.
>
> N. Drivers
>
> Although they are called drivers, the drivers for smartcard readers
> are more a library to translate the proprietary reader protocol to a
> standard protocol. Drivers used to be connected to the serial port
> and as such utilize the actual serial driver of the OS. Most USB
> readers available today still behave like serial readers, just
> connected through USB. When using the Linux kernel you often need the
> pl2303 module to access this one. Modern readers support the CCID
> specification and are native USB devices; GnuPG directly supports
> these.
>
> There are 3 standard protocols used to access a reader from an
> application and an appendant "driver" to translate the protocol.
>
> N.1 CTAPI Driver
>
> This is the old and simple API (Chip Terminal API) used since the
> beginning of chipcards. To make use of it, you need an appropriate
> CTAPI driver which comes in form of a shared library. To enable it
> you need to give an option to gpg; either on the command line (prefix
> it with 2 dashes) or in the configuration file gpg.conf. For
> example to use the CTAPI driver for the Towitoko readers you may put
>
>   ctapi-driver /usr/lib/libtowitoko.so.2
>
> into ~/.gnupg/gpg.conf. This will try to use the reader at the
> first serial port. To select a reader on a specific port, you need
> to use the option reader-port. For example to use the reader at
> /dev/ttyS2 you add this to your gpg.conf:
>
>   reader-port 2
>
> How the reader port is actually specified depends on the type of
> reader and the "driver". For example you may use the libtowitoko
> also for the USB version of the driver in which case you use
>
>   reader-port 32768
>
> to select the first USB attached reader.
> N.2 PC/SC Driver
>
> FIXME: Tell about pcsclite, that there is a CCID driver too, that
> there are sometimes problems with it. pcsc-wrapper.
>
> N.3 CCID Driver
>
> This driver is built into gpg if it has been built with LIBUSB
> support. The driver will be used by default if the option
> --disable-ccid has not been given.
>
> To use the driver you must probably set up your system. In
> particular make sure that you have sufficient permissions to access
> the USB devices for read and write. This setup depends on the
> system you are using:
>
> N.3.1 GNU/Linux
>
> The USB stack is here accessed by means of libUSB through the
> special usbfs. Thus make sure that this file system has been
> mounted; the suggested way of doing so is by using the following
> line in /etc/fstab:
>
>   none /proc/bus/usb usbfs default 0 0
>
> To get the permission right you may use the lazy way of mounting
> the USB filesystem under your uid. For example if your userID is
> 1000, you may use this line in /etc/fstab
>
>   none /proc/bus/usb usbfs default,devuid=1000 0 0
>
> After mounting this file system (using "mount /proc/bus/usb") all
> files below /proc/bus/usb are owned by you. You may instead use
> devgid to allow access by a group. There is however a major
> security problem with this approach: The owner of the files has full
> permissions to all connected USB devices no matter what type of
> device. Thus it is strongly suggested to use the following method
> instead.
>
> If your system comes with hotplug support you may assign permissions
> on a per-device basis. Here we want to give permissions to all CCID
> devices to the user in the group "scard". You need to create the
> following 2 files.
> A mapping file to select what script to run for which device:
>
> === /etc/hotplug/usb/gnupg-ccid.usermap ===
> # The entries below are used to detect CCID devices and run a script
> #
> # USB_MATCH_VENDOR        0x0001
> # USB_MATCH_PRODUCT       0x0002
> # USB_MATCH_DEV_LO        0x0004
> # USB_MATCH_DEV_HI        0x0008
> # USB_MATCH_DEV_CLASS     0x0010
> # USB_MATCH_DEV_SUBCLASS  0x0020
> # USB_MATCH_DEV_PROTOCOL  0x0040
> # USB_MATCH_INT_CLASS     0x0080
> # USB_MATCH_INT_SUBCLASS  0x0100
> # USB_MATCH_INT_PROTOCOL  0x0200
> #
> # script match_flags idVendor idProduct bcdDevice_lo bcdDevice_hi
> #        bDeviceClass bDeviceSubClass bDeviceProtocol
> #        bInterfaceClass bInterfaceSubClass bInterfaceProtocol driver_info
> #
> #          flags  V      P      Bcd C S Prot Clas Sub  Prot Info
> #
> # Generic CCID device
> gnupg-ccid 0x0080 0x0    0x0    0 0 0 0 0x00 0x0B 0x00 0x00 0x00000000
> # SPR532 is CCID but without the proper CCID class
> gnupg-ccid 0x0003 0x04e6 0xe003 0 0 0 0 0x00 0x0B 0x00 0x00 0x00000000
> =======
>
> This file states that the script "gnupg-ccid" should be run if a
> device matching the parameters comes available by plugging it into
> the USB. The script to actually assign the permissions is:
>
> === /etc/hotplug/usb/gnupg-ccid ===
> #!/bin/sh
> # This script changes the permissions and ownership of a USB device
> # under /proc/bus/usb to grant access to this device to users in the
> # "scard" group.
> #
> # Arguments :
> # -----------
> # ACTION=[add|remove]
> # DEVICE=/proc/bus/usb/BBB/DDD
> # TYPE=usb
> #
> # latest hotplug doesn't set DEVICE on 2.6.x kernels
> if [ -z "$DEVICE" ] ; then
>     IF=`echo $DEVPATH | sed 's/\(bus\/usb\/devices\/\)\(.*\)-\(.*\)/\2/'`
>     DEV=`echo $DEVPATH | sed 's/\(bus\/usb\/devices\/\)\(.*\)-\(.*\)/\3/'`
>     DEV=`expr $DEV + 1`
>     DEVICE=`printf '/proc/bus/usb/%.03d/%.03d' $IF $DEV`
> fi
>
> if [ "$ACTION" = "add" -a "$TYPE" = "usb" ]; then
>     chgrp scard "$DEVICE"
>     chmod g=rw "$DEVICE"
> fi
> ======
>
> Don't forget to "chmod +x" this script.
>
> N. Features of the OpenPGP card
>
> FIXME: list feature and explain why "only 1024 bit RSA and why not
> DSA etc.
>
> N. Looking at a card
>
> The first thing you should do is to have a look at the card and by
> this also check whether your setup works. Put your OpenPGP card
> into the reader and run
>
>   gpg --card-status
>
> For an empty card you should see an output similar to:
>
>   gpg: detected reader `Towitoko Chipdrive USB 00 00'
>   Application ID ...: D2760001240101000001000000CB0000
>   Version ..........: 1.0
>   Manufacturer .....: PPC Card Systems
>   Serial number ....: 000000CB
>   Name of cardholder: [not set]
>   Language prefs ...: de
>   Sex ..............: unspecified
>   URL of public key : [not set]
>   Login data .......: [not set]
>   Signature PIN ....: forced
>   Max. PIN lengths .: 254 254 254
>   PIN retry counter : 3 3 3
>   Signature counter : 0
>   Signature key ....: [none]
>   Encryption key....: [none]
>   Authentication key: [none]
>   General key info..: [none]
>
> The first line is actually printed to stderr and telling you the
> reader used. It depends on the reader and the driver.
>
> The other information is the standard output for the cards I am
> using. Depending on the manufacturer different default values might
> be shown and obviously the combination of manufacturer and serial
> number is unique. The serial number is used by gpg to associate a
> key with a physical card so that it may prompt you to insert the
> right card into the reader. With the forthcoming revision 1.1 of the
> OpenPGP card spec you might notice a few other lines in the output.
>
> The max. PIN lengths as shown above are unchangeable constants put
> into the card during personalization (i.e. right after the chip has
> been glued to the card body). Same goes for the PIN retry counters
> which are commonly set to 3 as experience has shown that this is a
> suitable value.
> These retry counters are decremented for each wrong
> PIN presented to the card and reset to the default of 3 if a correct
> PIN has been presented. The first and second counter are for the
> standard PIN and gpg makes sure that they are synchronized (the
> second PIN is only required due to ISO-7816 standard peculiarities).
> The third value reflects the retry counter for the Admin PIN.
>
> The value of the signature counter is 0 indicating that no signature
> has yet been done using the Signature Key. In fact there is no key
> currently stored on the card. This counter is incremented with each
> signature and only reset to 0 if a new Signature Key has been
> created or imported to the card.
>
> If you run the card-status command on an initialized card you will
> see data put by the owner onto the card:
>
>   Application ID ...: D2760001240101000001000000290000
>   Version ..........: 1.0
>   Manufacturer .....: PPC Card Systems
>   Serial number ....: 00000029
>   Name of cardholder: Archibald Goodwin
>   Language prefs ...: de
>   Sex ..............: unspecified
>   URL of public key : [not set]
>   Login data .......: archi
>   Signature PIN ....: forced
>   Max. PIN lengths .: 254 254 254
>   PIN retry counter : 3 3 3
>   Signature counter : 6
>   Signature key ....: AB6E 49C1 2834 1F3C CE57 A8CD DF98 07BC E702 A550
>   Encryption key....: 7BC2 FC86 8599 FD03 6E33 4EB5 D45E AE41 E370 D3DC
>   Authentication key: 5B81 A544 068F E66A 464C FB04 4754 3878 B64A 8ABB
>   General key info..: pub 1024R/E702A550 2004-04-28 Archibald Goodwin (test)
>
> Here the name of the card holder has been set as well as language
> preferences. These are standard data objects for chip cards and
> usually used by terminals to display a name and a message in a
> friendly way. gpg does not make use of these fields but allows to
> set them.
>
> A special data object of the OpenPGP card is the Login Data which
> may be used to store the account name of the card holder. The GnuPG
> convention is to use the data up to an optional line feed character
> for the account name. This account name may be used for login
> purposes. gpg does not enforce any match of this name with a name
> used in the key. See the source (app-openpgp.c) for some special
> features of the login-name field.
>
> The signature counter has been bumped up to 6 which indicates under
> the current gpg implementation that the key stored on the card
> has not been used. While creating the key the card has been asked
> to do 6 signing operations: 1 self-signature to bind the name to the
> primary key and 2 key-binding signatures. This has then been
> repeated for the secret key part.
>
> 3 keys have been created or imported to the card. Their
> corresponding OpenPGP fingerprints are shown: The signature key is
> commonly used as the primary OpenPGP key, the encryption key as a
> subkey and the authentication key is not used by GPG but by other
> tools like ssh or PAM modules for authentication services. These
> fingerprints are stored on the card in special DOs to link the key
> with a public key stored in the usual public keyring. When
> using cards implementing the 1.1 version of the OpenPGP card
> specification, the creation date of the keys will also be shown. If
> this corresponding public OpenPGP key is available, the primary user
> ID is shown at the last line.
>
> N. Initializing a new card
>
> Here is the standard way on how to prepare a new card for use.
> Assuming that the reader works and the card can be accessed (see
> above, command "gpg --card-status"), you should enter
>
>   gpg --card-edit
>
> The basic information of the card will be shown (this is the same
> output as with "gpg --card-status") followed by a prompt. You may
> now enter the command "help" to see a list of available commands.
> However these commands are not very useful now as they don't allow
> to change any data on the card. You need to get into the Admin mode
> to do this.
> So go ahead and enter "admin". Now the "help" command
> will show you more commands at your disposal.
>
> The first thing we want to store on the card is the name of the card
> owner. This is technically not required but useful to identify the
> card if you are using more than one card. Enter "name" and follow
> the prompts. You will be asked for surname and given name
> separately because the name is stored in an ISO specified format
> which allows to distinguish between the name parts (that is the
> same format as used in the machine readable part of passports). gpg
> currently does only allow plain ASCII characters for this field.
> After entering the data you will be asked for a PIN to unlock the
> card. When being asked for a PIN look carefully at the prompt: It
> may either be the "PIN" or the "Admin PIN", both are different and
> in particular entering a wrong "Admin PIN" is dangerous. Okay, here
> you will be asked for the "Admin PIN" and - being a fresh card - you
> should enter the default value for the Admin PIN: "12345678" (without
> the quotes of course). The Admin PIN is usually cached and in
> general it is not required to enter it again unless you have removed
> the card. See below under "PIN Management" for more details. Having
> done all this the name should be stored on the card; check it using
> the "list" or "l" command.
>
> Now you might want to tell the card what language you prefer
> ("lang") or whether a terminal should address you as Mister or
> Madame ("sex"). You may want to omit this because gpg does not make
> any use of them.
>
> Now for a more exciting exercise: Generation of the key. Enter the
> command "generate" and you will then be asked whether to make an
> off-card backup of the encryption key. You usually want to say yes
> here. This backup is useful because without it you won't be able to
> access any data you encrypted with the card in case you lost the
> card (we don't hope so) or the card gets damaged.
Recall that a > smartcard is a small embedded device and the chip may have a > malfunction or physical break if the card is bended too hard. > > In case that an existing key exists in the card, a security question > has to be answered, so that a key won't get inadvertly overwritten. > After that you have to answer the usual questions when generating a > key (name, email, expiration etc.). Now sit back for about a minute > while the card starts to generate the keys and gpg generates and > imports the encryption key. During this process you might get > distrubed by questions for the PIN and the Admin PIN. Don't miz > them up. The PIn is required for the binding signatures and for a > fresh card you will have to enter the default PIN of "123456" (note > that this one is 2 charatres shorter than the default Admin PIN). > > Now your card is ready for use and carries your keys. What's left > to do is to save away the backup key you probably decided to > create. This backup key is protected using the passphrase you > entered for it and should be transferred to another media and stored > at a safe place (you may want to write the passphrase then down). > It is important that you delete the copy of the key on the hard disk > too. The best choice here is to use a tool like "shred" (from the > GNU coreutils package) or "wipe" to make sure that the original > content gets overwritten. For storing the key a printout is also a > good idea - you usually don't need it so entering the ASCII armored > format back won't be that of a problem in case the card breaks and > the decryption key is not anymore available. The command gpg > --enarmor may be used to convert the backup key into a printable > format. In case of the case see below on how to restore a backup > key. > > > N. PIN Management > > Fixme: Tell how to change the PIN, how to unblock it etc. > > > N. 
Advanced features > > > N.1 Using the card only for subkeys > > Sometimes it is useful to use the card not in the default way. In > particular if you already own a key with a lot of key signatures it > would be a waste to start over with a new key. The card does not > support DSA keys so moving the primary key onto the card is not an > option. Even if you are using an RSA key, the currently available > cards do only allow for 1024 bit keys which is probably not what you > are using. Fortunately we can help anyway. > > The way it works is to use the key on the card only for signing and > decryption but not for key signing. By keeping the primary key > offline (which is a thing you can do with gpg since many years), you > won't expose even this key to remote attacks. In fact I am using > such a method for my 5B0358A2 key created back in spring 1999. The > first years it was troublesome becuase other OpenPGP implementations > and the keyservers were not able to cope with signing subkeys but > the times they have changed and signing sub keys are today state of > the art. Obviously if you ever had your pirmary key stored on a > networked box there is some chance that it has already been > compromised and thus the card stuff won't help you - Let's assume > this is not the case and your primary key has always been safely > stored. > > To start creating a card using an offline primary key you must first > make the primary key accesible; i.e. walk down to the 7th basement > take those shiny metal keys, oben the vault and take out your laptop > you are using to sign other keys. Install the card rader as usual > and prepare a card as describe above - however don't use the > "generate" command but enter "quit" and start gpg again using "gpg > --edit-key ". Now enter "addcardkey" and gpg will show > you a short menu to select whether a signing, decryption or > authentication key shall be generated. 
First you should create a > signing key; select this and gpg will create a new key for you on > the card. If such a key already exists on the card, a security > query needs to be answered as usual. Afte rthis has worked out you > may either want to run the "save" command to commit the changes (note > that the key won't get deleted from the card if you you exit without > saving but this is is then mostly useless. Alternativly you may > then choose to create another subkey using "addcardkey", this time > selecting an encryption key and proceed as described. Note that gpg > will always use the latest created key of a given type. > > However there is no direct way to create a backup key of the card's > decrytpion key like it is done with the "generate" command. However > it is easy to do this with a few steps more: First create a regular > RSA subkey of 1024 bit length using the "addkey" command and then > select this new key and run the command "keytocard"; gpg will > transfer the key to the card and replace the existing secret key > with a stub. Well you have benn smart enough to make a copy of your > whole secret key before running the "keytocard" command - otherwise > the procedure would have been pointless. > > > N.2 Moving an existing key to a card > > This is basicaly described above. You may transfer any key (primary > or sub) to a card using the command "keytocard", given only that the > card supports the type of the key and the length. gpg does proper > checking and will tell you if it won't be possible. The "addtokey" > command is mostly self-explaining but you should make sure that you > do a "save" later to save a way the replaced secret key. Without > the safe you create merely a copy of a key on the card. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > GLOSSARY > > CHV - Card Holder Verfication, commonly followed by a a number > denoting the which CHV is meant. The OpenPGP card uses 3 CHVs: > CHV1, CHV2, CHV3. 
The are often also referenced as PIN 1, PIN > 2 and PIN 3. CHV3 is used the so called Admin PIN (sometimes > also called SO PIN (Security Officer). > > PC/SC - > > CTAPI - > > CCID - Chip Card Interface Description. The specification for the > USB device class 11 used for chip card readers. > > OpenPGP > > > > > > > > > > Copyright 2004 Free Software Foundation, Inc. > > This file is free software; as a special exception the author gives > unlimited permission to copy and/or distribute it, with or without > modifications, as long as this notice is preserved. > > This file is distributed in the hope that it will be useful, but > WITHOUT ANY WARRANTY, to the extent permitted by law; without even > the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR > PURPOSE. > > =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- > =-=-=-=-= > > Please let me know if I can be of any other help to you. > > - -- > -=Robert & Beata Golovniov | Psalms 27:4=- > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > ~ > OpenPGP key for secure communication at: http://tinyurl.com/4df7a > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > ~ > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.0 (MingW32) - GPGshell v3.40rc2 > Comment: Using PGP/GnuPG for Internet privacy. > Comment: Gossamer Spider Web of Trust: http://www.gswot.org > > iD8DBQFCNUZHWh2fA2M/bQcRA3o1AJwJ+2KreV7m469EfQvRgijblp9NLQCg03wP > 6UxdGlIxjyrdz18OSVUHYms= > =3LW9 > -----END PGP SIGNATURE----- > > From JPClizbe at comcast.net Mon Mar 14 11:20:43 2005 
From: JPClizbe at comcast.net (John Clizbe)
Date: Mon Mar 14 11:17:25 2005
Subject: Differences between 1.2.2 and 1.4.1rc2. was: Help with v1.4.0.
In-Reply-To: <1d9bcc820503140153f5fbfe@mail.gmail.com>
References: <423375e9.371cf532.03ca.51d4SMTPIN_ADDED@mx.gmail.com> <1d9bcc820503140153f5fbfe@mail.gmail.com>
Message-ID: <4235657B.4070904@comcast.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Maj. Dennis Bludnok, Ret. wrote:
> Thanks for the help so far everyone.
> I've been able to download the new version from a different network.
> I think the firewall at my office doesn't like FTP sites.
>
> My other question was:
> Is the old version I have at the moment vulnerable to any attacks or
> bugs that were fixed in the new version, or will the upgrade just
> provide more functionality?

The ElGamal Signing Key bug was fixed in 1.2.4 (IIRC). It only affected a
small number of non-default keys. The 1.4.x releases also add the newer
SHA-256|384|512 Hash functions. I'd recommend upgrading to the 1.4 series.

- --
John P. Clizbe Inet: John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10
"what's the key to success?" / "two words: good decisions."
"what's the key to good decisions?" / "one word: experience."
"how do i get experience?" / "two words: bad decisions."

"Just how do the residents of Haiku, Hawai'i hold conversations?"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1rc2 (MingW32)
Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG
Comment: Be part of the ?33t ECHELON -- Use Strong Encryption.
Comment: It's YOUR right - for the time being.
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFCNWV6HQSsSmCNKhARAvACAKCGqv1MZXChFGISLdfB65QjQT4n2gCfSVns
DB4cF967bhO/d9Rvfi3wp3s=
=A/Kk
-----END PGP SIGNATURE-----

From wk at gnupg.org Mon Mar 14 11:37:14 2005
From: wk at gnupg.org (Werner Koch)
Date: Mon Mar 14 11:36:11 2005
Subject: Other hashes with DSA keys
In-Reply-To: <200503131417.PAA03991@vulcan.xs4all.nl> (Johan Wevers's message of "Sun, 13 Mar 2005 15:17:01 +0100 (MET)")
References: <200503131417.PAA03991@vulcan.xs4all.nl>
Message-ID: <87mzt6bjj9.fsf@wheatstone.g10code.de>

On Sun, 13 Mar 2005 15:17:01 +0100 (MET), Johan Wevers said:

> Now that PGP 9 beta seems to have extended the standard to allow non-160 bit
> hashes to be used with DSA keys, isn't it time for GnuPG to do the same,

Their beta seems to use a truncated hash; it is not intended behaviour.

> And while this is being processed, Tiger might be re-included too, since the
> arguments against its 192 bits size are then no longer relevant.

Tiger is not part of OpenPGP. Replacing well known algorithms with obscure
ones is not a solid way to solve possible security problems.

Shalom-Salam,

   Werner

From wk at gnupg.org Mon Mar 14 11:39:02 2005
From: wk at gnupg.org (Werner Koch)
Date: Mon Mar 14 11:36:23 2005
Subject: GnuPG + Smartcard
In-Reply-To: (Kory T.'s message of "Mon, 14 Mar 2005 19:19:43 +0900")
References: <200503140808.j2E88ZtS020870@perelaz.lviv.farlep.net>
Message-ID: <87is3ubjg9.fsf@wheatstone.g10code.de>

On Mon, 14 Mar 2005 19:19:43 +0900, Kory T said:

> the list know whether it's possible to import off-card generated keys
> into OpenPGP Card which are larger than 1024bits? I now know that the
> card is only capable of 'generating' 1024bit keys on the card, but
> there should be enough space to store off-card generated 1024bit+ keys?

No, the current cards I know of are all 1024 bit. There is no way to
change this or to import larger keys.

Salam-Shalom,

   Werner

From JPClizbe at comcast.net Mon Mar 14 12:02:21 2005
From: JPClizbe at comcast.net (John Clizbe)
Date: Mon Mar 14 11:59:09 2005
Subject: Other hashes with DSA keys
In-Reply-To: <200503131417.PAA03991@vulcan.xs4all.nl>
References: <200503131417.PAA03991@vulcan.xs4all.nl>
Message-ID: <42356F3D.6050709@comcast.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Johan Wevers wrote:
> Hello,
>
> Now that PGP 9 beta seems to have extended the standard to allow non-160 bit
> hashes to be used with DSA keys, isn't it time for GnuPG to do the same,
> especially after the recent attacks on SHA-1? I know it's against the
> standard, but the expansion of the standard is pretty straightforward and
> not due to interpretation problems. After all, the official standard is
> often a reflection of the behaviour of specific programs anyway.
>
> And while this is being processed, Tiger might be re-included too, since the
> arguments against its 192 bits size are then no longer relevant.

I don't know that "extended the standard" is the language I'd use. More to
the point would be "second guessed the IETF OpenPGP WG". Did they even
meet at last week's IETF meeting? The current draft, rfc2440bis-12,
expires in May of this year.
(http://tools.ietf.org/wg/openpgp/draft-ietf-openpgp-rfc2440bis/draft-ietf-openpgp-rfc2440bis-12.txt)

Granted Jon Callas of PGP Corp. is a member of the OpenPGP WG, but I think
PGP Corp. is just trying to predict what will happen in the near term with
DSS/DSA and be ready to market the new solution. DSS and DSA are NIST
standards (FIPS-180 and FIPS-186) and 'official' changes to them will come
from NIST after the usual solicitation and comment periods. (Much like the
selection of AES to replace DES.)

Yes, some of the likely successors to SHA-1 are already implemented in
GnuPG 1.4, but I wouldn't try to second guess NIST (too much of that went
on with AES). Perhaps SHA-256|384|512 and even Tiger will be elevated to
'interim solutions' while DSA-2 is being formulated.
My view is that it doesn't make sense /right now/ to break DSS/DSA by ad
hoc extensions. The new hashes are already in GnuPG 1.4, they can be fully
enabled once the new standard is in place. Changing now is premature.

Until then, if one is *REALLY* paranoid, maybe he/she should consider
using 2048 bit RSA keys. 8-})

- --
John P. Clizbe Inet: John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10
"what's the key to success?" / "two words: good decisions."
"what's the key to good decisions?" / "one word: experience."
"how do i get experience?" / "two words: bad decisions."

"Just how do the residents of Haiku, Hawai'i hold conversations?"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1rc2 (MingW32)
Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG
Comment: Be part of the ?33t ECHELON -- Use Strong Encryption.
Comment: It's YOUR right - for the time being.
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFCNW88HQSsSmCNKhARAgqEAKDUhVrnKzKTlgjTGVkVhhibkDo+SACgm6Xv
t0hhjCH1zLFOrjbn55IOrH4=
=UGNC
-----END PGP SIGNATURE-----

From wk at gnupg.org Mon Mar 14 15:57:18 2005
From: wk at gnupg.org (Werner Koch)
Date: Mon Mar 14 15:56:18 2005
Subject: Other hashes with DSA keys
In-Reply-To: <42356F3D.6050709@comcast.net> (John Clizbe's message of "Mon, 14 Mar 2005 05:02:21 -0600")
References: <200503131417.PAA03991@vulcan.xs4all.nl> <42356F3D.6050709@comcast.net>
Message-ID: <87zmx68ecx.fsf@wheatstone.g10code.de>

On Mon, 14 Mar 2005 05:02:21 -0600, John Clizbe said:

> I don't know that "extended the standard" is the language I'd use. More to
> the point would be "second guessed the IETF OpenPGP WG". Did they even
> meet at last week's IETF meeting? The current draft, rfc2440bis-12,
> expires in May of this year.

Yes, there was a meeting. As usual a new draft will be posted as soon as
the old one is to expire - or well, this time we might really be able to
get the new RFC out.

> My view is that it doesn't make sense /right now/ to break DSS/DSA by ad
> hoc extensions. The new hashes are already in GnuPG 1.4, they can be fully

That is the common understanding of the OpenPGP WG too. We know that there
are problems but it would not be wise to rush out ad hoc fixes. Thus the
next RFC will have some warnings and the WG will then start over to discuss
the problems at hand and work on an update of OpenPGP.

Salam-Shalom,

   Werner

From plan9z at bellsouth.net Mon Mar 14 17:24:22 2005
From: plan9z at bellsouth.net (Plan9)
Date: Mon Mar 14 19:39:26 2005
Subject: ASCII Armored example from rfc2440bis-12
Message-ID: <4235BAB6.8050608@bellsouth.net>

Given the following example of an ASCII Armored Message in section 6.6 of
rfc2440bis-12: (Note I removed the leading two blanks from each line)

-----BEGIN PGP MESSAGE-----
Version: OpenPrivacy 0.99
yDgBO22WxBHv7O8X7O/jygAEzol56iUKiXmV+XmpCtmpqQUKiQrFqclFqUDBovzS
vBSFjNSiVHsuAA==
=njUN
-----END PGP MESSAGE-----

When I try to decrypt using gpg, C:\GnuPG>gpg --decrypt x.txt, I get the
following error:

gpg: invalid armor header: yDgBO22WxBHv7O8X7O/jygAEzol56iUKiXmV+XmpCtmpqQUKiQrFqclFqUDBovzS

However PGP 8.1 decrypts it with no problems.

If I edit the example and place a blank line after the Version: line then
pgp will also decrypt it. PGP 8.1 has no problems with either form.

-----BEGIN PGP MESSAGE-----
Version: OpenPrivacy 0.99

yDgBO22WxBHv7O8X7O/jygAEzol56iUKiXmV+XmpCtmpqQUKiQrFqclFqUDBovzS
vBSFjNSiVHsuAA==
=njUN
-----END PGP MESSAGE-----

Do I have something set up incorrectly or is this an anomaly of GPG vs
PGP?

--
Regards,
Plan9
mailto:plan9z@bellsouth.net

From lists at moins.de Mon Mar 14 20:43:44 2005
From: lists at moins.de (Rainer Bendig aka Ny)
Date: Mon Mar 14 22:14:16 2005
Subject: german book about gnupg
Message-ID: <20050314194344.GA2375@localdomain>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

i am seeking for a well written German book about gnupg. Is there any book
'bout it?

thx

~ ny
- --
- ---------------------------------------------------------------------
Rainer Bendig aka "Ny" | http://www.moins.de | GnuPG-Key 0x41D44F10
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.9.16-cvs (GNU/Linux)

iD8DBQFCNelvWmkXC0TkjEgRAgZuAJ97ROodC1uCKFSG2vHpuBT0GNXukACghPLo
TAX93djAN6XT0Eg2+QW+jpA=
=eg+U
-----END PGP SIGNATURE-----

From iam-est-hora-surgere at despammed.com Tue Mar 15 00:13:22 2005
From: iam-est-hora-surgere at despammed.com (Marcus Frings)
Date: Tue Mar 15 00:28:48 2005
Subject: Trust model: classic or pgp?
References: <20050310132401.GD18415__22499.9678008773$1110461496$gmane$org@jabberwocky.com>
Message-ID:

* David Shaw wrote:
> On Thu, Mar 10, 2005 at 01:04:20PM +0100, Marcus Frings wrote:

>> First of all, what is actually the difference between "pgp" and
>> "classic"? The first option tells about WOT and trust signatures but the
>> latter just mentions the WOT.

> That is the difference. The "pgp" trust model is identical to
> "classic" except that "pgp" supports trust signatures, and "classic"
> doesn't (it treats them the same as any other signature).

> I'm not quite sure what you're asking.

Sorry for the misunderstanding, my problem was that I wasn't aware of the
new option "tsign" which is new in 1.4.0. After reading the info about
"tsign" in the manpage I understand the difference now.

[...]

>> when "pgp" is supposed to be the default? I cannot remember that I have
>> ever changed the trust model. I guess I should switch over to "pgp",
>> right?

> You probably were using GnuPG 1.2.x or earlier before you upgraded to
> 1.4. In this case, your trustdb was created as "classic", and so
> GnuPG 1.4 is just respecting that. If you want to force an upgrade to
> "pgp", do

Yes, this was an upgrade from 1.2 to 1.4, I have changed to trust-model
"pgp" now although I don't use these trust signatures at the moment.

Regards,
Marcus
--
"I admire its conceptual purity... Created to survive... No conscience
influences it, it knows no guilt or delusions of an ethical kind."

From iam-est-hora-surgere at despammed.com Tue Mar 15 00:21:30 2005
From: iam-est-hora-surgere at despammed.com (Marcus Frings)
Date: Tue Mar 15 00:37:43 2005
Subject: Can't select single UIDs for signing keys
Message-ID:

Hello,

see this:

,----
| [00:15][marcus@xenon:~]$ gpg --set-policy-url http://www.sc-delphin-eschweiler.de/pgp/ --ask-cert-level --sign-key 82F61240
|
| pub  1024D/82F61240  created: 2004-10-22  expires: 2010-10-21  usage: CS
|                      trust: unknown       validity: undefined
| sub  1024g/7E11EB83  created: 2004-10-22  expires: 2010-10-21  usage: E
| [ undef ] (1). Florian Streibelt (general purpose key)
| [ undef ] (2)  Florian Streibelt (Usenet ONLY)
| [ undef ] (3)  Florian Streibelt (some other account)
| [ undef ] (4)  Florian Streibelt (business key)
| [ undef ] (5)  Florian Streibelt
| [ undef ] (6)  [jpeg image of size 2092]
| [ unknown] (7)  Florian Streibelt
|
| Really sign all user IDs? (y/N) n
| Hint: Select the user IDs to sign
|
| Key not changed so no update needed.
| [00:15][marcus@xenon:~]$
`----

What's going on here? Why does GPG 1.4.0 return to the shell immediately
without giving me the option to select the UIDs I want to sign? In previous
versions, when I pressed "n", I had the possibility to select the UIDs I
want to sign and then say "sign". Now I'm just back on my shell ...

Regards,
Marcus
--
Sackmann's security tips: "Against Internet access abuse, use the
Internet security things." Johannes Sackmann in the group
microsoft.public.de.security.heimanwender

From servie_tech at yahoo.com Tue Mar 15 03:25:43 2005
From: servie_tech at yahoo.com (Servie Platon)
Date: Tue Mar 15 04:22:21 2005
Subject: Lib\idea could not be found error
Message-ID: <20050315022543.28759.qmail@web52509.mail.yahoo.com>

Hi folks,

I got this error message after I issued the command shown below:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\servie>gpg --version
gpg (GnuPG) 1.4.0
Copyright (C) 2004 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Home: C:/Documents and Settings/servie/Application Data/GnuPG
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
gpg: LoadLibrary failed: The system cannot find the file specified.
gpg: invalid module `Lib\idea': The specified module could not be found.
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Would you guys know what went wrong with my configuration? As far as the
instructions and steps on http://enigmail.mozdev.org/gpgconf.html are
concerned, I have followed the steps religiously and copied the iconv.dll
to the C:\Program Files\GnuPG directory.

Any hints on this would be highly appreciated.

Thanks in advance.

Sincerely,
Servie

__________________________________
Do you Yahoo!?
Yahoo! Small Business - Try our new resources site!
http://smallbusiness.yahoo.com/resources/

From JPClizbe at comcast.net Tue Mar 15 04:36:14 2005
From: JPClizbe at comcast.net (John Clizbe)
Date: Tue Mar 15 04:32:50 2005
Subject: [Enigmail] Lib\idea could not be found error
In-Reply-To: <20050315022543.28759.qmail@web52509.mail.yahoo.com>
References: <20050315022543.28759.qmail@web52509.mail.yahoo.com>
Message-ID: <4236582E.5030800@comcast.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Servie Platon wrote:
> Hi folks,
>
> I got this error message after I issued the command
> shown below:
>
>
> gpg: invalid module `Lib\idea': The specified module
> could not be found.
>
> Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256,
> TWOFISH
> Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512
> Compression: Uncompressed, ZIP, ZLIB, BZIP2
>
> Would you guys know what went wrong with my configuration? As far as
> the instructions and steps on http://enigmail.mozdev.org/gpgconf.html
> are concerned, I have followed the steps religiously and copied the
> iconv.dll to C:\Program Files\GnuPG directory.

Your gpg.conf configuration contains the line

    load-extension Lib\idea

but your GnuPG directory does not contain a Lib subdirectory containing
idea.dll.

IDEA is not included in GnuPG for patent reasons, but is available freely
for non-commercial use. The US patent expires 25-May-2010 and the European
and Japanese patents expire 16-May-2011. More information on IDEA is at
http://www.mediacrypt.com/. The lack of widespread use of IDEA shows the
chilling effect software patents can have.

If you don't need the IDEA cipher remove the line from gpg.conf. If you do
need IDEA, (ie you communicate with PGP 2.x users) obtain the idea.dll and
install it in Lib in your GnuPG program directory.
https://netfiles.uiuc.edu/ehowes/www/gpg-idea/gpg-idea.htm#120 lists two
sources for the IDEA DLL.

- --
John P. Clizbe Inet: John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10
"what's the key to success?" / "two words: good decisions."
"what's the key to good decisions?" / "one word: experience."
"how do i get experience?" / "two words: bad decisions."

"Just how do the residents of Haiku, Hawai'i hold conversations?"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1rc2 (MingW32)
Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG
Comment: Be part of the ?33t ECHELON -- Use Strong Encryption.
Comment: It's YOUR right - for the time being.
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFCNlgtHQSsSmCNKhARAlJfAJ4+ulWMYjjEP5Mzwi1+OxdDHo3P0QCg54RI
+gvU2j6ZM6hYerwxjpzaGn0=
=Tid+
-----END PGP SIGNATURE-----

From kha-list-gnupg-users at hemma.treskal.com Tue Mar 15 08:18:44 2005
From: kha-list-gnupg-users at hemma.treskal.com (Karl Hasselström)
Date: Tue Mar 15 08:52:12 2005
Subject: Trust model: classic or pgp?
In-Reply-To:
References: <20050310132401.GD18415__22499.9678008773$1110461496$gmane$org@jabberwocky.com>
Message-ID: <20050315071844.GB4598@backpacker.hemma.treskal.com>

On 2005-03-15 00:13:22 +0100, Marcus Frings wrote:

> Sorry for the misunderstanding, my problem was that I wasn't aware
> of the new option "tsign" which is new in 1.4.0. After reading the
> info about "tsign" in the manpage I understand the difference now.

I went looking for this too, and found the info in the man page too. But
is there more info about this somewhere, like all the web-of-trust and
keysigning documentation for regular signing? I like to get a thorough
understanding of what I'm doing before I sign stuff . . .

--
Karl Hasselström, kha@treskal.com
www.treskal.com/kalle

From patrick at mozilla-enigmail.org Tue Mar 15 08:25:19 2005
From: patrick at mozilla-enigmail.org (Patrick Brunschwig)
Date: Tue Mar 15 09:15:13 2005
Subject: Getting trust information for UIDs
Message-ID: <42368DDF.1000701@mozilla-enigmail.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

When sending an encrypted mail I want to display in a list the keys/UID's
and their trust level. For this I use

  gpg --with-colons --list-keys

Now, I have the following problem. If a secondary UID is not signed, in the
calc. trust field there is a "-", indicating that this UID is not trusted.
However, if a secondary UID is signed but the primary UID is not signed,
the calc. trust can be "f" but still the UID is not trusted.

Is it correct that I have no way using --with-colons --list-keys to find
out the trust level of primary UIDs? If so, is there any other way to get
the calculated trust of UIDs correctly without needing to check all
signatures?

- -Patrick
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1rc2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCNo3d2KgHx8zsInsRAuDYAJ9GnhxSkJJ360ccLFu02umak0oQnACeOZeG
/Oe7JD+yrVVW8Yv8w8Q4trI=
=8rQJ
-----END PGP SIGNATURE-----

From list at rachinsky.de Tue Mar 15 09:59:02 2005
From: list at rachinsky.de (Nicolas Rachinsky)
Date: Tue Mar 15 09:55:15 2005
Subject: Getting trust information for UIDs
In-Reply-To: <42368DDF.1000701@mozilla-enigmail.org>
References: <42368DDF.1000701@mozilla-enigmail.org>
Message-ID: <20050315085902.GA96299@pc5.i.0x5.de>

* Patrick Brunschwig [2005-03-15 08:25 +0100]:
> Is it correct that I have no way using --with-colons --list-keys to find
> out the trust level of primary UIDs? If so, is there any other way to
> get the calculated trust of UIDs correctly without needing to check all
> signatures?

What about --fixed-list-mode?

Nicolas

From pete at petesplace.id.au Tue Mar 15 10:47:37 2005
From: pete at petesplace.id.au (Peter Jones)
Date: Tue Mar 15 10:44:05 2005
Subject: ASCII Armored example from rfc2440bis-12
In-Reply-To: <4235BAB6.8050608@bellsouth.net>
References: <4235BAB6.8050608@bellsouth.net>
Message-ID: <200503151947.55500.pete@petesplace.id.au>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 15 Mar 2005 02:24 am, Plan9 wrote:
> If I edit the example and place a blank line after the Version: line
> then pgp will also decrypt it. PGP 8.1 has no problems with either
> form.
>
> -----BEGIN PGP MESSAGE-----
> Version: OpenPrivacy 0.99
>
> yDgBO22WxBHv7O8X7O/jygAEzol56iUKiXmV+XmpCtmpqQUKiQrFqclFqUDBovzS
> vBSFjNSiVHsuAA==
> =njUN
> -----END PGP MESSAGE-----

As I understand it -- and I'm no expert -- the blank line is required to
separate the header from the encrypted body. As well as version
information, the header may also contain one (or more) comment line(s);
without the blank line, the software has no way of knowing where the
header ends and the body begins -- although it appears that PGP 8.1 is
prepared to make an educated guess...

Pete.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCNq9C+Kt3WDVX4jQRAp+QAKDHxf2eOY5FScs20CcRTdMwg9oYEwCfawl3
KrI4lyzIcSP+xc5F/hYncno=
=B19H
-----END PGP SIGNATURE-----

From kraymer at kraymer.com Mon Mar 14 23:35:07 2005
From: kraymer at kraymer.com (kraymer@kraymer.com)
Date: Tue Mar 15 11:01:38 2005
Subject: Decryption via UNIX shell script
Message-ID: <50210.69.7.177.2.1110839707.squirrel@69.7.177.2>

I am writing a shell script to automatically decrypt an encrypted file
using GPG. How do I send the passphrase to the executable (GPG). I want
no human intervention on this. I'm calling the shell script from a batch
file to decrypt the file. Anyone have a UNIX shell script (Korn Shell)
that does this?

Thanks!
Kelly Raymer
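The header/body boundary Pete describes and the error Plan9 saw, as an added example for this thread (not GnuPG, PGP or list code): a strict parser that, like gpg, treats every line before the first blank line as an armor header and so rejects the RFC example without it, a lenient mode that guesses the boundary as PGP 8.1 appears to, and the RFC 2440 CRC-24 check on the decoded body. The sample text is Plan9's quoted RFC example; ArmorError, the lenient flag and the function names are this example's own.

```python
"""Strict and lenient parsing of the RFC 2440 section 6.6 armor layout.
Added example for this thread, not code from GnuPG, PGP or the list; the
sample message is the one Plan9 quoted, everything else is this example's own.
"""
import base64
import re

# The RFC 2440 example as Plan9 posted it, with the blank line present.
ARMORED_OK = (
    "-----BEGIN PGP MESSAGE-----\n"
    "Version: OpenPrivacy 0.99\n"
    "\n"
    "yDgBO22WxBHv7O8X7O/jygAEzol56iUKiXmV+XmpCtmpqQUKiQrFqclFqUDBovzS\n"
    "vBSFjNSiVHsuAA==\n"
    "=njUN\n"
    "-----END PGP MESSAGE-----\n"
)
# The same message as first fed to gpg: no blank line after "Version:".
ARMORED_NO_BLANK = ARMORED_OK.replace("0.99\n\n", "0.99\n")

CRC24_INIT = 0xB704CE  # RFC 2440 section 6.1
CRC24_POLY = 0x1864CFB
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*): (.*)$")

class ArmorError(ValueError):
    """Raised where gpg prints an 'invalid armor header' style error."""

def crc24(data: bytes) -> int:
    """Bit-serial CRC-24 exactly as given in RFC 2440 section 6.1."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def parse_armor(text: str, lenient: bool = False) -> dict:
    """Return headers, decoded data and CRC verdict for an armored message.
    Strict mode mirrors gpg: every line up to the first blank line must read
    "Key: Value". Lenient mode ends the headers at the first non-header line,
    the guess PGP 8.1 appears to make (a body line could itself contain ": ").
    """
    lines = text.splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP "):
        raise ArmorError("missing armor BEGIN line")
    headers = {}
    i = 1
    while i < len(lines) and lines[i] != "":
        match = HEADER_RE.match(lines[i])
        if match:
            headers[match.group(1)] = match.group(2)
            i += 1
        elif lenient:
            break  # header block ended without a blank line; body starts here
        else:
            raise ArmorError("invalid armor header: " + lines[i])
    else:
        i += 1  # consume the blank line that terminates the header block
    body, crc_b64 = [], None
    while i < len(lines) and not lines[i].startswith("-----END PGP "):
        if lines[i].startswith("="):
            crc_b64 = lines[i][1:]  # the "=xxxx" checksum line
        else:
            body.append(lines[i])
        i += 1
    if i >= len(lines):
        raise ArmorError("missing armor END line")
    data = base64.b64decode("".join(body), validate=True)
    crc_ok = None
    if crc_b64 is not None:
        crc_ok = crc24(data) == int.from_bytes(base64.b64decode(crc_b64), "big")
    return {"headers": headers, "data": data, "crc_ok": crc_ok}

def armor(data: bytes, headers: dict) -> str:
    """Emit the RFC 2440 layout, blank separator line included."""
    b64 = base64.b64encode(data).decode("ascii")
    body = "\n".join(b64[k:k + 64] for k in range(0, len(b64), 64))
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    head = "".join(f"{key}: {value}\n" for key, value in headers.items())
    return f"-----BEGIN PGP MESSAGE-----\n{head}\n{body}\n={crc}\n-----END PGP MESSAGE-----\n"

def first_packet_tag(data: bytes) -> int:
    """Packet tag of the first OpenPGP packet (RFC 2440 section 4.2)."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("OpenPGP packet header must have bit 7 set")
    if first & 0x40:  # new-format header: tag in the low six bits
        return first & 0x3F
    return (first >> 2) & 0x0F  # old-format header: tag in bits 5..2

def strict_error(text: str) -> str:
    """The strict parser's error message for text, or "" if it parses."""
    try:
        parse_armor(text)
    except ArmorError as exc:
        return str(exc)
    return ""
```

Run strict_error(ARMORED_NO_BLANK) to reproduce the gpg complaint verbatim, and parse_armor(ARMORED_OK) to see the RFC message decode to a new-format compressed-data packet (tag 8).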
From: venona at gmx.ch (venona@gmx.ch)
Date: Tue Mar 15 12:19:47 2005
Subject: Lib\idea could not be found error
In-Reply-To: <20050315022543.28759.qmail@web52509.mail.yahoo.com>
References: <20050315022543.28759.qmail@web52509.mail.yahoo.com>
Message-ID: <20050315190901.FD67.VENONA@gmx.ch>

Hello Servie,

> Home: C:/Documents and Settings/servie/Application Data/GnuPG
> Supported algorithms:
> Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
> gpg: LoadLibrary failed: The system cannot find the file specified.
>
> gpg: invalid module `Lib\idea': The specified module could not be found.

Firstly, download the IDEA library from
ftp://ftp.gnupg.dk/pub/contrib-dk/ideadll.zip

Next, create a directory named "lib" in the above HomeDir and unzip
idea.dll to the directory "lib" you created.

Lastly, write the line "load-extension lib\idea" (without quotation) in
your configuration file gpg.conf. Don't forget to hit ENTER at the end of
the line mentioned above.

Then gpg.exe will show the message "Cipher: IDEA, ..." when you type the
command "gpg --version" in the command prompt.

Regards,

From servie_tech at yahoo.com Tue Mar 15 13:40:20 2005
From: servie_tech at yahoo.com (Servie Platon)
Date: Tue Mar 15 13:36:52 2005
Subject: Lib\idea could not be found error
In-Reply-To: 6667
Message-ID: <20050315124021.57536.qmail@web52506.mail.yahoo.com>

Hello Venona,

--- venona@gmx.ch wrote:
> Hello Servie,
>
>> Home: C:/Documents and Settings/servie/Application Data/GnuPG
>> Supported algorithms:
>> Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
>> gpg: LoadLibrary failed: The system cannot find the file specified.
>>
>> gpg: invalid module `Lib\idea': The specified module could not be found.

As Mr. Clizbe suggested, if idea.dll is not really needed, I might as well
remove this feature due to patent and other issues. After removing the
idea.dll line from gpg.conf it finally worked. My only worry, if this is
the case, is whether others who use a commercial PGP product would still be
able to encrypt or decrypt messages coming from me??? I have no idea, but
once I find out from you guys, I will do the steps below:

> Firstly, download the IDEA library from
> ftp://ftp.gnupg.dk/pub/contrib-dk/ideadll.zip
>
> Next, create a directory named "lib" in the above HomeDir
> and unzip idea.dll to the directory "lib" you created.
>
> Lastly, write the line "load-extension lib\idea" (without
> quotation) in your configuration file gpg.conf.
>
> Don't forget to hit ENTER at the end of the line mentioned above.
>
> Then gpg.exe will show the message "Cipher: IDEA, ..."
> when you type the command "gpg --version" in the command prompt.

Thank you very much.

> Regards,

Best regards,
Servie

> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

__________________________________
Do you Yahoo!?
Yahoo! Small Business - Try our new resources site!
http://smallbusiness.yahoo.com/resources/

From x-phile at cryptophiles.net Tue Mar 15 14:29:03 2005
From: x-phile at cryptophiles.net (Terry Soucy)
Date: Tue Mar 15 15:30:27 2005
Subject: digest-algo question
Message-ID: <200503150929.05878.x-phile@cryptophiles.net>

Hi All,

I have added an RSA subkey to my key so that I can sign messages with the
SHA256 algo. I have made sure that my version of gpg supports SHA256. My
problem comes when I add digest-algo sha256 to my gpg.conf file: my kgpg
doesn't display any keys, and my mailer (kmail) complains that no keys are
available for signing. Once I comment out the digest-algo line, everything
works fine as before. Am I missing something, or maybe my distro (suse 9.2)
tossed out support for higher hash algorithms?

Thanks
Terry
-- 
Terry Soucy
Key fingerprint = DD46 C49C 6352 C7B0 15EE 5024 6851 22FF 1A79 1AD5
http://www.terrysoucy.ca

From dshaw at jabberwocky.com Tue Mar 15 16:18:16 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue Mar 15 16:14:50 2005
Subject: digest-algo question
In-Reply-To: <200503150929.05878.x-phile@cryptophiles.net>
References: <200503150929.05878.x-phile@cryptophiles.net>
Message-ID: <20050315151816.GA18495@jabberwocky.com>

On Tue, Mar 15, 2005 at 09:29:03AM -0400, Terry Soucy wrote:
> Hi All,
>
> I have added an RSA subkey to my key so that I can sign messages with the
> SHA256 Algo. I have made sure that my version of gpg supports SHA256. My
> problem comes when I add digest-algo sha256 to my gpg.conf file, my kgpg
> doesn't display any keys, and my mailer (kmail) complains that no keys are
> available for signing. Once I comment out the digest-algo line, everything
> works fine as before. Am I missing something, or maybe my distro (suse 9.2)
> tossed out support for higher hash algorithms?

Your signature says you are using GnuPG 1.2.5. If you want to use
SHA256, upgrade to 1.4.0 or later and put:

  personal-digest-preferences sha256

in your gpg.conf file.

David

From sk at intertivity.com Tue Mar 15 16:23:20 2005
From: sk at intertivity.com (Sascha Kiefer)
Date: Tue Mar 15 16:19:24 2005
Subject: Key Generation: Batch Mode and Expire-Date
Message-ID: <4236FDE8.6060409@intertivity.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi list,

I would like to be exact on the Expire-Date, so is it possible to
enter time information as well?

Thanks.

- --sk

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
-----END PGP SIGNATURE-----

From areiner at tph.tuwien.ac.at Tue Mar 15 17:47:14 2005
From: areiner at tph.tuwien.ac.at (Albert Reiner)
Date: Tue Mar 15 17:43:38 2005
Subject: Decryption via UNIX shell script
In-Reply-To: <50210.69.7.177.2.1110839707.squirrel@69.7.177.2>
References: <50210.69.7.177.2.1110839707.squirrel@69.7.177.2>
Message-ID:

[kraymer@kraymer.com, Mon, 14 Mar 2005 16:35:07 -0600 (CST)]:
> I am writing a shell script to automatically decrypt an encrypted file
> using GPG. How do I send the passphrase to the executable (GPG). I want
> no human intervention on this. I'm calling the shell script from a batch
> file to decrypt the file.
>
> Anyone have a UNIX shell script (Korn Shell) that does this?

Read the man page; there is some --...-fd option you can use.

Albert.

From wk at gnupg.org Tue Mar 15 17:53:36 2005
From: wk at gnupg.org (Werner Koch)
Date: Tue Mar 15 18:17:05 2005
Subject: [Announce] GnuPG 1.4.1 released
Message-ID: <873buw7svj.fsf@wheatstone.g10code.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello!

We are pleased to announce the availability of a new stable GnuPG
release: Version 1.4.1

The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication
and data storage. It is a complete and free replacement of PGP and can
be used to encrypt data and to create digital signatures. It includes
an advanced key management facility and is compliant with the proposed
OpenPGP Internet standard as described in RFC2440.


Getting the Software
====================

Please follow the instructions found at http://www.gnupg.org/download/
or read on:

GnuPG 1.4.1 may be downloaded from one of the GnuPG mirror sites or
direct from ftp://ftp.gnupg.org/gcrypt/ . The list of mirrors can be
found at http://www.gnupg.org/mirrors.html . Note that GnuPG is not
available at ftp.gnu.org.

On the mirrors you should find the following files in the *gnupg*
directory:

  gnupg-1.4.1.tar.bz2 (2756k)
  gnupg-1.4.1.tar.bz2.sig

      GnuPG source compressed using BZIP2 and OpenPGP signature.

  gnupg-1.4.1.tar.gz (3964k)
  gnupg-1.4.1.tar.gz.sig

      GnuPG source compressed using GZIP and OpenPGP signature.

  gnupg-1.4.0-1.4.1.diff.bz2 (650k)

      A patch file to upgrade a 1.4.0 GnuPG source.

Select one of them. To shorten the download time, you probably want to
get the BZIP2 compressed file. Please try another mirror if,
exceptionally, your mirror is not yet up to date.

In the *binary* directory, you should find these files:

  gnupg-w32cli-1.4.1.exe (1406k)
  gnupg-w32cli-1.4.1.exe.sig

      GnuPG compiled for Microsoft Windows and OpenPGP signature.
      Note that this is a command line version and now comes with a
      graphical installer tool. The source files are the same as
      given above.
Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of the
following ways:

 * If you already have a trusted version of GnuPG installed, you can
   simply check the supplied signature. For example to check the
   signature of the file gnupg-1.4.1.tar.bz2 you would use this command:

     gpg --verify gnupg-1.4.1.tar.bz2.sig

   This checks whether the signature file matches the source file. You
   should see a message indicating that the signature is good and made
   by that signing key. Make sure that you have the right key, either
   by checking the fingerprint of that key with other sources or by
   checking that the key has been signed by a trustworthy other key.
   Note that you can retrieve the signing key using "finger wk 'at'
   g10code.com" or "finger dd9jn 'at' gnu.org" or using the keyservers.
   I recently prolonged the expiration date; thus you might need a
   fresh copy of that key.

   Never use a GnuPG version you just downloaded to check the integrity
   of the source - use an existing GnuPG installation!

 * If you are not able to use an old version of GnuPG, you have to
   verify the SHA-1 checksum. Assuming you downloaded the file
   gnupg-1.4.1.tar.bz2, you would run the sha1sum command like this:

     sha1sum gnupg-1.4.1.tar.bz2

   and check that the output matches the first line from the
   following list:

ebd16ef9d3fd3c38e38cf39e6347ed058fd12840  gnupg-1.4.1.tar.bz2
f8e982d5e811341a854ca9c15feda7d5aba6e09a  gnupg-1.4.1.tar.gz
db573a6c3707f65797b569efda7e0905c4c4469c  gnupg-w32cli-1.4.1.exe


Upgrade Information
===================

If you are upgrading from a version prior to 1.0.7, you should run the
script tools/convert-from-106 once. Please note also that due to a
bug in versions prior to 1.0.6 it may not be possible to downgrade to
such versions unless you apply the patch
http://www.gnupg.org/developer/gpg-woody-fix.txt .
If you have any problems, please see the FAQ and the mailing list
archive at http://lists.gnupg.org. Please direct questions to the
gnupg-users@gnupg.org mailing list.


What's New
==========

There are too many changes to list them here. Please check out the
NEWS file or read the summary at the end of this announcement.


Internationalization
====================

GnuPG comes with support for 28 languages:

    American English          Indonesian (id)[*]
    Belarusian (be)[*]        Italian (it)[*]
    Catalan (ca)[*]           Japanese (ja)
    Czech (cs)                Polish (pl)[*]
    Danish (da)[*]            Brazilian Portuguese (pt_BR)[*]
    Dutch (nl)[*]             Portuguese (pt)[*]
    Esperanto (eo)[*]         Romanian (ro)
    Estonian (et)[*]          Russian (ru)[*]
    Finnish (fi)[*]           Slovak (sk)[*]
    French (fr)               Spanish (es)[*]
    Galician (gl)[*]          Swedish (sv)[*]
    German (de) [*]           Traditional Chinese (zh_TW)
    Greek (el) [*]            Simplified Chinese (zh_CN)
    Hungarian (hu) [*]        Turkish (tr) [*]

Languages marked with [*] were not updated for this release and you
will most likely notice untranslated messages. Many thanks to the
translators for their ongoing support of GnuPG.

Due to a lot of stylistic changes to the strings and about 150 new
strings, most translations are not up to date. However we don't think
that this is reason enough to hold back the release. Updated
translations will be added with the next releases.


Future Directions
=================

GnuPG 1.4.x is the current stable branch and will be kept as the easy
to use and build single-executable versions. We plan to backport new
features from the development series to 1.4.

GnuPG 1.9.x is the new development series of GnuPG. This version
merged the code from the Aegypten project and thus it includes the
gpg-agent, a smartcard daemon and gpg's S/MIME cousin gpgsm. The
design is different to the previous versions and we may not support
all ancient systems - thus POSIX compatibility will be an absolute
requirement for supported platforms.
1.9 is as of now based on a somewhat older 1.3 code but will peacefully
coexist with other GnuPG versions.


Support
=======

Developing and maintaining GnuPG and related software is nothing one
can do in the evening or on weekends. We all spend a lot of time and
money on it. David is actually doing this in his spare time beside his
day job; g10 Code employs Timo and Werner to work on this software and
would appreciate refinancing it by entering into support contracts or
other contributions.


Thanks
======

We have to thank all the people who helped with this release, be it
testing, coding, translating, suggesting, auditing, administering the
servers, spreading the word or answering questions on the mailing
lists. Kudos to David Shaw who did most of the new features in 1.4
and discussed various OpenPGP problems at length at several working
groups.


Happy Hacking,

  The GnuPG Team (David, Timo and Werner)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
-----END PGP SIGNATURE-----

_______________________________________________
Gnupg-announce mailing list
Gnupg-announce@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce

From wk at gnupg.org Tue Mar 15 18:41:12 2005
From: wk at gnupg.org (Werner Koch)
Date: Tue Mar 15 18:41:32 2005
Subject: Key Generation: Batch Mode and Expire-Date
In-Reply-To: <4236FDE8.6060409@intertivity.com> (Sascha Kiefer's message of "Tue, 15 Mar 2005 16:23:20 +0100")
References: <4236FDE8.6060409@intertivity.com>
Message-ID: <87sm2w6c3r.fsf@wheatstone.g10code.de>

On Tue, 15 Mar 2005 16:23:20 +0100, Sascha Kiefer said:

> i would like to be exact on the Expire-Date, so is it possible to
> enter time information as well?

No, you can't add it with GnuPG. The reason for this is that the old v3
key format required an interval measured in days. However you may enter
a date directly at the prompt: e.g. 2005-12-31 .

Salam-Shalom,

   Werner

From henkdebruijn at wanadoo.nl Tue Mar 15 19:06:49 2005
From: henkdebruijn at wanadoo.nl (Henk de Bruijn)
Date: Tue Mar 15 19:02:55 2005
Subject: [Announce] GnuPG 1.4.1 released
In-Reply-To: <873buw7svj.fsf@wheatstone.g10code.de>
References: <873buw7svj.fsf@wheatstone.g10code.de>
Message-ID: <1838292421.20050315190649@wanadoo.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 15 Mar 2005 17:53:36 +0100GMT (15-3-2005, 17:53 +0100, where I
live), Werner Koch wrote:

> We are pleased to announce the availability of a new stable GnuPG
> release: Version 1.4.1

Thank you, up and running!

- -- 
Henk
______________________________________________________________________
The Bat!? Natural Email System v3.0.1.33nl Professional on Windows XP SP2
PGPkey available at http://www.biglumber.com/x/web?qs=0x12069B93DBE6E678
Gossamer Spider Web of Trust GSWoT http://www.gswot.org/
A Progressive and Innovative Web of Trust

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32) - GPGrelay v0.957
-----END PGP SIGNATURE-----

From DBSMITH at OhioHealth.com Tue Mar 15 19:17:37 2005
From: DBSMITH at OhioHealth.com (DBSMITH@OhioHealth.com)
Date: Tue Mar 15 19:13:37 2005
Subject: Decryption via UNIX shell script
In-Reply-To:
Message-ID:

you have to have a file with your passphrase in it then (I made mine a
hidden file) you cat this file along with a | to the gpg command with
--decrypt --passphrase-fd 0 "new file" "encrypted file"

Derek B. Smith
OhioHealth IT
UNIX / TSM / EDM Teams


Albert Reiner
Sent by: gnupg-users-bounces+dbsmith=ohiohealth.com@gnupg.org
03/15/2005 11:47 AM

To: kraymer@kraymer.com
cc: gnupg-users@gnupg.org
Subject: Re: Decryption via UNIX shell script


[kraymer@kraymer.com, Mon, 14 Mar 2005 16:35:07 -0600 (CST)]:
> I am writing a shell script to automatically decrypt an encrypted file
> using GPG. How do I send the passphrase to the executable (GPG). I want
> no human intervention on this. I'm calling the shell script from a batch
> file to decrypt the file.
>
> Anyone have a UNIX shell script (Korn Shell) that does this?

Read the man page; there is some --...-fd option you can use.

Albert.

From wk at gnupg.org Tue Mar 15 18:22:11 2005
From: wk at gnupg.org (Werner Koch)
Date: Tue Mar 15 19:24:08 2005
Subject: [Announce] GnuPG 1.4.1 News
Message-ID: <87wts86czg.fsf@wheatstone.g10code.de>

Hello!

I forgot to insert the NEWS for 1.4.1; there are actually not as many as
for the last release. Here we go:

    * New --rfc2440-text option which controls how text is handled in
      signatures. This is in response to some problems seen with certain
      PGP/MIME mail clients and GnuPG version 1.4.0. More details about
      this are available at .

    * New "import-unusable-sigs" and "export-unusable-sigs" tags for
      --import-options and --export-options. These are off by default,
      and cause GnuPG to not import or export key signatures that are not
      usable (e.g. expired signatures).

    * New experimental HTTP, HTTPS, FTP, and FTPS keyserver helper that
      uses the cURL library to retrieve keys. This is disabled by
      default, but may be enabled with the configure option
      --with-libcurl. Without this option, the existing HTTP code is
      used for HTTP, and HTTPS, FTP, and FTPS are not supported.

    * When running a --card-status or --card-edit and a public key is
      available, missing secret key stubs will be created on the fly.
      Details of the key are listed too.

    * The implicit packet dumping in double verbose mode is now sent to
      stderr and not to stdout.

    * Added countermeasures against the Mister/Zuccherato CFB attack .

    * [W32] The algorithm for the default home directory changed: First
      we look at the environment variable GNUPGHOME, if this one is not
      set, we check whether the registry entry
      {HKCU,HKLM}\Software\GNU\GnuPG:HomeDir has been set. If this fails
      we use a GnuPG directory below the standard application data
      directory (APPDATA) of the current user. Only in the case that
      this directory cannot be determined, the old default of c:\gnupg
      will be used. The option --homedir still overrides all of them.

    * [W32] The locale selection under Windows changed. You need to
      enter the locale in the registry at HKCU\Software\GNU\GnuPG:Lang.
      For German you would use "de". If it is not set, GnuPG falls back
      to HKLM. The languages files "*.mo" are expected in a directory
      named "gnupg.nls" below the installation directory; that directory
      must be stored in the registry at the same key as above with the
      name "Install Directory".

    * Add new --edit-key command "bkuptocard" to allow restoring a card
      key from a backup.

    * The "fetch" command of --card-edit now retrieves the key using the
      default keyserver if no URL has been stored on the card.

    * New configure option --enable-noexecstack.

Shalom-Salam,

   Werner

-- 
Werner Koch                                      The GnuPG Experts
http://g10code.com                                  Free Software Foundation Europe
http://fsfeurope.org

From admin at buddhalinux.org Tue Mar 15 19:40:07 2005
From: admin at buddhalinux.org (Thomas Jones)
Date: Tue Mar 15 19:28:38 2005
Subject: Decryption via UNIX shell script
In-Reply-To: <50210.69.7.177.2.1110839707.squirrel@69.7.177.2>
References: <50210.69.7.177.2.1110839707.squirrel@69.7.177.2>
Message-ID: <200503151240.12785.admin@buddhalinux.org>

On Monday 14 March 2005 04:35 pm, kraymer@kraymer.com wrote:
> I am writing a shell script to automatically decrypt an encrypted file
> using GPG. How do I send the passphrase to the executable (GPG). I want
> no human intervention on this. I'm calling the shell script from a batch
> file to decrypt the file.
>
> Anyone have a UNIX shell script (Korn Shell) that does this?
>
> Thanks!
>
> Kelly Raymer

I use one file readable only by root for all local scripts. And run the
scripts in a jail or sandbox.

I would also mention that you need to be sure not to export the variable
into the user's environment. Be sure to keep the scope of the password(s)
contained within the script's execution processes themselves.

From shavital at mac.com Tue Mar 15 20:08:23 2005
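Putting Derek's --passphrase-fd answer and Thomas's advice on scoping together, here is an added POSIX sh example (not either poster's own script) of unattended decryption that refuses to run unless the passphrase file is locked down and never lets the secret reach the command line or the environment. The file names, the permission check via ls -ld and the use of fd 3 are assumptions.

```shell
#!/bin/sh
# Added example (not from either reply): unattended decryption that feeds the
# passphrase to gpg over a file descriptor, as Derek describes, while keeping
# its scope as narrow as Thomas asks for:
#   - the passphrase file must be a regular file owned by the invoking user
#     with no group/other permission bits, otherwise we refuse to run;
#   - the passphrase never goes on the command line (visible in ps) and is
#     never exported into the environment (inherited by every child);
#   - gpg reads only the first line of fd 3, opened just for that command.
# File names are assumptions. GnuPG 2.1 and later additionally need
# --pinentry-mode loopback for --passphrase-fd to be honoured.

# passphrase_file_ok FILE: 0 if FILE is a regular file, owned by us, with
# mode 0?00 (e.g. 0600 or 0400); 1 otherwise. Parses ls -ld rather than
# stat(1) so it behaves the same on GNU and BSD systems.
passphrase_file_ok() {
    [ -f "$1" ] || return 1
    ls -ld "$1" | awk -v me="$(id -un)" \
        '{ exit !(substr($1, 5, 6) == "------" && $3 == me) }'
}

# decrypt_file PASSFILE INPUT OUTPUT: decrypt INPUT into OUTPUT without any
# interaction. Returns 2 without ever invoking gpg when a precondition fails.
decrypt_file() {
    passphrase_file_ok "$1" || {
        echo "refusing to run: $1 missing, not ours, or too permissive" >&2
        return 2
    }
    [ -f "$2" ] || { echo "no such input: $2" >&2; return 2; }
    # The redirection 3< opens the passphrase file on fd 3 for this single
    # gpg invocation only; the shell's environment never holds the secret.
    gpg --batch --no-tty --passphrase-fd 3 \
        --output "$3" --decrypt "$2" 3< "$1"
}
```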
From: shavital at mac.com (Charly Avital)
Date: Tue Mar 15 20:05:02 2005
Subject: MacGPG 1.4.1. - [Announce] GnuPG 1.4.1 released
In-Reply-To: <873buw7svj.fsf@wheatstone.g10code.de>
References: <873buw7svj.fsf@wheatstone.g10code.de>
Message-ID: <4616ea53410b6118ee75bc889925e45b@mac.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Configured for: Darwin (powerpc-apple-darwin 7.8.0), and running fine
under Mac OS X 10.3.8

Thanks to David, Timo and Werner.

Charly

On Mar 15, 2005, at 11:53 AM, Werner Koch wrote:
[...]
> Thanks
> ======
>
> We have to thank all the people who helped with this release, be it
> testing, coding, translating, suggesting, auditing, administering the
> servers, spreading the word or answering questions on the mailing
> lists. Kudos to David Shaw who did most of the new features in 1.4
> and discussed various OpenPGP problems in lengths at several working
> groups.
>
> Happy Hacking,
>
> The GnuPG Team (David, Timo and Werner)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)
Comment: GnuPG for Privacy
-----END PGP SIGNATURE-----

From bpm at idiom.com Tue Mar 15 19:24:03 2005
From: bpm at idiom.com (Breen Mullins)
Date: Tue Mar 15 20:17:34 2005
Subject: [Announce] GnuPG 1.4.1 released
Message-ID: <20050315182403.GB53463@idiom.com>

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Tue, 15 Mar 2005 17:53:36 +0100GMT (15-3-2005, 17:53 +0100, where I
> live), Werner Koch wrote:
>
> > We are pleased to announce the availability of a new stable GnuPG
> > release: Version 1.4.1

Glad to see the release. At the moment I don't see a signature for the
diff file at ftp://ftp.gnupg.org/gcrypt/ .

Breen
-- 
Breen Mullins
Menlo Park, California

From wk at gnupg.org Tue Mar 15 22:26:20 2005
From: wk at gnupg.org (Werner Koch)
Date: Tue Mar 15 22:55:19 2005
Subject: [Announce] GnuPG 1.4.1 released
In-Reply-To: <20050315182403.GB53463@idiom.com> (Breen Mullins's message of "Tue, 15 Mar 2005 10:24:03 -0800")
References: <20050315182403.GB53463@idiom.com>
Message-ID: <87ekeg61oj.fsf@wheatstone.g10code.de>

On Tue, 15 Mar 2005 10:24:03 -0800, Breen Mullins said:

> Glad to see the release. At the moment I don't see a signature for the
> diff file at ftp://ftp.gnupg.org/gcrypt/ .

The diff files carry an embedded signature, similar to "gpg --clearsign":

  bzcat gnupg-1.4.0-1.4.1.diff.bz2 | gpg --verify

will work.

Salam-Shalom,

   Werner

From dougb at dougbarton.net Wed Mar 16 00:31:03 2005
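The "Checking the Integrity" procedure from the announcement and Werner's note above on the diff file's embedded signature, as one added POSIX sh example that is not part of either message: the SHA-1 list is copied from the announcement, while the file names, EXPECTED_FPR (a placeholder for the signing key's fingerprint, which must be obtained from an independent source as the announcement says) and the parsing of gpg's --status-fd output are assumptions.

```shell
#!/bin/sh
# Added example (not the announcement's own script): verify a downloaded
# GnuPG 1.4.1 release file the way the announcement describes.
#   1. Prefer the detached OpenPGP signature, checked with an ALREADY
#      INSTALLED gpg, never the copy you just downloaded.
#   2. Accept the signature only if it was made by the expected key; a
#      "good signature" from some arbitrary key proves nothing.
#   3. The *.diff.bz2 file has no .sig: it carries an embedded signature,
#      so it is checked with  bzcat FILE | gpg --verify  as Werner notes.
#   4. Without a trusted gpg, fall back to the SHA-1 list.
# The SHA-1 list is the one from the announcement. EXPECTED_FPR is a
# placeholder; the real fingerprint must come from an independent source.

RELEASE_SHA1='ebd16ef9d3fd3c38e38cf39e6347ed058fd12840  gnupg-1.4.1.tar.bz2
f8e982d5e811341a854ca9c15feda7d5aba6e09a  gnupg-1.4.1.tar.gz
db573a6c3707f65797b569efda7e0905c4c4469c  gnupg-w32cli-1.4.1.exe'

EXPECTED_FPR='0000000000000000000000000000000000000000'   # placeholder

# expected_sha1 LIST NAME: print the hash LIST gives for NAME; fail if absent.
expected_sha1() {
    printf '%s\n' "$1" | awk -v name="$2" \
        '$2 == name { print $1; found = 1 } END { exit !found }'
}

# check_sha1 FILE LIST: 0 = matches, 1 = mismatch, 2 = FILE not in LIST.
check_sha1() {
    _want=$(expected_sha1 "$2" "$(basename "$1")") || return 2
    _have=$(sha1sum "$1" | awk '{ print $1 }')
    [ "$_have" = "$_want" ]
}

# signed_by STATUS FPR: 0 if gpg's --status-fd output STATUS contains a
# VALIDSIG line whose fingerprint is FPR. GOODSIG alone is not enough:
# it only says that *some* key in the keyring made the signature.
signed_by() {
    printf '%s\n' "$1" | awk -v fpr="$2" \
        '$1 == "[GNUPG:]" && $2 == "VALIDSIG" && $3 == fpr { ok = 1 }
         END { exit !ok }'
}

# gpg_verify FILE [SIGFILE]: run the installed gpg, collect its machine
# readable status lines on stdout, and require a VALIDSIG by EXPECTED_FPR.
# Without SIGFILE the file is taken to carry an embedded signature.
gpg_verify() {
    if [ -n "$2" ]; then
        _st=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null)
    else
        _st=$(bzcat "$1" | gpg --status-fd 1 --verify 2>/dev/null)
    fi
    signed_by "$_st" "$EXPECTED_FPR"
}

# verify_release FILE: dispatch as described in the comments above.
# Returns 3 when a diff file is given but no trusted gpg is installed.
verify_release() {
    case $1 in
        *.diff.bz2)
            command -v gpg >/dev/null 2>&1 || return 3
            gpg_verify "$1" ;;
        *)
            if command -v gpg >/dev/null 2>&1 && [ -f "$1.sig" ]; then
                gpg_verify "$1" "$1.sig"
            else
                check_sha1 "$1" "$RELEASE_SHA1"
            fi ;;
    esac
}
```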
From: dougb at dougbarton.net (Doug Barton)
Date: Wed Mar 16 01:02:49 2005
Subject: [Announce] GnuPG 1.4.1 released
In-Reply-To: <873buw7svj.fsf@wheatstone.g10code.de>
References: <873buw7svj.fsf@wheatstone.g10code.de>
Message-ID: <42377037.6020102@dougbarton.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Werner Koch wrote:
| Hello!
|
| We are pleased to announce the availability of a new stable GnuPG
| release: Version 1.4.1

Passes all tests on FreeBSD 4.11-Stable, and 6-Current. I've passed a port
update to the port's maintainer, should be in the ports tree soon.

Doug

- -- 
If you're never wrong, you're not trying hard enough

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)
-----END PGP SIGNATURE-----

From x-phile at cryptophiles.net Wed Mar 16 01:19:15 2005
From: x-phile at cryptophiles.net (Terry Soucy)
Date: Wed Mar 16 01:15:38 2005
Subject: rpm build troubles with 1.4.1
Message-ID: <200503152019.17752.x-phile@cryptophiles.net>

I built RPMs from 1.4.0 earlier this afternoon with no troubles, but I get
this with 1.4.1 ...

make[2]: Entering directory `/usr/src/packages/BUILD/gnupg-1.4.1/keyserver'
test -z "/var/tmp/rpmbuild_gnupg-1.4.1//usr/libexec/gnupg" || mkdir -p -- "/var/tmp/rpmbuild_gnupg-1.4.1/var/tmp/rpmbuild_gnupg-1.4.1//usr/libexec/gnupg"
/usr/bin/install -c 'gpgkeys_hkp' '/var/tmp/rpmbuild_gnupg-1.4.1/var/tmp/rpmbuild_gnupg-1.4.1//usr/libexec/gnupg/gpgkeys_hkp'
/usr/bin/install -c 'gpgkeys_finger' '/var/tmp/rpmbuild_gnupg-1.4.1/var/tmp/rpmbuild_gnupg-1.4.1//usr/libexec/gnupg/gpgkeys_finger'
/usr/bin/install -c 'gpgkeys_http' '/var/tmp/rpmbuild_gnupg-1.4.1/var/tmp/rpmbuild_gnupg-1.4.1//usr/libexec/gnupg/gpgkeys_http'
test -z "/var/tmp/rpmbuild_gnupg-1.4.1//usr/libexec/gnupg" || mkdir -p -- "/var/tmp/rpmbuild_gnupg-1.4.1/var/tmp/rpmbuild_gnupg-1.4.1//usr/libexec/gnupg"

Note the mkdir lines. This errors out with a standard Bad exit status. I'm
running Suse 9.2 (but that shouldn't matter since I built 1.4.0 with no
errors earlier).

Terry
-- 
Terry Soucy
Key fingerprint = DD46 C49C 6352 C7B0 15EE 5024 6851 22FF 1A79 1AD5
http://www.terrysoucy.ca

From jharris at widomaker.com Wed Mar 16 01:43:38 2005
From: jharris at widomaker.com (Jason Harris)
Date: Wed Mar 16 01:39:54 2005
Subject: [Announce] GnuPG 1.4.1 released
In-Reply-To: <42377037.6020102@dougbarton.net>
References: <873buw7svj.fsf@wheatstone.g10code.de> <42377037.6020102@dougbarton.net>
Message-ID: <20050316004338.GB9105@wilma.widomaker.com>

On Tue, Mar 15, 2005 at 03:31:03PM -0800, Doug Barton wrote:
> Werner Koch wrote:
> | We are pleased to announce the availability of a new stable GnuPG
> | release: Version 1.4.1
>
> Passes all tests on FreeBSD 4.11-Stable, and 6-Current. I've passed a port
> update to the port's maintainer, should be in the ports tree soon.

[I don't see a FreeBSD PR for this, so...]
Does it specifically add --enable-mailto to install gpgkeys_mailto,
and does it include a way to enable the CURL support?

-- 
Jason Harris           |  NIC:  JH329, PGP:  This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web:  http://keyserver.kjsl.com/~jharris/
          Got photons?   (TM), (C) 2004

From dshaw at jabberwocky.com Wed Mar 16 02:05:24 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed Mar 16 02:02:09 2005
Subject: [Announce] GnuPG 1.4.1 released
In-Reply-To: <20050316004338.GB9105@wilma.widomaker.com>
References: <873buw7svj.fsf@wheatstone.g10code.de> <42377037.6020102@dougbarton.net> <20050316004338.GB9105@wilma.widomaker.com>
Message-ID: <20050316010524.GA19414@jabberwocky.com>

On Tue, Mar 15, 2005 at 07:43:38PM -0500, Jason Harris wrote:
> On Tue, Mar 15, 2005 at 03:31:03PM -0800, Doug Barton wrote:
> > Werner Koch wrote:
> > | We are pleased to announce the availability of a new stable GnuPG
> > | release: Version 1.4.1
> >
> > Passes all tests on FreeBSD 4.11-Stable, and 6-Current. I've passed a port
> > update to the port's maintainer, should be in the ports tree soon.
>
> [I don't see a FreeBSD PR for this, so...]
> Does it specifically add --enable-mailto to install gpgkeys_mailto,
> and does it include a way to enable the CURL support?

While I'm all in favor of people using (and testing) the cURL support,
please do remember it's still experimental.

David

From kfitzner at excelcia.org Wed Mar 16 01:33:11 2005
From: kfitzner at excelcia.org (Kurt Fitzner)
Date: Wed Mar 16 02:31:23 2005
Subject: [Announce] GnuPG 1.4.1 released
In-Reply-To: <873buw7svj.fsf@wheatstone.g10code.de>
References: <873buw7svj.fsf@wheatstone.g10code.de>
Message-ID: <42377EC7.3000009@excelcia.org>

Werner Koch wrote:
> We are pleased to announce the availability of a new stable GnuPG
> release: Version 1.4.1

Does this release correct the bug when using
--delete-secret-and-public-keys in expert mode where only the public key
is deleted?

From dougb at dougbarton.net Wed Mar 16 02:35:35 2005
From: dougb at dougbarton.net (Doug Barton)
Date: Wed Mar 16 03:10:36 2005
Subject: [Announce] GnuPG 1.4.1 released
In-Reply-To: <20050316010524.GA19414@jabberwocky.com>
References: <873buw7svj.fsf@wheatstone.g10code.de> <42377037.6020102@dougbarton.net> <20050316004338.GB9105@wilma.widomaker.com> <20050316010524.GA19414@jabberwocky.com>
Message-ID: <42378D67.8040909@dougbarton.net>

David Shaw wrote:
> On Tue, Mar 15, 2005 at 07:43:38PM -0500, Jason Harris wrote:
>
>>On Tue, Mar 15, 2005 at 03:31:03PM -0800, Doug Barton wrote:
>>
>>>Werner Koch wrote:
>>
>>>| We are pleased to announce the availability of a new stable GnuPG
>>>| release: Version 1.4.1
>>>
>>>Passes all tests on FreeBSD 4.11-Stable, and 6-Current. I've passed a port
>>>update to the port's maintainer, should be in the ports tree soon.
>>
>>[I don't see a FreeBSD PR for this, so...]
>>Does it specifically add --enable-mailto to install gpgkeys_mailto,

I didn't include that, no. Jun might want to though.

>>and does it include a way to enable the CURL support?
>
> While I'm all in favor of people using (and testing) the cURL support,
> please do remember it's still experimental.

Yeah, I did not include this for that reason, but once again, I'm not the
port maintainer, I just wanted to help make sure we get this one updated
before our next ports freeze. I put the patch I sent Jun at
http://people.freebsd.org/~dougb/gnupg.diff if anyone is interested in
experimenting with it.

Enjoy,

Doug

-- 
If you're never wrong, you're not trying hard enough

From dshaw at jabberwocky.com Wed Mar 16 02:58:38 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed Mar 16 03:45:24 2005
Subject: [Announce] GnuPG 1.4.1 released
In-Reply-To: <42377EC7.3000009@excelcia.org>
References: <873buw7svj.fsf@wheatstone.g10code.de> <42377EC7.3000009@excelcia.org>
Message-ID: <20050316015838.GB19414@jabberwocky.com>

On Tue, Mar 15, 2005 at 05:33:11PM -0700, Kurt Fitzner wrote:
> Werner Koch wrote:
> > We are pleased to announce the availability of a new stable GnuPG
> > release: Version 1.4.1
>
> Does this release correct the bug when using
> --delete-secret-and-public-keys in expert mode where only the public key
> is deleted?

Yes.

David

From kzhtf at r6.dion.ne.jp Wed Mar 16 03:06:22 2005
From: kzhtf at r6.dion.ne.jp (FUKUDA Kazuhito)
Date: Wed Mar 16 03:47:39 2005
Subject: [Announce] GnuPG 1.4.1 released
In-Reply-To: <1838292421.20050315190649@wanadoo.nl>
References: <873buw7svj.fsf@wheatstone.g10code.de> <1838292421.20050315190649@wanadoo.nl>
Message-ID: <4237949E.1030708@r6.dion.ne.jp>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Hello.

I can suggest one patch for gnupg.spec.

- --- ../SOURCES/gnupg-1.4.1/gnupg.spec 2005-03-16 00:53:02.000000000 +0900 +++ gnupg.spec 2005-03-16 10:43:11.000000000 +0900
@@ -188,14 +188,14 @@ %attr (0755,root,root) %{_libexecdir}/gnupg/* %post - -/sbin/install-info %{_infodir}/gpg.info %{_infodir}/dir 2>/dev/null || : - -/sbin/install-info %{_infodir}/gpgv.info %{_infodir}/dir 2>/dev/null || : +/sbin/install-info %{_infodir}/gpg.info.gz %{_infodir}/dir 2>/dev/null || : +/sbin/install-info %{_infodir}/gpgv.info.gz %{_infodir}/dir 2>/dev/null || : %preun if [ $1 = 0 ]; then - - /sbin/install-info --delete %{_infodir}/gpg.info \ + /sbin/install-info --delete %{_infodir}/gpg.info.gz \ %{_infodir}/dir 2>/dev/null || : - - /sbin/install-info --delete %{_infodir}/gpgv.info \ + /sbin/install-info --delete %{_infodir}/gpgv.info.gz \ %{_infodir}/dir 2>/dev/null || : fi -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFCN5SeVZNRNqjlRv0RA159AJ9wEBqB0JM/m3tcccfGuUgpqU8DZACePZLD 6vb4U3xcWcRnb3ZuoamBcgQ= =/kpp -----END PGP SIGNATURE----- From info at cilly.com Tue Mar 15 23:14:01 2005 
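Review bot: the %post and %preun lines now hardcode the compressed name (`%{_infodir}/gpg.info.gz`, `%{_infodir}/gpgv.info.gz`), so the spec only works on a build host whose doc compression gzips the info pages; where they are left uncompressed or compressed differently, the trailing `|| :` on every line swallows the install-info failure and the dir entry is silently never added or removed. Consider matching either form instead, for example `for f in %{_infodir}/gpg.info %{_infodir}/gpg.info.gz; do [ -e "$f" ] && /sbin/install-info "$f" %{_infodir}/dir; done 2>/dev/null || :`, with the same loop and `--delete` in %preun. Also note the removed lines appear as `- -/sbin/...` because the clearsigned message dash-escapes them; the patch will not apply as pasted until the text is extracted with gpg (e.g. `gpg --decrypt`), which undoes that escaping.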
From: info at cilly.com (Michael C. Haller)
Date: Wed Mar 16 08:14:04 2005
Subject: [Macgpg-users] MacGPG 1.4.1. - [Announce] GnuPG 1.4.1 released
In-Reply-To: <4616ea53410b6118ee75bc889925e45b@mac.com>
References: <873buw7svj.fsf@wheatstone.g10code.de> <4616ea53410b6118ee75bc889925e45b@mac.com>
Message-ID: <17fdca98112b10acbc080e54788bc271@cilly.com>

Hm, atm I can't see that version 1.4.1 has been released, yet.

Or maybe the homepage http://www.gnupg.org has not been updated, yet?

Michael

On Mar 15, 2005, at 20:08, Charly Avital wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Configured for: Darwin (powerpc-apple-darwin 7.8.0), and running fine
> under Mac OS X 10.3.8
>
> Thanks to David, Timo and Werner.
>
> Charly
>
> On Mar 15, 2005, at 11:53 AM, Werner Koch wrote:
> [...]
>
>> Thanks
>> ======
>>
>> We have to thank all the people who helped with this release, be it
>> testing, coding, translating, suggesting, auditing, administering the
>> servers, spreading the word or answering questions on the mailing
>> lists. Kudos to David Shaw who did most of the new features in 1.4
>> and discussed various OpenPGP problems in lengths at several working
>> groups.
>>
>> Happy Hacking,
>>
>> The GnuPG Team (David, Timo and Werner)
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (Darwin)
> Comment: GnuPG for Privacy
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Macgpg-users mailing list
> Macgpg-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/macgpg-users
>

From scc4fun at spamcop.net Wed Mar 16 05:43:15 2005
From: scc4fun at spamcop.net (Sean C. C.) Date: Wed Mar 16 08:14:07 2005 Subject: 1.4.1 announced Message-ID: <4237B963.2060001@spamcop.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 After reading the announcement cross-posted on the enigmail and pgp-basics @ yahoo lists, and reading what minimal information is on the gnupg.org website (I couldn't find anything on there other than the download and a reference to a seemingly nonexistent NEWS file), I noticed that it speaks very little about upgrading. Actually this is the only information I could find: >Upgrade Information >=================== > >If you are upgrading from a version prior to 1.0.7, you should run the >script tools/convert-from-106 once. Please note also that due to a >bug in versions prior to 1.0.6 it may not be possible to downgrade to >such versions unless you apply the patch >http://www.gnupg.org/developer/gpg-woody-fix.txt . > >If you have any problems, please see the FAQ and the mailing list >archive at http://lists.gnupg.org. Please direct questions to the >gnupg-users@gnupg.org mailing list. Are there any concerns with upgrading from gnupg 1.4.0a on win32 (WinXP Pro)? Thanks, Sean -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFCN7ljRuOsNo+q2bkRAhnKAJ9tWODtwWgqE3BDPdhzLNHDl9pvHACaA4lE +UL52W1VokjpWEIPKcItrVU= =8eXX -----END PGP SIGNATURE----- From npcole at yahoo.co.uk Wed Mar 16 11:06:01 2005
From: npcole at yahoo.co.uk (Nicholas Cole) Date: Wed Mar 16 11:02:56 2005 Subject: memory on OS X Message-ID: <20050316100601.67872.qmail@web25403.mail.ukl.yahoo.com> I've just compiled gnupg-1.4.1 on Mac OS X, and noticed that it does not give the warning I'm used to on Linux about secure memory. Is that normal? There is a configure option to --enable-m-guard, but I can't find any documentation about it. Best, N From johanw at vulcan.xs4all.nl Wed Mar 16 10:27:20 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Wed Mar 16 11:28:45 2005 Subject: [Announce] GnuPG 1.4.1 released In-Reply-To: <873buw7svj.fsf@wheatstone.g10code.de> from Werner Koch at "Mar 15, 2005 05:53:36 pm" Message-ID: <200503160927.KAA00883@vulcan.xs4all.nl> Werner Koch wrote: >We are pleased to announce the availability of a new stable GnuPG >release: Version 1.4.1 Good. I was wondering how long it would take after rc2. :-) Works OK on Linux libc5 system, all tests pass and pgp2 compatibility is OK. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From thomas at tzis.net Wed Mar 16 11:44:48 2005
From: thomas at tzis.net (Thomas Zangl - Home) Date: Wed Mar 16 11:40:44 2005 Subject: Saving photo of a key to a given filename Message-ID: Hi, I am using GnuPG on a Win32 box and I have written a small keyring manager in Delphi. I thought a good idea would be to display the photo associated with a KeyId if it exists. Here is my problem: how can I get the photo data from GnuPG via batch mode using plain Windows utilities? TIA! Best regards, -- ---------------------------------------------------------------- ,yours Thomas Zangl -thomas@tzi.dhs.org- -TZ1-6BONE- -http://tzi.dhs.org - http://www.borg-kindberg.ac.at Use YAMC! now! Get it at http://www.borg-kindberg.ac.at/yamc/ From hhhobbit7 at netscape.net Wed Mar 16 15:11:29 2005
From: hhhobbit7 at netscape.net (Henry Hertz Hobbit) Date: Wed Mar 16 15:08:07 2005 Subject: Phil Zimmerman Message-ID: <28C8264C.42EE737D.0307202B@netscape.net> gnupg-users-@gnupg.org wrote (in the Digest): > Subject: Current Zimmerman > To: gnupg-users@gnupg.org > > ALL: > > Does anybody know the most up to date URL pages on where Phil > Zimmerman is and what he is doing? Evidently, everything I am > trying is the wrong way to go about it in search engines. > I did see the page where he embedded his phone number in the > text, and wondered if that one is the most current one (which > alas, I did not bookmark). I wrote the query but was curious why you posted my query but not Werner's reply. Here is what Werner gave me: www: http://web.mit.edu/prz I won't give the rest because all of it is on the web page. I hope he is doing well. Most of you cannot remember what it was like in the old days. Most encryption books cost near $100. Even though I was working with some encryption code professionally at the time, when I tried to purchase the books, I couldn't get them. If they were classified as munitions, you could not buy them. Phil went through a lot to open things up in the United States. Shalom back at you Werner HHH -- Key Name: "Henry Hertz Hobbit" pub 1024D/1CC23BC0 2005-03-08 [expires: 2006-03-08] Key fingerprint = 9CD0 839E 79C9 5E20 B97A 15A6 9AB7 484D 1CC2 3BC0 From brunij at earthlink.net Wed Mar 16 15:34:07 2005
From: brunij at earthlink.net (Joseph Bruni) Date: Wed Mar 16 15:30:35 2005 Subject: memory on OS X In-Reply-To: <20050316100601.67872.qmail@web25403.mail.ukl.yahoo.com> References: <20050316100601.67872.qmail@web25403.mail.ukl.yahoo.com> Message-ID: <382ae956e741368592cbb7b9eb71e033@earthlink.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Yes. OS X does not require a process to run as root to request locked memory (up to a limit). See the man page on the "mlock()" function. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (Darwin) iQEVAwUBQjhD51GV1jrNVRjHAQhlEgf9GEQkqoUKzpEg6s/bRjx6y59Do5W4oqxx GtxiG3hziuUEq+grhjdYTLl8lzgOliFOMAkxU172itBVtpHDTtPdu9EkMqQrqGLv o5qWTDzHOreO+rZSJM37yElDQU7oEmYchbxE4oPN5bfs2zE+LsFWuJI67cVW5pvh sjvGWWL+mLCrnHvAqIabUd1syNrlGCZGv9iGi+BvvdCG8FOKvsDiG0RZMgiwnT6i Tv7FtvbPRCdPmCtyjpUZhRPp20yMvo7paZZKD/5ig9Q2z2HW6rdb2aeIM+DQG5+D EJemv8DVs29e8uw4uEmGMVNqkC2jtnen5NPnxTZ75WoT6FGZqYZTMQ== =bAFw -----END PGP SIGNATURE----- From sk at intertivity.com Wed Mar 16 15:49:27 2005
From: sk at intertivity.com (Sascha Kiefer) Date: Wed Mar 16 15:45:43 2005 Subject: Saving photo of a key to a given filename In-Reply-To: References: Message-ID: <42384777.1040704@intertivity.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 hi. you can use the photo-viewer option. example: - --photo-viewer \"cmd /c copy /Y \"%i\"filename.tmp\"\" will copy the picture-file to filename.tmp Have fun - --sk -----BEGIN PGP SIGNATURE----- Version: PGP 8.1 iQA/AwUBQjhHYAInDejiptdCEQJJ9ACguWmhoH6+p0XFf59Au221T2CIrIIAnjqV D/7R/nimc5msiEV3NctdxEPd =u+zO -----END PGP SIGNATURE----- Thomas Zangl - Home schrieb: > >Hi, > >I am using GnuPG on a Win32 box and I have written a small keyring >manager in Delphi. I thought a good idea would be, to display the photo >associated with a KeyId if it exist. > >Here is my problem: how can I get the photo-data from GnuPG via >batchmode using plain Windows utilities? > >TIA! > >Best regards, > > From gpg at jason.markley.name Wed Mar 16 16:32:51 2005 
From: gpg at jason.markley.name (Jason Markley) Date: Wed Mar 16 16:29:41 2005 Subject: 1.4.0a won't retrieve key from keyserver? In-Reply-To: <20050111160757.GC6496@jabberwocky.com> References: <41E30E4B.5070109@jason.markley.name> <20050111030612.GA28753@jabberwocky.com> <41E3CCB9.2030803@jason.markley.name> <20050111160757.GC6496@jabberwocky.com> Message-ID: <423851A3.5030604@jason.markley.name> David, Sorry to bring this back up when it's supposed to be fixed, but with 1.4.1 I'm still having the same issue as before. Do you know what bug # it was specifically that was 'fixed'? Thanks. (http and hkp server types don't seem to work, but if I retrieve using ldap, it seems to work. The end problem is that enigmail can't work through to completion because if I tell enigmail to use ldap, it can't search, and if I tell it to use http, it searches fine, but can't retrieve.) -Jason David Shaw wrote: >On Tue, Jan 11, 2005 at 07:55:21AM -0500, Jason Markley wrote: > > >>Here ya go....hope this helps..... >> >> > >Ah, this is a win32-specific bug that was fixed already. The fix will >be part of 1.4.1. > >David > >_______________________________________________ >Gnupg-users mailing list >Gnupg-users@gnupg.org >http://lists.gnupg.org/mailman/listinfo/gnupg-users > > From thomas at tzis.net Wed Mar 16 17:28:02 2005
From: thomas at tzis.net (Thomas Zangl - Home) Date: Wed Mar 16 17:23:44 2005 Subject: Saving photo of a key to a given filename In-Reply-To: <42384777.1040704@intertivity.com> Message-ID: Am Wed, 16 Mar 2005 15:49:27 +0100, schrieb "Sascha Kiefer" : Hi, >you can use the photo-viewer option. >example: > >- --photo-viewer \"cmd /c copy /Y \"%i\"filename.tmp\"\" > >will copy the picture-file to filename.tmp Does work from the command line but not from within my Delphi App. It seems that "cmd" is not called at all - maybe because GPG is called from within a temporary batchfile which is executed through "CreateProcess"... Is there no easy way to get the jpeg w/o using tempfiles etc..? (Like I can parse the --list-keys output etc...) Best regards, -- ---------------------------------------------------------------- ,yours Thomas Zangl -thomas@tzi.dhs.org- -TZ1-6BONE- -http://tzi.dhs.org - http://www.borg-kindberg.ac.at Use YAMC! now! Get it at http://www.borg-kindberg.ac.at/yamc/ From JPClizbe at comcast.net Wed Mar 16 19:01:02 2005 
From: JPClizbe at comcast.net (John Clizbe) Date: Wed Mar 16 18:57:55 2005 Subject: 1.4.1 announced In-Reply-To: <4237B963.2060001@spamcop.net> References: <4237B963.2060001@spamcop.net> Message-ID: <4238745E.2020906@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Sean C. C. wrote: > After reading the announcement from cross-posted on the enigmail and > pgp-basics @ yahoo lists, and reading what minimal information is on the > gnupg.org website (I couldn't find anything on there other than the > download and a reference to a seemingly nonexistent NEWS file.) I > noticed that it speaks very little about upgrading. Actually this is the > only information I could find: > >>>Upgrade Information >>>=================== >>> >>>If you are upgrading from a version prior to 1.0.7, you should run the >>>script tools/convert-from-106 once. Please note also that due to a >>>bug in versions prior to 1.0.6 it may not be possible to downgrade to >>>such versions unless you apply the patch >>>http://www.gnupg.org/developer/gpg-woody-fix.txt . >>> >>>If you have any problems, please see the FAQ and the mailing list >>>archive at http://lists.gnupg.org. Please direct questions to the >>>gnupg-users@gnupg.org mailing list. > > Are there any concerns with upgrading from gnupg 1.4.0a on win32 (WinXP > Pro)? NEWS file: http://lists.gnupg.org/pipermail/gnupg-users/2005-March/025131.html Melissa Reese started a nice upgrade thread over on PGP-Basics. Perhaps you could check that. Your upgrade concerns will mainly be dependent upon how you first setup GnuPG. If you followed the old C:\GnuPG way you'll have more to change than if you followed the page at http://enigmail.mozdev.org/gpgconf.html. (Points go to Werner - his program location is /more correct/ than ours.) We agree on the keyring location, is all that should need to be changed in your PATH. FWIW the only change I had to make after using the installer was to add the characters "Gnu/" to my PATH environment variable. 
Of course, YMMV. If you use other programs such as GPGshell, WinPT, or GPGrelay, they make use of non-GnuPG registry entries such as OptFile and gpgProgram - You will have to fix these yourself. BTW, I had to change some of my build scripts to reference \Gnu\GnuPG instead of just \GnuPG under %ProgramFiles%, but that will only affect folks who build the code for themselves. We'll be rewriting the gpgconf page at the Enigmail site in the next few days to reflect the 1.4.1 installer. - -- John P. Clizbe Inet: John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10 "what's the key to success?" / "two words: good decisions." "what's the key to good decisions?" / "one word: experience." "how do i get experience?" / "two words: bad decisions." "Just how do the residents of Haiku, Hawai'i hold conversations?" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Be part of the ?33t ECHELON -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFCOHRbHQSsSmCNKhARAi03AKC/pURzrGcWazESCaZGLAojwXIGLACeOUjt 7OYqv1JY090YYw4b4gChdsE= =uFoJ -----END PGP SIGNATURE----- From sk at intertivity.com Wed Mar 16 18:38:13 2005 
From: sk at intertivity.com (Kiefer, Sascha) Date: Wed Mar 16 19:54:49 2005 Subject: Saving photo of a key to a given filename In-Reply-To: Message-ID: <000401c52a4e$ee432280$f500a8c0@HOME> Well, I use a C++ program to do the same (using CreateProcess and redirecting STDIN, STDOUT, STDERR). My code is

    STARTUPINFO si;
    BOOL result;

    memset(&si, 0, sizeof(si));
    si.cb = sizeof(si);
    si.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
    si.hStdInput  = m_childstdinrd;    /* gpg reads --command-fd input from this pipe */
    si.hStdOutput = m_childstdoutwr;   /* --status-fd 1 output arrives through this pipe */
    si.hStdError  = m_childstderrwr;
    si.wShowWindow = SW_HIDE;

    /* bInheritHandles is TRUE so that gpg actually receives the three pipe
       handles above. CreateProcessA may modify lpCommandLine in place, so
       the command line should be a writable copy rather than a pointer
       obtained by casting away const from c_str(). */
    result = CreateProcess(NULL, (char *)m_cmdline.c_str(), NULL, NULL, TRUE, 0, NULL, NULL, &si, &m_procinfo);

And m_cmdline is defined as:

    m_cmdline = "gpg.exe";
    /* Note the nested quotes: CreateProcess passes this string to gpg with
       no shell in between, so gpg sees exactly what is written here, and
       replaces %i with the temporary file holding the photo. */
    m_cmdline += " --photo-viewer \"cmd /c copy /Y \"%i\" " + filename + "\"\"";
    m_cmdline += " --status-fd 1 --command-fd 0 --edit-key \"" + fingerprint + "\"";

So the edit-key command requires additional input (since I say '--command-fd 0' I'm able to use the redirected STDIN handle) that looks like the following:

    input  = "showphoto\n";   // the edit command
    input += "quit\n";        // quit is quit

HTH From rajam-s at chintech.org Wed Mar 16 17:00:52 2005 From: rajam-s at chintech.org (rajam) Date: Wed Mar 16 20:17:49 2005 Subject: Query on GPG - should I install GPG in every system? Message-ID: <1110988875.3830.34.camel@chin30.chintech.ac.in> Sir, Our institute has an intranet consisting of around 60 machines. I am planning to implement GPG in my mail server. Is it enough to install GPG only in the mail server? Then how do I create the keys for each user? Please help me on this. Regards Rajam S From kha at treskal.com Wed Mar 16 18:16:37 2005
From: kha at treskal.com (Karl Hasselström) Date: Wed Mar 16 20:17:53 2005 Subject: Saving photo of a key to a given filename In-Reply-To: References: <42384777.1040704@intertivity.com> Message-ID: <20050316171637.GA9868@malin> On 2005-03-16 17:28:02 +0100, Thomas Zangl - Home wrote: > Am Wed, 16 Mar 2005 15:49:27 +0100, schrieb "Sascha Kiefer" > : > > > you can use the photo-viewer option. example: > > > > - --photo-viewer \"cmd /c copy /Y \"%i\"filename.tmp\"\" > > > > will copy the picture-file to filename.tmp > > Does work from the command line but not from within my Delphi App. > It seems that "cmd" is not called at all - maybe because GPG is > called from within a temporary batchfile which is executed through > "CreateProcess"... You might have been bitten by the escaping. This example works on the command line because the shell evaluates the command line args before passing them to gpg. If you call gpg in a way that doesn't pass the args through a shell, you should not be escaping quotes. -- Karl Hasselström, kha@treskal.com www.treskal.com/kalle From johanw at vulcan.xs4all.nl Wed Mar 16 20:38:21 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Wed Mar 16 20:33:38 2005 Subject: Saving photo of a key to a given filename In-Reply-To: from Thomas Zangl - Home at "Mar 16, 2005 05:28:02 pm" Message-ID: <200503161938.UAA00882@vulcan.xs4all.nl> Thomas Zangl - Home wrote: >Does work from the command line but not from within my Delphi App. It >seems that "cmd" is not called at all Is your environment copied? Try the explicit call to C:\WINNT\cmd.exe instead of just calling cmd. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From brunij at earthlink.net Wed Mar 16 20:51:00 2005
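The escaping point Karl makes above, as an added example (not code from the thread, from GnuPG or from Sascha's program): the same photo-export invocation is built once as an argument vector, which is what a direct CreateProcess or exec call should receive, and once as a one-line shell command, which is the only place the extra quoting belongs. It keeps Sascha's --status-fd 1 / --command-fd 0 / --edit-key flags. Assumptions not stated on the page: gpg is on PATH, the key is identified by a 16-hex-digit long key ID or a 40-hex-digit fingerprint (the values below are constructed), and gpg runs the --photo-viewer string through a shell with "%i" replaced by the temporary photo file, so the viewer string uses a POSIX cp where the thread used cmd /c copy.

```python
import re
import shlex
import subprocess
from typing import List

# Accept only a 16-hex-digit long key ID or a 40-hex-digit v4 fingerprint
# (assumption: that is how callers name keys), so nothing user-supplied can
# carry shell metacharacters into the viewer string or the --edit-key argument.
HEX_KEY_ID = re.compile(r"^(?:[0-9A-Fa-f]{16}|[0-9A-Fa-f]{40})$")


def is_hex_key_id(key_id: str) -> bool:
    return bool(HEX_KEY_ID.match(key_id))


def photo_viewer_command(out_path: str) -> str:
    """The viewer string in which gpg expands "%i" and then runs via a shell.

    The thread's Windows form is  cmd /c copy /Y "%i" filename.tmp ; the POSIX
    form with cp is used here. out_path is shell-quoted because a shell
    started by gpg, not our own process, will interpret this string.
    """
    return 'cp "%i" ' + shlex.quote(out_path)


def build_argv(key_id: str, out_path: str) -> List[str]:
    """gpg's argument vector. No quotes are escaped at this level: with an
    argv there is no shell between us and gpg, so each element arrives
    verbatim. Flags are the ones Sascha used in the thread."""
    if not is_hex_key_id(key_id):
        raise ValueError("refusing non-hex key identifier: %r" % (key_id,))
    return [
        "gpg",
        "--status-fd", "1",
        "--command-fd", "0",
        "--photo-viewer", photo_viewer_command(out_path),
        "--edit-key", key_id,
    ]


def shell_form(argv: List[str]) -> str:
    """The same command as one line for an interactive shell. This layer of
    quoting is what the command-line example needed and what a direct
    CreateProcess/exec call must not add."""
    return " ".join(shlex.quote(a) for a in argv)


def roundtrip_through_shell(argv: List[str]) -> List[str]:
    """What a POSIX shell would hand to gpg after parsing shell_form(argv)."""
    return shlex.split(shell_form(argv))


def export_photo(key_id: str, out_path: str) -> int:
    """Run gpg with the list form (no shell on POSIX; on Windows subprocess
    quotes each element for CreateProcess itself) and feed the edit-key
    commands through stdin, as in the thread. Returns gpg's exit status."""
    proc = subprocess.run(
        build_argv(key_id, out_path),
        input="showphoto\nquit\n",
        text=True,
        capture_output=True,
    )
    return proc.returncode


if __name__ == "__main__":
    # Constructed fingerprint; substitute one from your own --list-keys output.
    argv = build_argv("0123456789ABCDEF0123456789ABCDEF01234567", "/tmp/photo.jpg")
    print("argv:      ", argv)
    print("shell form:", shell_form(argv))
```

Running the script prints both forms side by side; the difference between them is exactly the escaping that was breaking the Delphi call. The hex check on the key identifier is there because --edit-key and the viewer string would otherwise be two places for a crafted key name to reach a shell.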
From: brunij at earthlink.net (Joseph Bruni) Date: Wed Mar 16 20:47:06 2005 Subject: Query on GPG - should I install GPG in every system? In-Reply-To: <1110988875.3830.34.camel@chin30.chintech.ac.in> References: <1110988875.3830.34.camel@chin30.chintech.ac.in> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 GPG is primarily used to secure communications between individual users. To that end, the private key is just that -- private and would be trustworthy only if it is available to its owner exclusively. Using a server-based solution would require all users' private keys residing on the server. The fun part is then how to allow users to decrypt their private keys in a secure manner over a network -- not possible. Therefore, GPG should be installed on each user's workstation and have each user create their own keys. I strongly recommend the following article to assist you in a proper implementation: http://download.pgp.com/pdfs/Intro_to_Crypto_040600_F.pdf -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (Darwin) iQEVAwUBQjiOKVGV1jrNVRjHAQg2pAf/S63aWeJAiCiNvCLkS92Y6DjNW0E1L9Y0 2rgRbjMe5JumJqSrjBI6poWg6NIc+cVUDP3NMqhhuVyRx3hi41xRKPF74bE5ncNj W2YjY/3rN19EMOqNM6mBzfiQEwoZORNzxdwDVsrfHSyLm5k1dwMh0Ik4wwSd0/AL GMDffFd87N2jKwMPLgnOHR9EAWtGDgs7m7TJQ53yEOz0eSjdeqaKN93IlOdSyjCN UnIlVPqqS4rsNQntTTHCmBzvXa+eSRK6oCJ+echKtspudrl7ycebAzI3DFh2idpA Gi/MMOG3kBj1Ol7RldIUF+487vq+7ueDGhIjxsVikKnac940N26Czg== =FxTJ -----END PGP SIGNATURE----- From mreese at calarts.edu Thu Mar 17 00:32:55 2005
From: mreese at calarts.edu (Melissa Reese) Date: Thu Mar 17 00:29:27 2005 Subject: [Macgpg-users] MacGPG 1.4.1. - [Announce] GnuPG 1.4.1 released In-Reply-To: <17fdca98112b10acbc080e54788bc271@cilly.com> References: <873buw7svj.fsf@wheatstone.g10code.de> <4616ea53410b6118ee75bc889925e45b@mac.com> <17fdca98112b10acbc080e54788bc271@cilly.com> Message-ID: <1651834153.20050316153255@calarts.edu> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Hi Michael, On Tuesday, March 15, 2005, at 2:14:01 PM PST, you wrote: > Hm, atm I can't see that version 1.4.1 has been released, yet. Or > may be the homepage http://www.gnupg.org has not been updated, yet? You can get v1.4.1 directly from here via FTP: ftp://ftp.gnupg.org/gcrypt/ - -- Melissa PGP public keys: http://www.kuviahunnihautik.tk/ -----BEGIN PGP SIGNATURE----- iQCVAwUBQjjCH6cKCSqXMHPPAQPF2AP+OiyJc0u2k7RIUqS/O013+Uns9jr/ca1p t6aSLHMNX4xMqh876D17mb//rS514kclIL1Ree1+rtTVrVGlKdd3HSfaVM7uAAZM B7lF7f38nDizcQGvsRjUZYlnprpEuRhKqj+7Ym3Du4NH/bE6StJ5J9DUx+rgI3tG 42i0FNk4qtg= =BFYb -----END PGP SIGNATURE----- From mreese at calarts.edu Thu Mar 17 05:15:15 2005 
From: mreese at calarts.edu (Melissa Reese) Date: Thu Mar 17 05:11:31 2005 Subject: gpg: WARNING: Using untrusted key! Message-ID: <17310361014.20050316201515@calarts.edu> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Hi, I'm getting a peculiar warning message when I verify signed messages; even messages signed using my own keys (GnuPG v1.4.1). Here's a sample verification of one of my own messages: gpg: armor header: Hash: RIPEMD160 gpg: original file name='' gpg: Signature made 03/16/05 18:58:05 using RSA key ID 973073CF gpg: Good signature from "Melissa Reese " gpg: WARNING: Using untrusted key! gpg: textmode signature, digest algorithm RIPEMD160 I know that my key is given "Ultimate Trust", so I'm a bit confused about that, but I get this same warning when I verify anyone else's signed messages as well: gpg: WARNING: Using untrusted key! Does anyone know what this means? Oh, by the way, this is on a WinXP SP2 system, with GnuPG v1.4.1 Thanks! - -- Melissa PGP public keys: http://www.kuviahunnihautik.tk/ -----BEGIN PGP SIGNATURE----- iQCVAwUBQjkEPqcKCSqXMHPPAQMrwAP9EQOW8V2WwXM/cV1g0my2yVE72oZ2qsN/ Te9TGdPFzjhtt0Mx9KNQ6IIl32032IIlXYutijeeBKNj2ARXL831SicYuqa+bcME e3g7Zll3GGFW01rbY5bwIjG2w0oGuQqiNlioo4XX5TAVDW4EaeoTC330MlUkZzdH KVEpUw7IxNw= =x4lv -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Thu Mar 17 05:49:01 2005 
From: dshaw at jabberwocky.com (David Shaw) Date: Thu Mar 17 05:45:51 2005 Subject: gpg: WARNING: Using untrusted key! In-Reply-To: <17310361014.20050316201515@calarts.edu> References: <17310361014.20050316201515@calarts.edu> Message-ID: <20050317044901.GB8734@jabberwocky.com> On Wed, Mar 16, 2005 at 08:15:15PM -0800, Melissa Reese wrote: > Hi, > > I'm getting a peculiar warning message when I verify signed messages; > even messages signed using my own keys (GnuPG v1.4.1). Here's a sample > verification of one of my own messages: > > gpg: armor header: Hash: RIPEMD160 > gpg: original file name='' > gpg: Signature made 03/16/05 18:58:05 using RSA key ID 973073CF > gpg: Good signature from "Melissa Reese " > gpg: WARNING: Using untrusted key! > gpg: textmode signature, digest algorithm RIPEMD160 > > I know that my key is given "Ultimate Trust", so I'm a bit confused > about that, but I get this same warning when I verify anyone else's > signed messages as well: > > gpg: WARNING: Using untrusted key! > > Does anyone know what this means? It means that you have "--trust-model always" set. GnuPG is warning you that it isn't checking trust. David From mreese at calarts.edu Thu Mar 17 05:59:34 2005 
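David's point above, that "--trust-model always" makes gpg skip the trust check, is the reason scripts should not stop at "Good signature". Below is an added example (not from the thread or from GnuPG) of the decision a wrapper should make from gpg's machine-readable --status-fd output: a GOODSIG/VALIDSIG pair says the signature is mathematically valid, and a separate TRUST_* line says whether the signing key is actually trusted. It assumes the default trust model, so that a TRUST_* line follows every good signature; a transcript without one is rejected rather than accepted, since that is the case where the check was not performed. The status transcripts, key IDs and fingerprints below are constructed, not real keys.

```python
from dataclasses import dataclass
from typing import Optional

STATUS_PREFIX = "[GNUPG:] "

# gpg's trust status keywords, ranked so a minimum can be enforced.
TRUST_RANK = {
    "TRUST_UNDEFINED": 0,
    "TRUST_NEVER": 0,
    "TRUST_MARGINAL": 1,
    "TRUST_FULLY": 2,
    "TRUST_ULTIMATE": 3,
}

# Any of these means the signature itself is not acceptable, trust aside.
BAD_SIG_STATUS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


@dataclass
class Verdict:
    good_signature: bool = False
    bad_status: Optional[str] = None
    key_id: Optional[str] = None
    fingerprint: Optional[str] = None
    trust: Optional[str] = None

    def acceptable(self, minimum: str = "TRUST_FULLY") -> bool:
        """A good signature is necessary but not sufficient: the signing key
        must also reach the required trust level. No TRUST_* line means the
        trust check did not happen, and the signature is not accepted."""
        if self.bad_status is not None or not self.good_signature:
            return False
        if self.trust is None:
            return False
        return TRUST_RANK[self.trust] >= TRUST_RANK[minimum]


def parse_status(status_text: str) -> Verdict:
    """Reduce one verification's --status-fd output to a Verdict."""
    verdict = Verdict()
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue  # ordinary log output, not a status record
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword == "GOODSIG" and args:
            verdict.good_signature = True
            verdict.key_id = args[0]          # long key ID, user ID follows
        elif keyword == "VALIDSIG" and args:
            verdict.fingerprint = args[0]     # fingerprint of the signing key
        elif keyword in BAD_SIG_STATUS:
            verdict.bad_status = keyword
        elif keyword in TRUST_RANK:
            verdict.trust = keyword           # later gpg adds "0 <model>"; ignored
    return verdict


# Constructed transcripts in the shape gpg writes to --status-fd.
UNTRUSTED_GOOD = (
    "[GNUPG:] SIG_ID AAAAAAAAAAAAAAAAAAAAAAAAAAA 2005-03-16 1110999485\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example User <user@example.org>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2005-03-16 "
    "1110999485 0 4 0 1 3 01 0123456789ABCDEF0123456789ABCDEF01234567\n"
    "[GNUPG:] TRUST_UNDEFINED\n"
)
OWN_KEY_GOOD = UNTRUSTED_GOOD.replace("TRUST_UNDEFINED", "TRUST_ULTIMATE")
BAD_SIGNATURE = (
    "[GNUPG:] BADSIG 89ABCDEF01234567 Example User <user@example.org>\n"
)


if __name__ == "__main__":
    for name, text in [("untrusted", UNTRUSTED_GOOD),
                       ("own key", OWN_KEY_GOOD),
                       ("bad sig", BAD_SIGNATURE)]:
        v = parse_status(text)
        print(f"{name:10s} good={v.good_signature} trust={v.trust} accept={v.acceptable()}")
```

The first transcript is the situation Melissa reports: a good signature from a key with no trust assigned. gpg prints "Good signature" for it either way; only the TRUST_* line, or the wrapper's insistence on one, separates "valid" from "trusted".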
From: mreese at calarts.edu (Melissa Reese) Date: Thu Mar 17 05:56:06 2005 Subject: gpg: WARNING: Using untrusted key! In-Reply-To: <20050317044901.GB8734@jabberwocky.com> References: <17310361014.20050316201515@calarts.edu> <20050317044901.GB8734@jabberwocky.com> Message-ID: <213444823.20050316205934@calarts.edu> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Hi David, On Wednesday, March 16, 2005, at 8:49:01 PM PST, you wrote: > It means that you have "--trust-model always" set. GnuPG is warning > you that it isn't checking trust. Thanks! I'll remove that option from my configuration file. For some reason, I was under the impression that I needed that option if I wanted to encrypt messages to keys that I haven't yet signed or assigned any trust to, but that doesn't seem to be the case. Thanks again! - -- Melissa PGP public keys: http://www.kuviahunnihautik.tk/ -----BEGIN PGP SIGNATURE----- iQCVAwUBQjkOsqcKCSqXMHPPAQPQHwP8CE6GXTucjbhrTic9Q42H5CAaiJd4DPkK hMqMEzjXxqYshaixYEWe5rtxJTB/qg9o9czm8ihyc1Y+E8JMaJSUp1kuQchTEAYm fM+EDqFlqJaBX8lX3APtO487/Ch04jofJ9IxC1EFQLqmcQ9DD7ciFN1f5DrDxpuR nx0hCB3t5SI= =ISjU -----END PGP SIGNATURE----- From kfitzner at excelcia.org Thu Mar 17 07:37:07 2005 From: kfitzner at excelcia.org (Kurt Fitzner) Date: Thu Mar 17 07:33:11 2005 Subject: Source for winptee, winfpse, or gpgsx Message-ID: <42392593.2020503@excelcia.org> I apologize that this is slightly off topic for this mailing list, but I am at my wit's end. I am looking for the source code - any source code, old or new - for winptee, winfpse, or gpgsx. Those are all Windows shell extension projects that add context menu support for GnuPG in Windows. I've looked all over. I can find binaries in various locations, but no source anywhere. If anyone has or knows of where I can download said source, I would really appreciate the information. Thanks in advance, Kurt. From talmage at zero.ad.jp Thu Mar 17 13:49:55 2005
From: talmage at zero.ad.jp (Kory T) Date: Thu Mar 17 13:41:40 2005 Subject: PKCS#15 support Message-ID: <2d7efa49163ab3647edbbcdfb26e8445@zero.ad.jp> I remember reading about GnuPG supporting PKCS#15 (ISO 7816-15) compatible cards for the smartcard support. I know currently only the OpenPGP Card is supported, but does anyone know if PKCS#15 support is what the developers are still thinking about for future versions of gpg? Kory From dshaw at jabberwocky.com Thu Mar 17 14:25:10 2005
From: dshaw at jabberwocky.com (David Shaw) Date: Thu Mar 17 14:22:12 2005 Subject: gpg: WARNING: Using untrusted key! In-Reply-To: <213444823.20050316205934@calarts.edu> References: <17310361014.20050316201515@calarts.edu> <20050317044901.GB8734@jabberwocky.com> <213444823.20050316205934@calarts.edu> Message-ID: <20050317132509.GE8734@jabberwocky.com> On Wed, Mar 16, 2005 at 08:59:34PM -0800, Melissa Reese wrote: > Hi David, > > On Wednesday, March 16, 2005, at 8:49:01 PM PST, you wrote: > > > It means that you have "--trust-model always" set. GnuPG is warning > > you that it isn't checking trust. > > Thanks! I'll remove that option from my configuration file. For some > reason, I was under the impression that I needed that option if I > wanted to encrypt messages to keys that I haven't yet signed or > assigned any trust to, but that doesn't seem to be the case. No, as you discovered, you can still encrypt to any key you like (though GnuPG may ask "are you sure"). --trust-model always is really a special case for use in special situations (scripts or situations where the trust is checked outside of GnuPG). It completely bypasses all trust and signature checking and assumes all keys are fully trusted. David From zuxy.meng at gmail.com Thu Mar 17 15:42:50 2005 From: zuxy.meng at gmail.com (Zuxy) Date: Thu Mar 17 15:39:33 2005 Subject: How can I get a subkey's fingerprint? Message-ID: Either under edit-key or directly from the command line? I've tried edit-key, key N, fpr but it still showed the primary key's fingerprint. -- Zuxy Beauty is truth, While truth is beauty. PGP KeyID: E8555ED6 From wk at gnupg.org Thu Mar 17 15:41:51 2005 
From: wk at gnupg.org (Werner Koch) Date: Thu Mar 17 15:41:16 2005 Subject: PKCS#15 support In-Reply-To: <2d7efa49163ab3647edbbcdfb26e8445@zero.ad.jp> (Kory T.'s message of "Thu, 17 Mar 2005 21:49:55 +0900") References: <2d7efa49163ab3647edbbcdfb26e8445@zero.ad.jp> Message-ID: <871xaez64w.fsf@wheatstone.g10code.de> On Thu, 17 Mar 2005 21:49:55 +0900, Kory T said: > I remember reading about GnuPG supporting PKCS#15 (ISO 7816-15) GnuPG 1.9 has support for S/MIME (i.e. X.509). However this requires OpenSC which has several drawbacks. However I have a new pkcs#15 module in the works which will be a lean implementation and avoid the complexity, threading and versioning problems of OpenSC. Salam-Shalom, Werner From atom at smasher.org Thu Mar 17 16:01:09 2005 From: atom at smasher.org (Atom Smasher) Date: Thu Mar 17 15:54:25 2005 Subject: How can I get a subkey's fingerprint? In-Reply-To: References: Message-ID: <20050317145823.52962.qmail@smasher.org> On Thu, 17 Mar 2005, Zuxy wrote: > Either under edit-key or directly from the command line? I've tried > edit-key, key N, fpr but it still showed the primary key's fingerprint. ================ $ gpg --fingerprint --fingerprint {keyid} -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "Your password must be at least 18770 characters and cannot repeat any of your previous 30689 passwords. Please type a different password. Type a password that meets these requirements in both text boxes." -- Microsoft takes security seriously in Knowledge Base Article Q276304. From DGRIMES at scvl.com Thu Mar 17 15:41:33 2005
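Atom's doubled --fingerprint makes gpg print subkey fingerprints for a human; a program that wants them should read the colon-separated listing instead. The following is an added example (not from the thread or from GnuPG) that parses the output of gpg --with-colons --with-fingerprint --with-fingerprint --list-keys, where, as with the doubled --fingerprint above, the doubled option makes gpg emit an fpr record after each sub record as well as after the pub record. It relies on the colon format's layout: record type in field 1, key length in field 3, algorithm in field 4, key ID in field 5, and the fingerprint in field 10 of an fpr record. The listing below is constructed; its key IDs and fingerprints are not real keys, though they are built so that each v4 key ID is the last 16 hex digits of its fingerprint, which the last function checks.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class KeyRecord:
    kind: str                          # "pub", "sub", "sec" or "ssb"
    key_id: str                        # field 5 of the pub/sub record
    algorithm: int                     # field 4: 1 = RSA, 17 = DSA, 16 = Elgamal
    length: int                        # field 3: key size in bits
    fingerprint: Optional[str] = None  # field 10 of the fpr record that follows


def parse_listing(text: str) -> List[KeyRecord]:
    """Turn a --with-colons listing into KeyRecords, attaching each fpr
    record to the pub/sub record immediately before it."""
    keys: List[KeyRecord] = []
    for line in text.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype in ("pub", "sub", "sec", "ssb"):
            keys.append(KeyRecord(rtype, fields[4], int(fields[3]), int(fields[2])))
        elif rtype == "fpr" and keys:
            keys[-1].fingerprint = fields[9]
        # tru, uid, uat, sig and other record types carry no key material here.
    return keys


def subkey_fingerprints(text: str) -> Dict[str, Optional[str]]:
    """Key ID -> fingerprint for the subkeys only, which is what the
    original question asked for."""
    return {k.key_id: k.fingerprint for k in parse_listing(text) if k.kind in ("sub", "ssb")}


def fingerprint_for(text: str, key_id: str) -> Optional[str]:
    """Look up a primary key or subkey by short (8) or long (16) key ID."""
    wanted = key_id.upper()
    for k in parse_listing(text):
        if k.key_id.upper().endswith(wanted):
            return k.fingerprint
    return None


def key_id_matches_fingerprint(rec: KeyRecord) -> bool:
    """For v4 keys (40-hex fingerprint) the long key ID is the low 64 bits of
    the fingerprint; a listing where this fails has mismatched records.
    v3 keys (32-hex MD5 fingerprint) have no such relation and are skipped."""
    if rec.fingerprint is None:
        return False
    if len(rec.fingerprint) != 40:
        return True
    return rec.fingerprint.upper().endswith(rec.key_id.upper())


# Constructed listing in the shape of gpg 1.4's --with-colons output.
SAMPLE_LISTING = (
    "tru::1:1110999485:0:3:1:5\n"
    "pub:u:1024:17:89ABCDEF01234567:2005-03-08:2006-03-08::u:::scESC:\n"
    "fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:\n"
    "uid:u::::2005-03-08::0000000000000000000000000000000000000000::Example User <user@example.org>:\n"
    "sub:u:2048:16:76543210FEDCBA98:2005-03-08:2006-03-08:::::e:\n"
    "fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:\n"
)


if __name__ == "__main__":
    for rec in parse_listing(SAMPLE_LISTING):
        print(f"{rec.kind} {rec.length}/{rec.algorithm} {rec.key_id} fpr={rec.fingerprint} "
              f"consistent={key_id_matches_fingerprint(rec)}")
```

Feeding it real output is a matter of replacing SAMPLE_LISTING with the captured stdout of the gpg command named in the lead-in; the consistency check is cheap insurance when the listing comes from a file or a remote host rather than straight from gpg.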
From: DGRIMES at scvl.com (Grimes, Dean) Date: Thu Mar 17 16:20:33 2005 Subject: Porting gnupg Message-ID: <59D747A62703354193CA17350FC3F7D9136A7F@telstar.scvl.com> Hi, I have successfully compiled and installed gnupg-1.4.1 on SCO OpenServer and everything works great. However, I have approximately 500 remote servers I need to install it on. I tried tarring up all of the installed binaries and associated directories and installing it on one of the remote servers but it won't run. These systems are identical in configuration except for the GNU development system not being installed on the remote system. I have successfully propagated other applications such as PHP, MySQL, Apache and others via this very same method. Is there something specific I need or should know in order to propagate GnuPG? The system just immediately kills the application whenever an attempt is made to execute it. It acts like a missing library. If I install the GNU development system and compile on the remote system everything runs fine. Any ideas? Thanks, Dean From dgc at uchicago.edu Thu Mar 17 17:48:37 2005 
From: dgc at uchicago.edu (David Champion) Date: Thu Mar 17 18:18:36 2005 Subject: Porting gnupg In-Reply-To: <59D747A62703354193CA17350FC3F7D9136A7F@telstar.scvl.com> References: <59D747A62703354193CA17350FC3F7D9136A7F@telstar.scvl.com> Message-ID: <20050317164837.GX17186@monkey.uchicago.edu> * On 2005.03.17, in <59D747A62703354193CA17350FC3F7D9136A7F@telstar.scvl.com>, * "Grimes, Dean" wrote: > > I have successfully compiled and installed gnupg-1.4.1 on SCO OpenServer and > everything works great. However, I have approximately 500 remote servers I > need to install it on. I tried tarring up all of the installed binaries and > associated directories and installing it on one of the remote servers but it > won't run. These systems are identical in configuration except for the GNU > development system not being installed on the remote system. I'm taking a guess at your problem, based on something I've seen on Solaris. Recent versions of gcc will configure themselves to use a shared libgcc.so, and that library will then have to be in the runtime on each target system. It seems rather a poor idea for gcc ever to configure that way, unless it's the stock vendor-provided compiler for the system. I'm not sure what the value is believed to be. There are several solutions to this, if it's your problem. The easiest is to delete libgcc.so from your gcc library directory. On my system, it was at [/usr/local]/lib/gcc/sparc-sun-solaris2.9/3.4.1/libgcc.so* . You also can modify the specs file. You'll need to recompile gnupg (or distribute libgcc.so) in any case. -- -D. dgc@uchicago.edu NSIT::ENSS "So now, less than five years later, you can go up on a steep hill... and with the right kind of eyes you can almost see the high-water mark -- the place where the wave finally broke and rolled back." -HST From DGRIMES at scvl.com Thu Mar 17 19:31:41 2005 
From: DGRIMES at scvl.com (Grimes, Dean)
Date: Thu Mar 17 19:28:20 2005
Subject: Porting gnupg
Message-ID: <59D747A62703354193CA17350FC3F7D9136A82@telstar.scvl.com>

My problem is that libz on some of the remote systems is not current. I'm compiling on the development server with 1.1.4 now and some of the older remote systems have 1.1.3. I guess I have some recompiling to do to bring all of the remote systems up-to-date.

Thanks,
Dean

-----Original Message-----
From: David Champion [mailto:dgc@uchicago.edu]
Sent: Thursday, March 17, 2005 10:49 AM
To: Grimes, Dean
Cc: 'gnupg-users@gnupg.org'
Subject: Re: Porting gnupg

From dlc at sevenroot.org Thu Mar 17 19:43:46 2005
From: dlc at sevenroot.org (Darren Chamberlain)
Date: Thu Mar 17 19:44:37 2005
Subject: Porting gnupg
In-Reply-To: <59D747A62703354193CA17350FC3F7D9136A82@telstar.scvl.com>
References: <59D747A62703354193CA17350FC3F7D9136A82@telstar.scvl.com>
Message-ID: <7808f4d8-2553-41b1-a87c-49a4eb8e7bc9@gir.boston.com>

* Grimes, Dean [2005/03/17 12:31]:
> My problem is that libz on some of the remote systems is not current. I'm
> compiling on the development server with 1.1.4 now and some of the older
> remote systems have 1.1.3. I guess I have some recompiling to do to bring
> all of the remote systems up-to-date.

Is building GPG statically not an option?

(darren)

-- 
The penalty that good men pay for not being interested in politics is to be governed by men worse than themselves. -- Plato

From void at fake.invalid Thu Mar 17 21:22:23 2005
From: void at fake.invalid (Anonymous)
Date: Thu Mar 17 21:48:58 2005
Subject: Source for winptee, winfpse, or gpgsx
References: <42392593.2020503__257.102135992859$1111041460$gmane$org@excelcia.org>
Message-ID:

winptee: This is a collection of gpg utilities; unfortunately the explorer extensions (context menu) do not appear to be open source.

winfpse: This is just the name for winPT's explorer extensions (context menu).

gpgsx: This is open source (GPL) and is written in Delphi, but unfortunately the page is gone and the wayback machine did not cache the source. You might be able to reach the author at stievie@utanet.at

----- Original Message -----
From: "Kurt Fitzner"
Newsgroups: gmane.comp.encryption.gpg.user
Sent: Thursday, March 17, 2005 1:37 AM
Subject: Source for winptee, winfpse, or gpgsx

> I apologize that this is slightly off topic for this mailing list, but I
> am at my wit's end.
>
> I am looking for the source code - any source code old or new - for
> winptee, winfpse, or gpgsx. Those are all Windows shell extension
> projects that add context menu support for GnuPG in windows. I've
> looked all over. I can find binaries in various locations, but no
> source anywhere.
>
> If anyone has or knows of where I can download said source, I would
> really appreciate the information.
>
> Thanks in advance,
>
> Kurt.

From jharris at widomaker.com Thu Mar 17 21:55:23 2005
From: jharris at widomaker.com (Jason Harris)
Date: Thu Mar 17 21:51:30 2005
Subject: [Announce] GnuPG 1.4.1 News
In-Reply-To: <87wts86czg.fsf@wheatstone.g10code.de>
References: <87wts86czg.fsf@wheatstone.g10code.de>
Message-ID: <20050317205523.GF9105@wilma.widomaker.com>

On Tue, Mar 15, 2005 at 06:22:11PM +0100, Werner Koch wrote:

> I forgot to insert the NEWS for 1.4.1; there are actually not that
> many as those for the last release. Here we go:

> * New "import-unusable-sigs" and "export-unusable-sigs" tags for
> --import-options and --export-options. These are off by
> default, and cause GnuPG to not import or export key signatures
> that are not usable (e.g. expired signatures).

Gah! It seems these are _ON_ by default, are undocumented in the manual page, (aren't picked up when listed in ~/.gnupg/options,) and _CAN NOT_ be turned off:

%gpg --no-options --no-auto-check-trustdb --import-options import-unusable-sigs --keyserver keyserver.kjsl.com -v --recv B56165AA
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: requesting key B56165AA from hkp server keyserver.kjsl.com
gpg: armor header: Version: 5.0
gpg: armor header: Comment: PGP Key Server 0.9.4+patch2+JHpatch2
gpg: pub 1024D/B56165AA 2003-02-22 Darren Chamberlain
gpg: key B56165AA: removed multiple subkey binding
gpg: key B56165AA: expired signature from key CA57AD7C - skipped
gpg: key B56165AA: expired signature from key CA57AD7C - skipped
gpg: key B56165AA: expired signature from key CA57AD7C - skipped
gpg: key B56165AA: expired signature from key CA57AD7C - skipped
gpg: key B56165AA: expired signature from key CA57AD7C - skipped
gpg: key B56165AA: expired signature from key CA57AD7C - skipped
gpg: key B56165AA: expired signature from key CA57AD7C - skipped
gpg: key B56165AA: expired signature from key CA57AD7C - skipped
gpg: key B56165AA: expired signature from key CA57AD7C - skipped
gpg: key B56165AA: expired signature from key CA57AD7C - skipped
gpg: using classic trust model
gpg: key B56165AA: public key "Darren Chamberlain" imported
gpg: Total number processed: 1
gpg: imported: 1

("gpg --check-sigs" confirms only these sigs:

sig! CA57AD7C 2005-03-05 PGP Global Directory Verification Key

are on the key.)

-- 
Jason Harris           |  NIC:  JH329, PGP:  This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web:  http://keyserver.kjsl.com/~jharris/
          Got photons? (TM), (C) 2004

From johanw at vulcan.xs4all.nl Thu Mar 17 21:45:36 2005
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Thu Mar 17 22:04:44 2005
Subject: Source for winptee, winfpse, or gpgsx
In-Reply-To: <42392593.2020503@excelcia.org> from Kurt Fitzner at "Mar 16, 2005 11:37:07 pm"
Message-ID: <200503172045.VAA00514@vulcan.xs4all.nl>

You, Kurt Fitzner, wrote:

>I am looking for the source code - any source code old or new - for
>winptee, winfpse, or gpgsx. Those are all Windows shell extension
>projects that add context menu support for GnuPG in windows.

If you mean WinPT, the source can be found at http://www.winpt.org/

-- 
ir. J.C.A. Wevers         //  Physics and science fiction site:
johanw@vulcan.xs4all.nl   //  http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From rs at natchie.mine.nu Thu Mar 17 22:09:41 2005
From: rs at natchie.mine.nu (Rusty Shackleford)
Date: Thu Mar 17 22:06:10 2005
Subject: How to create self-decrypting executable?
Message-ID: <20050317210941.GA22102@mwilson.umlcoop.net>

My office uses PGP to create self-extracting executable files.

I found the -c option for GPG which encrypts with a symmetric key, but this doesn't seem to do the next step of making the encrypted data an executable program that prompts for a password.

Is this feature possible with GPG? I'm trying to automate lots of processes and the less highlighting and right-clicking I have to do in Windows Explorer, the better.

TIA

PS: I've already bored everyone I work with by explaining how symmetric key encryption ain't all that secure, but switching to a key-based system is not possible in the short run.

-- 
Give and take free stuff: http://freecycle.org

From dshaw at jabberwocky.com Thu Mar 17 22:15:29 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Mar 17 22:12:04 2005
Subject: [Announce] GnuPG 1.4.1 News
In-Reply-To: <20050317205523.GF9105@wilma.widomaker.com>
References: <87wts86czg.fsf@wheatstone.g10code.de> <20050317205523.GF9105@wilma.widomaker.com>
Message-ID: <20050317211529.GA4096@jabberwocky.com>

On Thu, Mar 17, 2005 at 03:55:23PM -0500, Jason Harris wrote:
> On Tue, Mar 15, 2005 at 06:22:11PM +0100, Werner Koch wrote:
>
> > I forgot to insert the NEWS for 1.4.1; there are actually not that
> > many as those for the last release. Here we go:
>
> > * New "import-unusable-sigs" and "export-unusable-sigs" tags for
> > --import-options and --export-options. These are off by
> > default, and cause GnuPG to not import or export key signatures
> > that are not usable (e.g. expired signatures).
>
> Gah! It seems these are _ON_ by default, are undocumented in the
> manual page, (aren't picked up when listed in ~/.gnupg/options,)
> and _CAN NOT_ be turned off:

Huh? Your own experiment shows they are off by default:

> gpg: key B56165AA: expired signature from key CA57AD7C - skipped
> gpg: key B56165AA: expired signature from key CA57AD7C - skipped
> gpg: key B56165AA: expired signature from key CA57AD7C - skipped
> gpg: key B56165AA: expired signature from key CA57AD7C - skipped
> gpg: key B56165AA: expired signature from key CA57AD7C - skipped
> gpg: key B56165AA: expired signature from key CA57AD7C - skipped
> gpg: key B56165AA: expired signature from key CA57AD7C - skipped
> gpg: key B56165AA: expired signature from key CA57AD7C - skipped
> gpg: key B56165AA: expired signature from key CA57AD7C - skipped
> gpg: key B56165AA: expired signature from key CA57AD7C - skipped

They can be turned ON if you want. Like all --import-options and --export-options, they apply to --import and --export only. If you want them to apply to keyserver operations, list them in --keyserver-options. See the manual.

David

From johanw at vulcan.xs4all.nl Thu Mar 17 22:19:30 2005
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Thu Mar 17 22:14:44 2005
Subject: How to create self-decrypting executable?
In-Reply-To: <20050317210941.GA22102@mwilson.umlcoop.net> from Rusty Shackleford at "Mar 17, 2005 04:09:41 pm"
Message-ID: <200503172119.WAA01017@vulcan.xs4all.nl>

Rusty Shackleford wrote:

>Is this feature possible with GPG?

This isn't portable: on what OS do you want to create these executables, and on which OS to run them? A typical windows-only option that will probably never be supported.

-- 
ir. J.C.A. Wevers         //  Physics and science fiction site:
johanw@vulcan.xs4all.nl   //  http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From dshaw at jabberwocky.com Thu Mar 17 22:18:32 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Mar 17 22:15:12 2005
Subject: How to create self-decrypting executable?
In-Reply-To: <20050317210941.GA22102@mwilson.umlcoop.net>
References: <20050317210941.GA22102@mwilson.umlcoop.net>
Message-ID: <20050317211832.GB4096@jabberwocky.com>

On Thu, Mar 17, 2005 at 04:09:41PM -0500, Rusty Shackleford wrote:
> My office uses PGP to create self-extracting executable files.
>
> I found the -c option for GPG which encrypts with a symmetric key, but
> this doesn't seem to do the next step of making the encrypted data an
> executable program that prompts for a password.
>
> Is this feature possible with GPG? I'm trying to automate lots of
> processes and the less highlighting and right-clicking I have to do in
> Windows Explorer, the better.

GnuPG is portable to many different operating systems, and so does not have an SDA feature since it would involve making an executable for every supported platform. You can more or less do this yourself by writing a script if you like.

> PS: I've already bored everyone I work with by explaining how symmetric
> key encryption ain't all that secure, but switching to a key-based
> system is not possible in the short run.

SDAs aren't all that secure either.

David

From jharris at widomaker.com Thu Mar 17 23:10:31 2005
From: jharris at widomaker.com (Jason Harris)
Date: Thu Mar 17 23:06:38 2005
Subject: [Announce] GnuPG 1.4.1 News
In-Reply-To: <20050317211529.GA4096@jabberwocky.com>
References: <87wts86czg.fsf@wheatstone.g10code.de> <20050317205523.GF9105@wilma.widomaker.com> <20050317211529.GA4096@jabberwocky.com>
Message-ID: <20050317221031.GG9105@wilma.widomaker.com>

On Thu, Mar 17, 2005 at 04:15:29PM -0500, David Shaw wrote:
> On Thu, Mar 17, 2005 at 03:55:23PM -0500, Jason Harris wrote:
> > On Tue, Mar 15, 2005 at 06:22:11PM +0100, Werner Koch wrote:
> >
> > > I forgot to insert the NEWS for 1.4.1; there are actually not that
> > > many as those for the last release. Here we go:
> >
> > > * New "import-unusable-sigs" and "export-unusable-sigs" tags for
> > > --import-options and --export-options. These are off by
> > > default, and cause GnuPG to not import or export key signatures
> > > that are not usable (e.g. expired signatures).
> >
> > Gah! It seems these are _ON_ by default, are undocumented in the
> > manual page, (aren't picked up when listed in ~/.gnupg/options,)
> > and _CAN NOT_ be turned off:
>
> Huh? Your own experiment shows they are off by default:

(Sorry, I meant the stripping of expired signatures is on by default.)

It was my impression that expired sigs would be retained by default. Removing expired sigs is tantamount to removing expired/revoked userids and subkeys, IMO, and should not be done by default.

> They can be turned ON if you want. Like all --import-options and
> --export-options, they apply to --import and --export only. If you
> want them to apply to keyserver operations, list them in
> --keyserver-options. See the manual.

I only see "unusable" in my manual page for the following:

show-unusable-uids
    Show revoked and expired user IDs in key listings. Defaults to no.

show-unusable-subkeys
    Show revoked and expired subkeys in key listings. Defaults to no.

-- 
Jason Harris           |  NIC:  JH329, PGP:  This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web:  http://keyserver.kjsl.com/~jharris/
          Got photons? (TM), (C) 2004

From twoaday at freakmail.de Thu Mar 17 22:58:36 2005
From: twoaday at freakmail.de (Timo Schulz)
Date: Thu Mar 17 23:12:32 2005
Subject: Source for winptee, winfpse, or gpgsx
In-Reply-To:
References: <42392593.2020503__257.102135992859$1111041460$gmane$org@excelcia.org>
Message-ID: <20050317215836.GD383@daredevil.joesixpack.net>

On Thu Mar 17 2005; 15:22, Anonymous wrote:

> winptee: This is a collection of gpg utilities; unfortunately the explorer
> extensions (context menu) do not appear to be open source.

All parts of WinPTEE are free software (GPL). But WinPTEE is obsolete and should not be used anymore. The successor is...

> winfpse: This is just the name for winPT's explorer extensions (context
> menu).

..WinFPSE which is GPL but its status is frozen due to the fact I don't have enough time to maintain it.

Timo

From dshaw at jabberwocky.com Thu Mar 17 23:31:41 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Mar 17 23:28:23 2005
Subject: Retaining expired sigs
In-Reply-To: <20050317221031.GG9105@wilma.widomaker.com>
References: <87wts86czg.fsf@wheatstone.g10code.de> <20050317205523.GF9105@wilma.widomaker.com> <20050317211529.GA4096@jabberwocky.com> <20050317221031.GG9105@wilma.widomaker.com>
Message-ID: <20050317223141.GC4096@jabberwocky.com>

On Thu, Mar 17, 2005 at 05:10:31PM -0500, Jason Harris wrote:
> On Thu, Mar 17, 2005 at 04:15:29PM -0500, David Shaw wrote:
> > On Thu, Mar 17, 2005 at 03:55:23PM -0500, Jason Harris wrote:
> > > On Tue, Mar 15, 2005 at 06:22:11PM +0100, Werner Koch wrote:
> > >
> > > > I forgot to insert the NEWS for 1.4.1; there are actually not that
> > > > many as those for the last release. Here we go:
> > >
> > > > * New "import-unusable-sigs" and "export-unusable-sigs" tags for
> > > > --import-options and --export-options. These are off by
> > > > default, and cause GnuPG to not import or export key signatures
> > > > that are not usable (e.g. expired signatures).
> > >
> > > Gah! It seems these are _ON_ by default, are undocumented in the
> > > manual page, (aren't picked up when listed in ~/.gnupg/options,)
> > > and _CAN NOT_ be turned off:
> >
> > Huh? Your own experiment shows they are off by default:
>
> (Sorry, I meant the stripping of expired signatures is on by default.)
>
> It was my impression that expired sigs would be retained by default.
> Removing expired sigs is tantamount to removing expired/revoked
> userids and subkeys, IMO, and should not be done by default.

I don't agree. An expired signature is not relevant - it is just meaningless bytes at this point. Note also that expired user IDs and subkeys are, in fact, removed. That's not new behavior, by the way: it has been this way for as long as I can remember.

> > They can be turned ON if you want. Like all --import-options and
> > --export-options, they apply to --import and --export only. If you
> > want them to apply to keyserver operations, list them in
> > --keyserver-options. See the manual.
>
> I only see "unusable" in my manual page for the following:

I mean the instructions to put the --import-options and --export-options in --keyserver-options if you want them to apply to keyserver operations. The command line you gave as an example was incorrect in that you specified --import-options but were doing a keyserver operation.

David

From jharris at widomaker.com Fri Mar 18 05:18:26 2005
From: jharris at widomaker.com (Jason Harris)
Date: Fri Mar 18 05:14:43 2005
Subject: Retaining expired sigs
In-Reply-To: <20050317223141.GC4096@jabberwocky.com>
References: <87wts86czg.fsf@wheatstone.g10code.de> <20050317205523.GF9105@wilma.widomaker.com> <20050317211529.GA4096@jabberwocky.com> <20050317221031.GG9105@wilma.widomaker.com> <20050317223141.GC4096@jabberwocky.com>
Message-ID: <20050318041825.GH9105@wilma.widomaker.com>

On Thu, Mar 17, 2005 at 05:31:41PM -0500, David Shaw wrote:
> On Thu, Mar 17, 2005 at 05:10:31PM -0500, Jason Harris wrote:

> > It was my impression that expired sigs would be retained by default.
> > Removing expired sigs is tantamount to removing expired/revoked
> > userids and subkeys, IMO, and should not be done by default.
>
> I don't agree. An expired signature is not relevant - it is just
> meaningless bytes at this point. Note also that expired user IDs and

GPG currently has no use for expired sigs in its trust calculations, but sigcheck (as part of keyanalyze) does. They are used if you want to recalculate the WoT at a given point in the past (or future) based on a given keydump/keyring. Also, while the GD itself doesn't retain its past sigs, elsewhere one can see that 0xB56165AA was signed by 0xCA57AD7C starting on 2004-12-29 while 0x99242560 was signed by it starting 2004-12-08. Even if you consider such data points useless, particularly where the GD is concerned, rest assured that not everyone else does, particularly where human signers are concerned.

-- 
Jason Harris           |  NIC:  JH329, PGP:  This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web:  http://keyserver.kjsl.com/~jharris/
          Got photons? (TM), (C) 2004

From dshaw at jabberwocky.com Fri Mar 18 05:35:20 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri Mar 18 05:31:58 2005
Subject: Retaining expired sigs
In-Reply-To: <20050318041825.GH9105@wilma.widomaker.com>
References: <87wts86czg.fsf@wheatstone.g10code.de> <20050317205523.GF9105@wilma.widomaker.com> <20050317211529.GA4096@jabberwocky.com> <20050317221031.GG9105@wilma.widomaker.com> <20050317223141.GC4096@jabberwocky.com> <20050318041825.GH9105@wilma.widomaker.com>
Message-ID: <20050318043520.GC5615@jabberwocky.com>

On Thu, Mar 17, 2005 at 11:18:26PM -0500, Jason Harris wrote:
> On Thu, Mar 17, 2005 at 05:31:41PM -0500, David Shaw wrote:
> > On Thu, Mar 17, 2005 at 05:10:31PM -0500, Jason Harris wrote:
>
> > > It was my impression that expired sigs would be retained by default.
> > > Removing expired sigs is tantamount to removing expired/revoked
> > > userids and subkeys, IMO, and should not be done by default.
> >
> > I don't agree. An expired signature is not relevant - it is just
> > meaningless bytes at this point. Note also that expired user IDs and
>
> GPG currently has no use for expired sigs in its trust calculations,
> but sigcheck (as part of keyanalyze) does. They are used if you want
> to recalculate the WoT at a given point in the past (or future) based
> on a given keydump/keyring. Also, while the GD itself doesn't retain
> its past sigs, elsewhere one can see that 0xB56165AA was signed by
> 0xCA57AD7C starting on 2004-12-29 while 0x99242560 was signed by it
> starting 2004-12-08. Even if you consider such data points useless,
> particularly where the GD is concerned, rest assured that not everyone
> else does, particularly where human signers are concerned.

To be honest, I don't think I can possibly express just how much I don't care that "0xB56165AA was signed by 0xCA57AD7C starting on 2004-12-29 while 0x99242560 was signed by it starting 2004-12-08". All I care is that both signatures have since expired, and are therefore irrelevant to me. To say nothing of the fact that anyone who thinks that OpenPGP has strong date semantics - and bases their behavior on that - is fooling themselves in a wonderfully large way.

It is not good design to hamper the majority of users to please the minority of users who like to calculate key signing statistics. In any event, I still fail to see a problem here. Anyone who wants to import and export expired signatures is free to do so.

Even though the GD prompted this change, this isn't a GD-specific issue. Over time, keys build up cruft - expired user IDs, expired subkeys, and expired sigs. These items serve no useful purpose for the vast majority of users. If someone insists that they are useful and wants to include them, well, go right ahead. Just don't bother the rest of us with it.

David

From dlc at sevenroot.org Fri Mar 18 05:34:43 2005
From: dlc at sevenroot.org (Darren Chamberlain)
Date: Fri Mar 18 06:29:02 2005
Subject: Retaining expired sigs
In-Reply-To: <20050318041825.GH9105@wilma.widomaker.com>
References: <87wts86czg.fsf@wheatstone.g10code.de> <20050317205523.GF9105@wilma.widomaker.com> <20050317211529.GA4096@jabberwocky.com> <20050317221031.GG9105@wilma.widomaker.com> <20050317223141.GC4096@jabberwocky.com> <20050318041825.GH9105@wilma.widomaker.com>
Message-ID: <423A5A63.1030107@sevenroot.org>

Jason Harris wrote:
> [...]Also, while the GD itself doesn't retain its past sigs, elsewhere
> one can see that 0xB56165AA was signed by 0xCA57AD7C starting on
                   ^^^^^^^^^^
> 2004-12-29 while 0x99242560 was signed by it starting 2004-12-08.

Hey, stop picking on me! :)

(darren)

-- 

From clbianco at tiscalinet.it Fri Mar 18 13:48:46 2005
From: clbianco at tiscalinet.it (Carlo Luciano Bianco)
Date: Fri Mar 18 13:45:28 2005
Subject: [Announce] GnuPG 1.4.1 released
References: <873buw7svj.fsf__45501.6475906179$1110907615$gmane$org@wheatstone.g10code.de>
Message-ID:

On /15 Mar 2005/, *Werner Koch* wrote:

> We are pleased to announce the availability of a new stable GnuPG
> release: Version 1.4.1

Thanks, Werner. It builds fine with MinGW/MSYS, even using the new libcurl code.

I have just updated my page accordingly.

-- 
| Carlo Luciano Bianco |                    ICQ UIN: 109517158         |
|______________________| Home page:                                    |
|GPG DSA/ElG 1024/4096:|_________________________________________________|
|KeyID:0x5324A0DA - Fingerprint:8B00C61034120506111B143DEDBF71B45324A0DA |

From dshaw at jabberwocky.com Fri Mar 18 16:48:58 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri Mar 18 16:45:41 2005
Subject: [Announce] GnuPG 1.4.1 released
In-Reply-To:
References: <873buw7svj.fsf__45501.6475906179$1110907615$gmane$org@wheatstone.g10code.de>
Message-ID: <20050318154858.GB28771@jabberwocky.com>

On Fri, Mar 18, 2005 at 01:48:46PM +0100, Carlo Luciano Bianco wrote:
> On /15 Mar 2005/, *Werner Koch* wrote:
>
> > We are pleased to announce the availability of a new stable GnuPG
> > release: Version 1.4.1
>
> Thanks, Werner. It builds fine with MinGW/MSYS, even using the new libcurl
> code.
>
> I have just updated my page accordingly.

With libcurl as well? Excellent. There were some problems building that on MinGW in the release candidate and I'm glad to see the fix worked.

David

From clbianco at tiscalinet.it Fri Mar 18 18:09:11 2005
From: clbianco at tiscalinet.it (Carlo Luciano Bianco)
Date: Fri Mar 18 18:07:44 2005
Subject: [Announce] GnuPG 1.4.1 released
References: <873buw7svj.fsf__45501.6475906179$1110907615$gmane$org@wheatstone.g10code.de> <20050318154858.GB28771__4233.31979332051$1111161487$gmane$org@jabberwocky.com>
Message-ID:

On /18 Mar 2005/, *David Shaw* wrote:

> On Fri, Mar 18, 2005 at 01:48:46PM +0100, Carlo Luciano Bianco wrote:
>> On /15 Mar 2005/, *Werner Koch* wrote:
>>
>> > We are pleased to announce the availability of a new stable GnuPG
>> > release: Version 1.4.1
>>
>> Thanks, Werner. It builds fine with MinGW/MSYS, even using the new
>> libcurl code.
>>
>> I have just updated my page accordingly.
>
> With libcurl as well? Excellent.

Yes, David, with libcurl as well. I used the ready-to-run libcurl mingw library described on my page. The resulting gpgkeys_curl.exe depends on libcurl.dll, so I think it is actually using it...

> There were some problems building
> that on MinGW in the release candidate and I'm glad to see the fix
> worked.

It seems so, but be careful. When I say "it builds fine" I mean exactly this and not more than this: the exe files are produced by GCC without errors. I have not yet tested them extensively. Besides doing a "make check" (25 passed over 25), I have only tested GnuPG 1.4.1 with one day of regular use without finding any problem. However, there are many features I have not tested yet *including* keyserver support, i.e. *including* curl.

So, I cannot be sure that the gpgkeys_curl.exe I have compiled is actually working right. I saw your post on gpg-devel about testing curl code and I hope to have time to make some tests over the weekend...

-- 
| Carlo Luciano Bianco |                    ICQ UIN: 109517158         |
|______________________| Home page:                                    |
|GPG DSA/ElG 1024/4096:|_________________________________________________|
|KeyID:0x5324A0DA - Fingerprint:8B00C61034120506111B143DEDBF71B45324A0DA |

From dshaw at jabberwocky.com Fri Mar 18 18:23:02 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri Mar 18 18:19:43 2005
Subject: Libcurl (was Re: [Announce] GnuPG 1.4.1 released)
In-Reply-To:
References: <873buw7svj.fsf__45501.6475906179$1110907615$gmane$org@wheatstone.g10code.de> <20050318154858.GB28771__4233.31979332051$1111161487$gmane$org@jabberwocky.com>
Message-ID: <20050318172302.GA28913@jabberwocky.com>

On Fri, Mar 18, 2005 at 06:09:11PM +0100, Carlo Luciano Bianco wrote:
> > With libcurl as well? Excellent.
>
> Yes, David, with libcurl as well. I used the ready-to-run libcurl mingw
> library described on my page. The resulting gpgkeys_curl.exe depends on
> libcurl.dll, so I think it is actually using it...
>
> > There were some problems building
> > that on MinGW in the release candidate and I'm glad to see the fix
> > worked.
>
> It seems so, but be careful. When I say "it builds fine" I mean exactly this
> and not more than this: the exe files are produced by GCC without errors. I
> have not yet tested them extensively.

Understood. I'm just pleased that it builds on MinGW at all. Build stuff can be very painful on different platforms. Now that it builds, everything else after that is "just a bug" ;)

> So, I cannot be sure that the gpgkeys_curl.exe I have compiled is actually
> working right. I saw your post on gpg-devel about testing curl code and I
> hope to have time to make some tests over the weekend...

That would be great, thanks.

David

From jharris at widomaker.com Fri Mar 18 18:30:32 2005
From: jharris at widomaker.com (Jason Harris)
Date: Fri Mar 18 18:26:34 2005
Subject: Retaining expired sigs
In-Reply-To: <20050318043520.GC5615@jabberwocky.com>
References: <87wts86czg.fsf@wheatstone.g10code.de> <20050317205523.GF9105@wilma.widomaker.com> <20050317211529.GA4096@jabberwocky.com> <20050317221031.GG9105@wilma.widomaker.com> <20050317223141.GC4096@jabberwocky.com> <20050318041825.GH9105@wilma.widomaker.com> <20050318043520.GC5615@jabberwocky.com>
Message-ID: <20050318173032.GJ9105@wilma.widomaker.com>

On Thu, Mar 17, 2005 at 11:35:20PM -0500, David Shaw wrote:

> All I care is that both signatures have since expired, and are
> therefore irrelevant to me. To say nothing of the fact that anyone
> who thinks that OpenPGP has strong date semantics - and bases their
> behavior on that - is fooling themselves in a wonderfully large way.

Your point is unclear. Unless revocation and signature targets are specified, dates are used to determine which signatures revoke/modify/supersede other (chronologically earlier) signatures by the same issuer. Unsynchronized clocks are unfortunate, yes, but we still generally must take timestamps at face value.

> It is not good design to hamper the majority of users to please the
> minority of users who like to calculate key signing statistics. In

Everyone who feels expiring signatures hamper their keys should raise the issue with those generating such burdensome signatures.

Furthermore, I don't see a lot of difference between expired signatures and superseded signatures, yet GPG doesn't (currently) throw away the latter:

pub   1024D/B56165AA 2003-02-22
uid                  Darren Chamberlain
sig!3        B56165AA 2003-09-24  Darren Chamberlain
sig!3        B56165AA 2003-02-26  Darren Chamberlain
sig!3        B56165AA 2003-02-26  Darren Chamberlain

-- 
Jason Harris           |  NIC:  JH329, PGP:  This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web:  http://keyserver.kjsl.com/~jharris/
          Got photons? (TM), (C) 2004

From dshaw at jabberwocky.com Fri Mar 18 19:23:39 2005
From: dshaw at jabberwocky.com (David Shaw) Date: Fri Mar 18 19:20:17 2005 Subject: Retaining expired sigs In-Reply-To: <20050318173032.GJ9105@wilma.widomaker.com> References: <87wts86czg.fsf@wheatstone.g10code.de> <20050317205523.GF9105@wilma.widomaker.com> <20050317211529.GA4096@jabberwocky.com> <20050317221031.GG9105@wilma.widomaker.com> <20050317223141.GC4096@jabberwocky.com> <20050318041825.GH9105@wilma.widomaker.com> <20050318043520.GC5615@jabberwocky.com> <20050318173032.GJ9105@wilma.widomaker.com> Message-ID: <20050318182339.GB28913@jabberwocky.com> On Fri, Mar 18, 2005 at 12:30:32PM -0500, Jason Harris wrote: > > It is not good design to hamper the majority of users to please the > > minority of users who like to calculate key signing statistics. In > > Everyone who feels expiring signatures hamper their keys should > raise the issue with those generating such burdensome signatures. That's somewhat impractical. Should we ban expiring signatures? You seem to have a problem with the GD because it issues fast-expiring signatures, but many people use expiring signatures. Even if people issued 1-year signatures, there would be a problem eventually. In the real world, we cannot control what other people generate. The best we can do is "be liberal in what we accept, and conservative in what we generate". > Furthermore, I don't see a lot of difference between expired signatures > and superceded signatures, yet GPG doesn't (currently) throw away the > latter: There is a significant difference. An expired signature is *expired*. It's dead as Marley. A superceded signature is very much alive, and is used *unless something better is present*. In GPG, an expiring (but not yet expired) signature will supercede an earlier signature from the same signer. Once this signature expires, it still supercedes the earlier signature (thus effectively disabling the original signature). Thus you have a perfectly valid signature that is disabled by an expired signature. 
This is one of those interesting areas of the trust model where things get fuzzy: it's not clear what the semantics should be here, since it requires GPG to guess what the signer "really meant" to say, and worse, guess this without all the data at hand.

It gets messy very fast: if I sign a key with no expiration, then sign it again with an expiration, then the second signature expires - is my original signature still valid? Maybe I actually revoked the first signature, but the revocation packet isn't present right now, or was stripped out by the key owner. Maybe the second signature was a short term signature because the original signature wasn't present at that time. Add to that the problems of packets being missing and bad clocks, and it's a very fuzzy question indeed.

I recommend that if people want to replace an earlier signature with a new, expiring, signature, they first revoke the earlier signature, and only then issue the new expiring signature. This way there are much fewer questions as to the intent of the signer, and many fewer opportunities for the trust code to guess wrong.

David

From jharris at widomaker.com Fri Mar 18 20:06:46 2005
From: jharris at widomaker.com (Jason Harris)
Date: Fri Mar 18 20:03:03 2005
Subject: Retaining expired sigs
In-Reply-To: <20050318182339.GB28913@jabberwocky.com>
References: <87wts86czg.fsf@wheatstone.g10code.de> <20050317205523.GF9105@wilma.widomaker.com> <20050317211529.GA4096@jabberwocky.com> <20050317221031.GG9105@wilma.widomaker.com> <20050317223141.GC4096@jabberwocky.com> <20050318041825.GH9105@wilma.widomaker.com> <20050318043520.GC5615@jabberwocky.com> <20050318173032.GJ9105@wilma.widomaker.com> <20050318182339.GB28913@jabberwocky.com>
Message-ID: <20050318190646.GK9105@wilma.widomaker.com>

On Fri, Mar 18, 2005 at 01:23:39PM -0500, David Shaw wrote:
> On Fri, Mar 18, 2005 at 12:30:32PM -0500, Jason Harris wrote:
> > Everyone who feels expiring signatures hamper their keys should
> > raise the issue with those generating such burdensome signatures.
>
> That's somewhat impractical. Should we ban expiring signatures? You
> seem to have a problem with the GD because it issues fast-expiring

(Well, you modified GPG to help remove the GD sigs, not me. :)

> > Furthermore, I don't see a lot of difference between expired signatures
> > and superseded signatures, yet GPG doesn't (currently) throw away the
> > latter:
>
> There is a significant difference. An expired signature is *expired*.
> It's dead as Marley. A superseded signature is very much alive, and
> is used *unless something better is present*.

Right, and in the example, something better is present. GPG knows the newer sig. is valid, so the older sigs contribute nothing to the current state of the key.

> In GPG, an expiring (but not yet expired) signature will supersede an
> earlier signature from the same signer. Once this signature expires,
> it still supersedes the earlier signature (thus effectively disabling
> the original signature). Thus you have a perfectly valid signature
> that is disabled by an expired signature.
> This is one of those
> interesting areas of the trust model where things get fuzzy: it's not
> clear what the semantics should be here, since it requires GPG to
> guess what the signer "really meant" to say, and worse, guess this
> without all the data at hand.

OK, but none of the signatures in the example have expirations.

My point is that once GPG sees a newer signature that overrides an older one, it can safely remove the older one, in all cases, in the interest of keeping keys clean. (Of course, the newest sig. should be valid, and the older sigs should be checked for validity as well, lest we run into a long keyid collision.)

> It gets messy very fast: if I sign a key with no expiration, then sign
> it again with an expiration, then the second signature expires - is my
> original signature still valid? Maybe I actually revoked the first

By your own explanation above, no.

> signature, but the revocation packet isn't present right now, or was
> stripped out by the key owner. Maybe the second signature was a short
> term signature because the original signature wasn't present at that
> time. Add to that the problems of packets being missing and bad
> clocks, and it's a very fuzzy question indeed.
>
> I recommend that if people want to replace an earlier signature with a
> new, expiring, signature, they first revoke the earlier signature, and
> only then issue the new expiring signature. This way there are much
> fewer questions as to the intent of the signer, and many fewer
> opportunities for the trust code to guess wrong.

Therein lies the problem: GPG, by removing expired signatures (at all), is removing history. As you point out, this can lead to problems when the expired signatures are no longer available to supersede earlier, unexpired signatures.

--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons?
(TM), (C) 2004

From dshaw at jabberwocky.com Fri Mar 18 20:37:33 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri Mar 18 20:34:27 2005
Subject: Retaining expired sigs
In-Reply-To: <20050318190646.GK9105@wilma.widomaker.com>
References: <87wts86czg.fsf@wheatstone.g10code.de> <20050317205523.GF9105@wilma.widomaker.com> <20050317211529.GA4096@jabberwocky.com> <20050317221031.GG9105@wilma.widomaker.com> <20050317223141.GC4096@jabberwocky.com> <20050318041825.GH9105@wilma.widomaker.com> <20050318043520.GC5615@jabberwocky.com> <20050318173032.GJ9105@wilma.widomaker.com> <20050318182339.GB28913@jabberwocky.com> <20050318190646.GK9105@wilma.widomaker.com>
Message-ID: <20050318193733.GC28913@jabberwocky.com>

On Fri, Mar 18, 2005 at 02:06:46PM -0500, Jason Harris wrote:
> On Fri, Mar 18, 2005 at 01:23:39PM -0500, David Shaw wrote:
> > On Fri, Mar 18, 2005 at 12:30:32PM -0500, Jason Harris wrote:
> >
> > > Everyone who feels expiring signatures hamper their keys should
> > > raise the issue with those generating such burdensome signatures.
> >
> > That's somewhat impractical. Should we ban expiring signatures? You
> > seem to have a problem with the GD because it issues fast-expiring
>
> (Well, you modified GPG to help remove the GD sigs, not me. :)

No. I modified GPG to help remove *expired signatures*. This has nothing to do with the GD specifically. I did, incidentally, consider a "don't export expired GD keys" flag, but that is not what the feature is.

> My point is that once GPG sees a newer signature that overrides an
> older one, it can safely remove the older one, in all cases, in the
> interest of keeping keys clean. (Of course, the newest sig. should
> be valid, and the older sigs should be checked for validity as well,
> lest we run into a long keyid collision.)

I don't disagree with this. It's not unreasonable to remove them, but it doesn't happen that way today. The problem at hand was expired sigs, so that is what I addressed.
Removing superseded signatures, however, re-raises the semantic questions I asked in my last mail. What algorithm runs first: the "remove superseded" or "remove expired"? Depending on which runs first, you can get a different result.

> > It gets messy very fast: if I sign a key with no expiration, then sign
> > it again with an expiration, then the second signature expires - is my
> > original signature still valid? Maybe I actually revoked the first
>
> By your own explanation above, no.

But should it be? My point is not to say that such-and-such is the answer. My point is to say that it is not at all clear what the answer should be. I may take some time this weekend and run a few test cases against other OpenPGP implementations to see what they do.

> Therein lies the problem: GPG, by removing expired signatures
> (at all), is removing history. As you point out, this can lead
> to problems when the expired signatures are no longer available
> to supersede earlier, unexpired signatures.

Only if the right behavior is that expired signatures *should* supersede earlier, unexpired signatures.

If the answer is that expired signatures should supersede, then the current implementation of the expired sigs filter is insufficient - it needs to remove the earlier sigs as well to avoid re-awakening an old signature. If the answer is that expired signatures should not supersede, then the current implementation is correct.

Which do you favor (and why)? Does every sig stand alone, or can sigs only be interpreted in terms of a series?

I vaguely lean towards the idea that expired signatures should not supersede earlier unexpired signatures (the "sigs stand alone" answer), but only vaguely. I find the simplicity of it attractive. Interpreting sigs in a series raises a number of dangerous problems, like what happens when a sig is "unrevoked" by an attacker by removing packets from the key.

David

From DGRIMES at scvl.com Fri Mar 18 22:27:11 2005
From: DGRIMES at scvl.com (Grimes, Dean)
Date: Fri Mar 18 22:23:47 2005
Subject: Searching Mail Archives
Message-ID: <59D747A62703354193CA17350FC3F7D9136A8A@telstar.scvl.com>

Is there a mail archive search function/screen that allows searching the mail archive for specific key words? I'm new to GnuPG and would like to get more familiar with the application without asking 500 questions right off the bat. I have read all of the documentation on the gnupg.org site but I'm still not quite sure about some of the functionality as it relates to my environment and requirements.

Thanks,
Dean

From dshaw at jabberwocky.com Fri Mar 18 22:35:17 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri Mar 18 22:31:55 2005
Subject: Searching Mail Archives
In-Reply-To: <59D747A62703354193CA17350FC3F7D9136A8A@telstar.scvl.com>
References: <59D747A62703354193CA17350FC3F7D9136A8A@telstar.scvl.com>
Message-ID: <20050318213517.GF28913@jabberwocky.com>

On Fri, Mar 18, 2005 at 03:27:11PM -0600, Grimes, Dean wrote:
> Is there a mail archive search function/screen that allows searching the
> mail archive for specific key words? I'm new to GnuPG and would like to get
> more familiar with the application without asking 500 questions right off
> the bat. I have read all of the documentation on the gnupg.org site but I'm
> still not quite sure about some of the functionality as it relates to my
> environment and requirements.

One good way to search is via Google. Just add "site:lists.gnupg.org" to whatever you are searching for, and Google will restrict matches to these mailing lists.

David

From mreese at calarts.edu Fri Mar 18 23:06:56 2005
From: mreese at calarts.edu (Melissa Reese)
Date: Fri Mar 18 23:03:25 2005
Subject: Searching Mail Archives
In-Reply-To: <59D747A62703354193CA17350FC3F7D9136A8A@telstar.scvl.com>
References: <59D747A62703354193CA17350FC3F7D9136A8A@telstar.scvl.com>
Message-ID: <1603654220.20050318140656@calarts.edu>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Hi Dean,

On Friday, March 18, 2005, at 1:27:11 PM PST, you wrote:

> Is there a mail archive search function/screen that allows searching
> the mail archive for specific key words? I'm new to GnuPG and would
> like to get more familiar with the application without asking 500
> questions right off the bat. I have read all of the documentation on
> the gnupg.org site but I'm still not quite sure about some of the
> functionality as it relates to my environment and requirements.

I hope I'm not misunderstanding your question here. GnuPG has nothing to do with searching email databases, archives, etc., as it's just an encryption/digital signature program. However, some email clients do offer various built-in search functions. My email client, The Bat!, has a pretty good search setup. I'm not sure if yours does or not, as I don't use it.

There's also a nice email archive/search/etc. program that I use for various purposes, called "Mailbag Assistant" from Fookes Software:

http://www.fookes.com/mailbag/index.php

With Mailbag Assistant, you can access the email databases of several different email clients, then search on any of several variables at the same time. It can do a lot more than just search email databases though, and I've found this program to be very useful for several functions having to do with email databases.
- --
Melissa
PGP public keys: http://www.kuviahunnihautik.tk/

-----BEGIN PGP SIGNATURE-----

iQCVAwUBQjtQ7acKCSqXMHPPAQO6SgP6A7kT9BHRqItDxhV2bugfImj5A7ipeE5P
D/kQREgAHAMTJO6jv7NM7pSuVhGYXsmxzvcv4Qb3J4EMwjITZZr6lWK7AWgF2gb/
euzWIzrC/ndbN/7hf/ZA5KQ8LU/KMWbCGeG2ti9pMtXrJil+D5NFboBH0LyHofQC
t5wgZ6nGHf8=
=GMNk
-----END PGP SIGNATURE-----

From mreese at calarts.edu Fri Mar 18 23:15:57 2005
From: mreese at calarts.edu (Melissa Reese)
Date: Fri Mar 18 23:12:09 2005
Subject: Searching Mail Archives
In-Reply-To: <20050318213517.GF28913@jabberwocky.com>
References: <59D747A62703354193CA17350FC3F7D9136A8A@telstar.scvl.com> <20050318213517.GF28913@jabberwocky.com>
Message-ID: <943722569.20050318141557@calarts.edu>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Hi David,

On Friday, March 18, 2005, at 1:35:17 PM PST, you wrote:

> One good way to search is via Google. Just add
> "site:lists.gnupg.org" to whatever you are searching for, and Google
> will restrict matches to these mailing lists.

Eek! I did completely misunderstand Dean's question. Sorry! :-)

- --
Melissa
PGP public keys: http://www.kuviahunnihautik.tk/

-----BEGIN PGP SIGNATURE-----

iQCVAwUBQjtTGKcKCSqXMHPPAQO2sgP/T8dID+nps6rk6MeuQmsxrcrrIErNbYEj
Cd4AINLgp+ba61xZ5I04GhZwlO3X+ZV1alnlYX+L/kSOCKbYmbyEr1ygYPgrb+v0
97WEq2dSG3sXApd50buRNqB2xvThfOIF1vhqob/eZRM3drM8YiKWnOyZbUtJwjzh
GQWZX80/BbI=
=wu4j
-----END PGP SIGNATURE-----

From aldert at rotz.org Fri Mar 18 22:37:44 2005
From: aldert at rotz.org (Aldert J.B.P. Hazenberg)
Date: Fri Mar 18 23:37:06 2005
Subject: Searching Mail Archives
In-Reply-To: <59D747A62703354193CA17350FC3F7D9136A8A@telstar.scvl.com>
References: <59D747A62703354193CA17350FC3F7D9136A8A@telstar.scvl.com>
Message-ID: <423B4A28.3020104@rotz.org>

Grimes, Dean wrote:
> Is there a mail archive search function/screen that allows searching the
> mail archive for specific key words? I'm new to GnuPG and would like to get
> more familiar with the application without asking 500 questions right off
> the bat. I have read all of the documentation on the gnupg.org site but I'm
> still not quite sure about some of the functionality as it relates to my
> environment and requirements.
>
> Thanks,
> Dean
>

An educated guess makes me believe you are a Windows user; try these URLs:

http://groups.yahoo.com/group/PGP-Basics/
http://enigmail.mozdev.org/index.html
http://mozdev.sweetooth.org/enigmail/docs/beginners-manual.pdf
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Aldert.

From servie_tech at yahoo.com Sat Mar 19 03:34:26 2005
From: servie_tech at yahoo.com (Servie Platon)
Date: Sat Mar 19 03:30:58 2005
Subject: Changing Home Directory of GPG
Message-ID: <20050319023426.79531.qmail@web52507.mail.yahoo.com>

Hi GPG gurus,

After I have downloaded and installed the latest gpg binary for Windows, when I did the command below:

C:\Documents and Settings\servie>gpg --version
gpg (GnuPG) 1.4.1
Copyright (C) 2005 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Home: C:/GnuPG
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512
Compression: Uncompressed, ZIP, ZLIB, BZIP2

For Windows XP, should the keyrings be stored in C:/Document and Settings/servie/Application Data/GnuPG\pubring.gpg?

But my output went like this:

C:\Documents and Settings\servie>gpg --list-key
C:/GnuPG\pubring.gpg
--------------------
pub 1024D/1AEC5F92 2005-03-19
uid Serviliano S. Platon
sub 2048g/50A8D61A 2005-03-19

Are there steps that I may have missed out? Or is this the norm? Please kindly guide me through.

Thank you very much.

Sincerely,
Servie

From torduninja at mail.pf Sat Mar 19 04:11:05 2005
From: torduninja at mail.pf (torduninja@mail.pf)
Date: Sat Mar 19 04:11:09 2005
Subject: Cross-compiling instructions
Message-ID: <288be4b3.df498985.8472300@mirapoint2.mana.pf>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Part of the instructions in README-W32 for cross-compiling for Windows could do with some clarification, I think. Specifically this:

$ ./autogen.sh --build-w32
$ make
$ cp g10/gpg*.exe /some_windows_drive/

I suggest:

See the instructions in file README on how to check the integrity of
- - that file. Wir a properly setup build environment, you unpack the
+ that file. With a properly setup build environment, you unpack the
tarball change to the created directory and run

$ ./autogen.sh --build-w32
$ make
+ $ strip g10/gpg*.exe
+ $ strip keyserver/gpgkeys*.exe
+ $ strip tools/gpgsplit.exe
$ cp g10/gpg*.exe /some_windows_drive/
+ $ cp keyserver/gpgkeys*.exe /some_windows_drive/
+ $ cp tools/gpgsplit.exe /some_windows_drive/

Salut
Maxine

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
Comment: GPG-TO-GO http://www.torduninja.tk

iD8DBQFCO5fOKBY/R6nbCcARAxbeAJ4qe3ZEfz4Fec0mbuvUqnLhYlugVwCdFery
UTqu4zNsdfe9uLGkh55QlHE=
=UM0Z
-----END PGP SIGNATURE-----

From JPClizbe at comcast.net Sat Mar 19 05:56:53 2005
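Review bot: the three added lines `+ $ strip g10/gpg*.exe`, `+ $ strip keyserver/gpgkeys*.exe` and `+ $ strip tools/gpgsplit.exe` run the host's `strip` on Windows executables produced by `--build-w32`; a GNU binutils `strip` built only for the native ELF target refuses PE files ("file format not recognized"), so the instruction should name the cross toolchain's own strip rather than a bare `strip`, or the reader should be told to confirm which one is on the PATH. Two smaller points: the removed line shows up as `- - that file.` only because the clearsigned mail dash-escapes a line that begins with `-`, so anyone copying the hunk by hand needs to restore the single `-` prefix; and with no `---`/`+++` file header or `@@` hunk line the change cannot be fed to patch(1), so a `diff -u` against README-W32 would be easier for the maintainers to apply.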
From: JPClizbe at comcast.net (John Clizbe)
Date: Sat Mar 19 05:53:30 2005
Subject: Changing Home Directory of GPG
In-Reply-To: <20050319023426.79531.qmail@web52507.mail.yahoo.com>
References: <20050319023426.79531.qmail@web52507.mail.yahoo.com>
Message-ID: <423BB115.5020600@comcast.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Servie Platon wrote:
> Hi GPG gurus,
>
> After I have downloaded and installed the latest gpg
> binary for windows, when I did the command below:
>
> C:\Documents and Settings\servie>gpg --version
> gpg (GnuPG) 1.4.1
> Copyright (C) 2005 Free Software Foundation, Inc.
> This program comes with ABSOLUTELY NO WARRANTY.
> This is free software, and you are welcome to
> redistribute it
> under certain conditions. See the file COPYING for
> details.
>
> Home: C:/GnuPG
> Supported algorithms:
> Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
> Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256,
> TWOFISH
> Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512
> Compression: Uncompressed, ZIP, ZLIB, BZIP2
>
> For Windows XP, should the keyrings be stored in
> C:/Document and Settings/servie/Application
> Data/GnuPG\pubring.gpg?
>
> But my output went like this:
>
> C:\Documents and Settings\servie>gpg --list-key
> C:/GnuPG\pubring.gpg
> --------------------
> pub 1024D/1AEC5F92 2005-03-19
> uid Serviliano S. Platon
>
> sub 2048g/50A8D61A 2005-03-19
>
> Are there steps that I may have missed out? Or is
> this the norm? Please kindly guide me through.

The installer didn't change the registry key for GnuPG's HomeDir. Here's the upgrade step-by-step (I posted this earlier in the week on PGP-Basics). This assumes you had everything in C:\GnuPG.

0) Keep C:\GnuPG as your backup.

1) Download and run installer.
ftp://ftp.gnupg.org/GnuPG/binary/gnupg-w32cli-1.4.1.exe (1406k)
ftp://ftp.gnupg.org/GnuPG/binary/gnupg-w32cli-1.4.1.exe.sig

2) Copy keyrings and option preferences.
Open a CMD window
cd C:\GnuPG
copy *.gpg "%APPDATA%\GnuPG"
copy gpg.conf "%APPDATA%\GnuPG"
exit

4) Fix PATH if necessary.
Right-click My Computer; select Properties (same as Control Panel -> System). Win2k/XP: Advanced tab -> Environment Variables. Locate Path among the environment variables and click 'Edit'. If GnuPG was in the path before, change the location to the new location (default is C:\Program Files\Gnu\GnuPG). If not present, add it to the beginning of the string. 'Program Files' may usually be abbreviated 'Progra~1' if you're tight on room. Click OK three times to close the System Properties dialog.

5) Update Registry values:

a) Using Regedit.exe
Open the registry and expand HKEY_CURRENT_USER, then Software, Gnu and finally GnuPG. In the right-hand panel, double click "HomeDir" and change its value to reflect the new Home directory:
"C:\Documents and Settings\servie\Application Data\GnuPG"

This is the only change required for GnuPG. If you are also using or have used GPGrelay, GPGshell, or WinPT, you may have two additional values to change:
gpgProgram = "C:\Program Files\Gnu\GnuPG\gpg.exe" or "C:\PROGRA~1\Gnu\GnuPG\gpg.exe"
OptFile = "C:\Documents and Settings\servie\Application Data\GnuPG\gpg.conf"

You don't include the quotes (") when entering the values in the text boxes. Ignore any other values under this key. Exit RegEdit. Go to Step 6.

b) Using a Registry patch file.
We cover this in great detail on the Enigmail GnuPG for Windows page (http://enigmail.mozdev.org/gpgconf.html). Briefly, you need to use Notepad to construct a file containing your new values and save it with a .REG extension. Close Notepad and double-click the new .REG file in Explorer - answer Yes/OK to include the file into the Registry.
Your file should look like (just the stuff between the "++++" lines):

++++
REGEDIT4

[HKEY_CURRENT_USER\Software\GNU]

[HKEY_CURRENT_USER\Software\GNU\GNUPG]

[HKEY_CURRENT_USER\Software\GNU\GNUPG]
"HomeDir"="C:\\Documents and Settings\\user\\Application Data\\GnuPG"
"gpgProgram"="C:\\Program Files\\Gnu\\GnuPG\\gpg.exe"
"OptFile"="C:\\Documents and Settings\\user\\Application Data\\GnuPG\\gpg.conf"
++++

Change 'user' in the above to your user name (servie). The OptFile line should be all on one line - the email probably wrapped.

6) Test installation.
Open a new CMD window; 'gpg --version' should show something similar to:

C:\WINNT>gpg --version
gpg (GnuPG) 1.4.1
Copyright (C) 2005 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Home: C:/Documents and Settings/jpclizbe/Application Data/GnuPG
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512
Compression: Uncompressed, ZIP, ZLIB, BZIP2

C:\WINNT>

The version should be 1.4.1 and Home should be like the above but with your username, not mine.

That's all there is to it.

- From your post it sounds like the only steps remaining would be to copy the keyring *.gpg and options (gpg.conf) files from C:\GnuPG and update the Registry values.

- --
John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet
Golden Bear Networks PGP/GPG KeyID: 0x608D2A10
"Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG
Comment: Be part of the ?33t ECHELON -- Use Strong Encryption.
Comment: It's YOUR right - for the time being.
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFCO7EUHQSsSmCNKhARAg7AAJ413IlYR36DqI1r0uQilBH3Vq9wBgCeJq58
x9rMZbnUFWiRrbApy/tnS6U=
=fZa4
-----END PGP SIGNATURE-----

From torduninja at mail.pf Sat Mar 19 03:44:15 2005
From: torduninja at mail.pf (Maxine Brandt)
Date: Sat Mar 19 06:05:26 2005
Subject: Cross-compiling instructions
Message-ID: <200503181644.35818.torduninja@mail.pf>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Part of the instructions in README-W32 for cross-compiling for Windows could do with some clarification, I think. Specifically this:

$ ./autogen.sh --build-w32
$ make
$ cp g10/gpg*.exe /some_windows_drive/

I suggest:

See the instructions in file README on how to check the integrity of
- - that file. Wir a properly setup build environment, you unpack the
+ that file. With a properly setup build environment, you unpack the
tarball change to the created directory and run

$ ./autogen.sh --build-w32
$ make
+ $ strip g10/gpg*.exe
+ $ strip keyserver/gpgkeys*.exe
+ $ strip tools/gpgsplit.exe
$ cp g10/gpg*.exe /some_windows_drive/
+ $ cp keyserver/gpgkeys*.exe /some_windows_drive/
+ $ cp tools/gpgsplit.exe /some_windows_drive/

Salut
Maxine

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCO5IHKBY/R6nbCcARAzanAJ4+/TsOqUQxge6s/nMD6P5H2nWx6ACgiSBx
qV3shC6PEU9fXX7PbtNU66E=
=khUw
-----END PGP SIGNATURE-----

From jharris at widomaker.com Sat Mar 19 06:22:54 2005
From: jharris at widomaker.com (Jason Harris)
Date: Sat Mar 19 06:19:37 2005
Subject: Retaining expired sigs
In-Reply-To: <20050318193733.GC28913@jabberwocky.com>
References: <20050317205523.GF9105@wilma.widomaker.com> <20050317211529.GA4096@jabberwocky.com> <20050317221031.GG9105@wilma.widomaker.com> <20050317223141.GC4096@jabberwocky.com> <20050318041825.GH9105@wilma.widomaker.com> <20050318043520.GC5615@jabberwocky.com> <20050318173032.GJ9105@wilma.widomaker.com> <20050318182339.GB28913@jabberwocky.com> <20050318190646.GK9105@wilma.widomaker.com> <20050318193733.GC28913@jabberwocky.com>
Message-ID: <20050319052254.GL9105@wilma.widomaker.com>

On Fri, Mar 18, 2005 at 02:37:33PM -0500, David Shaw wrote:
> On Fri, Mar 18, 2005 at 02:06:46PM -0500, Jason Harris wrote:
> > My point is that once GPG sees a newer signature that overrides an
> > older one, it can safely remove the older one, in all cases, in the
> > interest of keeping keys clean. (Of course, the newest sig. should
> > be valid, and the older sigs should be checked for validity as well,
> > lest we run into a long keyid collision.)
>
> I don't disagree with this. It's not unreasonable to remove them, but
> it doesn't happen that way today. The problem at hand was expired
> sigs, so that is what I addressed.
>
> Removing superseded signatures, however, re-raises the semantic
> questions I asked in my last mail. What algorithm runs first: the
> "remove superseded" or "remove expired"? Depending on which runs
> first, you can get a different result.

Indeed, which is why the correct answer is:

c) Always keep the latest (valid) signature from a given issuer, even if it has expired.

Sigs (esp. revocations) with targets should always be kept, too, lest their targets resurface alone and therefore unmodified.

> > > It gets messy very fast: if I sign a key with no expiration, then sign
> > > it again with an expiration, then the second signature expires - is my
> > > original signature still valid?
> > > Maybe I actually revoked the first
> >
> > By your own explanation above, no.
>
> But should it be? My point is not to say that such-and-such is the
> answer. My point is to say that it is not at all clear what the
> answer should be. I may take some time this weekend and run a few
> test cases against other OpenPGP implementations to see what they do.

Hopefully they will behave as I describe above.

> > Therein lies the problem: GPG, by removing expired signatures
> > (at all), is removing history. As you point out, this can lead
> > to problems when the expired signatures are no longer available
> > to supersede earlier, unexpired signatures.
>
> Only if the right behavior is that expired signatures *should*
> supersede earlier, unexpired signatures.

Per draft-ietf-openpgp-rfc2440bis-12.txt, section 5.2.3.3, I think the intent is clear that an expired selfsig on a userid is the same as a revoked selfsig on a userid. There is no reason for this not to apply to non-selfsigs as well.

Section "0x30: Certification revocation signature" mentions (non-targeted) 0x30 revocations as applying to "an earlier" sig. It also says: "The signature should have a later creation date than the signature it revokes." I believe it is generally understood that "all earlier" sigs are affected by non-targeted 0x30 sigs.

Section 5.2.3.12 (non-revocable flag/subpacket) is very specific that no revocations apply to non-revocable signatures. However, it mentions nothing of non-revocable sigs being superseded.

(Gah! "key holder" and "keyholder" are both used in the draft.)

> If the answer is that expired signatures should supersede, then the
> current implementation of the expired sigs filter is insufficient - it
> needs to remove the earlier sigs as well to avoid re-awakening an old

Actually, GPG needs to retain the latest valid sig., even if it has expired, so that it will be around to take precedence over older sigs.

> signature.
> If the answer is that expired signatures should not
> supersede, then the current implementation is correct.
>
> Which do you favor (and why)? Does every sig stand alone, or can sigs
> only be interpreted in terms of a series?
>
> I vaguely lean towards the idea that expired signatures should not
> supersede earlier unexpired signatures (the "sigs stand alone"
> answer), but only vaguely. I find the simplicity of it attractive.
> Interpreting sigs in a series raises a number of dangerous problems,
> like what happens when a sig is "unrevoked" by an attacker by removing
> packets from the key.

I think it is understood that pubkeys and subkeys cannot be unrevoked after being revoked and non-revocable signatures cannot be revoked after being created, but otherwise anything can be superseded.

The RFC fails to directly address the issue of a non-revocable sig. being superseded by a revocable one which is then revoked, however. In the strictest sense, non-revocable sigs cannot be undone, period, by any mechanism. This is certainly needed when a selfsig specifies a designated revoker, but I think it is good to treat all other non-revocable sigs as "backups" or "fallbacks" that can be superseded temporarily but always return as "standing orders" until superseded again.

If this is not (to be) the case, then non-revocable sigs should really be called "non-modifiable" sigs.

--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004

From dshaw at jabberwocky.com Sat Mar 19 07:24:13 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat Mar 19 07:20:49 2005
Subject: Retaining expired sigs
In-Reply-To: <20050319052254.GL9105@wilma.widomaker.com>
References: <20050317211529.GA4096@jabberwocky.com> <20050317221031.GG9105@wilma.widomaker.com> <20050317223141.GC4096@jabberwocky.com> <20050318041825.GH9105@wilma.widomaker.com> <20050318043520.GC5615@jabberwocky.com> <20050318173032.GJ9105@wilma.widomaker.com> <20050318182339.GB28913@jabberwocky.com> <20050318190646.GK9105@wilma.widomaker.com> <20050318193733.GC28913@jabberwocky.com> <20050319052254.GL9105@wilma.widomaker.com>
Message-ID: <20050319062413.GC7109@jabberwocky.com>

On Sat, Mar 19, 2005 at 12:22:54AM -0500, Jason Harris wrote:
> > Removing superseded signatures, however, re-raises the semantic
> > questions I asked in my last mail. What algorithm runs first: the
> > "remove superseded" or "remove expired"? Depending on which runs
> > first, you can get a different result.
>
> Indeed, which is why the correct answer is:
>
> c) Always keep the latest (valid) signature from a given issuer, even if
> it has expired.

Why keep around the last expired signature and remove all others? I prefer:

d) When stripping a signature, strip all earlier signatures from that particular issuer.

Remember that the original thing that spawned this thread was the desire to keep expired signatures from clogging keys. In the case where the latest signature is expired, you don't need to keep *any* signatures. Using your desired semantics (superseding), the most recent sig invalidates all earlier ones. That leaves you with a single expired sig, which can be removed since there is no longer an earlier sig to supersede.

> Sigs (esp. revocations) with targets should always be kept, too, lest
> their targets resurface alone and therefore unmodified.
I don't think it's viable to argue the "what if a signature comes back" game, since if you are presupposing packet manipulation, then most of the discussion we are having here is moot anyway. > > > Therein lies the problem: GPG, by removing expired signatures > > > (at all), is removing history. As you point out, this can lead > > > to problems when the expired signatures are no longer available > > > to supercede earlier, unexpired signatures. > > > > Only if the right behavior is that expired signatures *should* > > supercede earlier, unexpired signatures. > > Per draft-ietf-openpgp-rfc2440bis-12.txt, section 5.2.3.3, I think > the intent is clear that an expired selfsig on a userid is the same > as a revoked selfsig on a userid. There is no reason for this not > to apply to non-selfsigs as well. Keep reading to the end of 5.2.3.3. The draft, in fact, intentionally does not answer the question of multiple self-sigs. There is some advice about interpreting selfsigs as narrowly as possible, and biasing towards more recent, but "An implementation that encounters multiple self-signatures on the same object may resolve the ambiguity in any way it sees fit" means pretty much what it says. I'm not adverse to changing the code to implement superceding, but I don't think you can (or really need to) rationalize it from 2440bis. > I think it is understood that pubkeys and subkeys cannot be unrevoked > after being revoked and non-revocable signatures cannot be revoked > after being created, but otherwise anything can be superceded. Remember that OpenPGP does not really specify validity semantics. Unfortunately (or fortunately depending on how you look at it), some semantics have crept into what is supposedly just a message format document. In fact, this is another grey area: subkeys can theoretically be unrevoked by issuing a new binding signature, just like user IDs can. 
GnuPG doesn't do this for simplicity, but that's an implementation choice, and not specified (either way) in the standard. > The RFC fails to directly address the issue of a non-revocable sig. > being superceded by a revocable one which is then revoked, however. > In the strictest sense, non-revocable sigs cannot be undone, period, > by any mechanism. This is certainly needed when a selfsig specifies > a designated revoker, but I think it is good to treat all other non- > revocable sigs as "backups" or "fallbacks" that can be superceded > temporarily but always return as "standing orders" until superceded > again. > > If this is not (to be) the case, then non-revocable sigs should really > be called "non-modifiable" sigs. Grey area again. I happen to agree with part of what you say (non-revocable sigs can be superceded), but this is not specified in the standard anywhere. Dragging the conversation out of the standard and into implementation details for a moment, I'm rather inclined to change the expired-sigs trimming code to implement the change (d) from above. It's consistent and safe from signature resurrection problems. David From servie_tech at yahoo.com Sat Mar 19 12:53:29 2005 
From: servie_tech at yahoo.com (Servie Platon) Date: Sat Mar 19 12:50:00 2005 Subject: Changing Home Directory of GPG - Was In-Reply-To: <423BB115.5020600@comcast.net> Message-ID: <20050319115329.7343.qmail@web52510.mail.yahoo.com> Hi Mr. Clizbe, --- John Clizbe wrote: Thank you very much for the help. > The installer didn't change the registry key for > GnuPG's HomeDir. > Here's the upgrade step-by-step: (I posted this > earlier in the week on > PGP-Basics). This assumes you had everything in > C:\GnuPG. > > 0) Keep C:\GnuPG as your backup. > > 1) Download and run installer. > > Did this step...... > ftp://ftp.gnupg.org/GnuPG/binary/gnupg-w32cli-1.4.1.exe > (1406k) > > ftp://ftp.gnupg.org/GnuPG/binary/gnupg-w32cli-1.4.1.exe.sig > > 2) Copy keyrings and option preferences. Open a CMD > window > > cd C:\GnuPG > copy *.gpg "%APPDATA%\GnuPG" (Up to this step) > copy gpg.conf "%APPDATA%\GnuPG" (Error here, it appears that gpg.conf is not present) > exit > > 4) Fix PATH if necessary. Right-click My Computer; > select Properties. (Did this step) > (same as Control Panel ->System). Win2k/XP: Advanced > tab -> Environment > Variables. Locate Path among the environment > variables and click 'Edit'. > If GnuPG was in the path before, change the location > to the new location > (default is C:\Program Files\Gnu\GnuPG). If not > present, add it to the > beginning of the string. 'Program Files' may usually > be abbreviated > 'Progra~1' if you're tight on room. Click OK three > times to close the > System Properties dialog. > > 5) Update Registry values: (Already present, as I did this step before). > a) Using Regedit.exe > Open the registry and expand HKEY_CURRENT_USER, > then Software, > Gnu and finally GnuPG. In the right-hand panel, > double click "HomeDir" > and change its value to reflect the new Home > directory: > "C:\Documents and Settings\servie\Application > Data\GnuPG" > This is the only change required for GnuPG. 
If > you are also using > or have used GPGrelay, GPGshell, or WinPT, you > may have two additional > values to change: > gpgProgram = "C:\Program > Files\Gnu\GnuPG\gpg.exe" > or "C:\PROGRA~1\Gnu\GnuPG\gpg.exe" > > OptFile = > "C:\Documents and Settings\servie\Application > Data\GnuPG\gpg.conf" > > You don't include the quotes (") when entering > the values in the > text boxes. Ignore any other values under this > key. Exit RegEdit. > go to Step 6. > > b) Using a Registry patch file. We cover this in > great detail on the > Enigmail GnuPG for Windows page > (http://enigmail.mozdev.org/gpgconf.html). > Briefly you need to use notepad to construct a file > containing your new > values and save it with a .REG extension. Close > Notepad and double-click > the new .REG file in Explorer - answer Yes/OK to > include the file into the > Registry. Your file should look like (just the > stuff between the "++++" > lines): > ++++ > REGEDIT4 > > [HKEY_CURRENT_USER\Software\GNU] > > [HKEY_CURRENT_USER\Software\GNU\GNUPG] > > [HKEY_CURRENT_USER\Software\GNU\GNUPG] > "HomeDir"="C:\\Documents and > Settings\\user\\Application Data\\GnuPG" > "gpgProgram"="C:\\Program > Files\\Gnu\\GnuPG\\gpg.exe" > "OptFile"="C:\\Documents and > Settings\\user\\Application > Data\\GnuPG\\gpg.conf" > > ++++ > Change 'user' in the abouve to your user name > (servie). The OptFile line > should be all on one line - the email probably > wrapped. > > 6) Test installation. Open a new CMD window, 'gpg > --version' should show > something similar to: > > C:\WINNT>gpg --version > gpg (GnuPG) 1.4.1 > Copyright (C) 2005 Free Software Foundation, Inc. > This program comes with ABSOLUTELY NO WARRANTY. > This is free software, and you are welcome to > redistribute it > under certain conditions. See the file COPYING for > details. 
> > Home: C:/Documents and Settings/jpclizbe/Application > Data/GnuPG > Supported algorithms: > Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA > Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, > AES256, TWOFISH > Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512 > Compression: Uncompressed, ZIP, ZLIB, BZIP2 > > C:\WINNT> > > The version should be 1.4.1 and Home should be like > the above but with > your username, not mine. Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\Documents and Settings\servie>gpg --version gpg: error loading `iconv.dll': The specified module could not be found. gpg: please see http://www.gnupg.org/download/iconv.html for more information gpg (GnuPG) 1.4.1 Copyright (C) 2005 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. Home: C:/Documents and Settings/servie/Application Data/GnuPG (Seems fine here except for the iconv.dll problem which I deleted before). Should I reconstruct again the iconv.dll file and restore all the entries as stated in the gpg.conf file? Supported algorithms: Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512 Compression: Uncompressed, ZIP, ZLIB, BZIP2 C:\Documents and Settings\servie> > That's all there is to it. > > - From your post it sounds like the only steps > remaining would e to copy the > keyring *.gpg and options (gpg.conf) files from > C:\GnuPG and update the > Registry values. > Again, thank you very much. > - -- > John P. Clizbe Inet: > JPClizbe(a)comcast DOT nyet > Golden Bear Networks PGP/GPG KeyID: > 0x608D2A10 > "Be who you are and say what you feel because those > who mind don't matter > and those who matter don't mind." 
- Dr Seuss, "Oh > the Places You'll Go" > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.1 (MingW32) > Comment: When cryptography is outlawed, > b25seSBvdXRsYXdzIHdpbGwgdXNlIG > Comment: Be part of the £33t ECHELON -- Use Strong > Encryption. > Sincerely, Servie __________________________________ Do you Yahoo!? Yahoo! Small Business - Try our new resources site! http://smallbusiness.yahoo.com/resources/ From jharris at widomaker.com Sat Mar 19 18:02:45 2005 
From: jharris at widomaker.com (Jason Harris) Date: Sat Mar 19 17:58:54 2005 Subject: Retaining expired sigs In-Reply-To: <20050319062413.GC7109@jabberwocky.com> References: <20050317221031.GG9105@wilma.widomaker.com> <20050317223141.GC4096@jabberwocky.com> <20050318041825.GH9105@wilma.widomaker.com> <20050318043520.GC5615@jabberwocky.com> <20050318173032.GJ9105@wilma.widomaker.com> <20050318182339.GB28913@jabberwocky.com> <20050318190646.GK9105@wilma.widomaker.com> <20050318193733.GC28913@jabberwocky.com> <20050319052254.GL9105@wilma.widomaker.com> <20050319062413.GC7109@jabberwocky.com> Message-ID: <20050319170244.GM9105@wilma.widomaker.com> On Sat, Mar 19, 2005 at 01:24:13AM -0500, David Shaw wrote: > On Sat, Mar 19, 2005 at 12:22:54AM -0500, Jason Harris wrote: > > c) Always keep the latest (valid) signature from a given issuer, even if > > it has expired. > Remember that the original thing that spawned this thread was the > desire to keep expired signatures from clogging keys. In the case > where the latest signature is expired, you don't need to keep *any* > signatures. Using your desired semantics (superceding), the most That is not very defensive. If an unsynchronized keyserver is used, a old copy of the key with only the unsuperceded sig(s) can be returned. Why open yourself to essentially a replay attack when you've already seen and can easily save certain strategic signatures from each issuer? Also, my desired semantics require keeping non-revocable sigs. (See below.) > > Per draft-ietf-openpgp-rfc2440bis-12.txt, section 5.2.3.3, I think > > the intent is clear that an expired selfsig on a userid is the same > > as a revoked selfsig on a userid. There is no reason for this not > > to apply to non-selfsigs as well. > > Keep reading to the end of 5.2.3.3. The draft, in fact, intentionally > does not answer the question of multiple self-sigs. 
There is some > advice about interpreting selfsigs as narrowly as possible, and > biasing towards more recent, but "An implementation that encounters > multiple self-signatures on the same object may resolve the ambiguity > in any way it sees fit" means pretty much what it says. > > I'm not adverse to changing the code to implement superceding, but I > don't think you can (or really need to) rationalize it from 2440bis. ... > > I think it is understood that pubkeys and subkeys cannot be unrevoked > > after being revoked and non-revocable signatures cannot be revoked > > after being created, but otherwise anything can be superceded. > > Remember that OpenPGP does not really specify validity semantics. > Unfortunately (or fortunately depending on how you look at it), some > semantics have crept into what is supposedly just a message format > document. In fact, this is another grey area: subkeys can > theoretically be unrevoked by issuing a new binding signature, just > like user IDs can. GnuPG doesn't do this for simplicity, but that's > an implementation choice, and not specified (either way) in the > standard. Another quote from the document is in order, then: This document is maintained in order to publish all necessary information needed to develop interoperable applications based on the OpenPGP format. It is not a step-by-step cookbook for writing an application. It describes only the format and methods needed to read, check, generate, and write conforming packets crossing any network. It does not deal with storage and implementation questions. It does, however, discuss implementation issues necessary to avoid security flaws. I maintain that it misses its stated goals of leading to interoperable applications and avoiding security flaws insofar as it leaves the sub- jects of expired and superceded signatures untreated. > > The RFC fails to directly address the issue of a non-revocable sig. > > being superceded by a revocable one which is then revoked, however. 
> > In the strictest sense, non-revocable sigs cannot be undone, period, > > by any mechanism. This is certainly needed when a selfsig specifies > > a designated revoker, but I think it is good to treat all other non- > > revocable sigs as "backups" or "fallbacks" that can be superceded > > temporarily but always return as "standing orders" until superceded > > again. > > > > If this is not (to be) the case, then non-revocable sigs should really > > be called "non-modifiable" sigs. > > Grey area again. I happen to agree with part of what you say > (non-revocable sigs can be superceded), but this is not specified in > the standard anywhere. OK. > Dragging the conversation out of the standard and into implementation > details for a moment, I'm rather inclined to change the expired-sigs > trimming code to implement the change (d) from above. It's consistent > and safe from signature resurrection problems. [moved from above] > d) When stripping a signature, strip all earlier signatures from > that particular issuer. This will be safe iff the last (valid) sig. from a given issuer supercedes all previous sigs from that issuer, and, if expired, expires all previous sigs from that issuer, and, if a revocation signature, revokes all previous (even non-revocable) sigs from that issuer. (NB: Clearly, I don't think that last requirement can be met given even the most liberal interpretation of draft-ietf-openpgp-rfc2440bis-12.txt. Without meeting all these requirements, you have to at least keep the non-revocable sigs too.) Unless non-revocable userid cert. sigs are undone when newer revocable and/or expirable sigs that supercede them are undone (which neither of us agree with, correct?), you should keep the non-revocable sigs so they will take effect again once the sigs that supercede them become revoked/expired. -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? 
(TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20050319/cf99fb82/attachment.pgp From dshaw at jabberwocky.com Sat Mar 19 20:26:07 2005 
From: dshaw at jabberwocky.com (David Shaw) Date: Sat Mar 19 20:22:49 2005 Subject: Retaining expired sigs In-Reply-To: <20050319170244.GM9105@wilma.widomaker.com> References: <20050317223141.GC4096@jabberwocky.com> <20050318041825.GH9105@wilma.widomaker.com> <20050318043520.GC5615@jabberwocky.com> <20050318173032.GJ9105@wilma.widomaker.com> <20050318182339.GB28913@jabberwocky.com> <20050318190646.GK9105@wilma.widomaker.com> <20050318193733.GC28913@jabberwocky.com> <20050319052254.GL9105@wilma.widomaker.com> <20050319062413.GC7109@jabberwocky.com> <20050319170244.GM9105@wilma.widomaker.com> Message-ID: <20050319192607.GE7109@jabberwocky.com> On Sat, Mar 19, 2005 at 12:02:45PM -0500, Jason Harris wrote: > On Sat, Mar 19, 2005 at 01:24:13AM -0500, David Shaw wrote: > > On Sat, Mar 19, 2005 at 12:22:54AM -0500, Jason Harris wrote: > > > > c) Always keep the latest (valid) signature from a given issuer, even if > > > it has expired. > > > Remember that the original thing that spawned this thread was the > > desire to keep expired signatures from clogging keys. In the case > > where the latest signature is expired, you don't need to keep *any* > > signatures. Using your desired semantics (superceding), the most > > That is not very defensive. If an unsynchronized keyserver is used, > a old copy of the key with only the unsuperceded sig(s) can be returned. > Why open yourself to essentially a replay attack when you've already > seen and can easily save certain strategic signatures from each issuer? > Also, my desired semantics require keeping non-revocable sigs. (See > below.) This troubles me a bit, as it is getting into packet manipulation games. It's hard to say which packets an unsynchronized keyserver (or worse, an attacker) will suddenly resurrect. However, I do agree it does no harm to do this, and might help in some cases. Ok. 
> This document is maintained in order to publish all necessary > information needed to develop interoperable applications based on > the OpenPGP format. It is not a step-by-step cookbook for writing an > application. It describes only the format and methods needed to > read, check, generate, and write conforming packets crossing any > network. It does not deal with storage and implementation questions. > It does, however, discuss implementation issues necessary to avoid > security flaws. > > I maintain that it misses its stated goals of leading to interoperable > applications and avoiding security flaws insofar as it leaves the sub- > jects of expired and superceded signatures untreated. I agree. It's not just expired and superceded signatures. There are a good number of other semantic questions that are not covered in 2440 or 2440bis. For example, the so-called "PGP trust model" is not covered anywhere. This is historical: the original plan for the IETF group was that there would be multiple specifications (a message format document, a trust model document, etc). Unfortunately, only the message format document was written, and it became 2440. > > Dragging the conversation out of the standard and into implementation > > details for a moment, I'm rather inclined to change the expired-sigs > > trimming code to implement the change (d) from above. It's consistent > > and safe from signature resurrection problems. > > [moved from above] > > d) When stripping a signature, strip all earlier signatures from > > that particular issuer. > > This will be safe iff the last (valid) sig. from a given issuer > supercedes all previous sigs from that issuer, and, if expired, > expires all previous sigs from that issuer, and, if a revocation > signature, revokes all previous (even non-revocable) sigs from > that issuer. (NB: Clearly, I don't think that last requirement > can be met given even the most liberal interpretation of > draft-ietf-openpgp-rfc2440bis-12.txt. 
> Without meeting all these requirements, you have to at least keep the
> non-revocable sigs too.)
>
> Unless non-revocable userid cert. sigs are undone when newer revocable
> and/or expirable sigs that supercede them are undone (which neither of
> us agree with, correct?), you should keep the non-revocable sigs so
> they will take effect again once the sigs that supercede them become
> revoked/expired.

I'm not sure I agree with this. I was under the impression you were arguing for something else, so let me make sure we're both talking about the same thing. Given this case:

    non-revocable sig   1-Jan-2000
    revocable sig       2-Jan-2000
    revocation          3-Jan-2000

One way of looking at this is the end result is nothing. That is, the revocable sig of 2-Jan-2000 has superceded the non-revocable sig of 1-Jan-2000, and then the revocation has revoked the sig of 2-Jan-2000. There are no valid sigs left, and all three can be disregarded.

Another way of looking at this is that the revocable sig of 2-Jan-2000 has not superceded the non-revocable sig of 1-Jan-2000. The revocation of 3-Jan-2000 has revoked the sig of 2-Jan-2000, which leaves the non-revocable sig of 1-Jan-2000 as valid and usable.

Now try this case:

    non-revocable sig   1-Jan-2000
    expired sig         2-Jan-2000 (expired 3-Jan-2000)

One answer here is that the expired sig of 2-Jan-2000 has superceded the nonrevocable sig of 1-Jan-2000. The end result is nothing and both sigs can be discarded.

Another answer is that 2-Jan-2000 has expired, which leaves the sig of 1-Jan-2000 as valid and usable.

What are you arguing for?

David

From jharris at widomaker.com Sat Mar 19 21:25:32 2005
From: jharris at widomaker.com (Jason Harris) Date: Sat Mar 19 21:21:37 2005 Subject: Retaining expired sigs In-Reply-To: <20050319192607.GE7109@jabberwocky.com> References: <20050318041825.GH9105@wilma.widomaker.com> <20050318043520.GC5615@jabberwocky.com> <20050318173032.GJ9105@wilma.widomaker.com> <20050318182339.GB28913@jabberwocky.com> <20050318190646.GK9105@wilma.widomaker.com> <20050318193733.GC28913@jabberwocky.com> <20050319052254.GL9105@wilma.widomaker.com> <20050319062413.GC7109@jabberwocky.com> <20050319170244.GM9105@wilma.widomaker.com> <20050319192607.GE7109@jabberwocky.com> Message-ID: <20050319202532.GN9105@wilma.widomaker.com> On Sat, Mar 19, 2005 at 02:26:07PM -0500, David Shaw wrote: > I agree. It's not just expired and superceded signatures. There are > a good number of other semantic questions that are not covered in 2440 > or 2440bis. For example, the so-called "PGP trust model" is not > covered anywhere. This is historical: the original plan for the IETF > group was that there would be multiple specifications (a message > format document, a trust model document, etc). Unfortunately, only > the message format document was written, and it became 2440. That explains a lot. Thanks. > about the same thing. Given this case: > > non-revocable sig 1-Jan-2000 > revocable sig 2-Jan-2000 > revocation 3-Jan-2000 > > One way of looking at this is the end result is nothing. That is, the > revocable sig of 2-Jan-2000 has superceded the non-revocable sig of > 1-Jan-2000, and then the revocation has revoked the sig of 2-Jan-2000. > There are no valid sigs left, and all three can be disregarded. This would be letting the non-revocable sig. be indirectly revoked, which I don't believe anyone is advocating. > Another way of looking at this is that the revocable sig of 2-Jan-2000 > has not superceded the non-revocable sig of 1-Jan-2000. 
The > revocation of 3-Jan-2000 has revoked the sig of 2-Jan-2000, which > leaves the non-revocable sig of 1-Jan-2000 as valid and usable. This is what I am advocating. > Now try this case: > > non-revocable sig 1-Jan-2000 > expired sig 2-Jan-2000 (expired 3-Jan-2000) > > One answer here is that the expired sig of 2-Jan-2000 has superceded > the nonrevocable sig of 1-Jan-2000. The end result is nothing and > both sigs can be discarded. > > Another answer is that 2-Jan-2000 has expired, which leaves the sig of > 1-Jan-2000 as valid and usable. > > What are you arguing for? The sig. of 1-Jan-2000 is valid and usable. It can only be ignored when superceded. Also, if multiple non-revocable sigs. exist, the latest (valid) one supercedes all others, which can be safely removed. -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20050319/2ecf0465/attachment.pgp From JPClizbe at comcast.net Sat Mar 19 23:47:29 2005 
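Editor's added example for the "Retaining expired sigs" thread above; this is not GnuPG's code and is not from either poster. It models the filtering rule the thread is circling: David Shaw's (d), "when stripping a signature, strip all earlier signatures from that issuer", plus Jason Harris's point that non-revocable sigs are kept so they stand again once whatever superseded them is revoked or expired, and that the latest valid non-revocable sig supersedes earlier non-revocable ones. The two cases David poses (non-revocable 1-Jan, revocable 2-Jan, revocation 3-Jan; and non-revocable 1-Jan, sig of 2-Jan expiring 3-Jan) are embedded as constructed test data, with day 1 standing for 1-Jan-2000. The `Sig` record, the issuer names and the day numbering are assumptions made for the illustration. Whether a still-valid revocable sig temporarily hides a non-revocable one is deliberately not modelled, since the thread leaves that open; the function only decides which signatures stay on the key.

```python
# Added example (not GnuPG code): a model of the per-issuer signature
# filtering rule discussed in the "Retaining expired sigs" thread.
# Day numbers are constructed: day 1 = 1-Jan-2000, day 2 = 2-Jan-2000, ...
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Sig:
    issuer: str
    created: int                   # day number the signature was made
    revocable: bool = True         # False = non-revocable certification
    expires: Optional[int] = None  # day number it expires, None = never
    revokes: Optional[int] = None  # set = this is a revocation of the sig made that day

    @property
    def is_revocation(self) -> bool:
        return self.revokes is not None


def filter_unusable(sigs: List[Sig], now: int) -> List[Sig]:
    """Return the signatures that survive filtering at day `now`.

    Rules modelled (hypothetical reading of the thread, not a spec):
      * an expired or revoked revocable sig is stripped together with every
        earlier revocable sig from the same issuer (rule (d));
      * a non-revocable sig is never stripped by a later revocable sig's
        expiry or revocation; only a later, still valid non-revocable sig
        from the same issuer supersedes it;
      * revocation sigs have targets and are always kept.
    """
    kept: List[Sig] = []
    for issuer in sorted({s.issuer for s in sigs}):
        mine = sorted((s for s in sigs if s.issuer == issuer), key=lambda s: s.created)
        # creation day of the target -> the revocation aimed at it
        revocations = {r.revokes: r for r in mine if r.is_revocation}
        standing: List[Sig] = []          # revocable cert sigs still in force
        latest_nonrev: Optional[Sig] = None
        for s in mine:
            if s.is_revocation:
                kept.append(s)
                continue
            expired = s.expires is not None and s.expires <= now
            if not s.revocable:
                # a revocation aimed at a non-revocable sig has no effect
                if not expired:
                    latest_nonrev = s     # supersedes any earlier non-revocable sig
                continue
            rev = revocations.get(s.created)
            revoked = rev is not None and rev.created > s.created
            if expired or revoked:
                standing.clear()          # rule (d): strip this and all earlier ones
            else:
                standing.append(s)
        if latest_nonrev is not None:
            kept.append(latest_nonrev)
        kept.extend(standing)
    return sorted(kept, key=lambda s: (s.issuer, s.created))


# The two cases from the thread, as constructed test data.
CASE_REVOKED = [
    Sig("alice", 1, revocable=False),
    Sig("alice", 2),
    Sig("alice", 3, revokes=2),
]
CASE_EXPIRED = [
    Sig("alice", 1, revocable=False),
    Sig("alice", 2, expires=3),
]


def describe(sigs: List[Sig], now: int) -> List[str]:
    """Human-readable view of what survives filtering."""
    out = []
    for s in filter_unusable(sigs, now):
        kind = "revocation" if s.is_revocation else ("revocable" if s.revocable else "non-revocable")
        out.append(f"{s.issuer} day {s.created} {kind}")
    return out


if __name__ == "__main__":
    for name, case in (("revoked", CASE_REVOKED), ("expired", CASE_EXPIRED)):
        print(name, describe(case, now=4))
```

In both of David's cases the 1-Jan non-revocable sig survives; importing a later expired sig from an issuer, the situation David mentions as a change in behaviour, removes that issuer's earlier revocable sigs even though they were valid when they were first imported.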
From: JPClizbe at comcast.net (John Clizbe) Date: Sat Mar 19 23:44:48 2005 Subject: Changing Home Directory of GPG - Was In-Reply-To: <20050319115329.7343.qmail@web52510.mail.yahoo.com> References: <20050319115329.7343.qmail@web52510.mail.yahoo.com> Message-ID: <423CAC01.7000204@comcast.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Servie Platon wrote:
> Hi Mr. Clizbe,
>
> --- John Clizbe wrote:
>
> Thank you very much for the help.
>
>> cd C:\GnuPG
>> copy *.gpg "%APPDATA%\GnuPG" (Up to this step)
>> copy gpg.conf "%APPDATA%\GnuPG"
> (Error here, it appears that gpg.conf is not present)
>> exit

If there is no gpg.conf file in your old home directory, C:\GnuPG, it could be under the old name 'options' or something similar. If not, there are instructions on the Enigmail GnuPG for Windows users page (http://enigmail.mozdev.org/gpgconf.html).

> C:\Documents and Settings\servie>gpg --version
> gpg: error loading `iconv.dll': The specified module could not be found.

Run the installer again and iconv.dll will be restored. Or download it from the GnuPG.org ftp site:
ftp://ftp.gnupg.org/gcrypt/binary/libiconv-1.9.1.dll.zip (644k)
ftp://ftp.gnupg.org/gcrypt/binary/libiconv-1.9.1.dll.zip.sig

> Home: C:/Documents and Settings/servie/Application Data/GnuPG (Seems fine here except for the iconv.dll problem which I deleted before). Should I reconstruct again the iconv.dll file and restore all the entries as stated in the gpg.conf file?

See above regarding iconv.dll. A starter gpg.conf would be:

    default-key 0xDecafBAD   <--- replace with YOUR key ID
    default-recipient-self
    keyserver random.sks.keyserver.penguin.de
    keyserver-options auto-key-retrieve include-subkeys include-revoked
    no-secmem-warning

> Again, thank you very much.

You're most welcome.

- --
John P. Clizbe   Inet: John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO.   PGP/GPG KeyID: 0x608D2A10
"what's the key to success?" / "two words: good decisions."
"what's the key to good decisions?"
/ "one word: experience." "how do i get experience?" / "two words: bad decisions." "Just how do the residents of Haiku, Hawai'i hold conversations?" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Be part of the ?33t ECHELON -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFCPKv/HQSsSmCNKhARAtu1AJ44ansmufNYK4OADopFKL60p9g0sQCfe51g PFolzyTVGXFVZuITQjZQZxk= =sGSK -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Sun Mar 20 04:35:47 2005 
From: dshaw at jabberwocky.com (David Shaw) Date: Sun Mar 20 05:26:17 2005 Subject: Retaining expired sigs In-Reply-To: <20050319202532.GN9105@wilma.widomaker.com> References: <20050318043520.GC5615@jabberwocky.com> <20050318173032.GJ9105@wilma.widomaker.com> <20050318182339.GB28913@jabberwocky.com> <20050318190646.GK9105@wilma.widomaker.com> <20050318193733.GC28913@jabberwocky.com> <20050319052254.GL9105@wilma.widomaker.com> <20050319062413.GC7109@jabberwocky.com> <20050319170244.GM9105@wilma.widomaker.com> <20050319192607.GE7109@jabberwocky.com> <20050319202532.GN9105@wilma.widomaker.com> Message-ID: <20050320033547.GG7109@jabberwocky.com> On Sat, Mar 19, 2005 at 03:25:32PM -0500, Jason Harris wrote: > > about the same thing. Given this case: > > > > non-revocable sig 1-Jan-2000 > > revocable sig 2-Jan-2000 > > revocation 3-Jan-2000 > > > > One way of looking at this is the end result is nothing. That is, the > > revocable sig of 2-Jan-2000 has superceded the non-revocable sig of > > 1-Jan-2000, and then the revocation has revoked the sig of 2-Jan-2000. > > There are no valid sigs left, and all three can be disregarded. > > This would be letting the non-revocable sig. be indirectly revoked, > which I don't believe anyone is advocating. > > > Another way of looking at this is that the revocable sig of 2-Jan-2000 > > has not superceded the non-revocable sig of 1-Jan-2000. The > > revocation of 3-Jan-2000 has revoked the sig of 2-Jan-2000, which > > leaves the non-revocable sig of 1-Jan-2000 as valid and usable. > > This is what I am advocating. Good. Then we agree. What's more, there is nothing to change. GnuPG already effectively works this way (see below). > > Now try this case: > > > > non-revocable sig 1-Jan-2000 > > expired sig 2-Jan-2000 (expired 3-Jan-2000) > > > > One answer here is that the expired sig of 2-Jan-2000 has superceded > > the nonrevocable sig of 1-Jan-2000. The end result is nothing and > > both sigs can be discarded. 
> > > > Another answer is that 2-Jan-2000 has expired, which leaves the sig of > > 1-Jan-2000 as valid and usable. > > > > What are you arguing for? > > The sig. of 1-Jan-2000 is valid and usable. It can only be ignored when > superceded. I agree with your general idea here, but not the details, exactly. What GnuPG does in this case is to take the 1-Jan-2000 signature and ignore any that follow. I don't like the idea of a signature that is temporarily superceded. Either it is superceded (and can be removed) or it is not. It's a bit of a distinction without a difference, really. The end result is basically the same, but the rationale is different. > Also, if multiple non-revocable sigs. exist, the latest (valid) one > supercedes all others, which can be safely removed. Ok, I buy this. I'll change the unusable sig filter to remove earlier sigs in a series when filtering. It's a little different than the current implementation since this would allow a newly imported signature to cause older signatures already on the keyring to disappear (say, if an expired signature was imported that dated after all the signatures that were already present). David From zuxy.meng at gmail.com Sun Mar 20 06:12:33 2005 From: zuxy.meng at gmail.com (Zuxy) Date: Sun Mar 20 06:09:23 2005 Subject: Question about ultimate trust Message-ID: Hi List, Not until recently did I notice that I can trust any key ultimately, even those without secret part. Isn't ultimate trust expected to be assigned exclusively to my own keys? And what's the difference between ultimate and complete trust when calculating keys' validity? Thanks. -- Zuxy Beauty is truth, While truth is beauty. PGP KeyID: E8555ED6 From jerri at jerri.de Sun Mar 20 10:09:52 2005 
From: jerri at jerri.de (Gerhard Siegesmund) Date: Sun Mar 20 11:07:07 2005 Subject: gpg over ssh... Message-ID: <20050320090952.GB5389@base.jerri.home>

Hello List

I don't know whether this is a dumb thing to do, but I had the following idea, which I unfortunately didn't get to work.

I am working on linux (debian) with gpg (GnuPG) 1.4.0.

Say I have an encrypted file somewhere on a server on the net. Naturally I don't have my private key on that "unsafe" server. I want to use the output of the encrypted file in a pipe to do something with it.

I don't like the idea of sending the encrypted file back to my home-server to decrypt it there and then sending the decrypted file back to the work-server. Although this would work, I would have to remember to remove the decrypted file after the action.

My idea was to do something like the following:

    cat encrypted_file.gpg | ssh me@my.home.server gpg --decrypt | do_something.sh

I don't want to do this automatically! Interactively is great, as this secures my private key with two passwords: the ssh-password and the gpg-passphrase.

Unfortunately this doesn't work.

The obvious fix seems to be

    cat encrypted_file.gpg | ssh -tt me@my.home.server gpg --decrypt | do_something.sh

which doesn't work either.

So. Does this way sound correct in your ears? How about security (apart from the point that my homeserver is available from the net, which I know lowers my security a lot. I hope my password is good enough.)? Is this at all possible?

My main point is to hold the private key on one server and not copy it all over the internet.

-- cu --== Jerri ==-- Homepage: http://www.jerri.de/ ICQ: 54160208 Public PGP Key: http://www.jerri.de/jerris_public_key.asc
-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : /pipermail/attachments/20050320/9159b6c7/attachment.pgp
From JPClizbe at comcast.net Sun Mar 20 11:19:46 2005
From: JPClizbe at comcast.net (John Clizbe)
Date: Sun Mar 20 11:16:25 2005
Subject: gpg over ssh...
In-Reply-To: <20050320090952.GB5389@base.jerri.home>
References: <20050320090952.GB5389@base.jerri.home>
Message-ID: <423D4E42.1080100@comcast.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gerhard Siegesmund wrote:
> Hello List
>
> I don't know whether this is a dumb thing to do, but I had the
> following idea, which I unfortunately didn't get to work.
>
> I am working on linux (debian) with gpg (GnuPG) 1.4.0.
>
> Say I have an encrypted file somewhere on a server on the net.
> Naturally I don't have my private key on that "unsafe" server. I want
> to use the output of the encrypted file in a pipe to do something with
> it.
>
> I don't like the idea of sending the encrypted file back to my home-server
> to decrypt it there and then sending the decrypted file back to the
> work-server. Although this would work, I would have to remember to remove
> the decrypted file after the action.
>
> My idea was to do something like the following:
>
> cat encrypted_file.gpg | ssh me@my.home.server gpg --decrypt | do_something.sh
>
> I don't want to do this automatically! Interactively is great, as this
> secures my private key with two passwords: the ssh-password and the
> gpg-passphrase.
>
> Unfortunately this doesn't work.
>
> The obvious fix seems to be
>
> cat encrypted_file.gpg | ssh -tt me@my.home.server gpg --decrypt | do_something.sh
>
> which doesn't work either.
>
> So. Does this sound right to you? How about security
> (apart from the point that my homeserver is available from the net,
> which I know lowers my security a lot. I hope my password is good
> enough.)? Is this at all possible?
>
> My main point is to hold the private key on one server and not copy it
> all over the internet.

Dunno about the piping. Have you considered copying the encrypted file with scp, then opening an ssh shell to decrypt & run?

- --
John P. Clizbe                      Inet: JPClizbe(a)comcast DOT nyet
Golden Bear Networks                PGP/GPG KeyID: 0x608D2A10
"Be who you are and say what you feel because those who mind don't matter
and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG
Comment: Be part of the ?33t ECHELON -- Use Strong Encryption.
Comment: It's YOUR right - for the time being.
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFCPU5BHQSsSmCNKhARAvWwAJ4s9CSt5za//B5K1/Lub+2zb0LloACguTY/
s+17+W9qXwXGxRYSXazQFQk=
=OFTm
-----END PGP SIGNATURE-----
From david.lorch at gmx.de Sun Mar 20 12:03:37 2005
From: david.lorch at gmx.de (David Lorch)
Date: Sun Mar 20 12:00:31 2005
Subject: Revoking a key using the designated revoker
Message-ID: <423D5889.4010005@gmx.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,

GPG provides an option to add a designated revoker to a key. Having designated my primary key as revoker for a smart card key, I would like to know how I can actually revoke the latter should I lose its secret key (that is, the smart card).

If I temporarily delete the card key's pseudo-secret key from GPG and type "gpg --edit-key " and then "revkey", GPG says it needs the secret key to do this. If I type "gpg --gen-revoke ", I get told "gpg: secret key not found: eof".

Still, --edit-key always shows that "This key may be revoked by DSA key xxxxxxxx", but I don't seem to find a way to accomplish this special way of revoking even though the designated revoker's secret key is stored in my GPG keyring.

Can anyone tell me how to make use of the designated revoker?

Thanks for your help,
David

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iQCVAwUBQj1Yh+ZYJaj3HSsiAQJHIAQAla1GweTjC69xqWn5/fe3f161nMUmBDJ8
kqBVorr96M0oIRCd0sCDAGGAR9gJZpZEDsmTMuD3KF8BJLrJWZKRd75BYlWgOPTa
xWVeArTdN6C44pUkGxDAnWL6POa40fEFXaQimN9FzyvgxNDKVTHSVYE4Cjl+i0UH
4lw7BBZWU/c=
=lOFH
-----END PGP SIGNATURE-----
From jerri at jerri.de Sun Mar 20 12:03:59 2005
From: jerri at jerri.de (Gerhard Siegesmund)
Date: Sun Mar 20 12:00:46 2005
Subject: gpg over ssh...
In-Reply-To: <423D4E42.1080100@comcast.net>
References: <20050320090952.GB5389@base.jerri.home> <423D4E42.1080100@comcast.net>
Message-ID: <20050320110359.GD5389@base.jerri.home>

Hello John

> Have you considered copying the encrypted file with scp, then opening an
> ssh shell to decrypt & run?

Yes. As noted in my email this surely is one possibility. But this means I have to copy the encrypted file to my home-server, decrypt it there and then copy it back unencrypted to the work-server. After using the data in the unencrypted file I must not forget to delete the file afterwards. And you can't implement this simply in a script. With the piping this would simplify the whole process a lot.

Maybe if I tell you what I want to do, this might simplify the answer. :)

I have a small script which creates all of the rc-files I normally use. As some of the rc-files (like e.g. .muttrc) differ from server to server, I created template files which are filled by that script with the correct information to run as they should. Using darcs as revision control system I am able to always pull and push the newest versions of the configuration files to/from all of the servers I am working at. Running update-configuration.sh at the server I get the newest and best configurations I am using right now (this is really great with vimrc, as I have some configurations in there which help my workflow a lot).

Now comes the problematic part, which bites me a little bit. As I have all of the configuration files always on all servers (I have all of the different config-data in the repository too), if I have to add a password to an rc-file (like muttrc) all of my passwords for all servers are in this repository. Not a good idea and I am somewhat nervous about this. The great idea now was to put all of the sensitive data into an encrypted file, decryptable only with my private key.
But now comes the misery. How to decrypt that file during update-configuration.sh without copying my private key to all of the servers I am using this script. I just remembered that symmetric encryption could solve the problem. But then I would have to have gpg installed on all servers (which might not be that big a problem). So. Is this piping at all doable, or should I use symmetric encryption with a good passphrase? -- cu --== Jerri ==-- Homepage: http://www.jerri.de/ ICQ: 54160208 Public PGP Key: http://www.jerri.de/jerris_public_key.asc -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : /pipermail/attachments/20050320/eef7ff49/attachment-0001.pgp From dshaw at jabberwocky.com Sun Mar 20 15:24:38 2005 
From: dshaw at jabberwocky.com (David Shaw) Date: Sun Mar 20 15:21:14 2005 Subject: Revoking a key using the designated revoker In-Reply-To: <423D5889.4010005@gmx.de> References: <423D5889.4010005@gmx.de> Message-ID: <20050320142438.GA737@jabberwocky.com> On Sun, Mar 20, 2005 at 12:03:37PM +0100, David Lorch wrote: > Hi all, > > GPG provides an option to add a designated revoker to a key. > Having designated my primary key as revoker for a smart card key, I > would like to know how I can actually revoke the latter should I lose > its secret key (that is, the smart card). > > If I temporarily delete the card key's pseudo-secret key from GPG and > type "gpg --edit-key " and then "revkey", GPG says it needs the > secret key to do this. > If I type "gpg --gen-revoke ", I get told "gpg: secret key > not found: eof". > > Still, --edit-key always shows that "This key may be revoked by DSA key > xxxxxxxx", but I don't seem to find a way to accomplish this special way > of revoking even though the designated revoker's secret key is stored in > my GPG keyring. > > Can anyone tell me how to make use of the designated revoker? gpg --desig-revoke David From dwerder at gmx.net Sun Mar 20 15:20:16 2005 From: dwerder at gmx.net (Dominik Werder) Date: Sun Mar 20 16:15:45 2005 Subject: Adding a receiver Message-ID: Hello! I've encrypted a large file and sent it over the internet. After that I realized that it is encrypted with the wrong public key. As far as I understand public key encryption it should be possible to reencrypt only the random session key for the symmetric cipher with the other public key of the receiver so that I don't have to retransmit the whole file. Is something like that possible with gpg? thanks and bye! Dominik From clbianco at tiscalinet.it Sun Mar 20 16:18:35 2005 
From: clbianco at tiscalinet.it (Carlo Luciano Bianco)
Date: Sun Mar 20 16:17:15 2005
Subject: Libcurl (was Re: [Announce] GnuPG 1.4.1 released)
References: <873buw7svj.fsf__45501.6475906179$1110907615$gmane$org@wheatstone.g10code.de> <20050318154858.GB28771__4233.31979332051$1111161487$gmane$org@jabberwocky.com> <20050318172302.GA28913__41139.6839227111$1111166904$gmane$org@jabberwocky.com>
Message-ID:

On 18 Mar 2005, David Shaw wrote:

> On Fri, Mar 18, 2005 at 06:09:11PM +0100, Carlo Luciano Bianco wrote:
>
>> > With libcurl as well? Excellent.

[...]

> Understood. I'm just pleased that it builds on MinGW at all.

Yes, it builds, but there is a small build problem I discovered in the tests I did yesterday. The libcurl mingw version I used supports SSL but does not have a "config" script, so GnuPG's "configure" does not enable HTTPS and FTPS. I fixed this by manually editing "config.h" after "configure" and before "make", uncommenting the relevant definitions. Of course, this is not a GnuPG problem, but a mingw-libcurl one.

>> So, I cannot be sure that the gpgkeys_curl.exe I have compiled is
>> actually working right. I saw your post on gpg-devel about testing curl
>> code and I hope to have time to make some tests in the week-end...
>
> That would be great, thanks.

Thank you, David. Here is my report:

1) It seems that, when running a subprocess like a gpgkeys_*.exe, gpg.exe does not pass it the environment variables. Most notably, it does not pass the system %PATH%. Both gpg.exe and gpgkeys_*.exe depend on many dlls (zlib, bzip2, libiconv, libintl, etc.) which I keep in a separate folder under "Common files" because they are also used by many other programs I have (e.g. GIMP, gnuplot, etc.). Of course, this folder is in the system %PATH% and gpg.exe has no problems in finding the dlls it needs. But if I try to retrieve a key from a keyserver (no matter what protocol), gpg.exe tries to run the relevant gpgkeys_*.exe which returns an error saying that some dlls are missing. If I copy the dlls into the gnupg folder everything works.

2) gpgkeys_hkp.exe, gpgkeys_finger.exe and gpgkeys_ldap.exe seem to work OK (provided the dlls are found), but gpgkeys_curl.exe does not run at all. As soon as it is started by gpg.exe, it crashes (and DrWatson comes out) even before trying to connect to the net (my firewall does not see any connection). I tried many times, but always with the same result: a crash. I have checked the temporary file gpg.exe uses to pass commands to gpgkeys_curl.exe, but it seems OK to me...

Are there any other tests I can do to understand the problem better? Does anybody else have these same problems?

-- 
| Carlo Luciano Bianco | ICQ UIN: 109517158 |
|______________________| Home page: |
|GPG DSA/ElG 1024/4096:|_________________________________________________|
|KeyID:0x5324A0DA - Fingerprint:8B00C61034120506111B143DEDBF71B45324A0DA |
From jharris at widomaker.com Sun Mar 20 18:18:42 2005
From: jharris at widomaker.com (Jason Harris)
Date: Sun Mar 20 18:15:20 2005
Subject: Retaining expired sigs
In-Reply-To: <20050320033547.GG7109@jabberwocky.com>
References: <20050318173032.GJ9105@wilma.widomaker.com> <20050318182339.GB28913@jabberwocky.com> <20050318190646.GK9105@wilma.widomaker.com> <20050318193733.GC28913@jabberwocky.com> <20050319052254.GL9105@wilma.widomaker.com> <20050319062413.GC7109@jabberwocky.com> <20050319170244.GM9105@wilma.widomaker.com> <20050319192607.GE7109@jabberwocky.com> <20050319202532.GN9105@wilma.widomaker.com> <20050320033547.GG7109@jabberwocky.com>
Message-ID: <20050320171841.GO9105@wilma.widomaker.com>

On Sat, Mar 19, 2005 at 10:35:47PM -0500, David Shaw wrote:
> On Sat, Mar 19, 2005 at 03:25:32PM -0500, Jason Harris wrote:
> > The sig. of 1-Jan-2000 is valid and usable. It can only be ignored when
> > superseded.
>
> I agree with your general idea here, but not the details, exactly.
> What GnuPG does in this case is to take the 1-Jan-2000 signature and
> ignore any that follow.

As I said, that makes them decidedly non-modifiable instead of simply non-revocable.

> I don't like the idea of a signature that is temporarily superseded.
> Either it is superseded (and can be removed) or it is not. It's a bit

If one doesn't insist that the latest non-revocable, superseded sigs are to be removed, I don't see the problem with temporarily superseded sigs. However, GPG's current behavior can be circumvented by manually removing any non-revocable sigs that block other sigs from being considered, anyone affected by this behavior should be able to diagnose it quickly, and I don't recall seeing a lot of non-revocable 0x10-0x13 sigs, so this probably won't become a big issue anytime soon.

BTW, what has your testing of other (OpenPGP(?)) encryption programs uncovered?

-- 
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons?
(TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20050320/2193601f/attachment.pgp From dshaw at jabberwocky.com Sun Mar 20 19:37:04 2005 
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun Mar 20 19:33:49 2005
Subject: Retaining expired sigs
In-Reply-To: <20050320171841.GO9105@wilma.widomaker.com>
References: <20050318182339.GB28913@jabberwocky.com> <20050318190646.GK9105@wilma.widomaker.com> <20050318193733.GC28913@jabberwocky.com> <20050319052254.GL9105@wilma.widomaker.com> <20050319062413.GC7109@jabberwocky.com> <20050319170244.GM9105@wilma.widomaker.com> <20050319192607.GE7109@jabberwocky.com> <20050319202532.GN9105@wilma.widomaker.com> <20050320033547.GG7109@jabberwocky.com> <20050320171841.GO9105@wilma.widomaker.com>
Message-ID: <20050320183704.GA4697@jabberwocky.com>

On Sun, Mar 20, 2005 at 12:18:42PM -0500, Jason Harris wrote:
> On Sat, Mar 19, 2005 at 10:35:47PM -0500, David Shaw wrote:
> > On Sat, Mar 19, 2005 at 03:25:32PM -0500, Jason Harris wrote:
> >
> > > The sig. of 1-Jan-2000 is valid and usable. It can only be ignored when
> > > superseded.
> >
> > I agree with your general idea here, but not the details, exactly.
> > What GnuPG does in this case is to take the 1-Jan-2000 signature and
> > ignore any that follow.
>
> As I said, that makes them decidedly non-modifiable instead of simply
> non-revocable.
>
> > I don't like the idea of a signature that is temporarily superseded.
> > Either it is superseded (and can be removed) or it is not. It's a bit
>
> If one doesn't insist that the latest non-revocable, superseded sigs
> are to be removed, I don't see the problem with temporarily superseded
> sigs.

I think we're not communicating again. There is no visible difference between these two things. What's to have a problem with?

Seriously, think about it:

non-revocable sig 1-Jan-2000
expiring sig 2-Jan-2000 (expires 10-Jan-2000).

Now, say it's January 3rd. According to what you want, the signature that gets used is the 2-Jan-2000. Then, suddenly, on 10-Jan-2000, when that signature expires, the 1-Jan-2000 signature is used.

End result: there is always a signature.
According to what actually happens, the signature that is used is 1-Jan-2000. End result: there is always a signature. I suggest that if it bothers you all that much, you pretend that it's doing what you want. It's not like there is a way to tell the difference. > BTW, what has your testing of other (OpenPGP(?)) encryption programs > uncovered? Haven't checked yet. I don't know that it'll be terribly illuminating on the subject of non-revocable sigs since so far as I know, GnuPG is the only one that implements them (except for the usual use in designated revokers). It might reveal something interesting about expiring sigs though. David From jharris at widomaker.com Sun Mar 20 21:10:44 2005 
From: jharris at widomaker.com (Jason Harris)
Date: Sun Mar 20 21:06:57 2005
Subject: Retaining expired sigs
In-Reply-To: <20050320183704.GA4697@jabberwocky.com> <20050320033547.GG7109@jabberwocky.com>
References: <20050318173032.GJ9105@wilma.widomaker.com> <20050318182339.GB28913@jabberwocky.com> <20050318190646.GK9105@wilma.widomaker.com> <20050318193733.GC28913@jabberwocky.com> <20050319052254.GL9105@wilma.widomaker.com> <20050319062413.GC7109@jabberwocky.com> <20050319170244.GM9105@wilma.widomaker.com> <20050319192607.GE7109@jabberwocky.com> <20050319202532.GN9105@wilma.widomaker.com> <20050320033547.GG7109@jabberwocky.com>
Message-ID: <20050320201044.GP9105@wilma.widomaker.com>

On Sun, Mar 20, 2005 at 01:37:04PM -0500, David Shaw wrote:
> On Sun, Mar 20, 2005 at 12:18:42PM -0500, Jason Harris wrote:
> > On Sat, Mar 19, 2005 at 10:35:47PM -0500, David Shaw wrote:
> > > I agree with your general idea here, but not the details, exactly.
> > > What GnuPG does in this case is to take the 1-Jan-2000 signature and
> > > ignore any that follow.
> >
> > As I said, that makes them decidedly non-modifiable instead of simply
> > non-revocable.
> >
> > > I don't like the idea of a signature that is temporarily superseded.
> > > Either it is superseded (and can be removed) or it is not. It's a bit
> >
> > If one doesn't insist that the latest non-revocable, superseded sigs
> > are to be removed, I don't see the problem with temporarily superseded
> > sigs.
>
> I think we're not communicating again. There is no visible difference
> between these two things. What's to have a problem with?

From your last message, I remain under the impression that the non-revocable sig. is used and any sigs that might supersede it are _never_ used.

> Seriously, think about it:
>
> non-revocable sig 1-Jan-2000
> expiring sig 2-Jan-2000 (expires 10-Jan-2000).
>
> Now, say it's January 3rd. According to what you want, the signature
> that gets used is the 2-Jan-2000. Then, suddenly, on 10-Jan-2000,
> when that signature expires, the 1-Jan-2000 signature is used.

(Yes, I continue to advocate this (superseding of non-revocable sigs).)

> End result: there is always a signature.
>
> According to what actually happens, the signature that is used is
> 1-Jan-2000.
>
> End result: there is always a signature.

There is only ever one signature (that GPG uses): the 1-Jan-2000 signature, correct?

> I suggest that if it bothers you all that much, you pretend that it's
> doing what you want. It's not like there is a way to tell the
> difference.

I can imagine scenarios where there would be a difference, regardless of how useful others may consider them in practice. For example, I issue a non-revocable 0x12 sig. Later, I want to upgrade it to a 0x13 sig. (revocable or non-revocable). IIUC, GPG will always use the non-revocable 0x12 sig., correct?

If so, I think we're communicating just fine, but have a difference of opinion over this issue.

> > BTW, what has your testing of other (OpenPGP(?)) encryption programs
> > uncovered?
>
> Haven't checked yet. I don't know that it'll be terribly illuminating
> on the subject of non-revocable sigs since so far as I know, GnuPG is
> the only one that implements them (except for the usual use in
> designated revokers). It might reveal something interesting about
> expiring sigs though.

OK.

-- 
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 309 bytes
Desc: not available
Url : /pipermail/attachments/20050320/74a59738/attachment.pgp
From atom at smasher.org Sun Mar 20 21:20:15 2005
From: atom at smasher.org (Atom Smasher) Date: Sun Mar 20 21:13:27 2005 Subject: gpg over ssh... In-Reply-To: <20050320090952.GB5389@base.jerri.home> References: <20050320090952.GB5389@base.jerri.home> Message-ID: <20050320201719.70691.qmail@smasher.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 this seems to work for me: $ ssh atom@smasher.org 'cat file1' | gpg | ssh atom@smasher.org 'cat - > file2' note the quotes. it reads an encrypted file (file1) from the server, decrypts it locally and writes the decrypted data back to a file (file2) on the server. my secret key and password stay away from the server. - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "You have the right to remain silent. Anything you say can be used against you in a court of law. You have the right to have an attorney present now and during any future questioning. If you cannot afford an attorney, one will be appointed to you free of charge if you wish." -- Miranda Rights, Miranda vs. Arizona 1966 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJCPdsKAAoJEAx/d+cTpVcinLMIALWvpMc4S0BbhjelB0zpSYiy 6agg0ajFkZwcXKFyJvmsdJRj69UThBtrPZOYWkA66EAWRSLWvx5hf4ANoN5NCE71 yAtSXSvfdmhVtJq72WmL3kZgKgNNwI66rrYdU2/1Qf/v/HwgGoxx3gaS+0VH//FM /oju8JAARjWxvAT5hdv7qWr/MKVEQO41OvSqbIzGI8x26FGEh2tCEg8DpC3f63cP yiKx1FtRtUEF5d2riVDHiWl17xs2qmDQV8d58LTY2BK9OS+3L2g3QIgJXTvWSy+W XnRUg25vZ0Xc2w9XyvFPPKKKLSRh+tuEbcCUWUr3XtJDsI3PZGVVYoAMber3F8M= =vbiJ -----END PGP SIGNATURE----- From mail at mark-kirchner.de Sun Mar 20 22:08:17 2005 
From: mail at mark-kirchner.de (Mark Kirchner) Date: Sun Mar 20 22:04:45 2005 Subject: Adding a receiver In-Reply-To: References: Message-ID: <102209950.20050320220817@mark-kirchner.de> On Sunday, March 20, 2005, 3:20:16 PM, Dominik wrote: > I've encrypted a large file and sent it over the internet. > After that I realized that it is encrypted with the wrong public key. > As far as I understand public key encryption it should be possible to > reencrypt only the random session key for the symmetric cipher with the > other public key of the receiver so that I don't have to retransmit the > whole file. > Is something like that possible with gpg? Answered this question (accidentally) off-list. Short summary: It is doable by using --show-session-key and --override-session-key. Regards, Mark Kirchner -- _____________________________________________________________ Key (0x19DC86D3): http://www.mark-kirchner.de/keys/key-mk.asc From jharris at widomaker.com Sun Mar 20 22:50:25 2005 
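Mark's answer above names the two gpg options; the reason re-sending the bulk is unnecessary is the message layout itself. The following is an added example written for this page, not gpg's code and not from Mark's or Dominik's posts: it implements the RFC 4880 packet framing (old- and new-format headers, PKESK tag 1, SEIPD tag 18), lists the key IDs a message is addressed to, and splices a PKESK in or out while leaving the encrypted data packet untouched byte for byte. All function names are this example's own; the key IDs, MPIs and "ciphertext" are constructed dummies. Producing a genuine PKESK for the correct recipient (the same session key, encrypted to that recipient's public key) is the step gpg has to do; this script only shows where it goes.

```python
import struct
from typing import List, Tuple

# Packet tags (RFC 4880 section 4.3) that make up an encrypted message.
PKESK = 1    # Public-Key Encrypted Session Key: one per recipient, names a key ID
SEIPD = 18   # Sym. Encrypted Integrity Protected Data: the bulk, names nobody

Packet = Tuple[int, bytes, int, int]   # (tag, body, header offset, end offset)


def encode_packet(tag: int, body: bytes) -> bytes:
    """New-format header (RFC 4880 4.2.2): 0xC0|tag, then a 1-, 2- or
    5-octet length.  Partial-body lengths are never generated here."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        n -= 192
        length = bytes([(n >> 8) + 192, n & 0xFF])
    else:
        length = b"\xff" + struct.pack(">I", n)
    return bytes([0xC0 | tag]) + length + body


def decode_packets(data: bytes) -> List[Packet]:
    """Split a message into packets; accepts old- and new-format headers
    with definite lengths.  Offsets are kept so callers can splice raw
    bytes instead of re-serialising the possibly huge data packet."""
    packets, i = [], 0
    while i < len(data):
        start, ptag = i, data[i]
        if not ptag & 0x80:
            raise ValueError("no packet header at offset %d" % i)
        i += 1
        if ptag & 0x40:                                  # new format
            tag, o1 = ptag & 0x3F, data[i]
            i += 1
            if o1 < 192:
                n = o1
            elif o1 < 224:
                n, i = ((o1 - 192) << 8) + data[i] + 192, i + 1
            elif o1 == 255:
                n, i = struct.unpack(">I", data[i:i + 4])[0], i + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                             # old format
            tag, ltype = (ptag >> 2) & 0x0F, ptag & 3
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            width = (1, 2, 4)[ltype]
            n, i = int.from_bytes(data[i:i + width], "big"), i + width
        if i + n > len(data):
            raise ValueError("truncated packet at offset %d" % start)
        packets.append((tag, data[i:i + n], start, i + n))
        i += n
    return packets


def mpi(value: bytes) -> bytes:
    """Multiprecision integer: two-octet bit count, then the magnitude."""
    return int.from_bytes(value, "big").bit_length().to_bytes(2, "big") + value


def pkesk_body(key_id: bytes, pk_algo: int, encrypted_session_key: bytes) -> bytes:
    """Version 3 PKESK: version, 8-octet key ID, public-key algorithm, MPI(s)."""
    if len(key_id) != 8:
        raise ValueError("key ID must be 8 octets")
    return b"\x03" + key_id + bytes([pk_algo]) + encrypted_session_key


def recipients(message: bytes) -> List[str]:
    """Key IDs (upper-case hex) of every PKESK in the message."""
    return [body[1:9].hex().upper()
            for tag, body, _, _ in decode_packets(message) if tag == PKESK]


def _data_packet(message: bytes) -> Packet:
    packets = decode_packets(message)
    if not packets or packets[-1][0] != SEIPD:
        raise ValueError("expected an encrypted data packet last")
    return packets[-1]


def add_recipient(message: bytes, new_pkesk: bytes) -> bytes:
    """Insert one more PKESK directly before the data packet; every octet
    of the data packet is copied through unchanged."""
    _, _, start, _ = _data_packet(message)
    return message[:start] + encode_packet(PKESK, new_pkesk) + message[start:]


def drop_recipient(message: bytes, key_id: bytes) -> bytes:
    """Remove the PKESK addressed to key_id (the wrong key in Dominik's case)."""
    _data_packet(message)                                 # validate layout
    return b"".join(message[s:e] for tag, body, s, e in decode_packets(message)
                    if not (tag == PKESK and body[1:9] == key_id))


def constructed_message() -> bytes:
    """Constructed sample, not gpg output: a 10000-octet dummy ciphertext
    addressed to the wrong key 0123456789ABCDEF."""
    wrong = pkesk_body(bytes.fromhex("0123456789ABCDEF"), 1, mpi(bytes(range(1, 33))))
    data = b"\x01" + bytes((i * 7) & 0xFF for i in range(10000))   # SEIPD v1 + dummy
    return encode_packet(PKESK, wrong) + encode_packet(SEIPD, data)


if __name__ == "__main__":
    msg = constructed_message()
    right = pkesk_body(bytes.fromhex("FEDCBA9876543210"), 1, mpi(bytes(range(33, 65))))
    fixed = drop_recipient(add_recipient(msg, right), bytes.fromhex("0123456789ABCDEF"))
    print("before:", recipients(msg), len(msg), "octets")
    print("after: ", recipients(fixed), len(fixed), "octets")
```

Two things worth noticing when running it: the rewritten message differs from the original only by one ~50-octet PKESK, whatever the size of the data packet, and dropping the wrong recipient's PKESK does not protect the copy that was already sent; anyone holding the wrong key and the original bytes can still decrypt that one.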
From: jharris at widomaker.com (Jason Harris) Date: Sun Mar 20 22:46:47 2005 Subject: new (2005-03-20) keyanalyze results (+sigcheck) Message-ID: <20050320215025.GQ9105@wilma.widomaker.com> New keyanalyze results are available at: http://keyserver.kjsl.com/~jharris/ka/2005-03-20/ Signatures are now being checked using keyanalyze+sigcheck: http://dtype.org/~aaronl/ Earlier reports are also available, for comparison: http://keyserver.kjsl.com/~jharris/ka/ Even earlier monthly reports are at: http://dtype.org/keyanalyze/ SHA-1 hashes and sizes for all the "permanent" files: b2ba9fecbd934e52d67d3d81a23dd9da6718fac4 11576574 preprocess.keys 9a590e993fc9e895a1163b2ecf7bd1148e1c90ea 7242096 othersets.txt ceaec59cfe986016da9dec3f6025acbe48868bc1 2914752 msd-sorted.txt ee7513d6673185c48dd654a1e8e683b1f7c8788f 1450 index.html f7281da5ae4f56206cf3184cede0d8687cac49fc 2290 keyring_stats 9c5abffda69062a8192495639714e22e457eda7b 1146477 msd-sorted.txt.bz2 d6a10ad99761a44105cded92329e833595e573b9 26 other.txt 67abb27242c1c82765b0f864d479a9ce4305def6 1561771 othersets.txt.bz2 958e30f623687064ff754d7b1b9a7e55598d0d2e 4679747 preprocess.keys.bz2 c0c789413e541cd811686a63ef5535e7afdb7e8c 11697 status.txt 46c21a4f7e57ef2bf112d4060a8059a47af1ac21 211548 top1000table.html e6dd66ed046af2f9691f76cf18681bb7fa6cb04f 30370 top1000table.html.gz 685af96a26caccceef5d0c9566d6be2fa288acc4 10954 top50table.html 5c35baeb21edf9953a8518b4f5a8c3b70c0f6b7f 2409 D3/D39DA0E3 -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20050320/00b6c4c3/attachment.pgp From list at rachinsky.de Sun Mar 20 23:32:06 2005 
From: list at rachinsky.de (Nicolas Rachinsky) Date: Sun Mar 20 23:28:09 2005 Subject: Retaining expired sigs In-Reply-To: <20050320183704.GA4697@jabberwocky.com> References: <20050318190646.GK9105@wilma.widomaker.com> <20050318193733.GC28913@jabberwocky.com> <20050319052254.GL9105@wilma.widomaker.com> <20050319062413.GC7109@jabberwocky.com> <20050319170244.GM9105@wilma.widomaker.com> <20050319192607.GE7109@jabberwocky.com> <20050319202532.GN9105@wilma.widomaker.com> <20050320033547.GG7109@jabberwocky.com> <20050320171841.GO9105@wilma.widomaker.com> <20050320183704.GA4697@jabberwocky.com> Message-ID: <20050320223206.GA92954@pc5.i.0x5.de> * David Shaw [2005-03-20 13:37 -0500]: > Seriously, think about it: > > non-revocable sig 1-Jan-2000 > expiring sig 2-Jan-2000 (expires 10-Jan-2000). > > Now, say it's January 3rd. According to what you want, the signature > that gets used is the 2-Jan-2000. Then, suddenly, on 10-Jan-2000, > when that signature expires, the 1-Jan-2000 signature is used. > > End result: there is always a signature. > > According to what actually happens, the signature that is used is > 1-Jan-2000. > > End result: there is always a signature. > > I suggest that if it bothers you all that much, you pretend that it's > doing what you want. It's not like there is a way to tell the > difference. What about different Levels (sig1..sig3) of signatures? If the first one is sig3 and the second one sig1 and min-cert-level>1 there would be a difference. Nicolas From sean at tcob1.net Mon Mar 21 00:13:03 2005 From: sean at tcob1.net (Sean Rima) Date: Mon Mar 21 00:49:12 2005 Subject: Plugin for Outlook 2003 Message-ID: Is there a better plugin than the GPA plugin for OL 2003? Sean _____ avast! Antivirus : Outbound message clean. Virus Database (VPS): 0511-1, 17/03/2005 Tested on: 20/03/2005 23:13:03 avast! - copyright (c) 1988-2005 ALWIL Software. From dshaw at jabberwocky.com Mon Mar 21 02:33:35 2005 
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon Mar 21 02:30:19 2005
Subject: Retaining expired sigs
In-Reply-To: <20050320201044.GP9105@wilma.widomaker.com>
References: <20050318182339.GB28913@jabberwocky.com> <20050318190646.GK9105@wilma.widomaker.com> <20050318193733.GC28913@jabberwocky.com> <20050319052254.GL9105@wilma.widomaker.com> <20050319062413.GC7109@jabberwocky.com> <20050319170244.GM9105@wilma.widomaker.com> <20050319192607.GE7109@jabberwocky.com> <20050319202532.GN9105@wilma.widomaker.com> <20050320033547.GG7109@jabberwocky.com> <20050320201044.GP9105@wilma.widomaker.com>
Message-ID: <20050321013335.GC4697@jabberwocky.com>

On Sun, Mar 20, 2005 at 03:10:44PM -0500, Jason Harris wrote:
> > Seriously, think about it:
> >
> > non-revocable sig 1-Jan-2000
> > expiring sig 2-Jan-2000 (expires 10-Jan-2000).
> >
> > Now, say it's January 3rd. According to what you want, the signature
> > that gets used is the 2-Jan-2000. Then, suddenly, on 10-Jan-2000,
> > when that signature expires, the 1-Jan-2000 signature is used.
>
> (Yes, I continue to advocate this (superseding of non-revocable sigs).)
>
> > End result: there is always a signature.
> >
> > According to what actually happens, the signature that is used is
> > 1-Jan-2000.
> >
> > End result: there is always a signature.
>
> There is only ever one signature (that GPG uses): the 1-Jan-2000
> signature, correct?
>
> > I suggest that if it bothers you all that much, you pretend that it's
> > doing what you want. It's not like there is a way to tell the
> > difference.
>
> I can imagine scenarios where there would be a difference, regardless
> of how useful others may consider them in practice. For example, I
> issue a non-revocable 0x12 sig. Later, I want to upgrade it to a
> 0x13 sig. (revocable or non-revocable). IIUC, GPG will always use
> the non-revocable 0x12 sig., correct?
>
> If so, I think we're communicating just fine, but have a difference of
> opinion over this issue.

Ok, I see where you're coming from. You are correct: I do feel that a non-revocable signature must be a non-revocable + non-supersedable signature.

I feel it really needs to be this way to fulfil the spirit as well as the letter of the standard. There is little point to a non-revocable signature (described as "They represent a commitment by the signer that he cannot revoke his signature for the life of his key." in the spec) if that signature can be effectively revoked by superseding it with an unusable signature (say, one with an unusable hash algorithm).

The nice thing (in terms of the 0x12/0x13 question) is that it doesn't matter: GPG doesn't interpret 0x12 any differently than 0x13. Thus (from the earlier example), it genuinely makes no difference if the 1-Jan-2000 signature is 0x12 and the 2-Jan-2000 signature is 0x13. So long as GPG interprets either of those as a signature with no qualifications, then there is no advantage or disadvantage to either signature being used. Either one is just "signature".

I'm aware that you want GPG to interpret 0x12 and 0x13 (and 0x11) differently, but that's already been discussed a number of times and will no doubt be discussed again. GPG doesn't do it today.

> > > BTW, what has your testing of other (OpenPGP(?)) encryption programs
> > > uncovered?
> >
> > Haven't checked yet. I don't know that it'll be terribly illuminating
> > on the subject of non-revocable sigs since so far as I know, GnuPG is
> > the only one that implements them (except for the usual use in
> > designated revokers). It might reveal something interesting about
> > expiring sigs though.
>
> OK.

I just checked PGP 8.1 and the results were interesting. When importing a sig+expired sig set, PGP does what we ended up with: it strips the sig and leaves the expired sig. When importing a non-revoke-sig + revoked sig set, PGP doesn't strip anything, but does ignore the non-revokable sig (it isn't even visible in the GUI).
David From dshaw at jabberwocky.com Mon Mar 21 02:36:09 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Mar 21 02:32:47 2005 Subject: Retaining expired sigs In-Reply-To: <20050320223206.GA92954@pc5.i.0x5.de> References: <20050318193733.GC28913@jabberwocky.com> <20050319052254.GL9105@wilma.widomaker.com> <20050319062413.GC7109@jabberwocky.com> <20050319170244.GM9105@wilma.widomaker.com> <20050319192607.GE7109@jabberwocky.com> <20050319202532.GN9105@wilma.widomaker.com> <20050320033547.GG7109@jabberwocky.com> <20050320171841.GO9105@wilma.widomaker.com> <20050320183704.GA4697@jabberwocky.com> <20050320223206.GA92954@pc5.i.0x5.de> Message-ID: <20050321013609.GA5338@jabberwocky.com> On Sun, Mar 20, 2005 at 11:32:06PM +0100, Nicolas Rachinsky wrote: > * David Shaw [2005-03-20 13:37 -0500]: > > Seriously, think about it: > > > > non-revocable sig 1-Jan-2000 > > expiring sig 2-Jan-2000 (expires 10-Jan-2000). > > > > Now, say it's January 3rd. According to what you want, the signature > > that gets used is the 2-Jan-2000. Then, suddenly, on 10-Jan-2000, > > when that signature expires, the 1-Jan-2000 signature is used. > > > > End result: there is always a signature. > > > > According to what actually happens, the signature that is used is > > 1-Jan-2000. > > > > End result: there is always a signature. > > > > I suggest that if it bothers you all that much, you pretend that it's > > doing what you want. It's not like there is a way to tell the > > difference. > > What about different Levels (sig1..sig3) of signatures? If the first > one is sig3 and the second one sig1 and min-cert-level>1 there would > be a difference. Yes, this is exactly why I don't want to do what Jason suggested. That would imply allowing a sig1 (which is ignored) to override a non-revocable signature, implicitly "revoking" it. David From timemaster at sillydog.org Mon Mar 21 04:00:41 2005 
From: timemaster at sillydog.org (David Vallier)
Date: Mon Mar 21 04:58:00 2005
Subject: Possible bug with winpt-0.9.90rc1
Message-ID: <423E38D9.8030505@sillydog.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Recently I tried signing a file using winpt-0.9.90rc1 and right afterwards I get a "box" popping up saying what? with 2 5-6 digit numbers separated by a slash and what appears to be a progress bar below that, and winpt just sits there like it wants an input or something. I have waited for about 10 mins but the program just sits there and finally I have to "kill" the process.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)

iEYEARECAAYFAkI+ONkACgkQCT6ogSjnGK9vGACgpyQ/MB2UgXEpzbT3L9HsRxZH
ESAAn0KwQhZqDSJboCxnzo1jigahLkYi
=cCCa
-----END PGP SIGNATURE-----

From jharris at widomaker.com Mon Mar 21 05:07:50 2005
From: jharris at widomaker.com (Jason Harris)
Date: Mon Mar 21 05:04:01 2005
Subject: Retaining expired sigs
In-Reply-To: <20050321013335.GC4697@jabberwocky.com> <20050321013609.GA5338@jabberwocky.com>
References: <20050319052254.GL9105@wilma.widomaker.com> <20050319062413.GC7109@jabberwocky.com> <20050319170244.GM9105@wilma.widomaker.com> <20050319192607.GE7109@jabberwocky.com> <20050319202532.GN9105@wilma.widomaker.com> <20050320033547.GG7109@jabberwocky.com> <20050320171841.GO9105@wilma.widomaker.com> <20050320183704.GA4697@jabberwocky.com> <20050320223206.GA92954@pc5.i.0x5.de> <20050321013609.GA5338@jabberwocky.com>
Message-ID: <20050321040750.GA62772@wilma.widomaker.com>

On Sun, Mar 20, 2005 at 08:36:09PM -0500, David Shaw wrote:
> On Sun, Mar 20, 2005 at 11:32:06PM +0100, Nicolas Rachinsky wrote:
> > What about different Levels (sig1..sig3) of signatures? If the first
> > one is sig3 and the second one sig1 and min-cert-level>1 there would
> > be a difference.
>
> Yes, this is exactly why I don't want to do what Jason suggested.
> That would imply allowing a sig1 (which is ignored) to override a
> non-revocable signature, implicitly "revoking" it.

0x11 sigs are ignored by GPG by default, yes, but for users who set "--min-cert-level 0," 0x11 sigs are just as valid as all the others. In that case, they can't be construed as implicitly revoking sigs at other levels. Also, when "--min-cert-level 1" is in effect, I imagine GPG will discard all 0x11 sigs, whether revocable or non-revocable. In that case, a 0x11 sig. definitely can't even begin to implicitly revoke sigs at other levels.

On Sun, Mar 20, 2005 at 08:33:35PM -0500, David Shaw wrote:
> Ok, I see where you're coming from. You are correct: I do feel that a
> non-revocable signature must be a non-revocable + non-supersedable
> signature.

Noted.

> I feel it really needs to be this way to fulfil the spirit as well as
> the letter of the standard.
> There is little point to a non-revocable
> signature (described as "They represent a commitment by the signer
> that he cannot revoke his signature for the life of his key." in the
> spec) if that signature can be effectively revoked by superseding it
> with an unusable signature (say, one with an unusable hash algorithm).

Bad example. If a sig. can't be verified by the encryption client, it must be disregarded and therefore can't supersede any other sigs.

> The nice thing (in terms of the 0x12/0x13 question) is that it doesn't
> matter: GPG doesn't interpret 0x12 any differently than 0x13. Thus
> (from the earlier example), it genuinely makes no difference if the
> 1-Jan-2000 signature is 0x12 and the 2-Jan-2000 signature is 0x13. So
> long as GPG interprets either of those as a signature with no
> qualifications, then there is no advantage or disadvantage to either
> signature being used. Either one is just "signature".

Again, bad example. "--min-cert-level 2" (no matter how ridiculous you may personally find its use) will make GPG disregard 0x12 sigs.

I really don't think it is worth trying to protect against these scenarios. A user can simply remove any non-revocable sigs they don't want in their local keyring. This cannot be protected against and is certainly not an act of revocation by the issuers of non-revocable sigs. Lowering the sig. level initially set in a non-revocable sig. can never "revoke" that sig. either, IMO (as my past messages should have made clear), and even GPG's --min-cert-level doesn't create the conditions for this to happen (as explained above).

> I just checked PGP 8.1 and the results were interesting.
>
> When importing a sig+expired sig set, PGP does what we ended up with:
> it strips the sig and leaves the expired sig.

OK.

> When importing a non-revoke-sig + revoked sig set, PGP doesn't strip
> anything, but does ignore the non-revocable sig (it isn't even visible
> in the GUI).

Gah! PGP 8.1 allows non-revocable sigs to be revoked?!
--
Jason Harris           | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
          Got photons?   (TM), (C) 2004

From dshaw at jabberwocky.com Mon Mar 21 05:36:42 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon Mar 21 05:33:19 2005
Subject: Retaining expired sigs
In-Reply-To: <20050321040750.GA62772@wilma.widomaker.com>
References: <20050319062413.GC7109@jabberwocky.com> <20050319170244.GM9105@wilma.widomaker.com> <20050319192607.GE7109@jabberwocky.com> <20050319202532.GN9105@wilma.widomaker.com> <20050320033547.GG7109@jabberwocky.com> <20050320171841.GO9105@wilma.widomaker.com> <20050320183704.GA4697@jabberwocky.com> <20050320223206.GA92954@pc5.i.0x5.de> <20050321013609.GA5338@jabberwocky.com> <20050321040750.GA62772@wilma.widomaker.com>
Message-ID: <20050321043642.GD5338@jabberwocky.com>

On Sun, Mar 20, 2005 at 11:07:50PM -0500, Jason Harris wrote:
> I really don't think it is worth trying to protect against these
> scenarios. A user can simply remove any non-revocable sigs they
> don't want in their local keyring.

As soon as you posit a user who is going to edit their local keyring, there is nothing to discuss. Editing the keyring violates the trust "contract".

I don't think there is anything left to discuss. We've about reached the stage where I'm saying "10+2!" and you're saying, "Bad example! It's 6+6!"

> > When importing a non-revoke-sig + revoked sig set, PGP doesn't strip
> > anything, but does ignore the non-revocable sig (it isn't even visible
> > in the GUI).
>
> Gah! PGP 8.1 allows non-revocable sigs to be revoked?!

No. So far as I can tell in a not particularly rigorous 5-minute test, it ignores the non-revocable sig completely. It's as if the uid is unsigned. This is a safe way to ignore such a signature.

No idea what PGP 9 does. I haven't played with it yet.

PGP 7, incidentally, did allow non-revocable sigs to be revoked. Nice to see that was fixed.

David

From zuxy.meng at gmail.com Mon Mar 21 07:06:35 2005
From: zuxy.meng at gmail.com (Zuxy)
Date: Mon Mar 21 07:03:07 2005
Subject: Possible bug with winpt-0.9.90rc1
In-Reply-To: <423E38D9.8030505@sillydog.org>
References: <423E38D9.8030505@sillydog.org>
Message-ID:

On Sun, 20 Mar 2005 20:00:41 -0700, David Vallier wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Recently I tried signing a file using winpt-0.9.90rc1 and right
> afterwards I get a "box" popping up saying what? with 2 5-6 digit numbers
> separated by a slash and what appears to be a progress bar below that,
> and winpt just sits there like it wants an input or something. I have
> waited for about 10 mins but the program just sits there and finally I
> have to "kill" the process.

Did you use ask-sig-expire in your gpg.conf?

--
Zuxy
Beauty is truth,
While truth is beauty.
PGP KeyID: E8555ED6

From twoaday at freakmail.de Mon Mar 21 08:45:35 2005
From: twoaday at freakmail.de (Timo Schulz)
Date: Mon Mar 21 09:04:41 2005
Subject: Possible bug with winpt-0.9.90rc1
In-Reply-To: <423E38D9.8030505@sillydog.org>
References: <423E38D9.8030505@sillydog.org>
Message-ID: <20050321074535.GC335@daredevil.joesixpack.net>

On Sun Mar 20 2005; 20:00, David Vallier wrote:
> Recently I tried signing a file using winpt-0.9.90rc1 and right
> afterwards I get a "box" popping up saying what? with 2 5-6 digit numbers
> separated by a slash and what appears to be a progress bar below that,

Yes, this is a well-known problem on some systems. Get 0.9.90 (final) or 0.9.91-cvs from http://www.winpt.org. This version fixes the problem.

Timo

From linux at codehelp.co.uk Mon Mar 21 09:21:43 2005
From: linux at codehelp.co.uk (Neil Williams)
Date: Mon Mar 21 09:17:50 2005
Subject: new (2005-03-20) keyanalyze results (+sigcheck)
In-Reply-To: <20050320215025.GQ9105@wilma.widomaker.com>
References: <20050320215025.GQ9105@wilma.widomaker.com>
Message-ID: <200503210821.44649.linux@codehelp.co.uk>

On Sunday 20 March 2005 9:50 pm, Jason Harris wrote:
> New keyanalyze results are available at:
>
> http://keyserver.kjsl.com/~jharris/ka/2005-03-20/

Jason, I've been meaning to ask you this for ages. In the analysis report, at the very tail, I get:

13 hops: 2

Farthest keys (13 hops):
576E20E9 9A0BF27D
01000000 2A000000
http://keyserver.kjsl.com/~jharris/ka/2005-03-20/28/28BCB3E3

That 01000000 2A000000 line - what's that all about? It looks like debugging output to me, the 2 farthest keys are the line above.

--
Neil Williams
=============
http://www.dcglug.org.uk/
http://www.nosoftwarepatents.com/
http://sourceforge.net/projects/isbnsearch/
http://www.neil.williamsleesmill.me.uk/
http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3

From jerri at jerri.de Mon Mar 21 11:23:13 2005
From: jerri at jerri.de (Gerhard Siegesmund)
Date: Mon Mar 21 11:19:49 2005
Subject: gpg over ssh...
In-Reply-To: <20050320201719.70691.qmail@smasher.org>
References: <20050320090952.GB5389@base.jerri.home> <20050320201719.70691.qmail@smasher.org>
Message-ID: <20050321102312.GJ5389@base.jerri.home>

Hello Atom Smasher

> this seems to work for me:
> $ ssh atom@smasher.org 'cat file1' | gpg | ssh atom@smasher.org 'cat - > file2'
> note the quotes.
> it reads an encrypted file (file1) from the server, decrypts it locally
> and writes the decrypted data back to a file (file2) on the server.
> my secret key and password stay away from the server.

Almost. :-) But this is the other way round. I want to call gpg from the other server to decrypt something. I have the feeling that it is not possible to send something for decryption to another server. This would have been a great feature. Imagine signing your mails on another server by calling your gpg at home. :)

--
cu --== Jerri ==--
Homepage: http://www.jerri.de/
ICQ: 54160208
Public PGP Key: http://www.jerri.de/jerris_public_key.asc

From timemaster at sillydog.org Mon Mar 21 14:06:57 2005
From: timemaster at sillydog.org (David Vallier)
Date: Mon Mar 21 14:02:15 2005
Subject: Possible bug with winpt-0.9.90rc1
In-Reply-To:
References: <423E38D9.8030505@sillydog.org>
Message-ID: <423EC6F1.9070206@sillydog.org>

Zuxy wrote:
> On Sun, 20 Mar 2005 20:00:41 -0700, David Vallier wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Recently I tried signing a file using winpt-0.9.90rc1 and right
>> afterwards I get a "box" popping up saying what? with 2 5-6
>> digit numbers separated by a slash and what appears to be a
>> progress bar below that, and winpt just sits there like it wants
>> an input or something. I have waited for about 10 mins but the
>> program just sits there and finally I have to "kill" the process.
>
> Did you use ask-sig-expire in your gpg.conf?

No. From what I gather from the GPG manual that's basically for PGP2 compatibility, or am I misreading it?

From atom at smasher.org Mon Mar 21 16:27:53 2005
From: atom at smasher.org (Atom Smasher)
Date: Mon Mar 21 16:21:09 2005
Subject: gpg over ssh...
In-Reply-To: <20050321102312.GJ5389@base.jerri.home>
References: <20050320090952.GB5389@base.jerri.home> <20050320201719.70691.qmail@smasher.org> <20050321102312.GJ5389@base.jerri.home>
Message-ID: <20050321152442.62831.qmail@smasher.org>

On Mon, 21 Mar 2005, Gerhard Siegesmund wrote:
> Almost. :-) But this is the other way round. I want to call gpg from the
> other server to decrypt something. I have the feeling that it is not
> possible to send something for decryption to another server. This would
> have been a great feature. Imagine signing your mails on another server
> by calling your gpg at home. :)
===============

just shuffle around the commands and add some options/commands to the gpg command.

question: if you wouldn't want to store your secret key or type your password on the server, why would you want to authenticate from your server to your desktop? if your server is compromised, someone would be able to steal your password for your desktop and secret key, then log into your desktop and steal your secret key. the only way to avoid that is by logging in to your desktop using one time passwords. what you're trying to do seems to offer little advantage over using gpg locally on the server.

--
        ...atom

 _________________________________________
 PGP key - http://atom.smasher.org/pgp.txt
 762A 3B98 A3C3 96C9 C6B7  582A B88D 52E4 D9F5 7808
 -------------------------------------------------

	"The conservation movement is a breeding ground of Communists
	 and other subversives. We intend to clean them out, even if
	 it means rounding up every bird watcher in the country."
		-- John Mitchell, US Atty. General 1969-1972

From dshaw at jabberwocky.com Mon Mar 21 17:37:50 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon Mar 21 17:34:25 2005
Subject: Question about ultimate trust
In-Reply-To:
References:
Message-ID: <20050321163750.GD22278@jabberwocky.com>

On Sun, Mar 20, 2005 at 01:12:33PM +0800, Zuxy wrote:
> Hi List,
>
> Not until recently did I notice that I can trust any key ultimately,
> even those without secret part. Isn't ultimate trust expected to be
> assigned exclusively to my own keys?

Not necessarily. You can set ultimate trust to any key you want to allow to make trust decisions for you - for example, if you work at a company with a corporate signing key.

> And what's the difference between ultimate and complete trust when
> calculating keys' validity?

They're similar, but ultimate trust has more power. Think of ultimate trust as combining complete trust, plus automatically making the key fully valid, plus bypassing any restrictions on how many completely trusted sigs make a key valid - any key signed by an ultimately trusted key is always valid.

David

From jharris at widomaker.com Mon Mar 21 19:41:46 2005
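The validity computation that David's answer above describes, as an added, constructed model (this is not GnuPG's code and not a reading of its source). The rule that a certification from an ultimately trusted key makes a key valid regardless of the completes/marginals counts is taken from the answer; the defaults completes_needed=1, marginals_needed=3 and max_cert_depth=5 are GnuPG's documented option defaults; the depth bookkeeping and the corporate scenario (key names "corp", "alice", etc.) are assumptions made for the illustration.

```python
"""Constructed model of the classic web-of-trust validity computation that
David's answer describes.  Added example, not GnuPG code; the defaults
completes_needed=1, marginals_needed=3, max_cert_depth=5 are GnuPG's
documented defaults, the "ultimate bypasses the count" rule is taken from
the answer above, and the depth bookkeeping is a simplification."""
from typing import Dict, Set

ULTIMATE, FULL, MARGINAL, NONE = "ultimate", "full", "marginal", "none"


def compute_validity(ownertrust: Dict[str, str], certs: Dict[str, Set[str]],
                     completes_needed: int = 1, marginals_needed: int = 3,
                     max_cert_depth: int = 5) -> Dict[str, int]:
    """Return {key: depth} for every key that becomes fully valid.

    ownertrust: how far each key's *owner* is trusted to certify others
                (keys missing from the map are treated as NONE).
    certs:      key -> set of keys that have certified it.

    A key is valid when
      - its owner is ultimately trusted (valid by fiat, depth 0), or
      - a valid, ultimately trusted key certified it (no counting at all), or
      - at least completes_needed valid fully trusted keys certified it, or
      - at least marginals_needed valid marginally trusted keys certified it,
    and a certifier only counts while it sits within max_cert_depth of an
    ultimate key.  Iterate to a fixed point because validity of one key
    can unlock validity of the keys it certified.
    """
    valid = {k: 0 for k, t in ownertrust.items() if t == ULTIMATE}
    changed = True
    while changed:
        changed = False
        for key, signers in certs.items():
            if key in valid:
                continue
            usable = [s for s in signers
                      if s in valid and valid[s] < max_cert_depth]
            if not usable:
                continue
            trust_of = [ownertrust.get(s, NONE) for s in usable]
            ok = (ULTIMATE in trust_of
                  or trust_of.count(FULL) >= completes_needed
                  or trust_of.count(MARGINAL) >= marginals_needed)
            if ok:
                valid[key] = 1 + min(valid[s] for s in usable)
                changed = True
    return valid


# Constructed corporate scenario (hypothetical key names): "corp" is the
# company signing key that the user has marked ultimately trusted, as in
# David's example.
SAMPLE_OWNERTRUST = {"corp": ULTIMATE, "alice": FULL,
                     "m1": MARGINAL, "m2": MARGINAL, "m3": MARGINAL}
SAMPLE_CERTS = {
    "alice": {"corp"}, "carol": {"corp"},            # certified by the ultimate key
    "m1": {"corp"}, "m2": {"corp"}, "m3": {"corp"},
    "bob": {"alice"},                                # one fully trusted certifier
    "dave": {"m1", "m2", "m3"},                      # three marginal certifiers
    "eve": {"m1"},                                   # one marginal: not enough
}

if __name__ == "__main__":
    print("defaults:          ", compute_validity(SAMPLE_OWNERTRUST, SAMPLE_CERTS))
    # Raising completes_needed drops bob (one full certifier) but not carol,
    # because carol's certifier is ultimate and bypasses the count.
    print("completes_needed=2:", compute_validity(SAMPLE_OWNERTRUST, SAMPLE_CERTS,
                                                  completes_needed=2))
```

Running it with completes_needed=2 is the quickest way to see the difference David is pointing at: "bob", vouched for by a single fully trusted key, drops out, while "carol", vouched for by the ultimately trusted corporate key, stays valid whatever the counters say.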
From: jharris at widomaker.com (Jason Harris)
Date: Mon Mar 21 19:38:01 2005
Subject: Retaining expired sigs
In-Reply-To: <20050321043642.GD5338@jabberwocky.com>
References: <20050319170244.GM9105@wilma.widomaker.com> <20050319192607.GE7109@jabberwocky.com> <20050319202532.GN9105@wilma.widomaker.com> <20050320033547.GG7109@jabberwocky.com> <20050320171841.GO9105@wilma.widomaker.com> <20050320183704.GA4697@jabberwocky.com> <20050320223206.GA92954@pc5.i.0x5.de> <20050321013609.GA5338@jabberwocky.com> <20050321040750.GA62772@wilma.widomaker.com> <20050321043642.GD5338@jabberwocky.com>
Message-ID: <20050321184146.GR9105@wilma.widomaker.com>

On Sun, Mar 20, 2005 at 11:36:42PM -0500, David Shaw wrote:
> On Sun, Mar 20, 2005 at 11:07:50PM -0500, Jason Harris wrote:
> > I really don't think it is worth trying to protect against these
> > scenarios. A user can simply remove any non-revocable sigs they
> > don't want in their local keyring.
>
> As soon as you posit a user who is going to edit their local keyring,
> there is nothing to discuss. Editing the keyring violates the trust
> "contract".

It is no different than having all users (by default) ignore 0x11 sigs, or allowing them to also ignore 0x12 sigs. Using anything other than "--min-cert-level 0" is "editing the keyring," period.

> I don't think there is anything left to discuss. We've about reached
> the stage where I'm saying "10+2!" and you're saying, "Bad example!
> It's 6+6!"

I don't understand how you can fear people removing sigs so much. You have recently given users the opportunity to do it, and, worse, defaulted the feature to removing all 0x11 sigs, because _you_ _personally_ dislike 0x11 sigs. Yet, you argue for _days_ that people can't disregard non-revocable sigs, ever. (Then, you say it is "safe" when PGP 8.1 does it.)

What you seem to fail to understand is that people will always be able to decide which issuers and signatures they trust.
Whether they do this as GPG allows by managing their trustdb, whether they do this as GPG allows by manually removing sigs (as part of --edit-key), or whether they do this as GPG allows by using --min-cert-level makes no difference.

If you disagree that "people will always be able to decide which issuers and signatures they trust," then please make it _extremely_ clear in your reply. As you seem to have concluded, that fact takes precedence in my logic, and as I have concluded, it seems to take no precedence in yours.

> > > When importing a non-revoke-sig + revoked sig set, PGP doesn't strip
> > > anything, but does ignore the non-revocable sig (it isn't even visible
> > > in the GUI).
> >
> > Gah! PGP 8.1 allows non-revocable sigs to be revoked?!
>
> No. So far as I can tell in a not particularly rigorous 5-minute
> test, it ignores the non-revocable sig completely. It's as if the uid

You recently described this very behavior as (implicitly) revoking a non-revocable sig. _and_ said GPG should not do it - both of which I agree with.

--
Jason Harris           | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
          Got photons?   (TM), (C) 2004

From dshaw at jabberwocky.com Mon Mar 21 20:03:06 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon Mar 21 19:59:43 2005
Subject: Retaining expired sigs
In-Reply-To: <20050321184146.GR9105@wilma.widomaker.com>
References: <20050319192607.GE7109@jabberwocky.com> <20050319202532.GN9105@wilma.widomaker.com> <20050320033547.GG7109@jabberwocky.com> <20050320171841.GO9105@wilma.widomaker.com> <20050320183704.GA4697@jabberwocky.com> <20050320223206.GA92954@pc5.i.0x5.de> <20050321013609.GA5338@jabberwocky.com> <20050321040750.GA62772@wilma.widomaker.com> <20050321043642.GD5338@jabberwocky.com> <20050321184146.GR9105@wilma.widomaker.com>
Message-ID: <20050321190306.GA22598@jabberwocky.com>

On Mon, Mar 21, 2005 at 01:41:46PM -0500, Jason Harris wrote:
> As you seem to have concluded, that fact takes precedence in my
> logic, and as I have concluded, it seems to take no precedence in
> yours.

I can only conclude that we are talking completely past one another. You do seem to be very upset about all this, but I'm not detecting any more signal amidst the noise. I'm afraid I need to drop out of this thread as I'm not really sure what you are advocating, or why, or if you're just arguing to argue. I'm genuinely sorry you don't seem to be parsing what I'm saying, but there is nowhere else to go at this point.

If you have an actual change suggestion, I'd love to hear it. But I really do need:

1) What you think the current behavior is
2) What you want it to be
3) Why you feel this is better

David

From dshaw at jabberwocky.com Mon Mar 21 20:12:01 2005
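The "Retaining expired sigs" thread above argues about which of several certifications by one issuer on one user ID counts: David's non-revocable + expiring example, Nicolas' sig3/sig1 point, and Jason's --min-cert-level objection. What follows is an added, constructed model of those rules, not GnuPG's code and not a reading of its source: the "newest admissible certification wins, except that a non-revocable one is never superseded" rule is the behaviour as the thread describes it, encoded as an assumption, and the --min-cert-level semantics follow GnuPG's documentation for that option (certifications below level n are ignored, level 0 is always accepted, the default n is 2). The Cert class, the function names and the dates are all constructed for the illustration.

```python
"""Constructed model of how competing certifications on one user ID are
resolved, as described in the "Retaining expired sigs" thread.  Not GnuPG
code: it encodes the rules the thread states, nothing more."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# OpenPGP certification classes (RFC 2440 section 5.2.1): 0x10 generic,
# 0x11 persona, 0x12 casual, 0x13 positive.  The "level" is the low nibble.
GENERIC_CERT, PERSONA_CERT, CASUAL_CERT, POSITIVE_CERT = 0x10, 0x11, 0x12, 0x13


@dataclass
class Cert:
    """One certification by one issuer over one user ID (constructed model)."""
    sig_class: int                     # 0x10 .. 0x13
    created: date
    expires: Optional[date] = None     # None: never expires
    revocable: bool = True             # False: issued with the "non-revocable" flag
    revoked: bool = False              # issuer later published a revocation for it

    @property
    def level(self) -> int:
        return self.sig_class - 0x10

    def expired_on(self, today: date) -> bool:
        return self.expires is not None and today >= self.expires


def admissible(cert: Cert, min_cert_level: int = 2) -> bool:
    """Filters applied before any "newest wins" comparison.

    --min-cert-level as documented for GnuPG: certifications below level n
    are treated as invalid, level 0 is always accepted, and the default n
    of 2 is what makes 0x11 sigs ignored by default.  A revocation only
    has effect against a revocable certification.
    """
    if cert.level != 0 and cert.level < min_cert_level:
        return False
    if cert.revoked and cert.revocable:
        return False
    return True


def effective_cert(certs: List[Cert], today: date,
                   min_cert_level: int = 2) -> Tuple[Optional[Cert], bool]:
    """Return (chosen certification or None, whether it is currently valid).

    Rules as the thread describes them (assumption: this is the thread's
    account, not a reading of GnuPG's source):
      1. inadmissible certs are dropped first, so an ignored 0x11 can never
         supersede, and thereby implicitly revoke, anything;
      2. a non-revocable cert is never superseded by a later one;
      3. otherwise the newest remaining cert wins even if it has since
         expired, which is why "sig + expired sig" ends up with only the
         expired sig and therefore no usable certification.
    """
    candidates = [c for c in certs if admissible(c, min_cert_level)]
    if not candidates:
        return None, False
    irrevocable = [c for c in candidates if not c.revocable]
    pool = irrevocable or candidates
    chosen = max(pool, key=lambda c: c.created)
    return chosen, not chosen.expired_on(today)


def pick(certs: List[Cert], today_iso: str, min_cert_level: int = 2):
    """Convenience wrapper: (ISO date of the chosen cert or None, currently valid)."""
    chosen, valid = effective_cert(certs, date.fromisoformat(today_iso), min_cert_level)
    return (chosen.created.isoformat() if chosen else None), valid


# The thread's scenarios, constructed from the dates quoted in it.
DAVIDS_EXAMPLE = [                      # non-revocable sig, then an expiring sig
    Cert(POSITIVE_CERT, date(2000, 1, 1), revocable=False),
    Cert(POSITIVE_CERT, date(2000, 1, 2), expires=date(2000, 1, 10)),
]
SIG_PLUS_EXPIRED = [                    # both revocable: the newer one supersedes
    Cert(POSITIVE_CERT, date(2000, 1, 1)),
    Cert(POSITIVE_CERT, date(2000, 1, 2), expires=date(2000, 1, 10)),
]
NICOLAS_EXAMPLE = [                     # sig3 non-revocable first, sig1 second
    Cert(POSITIVE_CERT, date(2000, 1, 1), revocable=False),
    Cert(PERSONA_CERT, date(2000, 1, 2)),
]
REVOKED_ONLY = [Cert(POSITIVE_CERT, date(2000, 1, 1), revoked=True)]

if __name__ == "__main__":
    for name, certs in [("David", DAVIDS_EXAMPLE), ("sig+expired", SIG_PLUS_EXPIRED),
                        ("Nicolas", NICOLAS_EXAMPLE), ("revoked", REVOKED_ONLY)]:
        for day in ("2000-01-03", "2000-01-11"):
            print(f"{name:12s} on {day}: {pick(certs, day)}")
```

The model makes David's "there is always a signature" point visible: for DAVIDS_EXAMPLE the 1-Jan non-revocable certification is chosen on both the 3rd and the 11th, whereas for SIG_PLUS_EXPIRED the 2-Jan certification supersedes the 1-Jan one and, once it expires, leaves nothing usable. In NICOLAS_EXAMPLE the 0x11 certification is filtered out under the default level before it can supersede anything, which is the ordering Jason insists on.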
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon Mar 21 20:08:36 2005
Subject: Libcurl (was Re: [Announce] GnuPG 1.4.1 released)
In-Reply-To:
References: <873buw7svj.fsf__45501.6475906179$1110907615$gmane$org@wheatstone.g10code.de> <20050318154858.GB28771__4233.31979332051$1111161487$gmane$org@jabberwocky.com> <20050318172302.GA28913__41139.6839227111$1111166904$gmane$org@jabberwocky.com>
Message-ID: <20050321191201.GB22598@jabberwocky.com>

On Sun, Mar 20, 2005 at 04:18:35PM +0100, Carlo Luciano Bianco wrote:
> 1) It seems that, when running a subprocess like a gpgkeys_*.exe, gpg.exe
> does not pass it the environment variables. Most notably, it does not pass
> the system %PATH%. Both gpg.exe and gpgkeys_*.exe depend on many dlls
> (zlib, bzip2, libiconv, libintl, etc.) which I keep in a separate folder
> under "Common files" because they are used also by many other programs I
> have (e.g. GIMP, gnuplot, etc.). Of course, this folder is in the system
> %PATH% and gpg.exe has no problems in finding the dlls it needs. But if I
> try to retrieve a key from a keyserver (no matter what protocol), gpg.exe
> tries to run the relevant gpgkeys_*.exe which returns an error saying that
> some dlls are missing. If I copy the dlls in the gnupg folder everything
> works.

That's odd. The only thing that jumps to mind is: are you building with the configure option "--disable-keyserver-path" or using the GPG option "exec-path"?

> 2) gpgkeys_hkp.exe, gpgkeys_finger.exe and gpgkeys_ldap.exe seem to work
> OK (provided the dlls are found), but gpgkeys_curl.exe does not run at
> all. As soon as it is started by gpg.exe, it crashes (and DrWatson comes
> out) even before trying to connect to the net (my firewall does not see
> any connection). I tried many times, but always with the same result: a
> crash. I have checked the temporary file gpg.exe uses to pass commands to
> gpgkeys_curl.exe, but it seems OK to me...

Can you try running gpgkeys_curl.exe under gdb?
Just run it with the temporary file you already got as the only command line argument. It would be very useful to see where it is failing.

I've gotten a number of successful reports of gpgkeys_curl on Unix-ish machines, but has anyone had success with MinGW?

David

From DGRIMES at scvl.com Mon Mar 21 20:28:30 2005
From: DGRIMES at scvl.com (Grimes, Dean)
Date: Mon Mar 21 20:25:01 2005
Subject: Multiple Subkeys/UIDs
Message-ID: <59D747A62703354193CA17350FC3F7D9136A91@telstar.scvl.com>

I have been searching the mail archives for a while but have not yet found any discussion related to the situation I have. I'm new to GnuPG and data encryption in general so if some of my ideas or thoughts go completely against common sense then..... Anyway here is my situation.

I have about 300 remote locations totaling around 500 servers out in the field. There are several data files that we collect on a daily basis that, even though we are dialup to these locations, we want to begin encrypting for transfer and storage. All of these files come back to a central location where they will need to be decrypted for processing and the encrypted file placed in a storage location. All of this must happen in an automated scripted environment. This much I've figured out how to do.

We also have a support department that will from time to time need to decrypt one or more of these files in order to track down problems or answer questions related to the data in the files. What I was hoping to be able to do was create encrypt only keys at the remote locations and all locations would use these keys for encrypting their data. My problem is having to give the support department the master keys to decrypt the data. This isn't a problem until someone leaves the company.

What I would like to do is to assign a key to a specific user that they would use to decrypt a file by. It would have a unique pass phrase associated with it that only that user would know. This would be generated by the Operations department and assigned to the user. The user would be able to decrypt only the files that were encrypted with a particular key. Multiple users would be able to decrypt a single file using their assigned decryption key and pass phrase.
If a user leaves the company their key would be revoked/deleted but they would never have had access to the master key. All of the other users would still be able to use the keys that were assigned to them.

Is this possible to do with GnuPG? Is it wise to do something like this? Is there anyone else besides me who has this situation or one similar? If so, how did you/they solve the problem? Any help would be greatly appreciated.

Thanks,

Dean

From dshaw at jabberwocky.com Mon Mar 21 20:40:23 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon Mar 21 20:37:05 2005
Subject: Multiple Subkeys/UIDs
In-Reply-To: <59D747A62703354193CA17350FC3F7D9136A91@telstar.scvl.com>
References: <59D747A62703354193CA17350FC3F7D9136A91@telstar.scvl.com>
Message-ID: <20050321194023.GA22697@jabberwocky.com>

On Mon, Mar 21, 2005 at 01:28:30PM -0600, Grimes, Dean wrote:
> Is this possible to do with GnuPG? Is it wise to do something like this? Is
> there anyone else besides me who has this situation or one similar? If so,
> how did you/they solve the problem? Any help would be greatly appreciated.

There seem to be a few ways to accomplish what you want to do here. Can I get a little more information before I comment?

You mention that all data enters the central location encrypted, but is then decrypted ("for processing") and then re-encrypted. Do I understand that correctly?

Also: once a file is archived, is it still writable? That is, is it permissible to go back and edit this file to remove a particular key from it?

David

From dshaw at jabberwocky.com Mon Mar 21 20:51:49 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon Mar 21 20:48:27 2005
Subject: 1.4.0a won't retrieve key from keyserver?
In-Reply-To: <423851A3.5030604@jason.markley.name>
References: <41E30E4B.5070109@jason.markley.name> <20050111030612.GA28753@jabberwocky.com> <41E3CCB9.2030803@jason.markley.name> <20050111160757.GC6496@jabberwocky.com> <423851A3.5030604@jason.markley.name>
Message-ID: <20050321195149.GB22697@jabberwocky.com>

On Wed, Mar 16, 2005 at 10:32:51AM -0500, Jason Markley wrote:
> David,
>
> Sorry to bring this back up when it's supposed to be fixed, but with
> 1.4.1 I'm still having the same issue as before. Do you know what bug #
> it was specifically that was 'fixed'? Thanks.

I'm not sure if it ever made it into the bug tracker. The issue, if I recall correctly, was a line ending problem. Unix-ish machines use \n (LF) at the end of a line, W32 uses \r\n (CRLF). The W32 libraries, unless told otherwise, automatically transform LF into CRLF on the way out. We were ending up in some cases with data coming in from a keyserver that was already CRLF, and W32 was happily transforming that to CRCRLF, which GPG didn't handle.

Can someone else on W32 confirm if this works for them? Possibly the problem is something else this time.

Hmm - do you have --openpgp set in your gpg.conf file?

David

From jharris at widomaker.com Mon Mar 21 20:08:04 2005
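The CRLF-to-CRCRLF failure David describes above is a good case for normalising line endings before an armor parser ever sees the data. The following is an added example, not GnuPG's code: it counts the line-ending styles present (so a doubled translation is visible), collapses any run of CRs before an LF, and refuses to hand over an armored block if a stray CR survived. The sample response is constructed for the illustration; its body is placeholder text and not a real key.

```python
"""Defensive handling of the CRLF / CRCRLF keyserver response problem David
describes.  Added example, not GnuPG code: it shows how to detect doubled
line-ending translation and normalise the data before parsing an armored
block.  The sample response below is constructed; its body is placeholder
text, not a real key."""
import re
from typing import Dict, List

_CR_RUN_BEFORE_LF = re.compile(rb"\r+\n")   # CRLF, CRCRLF, ... -> LF
_LONE_CR = re.compile(rb"\r(?!\n)")         # bare CR -> LF


def ending_styles(data: bytes) -> Dict[str, int]:
    """Count how each line in `data` is terminated, to spot a doubled translation."""
    counts = {"LF": 0, "CRLF": 0, "CR+CRLF": 0}
    for m in re.finditer(rb"\r*\n", data):
        crs = len(m.group()) - 1
        counts["LF" if crs == 0 else "CRLF" if crs == 1 else "CR+CRLF"] += 1
    return counts


def normalize_newlines(data: bytes) -> bytes:
    """Collapse any run of CRs before LF (and bare CRs) to a single LF."""
    return _LONE_CR.sub(b"\n", _CR_RUN_BEFORE_LF.sub(b"\n", data))


def extract_armor(data: bytes) -> List[bytes]:
    """Return the lines of the first ASCII-armored block, normalised.

    Raises ValueError if no block is found or a CR survived, so a caller
    never feeds CRCRLF-mangled lines to the armor parser.
    """
    lines = normalize_newlines(data).split(b"\n")
    starts = [i for i, l in enumerate(lines) if l.startswith(b"-----BEGIN PGP ")]
    ends = [i for i, l in enumerate(lines) if l.startswith(b"-----END PGP ")]
    if not starts or not ends or ends[0] < starts[0]:
        raise ValueError("no armored block found")
    block = lines[starts[0]:ends[0] + 1]
    if any(b"\r" in l for l in block):
        raise ValueError("stray CR survived normalisation")
    return block


# Constructed: what a CRLF response looks like after the C runtime has
# translated its LFs to CRLF a second time.  Not a real key.
SAMPLE_CRCRLF = (
    b"-----BEGIN PGP PUBLIC KEY BLOCK-----\r\r\n"
    b"Version: constructed example\r\r\n"
    b"\r\r\n"
    b"bm90IGEgcmVhbCBrZXk=\r\r\n"
    b"=AAAA\r\r\n"
    b"-----END PGP PUBLIC KEY BLOCK-----\r\r\n"
)

if __name__ == "__main__":
    print(ending_styles(SAMPLE_CRCRLF))   # {'LF': 0, 'CRLF': 0, 'CR+CRLF': 6}
    for line in extract_armor(SAMPLE_CRCRLF):
        print(line)
```

The important habit on W32 is to read the network data in binary mode so the runtime performs no translation at all, and then to normalise explicitly as above; counting the styles first gives a one-line diagnostic when a report like Jason's comes in.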
From: jharris at widomaker.com (Jason Harris)
Date: Mon Mar 21 21:13:40 2005
Subject: new (2005-03-20) keyanalyze results (+sigcheck)
In-Reply-To: <200503210821.44649.linux@codehelp.co.uk>
References: <20050320215025.GQ9105@wilma.widomaker.com> <200503210821.44649.linux@codehelp.co.uk>
Message-ID: <20050321190804.GS9105@wilma.widomaker.com>

On Mon, Mar 21, 2005 at 08:21:43AM +0000, Neil Williams wrote:
> On Sunday 20 March 2005 9:50 pm, Jason Harris wrote:
> > New keyanalyze results are available at:
> >
> > http://keyserver.kjsl.com/~jharris/ka/2005-03-20/
>
> Jason, I've been meaning to ask you this for ages. In the analysis report, at
> the very tail, I get:
>
> 13 hops: 2
>
> Farthest keys (13 hops):
> 576E20E9 9A0BF27D
> 01000000 2A000000
> http://keyserver.kjsl.com/~jharris/ka/2005-03-20/28/28BCB3E3
>
> That 01000000 2A000000 line - what's that all about? It looks like debugging
> output to me, the 2 farthest keys are the line above.

(Short answer: There is only 1 (long) keyid per line.)

In that file:

%esha1sum 28BCB3E3
6ca95ff434ed076b9f8a86ba130813f1409603e4 1894 28BCB3E3

0x010000002A000000 is the second of the farthest 2 keys:

%tail -3 28BCB3E3
Farthest keys (13 hops):
576E20E9 9A0BF27D
01000000 2A000000

and is an actual key:

%gpg --recv 0x010000002A000000
gpg: requesting key 2A000000 from hkp server keyserver.kjsl.com
Host: keyserver.kjsl.com
Command: GET
gpgkeys: HTTP URL is `hkp://keyserver.kjsl.com/pks/lookup?op=get&options=mr&search=0x2A000000'
gpg: key 2A000000: accepted non self-signed user ID "Trustcenter_EU "
gpg: key 2A000000: public key "Trustcenter_EU " imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

%gpg -kc 0x010000002A000000
pub  1024R/2A000000 1997-07-16
     Key fingerprint = E3 FE D7 2E E3 57 99 0A  3F 2C 72 5E 9B 50 F4 C5
uid                  Trustcenter_EU

See also:
http://www.dtype.org/pipermail/keyanalyze-discuss/
http://www.dtype.org/keyanalyze/

--
Jason Harris           | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
          Got photons?   (TM), (C) 2004

From kfitzner at excelcia.org Mon Mar 21 23:18:45 2005
From: kfitzner at excelcia.org (Kurt Fitzner)
Date: Mon Mar 21 23:15:03 2005
Subject: GPGee - GPG Explorer Extension (context menu) front end
Message-ID: <423F4845.2030901@excelcia.org>

I've written a new Windows explorer extension front end for gpg. I know that Timo has winfpse, and somewhere out there is gpgsx. But as I've never been able to find gpgsx nor get winfpse to work, I figured I'd take a stab at it. I've always wanted an excuse to write an Explorer extension anyways. :) Oh, and it's released under the GPL of course.

The program is called "GPGee" (GPG Explorer Extension). Say that final "Gee" just like you'd say "Golly Gee Wiz". :)

Right now it signs, encrypts (public and symmetric), or both. No verify yet. This was more a proof-of-concept version than anything final, but it does have a couple useful features:
- Installer - no registering or manual installation needed.
- Will sign and/or encrypt multiple files at once. Just select multiple files in Explorer, and right-click on them all.
- A single unified window that has all the settings for all operations. Picking "Sign" from the menu sets the defaults, but you're not limited to signing, you can still change to encryption. Ever pick the wrong setting from a right-click context menu? Well, now you can just roll with it.

Source and installer are available from:
http://www.excelcia.org/modules.php?name=Downloads&d_op=viewdownload&cid=1

Thanks go to the GPGME team and Timo Schulz for his "MyGPGME" version, which is what I used for the back-end communication to GPG. In case anyone ever has wanted to use Borland's C++ Builder to write GPG front ends/plugins/etc, I ported Timo's MyGPGME to compile on C++ Builder. The source for GPGee has that with it.
From DGRIMES at scvl.com Mon Mar 21 23:25:07 2005
From: DGRIMES at scvl.com (Grimes, Dean)
Date: Mon Mar 21 23:21:53 2005
Subject: Multiple Subkeys/UIDs
Message-ID: <59D747A62703354193CA17350FC3F7D9136A92@telstar.scvl.com>

> You mention that all data enters the central location encrypted, but is
> then decrypted ("for processing") and then re-encrypted.

The processing script would most likely decrypt the file piping the output into the processing program. Once processing is complete, the script would then mv/cp the already encrypted file to its storage location. There would be no need to re-encrypt the file.

> Also: once a file is archived, is it still writable? That is, is it
> permissible to go back and edit this file to remove a particular key
> from it?

No. The file would not be editable nor would any other process write to the file. The only activity allowed on the file would be to decrypt for reading purposes in a designated work area to be determined and set forth in the policy.

Dean

-----Original Message-----
From: gnupg-users-bounces@gnupg.org [mailto:gnupg-users-bounces@gnupg.org]On Behalf Of David Shaw Sent: Monday, March 21, 2005 1:40 PM To: gnupg-users@gnupg.org Subject: Re: Multiple Subkeys/UIDs On Mon, Mar 21, 2005 at 01:28:30PM -0600, Grimes, Dean wrote: > Is this possible to do with GnuPG? Is it wise to do something like this? Is > there anyone else besides me who has this situation or one similar? If so, > how did you/they solve the problem? Any help would be greatly appreciated. There seem to be a few ways to accomplish what you want to do here. Can I get a little more information before I comment? You mention that all data enters the central location encrypted, but is then decrypted ("for processing") and then re-encrypted. Do I understand that correctly? Also: once a file is archived, is it still writable? That is, is it permissible to go back and edit this file to remove a particular key from it? David _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From sk at intertivity.com Mon Mar 21 23:34:37 2005 From: sk at intertivity.com (Kiefer, Sascha) Date: Mon Mar 21 23:30:30 2005 Subject: GPGee - GPG Explorer Extension (context menu) front end In-Reply-To: <423F4845.2030901@excelcia.org> Message-ID: <004d01c52e66$2d4e1140$f500a8c0@HOME> Well, it would be nice to have a control to select the keyring location. I keep my keys on a memory stick, so I'm not able to use your tool! --esskar > -----Original Message----- 
> From: gnupg-users-bounces@gnupg.org > [mailto:gnupg-users-bounces@gnupg.org] On Behalf Of Kurt Fitzner > Sent: Monday, 21 March 2005 23:19 > To: gnupg-users@gnupg.org > Subject: GPGee - GPG Explorer Extension (context menu) front end > > > I've written a new Windows explorer extension front end for > gpg. I know that Timo has winfpse, and somewhere out there > is gpgsx. But as I've never been able to find gpgsx nor get > winfpse to work, I figured I'd take a stab at it. I've > always wanted an excuse to write an Explorer extension > anyways. :) Oh, and it's released under the GPL of course. > > The program is called "GPGee" (GPG Explorer Extension). Say > that final "Gee" just like you'd say "Golly Gee Wiz". :) > > Right now it signs, encrypts (public and symmetric), or both. > No verify yet. This was more a proof-of-concept version > than anything final, but it does have a couple useful features: > - Installer - no registering or manual installation needed. > - Will sign and/or encrypt multiple files at once. Just > select multiple files in Explorer, and right-click on them all. > - A single unified window that has all the settings for all > operations. Picking "Sign" from the menu sets the defaults, > but you're not limited to signing, you can still change to > encryption. Ever pick the wrong setting from a right-click > context menu? Well, now you can just roll with it. > > Source and installer are available from: > http://www.excelcia.org/modules.php?name=Downloads&d_op=viewdownload&cid=1 > > Thanks goes to the GPGME team and Timo Shulz for his "MyGPGME" version, > which is what I used for the back-end communication to GPG. In case anyone > ever has wanted to use Borland's C++ Builder to write GPG front ends/plugins/etc, > I ported Timo's MyGPGME to compile on C++ Builder. The source for GPGee has > that with it. From dshaw at jabberwocky.com Mon Mar 21 23:35:34 2005 
From: dshaw at jabberwocky.com (David Shaw) Date: Mon Mar 21 23:32:15 2005 Subject: Multiple Subkeys/UIDs In-Reply-To: <59D747A62703354193CA17350FC3F7D9136A92@telstar.scvl.com> References: <59D747A62703354193CA17350FC3F7D9136A92@telstar.scvl.com> Message-ID: <20050321223534.GA22865@jabberwocky.com> On Mon, Mar 21, 2005 at 04:25:07PM -0600, Grimes, Dean wrote: > >You mention that all data enters the central location encrypted, but is > then decrypted ("for processing") and then re-encrypted. > > The processing script would most likely decrypt the file, piping the output > into the processing program. Once processing is complete, the script would > then mv/cp the already encrypted file to its storage location. There would > be no need to re-encrypt the file. > > >Also: once a file is archived, is it still writable? That is, is it > >permissible to go back and edit this file to remove a particular key > >from it? > > No. The file would not be editable nor would any other process write to the > file. The only activity allowed on the file would be to decrypt for reading > purposes in a designated work area to be determined and set forth in the > policy. That makes things very difficult, unfortunately. Given those restrictions, I think your best bet is to have some sort of "check out" process when someone needs to read a file. At that point, the file is decrypted by the master key and then re-encrypted to that person's key. Your local policy and setup will need to be written in such a way that this person cannot make their own copy of the file while reading it. However, given that restriction (that the user has no way to make their own copy), I wonder what the point is in re-encrypting. Why not decrypt as part of the check-out and give it to them in the clear? David From alex at bofh.net.pl Mon Mar 21 22:52:07 2005 
From: alex at bofh.net.pl (Janusz A. Urbanowicz) Date: Mon Mar 21 23:36:35 2005 Subject: signature level Message-ID: <20050321215206.GC6404@syjon.fantastyka.net> How is signature level specification done in 1.4+? Alex -- mors ab alto 0x46399138 From dshaw at jabberwocky.com Mon Mar 21 23:51:34 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Mar 21 23:48:02 2005 Subject: signature level In-Reply-To: <20050321215206.GC6404@syjon.fantastyka.net> References: <20050321215206.GC6404@syjon.fantastyka.net> Message-ID: <20050321225134.GB22865@jabberwocky.com> On Mon, Mar 21, 2005 at 10:52:07PM +0100, Janusz A. Urbanowicz wrote: > How is signature level specification done in 1.4+? By default, GnuPG does not prompt you for a signature level. If you want to be prompted, use '--ask-cert-level'. If you want to specify, but not be prompted each time, use '--default-cert-level n' where n is 0, 1, 2 or 3. The default is 0. GnuPG can be configured to ignore certain signature levels. Use '--min-cert-level' to set the minimum level you want to accept. The default is 2. David From clbianco at tiscalinet.it Tue Mar 22 00:18:03 2005 
From: clbianco at tiscalinet.it (Carlo Luciano Bianco) Date: Tue Mar 22 00:19:33 2005 Subject: Libcurl (was Re: [Announce] GnuPG 1.4.1 released) References: <873buw7svj.fsf__45501.6475906179$1110907615$gmane$org@wheatstone.g10code.de> <20050318154858.GB28771__4233.31979332051$1111161487$gmane$org@jabberwocky.com> <20050318172302.GA28913__41139.6839227111$1111166904$gmane$org@jabberwocky.com> <20050321191201.GB22598__4665.25674933127$1111432573$gmane$org@jabberwocky.com> Message-ID: Il /21 mar 2005/, *David Shaw* ha scritto: > On Sun, Mar 20, 2005 at 04:18:35PM +0100, Carlo Luciano Bianco wrote: > >> 1) It seems that, when running a subprocess like a gpgkeys_*.exe, gpg.exe >> does not pass it the environment variables. Most notably, it does not pass >> the system %PATH%. Both gpg.exe and gpgkeys_*.exe depends on many dlls [...] > That's odd. The only thing that jumps to mind is are you building > with the configure option "--disable-keyserver-path" or using the > GPG option "exec-path" ? No, David. The only configure options I used are "--prefix" and "--with-libcurl". The only difference between the configure command line reported on my web page and the one I actually used is in the CFLAGS part, where I used, e.g., "-march=athlon-xp" and some other optimizations. And exec-path is not in my gpg.conf (I checked, to be double sure). I have only modified, like reported on my web page, the lines in the "configure" script where the directories are defined (lines 23881-23885): #define G10_LOCALEDIR "c:\\\\programmi\\\\gnupg\\\\locale" #define GNUPG_LIBDIR "c:\\\\programmi\\\\gnupg" #define GNUPG_LIBEXECDIR "c:\\\\programmi\\\\gnupg" #define GNUPG_DATADIR "c:\\\\programmi\\\\gnupg" #define GNUPG_HOMEDIR "h:\\\\gnupg" >> 2) gpgkeys_hkp.exe, gpgkeys_finger.exe and gpgkeys_ldap.exe seem to work >> OK (provided the dlls are found), but gpgkeys_curl.exe does not run at >> all. As soon as it is started by gpg.exe, it crashes (and DrWatson comes [...] 
> Can you try running gpgkeys_curl.exe under gdb? Yes, I can. I think it is better I rebuild it with "-g" and without optimizations, right? I'll do it tomorrow as soon as I can. -- | Carlo Luciano Bianco | ICQ UIN: 109517158 | |______________________| Home page: | |GPG DSA/ElG 1024/4096:|_________________________________________________| |KeyID:0x5324A0DA - Fingerprint:8B00C61034120506111B143DEDBF71B45324A0DA | From dshaw at jabberwocky.com Tue Mar 22 00:43:14 2005 
From: dshaw at jabberwocky.com (David Shaw) Date: Tue Mar 22 00:39:45 2005 Subject: Libcurl (was Re: [Announce] GnuPG 1.4.1 released) In-Reply-To: References: <873buw7svj.fsf__45501.6475906179$1110907615$gmane$org@wheatstone.g10code.de> <20050318154858.GB28771__4233.31979332051$1111161487$gmane$org@jabberwocky.com> <20050318172302.GA28913__41139.6839227111$1111166904$gmane$org@jabberwocky.com> <20050321191201.GB22598__4665.25674933127$1111432573$gmane$org@jabberwocky.com> Message-ID: <20050321234314.GC22865@jabberwocky.com> On Tue, Mar 22, 2005 at 12:18:03AM +0100, Carlo Luciano Bianco wrote: > Il /21 mar 2005/, *David Shaw* ha scritto: > > > On Sun, Mar 20, 2005 at 04:18:35PM +0100, Carlo Luciano Bianco wrote: > > > >> 1) It seems that, when running a subprocess like a gpgkeys_*.exe, gpg.exe > >> does not pass it the environment variables. Most notably, it does not pass > >> the system %PATH%. Both gpg.exe and gpgkeys_*.exe depends on many dlls > [...] > > That's odd. The only thing that jumps to mind is are you building > > with the configure option "--disable-keyserver-path" or using the > > GPG option "exec-path" ? > > No, David. The only configure options I used are "--prefix" and "--with-libcurl". > The only difference between the configure command line > reported on my web page and the one I actually used is in the CFLAGS part, > where I used, e.g., "-march=athlon-xp" and some other optimizations. And > exec-path is not in my gpg.conf (I checked, to be double sure). > > I have only modified, like reported on my web page, the lines in the > "configure" script where the directories are defined (lines 23881-23885): > #define G10_LOCALEDIR "c:\\\\programmi\\\\gnupg\\\\locale" > #define GNUPG_LIBDIR "c:\\\\programmi\\\\gnupg" > #define GNUPG_LIBEXECDIR "c:\\\\programmi\\\\gnupg" > #define GNUPG_DATADIR "c:\\\\programmi\\\\gnupg" > #define GNUPG_HOMEDIR "h:\\\\gnupg" Interesting. Some difference between POSIX style $PATH and W32 style %PATH% maybe? 
Now that I think about it, GPG on MinGW is going to end up appending ':c:\\programmi\gnupg" to your PATH. That may well result in a problem since W32 wants ';c:\\programmi\gnupg' (with a leading semicolon). The odd thing is the code has been this way for years (literally since 2002!) and I don't recall this exact problem popping up before. Also, there are other current MinGW builds that do work properly, so I suspect there is still something not understood here. Still, for curiosity's sake, try this patch to g10/exec.c: Index: exec.c =================================================================== RCS file: /cvs/gnupg/gnupg/g10/exec.c,v retrieving revision 1.18 diff -u -r1.18 exec.c --- exec.c 28 Oct 2004 02:14:06 -0000 1.18 +++ exec.c 21 Mar 2005 23:36:13 -0000 @@ -107,7 +107,7 @@ if(curpath) { strcat(p,curpath); - strcat(p,":"); + strcat(p,";"); } strcat(p,path); > >> 2) gpgkeys_hkp.exe, gpgkeys_finger.exe and gpgkeys_ldap.exe seem to work > >> OK (provided the dlls are found), but gpgkeys_curl.exe does not run at > >> all. As soon as it is started by gpg.exe, it crashes (and DrWatson comes > [...] > > Can you try running gpgkeys_curl.exe under gdb? > > Yes, I can. I think it is better I rebuild it with "-g" and without > optimizations, right? I'll do it tomorrow as soon as I can. Yes, with -g and no -O. Thanks! David From atom at smasher.org Tue Mar 22 01:20:14 2005 
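Review bot: the separator change in the hunk (strcat(p,":") to strcat(p,";")) is unconditional, so the same source would now also join the current PATH and the libexec directory with ';' on POSIX builds, where ':' is the required separator; make the separator platform-dependent (';' only under the build's existing Windows/DOS conditional, ':' otherwise) instead of replacing it outright. While touching this spot, note that the three strcat() calls in the hunk's context write into p with no length check visible here, so the allocation of p above the hunk must already reserve strlen(curpath) + 1 + strlen(path) + 1 bytes; worth confirming at the same time.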
From: atom at smasher.org (Atom Smasher) Date: Tue Mar 22 01:13:05 2005 Subject: signature level In-Reply-To: <20050321215206.GC6404@syjon.fantastyka.net> References: <20050321215206.GC6404@syjon.fantastyka.net> Message-ID: <20050322001659.91645.qmail@smasher.org> On Mon, 21 Mar 2005, Janusz A. Urbanowicz wrote: > How is signature level specification done in 1.4+? ================ --ask-cert-level previously this was on by default. apparently it caused too much confusion, so now you have to specify it if you want it. -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "The sum of intelligence on the planet is a constant. The population is increasing." -- Cole's Axiom From kimp05702 at sneakemail.com Tue Mar 22 01:41:39 2005 From: kimp05702 at sneakemail.com (Jason Wallwork) Date: Tue Mar 22 02:42:28 2005 Subject: gpg: WARNING: unsafe ownership on configuration file "/home/jason/.gnupg/gpg.conf" Message-ID: <200503211941.39678.kimp05702@sneakemail.com> Received the warning message: gpg: WARNING: unsafe ownership on configuration file "/home/jason/.gnupg/gpg.conf" after running gpg --version as root. I don't get the warning if I run the same command as a regular user. Here are the permissions on the file: jason@starbuck:~> ls -l .gnupg/gpg.conf -rw------- 1 jason users 8565 2005-03-17 12:43 .gnupg/gpg.conf Should I be concerned? I can't find this in the FAQ. I hope it's not a case of not looking hard enough. :-/ -- Jason Wallwork From DGRIMES at scvl.com Tue Mar 22 03:46:01 2005 
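The warning Jason quotes is the one gpg emits when the owner of a file it reads is not the uid gpg is running as; a file owned by jason read by gpg running as root fails that test even though its mode is 0600, which is why the regular-user run is silent. The following Python is an added example, not GnuPG's code: it re-implements the two file-safety checks as I understand the 1.4 behaviour (owner must equal the running uid; no group or world write bit), reusing the warning wording from the message, and exercises them on a temporary file it creates itself so it runs offline. The warning texts and the uid+1 "other user" are assumptions for the demo.

```python
import os
import stat
import tempfile
from typing import Dict, List, Optional


def config_file_warnings(path: str, uid: Optional[int] = None) -> List[str]:
    """Return the warnings gpg would print for `path` when run with effective
    uid `uid` (defaults to the current one).  An empty list means "safe".

    Two checks are modelled (assumption, mirroring the 1.4 warning text):
    the file must be owned by the uid running gpg, and it must not be
    writable by group or others."""
    if uid is None:
        uid = os.geteuid()
    st = os.stat(path)
    warnings: List[str] = []
    if st.st_uid != uid:
        warnings.append(f'unsafe ownership on configuration file "{path}"')
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        warnings.append(f'unsafe permissions on configuration file "{path}"')
    return warnings


def demo() -> Dict[str, List[str]]:
    """Create a private scratch gpg.conf and evaluate it three ways:
    as its owner with mode 0600 (clean), as a different uid with mode 0600
    (Jason's case: file owned by jason, gpg run as root), and as its owner
    with mode 0666 (permissions warning only)."""
    fd, path = tempfile.mkstemp(prefix="gpg.conf-")
    os.close(fd)
    try:
        me = os.geteuid()
        os.chmod(path, 0o600)
        result = {
            "owner_0600": config_file_warnings(path, me),
            # another uid (me + 1 is just a stand-in for "root vs. jason")
            "other_uid_0600": config_file_warnings(path, me + 1),
        }
        os.chmod(path, 0o666)
        result["owner_0666"] = config_file_warnings(path, me)
    finally:
        os.unlink(path)
    return result


if __name__ == "__main__":
    for case, warns in demo().items():
        print(case, "->", warns or "ok")
```

The practical reading of the result: the ownership warning is about who runs gpg relative to who owns the file, not about the mode bits, so `su -` to a proper root environment (or running gpg as the file's owner) clears it, while loosening the mode would only add the second warning.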
From: DGRIMES at scvl.com (Grimes, Dean) Date: Tue Mar 22 03:42:57 2005 Subject: Multiple Subkeys/UIDs Message-ID: <59D747A62703354193CA17350FC3F7D9136A93@telstar.scvl.com> >That makes things very difficult, unfortunately. Given those >restrictions, I think your best bet is to have some sort of "check >out" process when someone needs to read a file. At that point, the >file is decrypted by the master key and then re-encrypted to that >person's key. Your local policy and setup will need to be written in >such a way that this person cannot make their own copy of the file >while reading it. I like the idea of a check out system. This would eliminate the need to create individual subkeys altogether. I could even use CVS as the warehousing system. This accomplishes two goals: 1. Check in/out procedures and 2. Logging all activity for checked out files. >However, given that restriction (that the user has no way to make >their own copy), I wonder what the point is in re-encrypting. Why not >decrypt as part of the check-out and give it to them in the clear? I agree. There is no need to re-encrypt the files. These are trusted employees who have the authority to view the data. I'm not too worried that they wouldn't adhere to company policy. However, just to be sure: There is no way to create multiple subkeys with individual pass phrases that have the ability to decrypt messages/files encrypted by a master key. Is this correct? Thanks, Dean -----Original Message----- 
From: gnupg-users-bounces@gnupg.org [mailto:gnupg-users-bounces@gnupg.org]On Behalf Of David Shaw Sent: Monday, March 21, 2005 4:36 PM To: gnupg-users@gnupg.org Subject: Re: Multiple Subkeys/UIDs On Mon, Mar 21, 2005 at 04:25:07PM -0600, Grimes, Dean wrote: > >You mention that all data enters the central location encrypted, but is > then decrypted ("for processing") and then re-encrypted. > > The processing script would most likely decrypt the file, piping the output > into the processing program. Once processing is complete, the script would > then mv/cp the already encrypted file to its storage location. There would > be no need to re-encrypt the file. > > >Also: once a file is archived, is it still writable? That is, is it > >permissible to go back and edit this file to remove a particular key > >from it? > > No. The file would not be editable nor would any other process write to the > file. The only activity allowed on the file would be to decrypt for reading > purposes in a designated work area to be determined and set forth in the > policy. That makes things very difficult, unfortunately. Given those restrictions, I think your best bet is to have some sort of "check out" process when someone needs to read a file. At that point, the file is decrypted by the master key and then re-encrypted to that person's key. Your local policy and setup will need to be written in such a way that this person cannot make their own copy of the file while reading it. However, given that restriction (that the user has no way to make their own copy), I wonder what the point is in re-encrypting. Why not decrypt as part of the check-out and give it to them in the clear? David From clbianco at tiscalinet.it Tue Mar 22 10:16:19 2005 
From: clbianco at tiscalinet.it (Carlo Luciano Bianco) Date: Tue Mar 22 10:13:11 2005 Subject: Libcurl (was Re: [Announce] GnuPG 1.4.1 released) References: <873buw7svj.fsf__45501.6475906179$1110907615$gmane$org@wheatstone.g10code.de> <20050318154858.GB28771__4233.31979332051$1111161487$gmane$org@jabberwocky.com> <20050318172302.GA28913__41139.6839227111$1111166904$gmane$org@jabberwocky.com> <20050321191201.GB22598__4665.25674933127$1111432573$gmane$org@jabberwocky.com> <20050321234314.GC22865__46177.1983690143$1111448667$gmane$org@jabberwocky.com> Message-ID: Il /22 mar 2005/, *David Shaw* ha scritto: > On Tue, Mar 22, 2005 at 12:18:03AM +0100, Carlo Luciano Bianco wrote: >> Il /21 mar 2005/, *David Shaw* ha scritto: >> >> > On Sun, Mar 20, 2005 at 04:18:35PM +0100, Carlo Luciano Bianco wrote: >> > >> >> 1) It seems that, when running a subprocess like a gpgkeys_*.exe, >> >> gpg.exe does not pass it the environment variables. Most notably, it >> >> does not pass the system %PATH%. Both gpg.exe and gpgkeys_*.exe [...] > Interesting. Some difference between POSIX style $PATH and W32 style > %PATH% maybe? Now that I think about it, GPG on MinGW is going to end > up appending ':c:\\programmi\gnupg" to your PATH. That may well > result in a problem since W32 wants ';c:\\programmi\gnupg' (with a > leading semicolon). This can be a problem, yes, but it would affect only the last two folders of the path (the ones with ":" instead of ";"). Are you sure the gnupg path is not added as the first one followed by ":"? Can the presence of "spaces" in the path (e.g. "C:\Programmi\File comuni") be a problem, also? > The odd thing is the code has been this way for years (literally since > 2002!) and I don't recall this exact problem popping up before. Also, > there are other current MinGW builds that do work properly, so I > suspect there is still something not understood here. Well... 
I agree, but to experience this problem you need two very uncommon things: 1) You must have dll-linked gnupg executables, which is very uncommon (the official MinGW build is statically linked). 2) You must have the dlls not in the gnupg folder but in a different one. > Still, for curiosity's sake, try this patch to g10/exec.c: Thanks! I'll try when I rebuild with "-g" and I'll let you know. >> > Can you try running gpgkeys_curl.exe under gdb? >> >> Yes, I can. I think it is better I rebuild it with "-g" and without >> optimizations, right? I'll do it tomorrow as soon as I can. > > Yes, with -g and no -O. Thanks! OK, I hope to have some time this afternoon... -- | Carlo Luciano Bianco | ICQ UIN: 109517158 | |______________________| Home page: | |GPG DSA/ElG 1024/4096:|_________________________________________________| |KeyID:0x5324A0DA - Fingerprint:8B00C61034120506111B143DEDBF71B45324A0DA | From clbianco at tiscalinet.it Tue Mar 22 10:46:10 2005 
From: clbianco at tiscalinet.it (Carlo Luciano Bianco) Date: Tue Mar 22 10:42:28 2005 Subject: Libcurl (was Re: [Announce] GnuPG 1.4.1 released) References: <873buw7svj.fsf__45501.6475906179$1110907615$gmane$org@wheatstone.g10code.de> <20050318154858.GB28771__4233.31979332051$1111161487$gmane$org@jabberwocky.com> <20050318172302.GA28913__41139.6839227111$1111166904$gmane$org@jabberwocky.com> <20050321191201.GB22598__4665.25674933127$1111432573$gmane$org@jabberwocky.com> <20050321234314.GC22865__46177.1983690143$1111448667$gmane$org@jabberwocky.com> Message-ID: Il /22 mar 2005/, *Carlo Luciano Bianco* ha scritto: > Il /22 mar 2005/, *David Shaw* ha scritto: I did it much earlier than expected... ;-) >> Still, for curiosity's sake, try this patch to g10/exec.c: > > Thanks! I'll try when I rebuild with "-g" and I'll let you know. I tried your patch, but the problem is exactly the same. >>> > Can you try running gpgkeys_curl.exe under gdb? [...] Well... I never used gdb before, I hope I did not make too many mistakes... Here is what I did: -------------------------------------------------------------------------- $ gdb --args ./gpgkeys_curl.exe ./tempin.txt GNU gdb 6.0 Copyright 2003 Free Software Foundation, Inc. [...] (gdb) run Starting program: c:\Docume~1\Carlol~1\Documenti\Programmazione\mingw\gnupg-1.4.1\keyserver/./gpgkeys_curl.exe ./tempin.txt Program received signal SIGSEGV, Segmentation fault. 0x77c16137 in strdup () from C:\WINDOWS\system32\msvcrt.dll (gdb) continue Continuing. Program received signal SIGSEGV, Segmentation fault. 0x77c16137 in strdup () from C:\WINDOWS\system32\msvcrt.dll (gdb) continue Continuing. Program exited with code 030000000005. -------------------------------------------------------------------------- Should I try something else? 
-- | Carlo Luciano Bianco | ICQ UIN: 109517158 | |______________________| Home page: | |GPG DSA/ElG 1024/4096:|_________________________________________________| |KeyID:0x5324A0DA - Fingerprint:8B00C61034120506111B143DEDBF71B45324A0DA | From linux at codehelp.co.uk Tue Mar 22 11:19:50 2005 From: linux at codehelp.co.uk (Neil Williams) Date: Tue Mar 22 11:18:18 2005 Subject: Libcurl (was Re: [Announce] GnuPG 1.4.1 released) In-Reply-To: References: <873buw7svj.fsf__45501.6475906179$1110907615$gmane$org@wheatstone.g10code.de> Message-ID: <200503221019.55199.linux@codehelp.co.uk> On Tuesday 22 March 2005 9:46 am, Carlo Luciano Bianco wrote: > Program received signal SIGSEGV, Segmentation fault. > 0x77c16137 in strdup () from C:\WINDOWS\system32\msvcrt.dll To find out what caused that fault, use the bt command: backtrace. It happened in strdup() so that's usually because the string you are trying to copy (or copy to) is not accessible - maybe not properly initialised. The fault is not necessarily in the file identified above, it just showed up there. Use up and down commands after getting the backtrace to inspect the calls that led to the segmentation fault. > (gdb) continue > Continuing. You can't usually continue after a segmentation fault - or if you try you won't get predictable behaviour. > Should I try something else? bt -- Neil Williams ============= http://www.dcglug.org.uk/ http://www.nosoftwarepatents.com/ http://sourceforge.net/projects/isbnsearch/ http://www.neil.williamsleesmill.me.uk/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 From johanw at vulcan.xs4all.nl Tue Mar 22 12:06:30 2005 
From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Tue Mar 22 12:03:00 2005 Subject: signature level In-Reply-To: <20050321225134.GB22865@jabberwocky.com> from David Shaw at "Mar 21, 2005 05:51:34 pm" Message-ID: <200503221106.MAA01031@vulcan.xs4all.nl> David Shaw wrote: >By default, GnuPG does not prompt you for a signature level. If you >want to be prompted, use '--ask-cert-level'. And the default, without specifying and without the option --default-cert-level, is 0? >If you want to specify, but not be prompted each time, use >'--default-cert-level n' where n is 0, 1, 2 or 3. The default is 0. > >GnuPG can be configured to ignore certain signature levels. Use >'--min-cert-level' to set the minimum level you want to accept. The >default is 2. Does that mean that gnupg in the default setup will ignore all signatures made with the default setup? From the code (keyedit.c line 872 and further) I understand that it will generate 0x10 sigs in the default setup. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From clbianco at tiscalinet.it Tue Mar 22 13:15:15 2005 
From: clbianco at tiscalinet.it (Carlo Luciano Bianco) Date: Tue Mar 22 13:11:41 2005 Subject: Libcurl (was Re: [Announce] GnuPG 1.4.1 released) References: <873buw7svj.fsf__45501.6475906179$1110907615$gmane$org@wheatstone.g10code.de> <200503221019.55199.linux__45863.7927113616$1111486979$gmane$org@codehelp.co.uk> Message-ID: Il /22 mar 2005/, *Neil Williams* ha scritto: > On Tuesday 22 March 2005 9:46 am, Carlo Luciano Bianco wrote: >> Program received signal SIGSEGV, Segmentation fault. >> 0x77c16137 in strdup () from C:\WINDOWS\system32\msvcrt.dll > > To find out what caused that fault, use the bt command: backtrace. Thanks, Nail. As I said, I am quite new to this sort of thing. Here is the result: -------------------------------------------------------------------------- [...] (gdb) bt #0 0x77c16137 in strdup () from C:\WINDOWS\system32\msvcrt.dll #1 0x003d52e0 in ?? () #2 0x0022f088 in ?? () #3 0x69f51e6d in libcurl!curl_slist_free_all () from c:\programmi\mingw\bin\libcurl.dll -------------------------------------------------------------------------- > It happened in strdup() so that's usually because the string you are > trying to copy (or copy to) is not accessible - maybe not properly > initialised. The fault is not necessarily in the file identified above, > it just showed up there. Use up and down commands after getting the > backtrace to inspect the calls that lead to the segmentation fault. The above four are all the frames I get. >> (gdb) continue >> Continuing. > > You can't usually continue after a segmentation fault - or if you try > you won't get predictable behaviour. Good to know for the next time, thanks again! ;-) -- | Carlo Luciano Bianco | ICQ UIN: 109517158 | |______________________| Home page: | |GPG DSA/ElG 1024/4096:|_________________________________________________| |KeyID:0x5324A0DA - Fingerprint:8B00C61034120506111B143DEDBF71B45324A0DA | From clbianco at tiscalinet.it Tue Mar 22 13:22:29 2005 
From: clbianco at tiscalinet.it (Carlo Luciano Bianco) Date: Tue Mar 22 13:19:26 2005 Subject: Libcurl (was Re: [Announce] GnuPG 1.4.1 released) References: <873buw7svj.fsf__45501.6475906179$1110907615$gmane$org@wheatstone.g10code.de> <200503221019.55199.linux__45863.7927113616$1111486979$gmane$org@codehelp.co.uk> Message-ID: Il /22 mar 2005/, *Carlo Luciano Bianco* ha scritto: > Thanks, Nail. As I said, I am quite new to this sort of thing. Here is > the result: I mean "Neil", of course, I am really sorry about that... -- | Carlo Luciano Bianco | ICQ UIN: 109517158 | |______________________| Home page: | |GPG DSA/ElG 1024/4096:|_________________________________________________| |KeyID:0x5324A0DA - Fingerprint:8B00C61034120506111B143DEDBF71B45324A0DA | From dshaw at jabberwocky.com Tue Mar 22 14:55:36 2005 
From: dshaw at jabberwocky.com (David Shaw) Date: Tue Mar 22 14:52:11 2005 Subject: Libcurl (was Re: [Announce] GnuPG 1.4.1 released) In-Reply-To: References: <873buw7svj.fsf__45501.6475906179$1110907615$gmane$org@wheatstone.g10code.de> <200503221019.55199.linux__45863.7927113616$1111486979$gmane$org@codehelp.co.uk> Message-ID: <20050322135536.GA23086@jabberwocky.com> On Tue, Mar 22, 2005 at 01:15:15PM +0100, Carlo Luciano Bianco wrote: > [...] > (gdb) bt > #0 0x77c16137 in strdup () from C:\WINDOWS\system32\msvcrt.dll > #1 0x003d52e0 in ?? () > #2 0x0022f088 in ?? () > #3 0x69f51e6d in libcurl!curl_slist_free_all () from > c:\programmi\mingw\bin\libcurl.dll > -------------------------------------------------------------------------- > > > It happened in strdup() so that's usually because the string you are > > trying to copy (or copy to) is not accessible - maybe not properly > > initialised. The fault is not necessarily in the file identified above, > > it just showed up there. Use up and down commands after getting the > > backtrace to inspect the calls that lead to the segmentation fault. > > The above four are all the frames I get. The strdup segfault is happening due to a call from inside libcurl itself. That doesn't necessarily mean a bug in curl, though. What version of curl are you using here? Also, can you try and rebuild libcurl with -g and no optimization? Maybe we can get a better stacktrace. David From dshaw at jabberwocky.com Tue Mar 22 14:56:23 2005 
From: dshaw at jabberwocky.com (David Shaw) Date: Tue Mar 22 14:52:53 2005 Subject: signature level In-Reply-To: <200503221106.MAA01031@vulcan.xs4all.nl> References: <20050321225134.GB22865@jabberwocky.com> <200503221106.MAA01031@vulcan.xs4all.nl> Message-ID: <20050322135623.GB23086@jabberwocky.com> On Tue, Mar 22, 2005 at 12:06:30PM +0100, Johan Wevers wrote: > David Shaw wrote: > > >By default, GnuPG does not prompt you for a signature level. If you > >want to be prompted, use '--ask-cert-level'. > > And the default, without specifying and without the option > --default-cert-level, is 0? Correct. > >If you want to specify, but not be prompted each time, use > >'--default-cert-level n' where n is 0, 1, 2 or 3. The default is 0. > > > >GnuPG can be configured to ignore certain signature levels. Use > >'--min-cert-level' to set the minimum level you want to accept. The > >default is 2. > > Does that mean that gnupg in the default setup will ignore all signatures > made with the default setup? From the code (keyedit.c line 872 and further) > I understand that it will generate 0x10 sigs in the default setup. No. 0x10 sigs are always accepted regardless of the --min-cert-level. David From dshaw at jabberwocky.com Tue Mar 22 15:08:57 2005 
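To make the two answers on certification levels concrete (David's description earlier in the thread of --ask-cert-level, --default-cert-level and --min-cert-level, and his clarification just above that 0x10 signatures count regardless of --min-cert-level), here is an added Python example; it is not GnuPG code. It parses sig records in the `gpg --with-colons --list-sigs` format, where field 5 is the certifying key ID and field 11 is the signature class (two hex digits, 0x10 to 0x13 for user-ID certifications, followed by `x` for exportable or `l` for local-only), maps the class to a cert level 0..3 and applies the acceptance rule. The input is a constructed sample, not real keyring output; the key IDs and user IDs in it are made up.

```python
from typing import List, NamedTuple

# Constructed sample in --with-colons format (made-up key IDs and user IDs).
# "sig" records: field 5 = signer key ID, field 11 = signature class.
# 0x10 generic, 0x11 persona, 0x12 casual, 0x13 positive; 0x1F is a
# direct-key signature and is not a certification level at all.
SAMPLE = """\
pub:u:1024:17:5324A0DA5324A0DA:1100000000:::u:::scaESCA:
uid:u::::1100000000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Carlo <carlo@example.invalid>:
sig:::17:5324A0DA5324A0DA:1100000000::::Carlo <carlo@example.invalid>:13x:
sig:::17:1111111111111111:1100000100::::Alice <alice@example.invalid>:10x:
sig:::17:2222222222222222:1100000200::::Bob <bob@example.invalid>:11x:
sig:::17:3333333333333333:1100000300::::Carol <carol@example.invalid>:12x:
sig:::17:4444444444444444:1100000400::::Dave <dave@example.invalid>:13l:
sig:::17:5555555555555555:1100000500::::Eve <eve@example.invalid>:1Fx:
"""


class CertSig(NamedTuple):
    signer: str       # key ID of the certifying key (field 5)
    level: int        # 0..3, i.e. signature class minus 0x10
    exportable: bool  # 'x' suffix; 'l' marks a local (non-exportable) signature


def parse_cert_sigs(colons_output: str) -> List[CertSig]:
    """Extract user-ID certifications (classes 0x10..0x13) from --with-colons
    output.  Other signature classes (e.g. 0x1F, 0x18) are skipped."""
    sigs: List[CertSig] = []
    for line in colons_output.splitlines():
        f = line.split(":")
        if f[0] != "sig" or len(f) < 11:
            continue
        sigclass = f[10]
        cls = int(sigclass[:2], 16)
        if 0x10 <= cls <= 0x13:
            sigs.append(CertSig(f[4], cls - 0x10, sigclass[2:3] == "x"))
    return sigs


def accepted(level: int, min_cert_level: int = 2) -> bool:
    """The rule from the thread: level 0 (0x10, 'no particular claim') is
    always accepted; levels 1..3 must reach --min-cert-level (default 2)."""
    return level == 0 or level >= min_cert_level


def accepted_signers(colons_output: str, min_cert_level: int = 2) -> List[str]:
    """Key IDs whose certifications would count under the given min-cert-level."""
    return [s.signer for s in parse_cert_sigs(colons_output)
            if accepted(s.level, min_cert_level)]


if __name__ == "__main__":
    for lvl in (1, 2, 3):
        print(f"--min-cert-level {lvl}: {accepted_signers(SAMPLE, lvl)}")
```

With the default of 2, Bob's 0x11 (persona) certification is the only one dropped, while Alice's 0x10, the one a default `gpg --sign-key` produces, is kept; raising --min-cert-level to 3 additionally drops Carol's 0x12. The `l` suffix is reported alongside so a caller can also exclude local signatures, which keyservers will never carry.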
From: dshaw at jabberwocky.com (David Shaw) Date: Tue Mar 22 15:05:28 2005 Subject: 1.4.0a won't retrieve key from keyserver? In-Reply-To: <42401B85.5040903@jason.markley.name> References: <41E30E4B.5070109@jason.markley.name> <20050111030612.GA28753@jabberwocky.com> <41E3CCB9.2030803@jason.markley.name> <20050111160757.GC6496@jabberwocky.com> <423851A3.5030604@jason.markley.name> <20050321195149.GB22697@jabberwocky.com> <42401B85.5040903@jason.markley.name> Message-ID: <20050322140857.GA26177@jabberwocky.com> On Tue, Mar 22, 2005 at 08:20:05AM -0500, Jason Markley wrote: > David, > > Yes, I do have --openpgp in my gpg.conf file, and I did a > --keyserver-options keep-temp-files from the command line with the > --openpgp option. The results are attached. Thanks. I'll take a look. However, I asked about --openpgp because in some cases, that *causes* this problem, not fixes it. Can you try again without --openpgp set? David From dshaw at jabberwocky.com Tue Mar 22 15:06:27 2005 
From: dshaw at jabberwocky.com (David Shaw) Date: Tue Mar 22 15:45:26 2005 Subject: Libcurl (was Re: [Announce] GnuPG 1.4.1 released) In-Reply-To: References: <873buw7svj.fsf__45501.6475906179$1110907615$gmane$org@wheatstone.g10code.de> <20050318154858.GB28771__4233.31979332051$1111161487$gmane$org@jabberwocky.com> <20050318172302.GA28913__41139.6839227111$1111166904$gmane$org@jabberwocky.com> <20050321191201.GB22598__4665.25674933127$1111432573$gmane$org@jabberwocky.com> <20050321234314.GC22865__46177.1983690143$1111448667$gmane$org@jabberwocky.com> Message-ID: <20050322140627.GC23086@jabberwocky.com> On Tue, Mar 22, 2005 at 10:16:19AM +0100, Carlo Luciano Bianco wrote: > Il /22 mar 2005/, *David Shaw* ha scritto: > > > On Tue, Mar 22, 2005 at 12:18:03AM +0100, Carlo Luciano Bianco wrote: > >> Il /21 mar 2005/, *David Shaw* ha scritto: > >> > >> > On Sun, Mar 20, 2005 at 04:18:35PM +0100, Carlo Luciano Bianco wrote: > >> > > >> >> 1) It seems that, when running a subprocess like a gpgkeys_*.exe, > >> >> gpg.exe does not pass it the environment variables. Most notably, it > >> >> does not pass the system %PATH%. Both gpg.exe and gpgkeys_*.exe > [...] > > Interesting. Some difference between POSIX style $PATH and W32 style > > %PATH% maybe? Now that I think about it, GPG on MinGW is going to end > > up appending ':c:\\programmi\gnupg" to your PATH. That may well > > result in a problem since W32 wants ';c:\\programmi\gnupg' (with a > > leading semicolon). > > This can be a problem, yes, but it would affect only the last two folders of > the path (the ones with ":" instead of ";"). Are you sure the gnupg path is > not added as the first one followed by ":"? Yes. If there is a path to add, it's always appended. However, try setting your --exec-path directly to the path you want. That replaces the current path completely. So: exec-path c:\\whatever;c:\\programmi\gnupg David From SThutika at Satyam.odc.ml.com Tue Mar 22 16:02:39 2005 
From: SThutika at Satyam.odc.ml.com (Thutika, Srinivas (ODC - Satyam))
Date: Tue Mar 22 16:53:36 2005
Subject: Renaming error
Message-ID: <5967AD625B62D5118D180002A50926AB03A9588F@AGNI>

Hi friends,

I am facing the following renaming problem:

C:\keyrings>C:\gnupg\gpg.exe --homedir . --list-keys
.\pubring.gpg
-------------
gpg: checking the trustdb
gpg: renaming `.\pubring.gpg' to `.\pubring.bak' failed: Permission denied
gpg: failed to rebuild keyring cache: file rename error
gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
gpg: depth: 0 valid: 3 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 3u
pub 1024D/75DD4C2B 2005-03-22
uid Merrill Lynch CLEAR system DH
sub 1024g/070343B1 2005-03-22

pub 1024D/33C13FEF 2005-03-22
uid MerrillDefault
sub 1024g/9CEC8F78 2005-03-22

pub 1024D/F286EFEF 2005-03-22
uid thutika
sub 1024g/ADEEB454 2005-03-22

Regards,
Srinivas.

From clbianco at tiscalinet.it Tue Mar 22 18:39:12 2005
From: clbianco at tiscalinet.it (Carlo Luciano Bianco)
Date: Tue Mar 22 18:48:58 2005
Subject: Libcurl (was Re: [Announce] GnuPG 1.4.1 released)
References: <873buw7svj.fsf__45501.6475906179$1110907615$gmane$org@wheatstone.g10code.de> <20050318154858.GB28771__4233.31979332051$1111161487$gmane$org@jabberwocky.com> <20050318172302.GA28913__41139.6839227111$1111166904$gmane$org@jabberwocky.com> <20050321191201.GB22598__4665.25674933127$1111432573$gmane$org@jabberwocky.com> <20050321234314.GC22865__46177.1983690143$1111448667$gmane$org@jabberwocky.com> <20050322140627.GC23086__35211.475523147$1111503505$gmane$org@jabberwocky.com>
Message-ID:

On /22 Mar 2005/, *David Shaw* wrote:

[...]
>> >> >> 1) It seems that, when running a subprocess like a gpgkeys_*.exe,
>> >> >> gpg.exe does not pass it the environment variables. Most notably,
>> >> >> it does not pass the system %PATH%. Both gpg.exe and
>> >> >> gpgkeys_*.exe
[...]
> Yes. If there is a path to add, it's always appended. However, try
> setting your --exec-path directly to the path you want. That replaces
> the current path completely. So:
>
> exec-path c:\\whatever;c:\\programmi\gnupg

Well, I did the following test:

If I issue:

  gpg --keyserver hkp://whatever --recv-keys 99999999

then gpgkeys_hkp.exe does not start due to a missing dll.

But, if I issue:

  gpg --keyserver hkp://whatever --exec-path "%PATH%" --recv-keys 99999999

then all works OK.

So, it seems the problem is in the path created by exec.c... Maybe due to the blank spaces in the folder names...

-- 
| Carlo Luciano Bianco | ICQ UIN: 109517158 |
|______________________| Home page: |
|GPG DSA/ElG 1024/4096:|_________________________________________________|
|KeyID:0x5324A0DA - Fingerprint:8B00C61034120506111B143DEDBF71B45324A0DA |

From clbianco at tiscalinet.it Tue Mar 22 18:50:20 2005
From: clbianco at tiscalinet.it (Carlo Luciano Bianco)
Date: Tue Mar 22 19:00:14 2005
Subject: Libcurl (was Re: [Announce] GnuPG 1.4.1 released)
References: <873buw7svj.fsf__45501.6475906179$1110907615$gmane$org@wheatstone.g10code.de> <200503221019.55199.linux__45863.7927113616$1111486979$gmane$org@codehelp.co.uk> <20050322135536.GA23086__46715.5534112409$1111499852$gmane$org@jabberwocky.com>
Message-ID:

On /22 Mar 2005/, *David Shaw* wrote:

[...]
> The strdup segfault is happening due to a call from inside libcurl
> itself. That doesn't necessarily mean a bug in curl, though. What
> version of curl are you using here?

The last one available for MinGW: 7.13.0

> Also, can you try and rebuild libcurl with -g and no optimization?
> Maybe we can get a better stacktrace.

I did a quite different test. I downloaded the pre-compiled libcurl binary for MSVC, which is the last version (7.13.1). Then I simply replaced the libcurl.dll with this new version and it works perfectly!

So, it was a problem of the MinGW build of the dll, maybe because it is an old version.

The gpgkeys_curl.exe so obtained has been compiled with the *.h files of mingw-libcurl 7.13.0 and linked against the .a library of mingw-libcurl 7.13.0, but uses MSVC version 7.13.1 of "libcurl.dll" and works perfectly.

I will update as soon as possible my page about this problem.

Is this of libcurl 7.13.0 a known problem? Or maybe is just a problem of that particular build? If you think it is important, I can try to rebuild with MinGW both libcurl 7.13.0 and libcurl 7.13.1 to debug them...

-- 
| Carlo Luciano Bianco | ICQ UIN: 109517158 |
|______________________| Home page: |
|GPG DSA/ElG 1024/4096:|_________________________________________________|
|KeyID:0x5324A0DA - Fingerprint:8B00C61034120506111B143DEDBF71B45324A0DA |

From vedaal at hush.com Tue Mar 22 19:54:07 2005
From: vedaal at hush.com (vedaal@hush.com)
Date: Tue Mar 22 19:50:17 2005
Subject: gpg-2-go + winpt + usb drive // do-able !
Message-ID: <200503221854.j2MIsAxb060651@mailserver3.hushmail.com>

as winpt does not need any 'path' or registry entries in windows, it can easily be set up on a usb drive to run with gpg-2-go, without any installation into windows, and then run just by double-clicking on the WinPT.exe file

what is necessary is:

[a] gpg-2-go (http://www.torduninja.tk/)

[b] winpt 0.9.90 (http://www.stud.uni-hannover.de/~twoaday/winpt.html)

[c] a windows .dll file (shell32.dll)
(this is in the windows 'system32' folder, on win xp pro, this is an 8 mb file, on win 2k pro, it is 2.3 mb)
it might be a good idea to get one for each windows system, and keep them in a backup folder in the usb drive, (i have not tried using the one from xp on any other windows system)

once these are gotten, then:

[1] unzip winpt into the root usb directory

[2] copy the shell32.dll into the same usb root directory where winpt is

[3] in gpg.conf, change the home directory drive letter from A:\ to the letter of the usb drive (n.b. this will often change from computer to computer, depending on how many cd, dvd, zip, or other drives are already present,)

[4] double-click on the 'go.bat' file in gpg-2-go, and a dos window should open, type gpg -h and confirm that gnupg is running

[5] double-click on the WinPT.exe file

winpt will give several error message alerts as it looks for the keys and other gnupg files, then it will ask for their locations, and a winpt 'gpg preferences' window will open, asking for the locations of the gnupg home directory, gpg.conf, gpg.exe, and locale directory
(again, these may need to be changed when the usb drive letter changes when moving from host to host)

once these are entered, just double-click again on WinPT.exe and the keys will load, and the familiar winpt key icon will be in the right-hand side of the windows tray toolbar

and then, all winpt functions work, including wipe original, wipe files, and wipe free-space
(the one thing that may not work is the keyserver access, if the host system allows only http and no non-browser internet access)

minor interesting tweak:

if the public host computer doesn't allow a usb key attachment, and allows only front-loading usb connectors of different types, then the entire above setup can easily be stored on a 16 meg memory card of a digital camera (with enough room left over for a few pictures ;-) ), and gpg-2go + winpt can be run by connecting the camera usb port, and accessing the drive the same way as any other connected usb drive

using winpt this way, in addition to providing a comfortable gui, also provides an 'eraser'-type wipe function, (DoD or Gutmann settings) that isn't available in the gnupg command-line

vedaal
From dshaw at jabberwocky.com Tue Mar 22 19:59:04 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue Mar 22 19:55:40 2005
Subject: Libcurl (was Re: [Announce] GnuPG 1.4.1 released)
In-Reply-To:
References: <873buw7svj.fsf__45501.6475906179$1110907615$gmane$org@wheatstone.g10code.de> <200503221019.55199.linux__45863.7927113616$1111486979$gmane$org@codehelp.co.uk> <20050322135536.GA23086__46715.5534112409$1111499852$gmane$org@jabberwocky.com>
Message-ID: <20050322185904.GB26177@jabberwocky.com>

On Tue, Mar 22, 2005 at 06:50:20PM +0100, Carlo Luciano Bianco wrote:
> So, it was a problem of the MinGW build of the dll, maybe because it
> is an old version.
>
> The gpgkeys_curl.exe so obtained has been compiled with the *.h files of
> mingw-libcurl 7.13.0 and linked against the .a library of mingw-libcurl
> 7.13.0, but uses MSVC version 7.13.1 of "libcurl.dll" and works perfectly.
>
> I will update as soon as possible my page about this problem.
>
> Is this of libcurl 7.13.0 a known problem? Or maybe is just a
> problem of that particular build? If you think it is important, I
> can try to rebuild with MinGW both libcurl 7.13.0 and libcurl 7.13.1
> to debug them...

I don't know. This isn't a GnuPG issue, but a libcurl one. You might ask the curl folks, as they are naturally much more familiar with libcurl than I am.

I'm very pleased it is working for you!

David

From dshaw at jabberwocky.com Tue Mar 22 22:12:00 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue Mar 22 22:08:48 2005
Subject: 1.4.0a won't retrieve key from keyserver?
In-Reply-To: <42403243.6060105@jason.markley.name>
References: <41E30E4B.5070109@jason.markley.name> <20050111030612.GA28753@jabberwocky.com> <41E3CCB9.2030803@jason.markley.name> <20050111160757.GC6496@jabberwocky.com> <423851A3.5030604@jason.markley.name> <20050321195149.GB22697@jabberwocky.com> <42401B85.5040903@jason.markley.name> <20050322140857.GA26177@jabberwocky.com> <42403243.6060105@jason.markley.name>
Message-ID: <20050322211200.GD26177@jabberwocky.com>

On Tue, Mar 22, 2005 at 09:57:07AM -0500, Jason Markley wrote:
> Taking out the --openpgp in the gpg.conf file seems to have worked for
> the hkp keyserver type. What am I losing by taking that option out of
> the gpgconf file? I don't want to break something else while 'fixing'
> this. Attached are the temp files from this last successful search/import.

Despite the name, you usually don't want to run with --openpgp set. --openpgp uses a fairly strict interpretation of RFC-2440, the OpenPGP standard, and the real world is a little more loose than that. The default setting is --gnupg, and that is the recommended way to run.

That said, keyserver imports on W32 should work with --openpgp set as well. I will fix that.

David

From gpg at jason.markley.name Tue Mar 22 22:22:03 2005
From: gpg at jason.markley.name (Jason Markley)
Date: Tue Mar 22 22:18:38 2005
Subject: 1.4.0a won't retrieve key from keyserver?
In-Reply-To: <20050322211200.GD26177@jabberwocky.com>
References: <41E30E4B.5070109@jason.markley.name> <20050111030612.GA28753@jabberwocky.com> <41E3CCB9.2030803@jason.markley.name> <20050111160757.GC6496@jabberwocky.com> <423851A3.5030604@jason.markley.name> <20050321195149.GB22697@jabberwocky.com> <42401B85.5040903@jason.markley.name> <20050322140857.GA26177@jabberwocky.com> <42403243.6060105@jason.markley.name> <20050322211200.GD26177@jabberwocky.com>
Message-ID: <42408C7B.5060806@jason.markley.name>

David Shaw wrote:
> That said, keyserver imports on W32 should work with --openpgp set as
> well. I will fix that.

Thanks!

-Jason

> David

From clbianco at tiscalinet.it Tue Mar 22 23:38:47 2005
From: clbianco at tiscalinet.it (Carlo Luciano Bianco)
Date: Tue Mar 22 23:35:28 2005
Subject: Libcurl (was Re: [Announce] GnuPG 1.4.1 released)
References: <873buw7svj.fsf__45501.6475906179$1110907615$gmane$org@wheatstone.g10code.de> <200503221019.55199.linux__45863.7927113616$1111486979$gmane$org@codehelp.co.uk> <20050322135536.GA23086__46715.5534112409$1111499852$gmane$org@jabberwocky.com> <20050322185904.GB26177__44366.2190846682$1111518152$gmane$org@jabberwocky.com>
Message-ID:

On /22 Mar 2005/, *David Shaw* wrote:

> On Tue, Mar 22, 2005 at 06:50:20PM +0100, Carlo Luciano Bianco wrote:
[...]
>> Is this of libcurl 7.13.0 a known problem? Or maybe is just a
[...]
> I don't know. This isn't a GnuPG issue, but a libcurl one. You might
> ask the curl folks, as they are naturally much more familiar with
> libcurl than I am.
>
> I'm very pleased it is working for you!

Well, I am very pleased too! ;-)

So, my report about the new libcurl code is very positive, at the end... ;-)

Thank you very much, David, for your help. And thanks also to Neil (this time without typos...).

I have already updated my page to deal with this libcurl issue.

By the way, what do you think about the path problem? I tried to add "exec-path "%PATH%"" in gpg.conf, but it does not work. It needs to be used from the command line. I will make some other tests and I will let you know...

Thanks again!

Carlo Luciano

-- 
| Carlo Luciano Bianco | ICQ UIN: 109517158 |
|______________________| Home page: |
|GPG DSA/ElG 1024/4096:|_________________________________________________|
|KeyID:0x5324A0DA - Fingerprint:8B00C61034120506111B143DEDBF71B45324A0DA |

From dshaw at jabberwocky.com Tue Mar 22 23:57:02 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue Mar 22 23:53:36 2005
Subject: Libcurl (was Re: [Announce] GnuPG 1.4.1 released)
In-Reply-To:
References: <873buw7svj.fsf__45501.6475906179$1110907615$gmane$org@wheatstone.g10code.de> <200503221019.55199.linux__45863.7927113616$1111486979$gmane$org@codehelp.co.uk> <20050322135536.GA23086__46715.5534112409$1111499852$gmane$org@jabberwocky.com> <20050322185904.GB26177__44366.2190846682$1111518152$gmane$org@jabberwocky.com>
Message-ID: <20050322225702.GE26177@jabberwocky.com>

On Tue, Mar 22, 2005 at 11:38:47PM +0100, Carlo Luciano Bianco wrote:
> By the way, what do you think about the path problem? I tried to add
> "exec-path "%PATH%"" in gpg.conf, but it does not work. It needs to
> be used from the command line. I will make some other tests and I
> will let you know...

Yes, that makes sense as it is the shell that expands %PATH% for you, so it would only work on the command line.

Can you try running with '--debug 1024' ? Do two runs, one with, and one without --exec-path (on the command line).

David

From torduninja at mail.pf Tue Mar 22 23:51:09 2005
From: torduninja at mail.pf (Maxine Brandt)
Date: Wed Mar 23 00:07:05 2005
Subject: gpg-2-go + winpt + usb drive // do-able !
In-Reply-To: <200503221854.j2MIsAxb060651@mailserver3.hushmail.com>
References: <200503221854.j2MIsAxb060651@mailserver3.hushmail.com>
Message-ID: <200503221251.24560.torduninja@mail.pf>

On Tuesday 22 March 2005 08:54, vedaal@hush.com wrote:
> as winpt does not need any 'path' or registry entries in windows,
> it can easily be set up on a usb drive to run with gpg-2-go,
> without any installation into windows, and then run just by
>

This seems incorrect, Vedaal.

I installed WinPT on my USB drive with gpg2go, on w2k, and it seems to work OK from the limited trial I gave it. But I ran a registry search and I found a whole heap of entries for WinPT, and some of them in areas of the registry where non-admin users have no rights.

So I deleted all the registry entries to see what would happen, and the only thing WinPT did was stop my computer from closing down.

Salut
Maxine

From iam-est-hora-surgere at despammed.com Wed Mar 23 00:14:25 2005
From: iam-est-hora-surgere at despammed.com (Marcus Frings)
Date: Wed Mar 23 00:10:41 2005
Subject: signature level
References: <20050321215206.GC6404@syjon.fantastyka.net> <20050322001659.91645.qmail__9970.6958084882$1111450769$gmane$org@smasher.org>
Message-ID:

* Atom Smasher wrote:
> On Mon, 21 Mar 2005, Janusz A. Urbanowicz wrote:
>> How is signature level specification done in 1.4+?
> ================
> --ask-cert-level
> previously this was on by default. apparently it caused too much
> confusion, so now you have to specify it if you want it.

I wish the old behaviour would still be the default.

Regards,
Marcus
-- 
"If the time coordinate is just long enough, the survival rate drops to zero."

From dshaw at jabberwocky.com Wed Mar 23 00:21:14 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed Mar 23 00:17:45 2005
Subject: signature level
In-Reply-To:
References: <20050321215206.GC6404@syjon.fantastyka.net> <20050322001659.91645.qmail__9970.6958084882$1111450769$gmane$org@smasher.org>
Message-ID: <20050322232114.GF26177@jabberwocky.com>

On Wed, Mar 23, 2005 at 12:14:25AM +0100, Marcus Frings wrote:
> * Atom Smasher wrote:
> > On Mon, 21 Mar 2005, Janusz A. Urbanowicz wrote:
>
> >> How is signature level specification done in 1.4+?
> > ================
>
> > --ask-cert-level
>
> > previously this was on by default. apparently it caused too much
> > confusion, so now you have to specify it if you want it.
>
> I wish the old behaviour would still be the default.

Stick 'ask-cert-level' in your gpg.conf file, and it will be your default again.

David

From sk at intertivity.com Wed Mar 23 01:37:54 2005
From: sk at intertivity.com (Kiefer, Sascha)
Date: Wed Mar 23 01:33:42 2005
Subject: Bug or Feature in rndw32.c ?
Message-ID: <002601c52f40$8f08d3e0$f500a8c0@HOME>

I just had a look at the source to get an idea of gathering entropy. I noticed the following:

Line 660-664:

  (*add) ( &minimumWorkingSetSize,
           sizeof (&minimumWorkingSetSize), requester );
  (*add) ( &maximumWorkingSetSize,
           sizeof (&maximumWorkingSetSize), requester );

Of course, on a 32-bit machine, the size of a ptr is 4 which is the same as the size of a DWORD but I think you meant

  (*add) ( &minimumWorkingSetSize,
           sizeof (minimumWorkingSetSize), requester );
  (*add) ( &maximumWorkingSetSize,
           sizeof (maximumWorkingSetSize), requester );

here.

Line 691:

  (*add) (&performanceCount, sizeof (&performanceCount), requester);

Here you just add LowPart of the LARGE_INTEGER (which makes sense since it changes the most) but then I would prefer

  (*add) (&performanceCount.LowPart, sizeof (performanceCount.LowPart), requester);

HTH
esskar

From jharris at widomaker.com Wed Mar 23 02:11:48 2005
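To make the two length mistakes in the report above concrete (and Werner's later confirmation that both are bugs), here is an added C model that is not GnuPG code: it assumes stand-in DWORD and LARGE_INTEGER types and a toy pool with the same (*add)(buf, len, requester) shape as the rndw32.c callback, computes how far the buggy sizeof(&x) lengths diverge from the real object sizes on the current word size, and runs the corrected calls.

```c
/* Added example, not GnuPG code: models the sizeof(&x) length bugs
   reported for rndw32.c using stand-in Win32 types and a toy pool. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the Win32 types rndw32.c feeds into the pool (assumed). */
typedef uint32_t DWORD;
typedef union {
    struct { DWORD LowPart; int32_t HighPart; } u;
    int64_t QuadPart;
} LARGE_INTEGER;

/* Toy pool with the same "(*add)(buf, len, requester)" shape as the
   callback in rndw32.c; it only records the bytes it was handed. */
typedef struct {
    unsigned char buf[256];
    size_t len;
} pool_t;

static pool_t g_pool;

static void pool_add(const void *src, size_t n, int requester)
{
    (void)requester;
    if (g_pool.len + n > sizeof g_pool.buf)
        n = sizeof g_pool.buf - g_pool.len;   /* never overrun the pool */
    memcpy(g_pool.buf + g_pool.len, src, n);
    g_pool.len += n;
}

void pool_reset(void) { memset(&g_pool, 0, sizeof g_pool); }
size_t pool_len(void) { return g_pool.len; }

/* Lines 660-664 as written pass sizeof(&dword), i.e. the size of a
   pointer.  On a 32-bit build that equals sizeof(DWORD), which is why it
   went unnoticed; on a 64-bit build the pool would read 4 bytes past the
   variable.  Only the mismatch is computed here; nothing is over-read. */
long working_set_overread_bytes(DWORD minimumWorkingSetSize)
{
    return (long)sizeof (&minimumWorkingSetSize)
         - (long)sizeof (minimumWorkingSetSize);
}

/* Line 691: sizeof(&performanceCount) is 4 on 32-bit (only LowPart is
   mixed in, by accident) and 8 on 64-bit (the whole counter), so the
   amount collected silently depends on the build.  Returns how many of
   the counter's 8 bytes the buggy call drops. */
long perf_counter_bytes_dropped(LARGE_INTEGER performanceCount)
{
    long claimed = (long)sizeof (&performanceCount);
    long actual  = (long)sizeof (performanceCount);
    return claimed < actual ? actual - claimed : 0;
}

/* The corrected calls: the length is the size of the object (or member)
   whose address is passed, so it is right on every word size. */
size_t add_working_set_fixed(DWORD minimumWorkingSetSize,
                             DWORD maximumWorkingSetSize)
{
    size_t before = g_pool.len;
    pool_add(&minimumWorkingSetSize, sizeof (minimumWorkingSetSize), 0);
    pool_add(&maximumWorkingSetSize, sizeof (maximumWorkingSetSize), 0);
    return g_pool.len - before;
}

size_t add_perf_counter_lowpart_fixed(LARGE_INTEGER performanceCount)
{
    size_t before = g_pool.len;
    pool_add(&performanceCount.u.LowPart,
             sizeof (performanceCount.u.LowPart), 0);
    return g_pool.len - before;
}

/* Runs the fixed sequence on a fresh pool and checks that exactly the
   LowPart bytes were mixed in last.  Returns the pool length (12) on
   success, 0 if the pool contents do not match. */
size_t run_fixed_sequence(void)
{
    LARGE_INTEGER pc;
    pool_reset();
    pc.QuadPart = 0x0000000100000042LL;   /* constructed sample counter */
    add_working_set_fixed(4096, 1048576);  /* constructed sample sizes */
    add_perf_counter_lowpart_fixed(pc);
    if (g_pool.len < sizeof pc.u.LowPart
        || memcmp(g_pool.buf + g_pool.len - sizeof pc.u.LowPart,
                  &pc.u.LowPart, sizeof pc.u.LowPart) != 0)
        return 0;
    return g_pool.len;
}

int main(void)
{
    LARGE_INTEGER pc = { { 0, 0 } };
    printf("pointer size %zu: buggy working-set call over-reads %ld bytes, "
           "buggy counter call drops %ld bytes\n",
           sizeof (void *), working_set_overread_bytes(0),
           perf_counter_bytes_dropped(pc));
    printf("fixed sequence mixed in %zu bytes\n", run_fixed_sequence());
    return 0;
}
```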
From: jharris at widomaker.com (Jason Harris)
Date: Wed Mar 23 02:07:57 2005
Subject: Retaining expired sigs
In-Reply-To: <20050321190306.GA22598@jabberwocky.com>
References: <20050319202532.GN9105@wilma.widomaker.com> <20050320033547.GG7109@jabberwocky.com> <20050320171841.GO9105@wilma.widomaker.com> <20050320183704.GA4697@jabberwocky.com> <20050320223206.GA92954@pc5.i.0x5.de> <20050321013609.GA5338@jabberwocky.com> <20050321040750.GA62772@wilma.widomaker.com> <20050321043642.GD5338@jabberwocky.com> <20050321184146.GR9105@wilma.widomaker.com> <20050321190306.GA22598@jabberwocky.com>
Message-ID: <20050323011147.GA69628@wilma.widomaker.com>

On Mon, Mar 21, 2005 at 02:03:06PM -0500, David Shaw wrote:
> On Mon, Mar 21, 2005 at 01:41:46PM -0500, Jason Harris wrote:

> > As you seem to have concluded, that fact takes precedence in my
> > logic, and as I have concluded, it seems to take no precedence in
> > yours.
>
> I can only conclude that we are talking completely past one another.

Then that only started with your last message, AFAICT. Prior to that, you seemed quite clear that the subject was about superseded non-revocable sigs. You even provided examples which, although they failed to prove your assertions, were about superseded non-revocable sigs.

> You do seem to be very upset about all this, but I'm not detecting any

Not at all. All my past statements still stand - the underlining and change in tone were for emphasis only.

> more signal amidst the noise. I'm afraid I need to drop out of this
> thread as I'm not really sure what you are advocating, or why, or if

OK.

> you're just arguing to argue. I'm genuinely sorry you don't seem to
> be parsing what I'm saying, but there is nowhere else to go at this
> point.

I understand your statements quite well, as I had hoped would be clear each time I summarized them, found them to be bad examples, etc.

> If you have an actual change suggestion, I'd love to hear it. But I
> really do need:
>
> 1) What you think the current behavior is
> 2) What you want it to be
> 3) Why you feel this is better

AFAICT, each and every one of my messages on the subject of superseded non-revocable signatures has carried the same message: they should be allowed.

Last time I mentioned this, it seemed to help, so I'll say it again: We have a difference of opinion (over superseded non-revocable signatures). AFAICT, I understand your opinions just fine, and I thought we were communicating just fine. But, I do not wish to continue this thread either. My past posts still stand, of course, as I presume yours do, and I'll leave it at that.

-- 
Jason Harris           |  NIC:  JH329, PGP:  This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web:  http://keyserver.kjsl.com/~jharris/
          Got photons?   (TM), (C) 2004

From atom at smasher.org Wed Mar 23 02:29:44 2005
From: atom at smasher.org (Atom Smasher)
Date: Wed Mar 23 02:22:22 2005
Subject: signature level
In-Reply-To:
References: <20050321215206.GC6404@syjon.fantastyka.net> <20050322001659.91645.qmail__9970.6958084882$1111450769$gmane$org@smasher.org>
Message-ID: <20050323012622.44890.qmail@smasher.org>

On Wed, 23 Mar 2005, Marcus Frings wrote:
>> --ask-cert-level
>
>> previously this was on by default. apparently it caused too much
>> confusion, so now you have to specify it if you want it.
>
> I wish the old behaviour would still be the default.
================

me too... but you can add "ask-cert-level" to the config file and it'll work that way.

you can also add a "default-cert-level" line to specify what the default should be, if you find yourself issuing a certain level most often.

-- 
        ...atom

 _________________________________________
 PGP key - http://atom.smasher.org/pgp.txt
 762A 3B98 A3C3 96C9 C6B7  582A B88D 52E4 D9F5 7808
 -------------------------------------------------

From wk at gnupg.org Wed Mar 23 09:44:44 2005
From: wk at gnupg.org (Werner Koch)
Date: Wed Mar 23 09:41:24 2005
Subject: Bug or Feature in rndw32.c ?
In-Reply-To: <002601c52f40$8f08d3e0$f500a8c0@HOME> (Sascha Kiefer's message of "Wed, 23 Mar 2005 01:37:54 +0100")
References: <002601c52f40$8f08d3e0$f500a8c0@HOME>
Message-ID: <87d5tqoio3.fsf@wheatstone.g10code.de>

On Wed, 23 Mar 2005 01:37:54 +0100, Kiefer, Sascha said:

> (*add) ( &minimumWorkingSetSize,
> sizeof (&minimumWorkingSetSize), requester );

Right. This is a bug.

> (*add) (&performanceCount, sizeof (&performanceCount), requester);

As well as this one.

Fixed in CVS of gnupg and libgcrypt.

Thanks,

Werner

From wk at gnupg.org Wed Mar 23 09:46:44 2005
From: wk at gnupg.org (Werner Koch)
Date: Wed Mar 23 09:46:21 2005
Subject: Renaming error
In-Reply-To: <5967AD625B62D5118D180002A50926AB03A9588F@AGNI> (Srinivas Thutika's message of "Tue, 22 Mar 2005 20:32:39 +0530")
References: <5967AD625B62D5118D180002A50926AB03A9588F@AGNI>
Message-ID: <878y4eoikr.fsf@wheatstone.g10code.de>

On Tue, 22 Mar 2005 20:32:39 +0530, "Thutika, Srinivas (ODC said:

> I am facing the following renaming problem..

Are you using 1.4.1?

Shalom-Salam,

Werner

From clbianco at tiscalinet.it Wed Mar 23 10:06:03 2005
From: clbianco at tiscalinet.it (Carlo Luciano Bianco)
Date: Wed Mar 23 10:02:23 2005
Subject: Libcurl (was Re: [Announce] GnuPG 1.4.1 released)
References: <873buw7svj.fsf__45501.6475906179$1110907615$gmane$org@wheatstone.g10code.de> <200503221019.55199.linux__45863.7927113616$1111486979$gmane$org@codehelp.co.uk> <20050322135536.GA23086__46715.5534112409$1111499852$gmane$org@jabberwocky.com> <20050322185904.GB26177__44366.2190846682$1111518152$gmane$org@jabberwocky.com> <20050322225702.GE26177@jabberwocky.com>
Message-ID:

On /22 Mar 2005/, *David Shaw* wrote:

> On Tue, Mar 22, 2005 at 11:38:47PM +0100, Carlo Luciano Bianco wrote:
>
>> By the way, what do you think about the path problem? I tried to add
[...]
> Can you try running with '--debug 1024' ? Do two runs, one with, and
> one without --exec-path (on the command line).

Sure. Without exec-path:

--------------------------------------------------------------------------
c:\>gpg --keyserver http://whatever --debug 1024 --recv-keys 99999999
gpg: lettura delle opzioni da `H:/GnuPG\gpg.conf'
gpg: DBG: set_exec_path method 0: PATH=c:\programmi\gnupg
gpg: DBG: expanding string "gpgkeys_curl -o "%o" "%i""
gpg: DBG: args expanded to "gpgkeys_curl -o "[]tempout.txt" "[]tempin.txt"", use 1, keep 0
gpg: DBG: using temp file `[]tempin.txt'
gpg: requesting key 99999999 from http server whatever
gpg: DBG: system() command is gpgkeys_curl -o "[]tempout.txt" "[]tempin.txt"
[...]
secmem usage: 1408/1408 bytes in 2/2 blocks of pool 1408/32768
--------------------------------------------------------------------------

and with exec-path:

--------------------------------------------------------------------------
c:\>gpg --keyserver http://whatever --debug 1024 --exec-path "%PATH%" --recv-keys 99999999
gpg: lettura delle opzioni da `H:/GnuPG\gpg.conf'
gpg: DBG: set_exec_path method 0: PATH=Whole_PATH
gpg: DBG: set_exec_path method 1: PATH=Whole_PATH
gpg: DBG: expanding string "gpgkeys_curl -o "%o" "%i""
gpg: DBG: args expanded to "gpgkeys_curl -o "[]tempout.txt" "[]tempin.txt"", use 1, keep 0
gpg: DBG: using temp file `[]tempin.txt'
gpg: requesting key 99999999 from http server whatever
gpg: DBG: system() command is gpgkeys_curl -o "[]tempout.txt" "[]tempin.txt"
[...]
secmem usage: 1408/1408 bytes in 2/2 blocks of pool 1408/32768
--------------------------------------------------------------------------

I have summarized a bit the reports, to make them easier to read. When I wrote "[]" I mean the real full path of the files tempin and tempout in the temporary folder, and with "Whole_PATH" I mean the real value of my system %PATH% (which is more than 10 lines long, that's why I removed it).

By the way, I have inspected, while running, gpg.exe with SysInternals' Process Explorer. It seems that gpg.exe itself does not see the real %PATH%. The environment associated with the running image of gpg.exe has a PATH limited to c:\programmi\gnupg.

Can the extra length of my %PATH% be a problem? It is 701 characters.

-- 
| Carlo Luciano Bianco | ICQ UIN: 109517158 |
|______________________| Home page: |
|GPG DSA/ElG 1024/4096:|_________________________________________________|
|KeyID:0x5324A0DA - Fingerprint:8B00C61034120506111B143DEDBF71B45324A0DA |

From dshaw at jabberwocky.com Wed Mar 23 15:11:18 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed Mar 23 15:07:55 2005
Subject: Libcurl (was Re: [Announce] GnuPG 1.4.1 released)
In-Reply-To:
References: <200503221019.55199.linux__45863.7927113616$1111486979$gmane$org@codehelp.co.uk> <20050322135536.GA23086__46715.5534112409$1111499852$gmane$org@jabberwocky.com> <20050322185904.GB26177__44366.2190846682$1111518152$gmane$org@jabberwocky.com> <20050322225702.GE26177@jabberwocky.com>
Message-ID: <20050323141118.GG26177@jabberwocky.com>

On Wed, Mar 23, 2005 at 10:06:03AM +0100, Carlo Luciano Bianco wrote:
> On /22 Mar 2005/, *David Shaw* wrote:
>
> > On Tue, Mar 22, 2005 at 11:38:47PM +0100, Carlo Luciano Bianco wrote:
> >
> >> By the way, what do you think about the path problem? I tried to add
> [...]
> > Can you try running with '--debug 1024' ? Do two runs, one with, and
> > one without --exec-path (on the command line).
>
> Sure. Without exec-path:
>
> --------------------------------------------------------------------------
> c:\>gpg --keyserver http://whatever --debug 1024 --recv-keys 99999999
> gpg: lettura delle opzioni da `H:/GnuPG\gpg.conf'
> gpg: DBG: set_exec_path method 0: PATH=c:\programmi\gnupg
> gpg: DBG: expanding string "gpgkeys_curl -o "%o" "%i""
> gpg: DBG: args expanded to "gpgkeys_curl -o "[]tempout.txt" "[]tempin.txt"",
> use 1, keep 0
> gpg: DBG: using temp file `[]tempin.txt'
> gpg: requesting key 99999999 from http server whatever
> gpg: DBG: system() command is gpgkeys_curl -o "[]tempout.txt" "[]tempin.txt"
> [...]
> secmem usage: 1408/1408 bytes in 2/2 blocks of pool 1408/32768
> --------------------------------------------------------------------------
>
> and with exec-path:
>
> --------------------------------------------------------------------------
> c:\>gpg --keyserver http://whatever --debug 1024 --exec-path "%PATH%"
> --recv-keys 99999999
> gpg: lettura delle opzioni da `H:/GnuPG\gpg.conf'
> gpg: DBG: set_exec_path method 0: PATH=Whole_PATH
> gpg: DBG: set_exec_path method 1: PATH=Whole_PATH
> gpg: DBG: expanding string "gpgkeys_curl -o "%o" "%i""
> gpg: DBG: args expanded to "gpgkeys_curl -o "[]tempout.txt" "[]tempin.txt"",
> use 1, keep 0
> gpg: DBG: using temp file `[]tempin.txt'
> gpg: requesting key 99999999 from http server whatever
> gpg: DBG: system() command is gpgkeys_curl -o "[]tempout.txt" "[]tempin.txt"
> [...]
> secmem usage: 1408/1408 bytes in 2/2 blocks of pool 1408/32768
> --------------------------------------------------------------------------
>
> I have summarized a bit the reports, to make them easier to read. When I
> wrote "[]" I mean the real full path of the files tempin and tempout in the
> temporary folder, and with "Whole_PATH" I mean the real value of my system
> %PATH% (which is more than 10 lines long, that's why I removed it).
>
> By the way, I have inspected, while running, gpg.exe with SysInternals'
> Process Explorer. It seems that gpg.exe itself does not see the real %PATH%.
> The environment associated with the running image of gpg.exe has a PATH
> limited to c:\programmi\gnupg.

Thanks for running that test. I can see what happened now. It's amusing that this comes up so many years later, and it seems nobody noticed.

When starting a keyserver subprocess, GPG sets the path to where the subprocess binary exists (in your case c:\programmi\gnupg). In doing so, it removes the earlier %PATH%. This is intentional, as I did not want to search the whole PATH for a program named 'gpgkeys_xxx', and run the risk of running the wrong one.

However, removing the whole PATH removes your DLL directory as well. I did not account for someone putting the DLLs in a special directory, separate from the system and the programs.

This is easy to fix, but I need to think for a moment on which fix is best and keeps the current semantics of exec-path.

David

From iam-est-hora-surgere at despammed.com Wed Mar 23 15:10:09 2005
From: iam-est-hora-surgere at despammed.com (Marcus Frings)
Date: Wed Mar 23 15:23:16 2005
Subject: signature level
References: <20050321215206.GC6404@syjon.fantastyka.net> <20050322001659.91645.qmail__9970.6958084882$1111450769$gmane$org@smasher.org> <20050322232114.GF26177__7678.84459714896$1111533711$gmane$org@jabberwocky.com>
Message-ID:

* David Shaw wrote:
> On Wed, Mar 23, 2005 at 12:14:25AM +0100, Marcus Frings wrote:

>> I wish the old behaviour would still be the default.

> Stick 'ask-cert-level' in your gpg.conf file, and it will be your
> default again.

That's what I did. :-)

Regards,
Marcus
-- 
Poison Ivy: "I'll leave you alone now. So many people are waiting to die. I don't want to waste any time!"

From iam-est-hora-surgere at despammed.com Wed Mar 23 15:56:08 2005
From: iam-est-hora-surgere at despammed.com (Marcus Frings)
Date: Wed Mar 23 16:15:14 2005
Subject: signature level
References: <20050321215206.GC6404@syjon.fantastyka.net> <20050322001659.91645.qmail__9970.6958084882$1111450769$gmane$org@smasher.org> <20050323012622.44890.qmail__44857.5287628502$1111541244$gmane$org@smasher.org>
Message-ID:

* Atom Smasher wrote:
> you can also add a "default-cert-level" line to specify what the default
> should be, if you find yourself issuing a certain level most often.

Not really; according to my signing policy I have to use level "2" or "3" quite often, thus a fixed setting doesn't really make sense (for me).

Regards,
Marcus
-- 
Rafael: "How many more worlds have to burn before you've had enough, Gabriel?" Gabriel: "Just one more. This one. I'm not greedy."

From vedaal at hush.com Wed Mar 23 16:38:26 2005
From: vedaal at hush.com (vedaal@hush.com)
Date: Wed Mar 23 16:34:30 2005
Subject: gpg-2-go + winpt + usb drive // do-able
Message-ID: <20050323153826.EEE9E33C92@mailserver5.hushmail.com>

>Message: 3
>Date: Tue, 22 Mar 2005 12:51:09 -1000
>From: Maxine Brandt
>Subject: Re: gpg-2-go + winpt + usb drive // do-able !
>On Tuesday 22 March 2005 08:54, vedaal@hush.com wrote:
>> as winpt does not need any 'path' or registry entries in windows,
>> it can easily be set up on a usb drive to run with gpg-2-go,
>> without any installation into windows, and then run just by
>
>This seems incorrect, Vedaal.
>
>I installed WinPT on my USB drive with gpg2go, on w2k, and it seems
>to work OK from the limited trial I gave it. But I ran a registry search
>and I found a whole heap of entries for WinPT, and some of them
>in areas of the registry where non-admin users have no rights.
>
>So I deleted all the registry entries to see what would happen, and
>the only thing WinPT did was stop my computer from closing down.

you are probably right ;-(

i tested it on a neutral public system [win2k pro], that (afaik) has never had gnupg or winpt before.

(not especially a 'spying' system, but also one with no rights for me to install anything)

gpg-2-go + winpt worked fine from the usb port, as described in the original post.

i had no rights to edit the registry, so i couldn't see what things winpt added just by double-clicking WinPT.exe

when you re-booted on your test system after you removed the registry winpt additions, did winpt just 're-add' them and work again?

i guess it should *not* be used for the 'without-a-trace' needs that gpg-2-go can be used for, but it does allow for a portable gnupg with front-end for those who want it for a public cafe setting, and are not concerned with winpt registry traces on the host system

(n.b. key-logger / screen capture issues still apply)

vedaal
From samphan at actiwhiz.com Wed Mar 23 15:22:07 2005
From: samphan at actiwhiz.com (Samphan Raruenrom)
Date: Wed Mar 23 17:01:33 2005
Subject: Win32 gpg --gen-key never finish
Message-ID: <42417B8F.8090705@actiwhiz.com>

I tried using Win32 Gnu GPG 1.4.0 and 1.4.1 to do 'gpg --gen-key' using the default settings. The generation process rarely ever finishes. Most of the time the generation process runs and never finishes.

8<------------------------------------------------------------------------->8
gpg (GnuPG) 1.4.1; Copyright (C) 2005 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection?
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
           = key expires in n days
          w = key expires in n weeks
          m = key expires in n months
          y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) "

Real name: Samphan Raruenrom
Email address: samphan@access.inet.co.th
Comment:
You selected this USER-ID:
    "Samphan Raruenrom "

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++.+++++.+++++.++++++++++.+++++++++++++++++++++++++
....+++++.++++++++++..+++++.....................>+++++...................................+++++
8<-------------------------------------------------------------->8

The output stops here and never continues. I tried using the disk, keyboard, mouse. I can't make gpg finish generating keys.

I happen to have cygwin, and the cygwin version of gpg works. Is there anything wrong with the Win32 version of GPG? Or with my settings?

-- 
_/|\_ Samphan Raruenrom.

From clbianco at tiscalinet.it Wed Mar 23 18:24:57 2005
From: clbianco at tiscalinet.it (Carlo Luciano Bianco)
Date: Wed Mar 23 18:44:54 2005
Subject: Libcurl (was Re: [Announce] GnuPG 1.4.1 released)
References: <200503221019.55199.linux__45863.7927113616$1111486979$gmane$org@codehelp.co.uk> <20050322135536.GA23086__46715.5534112409$1111499852$gmane$org@jabberwocky.com> <20050322185904.GB26177__44366.2190846682$1111518152$gmane$org@jabberwocky.com> <20050322225702.GE26177@jabberwocky.com> <20050323141118.GG26177@jabberwocky.com>
Message-ID:

On 23 Mar 2005, David Shaw wrote:

> Thanks for running that test. I can see what happened now. It's
> amusing that this comes up so many years later, and it seems nobody
> noticed.

Well... Consider that 99% of Win32 GnuPG users have a statically linked executable and that, moreover, 99% of the remaining ones keep the dlls in the GnuPG folder. So I was the only one who could have this problem... ;-)

> When starting a keyserver subprocess, GPG sets the path to where the
> subprocess binary exists (in your case c:\programmi\gnupg). In doing
> so, it removes the earlier %PATH%. This is intentional, as I did not
> want to search the whole PATH for a program named 'gpgkeys_xxx', and
> run the risk of running the wrong one.

OK, I agree with you on this. Just looking through the entire PATH for a keyserver helper is far too risky...

> This is easy to fix, but I need to think for a moment on which fix is
> best and keeps the current semantics of exec-path.

Maybe it is possible to run the keyserver helpers not just by their name, but by their *entire* name: instead of running "gpgkeys_xxx.exe", gpg.exe should run "c:\programmi\gnupg\gpgkeys_xxx.exe". In other words, instead of putting its own folder in the PATH, gpg.exe should put its own folder in front of the name of the keyserver helper to be executed. In this way you should be pretty sure that you execute the right file, and you can keep the system PATH as it is. But maybe it is not so simple...
In any case, thank you again for all your help!

Carlo Luciano
-- 
| Carlo Luciano Bianco | ICQ UIN: 109517158 |
|______________________| Home page: |
|GPG DSA/ElG 1024/4096:|_________________________________________________|
|KeyID:0x5324A0DA - Fingerprint:8B00C61034120506111B143DEDBF71B45324A0DA |

From henkdebruijn at wanadoo.nl Wed Mar 23 19:29:21 2005
From: henkdebruijn at wanadoo.nl (Henk de Bruijn)
Date: Wed Mar 23 19:25:18 2005
Subject: could not check signature
Message-ID: <1508113249.20050323192921@wanadoo.nl>

Hi,

When I verified one of my own messages which had been signed PGP/MIME I got this error message:

gpg: Signature made 03/23/05 12:16:08 using DSA key ID DBE6E678
gpg: WARNING: signature digest conflict in message
gpg: Can't check signature: general error

I checked my messages of the last couple of days and this has happened several times. Before this happened I had never seen this message???

Till now 1.4.1 worked like a charm.

The only thing I changed was from SHA1 to RIPEMD160. Does this mean that I can not use PGP/MIME with RIPEMD160? PGP 9.0.0 verified ok though..

-- 
Henk
______________________________________________________________________
The Bat! Natural Email System v3.0.9.9 Professional on Windows XP SP2
PGPkey available at http://www.biglumber.com/x/web?qs=0x12069B93DBE6E678
Gossamer Spider Web of Trust GSWoT http://www.gswot.org/
A Progressive and Innovative Web of Trust

From dshaw at jabberwocky.com Wed Mar 23 20:51:59 2005
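The exec-path thread above (David Shaw's explanation of why GnuPG 1.4 replaces PATH before spawning a gpgkeys_* helper, and Carlo Luciano Bianco's suggestion to run the helper by its full path instead) boils down to one design rule: pin the helper to an absolute path under a trusted directory so that no PATH search can pick up a look-alike binary, and then leave the caller's environment alone so the helper's own DLLs (or anything else it loads) can still be found. The following is an added example of that rule, written for this archive and not GnuPG's code; the helper directory, the 'gpgkeys_' prefix and the throwaway shell-script helper are illustrative assumptions, and it runs on any POSIX system.

```python
"""Resolve and launch a keyserver-style helper from a fixed directory
without replacing the caller's PATH.

Added example for the exec-path thread above (David Shaw's explanation,
Carlo Luciano Bianco's suggestion); it is not GnuPG code. The helper
directory, the 'gpgkeys_' naming and the throwaway helper script are
illustrative assumptions.
"""
import os
import stat
import subprocess
import tempfile

HELPER_PREFIX = "gpgkeys_"


def resolve_helper(exec_dir: str, scheme: str) -> str:
    """Absolute path of the helper for `scheme`, built under exec_dir.

    No PATH search is involved, so a same-named binary elsewhere on PATH
    can never be picked up. The scheme is limited to [A-Za-z0-9_-] so it
    cannot carry path separators or '..' components into the join.
    """
    if not scheme or not all(c.isalnum() or c in "-_" for c in scheme):
        raise ValueError(f"unsafe helper scheme: {scheme!r}")
    path = os.path.join(os.path.abspath(exec_dir), HELPER_PREFIX + scheme)
    if not os.path.isfile(path) or not os.access(path, os.X_OK):
        raise FileNotFoundError(path)
    return path


def run_helper(exec_dir: str, scheme: str, args: list) -> str:
    """Run the helper by absolute path with the parent's environment intact.

    The executable is pinned by its full path, so PATH is not needed to
    find it and is left alone for whatever the helper itself (or the
    loader resolving its DLLs) needs from it.
    """
    helper = resolve_helper(exec_dir, scheme)
    result = subprocess.run([helper, *args], env=dict(os.environ),
                            capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n")


def demo() -> dict:
    """Create a throwaway helper that echoes PATH and its arguments, then
    exercise the pinned launch and the rejection of a traversal attempt."""
    with tempfile.TemporaryDirectory() as exec_dir:
        helper = os.path.join(exec_dir, HELPER_PREFIX + "curl")
        with open(helper, "w") as f:
            # Constructed stand-in for gpgkeys_curl (POSIX sh).
            f.write('#!/bin/sh\necho "$PATH"\necho "$@"\n')
        os.chmod(helper, os.stat(helper).st_mode | stat.S_IXUSR)

        out = run_helper(exec_dir, "curl", ["-o", "out.txt", "in.txt"])
        child_path, child_args = out.split("\n", 1)
        try:
            resolve_helper(exec_dir, "../../bin/sh")
            traversal_rejected = False
        except ValueError:
            traversal_rejected = True
        return {
            "path_preserved": child_path == os.environ.get("PATH", ""),
            "args": child_args,
            "traversal_rejected": traversal_rejected,
        }


if __name__ == "__main__":
    print(demo())
```

Running the file prints a dict showing that the child saw the parent's full PATH, received its arguments unchanged, and that a scheme containing path components was refused before any exec happened. The second check matters because the scheme in a real keyserver URI is attacker-influenced text (it comes from the key's preferred-keyserver subpacket or the command line), so it must never be allowed to steer the join outside the helper directory.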
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed Mar 23 20:48:31 2005
Subject: could not check signature
In-Reply-To: <1508113249.20050323192921@wanadoo.nl>
References: <1508113249.20050323192921@wanadoo.nl>
Message-ID: <20050323195159.GC5690@jabberwocky.com>

On Wed, Mar 23, 2005 at 07:29:21PM +0100, Henk de Bruijn wrote:
> Hi,
>
> When I verified one of my own messages which had been signed pgp/mime
> I got this errormessage:
>
> gpg: Signature made 03/23/05 12:16:08 using DSA key ID DBE6E678
> gpg: WARNING: signature digest conflict in message
> gpg: Can't check signature: general error
>
> I checked my messages of the last couple of days and this has happened
> several times. Before this happened I have never seen this message???
>
> Till now 1.4.1 worked like a charm.
>
> The only thing I changed was from SHA1 to RIPEMD160.

What, exactly, do you mean by this? What exact change did you make? Can you send me an example of such a message?

David

From torduninja at mail.pf Wed Mar 23 20:51:16 2005
From: torduninja at mail.pf (Maxine Brandt)
Date: Wed Mar 23 20:49:55 2005
Subject: gpg-2-go + winpt + usb drive // do-able
In-Reply-To: <20050323153826.EEE9E33C92@mailserver5.hushmail.com>
References: <20050323153826.EEE9E33C92@mailserver5.hushmail.com>
Message-ID: <200503230952.14739.torduninja@mail.pf>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

On Wednesday 23 March 2005 05:38, vedaal@hush.com wrote:
>
> i tested it on a neutral public system [win2k pro],
> that (afaik), has never had gnupg or winpt before.
>
> (not especially a 'spying' system, but also one with no rights for
> me to install anything)
>
> gpg-2-go + winpt worked fine from the usb port,
> as described in the original post,
>
> i had no rights to edit the registry,
> so i couldn't see what things winpt added
> just by double-clicking WinPT.exe
>
> when you re-booted on your test system after you removed the
> registry winpt additions,
>
> did winpt just 're-add' them and work again?
>
>
> i guess it should *not* be used for the 'without-a-trace' needs
> that gpg-2-go can be used for,
>
> but does allow for a portable gnupg with front-end
> for those who want it for a public cafe setting,
> and are not concerned with winpt registry traces on the host system
>

Hi Vedaal,

I had some time to check this out more thoroughly last night on a w2k box, and I found that what entries are put in the registry depend on the privileges of the account, but in all cases there will be some registry entries. If you are on a Limited User or Guest account, these will be restricted to HKEY_LOCAL_USER and HKEY_USER, and WinPT will work fine with gpg2go. But here's the most interesting point: if you're using a Guest account the registry entries are transient and you only have to reboot to get rid of them. This would have to be verified on other flavors of Windows of course.
Salut
Maxine
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCQci8KBY/R6nbCcARA6NtAJ44DUJ/rzGKq/+yjGHWbkTlPsl4tQCdHYLj
VjHTovzkSXYuWT4SrNrpx9w=
=GPFW
-----END PGP SIGNATURE-----

From henkdebruijn at wanadoo.nl Wed Mar 23 21:02:27 2005
From: henkdebruijn at wanadoo.nl (Henk de Bruijn)
Date: Wed Mar 23 20:58:24 2005
Subject: could not check signature
In-Reply-To: <20050323195159.GC5690@jabberwocky.com>
References: <1508113249.20050323192921@wanadoo.nl> <20050323195159.GC5690@jabberwocky.com>
Message-ID: <212657161.20050323210227@wanadoo.nl>

On Wed, 23 Mar 2005 14:51:59 -0500GMT (23-3-2005, 20:51 +0100, where I live), David Shaw wrote:

> On Wed, Mar 23, 2005 at 07:29:21PM +0100, Henk de Bruijn wrote:
>> When I verified one of my own messages which had been signed pgp/mime
>> I got this errormessage:
>>
>> gpg: Signature made 03/23/05 12:16:08 using DSA key ID DBE6E678
>> gpg: WARNING: signature digest conflict in message
>> gpg: Can't check signature: general error
>>
>> I checked my messages of the last couple of days and this has happened
>> several times. Before this happened I have never seen this message???
>>
>> Till now 1.4.1 worked like a charm.
>>
>> The only thing I changed was from SHA1 to RIPEMD160.

> What, exactly, do you mean by this? What exact change did you make?

I changed the digest algo from SHA1 to RIPEMD160

> Can you send me an example of such a message?

Done!

-- 
Henk
______________________________________________________________________
The Bat! Natural Email System v3.0.9.9 Professional on Windows XP SP2
PGPkey available at http://www.biglumber.com/x/web?qs=0x12069B93DBE6E678
Gossamer Spider Web of Trust GSWoT http://www.gswot.org/
A Progressive and Innovative Web of Trust

From dshaw at jabberwocky.com Wed Mar 23 21:08:19 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed Mar 23 21:04:54 2005
Subject: could not check signature
In-Reply-To: <212657161.20050323210227@wanadoo.nl>
References: <1508113249.20050323192921@wanadoo.nl> <20050323195159.GC5690@jabberwocky.com> <212657161.20050323210227@wanadoo.nl>
Message-ID: <20050323200819.GE5690@jabberwocky.com>

On Wed, Mar 23, 2005 at 09:02:27PM +0100, Henk de Bruijn wrote:
> On Wed, 23 Mar 2005 14:51:59 -0500GMT (23-3-2005, 20:51 +0100, where I
> live), David Shaw wrote:
>
> > On Wed, Mar 23, 2005 at 07:29:21PM +0100, Henk de Bruijn wrote:
>
> >> When I verified one of my own messages which had been signed pgp/mime
> >> I got this errormessage:
> >>
> >> gpg: Signature made 03/23/05 12:16:08 using DSA key ID DBE6E678
> >> gpg: WARNING: signature digest conflict in message
> >> gpg: Can't check signature: general error
> >>
> >> I checked my messages of the last couple of days and this has happened
> >> several times. Before this happened I have never seen this message???
> >>
> >> Till now 1.4.1 worked like a charm.
> >>
> >> The only thing I changed was from SHA1 to RIPEMD160.
>
> > What, exactly, do you mean by this? What exact change did you make?
>
> I changed the digest algo from SHA1 to RIPEMD160

This does not tell me anything useful. I don't know what mailer you are using, and I don't know how you are calling GnuPG. Specifically, and *exactly*, what did you change. Did you stick "digest-algo ripemd160" in your gpg.conf? Did you do something in a mailer config file? Did you change something on the command line? Did you do something else?

David

From henkdebruijn at wanadoo.nl Thu Mar 24 03:21:08 2005
From: henkdebruijn at wanadoo.nl (Henk de Bruijn)
Date: Thu Mar 24 03:17:05 2005
Subject: could not check signature
In-Reply-To: <20050323200819.GE5690@jabberwocky.com>
References: <1508113249.20050323192921@wanadoo.nl> <20050323195159.GC5690@jabberwocky.com> <212657161.20050323210227@wanadoo.nl> <20050323200819.GE5690@jabberwocky.com>
Message-ID: <358804611.20050324032108@wanadoo.nl>

On Wed, 23 Mar 2005 15:08:19 -0500GMT (23-3-2005, 21:08 +0100, where I live), David Shaw wrote:

> On Wed, Mar 23, 2005 at 09:02:27PM +0100, Henk de Bruijn wrote:
>> I changed the digest algo from SHA1 to RIPEMD160

> This does not tell me anything useful. I don't know what mailer you
> are using, and I don't know how you are calling GnuPG. Specifically,
> and *exactly*, what did you change. Did you stick "digest-algo
> ripemd160" in your gpg.conf? Did you do something in a mailer config
> file? Did you change something on the command line? Did you do
> something else?

Sorry for not telling relevant information. As you can see in my signature I am using The Bat! Further, I use GnuPG 1.4.1 with GPGShell 3.40rc2.

In GPGshell under Preferences GnuPG, on the second tab I changed the digest algo from default to RIPEMD160. After having kept this change, the gpg.conf has a line:

digest-algo RIPEMD160

When I now send messages signed inline, these messages verify ok, but when I send a message like this one, signed PGP/MIME, I get this error message.

-- 
Henk
______________________________________________________________________
The Bat! Natural Email System v3.0.9.9 Professional on Windows XP SP2
PGPkey available at http://www.biglumber.com/x/web?qs=0x12069B93DBE6E678
Gossamer Spider Web of Trust GSWoT http://www.gswot.org/
A Progressive and Innovative Web of Trust
From dshaw at jabberwocky.com Thu Mar 24 03:33:18 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Mar 24 03:30:08 2005
Subject: could not check signature
In-Reply-To: <358804611.20050324032108@wanadoo.nl>
References: <1508113249.20050323192921@wanadoo.nl> <20050323195159.GC5690@jabberwocky.com> <212657161.20050323210227@wanadoo.nl> <20050323200819.GE5690@jabberwocky.com> <358804611.20050324032108@wanadoo.nl>
Message-ID: <20050324023318.GA7442@jabberwocky.com>

On Thu, Mar 24, 2005 at 03:21:08AM +0100, Henk de Bruijn wrote:
> On Wed, 23 Mar 2005 15:08:19 -0500GMT (23-3-2005, 21:08 +0100, where I
> live), David Shaw wrote:
>
> > On Wed, Mar 23, 2005 at 09:02:27PM +0100, Henk de Bruijn wrote:
>
> >> I changed the digest algo from SHA1 to RIPEMD160
>
> > This does not tell me anything useful. I don't know what mailer you
> > are using, and I don't know how you are calling GnuPG. Specifically,
> > and *exactly*, what did you change. Did you stick "digest-algo
> > ripemd160" in your gpg.conf? Did you do something in a mailer config
> > file? Did you change something on the command line? Did you do
> > something else?
>
> Sorry for not telling relevant information. As you can see in my
> signature I am using The Bat! Further I use GnuPG 1.4.1 with GPGShell
> 3.40rc2.
> In GPGshell under Preferences GnuPG, on the second tab I changed the
> digest algo from default to RIPEMD160.
> After having kept this change, the gpg.conf has a line:
> digest-algo RIPEMD160
>
> When I now send messages signed inlined, these messages verify ok but
> when I send a message like this one, signed PGP/MIME, I get this error
> message.

You get the error when you *send* a message, or when you *verify* a message?

What happens if you remove the 'digest-algo RIPEMD160' line from gpg.conf?

I see also that you are using The Bat! v3.0.9.9. That version is a pre-beta that came out yesterday. You're not the first person who is reporting this error with The Bat! so I'm wondering if the Bat folks changed something internally.

David

From henkdebruijn at wanadoo.nl Thu Mar 24 03:54:08 2005
From: henkdebruijn at wanadoo.nl (Henk de Bruijn)
Date: Thu Mar 24 03:50:12 2005
Subject: could not check signature
In-Reply-To: <20050324023318.GA7442@jabberwocky.com>
References: <1508113249.20050323192921@wanadoo.nl> <20050323195159.GC5690@jabberwocky.com> <212657161.20050323210227@wanadoo.nl> <20050323200819.GE5690@jabberwocky.com> <358804611.20050324032108@wanadoo.nl> <20050324023318.GA7442@jabberwocky.com>
Message-ID: <783739615.20050324035408@wanadoo.nl>

On Wed, 23 Mar 2005 21:33:18 -0500GMT (24-3-2005, 3:33 +0100, where I live), David Shaw wrote:

> On Thu, Mar 24, 2005 at 03:21:08AM +0100, Henk de Bruijn wrote:
>> Sorry for not telling relevant information. As you can see in my
>> signature I am using The Bat! Further I use GnuPG 1.4.1 with GPGShell
>> 3.40rc2.
>> In GPGshell under Preferences GnuPG, on the second tab I changed the
>> digest algo from default to RIPEMD160.
>> After having kept this change, the gpg.conf has a line:
>> digest-algo RIPEMD160
>>
>> When I now send messages signed inlined, these messages verify ok but
>> when I send a message like this one, signed PGP/MIME, I get this error
>> message.

> You get the error when you *send* a message, or when you *verify* a
> message?

Not while sending, but when I verify a message.

> What happens if you remove the 'digest-algo RIPEMD160' line from
> gpg.conf?

If I do that and save the new gpg.conf, the second tab shows digest algo default.

> I see also that you are using The Bat! v3.0.9.9. That version is a
> pre-beta that came out yesterday. You're not the first person who is
> reporting this error with The Bat! so I'm wondering if the Bat folks
> changed something internally.

We are talking about this possibility in tbbeta too. But what I find strange is that when I change within The Bat! from GnuPG to PGP, these messages verify ok.

-- 
Henk
______________________________________________________________________
The Bat! Natural Email System v3.0.9.9 Professional on Windows XP SP2
PGPkey available at http://www.biglumber.com/x/web?qs=0x12069B93DBE6E678
Gossamer Spider Web of Trust GSWoT http://www.gswot.org/
A Progressive and Innovative Web of Trust

From dshaw at jabberwocky.com Thu Mar 24 05:12:41 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Mar 24 05:09:17 2005
Subject: could not check signature
In-Reply-To: <783739615.20050324035408@wanadoo.nl>
References: <1508113249.20050323192921@wanadoo.nl> <20050323195159.GC5690@jabberwocky.com> <212657161.20050323210227@wanadoo.nl> <20050323200819.GE5690@jabberwocky.com> <358804611.20050324032108@wanadoo.nl> <20050324023318.GA7442@jabberwocky.com> <783739615.20050324035408@wanadoo.nl>
Message-ID: <20050324041241.GA7816@jabberwocky.com>

On Thu, Mar 24, 2005 at 03:54:08AM +0100, Henk de Bruijn wrote:
> On Wed, 23 Mar 2005 21:33:18 -0500GMT (24-3-2005, 3:33 +0100, where I
> live), David Shaw wrote:
>
> > On Thu, Mar 24, 2005 at 03:21:08AM +0100, Henk de Bruijn wrote:
>
> >> Sorry for not telling relevant information. As you can see in my
> >> signature I am using The Bat! Further I use GnuPG 1.4.1 with GPGShell
> >> 3.40rc2.
> >> In GPGshell under Preferences GnuPG, on the second tab I changed the
> >> digest algo from default to RIPEMD160.
> >> After having kept this change, the gpg.conf has a line:
> >> digest-algo RIPEMD160
> >>
> >> When I now send messages signed inlined, these messages verify ok but
> >> when I send a message like this one, signed PGP/MIME, I get this error
> >> message.
>
> > You get the error when you *send* a message, or when you *verify* a
> > message?
>
> Not while sending, but when I verify a message.
>
> > What happens if you remove the 'digest-algo RIPEMD160' line from
> > gpg.conf?
>
> If I do that and save the new gpg.conf the second tab shows digest
> algo default.

But does the message verify correctly if you remove the 'digest-algo RIPEMD160' ?

> > I see also that you are using The Bat! v3.0.9.9. That version is a
> > pre-beta that came out yesterday. You're not the first person who is
> > reporting this error with The Bat! so I'm wondering if the Bat folks
> > changed something internally.
>
> We are talking about this possibility in tbbeta too.
>
> But what I find strange is that when I change within
> The Bat! from GnuPG to PGP, these messages verify ok.

Yes, PGP and GnuPG have a difference in their sig verification routines. GnuPG is more strict to the standard. PGP actually allows you to (for example) present a message that claims to be SHA1 but is really RIPEMD160 and will successfully verify it.

I'm curious how The Bat! verifies PGP/MIME signed messages. That particular error sort of implies that they are constructing a brand new OpenPGP message out of the various MIME parts and passing it to GnuPG.

David

From henkdebruijn at wanadoo.nl Thu Mar 24 07:16:10 2005
From: henkdebruijn at wanadoo.nl (Henk de Bruijn)
Date: Thu Mar 24 07:12:08 2005
Subject: could not check signature
In-Reply-To: <20050324041241.GA7816@jabberwocky.com>
References: <1508113249.20050323192921@wanadoo.nl> <20050323195159.GC5690@jabberwocky.com> <212657161.20050323210227@wanadoo.nl> <20050323200819.GE5690@jabberwocky.com> <358804611.20050324032108@wanadoo.nl> <20050324023318.GA7442@jabberwocky.com> <783739615.20050324035408@wanadoo.nl> <20050324041241.GA7816@jabberwocky.com>
Message-ID: <43798874.20050324071610@wanadoo.nl>

On Wed, 23 Mar 2005 23:12:41 -0500GMT (24-3-2005, 5:12 +0100, where I live), David Shaw wrote:

...

>>> You get the error when you *send* a message, or when you *verify* a
>>> message?
>> Not while sending, but when I verify a message.
>>
>>> What happens if you remove the 'digest-algo RIPEMD160' line from
>>> gpg.conf?
>>
>> If I do that and save the new gpg.conf the second tab shows digest
>> algo default.

> But does the message verify correctly if you remove the 'digest-algo
> RIPEMD160' ?

Similar message:

gpg: Signature made 03/23/05 04:49:07 using DSA key ID DBE6E678
gpg: WARNING: signature digest conflict in message
gpg: Can't check signature: general error

...

> Yes, PGP and GnuPG have a difference in their sig verification
> routines. GnuPG is more strict to the standard. PGP actually allows
> you to (for example) present a message that claims to be SHA1 but is
> really RIPEMD160 and will successfully verify it.

> I'm curious how The Bat! verifies PGP/MIME signed messages. That
> particular error sort of implies that they are constructing a brand
> new OpenPGP message out of the various MIME parts and passing it to
> GnuPG.

I have received several messages saying that my messages verify ok in/with other MUAs. I will add a note on The Bat's bugtracker. Thanks for all the help.

-- 
Henk
______________________________________________________________________
The Bat!
Natural Email System v3.0.9.9 Professional on Windows XP SP2
PGPkey available at http://www.biglumber.com/x/web?qs=0x12069B93DBE6E678
Gossamer Spider Web of Trust GSWoT http://www.gswot.org/
A Progressive and Innovative Web of Trust

From adam00f at ducksburg.com Thu Mar 24 13:04:52 2005
From: adam00f at ducksburg.com (Adam Funk)
Date: Thu Mar 24 13:01:21 2005
Subject: Shouldn't keyservers store and provide subkeys?
Message-ID: <200503241204.j2OC4qg12267@Porthos.co.umist.ac.uk>

Following a recent discussion about subkeys, I decided to add a new subkey and revoke the old one on each of my keys (one used at work, one at home). Then I tried to update each machine to have the new public subkeys (using pgp.mit.edu):

work $ gpg --send-key WORKKEYID
home $ gpg --recv-key WORKKEYID

home $ gpg --send-key HOMEKEYID
work $ gpg --recv-key HOMEKEYID

In both cases, the output of "gpg -v --list-key KEYID" showed that the new subkey had not been added. I had to use --export and --import to get the subkeys transferred in both directions.

Is this normal behaviour or did I do something wrong?

From wk at gnupg.org Thu Mar 24 18:34:58 2005
From: wk at gnupg.org (Werner Koch)
Date: Thu Mar 24 18:31:26 2005
Subject: Shouldn't keyservers store and provide subkeys?
In-Reply-To: <200503241204.j2OC4qg12267@Porthos.co.umist.ac.uk> (Adam Funk's message of "Thu, 24 Mar 2005 12:04:52 GMT")
References: <200503241204.j2OC4qg12267@Porthos.co.umist.ac.uk>
Message-ID: <87acothrr1.fsf@wheatstone.g10code.de>

On Thu, 24 Mar 2005 12:04:52 GMT, Adam Funk said:

> one at home). Then I tried to update each machine to have the new
> public subkeys (using pgp.mit.edu):

That keyserver as well as all other servers running the old HKS software are broken. You should move away from that keyserver and use an SKS one (e.g. random.sks.keyserver.penguin.de) or at least those at subkeys.pgp.net.

BTW, to avoid answering these questions over and over, should we just setup working keyservers under the gnupg.net domain? It seems the old and broken pgp.net servers will never vanish.

Shalom-Salam,

Werner

From servie_tech at yahoo.com Thu Mar 24 18:44:53 2005
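Two threads above come down to what is actually inside the OpenPGP packets: David Shaw's point that GnuPG refuses a message that "claims to be SHA1 but is really RIPEMD160", and Werner Koch's point that an old HKS keyserver can hand back a key missing the subkeys (and subkey revocations) you uploaded. The following is an added example, written for this archive and not GnuPG's own verification or keyserver code, that walks RFC 4880 packets to check both: it pairs each one-pass signature packet (tag 4) with the signature packet (tag 2) that closes it and reports when their hash-algorithm octets disagree, which is assumed here as one concrete way a message can announce one digest and carry another; and it lists the v4 subkeys in a public-key export by fingerprint, with a revoked flag, so a local export can be diffed against the copy a keyserver returned. All sample packets are constructed by hand with placeholder MPIs, so nothing in them is cryptographically valid; only the packet structure is real.

```python
"""Walk OpenPGP (RFC 4880) packets: flag a digest mismatch between a
one-pass signature packet and the signature that closes it, and list the
subkeys in a key export so a local copy can be diffed against a keyserver
copy. Added example, not GnuPG code; all sample packets are constructed
by hand with placeholder MPIs, so nothing here is cryptographically valid."""
import hashlib
import struct

HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 10: "SHA512"}
TAG_SIG, TAG_ONEPASS, TAG_PUBKEY, TAG_LITERAL, TAG_SUBKEY = 2, 4, 6, 11, 14
SIG_SUBKEY_BINDING, SIG_SUBKEY_REVOCATION = 0x18, 0x28


def iter_packets(data: bytes):
    """Yield (tag, body) per packet; old- and new-format headers, definite
    lengths only (partial-body and indeterminate lengths are rejected)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"bad packet header at offset {i}")
        if ctb & 0x40:                                   # new format
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack(">I", data[i + 2:i + 6])[0], 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                            # old format
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            length = int.from_bytes(data[i + 1:i + 1 + (1 << ltype)], "big")
            hdr = 1 + (1 << ltype)
        body = data[i + hdr:i + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body
        i += hdr + length


def digest_conflicts(msg: bytes) -> list:
    """(claimed, actual) hash names wherever a v4 signature packet's hash
    algorithm differs from the one-pass packet that announced it."""
    pending, conflicts = [], []
    for tag, body in iter_packets(msg):
        if tag == TAG_ONEPASS:
            pending.append(body[2])          # version, sigtype, hash, ...
        elif tag == TAG_SIG and pending and body[0] == 4:
            claimed, actual = pending.pop(), body[3]   # version, type, pk, hash
            if claimed != actual:
                conflicts.append((HASH_NAMES.get(claimed, claimed),
                                  HASH_NAMES.get(actual, actual)))
    return conflicts


def subkeys(export: bytes) -> dict:
    """Map v4 subkey fingerprint -> revoked flag for a public key export;
    a subkey counts as revoked when a type-0x28 signature follows it."""
    result, current = {}, None
    for tag, body in iter_packets(export):
        if tag == TAG_SUBKEY:
            fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
            current = fpr.hexdigest().upper()
            result[current] = False
        elif tag == TAG_SIG and current and body[0] == 4 \
                and body[1] == SIG_SUBKEY_REVOCATION:
            result[current] = True
        elif tag == TAG_PUBKEY:
            current = None
    return result


def subkeys_missing_remotely(local: bytes, remote: bytes) -> list:
    """Fingerprints whose subkey or revocation the remote copy lacks."""
    l, r = subkeys(local), subkeys(remote)
    return sorted(f for f, rev in l.items() if r.get(f) != rev)


# --- constructed samples (old-format headers, one-octet lengths) ---
def _pkt(tag: int, body: bytes) -> bytes:
    return bytes([0x80 | (tag << 2), len(body)]) + body


def _sig(sigtype: int, hash_algo: int) -> bytes:
    # v4, type, DSA (17), hash, empty hashed/unhashed areas, 2-byte hash
    # prefix, two placeholder 1-bit MPIs
    return _pkt(TAG_SIG, bytes([4, sigtype, 17, hash_algo]) + b"\0" * 4
                + b"\x12\x34" + b"\0\x01\x01" * 2)


def _subkey(created: int) -> bytes:
    # v4, creation time, Elgamal (16), three placeholder 1-bit MPIs
    return _pkt(TAG_SUBKEY, b"\x04" + struct.pack(">I", created) + b"\x10"
                + b"\0\x01\x01" * 3)


# One-pass packet announces SHA1 (2); the closing signature says RIPEMD160 (3).
SAMPLE_MESSAGE = (_pkt(TAG_ONEPASS, bytes([3, 0, 2, 17]) + b"\0" * 8 + b"\x01")
                  + _pkt(TAG_LITERAL, b"b\0" + b"\0" * 4 + b"hello")
                  + _sig(0, 3))
# Locally the first subkey is revoked and a second was added; the keyserver
# copy still has only the first, unrevoked.
PRIMARY = _pkt(TAG_PUBKEY, b"\x04" + struct.pack(">I", 1100000000) + b"\x11"
               + b"\0\x01\x01" * 4)
LOCAL = (PRIMARY + _subkey(1100000000) + _sig(SIG_SUBKEY_BINDING, 2)
         + _sig(SIG_SUBKEY_REVOCATION, 2) + _subkey(1111000000)
         + _sig(SIG_SUBKEY_BINDING, 2))
REMOTE = PRIMARY + _subkey(1100000000) + _sig(SIG_SUBKEY_BINDING, 2)
```

To use it on real data, feed `digest_conflicts` the binary (dearmored) body of a signed message and `subkeys_missing_remotely` two binary exports, e.g. `gpg --export KEYID` for the local side and the output of `gpg --recv-key` re-exported from a scratch keyring for the remote side; a non-empty result from the second call is exactly the symptom Adam Funk saw. Note that the digest check here only detects disagreement inside the message; it is a structural check, not a substitute for verifying the signature itself.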
From: servie_tech at yahoo.com (Servie Platon) Date: Thu Mar 24 18:41:22 2005 Subject: Lib\idea could not be found error - Follow-up In-Reply-To: 6667 Message-ID: <20050324174453.59968.qmail@web52509.mail.yahoo.com> > Hello Venona and co-gpg gurus, > > Thank you very much for the help. > > --- venona@gmx.ch wrote: > > Hello Servie, > > > > > Home: C:/Documents and > Settings/servie/Application > > > Data/GnuPG > > > Supported algorithms: > > > Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA > > > gpg: LoadLibrary failed: The system cannot find > > the > > > file specified. > > > > > > gpg: invalid module `Lib\idea': The specified > > module > > > could not be found. > > > > Firstly, download the IDEA library from > > ftp://ftp.gnupg.dk/pub/contrib-dk/ideadll.zip > > > > Did this step and downloaded the idea.dll.zip file. > > > Next, create directory named "lib" in the above > > HomeDir > > and unzip idea.dll to the directory "lib" you > > created. > > > > Did this step too... > > > Lastly, write the line "load-extension lib\idea" > > (without > > quotation) in your configuration file gpg.conf. > > > > Do't forget to hit ENTER at the end of the line > > mentioned above. > > > > Then gpg.exe will show the message "Cipher: IDEA, > > ..." > > when you type the command "gpg --version" in the > > command prompt. > > > And finally, followed these religiously. But, I > still > got this error message below. > > C:\Documents and Settings\servie>gpg --version > gpg: C:/Documents and Settings/servie/Application > Data/GnuPG\gpg.conf:5: i > nvalid option > gpg (GnuPG) 1.4.0 > Copyright (C) 2004 Free Software Foundation, Inc. > This program comes with ABSOLUTELY NO WARRANTY. > This is free software, and you are welcome to > redistribute it > under certain conditions. See the file COPYING for > details. 
> > Home: C:/Documents and Settings/servie/Application > Data/GnuPG > Supported algorithms: > Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA > gpg: LoadLibrary failed: The system cannot find the > file specified. > > gpg: invalid module `lib\idea': The specified module > could not be found. > > Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, > TWOFISH > Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512 > Compression: Uncompressed, ZIP, ZLIB, BZIP2 > > C:\Documents and Settings\servie> > > Does the invalid option on :5 mean that there seems > to > be a syntax error on line 5 of my gpg.conf file? > > For the complete steps, these what I have done so > far: > > 1. Created an installation folder in C:\Program > Files\GnuPG directory. > > 2. Created in home directory, a GnuPG folder in C:\ > Documents and Settings\servie\Application Data > > 3. Extracted the GnuPG zip file and its contents to > C:\Program Files\GnuPG from the GnuPG ftp site. > > 4. Made two subdirectories Doc and Locale. Moved all > .mo files into the Locale directory and everything > left except for .exe files to the Doc directory. > > 5. Unzip the libiconv-1.9.1.dll.zip file and placed > it > in the C:\Program Files\GnuPG > > 6. Modified the path by going to Start-Control > Panel-System-Advanced-Environment Variables and > edited > the path variable under system variables and added > ;C:\Program Files\GnuPG > > 7. Created registry entries (gnupg_xp.reg) and > pasted > it in the GnuPG home directory where I modified the > user entry in the HomeDir and OptFile lines with the > name servie as user for this profile. Run the > gnupg_xp.reg by double clicking it. > > 8. Created gpg.conf file in Homedir of servie > wherein > I have added the entry line load-extension Lib\idea > > 9. Test if it works by typing in gpg --version and > got > the error above. > > 10. Created C:\Documents and > Settings\servie\Application Data\GnuPG\Lib directory > wherein it has the idea .dll file downloaded as > suggested. > > 11. 
Tested if it works this time by issuing the > command > gpg --version and still got the same error. > > Based on the above steps I made, what would be the > possible cause of gpg not working? Is it on the > syntax > on one of the gpg files or registry files created or > are there steps unturned that I may have missed out? > > Hoping for remedies for this problem from gpg or > gnupg > experts. > > Thank you very much. > > Sincerely, > Servie > > __________________________________________________ > Do You Yahoo!? > Tired of spam? Yahoo! Mail has the best spam > protection around > http://mail.yahoo.com > __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From sk at intertivity.com Thu Mar 24 18:52:00 2005 From: sk at intertivity.com (Kiefer, Sascha) Date: Thu Mar 24 18:47:40 2005 Subject: Shouldn't keyservers store and provide subkeys? In-Reply-To: <87acothrr1.fsf@wheatstone.g10code.de> Message-ID: <002301c5309a$2e271fe0$f500a8c0@HOME> Go for it! > BTW, to avoid answering these questions over and over, should > we just setup working keyservers under the gnupg.net domain? > It seems the old and broken pgp.net servers will never vanish. From mobil at tzis.net Wed Mar 16 21:21:12 2005 
From: mobil at tzis.net (Thomas Zangl - Mobil) Date: Thu Mar 24 18:51:04 2005 Subject: Saving photo of a key to a given filename In-Reply-To: <20050316171637.GA9868@malin> Message-ID: On Wed, 16 Mar 2005 18:16:37 +0100, "Karl Hasselström" wrote: Hi, >You might have been bitten by the escaping. This example works on the >command line because the shell evaluates the command line args before >passing them to gpg. If you call gpg in a way that doesn't pass the args >through a shell, you should not be escaping quotes. I tried to remove the quotes but that did not help either :-/ If I remove them the execution hangs - maybe due to some quoting of the temp file (%i substitution) needed. Best regards, -- ---------------------------------------------------------------- ,yours Thomas Zangl -thomas@tzi.dhs.org- -TZ1-6BONE- -http://tzi.dhs.org - http://www.borg-kindberg.ac.at Use YAMC! now! Get it at http://www.borg-kindberg.ac.at/yamc/ From mobil at tzis.net Wed Mar 16 21:19:31 2005 From: mobil at tzis.net (Thomas Zangl - Mobil) Date: Thu Mar 24 18:51:33 2005 Subject: Saving photo of a key to a given filename In-Reply-To: <200503161938.UAA00882@vulcan.xs4all.nl> Message-ID: On Wed, 16 Mar 2005 20:38:21 +0100 (MET), "Johan Wevers" wrote: Hi, >Is your environment copied? Try the explicit call to C:\WINNT\cmd.exe >instead of just calling cmd. Nope - does not help. I tried simplifying the filename to e.g. C:\temp.jpg but to no avail. The file is not created... Best regards, -- ---------------------------------------------------------------- ,yours Thomas Zangl -thomas@tzi.dhs.org- -TZ1-6BONE- -http://tzi.dhs.org - http://www.borg-kindberg.ac.at Use YAMC! now! Get it at http://www.borg-kindberg.ac.at/yamc/ From dborkov at yahoo.com Sat Mar 19 00:23:52 2005 
From: dborkov at yahoo.com (D. Borkovic) Date: Thu Mar 24 18:51:39 2005 Subject: Encrypting when secret keyring is not available Message-ID: <20050318232352.68106.qmail@web30905.mail.mud.yahoo.com> Hi, I prefer to keep my secret keyring on a flash memory stick. The public keyring is always on my disk. Sometimes I want to encrypt a message when my memory stick is not available. The public keyring is available. However, Gnupg will NOT encrypt a message when a secret keyring is not available. I know I can have an empty file on the disk be my substitute secret keyring, but then I have to change the "secret-keyring" entry in my gpg.conf file every time I insert or remove my memory stick. Does anyone know a better solution for this problem? Thanks, D. Borkovic __________________________________ Do you Yahoo!? Yahoo! Small Business - Try our new resources site! http://smallbusiness.yahoo.com/resources/ From netcrusher88 at gmail.com Sun Mar 20 20:47:00 2005 From: netcrusher88 at gmail.com (Joey Harrison) Date: Thu Mar 24 18:51:46 2005 Subject: using gnupg with web-based email Message-ID: <423DD334.3050100@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Is there any way to use GnuPG with a webmail, such as Yahoo! or Hotmail? And yes, Gmail is web based, but it has POP access also, so I use Thunderbird with Enigmail. Thanks -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFCPdM0yRZ2es9m7m4RAoJDAJwPME8drffKb+ok1d94i/eo4aWGRACeMD2b l3q0BfPGCjhzWIYmrc41NYw= =cidH -----END PGP SIGNATURE----- From emilynelf at cox.net Mon Mar 21 20:02:10 2005 
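One way to do what D. Borkovic asks above (secret keyring on a removable stick, encryption still wanted when the stick is out) without touching gpg.conf each time, as an added example that is not from the list or from GnuPG itself: a wrapper that picks the secret keyring at run time and falls back to an empty keyring file. It assumes the stick's keyring path and the fallback path are passed in (the /media/stick path in the usage line is a placeholder), that the `secret-keyring` line has been removed from gpg.conf so the command-line option is the only one in effect, and GnuPG 1.4's `--no-default-keyring`, `--keyring` and `--secret-keyring` options.

```shell
#!/bin/sh
# Added example (not from the list post or from GnuPG): run gpg with the
# secret keyring on a removable stick when it is present, and with an
# empty keyring when it is not, so gpg.conf never has to be edited.

# pick_secring STICK_SECRING FALLBACK
# Prints the secret keyring path to use.  The stick's keyring wins when it
# is readable; otherwise FALLBACK is used and created empty on first use
# (an empty file is a valid, empty keyring for gpg 1.4).
pick_secring() {
    stick_secring=$1
    fallback=$2
    if [ -r "$stick_secring" ]; then
        printf '%s\n' "$stick_secring"
        return 0
    fi
    if [ ! -e "$fallback" ]; then
        ( umask 077; : > "$fallback" )   # owner-only, like gpg's own files
    fi
    printf '%s\n' "$fallback"
}

# gpg_with_stick STICK_SECRING FALLBACK GPG_ARGS...
# --no-default-keyring stops gpg from also opening the secring.gpg in the
# home directory (the one that is missing when the stick is out); the
# public keyring on disk is passed explicitly so encryption keeps working.
gpg_with_stick() {
    stick_secring=$1
    fallback=$2
    shift 2
    secring=$(pick_secring "$stick_secring" "$fallback")
    gpg --no-default-keyring \
        --keyring "${GNUPGHOME:-$HOME/.gnupg}/pubring.gpg" \
        --secret-keyring "$secring" \
        "$@"
}

# Usage (paths are placeholders):
#   sh gpg-stick.sh /media/stick/secring.gpg "$HOME/.gnupg/secring-empty.gpg" -e -r alice file.txt
if [ "$#" -ge 3 ]; then
    gpg_with_stick "$@"
fi
```

Signing and decryption only work while the stick is in, which is the point of keeping the secret keyring there; the wrapper just stops the absence of the stick from breaking encryption to other people's public keys.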
From: emilynelf at cox.net (S. Stacey Hansen) Date: Thu Mar 24 18:51:53 2005 Subject: Total n00b asking for help Message-ID: <423F1A32.8070205@cox.net> Hello, I am trying to install GnuPG to use with Thunderbird 0.9. I read the instructions at http://enigmail.mozdev.org/gpgconf.html#win32, but honestly, I am lost. I am no coder, but am an intermediate "user". Basically, I know enough to know what I don't know. Any help would be greatly appreciated, though I ask you don't assume I have too much of a clue. I am most confused about what exactly I need to download as several files are mentioned at enigmail.mozdev.org. I thank you in advance for your assistance. Peace, Stacey aka Emily Nelfnoffen From thomas.marx at gmx.de Tue Mar 22 19:04:17 2005 
From: thomas.marx at gmx.de (Thomas Marx) Date: Thu Mar 24 18:51:59 2005 Subject: (Import-)Problem in gnupg 1.4.1 Message-ID: <42405E21.7060601@gmx.de> Hello, I'm using gnupg 1.4.1 on MS Windows XP. When I execute the command "gpg --list-keys", I get the following output:
C:\>gpg --list-keys
D:/Data/TMarx/GnuPG-Data\pubring.gpg
------------------------------------
pub 1024D/4FF48635 2005-03-07 [expires: 2006-03-07]
uid Thomas Marx
sub 2048g/DB1A5A90 2005-03-07 [expires: 2006-03-07]
pub 1024D/838DD61E 1999-05-16
uid Thomas Marx
uid Thomas Marx
sub 2048g/904E3ABE 1999-05-16
d:\data\tmarx\gnupg-data\pubring.gpg
------------------------------------
pub 1024D/4FF48635 2005-03-07 [expires: 2006-03-07]
uid Thomas Marx
sub 2048g/DB1A5A90 2005-03-07 [expires: 2006-03-07]
pub 1024D/838DD61E 1999-05-16
uid Thomas Marx
uid Thomas Marx
sub 2048g/904E3ABE 1999-05-16
Every key is listed twice. The difference is the usage of the slash and the back slash. This behavior corresponds to an error. When I try to import a key from key servers, I get the following output:
gpg: requesting key xxx from hkp server sks.keyserver.penguin.de
gpg: renaming `D:/Data/TMarx/GnuPG-Data\pubring.gpg' to `D:/Data/TMarx/GnuPG-Data\pubring.bak' failed: Permission denied
gpg: error writing keyring `D:/Data/TMarx/GnuPG-Data\pubring.gpg': file rename error
gpg: key xxx: public key "[User ID not found]" imported
gpg: error reading `[stream]': file rename error
gpg: Total number processed: 0
gpg: imported: 1
No key is imported. Other users noticed this error too. Can anybody give any hints to correct this? Greetings, Thomas From cornelis at kuit.de Wed Mar 23 14:47:02 2005 
From: cornelis at kuit.de (Cornelis Kuit) Date: Thu Mar 24 18:52:05 2005 Subject: Gnupg 1.4.0 - duplicate keys Message-ID: <42417356.3020508@kuit.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, All I've recently started using Enigmail in T-Bird with GNUPG 1.4.0 Now the funny thing is, that when I use OpenPGP Key Management I see my own Key Pub and Sec twice (2x). Also any other imported public keys are shown in duplicate. The same appears with gpg --list-keys etc. e.g.
Account/User ID  Key ID    Type     CalculT  OwnerT
Cornelis Kuit    25D0xxxx  pub/sec  ultimat  ultimat
Cornelis Kuit    25D0xxxx  pub/sec  ultimat  ultimat
Karstenkoehler   DC72xxxx  pub      ultimat  ultimat
Karstenkoehler   DC72xxxx  pub      ultimat  ultimat
Why are the keys appearing twice? Is this a bug in GNUPG? - -- _*Cornelis-H. Kuit*_ sent with: Get Thunderbird -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFCQXNWA7pvtyXQanYRAhcaAJoCTGEX0UUnQ2tiUNrBkkRpdy6JzgCeJG1X RMmbgWw6j5X22kpB/aezJBE= =CO4s -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3186 bytes Desc: S/MIME Cryptographic Signature Url : /pipermail/attachments/20050323/80a4f21a/smime.bin From matt at overlook.homelinux.net Thu Mar 17 21:02:11 2005 
From: matt at overlook.homelinux.net (Matthew Wilson) Date: Thu Mar 24 18:52:08 2005 Subject: How to create self-extracting executable? Message-ID: <20050317200211.GB20742@mwilson.umlcoop.net> My office uses PGP to create self-extracting executable files. I found the -c option for GPG which encrypts with a symmetric key, but this doesn't seem to do the next step of making the encrypted data an executable program that prompts for a password. Is this feature possible with GPG? I'm trying to automate lots of processes and the less highlighting and right-clicking I have to do in Windows Explorer, the better. TIA PS: I've already bored everyone I work with by explaining how symmetric key encryption ain't all that secure, but switching to a key-based system is not possible in the short run. -- Distributed OS wiki: http://en.wikibooks.org/wiki/ComputerScience:Distributed_Systems From shavital at mac.com Thu Mar 24 20:50:01 2005 
From: shavital at mac.com (Charly Avital) Date: Thu Mar 24 20:46:24 2005 Subject: (Import-)Problem in gnupg 1.4.1 In-Reply-To: <42405E21.7060601@gmx.de> References: <42405E21.7060601@gmx.de> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 The difference does not seem to be only in the usage of slash and back slash: > D:/Data/TMarx/GnuPG-Data\pubring.gpg > d:\data\tmarx\gnupg-data\pubring.gpg There is a difference in the use of upper and lower case. And please note that pubring.gpg is, in both cases, preceded by a back slash. I am not a Windows user, but IMO you have your pubring.gpg located in, maybe, two different directories (D: and d: with different permissions), which could account for the double listing, and for the error in failing to rename pubring to pubring.bak I hope you get better information from a Windows user. Charly MacOS X 10.3.8 On Mar 22, 2005, at 1:04 PM, Thomas Marx wrote: > Hello, > > I'm using gnupg 1.4.1 on MS Windows XP. > > When I execute the command "gpg --list-keys", I get the following > output: > > C:\>gpg --list-keys > D:/Data/TMarx/GnuPG-Data\pubring.gpg > ------------------------------------ > pub 1024D/4FF48635 2005-03-07 [expires: 2006-03-07] > uid Thomas Marx > sub 2048g/DB1A5A90 2005-03-07 [expires: 2006-03-07] > > pub 1024D/838DD61E 1999-05-16 > uid Thomas Marx > uid Thomas Marx > sub 2048g/904E3ABE 1999-05-16 > > d:\data\tmarx\gnupg-data\pubring.gpg > ------------------------------------ > pub 1024D/4FF48635 2005-03-07 [expires: 2006-03-07] > uid Thomas Marx > sub 2048g/DB1A5A90 2005-03-07 [expires: 2006-03-07] > > pub 1024D/838DD61E 1999-05-16 > uid Thomas Marx > uid Thomas Marx > sub 2048g/904E3ABE 1999-05-16 > > > every key is listed twice. The difference is the usage of the slash and > the back slash. > > This behavior correspond to an error. 
When I try to import a key from > key servers, I get the following output: > > > gpg: requesting key xxx from hkp server sks.keyserver.penguin.de > gpg: renaming `D:/Data/TMarx/GnuPG-Data\pubring.gpg' to > `D:/Data/TMarx/GnuPG-Data\pubring.bak' failed: Permission denied > gpg: error writing keyring > `D:/Data/TMarx/GnuPG-Data\pubring.gpg': file rename error > gpg: key xxx: public key "[User ID not found]" imported > gpg: error reading `[stream]': file rename error > gpg: Total number processed: 0 > gpg: imported: 1 > > > No key is imported. Other users noticed this error too. > Can anybody give any hints to correct this? > > Greetings, > > Thomas > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (Darwin) Comment: GnuPG for Privacy iQIVAwUBQkMZ9W69XHxycyfPAQh+mBAAgfmQ3bxdIGfW1B2DBFHVhdi2IkoEQNzm tuKsFEBCw4tbw5aNOmX2tpMHjUjIzUi+f+EpNdpPH4Ws+XfgSv85rjzBwx4zyOr6 F/vUvAQmxFHOcShdbewHmn8gMnIQ+5+HKnZfhPltqMOZygRJjHHfIy8eHHFU1cq1 y7MiR940LxkcWBTTnhGb9+fhX6RzNtjqvCdP//nmjQtpQMRJfhJYHasO1E0+dHX0 6pBhw0Nx0y8sOmvve4VeMyJDgvn7Xg+EqO0NLX/GO/IrHEF/ZAFyh2vz9Itm2qW+ ArN2HPbLmDne2vlFkz8E9uPNbuYofSDvNt4AslwlosthTyThi6SDV3j62UonUUEX Q17DaRphLLMRiaOF78iYRNxczXABcN8potddC6Dj94/Y1U5gXZylHX0v6Acc8wlP t3YtZoDTovv4vyT0hPAAUcRhLnB2n79eUS923nMBg5wfkHPH+7YpRQH0BJgsiVRc Jlsmhkd37NFbwGbwJzyCaIrXhiy7Dwpsh3vPPprLcEBC/IzrwatoxKR4WwM+W8JR MXs4UGJXm2gqnXj0bMLG4XH4LmQCr8Ozea8cQ0L7//LSlv8oWoNOoyTI/2pNRRSx E/1Fm+NORb8LYzCQPLGdtqvw2LCaoJ0UaDXTf6F40DDYp13atkfQoTBLYKZvG82q L8ok5NADhdw= =qqFc -----END PGP SIGNATURE----- From alver at dodocultus.com Fri Mar 25 02:29:35 2005 
From: alver at dodocultus.com (Alver) Date: Thu Mar 24 21:31:34 2005 Subject: gpg/keyboard issue Message-ID: <200503242029.36413.alver@dodocultus.com> Hello, I just imported my gpg keys from my previous install. However, when trying to use them to sign/encrypt/decrypt, my passphrase fails, even though I'm one hundred percent certain it's correct. Possible cause: my passphrase contains a character that I added to my keyboard manually through xmodmap - the scandinavian "?" character. Even though the character works, and I can type my passphrase apparently correctly, it fails. People suggested that it might be related to my keyboard mapping; I can't remember offhand what it was set to before so I tried possible settings, but so far no luck. Is there a procedure to get this working? Alver From minnesotan at runbox.com Thu Mar 24 20:53:23 2005 
From: minnesotan at runbox.com (Randy Burns) Date: Thu Mar 24 21:49:54 2005 Subject: Shouldn't keyservers store and provide subkeys? In-Reply-To: <87acothrr1.fsf@wheatstone.g10code.de> Message-ID: <20050324195323.18378.qmail@web205.biz.mail.re2.yahoo.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 > On Thu, 24 Mar 2005 12:04:52 GMT, Adam Funk said: > > > one at home). Then I tried to update each machine to have the new > > public subkeys (using pgp.mit.edu): > > That keyserver as well as all other servers running the old HKS > software are broken. You should move away from that keyserver and > use an SKS one (e.g. random.sks.keyserver.penguin.de) or at least > those at subkeys.pgp.net. > > BTW, to avoid answering these questions over and over, should we > just setup working keyservers under the gnupg.net domain? It seems > the old and broken pgp.net servers will never vanish. > > > Shalom-Salam, > > Werner > I think that's a great idea. I assume there would be a web interface, as well. What about a search option for the web interface that excludes any expired keys, by means of a check-box, like the check-box for "verbose" on some web keyservers? Maybe that's harder than it sounds, but I'd like that. :-) Randy -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) - GPGshell v3.40 Comment: Public Keys: www.geocities.com/burns98/pgp iD8DBQFCQxoUO1wFkBRYxW8RAyB9AKD38kkR05jRFBYIanL5dh4dn9rqUwCgy4Wr N9OAelepCsEwouRbJNAgzfo= =WPAl -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Thu Mar 24 22:20:02 2005 
From: dshaw at jabberwocky.com (David Shaw) Date: Thu Mar 24 22:16:45 2005 Subject: Shouldn't keyservers store and provide subkeys? In-Reply-To: <87acothrr1.fsf@wheatstone.g10code.de> References: <200503241204.j2OC4qg12267@Porthos.co.umist.ac.uk> <87acothrr1.fsf@wheatstone.g10code.de> Message-ID: <20050324212002.GD12643@jabberwocky.com> On Thu, Mar 24, 2005 at 06:34:58PM +0100, Werner Koch wrote: > On Thu, 24 Mar 2005 12:04:52 GMT, Adam Funk said: > > > one at home). Then I tried to update each machine to have the new > > public subkeys (using pgp.mit.edu): > > That keyserver as well as all other servers running the old HKS > software are broken. You should move away from that keyserver and use > an SKS one (e.g. random.sks.keyserver.penguin.de) or at least those at > subkeys.pgp.net. > > BTW, to avoid answering these questions over and over, should we just > setup working keyservers under the gnupg.net domain? It seems the old > and broken pgp.net servers will never vanish. I'm all for it. It would be nice to point people to a keyserver set that works properly with everything: multiple subkeys, photo IDs, and MR output. At the moment, this is just SKS servers. David From jharris at widomaker.com Thu Mar 24 22:44:49 2005 
From: jharris at widomaker.com (Jason Harris) Date: Thu Mar 24 22:40:57 2005 Subject: Shouldn't keyservers store and provide subkeys? In-Reply-To: <20050324212002.GD12643@jabberwocky.com> References: <200503241204.j2OC4qg12267@Porthos.co.umist.ac.uk> <87acothrr1.fsf@wheatstone.g10code.de> <20050324212002.GD12643@jabberwocky.com> Message-ID: <20050324214449.GX9105@wilma.widomaker.com> On Thu, Mar 24, 2005 at 04:20:02PM -0500, David Shaw wrote: > On Thu, Mar 24, 2005 at 06:34:58PM +0100, Werner Koch wrote: > > That keyserver as well as all other servers running the old HKS > > software are broken. You should move away from that keyserver and use > > an SKS one (e.g. random.sks.keyserver.penguin.de) or at least those at > > subkeys.pgp.net. > > > > BTW, to avoid answering these questions over and over, should we just > > setup working keyservers under the gnupg.net domain? It seems the old > > and broken pgp.net servers will never vanish. > > I'm all for it. It would be nice to point people to a keyserver set > that works properly with everything: multiple subkeys, photo IDs, and > MR output. At the moment, this is just SKS servers. You (gnupg.{org,net}) should run your own keyserver(s) rather than creating yet another DNS RR name. I'd be happy to get you going with either an email feed from pks or an SKS feed. -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20050324/887302f0/attachment.pgp From dshaw at jabberwocky.com Thu Mar 24 22:49:56 2005 
From: dshaw at jabberwocky.com (David Shaw) Date: Thu Mar 24 22:46:39 2005 Subject: Shouldn't keyservers store and provide subkeys? In-Reply-To: <20050324214449.GX9105@wilma.widomaker.com> References: <200503241204.j2OC4qg12267@Porthos.co.umist.ac.uk> <87acothrr1.fsf@wheatstone.g10code.de> <20050324212002.GD12643@jabberwocky.com> <20050324214449.GX9105@wilma.widomaker.com> Message-ID: <20050324214956.GF12643@jabberwocky.com> On Thu, Mar 24, 2005 at 04:44:49PM -0500, Jason Harris wrote: > On Thu, Mar 24, 2005 at 04:20:02PM -0500, David Shaw wrote: > > On Thu, Mar 24, 2005 at 06:34:58PM +0100, Werner Koch wrote: > > > > That keyserver as well as all other servers running the old HKS > > > software are broken. You should move away from that keyserver and use > > > an SKS one (e.g. random.sks.keyserver.penguin.de) or at least those at > > > subkeys.pgp.net. > > > > > > BTW, to avoid answering these questions over and over, should we just > > > setup working keyservers under the gnupg.net domain? It seems the old > > > and broken pgp.net servers will never vanish. > > > > I'm all for it. It would be nice to point people to a keyserver set > > that works properly with everything: multiple subkeys, photo IDs, and > > MR output. At the moment, this is just SKS servers. > > You (gnupg.{org,net}) should run your own keyserver(s) rather than > creating yet another DNS RR name. I'd be happy to get you going > with either an email feed from pks or an SKS feed. I'm curious why it is better to run our own, when (with permission) there are many well run SKS servers out there we can point to. David From dshaw at jabberwocky.com Thu Mar 24 22:56:20 2005 
From: dshaw at jabberwocky.com (David Shaw) Date: Thu Mar 24 22:53:00 2005 Subject: gpg: WARNING: unsafe ownership on configuration file "/home/jason/.gnupg/gpg.conf" In-Reply-To: <200503211941.39678.kimp05702@sneakemail.com> References: <200503211941.39678.kimp05702@sneakemail.com> Message-ID: <20050324215620.GG12643@jabberwocky.com> On Mon, Mar 21, 2005 at 07:41:39PM -0500, Jason Wallwork wrote: > Received the warning message: > gpg: WARNING: unsafe ownership on configuration file > "/home/jason/.gnupg/gpg.conf" > > after running gpg --version as root. I don't get the warning if I run the same > command as a regular user. > > Here's the permissions on the file: > > jason@starbuck:~> ls -l .gnupg/gpg.conf > -rw------- 1 jason users 8565 2005-03-17 12:43 .gnupg/gpg.conf > > Should I be concerned? I can't find this in the FAQ. I hope it's not a case of > not looking hard enough. :-/ It means that the user you are running GPG as was not the owner of the gpg.conf file. That can be a security problem (as someone other than you can manipulate it), so GPG is warning you about it. Since you're running as root on purpose, it's presumably not a security problem, but GPG doesn't know that. David From alex at bofh.net.pl Thu Mar 24 23:12:56 2005 
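The two checks behind the warning David explains above, written out as an added example (not gpg's own code): a shell function that compares the configuration file's owner with the running uid, and also looks for group/world write bits, which gpg reports in the same way as "unsafe permissions". The optional uid argument exists so the root case (root running gpg against jason's gpg.conf) can be reproduced without being root; `ls -ln` is used instead of `stat` because stat's flags differ between GNU and BSD userlands.

```shell
#!/bin/sh
# Added example (not gpg's own code): reproduce the ownership and
# permission checks behind "gpg: WARNING: unsafe ownership on
# configuration file".

# file_owner FILE -> numeric uid of the owner.  ls -ln is used because
# stat's option syntax differs between GNU and BSD userlands.
file_owner() {
    ls -ldn "$1" | awk '{ print $3 }'
}

# file_mode FILE -> symbolic mode string, e.g. -rw-------
file_mode() {
    ls -ld "$1" | awk '{ print $1 }'
}

# check_safe FILE [UID]
# Returns 0 when FILE is owned by UID (default: the running user) and is
# writable by neither group nor others; otherwise prints the same kind of
# warning gpg does and returns 1.  The UID argument lets the root case
# ("running gpg as root on a user's gpg.conf") be reproduced without root.
check_safe() {
    file=$1
    me=${2:-$(id -u)}
    rc=0
    owner=$(file_owner "$file")
    if [ "$owner" != "$me" ]; then
        printf 'WARNING: unsafe ownership on "%s" (owner uid %s, running as uid %s)\n' \
            "$file" "$owner" "$me" >&2
        rc=1
    fi
    mode=$(file_mode "$file")
    group_w=$(printf '%s' "$mode" | cut -c6)   # 6th char: group write bit
    other_w=$(printf '%s' "$mode" | cut -c9)   # 9th char: other write bit
    if [ "$group_w" = "w" ] || [ "$other_w" = "w" ]; then
        printf 'WARNING: unsafe permissions on "%s" (%s)\n' "$file" "$mode" >&2
        rc=1
    fi
    return "$rc"
}

# Usage: sh check-gpgconf.sh ~/.gnupg/gpg.conf
if [ "$#" -eq 1 ]; then
    check_safe "$1"
fi
```

The remedy when the warning is genuine is to run gpg as the user who owns the .gnupg directory, not to chown the files to root; a group- or world-writable gpg.conf is the more serious case, since anyone who can write it can add options such as a different keyserver or an extra recipient.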
From: alex at bofh.net.pl (Janusz A. Urbanowicz) Date: Thu Mar 24 23:11:37 2005 Subject: How to create self-extracting executable? In-Reply-To: <20050317200211.GB20742@mwilson.umlcoop.net> References: <20050317200211.GB20742@mwilson.umlcoop.net> Message-ID: <20050324221256.GB27708@syjon.fantastyka.net> On Thu, Mar 17, 2005 at 03:02:11PM -0500, Matthew Wilson wrote: > My office uses PGP to create self-extracting executable files. [] > Is this feature possible with GPG? I'm trying to automate lots of > processes and the less highlighting and right-clicking I have to do in > Windows Explorer, the better. [] > PS: I've already bored everyone I work with by explaining how symmetric > key encryption ain't all that secure, but switching to a key-based > system is not possible in the short run. I can relate to your pain, but GPG hasn't any such functionality. It is difficult to implement since GPG is a multi-platform application. Also, running untrusted binaries received from unverifiable sources is a very bad idea anyway (and the source of most of today's security problems). If you have access to/control/advisory power over the involved computers' configuration, associating the .pgp, .gpg and .asc filename suffixes with GPG itself or a suitable shell application gives roughly the same results as self-extracting archives - the user clicks a file, enters a password, and the file is decrypted. Alex -- mors ab alto 0x46399138 From johanw at vulcan.xs4all.nl Thu Mar 24 23:14:38 2005 
From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Thu Mar 24 23:13:47 2005 Subject: using gnupg with web-based email In-Reply-To: <423DD334.3050100@gmail.com> from Joey Harrison at "Mar 20, 2005 11:47:00 am" Message-ID: <200503242214.XAA00597@vulcan.xs4all.nl> Joey Harrison wrote: >Is there any way to use GnuPG with a webmail, such as Yahoo! or Hotmail? Sure: encrypt the file with the -a option present, then copy the file into the browser window. Some win32 shells like WinPT even do this automagically for you with the "encrypt current window" option. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From johanw at vulcan.xs4all.nl Thu Mar 24 23:12:41 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Thu Mar 24 23:13:55 2005 Subject: How to create self-extracting executable? In-Reply-To: <20050317200211.GB20742@mwilson.umlcoop.net> from Matthew Wilson at "Mar 17, 2005 03:02:11 pm" Message-ID: <200503242212.XAA00577@vulcan.xs4all.nl> Matthew Wilson wrote: >Is this feature possible with GPG? This can't be done cross platform, so no, it isn't. But you can deliver the gpg binary for a specific platform with the file and a script to call it. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From sk at intertivity.com Thu Mar 24 23:38:51 2005 From: sk at intertivity.com (Kiefer, Sascha) Date: Thu Mar 24 23:34:33 2005 Subject: OpenPGP Message Encryption in JavaScript Message-ID: <003301c530c2$414b74e0$f500a8c0@HOME> Hi. I just found this website: http://www.hanewin.de/encrypt/main.htm I think it's pretty nice. What do you think about it? --sk From samuel at Update.UU.SE Thu Mar 24 22:42:00 2005 
From: samuel at Update.UU.SE (Samuel Åslund) Date: Thu Mar 24 23:44:50 2005 Subject: gpg/keyboard issue In-Reply-To: <200503242029.36413.alver@dodocultus.com> References: <200503242029.36413.alver@dodocultus.com> Message-ID: <20050324214200.GB20691@Update.UU.SE> On Thu, Mar 24, 2005 at 08:29:35PM -0500, Alver wrote: > Hello, > > I just imported my gpg keys from my previous install. However, when > trying to use them to sign/encrypt/decrypt, my passphrase fails, even > though I'm one hundred percent certain it's correct. > > Possible cause: my passphrase contains a character that I added to my > keyboard manually through xmodmap - the scandinavian "?" character. > Even though the character works, and I can type my passphrase > apparently correctly, it fails. People suggested that it might be > related to my keyboard mapping; I can't remember offhand what it was > set to before so I tried possible settings, but so far no luck. Is > there a procedure to get this working? If you used that character only once, throw computing power at it, there are less than 256 possible choices. You should be able to do something simple with a list of all possible passphrases, a for-loop and the "passphrase-fd" switch. You might want to find a shred command for your platform also... HTH //Samuel From dshaw at jabberwocky.com Fri Mar 25 00:08:16 2005 
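Samuel's suggestion above, carried through as an added example that is not from the list post: instead of a file of guesses plus shred, generate the candidates in memory and pipe each one to gpg over `--passphrase-fd 0`. The detail worth adding to his reply is that gpg hashes the passphrase bytes, not the glyphs, so the same letter typed under an ISO-8859-1 keymap (one byte, 0xE5 for å) and under UTF-8 (two bytes, 0xC3 0xA5) is a different passphrase; the candidate list therefore carries both encodings of each Scandinavian letter. `#` as the placeholder for the uncertain character is my own convention, and the gpg invocation assumes GnuPG 1.4 (on GnuPG 2.1 or later add `--pinentry-mode loopback` so the agent accepts the piped passphrase).

```shell
#!/bin/sh
# Added example (not from the list post): try every likely byte encoding
# of one uncertain character in a passphrase.  gpg derives the key from the
# passphrase *bytes*, so a keymap or locale change can alter the bytes
# (one ISO-8859-1 byte vs. two UTF-8 bytes) while the glyph looks the same.

# Candidate byte sequences as printf octal escapes: UTF-8 first, then the
# ISO-8859-1 single byte, for å ä ö ø æ.  Extend as needed (my own list).
CANDIDATE_BYTES='\303\245 \303\244 \303\266 \303\270 \303\246 \345 \344 \366 \370 \346'

# gen_candidates TEMPLATE
# TEMPLATE is the passphrase with '#' (my placeholder convention) where the
# uncertain character goes.  Prints one complete candidate per line.
gen_candidates() {
    template=$1
    case $template in
        *'#'*) ;;
        *) echo "gen_candidates: no '#' placeholder in template" >&2; return 1 ;;
    esac
    prefix=${template%%#*}   # text before the placeholder
    suffix=${template#*#}    # text after the placeholder
    for esc in $CANDIDATE_BYTES; do
        printf '%s' "$prefix"
        printf "$esc"        # format string on purpose: expands the octal escapes
        printf '%s\n' "$suffix"
    done
}

# try_candidates TEMPLATE ENCRYPTED_FILE
# Pipes each candidate to gpg over --passphrase-fd 0; nothing touches the
# disk, so there is no list of guesses to shred afterwards.  On success the
# working passphrase is printed byte by byte (od) so the encoding is visible.
try_candidates() {
    template=$1
    encfile=$2
    gen_candidates "$template" | (
        while IFS= read -r pw; do
            if printf '%s' "$pw" | gpg --batch --quiet --passphrase-fd 0 \
                    --output /dev/null --decrypt "$encfile" 2>/dev/null; then
                printf '%s' "$pw" | od -An -c
                exit 0
            fi
        done
        exit 1   # exit status of the subshell becomes the function's status
    )
}

# Usage: sh try-passphrase.sh 'my#passphrase' some-file.gpg
if [ "$#" -eq 2 ]; then
    try_candidates "$1" "$2"
fi
```

Once the working encoding is known, the durable fix is to change the passphrase (`gpg --edit-key`, `passwd`) to one that types the same way under any keymap, or at least to note which locale the old one was set under.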
From: dshaw at jabberwocky.com (David Shaw) Date: Fri Mar 25 00:04:51 2005 Subject: Shouldn't keyservers store and provide subkeys? In-Reply-To: <20050324224908.GD31829@earth.li> References: <200503241204.j2OC4qg12267@Porthos.co.umist.ac.uk> <87acothrr1.fsf@wheatstone.g10code.de> <20050324212002.GD12643@jabberwocky.com> <20050324214449.GX9105@wilma.widomaker.com> <20050324224908.GD31829@earth.li> Message-ID: <20050324230816.GH12643@jabberwocky.com> On Thu, Mar 24, 2005 at 10:49:08PM +0000, Jonathan McDowell wrote: > [I'm guessing the original mail was on gnupg-users; I'm not on that list > though I do read pgp-keyserver-folk.] > > On Thu, Mar 24, 2005 at 04:44:49PM -0500, Jason Harris wrote: > > On Thu, Mar 24, 2005 at 04:20:02PM -0500, David Shaw wrote: > > > I'm all for it. It would be nice to point people to a keyserver set > > > that works properly with everything: multiple subkeys, photo IDs, and > > > MR output. At the moment, this is just SKS servers. > > onak should handle all of these; if anyone has examples of keys that it > doesn't deal with then please do let me know the details. > > I appreciate that the.earth.li [wwwkeys.uk.pgp.net] is probably the > only public keyserver running the code, but I do try to react to any > bug reports I receive. That's great news. I didn't realize that onak was actively running yet. > It can be found at: > > http://www.earth.li/projectpurple/progs/onak.html I'll check it out. David From scc4fun at spamcop.net Thu Mar 24 20:55:56 2005 
From: scc4fun at spamcop.net (Sean C. C.) Date: Fri Mar 25 01:18:43 2005 Subject: Total n00b asking for help In-Reply-To: <423F1A32.8070205@cox.net> References: <423F1A32.8070205@cox.net> Message-ID: <42431B4C.1050205@spamcop.net> Stacey, 1. First download GnuPG. They now have version 1.4.1 which has a windows installer, so that should be easy enough. (I'm still using the previous version which you had to unzip and move the files around.) I'm not sure if you will need it but there is a link on the enigmail website for libiconv#whatever#.zip. The previous version requested it, so the new version probably will too. 2. I'd upgrade to a newer version of Thunderbird. I believe Thunderbird 1.0.2 is the latest. You should be able to go to Tools > Options > Advanced > Software Update > Update from within Thunderbird (same for Firefox). 3. From the enigmail website download and install Enigmail 0.90.2.0. You'll have to save it by right-clicking it and then from the Tools > Extensions window in Thunderbird choose the Install button to install it in Thunderbird. 4. After that you can create a key pair that you will use. You can either use the OpenPGP Key Management window or the command line. *DISCLAIMER* I'm fairly new to GnuPG/Enigmail/Thunderbird myself so I don't know everything. The steps above I learned from installing it myself just a couple months ago. This advice is devoid of any Warranty for a particular purpose or Warranty of merchantability or anything else you can think of. It's my own experience. S. Stacey Hansen wrote: > Hello, > > I am trying to install GnuPG to use with Thunderbird 0.9. I read the > instructions at http://enigmail.mozdev.org/gpgconf.html#win32, but > honestly, I am lost. I am no coder, but am intermediate "user". > Basically, I know enough to know what I don't know. > > Any help would be greatly appreciated, though I ask you don't assume I > have too much of a clue. 
> I am most confused about what exactly I need to download as several > files are mentioned at enigmail.mozdev.org. > > I thank you in advance for your assistance. > > Peace, > > Stacey > aka Emily Nelfnoffen > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users From dshaw at jabberwocky.com Fri Mar 25 05:50:12 2005 
From: dshaw at jabberwocky.com (David Shaw) Date: Fri Mar 25 05:46:48 2005 Subject: The PATH problem (was Re: Libcurl) In-Reply-To: References: <200503221019.55199.linux__45863.7927113616$1111486979$gmane$org@codehelp.co.uk> <20050322135536.GA23086__46715.5534112409$1111499852$gmane$org@jabberwocky.com> <20050322185904.GB26177__44366.2190846682$1111518152$gmane$org@jabberwocky.com> <20050322225702.GE26177@jabberwocky.com> <20050323141118.GG26177@jabberwocky.com> Message-ID: <20050325045012.GA13390@jabberwocky.com> On Wed, Mar 23, 2005 at 06:24:57PM +0100, Carlo Luciano Bianco wrote: > Maybe it is possible to run the keyserver helpers not just by their > name, but by their *entire* name: instead of running > "gpgkeys_xxx.exe", gpg.exe should run > "c:\programmi\gnupg\gpgkeys_xxx.exe". In other words, instead of > putting its own folder in the PATH, gpg.exe should put its own > folder in front of the name of the keyserver helper to be executed. > > In this way you should be pretty sure that you execute the right > file, and you can keep the system PATH as it is. But maybe it is not > so simple... That is basically the plan. The only (not very) complex thing is that it needs to take into account --exec-path as well as the configure option --disable-keyserver-path, and the various combinations of those options or lack thereof. Can you try this patch? David -------------- next part -------------- Index: keyserver.c =================================================================== RCS file: /cvs/gnupg/gnupg/g10/keyserver.c,v retrieving revision 1.82 diff -u -r1.82 keyserver.c --- keyserver.c 17 Mar 2005 22:55:17 -0000 1.82 +++ keyserver.c 25 Mar 2005 04:42:35 -0000 
@@ -860,20 +860,39 @@ opt.keyserver_options.options|=KEYSERVER_USE_TEMP_FILES; #endif - /* Push the libexecdir into path. If DISABLE_KEYSERVER_PATH is set, - use the 0 arg to replace the path. */ + /* Build the filename for the helper to execute */ + scheme=keyserver_typemap(keyserver->scheme); + #ifdef DISABLE_KEYSERVER_PATH - set_exec_path(GNUPG_LIBEXECDIR,0); + /* Destroy any path we might have. Note that this sets PATH to an + empty string, rather than deleting the PATH environment variable. + That's intentional, so we don't fall back to a system built-in + PATH. This is not that meaningful on Unix-like systems (since + we're going to give a full path to gpgkeys_foo), but on W32 it + prevents loading any DLLs from directories in %PATH%. */ + set_exec_path("",0); #else - set_exec_path(GNUPG_LIBEXECDIR,opt.exec_path_set); + if(opt.exec_path_set) + { + /* If exec-path was set, and DISABLE_KEYSERVER_PATH is + undefined, then don't specify a full path to gpgkeys_foo, so + that the PATH can work. */ + command=m_alloc(strlen("gpgkeys_")+strlen(scheme)+1); + command[0]='\0'; + } + else #endif + { + /* Specify a full path to gpgkeys_foo. */ + command=m_alloc(strlen(GNUPG_LIBEXECDIR)+1+ + strlen("gpgkeys_")+strlen(scheme)+1); + strcpy(command,GNUPG_LIBEXECDIR); + strcat(command,"/"); + } - /* Build the filename for the helper to execute */ - scheme=keyserver_typemap(keyserver->scheme); - command=m_alloc(strlen("gpgkeys_")+strlen(scheme)+1); - strcpy(command,"gpgkeys_"); + strcat(command,"gpgkeys_"); strcat(command,scheme); - + if(opt.keyserver_options.options&KEYSERVER_USE_TEMP_FILES) { if(opt.keyserver_options.options&KEYSERVER_KEEP_TEMP_FILES) From jeffery.hsu at gmail.com Fri Mar 25 10:14:29 2005 From: jeffery.hsu at gmail.com (Jeffery Hsu) Date: Fri Mar 25 11:11:03 2005 Subject: (no subject) Message-ID: <20050325171348.3C1C.JEFFERY.HSU@gmail.com> -- Jeffery Hsu From wk at gnupg.org Fri Mar 25 13:42:55 2005 
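Review bot: in the keyserver.c hunk above, the full-path branch builds `command` as GNUPG_LIBEXECDIR + "/" + "gpgkeys_" + scheme with no quoting, and on W32 that directory usually sits under Program Files (Servie's install earlier in this digest uses C:\Program Files\GnuPG), so whether a libexecdir containing a space survives as a single program name depends on how the exec code outside this hunk assembles the command line; please check that case, or quote the path here, before this goes in. Two smaller points in the same hunk: the `else` immediately before `#endif` turns the following `{ ... }` into either the else-body or a bare compound statement depending on DISABLE_KEYSERVER_PATH, which is easy to misread and fragile under later edits; an explicit `int use_full_path` assigned inside each preprocessor branch and a single `if(use_full_path)` afterwards would express the same thing plainly. And in the `opt.exec_path_set` branch the previous `set_exec_path(GNUPG_LIBEXECDIR,opt.exec_path_set)` call is dropped without replacement, so helper lookup there now relies entirely on --exec-path having already been put into the search path elsewhere; a one-line comment stating that dependency would save the next reader a trip through the option parser.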
From: wk at gnupg.org (Werner Koch) Date: Fri Mar 25 13:41:24 2005 Subject: [Abimbola, Gbenga] RE: Shouldn't keyservers store and provide subkeys? Message-ID: <87ll8bhp68.fsf@wheatstone.g10code.de> Mail From: Abimbola, Gbenga /**** Message starts here ****/ Hi: I sent the message below, and did not see the request in March 2005 Archive. Is this the right mailing list? Can you help with respect to the message below? Meanwhile, during the configuration (./configure) and the make & make install, I received a lot of warning messages (like ...incompatible data types, etc), but in the end I got the binary. Has anyone compiled gnupg without any errors? Thanks. Gbenga -----Original Message----- From: Abimbola, Gbenga Sent: Wednesday, March 23, 2005 4:41 PM To: 'gnupg-users@gnupg.org' Subject: FW: Help on information with Gnupg Hi: I recently tried to install GnuPG and after compilation (I got a lot of warning errors though), I did type: $ gpg -v and got the following message: gpg: conversion from `utf-8' to `roman8' not available Can anyone point me to any quick solution? This is my first time. Thanks. Gbenga Abimbola Columbus, OH /**** Message ends here ****/ From clbianco at tiscalinet.it Sat Mar 26 01:47:36 2005
From: clbianco at tiscalinet.it (Carlo Luciano Bianco) Date: Sat Mar 26 01:47:21 2005 Subject: The PATH problem (was Re: Libcurl) References: <200503221019.55199.linux__45863.7927113616$1111486979$gmane$org@codehelp.co.uk> <20050322135536.GA23086__46715.5534112409$1111499852$gmane$org@jabberwocky.com> <20050322185904.GB26177__44366.2190846682$1111518152$gmane$org@jabberwocky.com> <20050322225702.GE26177@jabberwocky.com> <20050323141118.GG26177@jabberwocky.com> <20050325045012.GA13390__34035.1133062088$1111726840$gmane$org@jabberwocky.com> Message-ID: On /25 Mar 2005/, *David Shaw* wrote: > On Wed, Mar 23, 2005 at 06:24:57PM +0100, Carlo Luciano Bianco wrote: > >> Maybe it is possible to run the keyserver helpers not just by their >> name, but by their *entire* name: instead of running [...] > That is basically the plan. The only (not very) complex thing is that > it needs to take into account --exec-path as well as the configure > option --disable-keyserver-path, and the various combinations of those > options or lack thereof. Yes, I see... > Can you try this patch? Of course! I have tried and it seems it is working OK! Some more details: -------------------------------------------------------------------------- gpg --keyserver http://whatever --debug 1024 --recv-keys 99999999 gpg: reading options from `H:/GnuPG\gpg.conf' gpg: DBG: expanding string "c:\programmi\gnupg/gpgkeys_curl -o "%o" "%i"" gpg: DBG: args expanded to "c:\programmi\gnupg/gpgkeys_curl -o [...]
gpg: DBG: using temp file `[]tempin.txt' gpg: requesting key 99999999 from http server whatever gpg: DBG: system() command is c:\programmi\gnupg/gpgkeys_curl -o "[]tempout.txt" "[]tempin.txt" -------------------------------------------------------------------------- -------------------------------------------------------------------------- gpg --keyserver http://whatever --debug 1024 --exec-path c:\ --recv-keys 99999999 gpg: reading options from `H:/GnuPG\gpg.conf' gpg: DBG: set_exec_path method 0: PATH=c:\ gpg: DBG: expanding string "gpgkeys_curl -o "%o" "%i"" gpg: DBG: args expanded to "gpgkeys_curl -o [...] gpg: DBG: using temp file `[]tempin.txt' gpg: requesting key 99999999 from http server whatever gpg: DBG: system() command is gpgkeys_curl -o "[]tempout.txt" "[]tempin.txt" -------------------------------------------------------------------------- I have also checked with SysInternals' Process Explorer and the PATHs inside gpg.exe image are correct in both cases (i.e. the system PATH in the first case and "c:\" in the second one). Thanks again, David! Is there any other test I can make to check this patch? -- | Carlo Luciano Bianco | ICQ UIN: 109517158 | |______________________| Home page: | |GPG DSA/ElG 1024/4096:|_________________________________________________| |KeyID:0x5324A0DA - Fingerprint:8B00C61034120506111B143DEDBF71B45324A0DA | From samphan at actiwhiz.com Sat Mar 26 05:58:24 2005
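The following is an added example, not code from the thread or from GnuPG, illustrating the point behind David Shaw's patch and Carlo's two test runs above: a helper resolved by bare name through PATH runs whatever copy sits first in PATH, while an absolute path into libexecdir does not care what PATH contains. It also shows the quoting the helper path needs once it can contain a space (the W32 default install directory is under "Program Files"). The helper name gpgkeys_curl is the one used in the thread; the "real" and "planted" helpers, the directories and the decision-table function are constructed stand-ins, and the example runs offline in a temporary directory.

```python
"""Added example (not GnuPG code): PATH lookup versus absolute path for a
keyserver helper, plus safe quoting of the resulting command line."""
import os
import shlex
import shutil
import subprocess
import tempfile

HELPER_PREFIX = "gpgkeys_"   # GnuPG 1.4 helper naming, e.g. gpgkeys_curl


def build_helper_command(scheme, libexecdir, exec_path_set=False,
                         disable_keyserver_path=False):
    """Mirror the decision table of the patch under discussion: a bare name
    (PATH lookup) only when the user asked for --exec-path and the build did
    not disable keyserver PATH handling; otherwise the absolute path inside
    libexecdir. (Reconstruction for illustration, not GnuPG's own code.)"""
    name = HELPER_PREFIX + scheme
    if exec_path_set and not disable_keyserver_path:
        return name
    return os.path.join(libexecdir, name)


def resolve(command, path_env):
    """Return the file the OS would actually execute for `command`:
    absolute paths ignore PATH, bare names are searched through it."""
    if os.path.isabs(command):
        return command if os.access(command, os.X_OK) else None
    return shutil.which(command, path=path_env)


def shell_command_line(helper, args):
    """Quote every word so a helper path containing spaces survives being
    handed to the shell as a single string (the patch's system() call)."""
    return shlex.join([helper] + list(args))


def _write_helper(directory, tag):
    """Constructed stand-in helper that just reports which copy ran."""
    path = os.path.join(directory, HELPER_PREFIX + "curl")
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\necho %s\n" % tag)
    os.chmod(path, 0o755)
    return path


def demo():
    """Run the same helper name under both policies with an attacker-writable
    directory ahead of libexecdir in PATH; returns which copy ran for each."""
    with tempfile.TemporaryDirectory() as root:
        libexec = os.path.join(root, "libexec")
        writable = os.path.join(root, "writable")   # assumed attacker-controlled
        os.mkdir(libexec)
        os.mkdir(writable)
        _write_helper(libexec, "real")
        _write_helper(writable, "planted")
        path_env = os.pathsep.join([writable, libexec])

        results = {}
        for label, kwargs in (("bare", {"exec_path_set": True}),
                              ("absolute", {})):
            cmd = build_helper_command("curl", libexec, **kwargs)
            target = resolve(cmd, path_env)
            # run through /bin/sh so the demo does not depend on the temp
            # directory allowing direct execution
            out = subprocess.run(["/bin/sh", target], capture_output=True,
                                 text=True, check=True)
            results[label] = out.stdout.strip()
        return results


if __name__ == "__main__":
    print(demo())
    print(shell_command_line("/opt/Program Files/GnuPG/gpgkeys_curl",
                             ["-o", "tempout.txt", "tempin.txt"]))
```

`demo()` returns `{"bare": "planted", "absolute": "real"}`: the bare name picks up the planted copy because an attacker-writable directory precedes libexecdir in PATH, which is what the old "push libexecdir into PATH" approach risked, and the absolute path is unaffected. `shell_command_line` is the piece the patch still lacks: without quoting, a libexecdir with a space in it is split into two words by the shell.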
From: samphan at actiwhiz.com (Samphan Raruenrom) Date: Sat Mar 26 05:54:58 2005 Subject: Anyone use GPG 1.4.x on Windows successfully? In-Reply-To: <42417B8F.8090705@actiwhiz.com> References: <42417B8F.8090705@actiwhiz.com> Message-ID: <4244EBF0.1080506@actiwhiz.com> Is anyone able to use GPG 1.4.0/1.4.1 on Windows successfully? Samphan Raruenrom wrote: > I tried using Win32 Gnu GPG 1.4.0 and 1.4.1 to do 'gpg --gen-key' > using the default setting. The generation process rarely ever finishes. > Most of the time the generation process runs and never finishes. > > 8<------------------------------------------------------------------------->8 > > gpg (GnuPG) 1.4.1; Copyright (C) 2005 Free Software Foundation, Inc. > This program comes with ABSOLUTELY NO WARRANTY. > This is free software, and you are welcome to redistribute it > under certain conditions. See the file COPYING for details. > > Please select what kind of key you want: > (1) DSA and Elgamal (default) > (2) DSA (sign only) > (5) RSA (sign only) > Your selection? > DSA keypair will have 1024 bits. > ELG-E keys may be between 1024 and 4096 bits long. > What keysize do you want? (2048) > Requested keysize is 2048 bits > Please specify how long the key should be valid. > 0 = key does not expire > = key expires in n days > w = key expires in n weeks > m = key expires in n months > y = key expires in n years > Key is valid for? (0) > Key does not expire at all > Is this correct? (y/N) y > > You need a user ID to identify your key; the software constructs the > user ID > from the Real Name, Comment and Email Address in this form: > "Heinrich Heine (Der Dichter) " > > Real name: Samphan Raruenrom > Email address: samphan@access.inet.co.th > Comment: > You selected this USER-ID: > "Samphan Raruenrom " > > Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o > You need a Passphrase to protect your secret key. > > We need to generate a lot of random bytes.
It is a good idea to perform > some other action (type on the keyboard, move the mouse, utilize the > disks) during the prime generation; this gives the random number > generator a better chance to gain enough entropy. > .++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++.+++++.+++++.++++++++++.+++++++++++++++++++++++++ > ....+++++.++++++++++..+++++.....................>+++++...................................+++++ > > 8<-------------------------------------------------------------->8 > The output stops here and never continues. I tried using the disk, > keyboard, mouse. I can't make gpg finish generating keys. > I happen to have cygwin and the cygwin version of gpg works. > > Is there anything wrong with the Win32 version of GPG, or my setting? -- _/|\_ Samphan Raruenrom. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 254 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050326/50637f92/signature.pgp From hhhobbit7 at netscape.net Sat Mar 26 06:14:16 2005 From: hhhobbit7 at netscape.net (Henry Hertz Hobbit) Date: Sat Mar 26 06:11:26 2005 Subject: Total n00b asking for help Message-ID: <78A32EB2.4F4E37B4.0307202B@netscape.net> >Message: 1 >Date: Mon, 21 Mar 2005 12:02:10 -0700
>From: "S. Stacey Hansen" >Subject: Total n00b asking for help >To: Gnupg-users@gnupg.org >Message-ID: <423F1A32.8070205@cox.net> >Content-Type: text/plain; charset=ISO-8859-1; format=flowed > >Hello, > >I am trying to install GnuPG to use with Thunderbird 0.9. I read the >instructions at http://enigmail.mozdev.org/gpgconf.html#win32, but >honestly, I am lost. I am no coder, but am intermediate "user". >Basically, I know enough to know what I don't know. > >Any help would be greatly appreciated, though I ask you don't assume I >have too much of a clue. >I am most confused about what exactly I need to download as several >files are mentioned at enigmail.mozdev.org. > >I thank you in advance for your assistance. > >Peace, > >Stacey >aka Emily Nelfnoffen Okay, here are the instructions: First, this web page MAY be a little bit outdated. I will note any deviations for 1.4.1 if I see them. http://enigmail.mozdev.org/gpgconf.html#win32 DOWNLOADING & INTEGRITY CHECKS: =============================== I am assuming you are from an English speaking area, and worse yet, that you are in the United States. If not, go back to the starting web page: http://gnupg.org/ and pick your language. Then go to the mirrors and get ready to download. 
For English & the United States: http://www.gnupg.org/(en)/download/mirrors.html The United States: http://mirrors.rootmode.com/ftp.gnupg.org/ Go into the binary directory: http://mirrors.rootmode.com/ftp.gnupg.org/binary/ Download the following files: gnupg-w32cli-1.4.1.exe libiconv-1.9.1.dll.zip sha1sum.exe and optionally these: gnupg-w32cli-1.4.1.exe.sig libiconv-1.9.1.dll.zip.sig sha1sum.exe.sig Once GnuPG is installed and working, and you have added Werner Koch's public key to your key ring, you could verify that all of the above are okay by typing (IN a Command Prompt INSIDE a folder where both the gnupg-w32cli-1.4.1.exe and the gnupg-w32cli-1.4.1.exe.sig files are) for the installer of GnuPG: gpg --verify gnupg-w32cli-1.4.1.exe.sig I just checked all of them this way, and every one of them is okay, but you can't do that right now (chicken versus the egg problem), so they have kindly provided a sha1sum checksum program with which you can check the integrity: sha1sum sha1sum.exe 4a578ecd09a2d0c8431bdd8cf3d5c5f3ddcddfc9 sha1sum.exe sha1sum gnupg-w32cli-1.4.1.exe db573a6c3707f65797b569efda7e0905c4c4469c gnupg-w32cli-1.4.1.exe The SHA1 check sums can be found here: http://www.gnupg.org/(en)/download/integrity_check.html INSTALLING GNUPG: ================= I am going to make another assumption, and that is that you are using Home XP with the default C: system disk. For Windows 2000 / NT / XP Pro, substitute C:\WINNT for C:\Windows. If you have a different SYSTEM drive, substitute accordingly. [1] Double click on the gnupg-w32cli-1.4.1.exe file and take the defaults for the install. The web page is wrong on steps 3 and 4. The install does all of it for you now. [1a] (optional) I copy the *.exe and *.dll files from the C:\Program Files\GNU\GnuPG to C:\Windows. If you do this just remember that each time you reinstall do the same thing each time. If not, then add GnuPG to your PATH environment variable as the Mozilla page outlines in step 5.
[2] If you don't have it already, create the folder: C:\Documents and Settings\YOURNAME\Application Data\GnuPG Actually, GnuPG should create it for you. You should substitute YOUR user name for "YOURNAME." [3] Edit the attached gnupg_bob.reg file. Every place it says "bob", replace it with YOUR user name. Then double click on the file to enter the registry entries. I just automated step 6 somewhat, but REALIZE THAT THE PATH TO THE EXECUTABLES HAS CHANGED! [4] To create your keys, Start a Command Prompt, and in it type "gpg --gen-key". Take the default key size, BUT MAKE YOUR KEY EXPIRE IN ONE YEAR! The keys should be in the folder you created in Step 2. You can find more on doing this some place OTHER than this short instruction list. PICK YOUR PASS PHRASE CAREFULLY! It should be easy for you to remember, and hard for others to guess. [5] Since you may forget your pass phrase, you need to generate a revocation key. To do this type: gpg --list-keys REM Find your KEYID, or use your mail account name. gpg -a --gen-revoke > YOURNAME_rev.asc [6] If GnuPG didn't create a gpg.conf file for you, then do it per the instructions on the Mozilla web instruction list. [7] copy the secring.gpg and pubring.gpg files and your REVOKE key off and store them some place safe. If you need to revoke your public key at a later date, you will need to --import the revocation, and submit that to a keyserver (IF YOU SUBMIT IT TO A KEYSERVER). There are some good tips on the web page. I just provided a bridge to the new way of doing things with GPG 1.4.1, since they bundled everything into one install package, and you don't have to do anything except verify, then point and double click - mostly. Integrating GnuPG into ThunderBird: =================================== Just follow the steps at: http://enigmail.mozdev.org/ http://enigmail.mozdev.org/download.html It seems fairly easy for me to do. It is a lot easier than the struggling I did to get it shoehorned into Outlook Express. 
It works much better as well. Now somebody else is going to have to tell you how to make Norton Anti-Virus stop marking encrypted messages as SPAM just because it can't make sense out of them. I don't mind Norton scanning for viruses / worms, but it is the responsibility of them to look for the PGP and GnuPG and other OpenPGP compliant messages to realize what they are without me saying ANYTHING. HHH -- Key Name: "Henry Hertz Hobbit" pub 1024D/1CC23BC0 2005-03-08 [expires: 2006-03-08] Key fingerprint = 9CD0 839E 79C9 5E20 B97A 15A6 9AB7 484D 1CC2 3BC0 __________________________________________________________________ Switch to Netscape Internet Service. As low as $9.95 a month -- Sign up today at http://isp.netscape.com/register Netscape. Just the Net You Need. New! Netscape Toolbar for Internet Explorer Search from anywhere on the Web and block those annoying pop-ups. Download now at http://channels.netscape.com/ns/search/install.jsp -------------- next part -------------- A non-text attachment was scrubbed... Name: gnupg_bob.reg Type: application/octet-stream Size: 707 bytes Desc: gnupg_bob.reg Url : /pipermail/attachments/20050326/1b9c3835/gnupg_bob-0001.obj From hhhobbit7 at netscape.net Sat Mar 26 06:30:30 2005
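As an added example, not part of Henry's instructions or of the GnuPG distribution, here is the "chicken versus the egg" step above in code: checking downloaded files against a sha1sum-style listing before GnuPG itself is trusted to verify signatures. The listing format is the one Henry quotes (40 hex digits, two spaces or a space and `*`, then the file name). The file contents and the sums in the listing are constructed so the example runs offline; the real sums must be taken from gnupg.org, not from the mirror that served the files, which is what separates a corrupt download from a substituted one.

```python
"""Added example (not from the page or GnuPG): verify files against a
sha1sum-format manifest and report ok / MISMATCH / missing per file."""
import hashlib
import os
import tempfile

HEX = set("0123456789abcdef")


def parse_sha1sum_listing(text):
    """Parse lines of the form '<40 hex chars>  <filename>' (sha1sum's output
    format) into {filename: hexdigest}. Malformed lines are rejected rather
    than silently skipped, so a truncated manifest cannot pass as complete."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")   # second space, or '*' for binary mode
        digest = digest.lower()
        if len(digest) != 40 or not set(digest) <= HEX or not name:
            raise ValueError("malformed sha1sum line: %r" % line)
        sums[name] = digest
    return sums


def sha1_of_file(path, chunk=1 << 16):
    """Stream the file so large installers do not have to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_downloads(listing_text, directory):
    """Return {filename: 'ok' | 'MISMATCH' | 'missing'} for every listed file."""
    results = {}
    for name, expected in parse_sha1sum_listing(listing_text).items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            results[name] = "missing"
        elif sha1_of_file(path) == expected:
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def demo():
    """Constructed scenario: one intact file, one altered file, one absent.
    The contents are stand-ins, not the real GnuPG binaries or their sums."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "sha1sum.exe")
        bad = os.path.join(d, "gnupg-w32cli-1.4.1.exe")
        with open(good, "wb") as fh:
            fh.write(b"constructed sha1sum stand-in\n")
        with open(bad, "wb") as fh:
            fh.write(b"constructed installer stand-in, then modified\n")
        listing = "\n".join([
            sha1_of_file(good) + "  sha1sum.exe",
            hashlib.sha1(b"constructed installer stand-in\n").hexdigest()
            + " *gnupg-w32cli-1.4.1.exe",
            "0" * 40 + "  libiconv-1.9.1.dll.zip",
        ])
        return check_downloads(listing, d)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print("%-28s %s" % (name, status))
```

`demo()` returns ok for the untouched file, MISMATCH for the altered one and missing for the file that was never downloaded. A MISMATCH on the installer means it must not be run; a mismatch on sha1sum.exe itself means the checking tool cannot be trusted either, which is why Henry has you verify that one first.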
From: hhhobbit7 at netscape.net (Henry Hertz Hobbit) Date: Sat Mar 26 06:27:21 2005 Subject: Total n00b asking for help Message-ID: <0D4D880D.72020573.0307202B@netscape.net> hhhobbit7 wrote: >gnupg-w32cli-1.4.1.exe >libiconv-1.9.1.dll.zip >sha1sum.exe > >and optionally these: > >gnupg-w32cli-1.4.1.exe.sig >libiconv-1.9.1.dll.zip.sig >sha1sum.exe.sig Since somebody else wrote it and got it wrong as well, I will correct it for everybody. I do NOT think it needs the libiconv zip file with 1.4.1. I did the install, and it put the dll file in there. Works like a charm for me. Somebody with a language other than English please speak up so we know what is going on. YOU still will need the gnupg.reg file or enter everything manually for the registry entry. You COULD make shortcuts for executables in Windows, or add the path, or copy the executables like I do. Actually, I copy them into the C:\bin folder which is used by CygWin and is already in my path. I WOULD advise that before you get ready to integrate it into 0.9 Thunderbird that you upgrade Thunderbird to the latest version as well. That would be version 1.0.2. It fixes some very noticeable security problems (phishing), and you should also upgrade to the latest version of Firefox as well. HHH -- Key Name: "Henry Hertz Hobbit" pub 1024D/1CC23BC0 2005-03-08 [expires: 2006-03-08] Key fingerprint = 9CD0 839E 79C9 5E20 B97A 15A6 9AB7 484D 1CC2 3BC0 From fteg at london.com Sat Mar 26 11:15:15 2005
From: fteg at london.com (Fafa Diliha Romanova) Date: Sat Mar 26 11:11:47 2005 Subject: how to beautify gpg+mutt Message-ID: <20050326101515.0FF0D86FBA@cal1-1.us4.outblaze.com> hello i'm a stupid newbie. but i'm trying to get a decent gpg+mutt setup. i've generated my public key but i think that signing using that is a bad idea. people get confused, thinking they're attachments that they are unable to open. besides, mutt gives them bad names like untitled(2) or 1.dat. 1) what other options do i have for signing my messages? i like the way hushmail for instance signs my messages: btw this is a signature right ... not the public key? is it easy generating a signature? -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Example message -----BEGIN PGP SIGNATURE----- Note: This signature can be verified at https://www.hushtools.com/verify Version: Hush 2.4 wkYEARECAAYFAkJEgdgACgkQgrhgoMygEH5zuACgoKvM67sQV6aVK+3oECyZvBMhjFQA oLwM/S0bteviF5SD5wNhBU3DULWs =cTDp -----END PGP SIGNATURE----- 2) that looks, however, kinda messy. is it possible making my signature more good looking? like this, maybe, more consistent and solid? -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Example good looking message -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (FreeBSD) wkYEARECAAYFAkJEgdgACgkQgrhgoMygEH5zuACgoKvM67sQV6aV 0bteviF5SD5wNhBU3DULWs0bteviF5SD5wNhBU3DULWs0bteviF5 -----END PGP SIGNATURE----- 3) the same applies to the end of my public key. it ends like this: EORr3YWE6W98CMw/QYpjTGmxOIhJBBgRAgAJBQJBgkwYAhsMAAoJEHhe0auuyFds WJsAni5+AYlGlvGI83Py3yBVTs7LL8ZOAJ9jhl7rS+NublDbxLGMeTL6MTxYIw== =+Wyz being very concerned about aesthetics, that orphan =+Wyz really bugs me. is there no way of telling gpg that i want clean slices? 
*** here is my .muttrc pertaining to gpg: source ~/.gpgrc set pgp_replysign set pgp_replyencrypt set pgp_verify_sig=yes set pgp_sign_as="AEC8576C" set pgp_strict_enc unset pgp_autosign unset pgp_autoencrypt *** and here is my .gpgrc: set pgp_decode_command="/usr/local/bin/gpg %?p?--passphrase-fd 0? --no-verbose --quiet --batch --output - %f" set pgp_verify_command="/usr/local/bin/gpg --no-verbose --quiet --batch --output - --verify %s %f" set pgp_decrypt_command="/usr/local/bin/gpg --passphrase-fd 0 --no-verbose --quiet --batch --output - %f" set pgp_sign_command="/usr/local/bin/gpg --no-verbose --batch --quiet --output - --passphrase-fd 0 --armor --detach-sign --textmode %?a?-u %a? %f" set pgp_clearsign_command="/usr/local/bin/gpg --no-verbose --batch --quiet --output - --passphrase-fd 0 --armor --textmode --clearsign %?a?-u %a? %f" set pgp_encrypt_only_command="pgpewrap /usr/local/bin/gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --always-trust -- -r %r -- %f" set pgp_encrypt_sign_command="pgpewrap /usr/local/bin/gpg --passphrase-fd 0 --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --always-trust -- -r %r -- %f" set pgp_import_command="/usr/local/bin/gpg --no-verbose --import -v %f" set pgp_export_command="/usr/local/bin/gpg --no-verbose --export --armor %r" set pgp_verify_key_command="/usr/local/bin/gpg --verbose --batch --fingerprint --check-sigs %r" set pgp_list_pubring_command="/usr/local/bin/gpg --no-verbose --batch --quiet --with-colons --list-keys %r" set pgp_list_secring_command="/usr/local/bin/gpg --no-verbose --batch --quiet --with-colons --list-secret-keys %r" set pgp_good_sign="`gettext -d gnupg -s 'Good signature from "' | tr -d '"'`" what am i missing out on? i appreciate any help i can get ... 
and i promise to remain in this community till i'm in you people's shoes, so i can return this help to someone as dumb as me :) best wishes, -- fafa -- ___________________________________________________________ Sign-up for Ads Free at Mail.com http://promo.mail.com/adsfreejump.htm From cedar at 3web.net Sat Mar 26 15:51:10 2005 From: cedar at 3web.net (C. D. Rok) Date: Sat Mar 26 15:47:58 2005 Subject: how to beautify gpg+mutt In-Reply-To: <20050326101515.0FF0D86FBA@cal1-1.us4.outblaze.com> References: <20050326101515.0FF0D86FBA@cal1-1.us4.outblaze.com> Message-ID: <424576DE.1040708@3web.net> > i've generated my public key but i think that signing using that > is a bad idea. people get confused, thinking they're attachments that > they are unable to open. In addition, I've discovered there are more and more of those that simply filter all messages with unsolicited attachments straight into trash, on the (not entirely unreasonable) assumption that such attachments are viruses and/or such messages are spam. C. Rok From bdesham at gmail.com Sun Mar 27 03:31:33 2005 From: bdesham at gmail.com (Benjamin Esham) Date: Sun Mar 27 03:27:38 2005 Subject: Good introduction to GPG concepts? Message-ID: <44dc113e7b2e7f08ce72555e68f1c8f4@gmail.com> Where can I find a fairly basic introduction to GPG concepts like trust models and signatures? I've been using GPG for personal use for five years, but somehow missed some of the more basic concepts. I took a look at the GPG Privacy Handbook, but it looks like it hasn't been updated for six years. Thanks for the help! -- Benjamin D. Esham bdesham@gmail.com | http://bdesham.net | AIM: bdesham128 Wikipedia, the Free Encyclopedia --- http://en.wikipedia.org From zuxy.meng at gmail.com Sun Mar 27 08:15:41 2005
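An added example, not from fafa's post or from GnuPG, on question 3 of the "how to beautify gpg+mutt" message above: the short `=+Wyz` line that ends an armored key or signature is not a leftover slice of the data. It is the Radix-64 CRC-24 checksum of the decoded bytes, computed as specified in RFC 4880 section 6.1, and it is what lets a reader detect a block that was mangled in transit (which is also why the tidy equal-width "good looking" block in question 2 would not verify: it has no checksum line). The code below implements the checksum, wraps and unwraps a block the way GnuPG lays it out (64-character lines), and shows that changing a single body character is caught. The sample payload is constructed, not a real OpenPGP packet.

```python
"""Added example (not GnuPG code): the OpenPGP armor CRC-24 and a minimal
armor/dearmor round trip that demonstrates what the '=xxxx' line is for."""
import base64

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data):
    """Bitwise CRC-24 exactly as given in RFC 4880 section 6.1."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def checksum_line(data):
    """The '=' line: CRC-24 as three big-endian bytes, base64 encoded."""
    return "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")


def armor(data, kind="PGP MESSAGE", width=64):
    """Build an armored block. width=64 is GnuPG's line length, which is why
    the last body line is usually short and the checksum line stands alone."""
    body = base64.b64encode(data).decode("ascii")
    lines = [body[i:i + width] for i in range(0, len(body), width)]
    return "\n".join(["-----BEGIN %s-----" % kind, ""] + lines
                     + [checksum_line(data), "-----END %s-----" % kind, ""])


def dearmor(text):
    """Parse an armored block; returns (data, checksum_ok). Armor headers
    such as Version: and Comment: up to the first blank line are skipped;
    a five-character line starting with '=' is the checksum."""
    lines = iter(text.splitlines())
    for line in lines:
        if line.startswith("-----BEGIN "):
            break
    else:
        raise ValueError("no armor header")
    for line in lines:
        if line.strip() == "":
            break
    body, expected = [], None
    for line in lines:
        if line.startswith("-----END "):
            break
        if line.startswith("=") and len(line) == 5:
            expected = line
        else:
            body.append(line.strip())
    data = base64.b64decode("".join(body))
    return data, expected is not None and expected == checksum_line(data)


def demo():
    """Round-trip a constructed payload, then flip one body character and
    show the checksum no longer matches. Returns (data intact, ok, ok after
    tampering)."""
    sample = bytes(range(1, 80))          # constructed payload
    block = armor(sample)
    data, ok = dearmor(block)
    head, _, rest = block.partition("\n\n")
    first = rest[0]
    tampered = head + "\n\n" + ("A" if first != "A" else "B") + rest[1:]
    _, ok_tampered = dearmor(tampered)
    return data == sample, ok, ok_tampered


if __name__ == "__main__":
    print(armor(bytes(range(1, 80))))
    print(demo())
```

`demo()` returns `(True, True, False)`. Because a 24-bit CRC catches every error burst of 24 bits or fewer, any single altered base64 character (at most six contiguous bits) is guaranteed to be detected, so an orphan `=xxxx` line is the one part of the block that cannot be reflowed or trimmed for looks.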
From: zuxy.meng at gmail.com (Zuxy) Date: Sun Mar 27 08:12:12 2005 Subject: Problem about gpa 0.7 Message-ID: Hi list, I work under Fedora Core 3. GPA 0.7 can't start, with the following error message: glibc detected *** double free or corruption (out): 0x08781088 Neither the li built rpm (http://apt.ling.li/rpms/gpa/gpa-0.7.0-3.li.fc3.i586.rpm) nor my build from source works :-( Is it a glibc related problem? My version is glibc-2.3.4-2.fc3.3 -- Zuxy Beauty is truth, While truth is beauty. PGP KeyID: E8555ED6 From vedaal at hush.com Sun Mar 27 16:12:51 2005
From: vedaal at hush.com (vedaal@hush.com) Date: Sun Mar 27 16:08:57 2005 Subject: ? problem with verification of pgp armored signed files using sha-256 ? Message-ID: <200503271412.j2RECuJC061066@mailserver3.hushmail.com> have recently looked at an old pgpckt version, and found that gnupg 1.4.1 does not verify armored signed files done in ckt (i don't remember which was the last version of gnupg that did verify it, but do remember that it was not a problem in earlier versions) here is the gnupg output, followed by the actual armored signed file: $ gpg t/cktasf.asc gpg: armor: BEGIN PGP MESSAGE gpg: armor header: Version: 6.5.8ckt 9b3 gpg: armor header: Comment: Acts of Kindness better the World, and protect the Soul :compressed packet: algo=1 :signature packet: algo 1, keyid 5AA20C866A589A97 version 3, created 1111931695, md5len 5, sigclass 01 digest algo 8, begin of digest 61 c1 data: [4095 bits] :literal data packet: mode t (74), created 2516582400, name="", raw data: 50 bytes gpg: original file name='' gpg: old style (PGP 2.x) signature gpg: Signature made 03/27/05 08:54:55 using RSA key ID 6A589A97 gpg: WARNING: signature digest conflict in message gpg: Can't check signature: general error here is the armored signed file: -----BEGIN PGP MESSAGE----- Version: 6.5.8ckt 9b3 Comment: Acts of Kindness better the World, and protect the Soul owEBUgKt/YkCFQMFAUJGuy9aogyGalialwEIYcEP/1PU5NdNgRjpJvvQFJ/F2HXE hnuzkdFQrSAcBJdsxCjll0mU63A5chwWXXRfFxz8jcvY37xfOcIzgz9wUrv6qjRG UVsUyhBehATHFknw9eU4yfwfGtAmjs3vSq/4N77NZju5SfV9otAYuHRNMyI4jh5U kPwCI/WmqtjNHO3vLHs+b8USlFilyjPoV/ccKFWgyMjvchniTIcfZ4j5RuzSeoPE MzKuDk2qdKOA/QM5P1FP0VMYztLU9Cc4zUsXUgdQI/odVGi3fkAHrOyeqDoOoYD2 7YxJRRRBcdDbz01XazYH4ZkoC//TEgXVzKvJhmJbXpMzwTkSEi9qi49VUqtQFiPD Jp4RVcqQd23RhbL3gzt9pUISsMWFhD4MedBgtEuVAfXlUsKsm4n3boqAyz84dYgV WljI1po1mIv8di3MT0QIz1LK9WE6jZz+AUl1BPNozQGI41591kUnDVJW00LaPibS cpIZ4W+UDozdgN6Qpa/v1hPeFZjES2/ZwwRf2KSLPgDppiQvk2cmgs3brkkYwxc0 
LVKgnXMkbBf0z5EgioejmuNJJemRk2TdZmG31/LB1DdO5+s8jd32hPl8tTDG97So hDrqduAqjPTmoIZzGwJTgBke7JZs7JVPp0avwzlVMiPpvbogQpxAB5XAVG3AVj5r jXfV+CEvuwx9Ng4lSNVzrDh0AJYAAAB0ZXN0IGFybW9yZWQgc2lnbmVkIG1lc3Nh Z2UNCmNrdDliMyB2NGtleSBzaGEyNTYNCg== =1yaA -----END PGP MESSAGE----- (official)pgp9beta does not have the pgptools easilyaccessible, so i couldn't create an armored signed file there to test, so am reporting this for further testing / followup i suspect that it may be limited to the old ckt builds, but there may be a potential incompatibility with verification of armored signed files done in pgp9 too tia, vedaal Concerned about your privacy? Follow this link to get secure FREE email: http://www.hushmail.com/?l=2 Free, ultra-private instant messaging with Hush Messenger http://www.hushmail.com/services-messenger?l=434 Promote security and make money with the Hushmail Affiliate Program: http://www.hushmail.com/about-affiliate?l=427 From agwn at libero.it Sun Mar 27 16:54:57 2005 
From: agwn at libero.it (agwn@libero.it) Date: Sun Mar 27 17:44:05 2005 Subject: Entropy + SHA1 Message-ID: I've read an old post (April 2000?) where Werner Koch said he didn't like the choice of Twofish with a keylength of 256 bits for different reasons: -128 bits would suffice -nobody uses a passphrase with the same order of magnitude of entropy to protect the secret key -256 bits keylength is a risk for the precious bits in the entropy pool I'm particularly interested in the third issue. Today the default symmetric algo in gpg is AES256, I don't like AES, and Twofish is out (not in the OpenPGP standard, isn't it?), but the keylength issue remains. Is there any way to know the amount of entropy in the pool, available through /dev/random (Linux kernel 2.4)? The second question, maybe already discussed, regards the recent attack on SHA1; I don't know how successful it is since I read only a preliminary paper containing some collisions without the mathematics behind them. DSA requires a 160 bit hash, but it seems that only SHA1 is allowed. Is there any future plan to replace SHA1 with RIPEMD160? Agwn -- OpenPGP public key available through keyservers, ID: 0x0642A90B Key fingerprint: 6C25 677F E058 D2A6 8759 9BD5 7658 4B23 0642 A90B Always check key fingerprints! ____________________________________________________________ 6X Speed up your 56k browsing? 6X Web Accelerator from Libero! Download it from INTERNET GRATIS 6X http://www.libero.it From david at midrange.com Sun Mar 27 20:03:06 2005
From: david at midrange.com (David Gibbs) Date: Sun Mar 27 21:01:40 2005 Subject: Winpt error -- Sorry, you need a newer gpg version Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I get this error anytime I try to start up WinPT on my XP SP2 system. "Sorry, you need a newer GPG version. GPG version 1.0.4 requred GPG version 1.2.4" I'm running the following ... WinPT version 0.9.90 ... and ... [C:/GnuPG] ./gpg --version gpg (GnuPG) 1.4.1 Copyright (C) 2005 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. Home: C:/GnuPG Supported algorithms: Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512 Compression: Uncompressed, ZIP, ZLIB, BZIP2 ... both are in c:/gnupg Any suggestions? Thanks! david -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFCRvVad5EkU9GYADMRAvZtAJ9YDK7YxVCTCKQYjpyyxa/fewQITACeJnBa VPm7Jmxsu4Kx6Vo5XwXJIGw= =a+Ob -----END PGP SIGNATURE----- From jmh17 at pitt.edu Mon Mar 28 00:50:33 2005 
From: jmh17 at pitt.edu (John Harrold) Date: Mon Mar 28 01:35:14 2005 Subject: Clarification on purpose of subordinate keys Message-ID: <20050327225033.GD5043@sage.che.pitt.edu> Hello, I've been signing my emails with my gpg key (F65A739E) at least that is what mutt says. However, when it's sent it appears to be signed with a sub key (B23241CB). Can someone explain the purpose of subordinate keys and what I'm doing wrong? ----------------------------- pub 1024D/F65A739E 2002-10-02 uid "John M. Harrold" uid John Mark Harrold uid [jpeg image of size 5337] sub 1024D/B23241CB 2003-10-01 sub 1024R/C7658196 2003-10-02 -- ---------------------------------------------------------- | /"\ john harrold | \ / ASCII ribbon campaign jmh at member.fsf.org | X against HTML mail the most useful idiot | / \ ---------------------------------------------------------- What difference does it make to the dead, the orphans, and the homeless, whether the mad destruction is brought under the name of totalitarianism or the holy name of liberty and democracy? --Gandhi ---------------------------------------------------------- gpg --keyserver pgp.mit.edu --recv-key F65A739E ---------------------------------------------------------- From minnesotan at runbox.com Mon Mar 28 07:33:52 2005 
From: minnesotan at runbox.com (Randy Burns) Date: Mon Mar 28 07:30:32 2005 Subject: Good introduction to GPG concepts? In-Reply-To: <44dc113e7b2e7f08ce72555e68f1c8f4@gmail.com> Message-ID: <20050328053352.69098.qmail@web201.biz.mail.re2.yahoo.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 > Where can I find a fairly basic introduction to GPG concepts > like trust models and signatures? I've been using GPG for > personal use for five years, but somehow missed some of the more > basic concepts. I took a look at the GPG Privacy Handbook, but > it looks like it hasn't been updated for six years. > > Thanks for the help! > > -- > Benjamin D. Esham Try: http://www.pgpi.org/doc/pgpintro/#p17 http://www.rubin.ch/pgp/weboftrust.en.html All the best, Randy -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) - GPGshell v3.41 Comment: Public Keys: www.geocities.com/burns98/pgp iD8DBQFCR5NdO1wFkBRYxW8RA9kDAJ9OL2Q45s3X6h1ze7xwZ15bynBNiACguClF qHCkRybILxTUPgnR1kiztMo= =VcdQ -----END PGP SIGNATURE----- From shavital at mac.com Mon Mar 28 08:53:30 2005 
From: shavital at mac.com (Charly Avital) Date: Mon Mar 28 08:49:50 2005 Subject: Clarification on purpose of subordinate keys In-Reply-To: <20050327225033.GD5043@sage.che.pitt.edu> References: <20050327225033.GD5043@sage.che.pitt.edu> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 John, here's the information I get on your key: pub 1024D/F65A739E created: 2002-10-02 expires: never usage: CS trust: unknown validity: unknown sub 1024R/C7658196 created: 2003-10-02 expires: never usage: E sub 1024g/C6C536C3 created: 2002-10-02 expired: 2003-10-02 usage: E sub 1024D/B23241CB created: 2003-10-01 expires: never usage: SA [ unknown] (1). "John M. Harrold" [ unknown] (2) John Mark Harrold [ unknown] (3) [jpeg image of size 5337] On 2003-10-01 you generated an additional subkey B23241CB (usage: SA = Sign Authenticate). This is the subkey that is being used for signing, instead of the primary key F65A739E. In order to authenticate your signature, the recipient of your signed messages must have this additional subkey in your key's keyblock, in his/her pubring. The other subkeys (usage: E) are used to encrypt (to you). Don't pay attention to the "unknown", it means that in my keyring, your key's trust is unknown, because I have not signed your key and have not assigned trust to it. Charly On Mar 27, 2005, at 5:50 PM, John Harrold wrote: > Hello, > > I've been signing my emails with my gpg key (F65A739E) at least that > is what > mutt says. However, when it's sent it appears to be signed with a > sub key > (B23241CB). Can someone explain the purpose of subordinate keys and > what I'm > doing wrong? > > ----------------------------- > pub 1024D/F65A739E 2002-10-02 > uid "John M. Harrold" > uid John Mark Harrold > uid [jpeg image of size 5337] > sub 1024D/B23241CB 2003-10-01 > sub 1024R/C7658196 2003-10-02 > > [...] 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (Darwin) Comment: GnuPG for Privacy iQIVAwUBQkep+G69XHxycyfPAQhw+w/9HSpvO4a9id4k8/siqZEMDAFgXh7KePlW iYwYe6fS0d3JUoeXsMH6lo1+sVu0aWuJtPgEi4tbfebY50sWVHp2/FSY2a2Xvlkb vviBTQ+gT6aRoLCiJsm5lMIsCVIuaZ6uMRHGxYAVLLIUCip4igW4uq51DhvCX2Zz a2ldaedh/mFYeKsml5GXFTqqW0zWvB1Mj7YA77yJq6Ak8gV0vh0FKUMSHJt0dWHe TcIykaJlLGjBAVjM01b1GRkkuRuyza9PO7P9JT6ILuV/cibKQHF4xdk9FwLROCgP Y/izs/Fx8ZygxaaO+LXKZDheD77kr+FTPrhhn6HBdjL7skPRSHqg+wtYWk0bZDZJ SvMMRpBh4AVBWeJfyfc7D/JAXlJttApoDf15T47u1VbPU7nJLQYqzkCvPttfrOrF w/iyxO6qeAt5OKEZ6PlKIMyT/JHYoyP0qyyXaLn5gZgbhO8Nwmi3+aKKDDEsT+OF flWKryGj/4g1GuYivs75V3yKe1IB1Iqxe5LE9+B6+8rcrOpKh0XariORuPaukizo H3W5yMvOFmdLCHvBGO6GRsNGRkCGX2BnQJ+Nv6MoLQGTqtnmhqoPQ45ZrRBoQEZw vgqDiZekPgXkbT/GZg6ZtM0S8sDrgKXd7wXknSLMYgygGXKUw5fpbK4QaK/BV5qk HfVN/flQYAM= =/o6S -----END PGP SIGNATURE----- From messtic at oreka.com Mon Mar 28 10:07:15 2005 From: messtic at oreka.com (Alain Bench) Date: Mon Mar 28 15:19:41 2005 Subject: unavailable conversion (was: Help on information with Gnupg) In-Reply-To: <87ll8bhp68.fsf@wheatstone.g10code.de> References: <87ll8bhp68.fsf@wheatstone.g10code.de> Message-ID: <20050328080715.GA10577@oreka.com> Hello Gbenga, On Wednesday, March 23, 2005 at 4:41 PM, Gbenga Abimbola wrote: >| $ gpg -v >| gpg: conversion from `utf-8' to `roman8' not available On HP-UX? Then: In fact the said conversion *is* available, but a bug makes GnuPG request it under a wrong name, unknown by the HP iconv library. GnuPG says "utf-8", while HP expects "utf8". There may perhaps be a workaround on the system: Creating an alias utf-8 to utf8 in /usr/lib/nls/iconv/config.iconv or something like that. There is an alias section, and comments about the expected format. Or install libiconv 1.9.2 to replace HP iconv. Bye! Alain. -- How to Report Bugs Effectively From jmh17 at pitt.edu Mon Mar 28 16:27:27 2005 
From: jmh17 at pitt.edu (John Harrold)
Date: Mon Mar 28 16:20:21 2005
Subject: Clarification on purpose of subordinate keys
In-Reply-To:
References: <20050327225033.GD5043@sage.che.pitt.edu>
Message-ID: <20050328142727.GA15768@sage.che.pitt.edu>

Sometime in March Charly Avital assaulted the keyboard and produced:

| John,
|
| here's the information I get on your key:
| pub  1024D/F65A739E  created: 2002-10-02  expires: never       usage: CS
|                      trust: unknown       validity: unknown
| sub  1024R/C7658196  created: 2003-10-02  expires: never       usage: E
| sub  1024g/C6C536C3  created: 2002-10-02  expired: 2003-10-02  usage: E
| sub  1024D/B23241CB  created: 2003-10-01  expires: never       usage: SA
|
| [ unknown] (1). "John M. Harrold"
| [ unknown] (2)  John Mark Harrold
| [ unknown] (3)  [jpeg image of size 5337]
|
| On 2003-10-01 you generated an additional subkey B23241CB (usage: SA =
| Sign Authenticate). This is the subkey that is being used for signing,
| instead of the primary key F65A739E. In order to authenticate your
| signature, the recipient of your signed messages must have this
| additional subkey in your key's keyblock, in his/her pubring.

Ok, that makes sense. I honestly don't remember making the SA key, but given the time frame it probably happened when I was trying to unexpire the key F65A739E. Can you elaborate on the reasons for using a separate key for signing messages?

-- 
----------------------------------------------------------
| /"\                                      john harrold
| \ /     ASCII ribbon campaign            jmh at member.fsf.org
|  X      against HTML mail                the most useful idiot
| / \
----------------------------------------------------------
What difference does it make to the dead, the orphans, and the
homeless, whether the mad destruction is brought under the name of
totalitarianism or the holy name of liberty and democracy?
--Gandhi
----------------------------------------------------------
gpg --keyserver pgp.mit.edu --recv-key B23241CB
----------------------------------------------------------

From noodles at earth.li Thu Mar 24 23:49:08 2005
From: noodles at earth.li (Jonathan McDowell)
Date: Tue Mar 29 11:01:42 2005
Subject: Shouldn't keyservers store and provide subkeys?
In-Reply-To: <20050324214449.GX9105@wilma.widomaker.com>
References: <200503241204.j2OC4qg12267@Porthos.co.umist.ac.uk> <87acothrr1.fsf@wheatstone.g10code.de> <20050324212002.GD12643@jabberwocky.com> <20050324214449.GX9105@wilma.widomaker.com>
Message-ID: <20050324224908.GD31829@earth.li>

[I'm guessing the original mail was on gnupg-users; I'm not on that list though I do read pgp-keyserver-folk.]

On Thu, Mar 24, 2005 at 04:44:49PM -0500, Jason Harris wrote:
> On Thu, Mar 24, 2005 at 04:20:02PM -0500, David Shaw wrote:
> > I'm all for it. It would be nice to point people to a keyserver set
> > that works properly with everything: multiple subkeys, photo IDs, and
> > MR output. At the moment, this is just SKS servers.

onak should handle all of these; if anyone has examples of keys that it doesn't deal with then please do let me know the details.

I appreciate that the.earth.li [wwwkeys.uk.pgp.net] is probably the only public keyserver running the code, but I do try to react to any bug reports I receive.

It can be found at:

http://www.earth.li/projectpurple/progs/onak.html

which also has details of the arch repository.

J.

-- 
101 things you can't have too much of : 41 - Tea.
This .sig brought to you by the letter E and the number 3
Product of the Republic of HuggieTag

From lists at stinkfoot.org Thu Mar 24 23:57:52 2005
From: lists at stinkfoot.org (Ethan Weinstein)
Date: Tue Mar 29 11:01:51 2005
Subject: Shouldn't keyservers store and provide subkeys?
In-Reply-To: <20050324224908.GD31829@earth.li>
References: <200503241204.j2OC4qg12267@Porthos.co.umist.ac.uk> <87acothrr1.fsf@wheatstone.g10code.de> <20050324212002.GD12643@jabberwocky.com> <20050324214449.GX9105@wilma.widomaker.com> <20050324224908.GD31829@earth.li>
Message-ID: <424345F0.3010003@stinkfoot.org>

Jonathan McDowell wrote:

> onak should handle all of these; if anyone has examples of keys that it
> doesn't deal with then please do let me know the details.
>
> I appreciate that the.earth.li [wwwkeys.uk.pgp.net] is probably the
> only public keyserver running the code, but I do try to react to any
> bug reports I receive.
>
> It can be found at:
>
> http://www.earth.li/projectpurple/progs/onak.html
>
> which also has details of the arch repository.

I suppose I'll chime in here. I'm finally going to trash PKS in the coming days, sad but true. I've been playing around with SKS recently, and it seems fairly stable. I'd forgotten about onak, I'll give it a try as well. I'll [obviously] let my sync partners know what I eventually decide to do.

-E

From DRussell at siriusradio.com Thu Mar 24 21:56:14 2005
From: DRussell at siriusradio.com (Russell David)
Date: Tue Mar 29 11:01:55 2005
Subject: passphrase-fd works on linux but not windows
Message-ID:

echo "cowards die many times"| gpg --passphrase-fd 0 --output c:\test\wes_test.txt --decrypt c:\test\wes_test.txt.asc

Somebody help me here. Why is this not working...

David Russell
Sirius Satellite Radio
Staff, CA Systems
SQL Server DBA
212-584-5179

From fteg at london.com Fri Mar 25 22:34:57 2005
From: fteg at london.com (Fafa Diliha Romanova)
Date: Tue Mar 29 11:01:57 2005
Subject: how to beautify gpg+mutt
Message-ID: <20050325213458.177544BEAE@ws1-1.us4.outblaze.com>

hello

i'm a stupid newbie. but i'm trying to get a decent gpg+mutt setup.

i've generated my public key but i think that signing using that is a bad idea. people get confused, thinking they're attachments that they are unable to open. besides, mutt gives them bad names like untitled(2) or 1.dat.

1) what other options do i have for signing my messages? i like the way hushmail for instance signs my messages: btw this is a signature right ... not the public key? is it easy generating a signature?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Example message
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkJEgdgACgkQgrhgoMygEH5zuACgoKvM67sQV6aVK+3oECyZvBMhjFQA
oLwM/S0bteviF5SD5wNhBU3DULWs
=cTDp
-----END PGP SIGNATURE-----

2) that looks, however, kinda messy. is it possible making my signature more good looking? like this, maybe, more consistent and solid?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Example good looking message
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

wkYEARECAAYFAkJEgdgACgkQgrhgoMygEH5zuACgoKvM67sQV6aV
0bteviF5SD5wNhBU3DULWs0bteviF5SD5wNhBU3DULWs0bteviF5
-----END PGP SIGNATURE-----

3) the same applies to the end of my public key. it ends like this:

EORr3YWE6W98CMw/QYpjTGmxOIhJBBgRAgAJBQJBgkwYAhsMAAoJEHhe0auuyFds
WJsAni5+AYlGlvGI83Py3yBVTs7LL8ZOAJ9jhl7rS+NublDbxLGMeTL6MTxYIw==
=+Wyz

being very concerned about aesthetics, that orphan =+Wyz really bugs me. is there no way of telling gpg that i want clean slices?
*** here is my .muttrc pertaining to gpg:

source ~/.gpgrc
set pgp_replysign
set pgp_replyencrypt
set pgp_verify_sig=yes
set pgp_sign_as="AEC8576C"
set pgp_strict_enc
unset pgp_autosign
unset pgp_autoencrypt

*** and here is my .gpgrc:

set pgp_decode_command="/usr/local/bin/gpg %?p?--passphrase-fd 0? --no-verbose --quiet --batch --output - %f"
set pgp_verify_command="/usr/local/bin/gpg --no-verbose --quiet --batch --output - --verify %s %f"
set pgp_decrypt_command="/usr/local/bin/gpg --passphrase-fd 0 --no-verbose --quiet --batch --output - %f"
set pgp_sign_command="/usr/local/bin/gpg --no-verbose --batch --quiet --output - --passphrase-fd 0 --armor --detach-sign --textmode %?a?-u %a? %f"
set pgp_clearsign_command="/usr/local/bin/gpg --no-verbose --batch --quiet --output - --passphrase-fd 0 --armor --textmode --clearsign %?a?-u %a? %f"
set pgp_encrypt_only_command="pgpewrap /usr/local/bin/gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --always-trust -- -r %r -- %f"
set pgp_encrypt_sign_command="pgpewrap /usr/local/bin/gpg --passphrase-fd 0 --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --always-trust -- -r %r -- %f"
set pgp_import_command="/usr/local/bin/gpg --no-verbose --import -v %f"
set pgp_export_command="/usr/local/bin/gpg --no-verbose --export --armor %r"
set pgp_verify_key_command="/usr/local/bin/gpg --verbose --batch --fingerprint --check-sigs %r"
set pgp_list_pubring_command="/usr/local/bin/gpg --no-verbose --batch --quiet --with-colons --list-keys %r"
set pgp_list_secring_command="/usr/local/bin/gpg --no-verbose --batch --quiet --with-colons --list-secret-keys %r"
set pgp_good_sign="`gettext -d gnupg -s 'Good signature from "' | tr -d '"'`"

what am i missing out on? i appreciate any help i can get ...
and i promise to remain in this community till i'm in you people's shoes, so i can return this help to someone as dumb as me :)

best wishes,

-- 
fafa

-- 
___________________________________________________________
Sign-up for Ads Free at Mail.com
http://promo.mail.com/adsfreejump.htm

From kaisung at gmail.com Tue Mar 29 03:27:23 2005
From: kaisung at gmail.com (Kai-Min Sung)
Date: Tue Mar 29 11:02:00 2005
Subject: gpg script to remove passphrase from secret key
Message-ID: <7256a45f050328172773a934c4@mail.gmail.com>

Hi,

I'm trying to write a script that will remove the passphrase from a secret key. Here's the command I'm using:

gpg --passphrase-fd 0 --command-fd 0 --edit-key user@domain.com < input

The input file looks like:

---input start---
oldpassphrase
passwd

save
quit
Y
---input end---

gpg doesn't seem to be reading the new passphrase from fd 0. The man page says --passphrase-fd will only work if you're using one passphrase, which is probably why this fails. Is there any other way to make this work?

Thanks in advance,
-Kai

From kaisung at gmail.com Tue Mar 29 04:43:12 2005
From: kaisung at gmail.com (Kai-Min Sung)
Date: Tue Mar 29 11:02:03 2005
Subject: gpg script to remove passphrase from secret key
In-Reply-To: <7256a45f050328172773a934c4@mail.gmail.com>
References: <7256a45f050328172773a934c4@mail.gmail.com>
Message-ID: <7256a45f05032818431aa278fd@mail.gmail.com>

Never mind, I think I figured it out. Here's the command to use:

gpg --status-fd 1 --command-fd 0 --edit-key user@domain.com < input

and here's the input file:

---input start---
passwd
old_pass

Y
save
Y
---input end---

Replace the first blank line with a new passphrase if you want to change the passphrase instead of removing it.

Cheers,
-Kai

On Mon, 28 Mar 2005 17:27:23 -0800, Kai-Min Sung wrote:
> Hi,
>
> I'm trying to write a script that will remove the passphrase from a
> secret key. Here's the command I'm using:
>
> gpg --passphrase-fd 0 --command-fd 0 --edit-key user@domain.com < input
>
> The input file looks like:
>
> ---input start---
> oldpassphrase
> passwd
>
> save
> quit
> Y
> ---input end---
>
> gpg doesn't seem to be reading the new passphrase from fd 0. The man
> page says --passphrase-fd will only work if you're using one
> passphrase, which is probably why this fails. Is there any other way
> to make this work?
>
> Thanks in advance,
> -Kai
>

From DELEE at TRANSENTRIC.COM Tue Mar 29 11:13:58 2005
From: DELEE at TRANSENTRIC.COM (DELEE@TRANSENTRIC.COM)
Date: Tue Mar 29 11:11:00 2005
Subject: David E. Lee is out of the office.
Message-ID:

I will be out of the office starting 03/28/2005 and will not return until 04/04/2005.

On vacation, if you really need me, call my cell phone 314-749-9265

From wk at gnupg.org Tue Mar 29 11:15:56 2005
From: wk at gnupg.org (Werner Koch)
Date: Tue Mar 29 11:16:25 2005
Subject: Clarification on purpose of subordinate keys
In-Reply-To: <20050328142727.GA15768@sage.che.pitt.edu> (John Harrold's message of "Mon, 28 Mar 2005 09:27:27 -0500")
References: <20050327225033.GD5043@sage.che.pitt.edu> <20050328142727.GA15768@sage.che.pitt.edu>
Message-ID: <87r7hyersj.fsf@wheatstone.g10code.de>

On Mon, 28 Mar 2005 09:27:27 -0500, John Harrold said:

> given the time frame it probably happened when I was trying to unexpire the
> key F65A739E. Can you elaborate on the reasons for using a separate key for
> signing messages?

It is mostly useful if you keep your primary key offline (cf. --export-secret-subkeys). In the case of a key compromise, you would only need to revoke the existing subkeys and create new subkeys. This saves you all the key signatures (Web Of Trust) as they are signing the primary key only.

Shalom-Salam,

   Werner

From wk at gnupg.org Tue Mar 29 12:18:52 2005
From: wk at gnupg.org (Werner Koch)
Date: Tue Mar 29 12:16:27 2005
Subject: gpg script to remove passphrase from secret key
In-Reply-To: <7256a45f05032818431aa278fd@mail.gmail.com> (Kai-Min Sung's message of "Mon, 28 Mar 2005 18:43:12 -0800")
References: <7256a45f050328172773a934c4@mail.gmail.com> <7256a45f05032818431aa278fd@mail.gmail.com>
Message-ID: <87br92eovn.fsf@wheatstone.g10code.de>

On Mon, 28 Mar 2005 18:43:12 -0800, Kai-Min Sung said:

> and here's the input file:
> ---input start---
> passwd
> old_pass
> Y
> save
> Y
> ---input end---

If you use such a canned input file, make sure that it is only used with gpg versions you tested. The correct way is to parse the status-fd messages and provide the answers as required.

Salam-Shalom,

   Werner

From netcrusher88 at gmail.com Wed Mar 30 05:45:09 2005
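Werner's advice above (answer what gpg actually asks on status-fd instead of feeding it a canned input file, as in Kai-Min's script) as an added example; this is not GnuPG's code nor the posters'. It targets gpg 1.4's --command-fd/--status-fd protocol; the prompt names it recognises (keyedit.prompt, passphrase.enter, passphrase.repeat, change_passwd.empty.okay, keyedit.save.okay) are the ones gpg 1.4 emits, and SAMPLE_STATUS is a constructed status stream, not output captured from a run.

```python
"""Answer gpg --edit-key prompts from its status-fd stream instead of a canned file.

Added example (not GnuPG's code, nor the posters') for gpg 1.4's
--command-fd/--status-fd protocol. SAMPLE_STATUS is constructed, not captured.
"""
import subprocess
from typing import Iterable, List, Optional


class EditKeyDriver:
    """State machine answering the prompts of `passwd` followed by `save`."""

    def __init__(self, old_passphrase: str, new_passphrase: str = "") -> None:
        self.old = old_passphrase
        self.new = new_passphrase           # "" asks gpg to remove the passphrase
        self.commands = ["passwd", "save"]  # replies to keyedit.prompt, in order
        self.hidden_seen = 0                # GET_HIDDEN passphrase.enter count
        self.log: List[str] = []            # prompt -> answer trail, passphrases masked

    def respond(self, line: str) -> Optional[str]:
        """Return the reply for a GET_* status line, or None when no input is wanted."""
        if not line.startswith("[GNUPG:] "):
            return None                     # ordinary gpg output, not a status message
        fields = line.split()
        if len(fields) < 2:
            return None
        keyword = fields[1]
        prompt = fields[2] if len(fields) > 2 else ""
        if keyword == "BAD_PASSPHRASE":
            # Stop here: gpg would ask again and we must not hand it the new one.
            raise RuntimeError("current passphrase was rejected by gpg")
        answer: Optional[str] = None
        if keyword == "GET_LINE" and prompt == "keyedit.prompt":
            answer = self.commands.pop(0) if self.commands else "quit"
        elif keyword == "GET_HIDDEN" and prompt == "passphrase.enter":
            # gpg asks for the current passphrase first, then for the new one.
            answer = self.old if self.hidden_seen == 0 else self.new
            self.hidden_seen += 1
        elif keyword == "GET_HIDDEN" and prompt == "passphrase.repeat":
            answer = self.new
        elif keyword == "GET_BOOL" and prompt in ("change_passwd.empty.okay",
                                                  "keyedit.save.okay"):
            answer = "Y"
        elif keyword in ("GET_LINE", "GET_HIDDEN", "GET_BOOL"):
            # Unknown prompt: a different gpg version or key state. Refuse to
            # guess, which is exactly what a canned input file cannot do.
            raise RuntimeError("unexpected gpg prompt: " + line.strip())
        if answer is not None:
            shown = "<hidden>" if keyword == "GET_HIDDEN" else answer
            self.log.append(f"{prompt} -> {shown}")
        return answer


def drive(status_lines: Iterable[str], driver: EditKeyDriver) -> List[str]:
    """Run a recorded status stream through the driver; return the replies in order."""
    replies: List[str] = []
    for line in status_lines:
        reply = driver.respond(line)
        if reply is not None:
            replies.append(reply)
    return replies


def run_gpg_passwd(key_id: str, old_passphrase: str, new_passphrase: str = "") -> List[str]:
    """Drive a real gpg 1.4 over pipes: status arrives on fd 1, commands go to fd 0."""
    proc = subprocess.Popen(
        ["gpg", "--status-fd", "1", "--command-fd", "0", "--no-tty",
         "--edit-key", key_id],
        stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
    driver = EditKeyDriver(old_passphrase, new_passphrase)
    assert proc.stdin is not None and proc.stdout is not None
    for line in proc.stdout:
        reply = driver.respond(line)
        if reply is not None:
            proc.stdin.write(reply + "\n")
            proc.stdin.flush()
    proc.stdin.close()
    proc.wait()
    return driver.log


# Constructed stream: `passwd` removing the passphrase, then `save`.
SAMPLE_STATUS = [
    "[GNUPG:] GET_LINE keyedit.prompt",
    "[GNUPG:] GOT_IT",
    "[GNUPG:] NEED_PASSPHRASE 0123456789ABCDEF 0123456789ABCDEF 17 0",
    "[GNUPG:] GET_HIDDEN passphrase.enter",
    "[GNUPG:] GOT_IT",
    "[GNUPG:] GOOD_PASSPHRASE",
    "[GNUPG:] GET_HIDDEN passphrase.enter",
    "[GNUPG:] GOT_IT",
    "[GNUPG:] GET_BOOL change_passwd.empty.okay",
    "[GNUPG:] GOT_IT",
    "[GNUPG:] GET_LINE keyedit.prompt",
    "[GNUPG:] GOT_IT",
]

if __name__ == "__main__":
    print(drive(SAMPLE_STATUS, EditKeyDriver("old_pass")))
```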
From: netcrusher88 at gmail.com (Joey Harrison)
Date: Wed Mar 30 05:41:09 2005
Subject: online email usage with gnupg
Message-ID:

is there any way to use gnupg with online email services like gmail, yahoo, and hotmail?

From brunij at earthlink.net Wed Mar 30 08:11:20 2005
From: brunij at earthlink.net (Joseph Bruni)
Date: Wed Mar 30 08:07:29 2005
Subject: online email usage with gnupg
In-Reply-To:
References:
Message-ID:

Not likely. To do so would require uploading your private key to the various services assuming that they have built the necessary web pages to prompt you for your encryption passphrase, etc. This would make your private key accessible to anyone on the service (an administrator) and would nullify any security benefit. Indeed, the only way you can ensure security using public-key cryptography is to ensure your exclusive access to the private key itself.

There is probably a way to use public-key cryptography using webmail but would be really cumbersome to use. Barring the use of digital signatures, it is conceivable to design a webmail system whereby you could send encrypted emails if the public keys of the recipients could be loaded onto the webmail servers. But does that really solve the problem? Without the private key to digitally sign the email, anyone could forge an email as if from you.

On Mar 29, 2005, at 8:45 PM, Joey Harrison wrote:

> is there any way to use gnupg with online email services like gmail,
> yahoo, and hotmail?

From eocsor at gmail.com Wed Mar 30 09:08:53 2005
From: eocsor at gmail.com (Roscoe)
Date: Wed Mar 30 10:05:20 2005
Subject: online email usage with gnupg
In-Reply-To:
References:
Message-ID:

gmail supports pop so that's one way with the help of a pop3 speaking email client.

I personally just write my email in my text editor then pipe it through gpg --clearsign [or -ae] then paste it into the webmail interface. Sure it's not the world's fastest operation but hey, it's <5% of the time it took to write the email.

From johanw at vulcan.xs4all.nl Wed Mar 30 11:09:25 2005
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Wed Mar 30 11:04:34 2005
Subject: online email usage with gnupg
In-Reply-To: from Joey Harrison at "Mar 29, 2005 07:45:09 pm"
Message-ID: <200503300909.LAA00828@vulcan.xs4all.nl>

Joey Harrison wrote:

> is there any way to use gnupg with online email services like gmail,
> yahoo, and hotmail?

Sure: encrypt and sign the mail locally and paste the result in the edit window of the webmail provider of your choice. I don't know if attachments with a hand-set type are possible, otherwise signing mail will be limited to inline signatures only.

-- 
ir. J.C.A. Wevers         //  Physics and science fiction site:
johanw@vulcan.xs4all.nl   //  http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From wk at gnupg.org Wed Mar 30 12:34:07 2005
From: wk at gnupg.org (Werner Koch)
Date: Wed Mar 30 12:31:36 2005
Subject: Winpt error -- Sorry, you need a newer gpg version
In-Reply-To: (David Gibbs's message of "Sun, 27 Mar 2005 12:03:06 -0600")
References:
Message-ID: <878y45bexs.fsf@wheatstone.g10code.de>

On Sun, 27 Mar 2005 12:03:06 -0600, David Gibbs said:

> I get this error anytime I try to start up WinPT on my XP SP2 system.
> "Sorry, you need a newer GPG version.
> GPG version 1.0.4 requred GPG version 1.2.4"

You probably have an old version of GnuPG somewhere. I suggest to install the latest winpt as well as the latest gnupg (1.4.1) and make sure that WinPT's preferences are correct. Under preferences->gpg you need to enter the full path to gpg.exe. With gpg 1.4.1 this is something like

  c:\Program Files\GNU\GnuPGH\gpg.exe

Shalom-Salam,

   Werner

From wk at gnupg.org Wed Mar 30 12:38:29 2005
From: wk at gnupg.org (Werner Koch)
Date: Wed Mar 30 12:36:26 2005
Subject: Anyone use GPG 1.4.x on Windows successfully?
In-Reply-To: <4244EBF0.1080506@actiwhiz.com> (Samphan Raruenrom's message of "Sat, 26 Mar 2005 11:58:24 +0700")
References: <42417B8F.8090705@actiwhiz.com> <4244EBF0.1080506@actiwhiz.com>
Message-ID: <874qetbeqi.fsf@wheatstone.g10code.de>

On Sat, 26 Mar 2005 11:58:24 +0700, Samphan Raruenrom said:

> Are there anyone being able to use GPG 1.4.0/1.4.1 on Windows successfully?

Works for me on W2000 and I know that it works for about everyone on every Windows version.

>> 8<-------------------------------------------------------------->8
>> The output stop here and never continue. I tried using the disk,
>> keyboard, mouse. I can't make gpg to finish generating keys.

Start another application and do some work; "dir /s c:\" in a terminal window should also help. It will soon continue the key generation.

Salam-Shalom,

   Werner

From smfabac at att.net Wed Mar 30 00:29:52 2005
From: smfabac at att.net (Steve M. Fabac, Jr.)
Date: Wed Mar 30 14:35:42 2005
Subject: New user problems please help
Message-ID: <4249D6E0.544A5F99@att.net>

I have downloaded the gnupg-1.4.1.tar.gz from http://mirrors.rootmode.com/ftp.gnupg.org/ as well as gnupg-1.4.1.tar.gz.sig and followed the steps to verify the archive by running

gpg --verify gnupg-1.4.1.tar.gz.asc
(after renaming gnupg-1.4.1.tar.gz.sig to gnupg-1.4.1.tar.gz.asc )

I get:

gpg: Signature made Tue Mar 15 10:29:15 2005 CST using DSA key ID 57548DCD
gpg: BAD signature from "Werner Koch (gnupg sig) "

From the second line above, I take it that the "BAD" indicates some problem. What's wrong?

PS, I downloaded gnupg 1.2 pre-compiled and installed it and used it to run the gpg commands above.

-- 
Steve Fabac
S.M. Fabac & Associates
816/765-1670

From fteg at london.com Wed Mar 30 12:13:34 2005
From: fteg at london.com (Fafa Diliha Romanova)
Date: Wed Mar 30 14:35:47 2005
Subject: how to beautify gpg+mutt
Message-ID: <20050330101334.5644F4BEAD@ws1-1.us4.outblaze.com>

Exactly! So how do you prevent this? What signature method do you use?

I still haven't gotten any reply to my post.

All the best,

-- 
Fafa

----- Original Message -----
From: "C. D. Rok"
To: gnupg-users@gnupg.org
Subject: Re: how to beautify gpg+mutt
Date: Sat, 26 Mar 2005 14:51:10 +0000

>
> > i've generated my public key but i think that signing using that
> > is a bad idea. people get confused, thinking they're attachments that
> > they are unable to open.
>
> In addition, I've discovered there are more and more of those
> that simply filter all messages with unsolicited attachments
> straight into trash, on the (not entirely unreasonable) assumption
> that such attachments are viruses and/or such messages are spam.
>
> C. Rok
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

-- 
___________________________________________________________
Sign-up for Ads Free at Mail.com
http://promo.mail.com/adsfreejump.htm

From wk at gnupg.org Wed Mar 30 17:37:25 2005
From: wk at gnupg.org (Werner Koch)
Date: Thu Mar 31 06:40:40 2005
Subject: New user problems please help
In-Reply-To: <4249D6E0.544A5F99@att.net> (Steve M. Fabac, Jr.'s message of "Tue, 29 Mar 2005 16:29:52 -0600")
References: <4249D6E0.544A5F99@att.net>
Message-ID: <87y8c587re.fsf@wheatstone.g10code.de>

On Tue, 29 Mar 2005 16:29:52 -0600, Steve M Fabac, said:

> gpg --verify gnupg-1.4.1.tar.gz.asc
> (after renaming gnupg-1.4.1.tar.gz.sig to
> gnupg-1.4.1.tar.gz.asc )

Out of curiosity, why did you rename it? Using .sig works just fine.

> gpg: Signature made Tue Mar 15 10:29:15 2005 CST using DSA key ID 57548DCD
> gpg: BAD signature from "Werner Koch (gnupg sig) "

Someone modified the tarball! However, it is more likely that you had a problem during download (e.g. not using binary mode). Check the size:

  4059170 Mar 15 17:11 gnupg-1.4.1.tar.gz

as well as the checksum

  $ sha1sum gnupg-1.4.1.tar.gz
  f8e982d5e811341a854ca9c15feda7d5aba6e09a  gnupg-1.4.1.tar.gz

If the length does not match, you had a download problem: check local diskspace as well as binary/ascii setting of the FTP client. If the checksum matches and the signature does not, then there is a problem with the .sig file.

> PS, I downloaded gnupg 1.2 pre-compiled and installed it and used it
> to run the gpg commands above.

And how did you make sure that this version has not been modified?

Salam-Shalom,

   Werner

From wk at gnupg.org Wed Mar 30 17:59:41 2005
From: wk at gnupg.org (Werner Koch)
Date: Thu Mar 31 06:40:49 2005
Subject: Encrypting when secret keyring is not available
In-Reply-To: <20050318232352.68106.qmail@web30905.mail.mud.yahoo.com> (D. Borkovic's message of "Fri, 18 Mar 2005 15:23:52 -0800 (PST)")
References: <20050318232352.68106.qmail@web30905.mail.mud.yahoo.com>
Message-ID: <87acol86qa.fsf@wheatstone.g10code.de>

On Fri, 18 Mar 2005 15:23:52 -0800 (PST), D Borkovic said:

> Sometimes I want to encrypt a message when my memory stick is
> not available. The public keyring is available. However, Gnupg
> will NOT encrypt a message when a secret keyring is not available.

No problem here:

  $ ls -la
  total 64
  dr-xr-xr-x 2 wk wk  4096 Mar 30 17:55 .
  drwxr-xr-x 9 wk wk  4096 Mar 30 17:49 ..
  -rw------- 1 wk wk 47077 Mar 30 17:50 pubring.gpg
  -rw------- 1 wk wk   600 Mar 30 17:55 random_seed
  -rw------- 1 wk wk  1200 Mar 30 17:55 trustdb.gpg
  $ gpg --homedir . -eavr wk@gnupg.org --always-trust --lock-never
  "
  -----BEGIN PGP MESSAGE-----
  Version: GnuPG v1.4.1 (GNU/Linux)

  hQEMA3KZxii2BPFIAQf/ceX/CmTvapNFlz++KWFi/3mn1KnboOQVYrxb+c6nDO1Z
  fCbgPq8oyzEpBGwgyMiDB3EXQpGQrwd/kcdp8XP06+78KdVR27auYApW3Ay21X8B
  TpRN0PqqAV621o6WoLLa5RMOu92WNV/EbsK7FzRyL+ZQMTbBL7jtF9UKGGeZH9Zn
  xfniI82mGQ21ssqwV6GHU+rTHmhEvoqIZlu6409+ZlJTQnnR5wOYbR/qedpdWl+I
  Icx+WT8kqEyUacUIfcZ2yRROXRCt2cdbk0DbsHTIRSUbQkI0YpWHUfBcvjEvXQFj
  /nKVedvL0bM37w7cdZyVENb2kmWGy703aY1BJ5GxVtLAfwHtmy80WGMOsmLL9Vc3
  pzIS5fc0luz7OHtic/95YCCa9hI007GBOTkprcvj/SmjLn+5I1dRjWMWP1Tp+HiC
  Oj6TvtNz15NjQlJdwgOr4Wwzkjvfii/4dtNZMBa2hjShaAJjBiUfkTBzuH7JuH0o
  vUEWz178+6dlYEjNngxlwGm8H0PnOV0JCTRc7FBtebmJaQU8o63syGqKSBzl8KBO
  p4aF5iwHJuKQ/uF7dO1UraS0C+JVfByXfBfqW2mQChpMOE95GmjPpXlY6r697vIM
  wsVxAntCc3LigvksIyp624dYHRyY/1Guzj56V0EY2Vw18pCi1yK0/FjVWNvHnyl2
  p6mw5emi1IQLGMF5eBAzdB66Gp4BAPb9oXBtkkMr0fmDsdJ3BODVZgB1qwLn4p7a
  gj16fJkBMr1ckfuogiI6A1g=
  =J+gg
  -----END PGP MESSAGE-----

Make sure that you did not request signing and encryption. A secret key is required for signing.
Shalom-Salam,

   Werner

From mark at evilcomputing.co.uk Wed Mar 30 18:13:30 2005
From: mark at evilcomputing.co.uk (Mark)
Date: Thu Mar 31 06:41:11 2005
Subject: New user problems please help
In-Reply-To: <4249D6E0.544A5F99@att.net>
References: <4249D6E0.544A5F99@att.net>
Message-ID: <424AD02A.10109@evilcomputing.co.uk>

Steve M. Fabac, Jr. said the following on 29/03/2005 23:29:

> and followed the steps to verify the
> archive by running
>
> gpg --verify gnupg-1.4.1.tar.gz.asc
> (after renaming gnupg-1.4.1.tar.gz.sig to
> gnupg-1.4.1.tar.gz.asc )

Curious as to why you had to rename? gpg --verify gnupg.1.4.1.tar.gz.sig /should/ work.

HTH

Mark

-- 
http://www.evilcomputing.net

From johanw at vulcan.xs4all.nl Wed Mar 30 18:18:30 2005
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Thu Mar 31 06:41:30 2005
Subject: how to beautify gpg+mutt
In-Reply-To: <20050330101334.5644F4BEAD@ws1-1.us4.outblaze.com> from Fafa Diliha Romanova at "Mar 30, 2005 05:13:34 am"
Message-ID: <200503301618.SAA00630@vulcan.xs4all.nl>

Fafa Diliha Romanova wrote:

Please don't toppost.

>> In addition, I've discovered there are more and more of those
>> that simply filter all messages with unsolicited attachments
>> straight into trash, on the (not entirely unreasonable) assumption
>> that such attachments are viruses and/or such messages are spam.

> So how do you prevent this?

Use inline signatures instead of mime-attaching a signature.

-- 
ir. J.C.A. Wevers         //  Physics and science fiction site:
johanw@vulcan.xs4all.nl   //  http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From johanw at vulcan.xs4all.nl Wed Mar 30 18:17:02 2005
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Thu Mar 31 06:41:40 2005
Subject: New user problems please help
In-Reply-To: <4249D6E0.544A5F99@att.net> from "Steve M. Fabac, Jr." at "Mar 29, 2005 04:29:52 pm"
Message-ID: <200503301617.SAA00599@vulcan.xs4all.nl>

Steve M. Fabac, Jr. wrote:

> (after renaming gnupg-1.4.1.tar.gz.sig to
> gnupg-1.4.1.tar.gz.asc )

Why did you rename the file? Not that it matters, gnupg will ignore extensions anyway, but .asc is usually used for base-64 encoded files. The signature on the source is in binary format.

> I get:
> gpg: Signature made Tue Mar 15 10:29:15 2005 CST using DSA key ID 57548DCD
> gpg: BAD signature from "Werner Koch (gnupg sig) "
>
> From the second line above, I take it that the "BAD" indicates some
> problem. What's wrong?

The signature file doesn't match with the source file. This could mean that the source was modified, a corrupt download, or a corrupt signature file. Most probably, however, your browser unpacked the gzipped file but didn't rename it. How big is the file? It should be around 3.8 MB.

-- 
ir. J.C.A. Wevers         //  Physics and science fiction site:
johanw@vulcan.xs4all.nl   //  http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From mark at evilcomputing.co.uk Wed Mar 30 18:03:27 2005
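The triage Werner and Johan describe in this thread (is the file still gzipped, is the length right, does the sha1sum match, and only then suspect the .sig) as an added example; it is not GnuPG's code nor the posters'. The expected size and SHA-1 are the values Werner quoted for gnupg-1.4.1.tar.gz; the byte strings fed to it below are constructed for illustration, and the .sig/.asc distinction follows the OpenPGP rule that a binary packet's first octet has its high bit set.

```python
"""Triage a BAD signature on gnupg-1.4.1.tar.gz before blaming the signer.

Added example for the verification thread above, not GnuPG's code or the
posters'. Expected size and SHA-1 are the values Werner quoted for the 1.4.1
tarball; every byte string used with these functions is constructed.
"""
import hashlib

GNUPG_141_SIZE = 4059170
GNUPG_141_SHA1 = "f8e982d5e811341a854ca9c15feda7d5aba6e09a"
GZIP_MAGIC = b"\x1f\x8b"
TAR_MAGIC_OFFSET = 257          # a POSIX tar header carries "ustar" here
ARMOR_HEADER = b"-----BEGIN PGP"


def sha1_hex(data: bytes) -> str:
    """The same hex digest `sha1sum` prints, so it compares with Werner's value."""
    return hashlib.sha1(data).hexdigest()


def signature_format(sig: bytes) -> str:
    """Tell a binary OpenPGP signature (.sig) from an ASCII-armored one (.asc).

    Renaming .sig to .asc changes nothing for gpg, which sniffs the content:
    a binary packet starts with an octet whose high bit is set (RFC 4880,
    section 4.2), while armor starts with a text header line.
    """
    if sig.startswith(ARMOR_HEADER):
        return "armored"
    if sig and sig[0] & 0x80:
        return "binary"
    return "unknown"


def diagnose_download(data: bytes, expected_size: int, expected_sha1: str) -> str:
    """Pick the explanation for a BAD signature, in the order the thread suggests."""
    if not data.startswith(GZIP_MAGIC):
        if data[TAR_MAGIC_OFFSET:TAR_MAGIC_OFFSET + 5] == b"ustar":
            # Johan's case: the browser gunzipped the download but kept the .gz name.
            return "decompressed-tar: file is a plain tar; re-download without decoding"
        return "not-gzip: this is not the tarball the signature was made over"
    if len(data) != expected_size:
        return (f"size-mismatch: {len(data)} bytes, expected {expected_size} "
                "(truncated, out of disk space, or ASCII-mode FTP transfer)")
    if sha1_hex(data) != expected_sha1:
        return "content-mismatch: right size but wrong checksum (file modified or corrupted)"
    return "content-ok: tarball matches the published checksum; check the .sig file itself"


def diagnose_file(path: str, sig_path: str) -> str:
    """Convenience wrapper for a real gnupg-1.4.1.tar.gz and its detached signature."""
    with open(path, "rb") as fh:
        data = fh.read()
    with open(sig_path, "rb") as fh:
        sig = fh.read(16)
    verdict = diagnose_download(data, GNUPG_141_SIZE, GNUPG_141_SHA1)
    return f"{verdict}; signature file format: {signature_format(sig)}"
```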
From: mark at evilcomputing.co.uk (Mark)
Date: Thu Mar 31 06:41:53 2005
Subject: how to beautify gpg+mutt
In-Reply-To: <20050325213458.177544BEAE@ws1-1.us4.outblaze.com>
References: <20050325213458.177544BEAE@ws1-1.us4.outblaze.com>
Message-ID: <424ACDCF.609@evilcomputing.co.uk>

Fafa Diliha Romanova said the following on 25/03/2005 21:34:

> but i'm trying to get a decent gpg+mutt setup.

A little out-of-date but have a look at:

http://www.faqs.org/docs/Linux-HOWTO/Mutt-GnuPG-PGP-HOWTO.html

[big snip]

> is it possible making my signature more good looking? like this,
> maybe, more consistent and solid?

Sorry, this is pretty serious (though accessible) crypto - aesthetics has never really been high during development.

HTH (consider it a bump if nothing else)

Mark

-- 
http://www.evilcomputing.net

From wk at gnupg.org Wed Mar 30 18:13:14 2005
From: wk at gnupg.org (Werner Koch)
Date: Thu Mar 31 06:42:12 2005
Subject: (Import-)Problem in gnupg 1.4.1
In-Reply-To: <42405E21.7060601@gmx.de> (Thomas Marx's message of "Tue, 22 Mar 2005 19:04:17 +0100")
References: <42405E21.7060601@gmx.de>
Message-ID: <873bud863p.fsf@wheatstone.g10code.de>

On Tue, 22 Mar 2005 19:04:17 +0100, Thomas Marx said:

> every key is listed twice. The difference is the usage of the slash and
> the back slash.

I just checked it and the reason for the duplicate listing is that we use a caseinsensitive compare but care about slash and backslash. In this regard the files are different and both get listed. I hesitate to change the comparison due to possible side effects.

You have specified the keyrings at two different places or simply added the default keyring a second time in the gpg.conf. Please make sure to consistently use slashes or backslashes. Compare gpg.conf against the Registry setting HKCU\Software\GNU\GnuPG:HomeDir - I guess that the Registry entry used forward slashes for historic reasons.

Salam-Shalom,

   Werner

From johanw at vulcan.xs4all.nl Wed Mar 30 18:23:10 2005
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Thu Mar 31 06:42:20 2005
Subject: WinPT error on win95
Message-ID: <200503301623.SAA00667@vulcan.xs4all.nl>

Hello,

When I tried to install GnuPG 1.4.1 and WinPT 0.9.90 on an old win95 machine, GnuPG worked fine but WinPT gave the error that WS_32.dll was missing. Can I just copy that file from a newer windows version? Is win95 supported at all?

-- 
ir. J.C.A. Wevers         //  Physics and science fiction site:
johanw@vulcan.xs4all.nl   //  http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From dirk.traulsen at lypso.de Wed Mar 30 13:53:47 2005
From: dirk.traulsen at lypso.de (Dirk Traulsen)
Date: Thu Mar 31 08:26:40 2005
Subject: Clarification on purpose of subordinate keys
In-Reply-To: <87r7hyersj.fsf@wheatstone.g10code.de>
References: <20050328142727.GA15768@sage.che.pitt.edu> (John Harrold's message of "Mon, 28 Mar 2005 09:27:27 -0500")
Message-ID: <424AAF6B.19365.ECDB1C@localhost>

On 29 Mar 2005 at 11:15, Werner Koch wrote:

> On Mon, 28 Mar 2005 09:27:27 -0500, John Harrold said:
>
> > given the time frame it probably happened when I was trying to unexpire the
> > key F65A739E. Can you elaborate on the reasons for using a separate key for
> > signing messages?
>
> It is mostly useful if you keep your primary key offline
> (cf. --export-secret-subkeys). In the case of a key compromise, you
> would only need to revoke the existing subkeys and create new subkeys.
> This saves you all the key signatures (Web Of Trust) as they are
> signing the primary key only.
>

This sounds interesting. Please help me to clarify it a bit.

After some tests and reading in my understanding it works like this:

1. add signing subkey to KEY
2. --export-secret-subkey KEY (without specifying the subkey) => key.sec.asc
3. --export KEY => key.asc
4. nothing changes on system1
5. import the exported (crippled) secret key on system2: --import key.sec.asc
6. import the signatures: --import key.asc
7. Result: On system2 I can use gpg normally and sign with the signing subkey, but the main key is deleted/crippled/deactivated(?) and not usable for signing. As I'm not able to sign with the main key, it is for example impossible to add a new uid, a new subkey or to revoke.

When system2 would be cracked, an attacker would not have access to the secret part of my main key (really?).

But for me it would still be possible to go to system1 and
a. change my passphrase
b. revoke the compromised subkeys
c. add new subkeys and start the cycle again
without losing all the signatures on my uid in the primary key, what would have been the case, if I had to revoke the complete key.

The only negative point is, that I have to go to system1 to maintain my key.

Is this correct?

Dirk

From paphal at fiatauto.com.ar Wed Mar 30 17:33:43 2005
From: paphal at fiatauto.com.ar (Fernandez Aphal, Pedro)
Date: Thu Mar 31 08:26:47 2005
Subject: passphrase-fd works on linux but not windows
Message-ID:

try this: (try this!!)

echo "cowards die many times"| gpg --passphrase-fd 0 --output c:\test\wes_test.txt --decrypt c:\test\wes_test.txt.asc < c:\passphrase.txt

============================================================================
===***************

regards

Ing. Pedro Fernandez Aphal
Tel (54 11) 4344-5713
Fax (54 11) 4344-5761

This electronic mail transmission may contain confidential information addressed only to the person(s) named. Any use, distribution, copying or disclosure by any other person and/or entities other than the intended recipient is prohibited. If you received this transmission in error, please inform the sender immediately and delete the material.

From wk at gnupg.org Thu Mar 31 10:47:14 2005
From: wk at gnupg.org (Werner Koch)
Date: Thu Mar 31 10:46:30 2005
Subject: Clarification on purpose of subordinate keys
In-Reply-To: <424AAF6B.19365.ECDB1C@localhost> (Dirk Traulsen's message of "Wed, 30 Mar 2005 13:53:47 +0200")
References: <20050328142727.GA15768@sage.che.pitt.edu> <424AAF6B.19365.ECDB1C@localhost>
Message-ID: <87ekdw5hil.fsf@wheatstone.g10code.de>

On Wed, 30 Mar 2005 13:53:47 +0200, Dirk Traulsen said:

> This sounds interesting. Please help me to clarify it a bit.
> After some tests and reading in my understanding it works like this:

[1...7]

Correct.

> When system2 would be cracked, an attacker would not have access to
> the secret part of my main key (really?).

Correct. The secret key is not on system2. This is indicated by a hash mark like:

    sec#  1024D/5B0358A2 1999-03-15 [expires: 2009-07-11]
    uid                  Werner Koch
    uid                  Werner Koch
    ssb   1024D/010A57ED 2004-03-21
    ssb   2048R/B604F148 2004-03-21

(A similar thing is with smartcards, there a '>' indicates that the secret key is actually stored on a smartcard).

> But for me it would still be possible to go to system1 and
> a. change my passphrase
> b. revoke the compromised subkeys
> c. add new subkeys and start the cycle again
> without loosing all the signatures on my uid in the primary key, what
> would have been the case, if I had to revoke the complete key.

Correct.

> The only negative point is, that I have to go to system1 to maintain
> my key.
> Is this correct?

Yes.

Salam-Shalom,

Werner

From SThutika at Satyam.odc.ml.com Thu Mar 31 16:01:08 2005
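The offline-primary workflow Dirk lists above and Werner confirms, as an added example that is not code from the thread or from the GnuPG project: a POSIX shell script that audits a `gpg --list-secret-keys` listing for the `#` (stub, secret part absent) and `>` (on smartcard) markers Werner describes, and reproduces the system1/system2 split end to end in two throw-away GNUPGHOME directories. It assumes a GnuPG 2.1 or later binary on PATH (`--quick-generate-key`, `--quick-add-key` and `--pinentry-mode loopback` did not exist in the 1.4 series used in the thread); the embedded sample listing is constructed, modelled on the one quoted in Werner's reply, and the user id in it is a placeholder.

```sh
#!/bin/sh
# Added example (not from the thread or from GnuPG): check that no usable
# primary secret key lives on the daily machine, and reproduce the split.
# Assumes GnuPG >= 2.1 on PATH. The sample listing below is constructed.
set -eu

# Constructed sample, modelled on the listing quoted in the thread:
# '#' after sec = the secret primary is only a stub, '>' = on a smartcard.
SAMPLE_LISTING='sec#  1024D/5B0358A2 1999-03-15 [expires: 2009-07-11]
uid                  Example User <user@example.invalid>
ssb   1024D/010A57ED 2004-03-21
ssb>  2048R/B604F148 2004-03-21'

# Read a --list-secret-keys listing on stdin and print "type column2 status"
# for every sec/ssb line (column 2 is the key id in 1.4, the algorithm in
# 2.x); status is stub, card or present.
audit_secret_keys() {
  awk '$1 ~ /^(sec|ssb)[#>]?$/ {
         type = substr($1, 1, 3); mark = substr($1, 4, 1)
         status = (mark == "#") ? "stub" : (mark == ">") ? "card" : "present"
         print type, $2, status
       }'
}

# Succeed only if the listing has at least one primary (sec) line and every
# one of them is a stub, i.e. the primary secret key is not on this machine.
primary_is_offline() {
  audit_secret_keys | awk '
    $1 == "sec" { n++; if ($3 != "stub") bad = 1 }
    END { exit (n > 0 && !bad) ? 0 : 1 }'
}

audit_sample() {
  printf '%s\n' "$SAMPLE_LISTING" | audit_secret_keys
}

# Run gpg non-interactively against a given GNUPGHOME. The empty passphrase
# only keeps the demo unattended; a real offline primary key needs one.
gpg_at() {
  home=$1; shift
  GNUPGHOME="$home" gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"
}

# Steps 1-6 of the thread in temporary keyrings: system1 keeps the full key,
# system2 receives only the secret subkeys plus the public key.
demo_offline_primary() {
  work=$(mktemp -d); sys1="$work/system1"; sys2="$work/system2"
  mkdir -m 700 "$sys1" "$sys2"

  # certification-only primary, then separate signing and encryption subkeys
  gpg_at "$sys1" --quick-generate-key 'Example User <user@example.invalid>' rsa2048 cert never
  fpr=$(GNUPGHOME="$sys1" gpg --batch --with-colons --list-keys | awk -F: '$1 == "fpr" { print $10; exit }')
  gpg_at "$sys1" --quick-add-key "$fpr" rsa2048 sign never
  gpg_at "$sys1" --quick-add-key "$fpr" rsa2048 encr never

  # steps 2 and 3: secret subkeys (primary becomes a stub) and the public key
  gpg_at "$sys1" --armor --export-secret-subkeys "$fpr" > "$work/key.sec.asc"
  gpg_at "$sys1" --armor --export "$fpr" > "$work/key.asc"

  # steps 5 and 6: import both on system2
  gpg_at "$sys2" --import "$work/key.sec.asc" "$work/key.asc"

  echo "system1:"; GNUPGHOME="$sys1" gpg --batch --list-secret-keys | audit_secret_keys
  echo "system2:"; GNUPGHOME="$sys2" gpg --batch --list-secret-keys | audit_secret_keys
  if GNUPGHOME="$sys2" gpg --batch --list-secret-keys | primary_is_offline; then
    echo "system2 holds only subkeys; the primary secret key stays on system1"
  fi
  GNUPGHOME="$sys1" gpgconf --kill gpg-agent
  GNUPGHOME="$sys2" gpgconf --kill gpg-agent
  rm -rf "$work"
}

case "${1:-}" in
  audit) audit_secret_keys ;;       # e.g. gpg --list-secret-keys | sh this.sh audit
  demo)  demo_offline_primary ;;    # runs the full system1/system2 split
esac
```

Run `gpg --list-secret-keys | sh offline_primary.sh audit` on the daily-use machine: a `sec ... stub` line is the state Werner's `sec#` listing shows, and `primary_is_offline` is the check to put in a script that verifies a workstation before trusting it with signing subkeys. `sh offline_primary.sh demo` walks through the export and import with scratch keyrings so nothing touches your real GNUPGHOME.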
From: SThutika at Satyam.odc.ml.com (Thutika, Srinivas (ODC - Satyam))
Date: Thu Mar 31 15:56:49 2005
Subject: --sign-key problem
Message-ID: <5967AD625B62D5118D180002A50926AB03B51A9C@AGNI>

Hi Werner,

Sorry for disturbing you again.. I am facing a problem in --sign-keys for 1.4.1.
When I used the --sign-key in 1.2.x it is generating sig 3 keys as below
But I am not getting the sig 3 keys in 1.4.1.
Is 1.4.1 having any problem in --sign-key?

Regards,
Srinivas.

-----Original Message-----
From: Werner Koch [mailto:wk@gnupg.org]
Sent: Wednesday, March 23, 2005 4:00 PM
To: Thutika, Srinivas (ODC - Satyam)
Subject: Re: Renaming error

On Wed, 23 Mar 2005 14:27:03 +0530, "Thutika, Srinivas (ODC said:

> I am using gnupg-w32cli-1.4.0a.zip

We fixed such a renaming error in 1.4.1 (look for an exe file as it now comes with an installer).

Salam-Shalom,

Werner

--------------------------------------------------------
If you are not an intended recipient of this e-mail, please notify the sender, delete it and do not read, act upon, print, disclose, copy, retain or redistribute it. Click here for important additional terms relating to this e-mail. http://www.ml.com/email_terms/
--------------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/ms-tnef
Size: 2315 bytes
Desc: not available
Url : /pipermail/attachments/20050331/42c3d9da/attachment.bin

From johanw at vulcan.xs4all.nl Thu Mar 31 15:39:40 2005
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Thu Mar 31 16:02:43 2005
Subject: WinPT error on win95
In-Reply-To: <424BF2E6.3010302@insynergie.de> from "[Ulf Jaenicke-Rößler]" at "Mar 31, 2005 02:53:58 pm"
Message-ID: <200503311339.PAA00908@vulcan.xs4all.nl>

Ulf Jaenicke-Rößler wrote:

> You might need to install the Win95 Winsock2 Update. Try to google for
> "Win95 winsock update" and download it from Microsoft.

I'll try to find it. The machine in question has no internet connection so windows update won't work.

-- 
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From peter.smilde at smilde-becker.net Thu Mar 31 16:20:29 2005
From: peter.smilde at smilde-becker.net (Peter L. Smilde)
Date: Thu Mar 31 17:32:58 2005
Subject: OpenPGP Smartcard with Cygwin
Message-ID: <424C072D.8010601@smilde-becker.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

Under Cygwin I get the next error message:

    gpg --card-edit
    gpg: apdu_open_reader: failed to open driver `libpcsclite.so': dlopen, Win32 error 126
    gpg: card reader not available
    gpg: OpenPGP card not available: general error

I tried installing pcsc-lite from their website, but this only installs a libpcsclite.a and libpcsclite.la.

How do I get the Smartcard working under Cygwin? I found no information on this topic (OpenPGP smartcard cygwin) in the web.

Under Windows itself the OpenPGP card works fine. (Except, that when no card is inserted in the (SCR335) card reader while signing an error window pops up telling that "Die Anweisung in 0x7c9211de" verweist auf Speicher in "0x00000000" Der Vorgang "read" konnte nicht auf dem Speicher durchgeführt werden". When no (usb) card reader is plugged-in a normal gpg warning is issued.)

Thanks,

- -- 
Peter L. Smilde
Finther Strasse 6, D-55257 Budenheim, Germany
Tel: +49 6139 5325, Fax: +49 721 151517676
E-Mail: peter.smilde@smilde-becker.net, OpenPGP Key: 0xB0E4BF99

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCTAcsFCtQzrDkv5kRAkCRAKC0ZWGS8ozRy7xgt1zFBs6W7RtshgCgnZyP
UuEHsIuQP1wU0CM1KGpoBaY=
=sF1Z
-----END PGP SIGNATURE-----

From dshaw at jabberwocky.com Thu Mar 31 18:49:03 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Mar 31 18:45:52 2005
Subject: The PATH problem (was Re: Libcurl)
In-Reply-To:
References: <20050322135536.GA23086__46715.5534112409$1111499852$gmane$org@jabberwocky.com> <20050322185904.GB26177__44366.2190846682$1111518152$gmane$org@jabberwocky.com> <20050322225702.GE26177@jabberwocky.com> <20050323141118.GG26177@jabberwocky.com> <20050325045012.GA13390__34035.1133062088$1111726840$gmane$org@jabberwocky.com>
Message-ID: <20050331164903.GA7849@jabberwocky.com>

On Sat, Mar 26, 2005 at 01:47:36AM +0100, Carlo Luciano Bianco wrote:

> Il /25 mar 2005/, *David Shaw* ha scritto:
>
> > On Wed, Mar 23, 2005 at 06:24:57PM +0100, Carlo Luciano Bianco wrote:
> >
> >> Maybe it is possible to run the keyserver helpers not just by their
> >> name, but by their *entire* name: instead of running
> [...]
> > That is basically the plan. The only (not very) complex thing is that
> > it needs to take into account --exec-path as well as the configure
> > option --disable-keyserver-path, and the various combinations of those
> > options or lack thereof.
>
> Yes, I see...
>
> > Can you try this patch?
>
> Of course! I have tried and it seems it is working OK!

Excellent. Thanks for testing. I've put the fix in for 1.4.2.

David

From adam00f at ducksburg.com Thu Mar 31 21:55:53 2005
From: adam00f at ducksburg.com (Adam Funk)
Date: Thu Mar 31 21:51:49 2005
Subject: Shouldn't keyservers store and provide subkeys?
In-Reply-To:
References:
Message-ID: <200503312055.53339.adam00f@ducksburg.com>

Werner Koch wrote:

> That keyserver as well as all other servers running the old HKS
> software are broken. You should move away from that keyserver and use
> an SKS one (e.g. random.sks.keyserver.penguin.de) or at least those at
> subkeys.pgp.net.

Thanks very much for the information. I was not aware of this problem.

> BTW, to avoid answering these questions over and over,

Sorry!

From archimedes at infinito.it Thu Mar 31 23:36:19 2005
From: archimedes at infinito.it (archimedes@infinito.it)
Date: Fri Apr 1 00:32:42 2005
Subject: New user problems please help
Message-ID:

Steve M. Fabac, Jr. wrote:

[..snip..]

>> PS, I downloaded gnupg 1.2 pre-compiled and installed it and used it
>> to run the gpg commands above.

Only for the sake of curiosity: you've downloaded gpg 1.2 for the only purpose of verifying the source of gpg 1.4.1 or you've received it through a secure verifiable source (for example: a purchased Linux distribution)? In the former case you have got no extra security.

-- 
G
OpenPGP public key available through keyservers, ID: 0x0642A90B
Key fingerprint: 6C25 677F E058 D2A6 8759 9BD5 7658 4B23 0642 A90B
Always check key fingerprints!

_______________________________________
Free connection and 10 MB e-mail, accessible via web and via POP.
www.infinito.it come and discover all our services!
http://www.infinito.it/xmail

From hurone at gmx.de Thu Mar 31 11:35:14 2005
From: hurone at gmx.de (Hurone)
Date: Tue Apr 5 09:45:39 2005
Subject: (Import-)Problem in gnupg 1.4.1
Message-ID: <424BC452.6060902@gmx.de>

-------------- next part --------------
An embedded message was scrubbed...
From: Thomas Marx
Subject: Re: (Import-)Problem in gnupg 1.4.1
Date: Thu, 31 Mar 2005 10:49:07 +0200
Size: 1821
Url: /pipermail/attachments/20050331/51ab23d0/Import-Problemingnupg1.4-0001.mht
-------------- next part --------------
A non-text attachment was scrubbed...
Name: hurone.vcf
Type: text/x-vcard
Size: 115 bytes
Desc: not available
Url : /pipermail/attachments/20050331/51ab23d0/hurone-0001.vcf