From brunij at earthlink.net Fri Dec 1 02:41:36 2006
From: brunij at earthlink.net (Joseph Oreste Bruni)
Date: Fri Dec 1 02:39:50 2006
Subject: Importing my keys fails
In-Reply-To: <200611301323.39754.msemtd@yahoo.co.uk>
References: <26152351.1164836018568.JavaMail.root@elwamui-cypress.atl.sa.earthlink.net>
 <200611301152.34032.msemtd@yahoo.co.uk>
 <200611301323.39754.msemtd@yahoo.co.uk>
Message-ID: <176AFBBC-B55E-4C66-A875-B6DCD3F51376@earthlink.net>

On Nov 30, 2006, at 6:23 AM, Michael Erskine wrote:

>
>> My limited understanding was that symmetric keys were just a pair
>> of fancy numbers! :)
>
> Sorry, I meant asymmetric keys of course :)
>
> Regards,
> Michael Erskine.

The keys themselves are similar at a basic level. But the packaging
and data file formats are not interoperable. An SSH key file is not
much more than the key, but an OpenPGP key also contains elements of
identity such as email addresses, etc. as well as signatures from
other users.

With some work, you could probably extract the RSA key data from the
PGP key and convert it to the format used for OpenSSH, but honestly
it isn't worth the trouble.

There is also some effort to make OpenPGP and X.509 certificates
somewhat interoperable since they have more in common in both content
and purpose.

Someday there might be a grand unification of all things PKI, but I'm
not holding my breath.

From larstiq at larstiq.dyndns.org Fri Dec 1 02:04:01 2006
From: larstiq at larstiq.dyndns.org (Wouter van Heyst)
Date: Fri Dec 1 03:54:44 2006
Subject: Logo ballot reminder
In-Reply-To: <456DCFA0.2040908@cs.cornell.edu>
References: <8764d6b4zk.fsf@wheatstone.g10code.de>
 <6DFB28AC-3B5D-4D90-A95E-5B4792441080@earthlink.net>
 <87r6vmnon5.fsf@wheatstone.g10code.de>
 <456DCFA0.2040908@cs.cornell.edu>
Message-ID: <20061201010401.GB1493@larstiq.dyndns.org>

On Wed, Nov 29, 2006 at 01:21:20PM -0500, Andrew Myers wrote:
> Hi all,
>
> CIVS originally sent text/plain emails. But it was useful to be able to
> embed links and to preserve election description formatting. The HTML it
> sends is pretty minimal -- I don't think it should set off reasonable
> spam filters.

It certainly was enough to make my brain register it as unreadable, I
only went back to it when Warner mentioned the deadline again. Looking
at it now I agree it is rather minimal as far as html goes, but it's
still not something I'd willingly read as email (had to spawn a
browser to look at it).

> At least, I haven't heard this complaint before. Making
> HTML mail an option seems like a good idea, though there are already too
> many options for my taste. If someone wants to write that patch I'd be
> happy to include it.

I had a look at the code, but unfortunately I'm not much of a perl
coder. I'm sure there are others on this list who can do a better job
than I can.

> I hope the election system has been working well for everyone otherwise.

The system was fairly easy to use, the hardest part was deciding how
the various entries ranked :)

Wouter van Heyst

From tmz at pobox.com Fri Dec 1 04:09:14 2006
From: tmz at pobox.com (Todd Zullinger)
Date: Fri Dec 1 04:07:13 2006
Subject: Logo ballot reminder
In-Reply-To: <20061201010401.GB1493@larstiq.dyndns.org>
References: <8764d6b4zk.fsf@wheatstone.g10code.de>
 <6DFB28AC-3B5D-4D90-A95E-5B4792441080@earthlink.net>
 <87r6vmnon5.fsf@wheatstone.g10code.de>
 <456DCFA0.2040908@cs.cornell.edu>
 <20061201010401.GB1493@larstiq.dyndns.org>
Message-ID: <20061201030914.GB11222@psilocybe.teonanacatl.org>

Wouter van Heyst wrote:
> It certainly was enough to make my brain register it as unreadable,
> I only went back to it when Warner mentioned the deadline again.
> Looking at it now I agree it is rather minimal as far as html goes,
> but it's still not something I'd willingly read as email (had to
> spawn a browser to look at it).

Egad, open a browser for that? :)

I just have mutt dump html only messages through w3m -dump and display
the text. That's after my other filters weed out the really obvious
trash and spam. And then only for messages that are HTML only. If
they are multipart alternative I prefer the text/plain part.

Until it was mentioned here I hadn't noticed that the message was HTML
only actually.

> The system was fairly easy to use, the hardest part was deciding how
> the various entries ranked :)

I'll second that. :)

--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
======================================================================
Statistics are like a lamp-post to a drunken man - more for leaning on
than illumination.

From alphasigmax at gmail.com Fri Dec 1 04:26:34 2006
From: alphasigmax at gmail.com (Alphax)
Date: Fri Dec 1 04:25:45 2006
Subject: Logo ballot reminder
In-Reply-To: <20061201010401.GB1493@larstiq.dyndns.org>
References: <8764d6b4zk.fsf@wheatstone.g10code.de>
 <6DFB28AC-3B5D-4D90-A95E-5B4792441080@earthlink.net>
 <87r6vmnon5.fsf@wheatstone.g10code.de>
 <456DCFA0.2040908@cs.cornell.edu>
 <20061201010401.GB1493@larstiq.dyndns.org>
Message-ID: <456FA0EA.9000604@gmail.com>

Wouter van Heyst wrote:
> On Wed, Nov 29, 2006 at 01:21:20PM -0500, Andrew Myers wrote:
>> I hope the election system has been working well for everyone otherwise.
>
> The system was fairly easy to use, the hardest part was deciding how the
> various entries ranked :)
>

I saw something weird where moving entries around didn't preserve the
order that you had put things in... I ended up writing out all the
option numbers on scraps of paper and shuffling them around until they
were in the order I wanted :)

--
Alphax
Death to all fanatics!
Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g

From peter at stoddard.name Fri Dec 1 06:30:32 2006
From: peter at stoddard.name (Peter Stoddard)
Date: Fri Dec 1 10:50:41 2006
Subject: Compile of Gnupg 2.0.1 failed - no libintl
Message-ID: <3F441A29-B3D7-4799-97FB-0D8FC349B209@stoddard.name>

Hi folks

I tried compiling Gnupg 2.0.1 on a 733 MHz PowerPC G4 running Mac OSX
10.4.8 and the make failed with the following error:

In file included from sysutils.c:41:
i18n.h:27:23: error: libintl.h: No such file or directory
sysutils.c: In function 'disable_core_dumps':
sysutils.c:88: warning: implicit declaration of function 'gettext'
sysutils.c:88: warning: incompatible implicit declaration of built-in function 'gettext'
make[2]: *** [libcommon_a-sysutils.o] Error 1
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2

I looked libintl up and it involves native language support. Is this
really necessary to build Gnupg 2.x? If so, is there source code
somewhere I can download?

Thanks
Pete

--
Peter Stoddard -- GPG Key 4A1F5DA0

From linux at thorstenhau.de Fri Dec 1 07:16:23 2006
From: linux at thorstenhau.de (Thorsten Haude)
Date: Fri Dec 1 12:26:39 2006
Subject: Logo ballot reminder
In-Reply-To: <456DCFA0.2040908@cs.cornell.edu>
References: <8764d6b4zk.fsf@wheatstone.g10code.de>
 <6DFB28AC-3B5D-4D90-A95E-5B4792441080@earthlink.net>
 <87r6vmnon5.fsf@wheatstone.g10code.de>
 <456DCFA0.2040908@cs.cornell.edu>
Message-ID: <20061201060837.GA2037@eumel.yoo.local>

Hi,

* Andrew Myers wrote (2006-11-29 13:21):
>CIVS originally sent text/plain emails. But it was useful to be able to
>embed links and to preserve election description formatting. The HTML it
>sends is pretty minimal -- I don't think it should set off reasonable
>spam filters.

I also picked the vote mail from the trashcan. In my case it wasn't so
much the words but the fact that it was HTML-only. Even in complete
Outlook shops mails will have an alternative text part. The vote mail
was the third or so HTML-only mail which proved to be ham, this served
as a very good yardstick in the past.

>At least, I haven't heard this complaint before.

Maybe you don't regularly have votes by people thinking a lot about
email communication.

Thorsten
--
Rarely do we find people who willingly engage in hard, solid thinking.
There is an almost universal quest for easy answers and half-baked
solutions. Nothing pains some people more than having to think.
    - Martin Luther King

From sydbarrett74 at hotmail.com Fri Dec 1 19:32:25 2006
From: sydbarrett74 at hotmail.com (Victor Escobar)
Date: Fri Dec 1 20:55:05 2006
Subject: Problem building libksba
Message-ID:

Hi all,

I'm trying to build libksba in order to build gnupg, and here's the
output.

make all-recursive
Making all in gl
cp ./alloca_.h alloca.h-t
mv alloca.h-t alloca.h
make all-am
/bin/sh ../libtool --tag=CC --mode=link gcc -g -O2 -Wall -Wcast-align -Wshadow -Wstrict-prototypes -Wno-pointer-sign -o libgnu.la
mkdir .libs
ar cru .libs/libgnu.a
ar: no archive members specified
usage: ar -d [-TLsv] archive file ...
       ar -m [-TLsv] archive file ...
       ar -m [-abiTLsv] position archive file ...
       ar -p [-TLsv] archive [file ...]
       ar -q [-cTLsv] archive file ...
       ar -r [-cuTLsv] archive file ...
       ar -r [-abciuTLsv] position archive file ...
       ar -t [-TLsv] archive [file ...]
       ar -x [-ouTLsv] archive [file ...]
make[3]: *** [libgnu.la] Error 1
make[2]: *** [all] Error 2
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2

Please advise.

From reynt0 at cs.albany.edu Sat Dec 2 03:52:04 2006
From: reynt0 at cs.albany.edu (reynt0)
Date: Sat Dec 2 03:50:36 2006
Subject: Logo ballot reminder
In-Reply-To: <456FA0EA.9000604@gmail.com>
References: <8764d6b4zk.fsf@wheatstone.g10code.de>
 <6DFB28AC-3B5D-4D90-A95E-5B4792441080@earthlink.net>
 <87r6vmnon5.fsf@wheatstone.g10code.de>
 <456DCFA0.2040908@cs.cornell.edu>
 <20061201010401.GB1493@larstiq.dyndns.org>
 <456FA0EA.9000604@gmail.com>
Message-ID:

On Fri Dec 01, 2006, Alphax wrote:

> I saw something weird where moving entries around didn't preserve the
> order that you had put things in... I ended up writing out all the
> option numbers on scraps of paper and shuffling them around until they
> were in the order I wanted :)

Similar for me moving entries by clicking movement buttons.
And the display redrew quite slowly each time I changed a
numerical value by direct respecification, though not when
I clicked a movement button. So I ended up being precise only
for the top few rank values and bottom few.

From jmoore3rd at bellsouth.net Sat Dec 2 05:24:01 2006
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Sat Dec 2 05:30:29 2006
Subject: Logo ballot reminder
In-Reply-To:
References: <8764d6b4zk.fsf@wheatstone.g10code.de>
 <6DFB28AC-3B5D-4D90-A95E-5B4792441080@earthlink.net>
 <87r6vmnon5.fsf@wheatstone.g10code.de>
 <456DCFA0.2040908@cs.cornell.edu>
 <20061201010401.GB1493@larstiq.dyndns.org>
 <456FA0EA.9000604@gmail.com>
Message-ID: <4570FFE1.1000708@bellsouth.net>

reynt0 wrote:
> On Fri Dec 01, 2006, Alphax wrote:
>
>> I saw something weird where moving entries around didn't preserve the
>> order that you had put things in... I ended up writing out all the
>> option numbers on scraps of paper and shuffling them around until they
>> were in the order I wanted :)
>
> Similar for me moving entries by clicking movement buttons.
> And the display redrew quite slowly each time I changed a
> numerical value by direct respecification, though not when
> I clicked a movement button. So I ended up being precise only
> for the top few rank values and bottom few.

This was My experience also.

JOHN :-\
Timestamp: Friday 01 Dec 2006, 23:23 --500 (Eastern Standard Time)

From wk at gnupg.org Sat Dec 2 18:01:07 2006
From: wk at gnupg.org (Werner Koch)
Date: Sat Dec 2 18:06:47 2006
Subject: Problem building libksba
In-Reply-To: (Victor Escobar's message of "Fri\, 01 Dec 2006 13\:32\:25 -0500")
References:
Message-ID: <87ac26b5bg.fsf@wheatstone.g10code.de>

On Fri, 1 Dec 2006 19:32, sydbarrett74@hotmail.com said:

> I'm trying to build libksba in order to build gnupg, and here's the

> ar cru .libs/libgnu.a
> ar: no archive members specified

Get libksba 1.0.1 where this problem has been fixed.

 ftp://ftp.gnupg.org/gcrypt/libksba/libksba-1.0.1.tar.bz2
 ftp://ftp.gnupg.org/gcrypt/libksba/libksba-1.0.1.tar.bz2.sig

Salam-Shalom,

   Werner

From wk at gnupg.org Sat Dec 2 18:08:56 2006
From: wk at gnupg.org (Werner Koch)
Date: Sat Dec 2 18:11:52 2006
Subject: Logo ballot reminder
In-Reply-To: <456DCFA0.2040908@cs.cornell.edu> (Andrew Myers's message of "Wed\, 29 Nov 2006 13\:21\:20 -0500")
References: <8764d6b4zk.fsf@wheatstone.g10code.de>
 <6DFB28AC-3B5D-4D90-A95E-5B4792441080@earthlink.net>
 <87r6vmnon5.fsf@wheatstone.g10code.de>
 <456DCFA0.2040908@cs.cornell.edu>
Message-ID: <8764cub4yf.fsf@wheatstone.g10code.de>

On Wed, 29 Nov 2006 19:21, andru@cs.cornell.edu said:

> before. Making HTML mail an option seems like a good idea, though
> there are already too many options for my taste. If someone wants to
> write that patch I'd be happy to include it.

I'd really like it because I drop all mail with any HTML part into the
spam folder except if my real name is included with the address. This
is still a very effective spam filter.

> I hope the election system has been working well for everyone

Yes, it worked well. My feature requests would be:

 * A note that only 1000 addresses may be entered at once might be
   helpful

 * An extra prompt to verify whether the election shall really be
   terminated.

 * A note that the election will not be terminated automatically at
   the specified time.

 * An option to create a static page of the results without Javascript
   and an included stylesheet for easy integration into other websites
   as a reference to the outcome of the election

Thanks for this great service.

Shalom-Salam,

   Werner

From wk at gnupg.org Sat Dec 2 18:45:07 2006
From: wk at gnupg.org (Werner Koch)
Date: Sat Dec 2 19:03:49 2006
Subject: [Announce] Re: GnuPG Logo Contest
In-Reply-To: <87ac4w9fji.fsf@wheatstone.g10code.de> (Werner Koch's message of "Tue\, 19 Sep 2006 15\:01\:05 +0200")
References: <87ac4w9fji.fsf@wheatstone.g10code.de>
Message-ID: <87slfy9opo.fsf@wheatstone.g10code.de>

Hello,

Back in September I announced a contest for a new GnuPG logo. By the
end of October I received 41 submissions from 31 parties. The
original plan was to let all the authors of GnuPG who signed a
copyright assignment with the FSF to vote on a new logo. However, I
only received 11 answers and there was no clear result: Only one
submission got 2 votes. It would have been unfair to take this as a
decision.

So I looked around and found the CIVS [1] which implements a Condorcet
voting system. I fed it with the addresses of all subscribers of the
gnupg-users and gnupg-devel mailing lists and started the process.
From the 1231 unique subscribers, 199 took the time to rank the
submissions and cast their vote. This time the result is pretty
clear:

  Thomas Wittek [2] from Cologne is the lucky winner.

He will soon see his design used with GnuPG and also receive 50
percent of the received donation (we received as of now 215 Euro but
further donations won't be rejected [3]). Unfortunately I can't offer
him a mail alias thomas at gnupg because this has been assigned to the
creator of the old logo.

Ranks 2 and 3 are held by Robbie Tingey and Michel Blinn. They will
receive an email alias for their contribution.

If you like to see the new logo, point your browser to

  http://logo-contest.gnupg.org

You will also find the detailed results of the ballot, all
submissions and the list of sponsors.

I want to thank all who submitted a logo to the contest as well as
those who worked on a logo but submitted it too late. There are some
really cool designs and I hope that some can be reused for another
project.

Special thanks to the sponsors: Intevation GmbH, Markus Komosinski,
Parag Mehta, Folkert van Heusden, Ralph Angenendt, Alexander Tomisch,
Robert Workman, Simon Josefsson.

The remaining funds will be used to help with a new website design.

Many thanks to all,

  Werner

[1] http://www.cs.cornell.edu/andru/civs.html
[2] http://gedankenkonstrukt.de/ueber/ (German)
[3] http://www.gnupg.org/misc/logo-contest.html

--
Werner Koch
The GnuPG Experts http://g10code.com
Join the Fellowship and protect your Freedom! http://www.fsfe.org

_______________________________________________
Gnupg-announce mailing list
Gnupg-announce@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce

From randy at randyburns.us Sat Dec 2 20:02:49 2006
From: randy at randyburns.us (Randy Burns)
Date: Sat Dec 2 20:01:34 2006
Subject: GnuPG Logo Contest
In-Reply-To: <87slfy9opo.fsf@wheatstone.g10code.de>
Message-ID: <359436.34809.qm@web50904.mail.yahoo.com>

It's a good result. I hope you keep the sky blue color too. It would
go well on an arm-logo t-shirt. :-)

example: http://preview.tinyurl.com/yn8ot3

Randy

--- Werner Koch wrote:

> Hello,
>
> Back in September I announced a contest for a new GnuPG logo. By the
> end of October I received 41 submissions from 31 parties. The
> original plan was to let all the authors of GnuPG who signed a
> copyright assignment with the FSF to vote on a new logo. However, I
> only received 11 answers and there was no clear result: Only one
> submission got 2 votes. It would have been unfair to take this as a
> decision.
>
> So I looked around and found the CIVS [1] which implements a Condorcet
> voting system. I fed it with the addresses of all subscribers of the
> gnupg-users and gnupg-devel mailing lists and started the process.
> From the 1231 unique subscribers, 199 took the time to rank the
> submissions and cast their vote. This time the result is pretty
> clear:
>
> Thomas Wittek [2] from Cologne is the lucky winner.
>
> He will soon see his design used with GnuPG and also receive 50
> percent of the received donation (we received as of now 215 Euro but
> further donations won't be rejected [3]). Unfortunately I can't offer
> him a mail alias thomas at gnupg because this has been assigned to the
> creator of the old logo.
>
> Ranks 2 and 3 are held by Robbie Tingey and Michel Blinn. They will
> receive an email alias for their contribution.
>
> If you like to see the new logo, point your browser to
>
> http://logo-contest.gnupg.org
>
> You will also find the detailed results of the ballot, all
> submissions and the list of sponsors.
>
> I want to thank all who submitted a logo to the contest as well as
> those who worked on a logo but submitted it too late.
> There are some
> really cool designs and I hope that some can be reused for another
> project.
>
> Special thanks to the sponsors: Intevation GmbH, Markus Komosinski,
> Parag Mehta, Folkert van Heusden, Ralph Angenendt, Alexander Tomisch,
> Robert Workman, Simon Josefsson.
>
> The remaining funds will be used to help with a new website design.
>
>
> Many thanks to all,
>
> Werner
>

From dshaw at jabberwocky.com Sun Dec 3 06:25:07 2006
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun Dec 3 06:23:53 2006
Subject: gpg strips '0x' on key searches...
In-Reply-To:
References:
Message-ID: <20061203052507.GD28620@jabberwocky.com>

On Tue, Oct 31, 2006 at 01:00:07PM -0800, Mark Atkinson wrote:

> For example, in v1.4.5 that I'm using:
>
> gpg --keyserver hkp://pgpkeys.mit.edu --search-keys 0xCA6CDFB2
>
> is translated to:
>
> http://pgpkeys.mit.edu:11371/pks/lookup?op=index&options=mr&search=CA6CDFB2&exact=on
>
> and fails.
>
> where
>
> http://pgpkeys.mit.edu:11371/pks/lookup?op=index&options=mr&search=0xCA6CDFB2&exact=on
>
> would work. Is this the fault of gpg, or the key server?

It's in GPG. You're quite right, and this is fixed for the next
release.

David

From benjamin at py-soft.co.uk Sun Dec 3 14:54:15 2006
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Sun Dec 3 15:35:44 2006
Subject: Problem building libksba
In-Reply-To:
References:
Message-ID: <4572D707.2080604@py-soft.co.uk>

Victor Escobar wrote:
> Please advise.

This is fixed in v1.0.1 - see
ftp://ftp.gnupg.org/gcrypt/libksba/libksba-1.0.1.tar.bz2

Ben

From benjamin at py-soft.co.uk Sun Dec 3 17:38:19 2006
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Sun Dec 3 17:36:44 2006
Subject: [Announce] GnuPG 2.0.1 released
In-Reply-To:
References: <877ixetl0e.fsf@wheatstone.g10code.de>
 <456DBEA7.2090202@py-soft.co.uk>
 <87vekynoz5.fsf@wheatstone.g10code.de>
 <456DC796.7050009@py-soft.co.uk>
 <456DCE34.3050506@py-soft.co.uk>
Message-ID: <4572FD7B.3050809@py-soft.co.uk>

reynt0 wrote:
> May one ask, is there any chance there will be such a
> packaged version for OS10.3.x as well as for 10.4.x?

Unlikely I'm afraid:

i/ The mac-gpg team consider 10.3.x to be a legacy system.
ii/ I don't have access to 10.3.x
iii/ gpg is easy enough to compile under MacOS now.

However, please feel free to contribute a 10.3.x build.

Ben

From hhhobbit at securemecca.net Mon Dec 4 11:20:40 2006
From: hhhobbit at securemecca.net (Henry Hertz Hobbit)
Date: Mon Dec 4 11:18:43 2006
Subject: Two servers...one KeyPair
In-Reply-To: <0MKpyh-1GpOCi1hpQ-0003O6@mx.perfora.net>
References: <0MKpyh-1GpOCi1hpQ-0003O6@mx.perfora.net>
Message-ID: <1165227640.4884.40.camel@sirius.brigham.net>

On Tue, 2006-11-28 at 15:01 +0100, Albert Reiner wrote:
> Message:1
> Date: Tue, 28 Nov 2006 15:01:25 +0100
> From: Albert Reiner
> Subject: Re: Two servers...one KeyPair
> To: Gnupg-users@gnupg.org
> Cc: "Wolff, Alex"
> Message-ID: <20061128140125.GA15808@tph.tuwien.ac.at>
> Content-Type: text/plain; charset=us-ascii
>
> > I am trying to get around the problem of creating one key-pair and using it
> > on two different servers (TEST and PROD). Is this possible?
>
> Generate the key on one server, export both private and public key
> (gpg --export, gpg --export-private-key), transfer to the other
> server, import private and public key.
>
> HTH,
>
> Albert.

I apologize for not addressing this sooner.

I never heard of the option --export-private-key. I gave the
more complete response of how to do it using --export-secret-keys.
Is --export-private-key part of 2.0 or are you just explaining
the concept? I have never used 2.0, YET.

I said that if you don't have completely duplicate key-rings, you
should do the export. Additionally, if you have generated the keys
on GnuPG, but you are using PGP instead of GnuPG on the other
machine you will also want to do an --export-secret-keys and import
it on the other machine EVEN if the key-rings are duplicates of each
other.

I forgot to ask the philosophical question of whether or not we
should be asked the pass-phrase of the secret key to do this. I
suppose not, since you still need to know it to use the key once you
import it some place else. But it feels strange not to be prompted
for your pass-phrase when you are exporting secret keys. Even if it
doesn't do anything, the asking of you to confirm that you really
want to export your secret key by asking for the pass-phrase of that
key should clue you in that you are doing something that needs to be
done with care and you should probably securely remove the file that
was created when you no longer need it.

HHH

From areiner at tph.tuwien.ac.at Mon Dec 4 12:34:18 2006
From: areiner at tph.tuwien.ac.at (Albert Reiner)
Date: Mon Dec 4 12:33:10 2006
Subject: Two servers...one KeyPair
In-Reply-To: <1165227640.4884.40.camel@sirius.brigham.net>
References: <0MKpyh-1GpOCi1hpQ-0003O6@mx.perfora.net>
 <1165227640.4884.40.camel@sirius.brigham.net>
Message-ID: <20061204113418.GA6026@tph.tuwien.ac.at>

On Mon, Dec 04, 2006 at 03:20:40AM -0700, Henry Hertz Hobbit wrote:
> I never heard of the option --export-private-key. I gave the
> more complete response of how to do it using --export-secret-keys.
> Is --export-private-key part of 2.0 or are just you explaining
> the concept? I have never used 2.0, YET.

Neither have I; sorry for having caused confusion: I simply
mis-remembered the name of the option and wrote -private- instead of
-secret-.

Albert.

From hs2412 at gmail.com Tue Dec 5 10:22:44 2006
From: hs2412 at gmail.com (Hardeep Singh)
Date: Tue Dec 5 11:55:15 2006
Subject: Questions from a newbie
Message-ID:

Hi All

I need to travel a lot and send emails/proposals on the go. Mostly I
just carry my docs on a pendrive, rarely also carrying a laptop. So
even though I have known PGP for quite a long time and I tried my
hand at it, also at thawte, I never took it seriously since PGP needs
to be installed and all.

Now I found GnuPG and liked it - it's small and can be carried on the
pendrive easily. I have a few questions:

1. While creating the key, I noticed RSA is sign only. Does it mean an
RSA key cannot be used to encrypt? Why so - even RSA is now in public
domain I believe. PGP (the free version) also allows RSA keys.

The algorithm used instead by GnuPG is "DSA and Elgamal" which I
haven't heard of and don't know if they are equally secure. Are these
compatible with PGP?

2. What happens if I lose the pendrive? They would not know the
password but they would have the secret key. Does it make it easier
for them to hack the messages I have already received, and possibly
the encrypted files I have stored on the same pendrive?

3. Is there a wipe function or a wipe software also available from Gnu
similar to the one offered by PGP? I need one that can be run from a
pendrive without installation.

Regards
Hardeep Singh

Give your resume visibility. Get a home for it.
Resume Central. http://RC.Hardeep.name

From joerg at schmitz-linneweber.de Tue Dec 5 10:15:16 2006
From: joerg at schmitz-linneweber.de (Joerg Schmitz-Linneweber)
Date: Tue Dec 5 11:55:25 2006
Subject: sshd authentication problem with gpg-agent and OpenPGP card
Message-ID: <457538A4.1020107@schmitz-linneweber.de>

Hi all!

I recently found a problem when using OpenPGP cards with gpg-agent in
combination with ssh/sshd. Technical details follow:

--- snip -----------------------
> gpg-agent --version
gpg-agent (GnuPG) 2.0.0
--- snip -----------------------
> rpm -qf `which ssh-add`
openssh-3.9p1-12.10
--- snip -----------------------
> ssh-add -l
1024 fingerprint_in_hex cardno:my_card_no (RSA)
1024 fingerprint_in_hex ~/id_dsa (DSA)
1024 fingerprint_in_hex ~/other_id_dsa (DSA)
1024 fingerprint_in_hex ~/other2_id_dsa (DSA)
--- snip -----------------------
(on the remote machine)
# rpm -qf `which sshd`
openssh-3.9p1-12.10
--- snip -----------------------

OK. Connecting to the remote via:

> ssh -vvvvi ~/.ssh/id_dsa remote_host

works perfectly (no card involved) but:

> ssh -vvvv remote_host

tries to use the card and results in:

--- snip -----------------------
debug2: key: cardno:my_card (0x8095498)
debug2: key: ~/.ssh/id_dsa (0x80999b0)
debug2: key: ~/.ssh/other_id_dsa (0x8098d98)
debug2: key: ~/.ssh/other2_id_dsa (0x8098d98)
debug1: Authentications that can continue: publickey,keyboard-interactive
debug3: start over, passed a different list publickey,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: cardno:my_card_no
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
Connection closed by remote_host
--- snip -----------------------

and the log on the remote machine explains this abrupt connection loss:

--- snip -----------------------
Dec 5 09:47:19 floyd sshd[4666]: fatal: buffer_get_bignum2: negative numbers not supported
Dec 5 09:55:13 floyd sshd[4893]: fatal: buffer_get_bignum2: negative numbers not supported
--- snip -----------------------

The last snippet shows what's going on in gpg-agent:

--- snip -----------------------
[client at fd 4 connected]
4 - 2006-12-05 10:10:37 gpg-agent[10191]: SSH-Handhabungsroutine 0x80858b8 für fd 7 gestartet
4 - 2006-12-05 10:10:37 gpg-agent[10191]: ssh request handler for request_identities (11) started
4 - 2006-12-05 10:10:37 gpg-agent[10191]: new connection to SCdaemon established (reusing)
[client at fd 5 connected]
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: <- GETATTR $AUTHKEYID
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> S $AUTHKEYID OPENPGP.3
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> OK
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: <- GETATTR SERIALNO
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> S SERIALNO my_serial_info
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> OK
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: <- READKEY OPENPGP.3
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> [ xx xx...(all bytes skipped) ]
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> OK
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: <- GETATTR $DISPSERIALNO
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> S $DISPSERIALNO the_displayable_serialno
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> OK
4 - 2006-12-05 10:10:37 gpg-agent[10191]: ssh request handler for request_identities (11) ready
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: <- RESTART
5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> OK
4 - 2006-12-05 10:10:37 gpg-agent[10191]: SSH-Handhabungsroutine 0x80858b8 für fd 7 beendet
--- snip -----------------------

So gpg-agent in conjunction with this ssh version might deliver
invalid data to the waiting ssh daemon. I found nothing particular on
the mentioned bignum package in sshd though... :-(

Anybody knows what's going on with OpenPGP card authentication?
Werner? :-)

Salut, Jörg

--
gpg/pgp key # 0xd7fa4512
fingerprint 4e89 6967 9cb2 f548 a806 7e8b fcf4 2053 d7fa 4512

From rjh at sixdemonbag.org Tue Dec 5 12:22:12 2006
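The sshd error quoted in Joerg Schmitz-Linneweber's message above is what a receiver reports when an SSH multi-precision integer (mpint, RFC 4251 section 5) arrives with the top bit of its first byte set: mpints are two's-complement, so a positive value with that bit set must be sent with a leading zero byte. The Python below is an added illustration, not code from the post, from GnuPG or from OpenSSH; the function names and the sample modulus are constructed, and the post itself does not establish which component produced the rejected value.

```python
"""SSH mpint encoding (RFC 4251, section 5) and a strict receiver-side check."""
import struct


def encode_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (uint32 length + body)."""
    if n < 0:
        raise ValueError("this sketch only encodes non-negative values")
    if n == 0:
        return struct.pack(">I", 0)  # zero is sent as an empty body
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # The body is two's-complement: if the top bit of the first byte is
    # set, the value would read as negative, so one zero byte is prepended.
    if body[0] & 0x80:
        body = b"\x00" + body
    return struct.pack(">I", len(body)) + body


def encode_mpint_unpadded(n: int) -> bytes:
    """Faulty sender (hypothetical): raw magnitude bytes, no sign padding."""
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return struct.pack(">I", len(body)) + body


def decode_mpint_strict(buf: bytes) -> int:
    """Receiver that refuses negative mpints, as the sshd log line does."""
    if len(buf) < 4:
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", buf[:4])
    body = buf[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated mpint body")
    if body and body[0] & 0x80:
        raise ValueError("negative numbers not supported")
    return int.from_bytes(body, "big")


def check_blob(buf: bytes):
    """Return ("ok", value) or ("rejected", reason) for one encoded mpint."""
    try:
        return ("ok", decode_mpint_strict(buf))
    except ValueError as exc:
        return ("rejected", str(exc))


# Constructed sample standing in for a 1024-bit RSA modulus. A modulus of
# exactly 1024 bits always has its top bit set, so it always needs padding.
SAMPLE_MODULUS = (1 << 1023) | 0x10001

if __name__ == "__main__":
    good = encode_mpint(SAMPLE_MODULUS)
    bad = encode_mpint_unpadded(SAMPLE_MODULUS)
    print("padded   :", len(good) - 4, "body bytes ->", check_blob(good)[0])
    print("unpadded :", len(bad) - 4, "body bytes ->", check_blob(bad))
    # A 1023-bit value happens to be accepted even without padding, which is
    # why a sender with this defect can work for some values and not others.
    print("1023-bit unpadded ->", check_blob(encode_mpint_unpadded(SAMPLE_MODULUS >> 1))[0])
```
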
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue Dec 5 12:20:16 2006
Subject: Questions from a newbie
In-Reply-To:
References:
Message-ID: <45755664.3010708@sixdemonbag.org>

Hardeep Singh wrote:
> 1. While creating the key, I noticed RSA is sign only. Does it mean
> an RSA key cannot be used to encrypt?

No. I use a set of RSA keys to encrypt and sign data. All that it
means is you need to create your set of encryption keys in a separate
step from creating your signing keys.

When creating DSA/Elg keys, both the signing and encryption keys are
created at the same time. RSA keys are created differently. Don't
really know why it's that way, but that's the way it is.

> The algorithm used instead by GnuPG is "DSA and Elgamal" which I
> haven't heard of and don't know if they are equally secure.

The term 'Elgamal' has an unfortunate multitude of meanings. It refers
to the Egyptian-American researcher Taher el Gamal, whose name has
been Americanized as Elgamal. He did a lot of fundamental research
into an entire family of cryptographic algorithms, which have since
been called the Elgamal family. Elgamal is also used to describe a
particular algorithm within the Elgamal family.

The Digital Signature Algorithm, DSA, is part of the Elgamal family.
So when you see "DSA and Elgamal", please don't think of them as two
different algorithms; think of them as two very closely related
algorithms.

Anyway. You were wondering if the Elgamals are equally secure to RSA.
The short answer is the Elgamals are believed to be comparable to RSA.
Or maybe we should say RSA is believed comparable to the Elgamals.
Either way, they can be used with confidence.

> Are these compatible with PGP?

PGP 5.0 or better, yes.

> 2. What happens if I lose the pendrive? They would not know the
> password but they would have the secret key.

No, they would not. The secret key is stored in an encrypted format.
The passphrase is needed to decrypt the secret key so that GnuPG can
then use it. The cipher used to encrypt the secret key is of
comparable strength to the cipher used to encrypt a PGP message.

This means that as long as your passphrase is strong, you could
publish your secret key in the _New York Times_ and still be confident
that nobody would be able to read your email.

> 3. Is there a wipe function or a wipe software also available from
> Gnu similar to the one offered by PGP? I need one that can be run
> from a pendrive without installation.

For this one, we need to know what operating system you're using.

From adam at e-ignite.co.uk Tue Dec 5 12:30:29 2006
From: adam at e-ignite.co.uk (Adam Gould) Date: Tue Dec 5 12:28:39 2006 Subject: Questions from a newbie In-Reply-To: References: Message-ID: <45755855.4040005@e-ignite.co.uk> Hardeep Singh wrote: > 1. While creating the key, I noticed RSA is sign only. Does it mean an > RSA key cannot be used to encrypt? Why so - even RSA is now in public > domain I believe. PGP (the free version) also allows RSA keys. No, it does not mean that you *can't* use RSA to encrypt. You would generate an RSA signing only key, then generate an RSA encryption subkey using the gpg --edit-key command. This way, you can have (for example) a 1024 bit RSA signing key with a 4096 bit RSA encryption key if you wish. Hardeep Singh wrote: > The algorithm used instead by GnuPG is "DSA and Elgamal" which I > haven't heard of and don't know if they are equally secure. Are these > compatible with PGP? They are simply the default key types with GnuPG. The DSA key is the signing key and it can only be 1024 bits. The Elgamal key is an encryption key, and it is the size that you specify. Both DSA / Elgamal and RSA are compatible with PGP 5 and above. Hardeep Singh wrote: > 2. What happens if I lose the pendrive? They would not know the > password but they would have the secret key. Does it make it easier > for them to hack the messages I have already received, and possibly > the encrypted files I have stored on the same pendrive? Put quite simply, yes. If they have a copy of your private key, hackers only need to find your passphrase to compromise all of your previously secured communications. Using a dictionary attack on the key, they are far more likely to break the security of your emails and files. If you do ever lose your pendrive with secret keys on it, I would recommend that you revoke the keys you lost and create a new key pair. Hardeep Singh wrote: > 3. Is there a wipe function or a wipe software also available from Gnu > similar to the one offered by PGP? 
I need one that can be run from a > pendrive without installation. There are several free, open source wiping programs available, but these are not entirely useful when you are using a flash memory pen drive. In order to prolong the life of flash memory, all data is written to a random "sector" on the drive and this is controlled by a low-level controller over which the operating system of the host PC has no control. Therefore to absolutely securely remove data from a flash drive, you would need to delete the file then run a "free-space" wipe of the memory. You may be interested in Mobility Email (available at http://www.mobilityemail.net) - this is an open source mail client based on Mozilla code, and has built-in OpenPGP email encryption support. It is designed to run from a removable drive, so the disk letter does not matter and you can therefore use it on multiple computer terminals. It also supports profile locking and secure wiping of the disk if you choose to enable it. This encrypts your mail profile using AES symmetrical encryption (with a user-specified passphrase), deletes the unencrypted profile from your disk, then performs a "free-space wipe" of the memory, ensuring excellent security even if you lose the flash disk. This is quite a time-consuming process though, and may not be necessary for every-day use - this is why we included the option so that the users decide what level of security to use. I would highly recommend that you try it and form your own opinions - it's free, open source software and is compatible with Windows and Linux running WINE. Hope this helps, Adam -- e-ignite: OpenPGP Key: 0x4B45F6F5 From hawke at hawkesnest.net Tue Dec 5 17:11:05 2006 
From: hawke at hawkesnest.net (Alex Mauer) Date: Tue Dec 5 17:09:44 2006 Subject: adding passphrases to gpg-agent In-Reply-To: <87ac2h6q7m.fsf@wheatstone.g10code.de> References: <87lkm2ea5u.fsf@wheatstone.g10code.de> <87ac2h6q7m.fsf@wheatstone.g10code.de> Message-ID: Werner Koch wrote: > For example, you don't need to use ssh-add every time after starting > the agent. You do it only once and gpg-agent will store the entire > key on disk and not just in memory as ssh-agent does. Is it possible to control/disable this behavior? I prefer to keep my ssh keys only on a USB disk, and not have them copied to any machine on which I happen to load them. -Alex Mauer "hawke" From wk at gnupg.org Tue Dec 5 17:26:44 2006 From: wk at gnupg.org (Werner Koch) Date: Tue Dec 5 17:31:53 2006 Subject: adding passphrases to gpg-agent In-Reply-To: (Alex Mauer's message of "Tue\, 05 Dec 2006 10\:11\:05 -0600") References: <87lkm2ea5u.fsf@wheatstone.g10code.de> <87ac2h6q7m.fsf@wheatstone.g10code.de> Message-ID: <877ix6l35n.fsf@wheatstone.g10code.de> On Tue, 5 Dec 2006 17:11, hawke@hawkesnest.net said: > Is it possible to control/disable this behavior? I prefer to keep my > ssh keys only on a USB disk, and not have them copied to any machine on > which I happen to load them. Make ~/.gnupg/private-keys-v1.d/ a symlink to your USB disk. Salam-Shalom, Werner From sydbarrett74 at hotmail.com Tue Dec 5 18:45:04 2006 
From: sydbarrett74 at hotmail.com (Victor Escobar) Date: Tue Dec 5 18:43:38 2006 Subject: Problem building 2.0.1 Message-ID: Hi all, I am having a problem with configure. It doesn't recognise that I have these libraries already installed (which I do, and all the latest versions). I'm using OSX 10.4.8... ----- configure: *** *** You need libgpg-error to build this program. ** This library is for example available at *** ftp://ftp.gnupg.org/gcrypt/libgpg-error *** (at least version 1.4 is required.) *** configure: *** *** You need libassuan with Pth support to build this program. *** This library is for example available at *** ftp://ftp.gnupg.org/gcrypt/libassuan/ *** (at least version 0.9.3 (API 1) is required). *** configure: *** *** You need libksba to build this program. *** This library is for example available at *** ftp://ftp.gnupg.org/gcrypt/libksba/ *** (at least version 1.0.0 using API 1 is required). *** configure: error: *** *** Required libraries not found. Please consult the above messages *** and install them before running configure again. *** From eray.aslan at caf.com.tr Tue Dec 5 18:13:01 2006 From: eray.aslan at caf.com.tr (Eray Aslan) Date: Tue Dec 5 19:55:09 2006 Subject: encrypt the sent folder Message-ID: <4575A89D.8010003@caf.com.tr> Hi, How can I make sure that all the emails in my Sent folder are encrypted and can't be read without my private key? In other words, I want my email in my Sent folder to be encrypted even though the email sent on the wire is plain text. Encrypt to self option only works if I send an encrypted mail. I couldn't get it to work all the time. Here is my gpg.conf: comment "" no-mangle-dos-filenames keyserver-options auto-key-retrieve verbose include-revoked include-subkeys expert default-recipient-self encrypt-to 0x34697591 default-key 0x34697591 Email client is Thunderbird/Enigmail. Mails are stored on IMAP server if it makes any difference. Thank you. -- Eray From rjh at sixdemonbag.org Tue Dec 5 20:03:13 2006 
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue Dec 5 20:01:01 2006 Subject: encrypt the sent folder In-Reply-To: <4575A89D.8010003@caf.com.tr> References: <4575A89D.8010003@caf.com.tr> Message-ID: <4575C271.70001@sixdemonbag.org> Eray Aslan wrote: > How can I make sure that all the emails in my Sent folder are encrypted > and can't be read without my private key? In other words, I want my > email in my Sent folder to be encrypted even though the email sent on > the wire is plain text. This is not a task for GnuPG. This is a task for an encrypted file system. On OS X, look into using encrypted home directories (System Preferences-->Security). On Windows, I've found TrueCrypt to be a pretty good solution. On Linux, look into cryptoloop. > Email client is Thunderbird/Enigmail. Mails are stored on IMAP server > if it makes any difference. It does. You need your IMAP server to run the encrypted file system. From qed at tiscali.it Tue Dec 5 20:25:48 2006 
From: qed at tiscali.it (Qed) Date: Tue Dec 5 20:23:33 2006 Subject: encrypt the sent folder In-Reply-To: <4575C271.70001@sixdemonbag.org> References: <4575A89D.8010003@caf.com.tr> <4575C271.70001@sixdemonbag.org> Message-ID: <4575C7BC.8020809@tiscali.it> On 05/12/06 20:03, Robert J. Hansen wrote: >> How can I make sure that all the emails in my Sent folder are encrypted >> and can't be read without my private key? In other words, I want my >> email in my Sent folder to be encrypted even though the email sent on >> the wire is plain text. > This is not a task for GnuPG. This is a task for an encrypted file > system. Or, better, for an encryption plugin for his MUA. > On OS X, look into using encrypted home directories (System > Preferences-->Security). On Windows, I've found TrueCrypt to be a > pretty good solution. On Linux, look into cryptoloop. >> Email client is Thunderbird/Enigmail. Mails are stored on IMAP >> server if it makes any difference. > It does. You need your IMAP server to run the encrypted file system. This is suitable only if he owns the server or IMAP storage is kept in a directory on which he has rw permissions (e.g.: ~/home/Maildir). -- Q.E.D. War is Peace Freedom is Slavery Ignorance is Strength ICQ UIN: 301825501 OpenPGP key ID: 0x58D14EB3 Key fingerprint: 00B9 3E17 630F F2A7 FF96 DA6B AEE0 EC27 58D1 4EB3 Check fingerprints before trusting a key! From eray.aslan at caf.com.tr Tue Dec 5 20:43:36 2006 
From: eray.aslan at caf.com.tr (Eray Aslan) Date: Tue Dec 5 20:41:32 2006 Subject: encrypt the sent folder In-Reply-To: <4575C271.70001@sixdemonbag.org> References: <4575A89D.8010003@caf.com.tr> <4575C271.70001@sixdemonbag.org> Message-ID: <1121.85.101.16.38.1165347816.squirrel@mail.caf.com.tr> On Tue, December 5, 2006 9:03 pm, Robert J. Hansen wrote: > Eray Aslan wrote: >> How can I make sure that all the emails in my Sent folder are encrypted >> and can't be read without my private key? In other words, I want my >> email in my Sent folder to be encrypted even though the email sent on >> the wire is plain text. > > This is not a task for GnuPG. This is a task for an encrypted file > system. On OS X, look into using encrypted home directories (System > Preferences-->Security). On Windows, I've found TrueCrypt to be a > pretty good solution. On Linux, look into cryptoloop. Surely there must be a better way. These all require admin access to the IMAP server. The software already does what I want some of the time (when I send the recipient encrypted email). I just want it to do it all the time. -- Eray From wk at gnupg.org Tue Dec 5 21:10:29 2006 
From: wk at gnupg.org (Werner Koch) Date: Tue Dec 5 21:16:50 2006 Subject: Problem building 2.0.1 In-Reply-To: (Victor Escobar's message of "Tue\, 05 Dec 2006 12\:45\:04 -0500") References: Message-ID: <871wnehznu.fsf@wheatstone.g10code.de> On Tue, 5 Dec 2006 18:45, sydbarrett74@hotmail.com said: > I am having a problem with configure. It doesn't recognise that I have > these libraries already installed (which I do, and all the latest versions). > I'm using OSX 10.4.8... You need to make sure that the correct libraries are found. For example, if you installed them to /usr/local/ you need to make sure that /usr/local/bin comes early in the path, so that an old version already installed does not get in the way. You find more information about the checks done in config.log. Salam-Shalom, Werner From rjh at sixdemonbag.org Tue Dec 5 21:30:22 2006 
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue Dec 5 21:28:21 2006 Subject: encrypt the sent folder In-Reply-To: <1121.85.101.16.38.1165347816.squirrel@mail.caf.com.tr> References: <4575A89D.8010003@caf.com.tr> <4575C271.70001@sixdemonbag.org> <1121.85.101.16.38.1165347816.squirrel@mail.caf.com.tr> Message-ID: <4575D6DE.9060703@sixdemonbag.org> Eray Aslan wrote: > Surely there must be a better way. These all require admin access to the > IMAP server. The software already does what I want some of the time (when > I send the recipient encrypted email). I just want it to do it all the > time. There isn't. If you want a program that does this, you're going to need to write it yourself. It seems like it could be done in just a couple of hours of Perl. But once you do that, you're going to need to hack on Enigmail/Thunderbird to be able to support text searches through encrypted data, then you're going to need to... etc., etc. It's a nontrivial amount of work. Also remember that OpenPGP is a wire protocol. The protocol is not meant for mass storage. Sure, you can use GnuPG to encrypt files, but once you start dealing with large numbers of them you're generally going to be better off using a system that's purpose-built for the task. Like, say, an encrypted filesystem. From dshaw at jabberwocky.com Tue Dec 5 21:45:45 2006 
From: dshaw at jabberwocky.com (David Shaw) Date: Tue Dec 5 21:44:32 2006 Subject: encrypt the sent folder In-Reply-To: <4575D6DE.9060703@sixdemonbag.org> References: <4575A89D.8010003@caf.com.tr> <4575C271.70001@sixdemonbag.org> <1121.85.101.16.38.1165347816.squirrel@mail.caf.com.tr> <4575D6DE.9060703@sixdemonbag.org> Message-ID: <20061205204545.GA9461@jabberwocky.com> On Tue, Dec 05, 2006 at 02:30:22PM -0600, Robert J. Hansen wrote: > Also remember that OpenPGP is a wire protocol. The protocol is not > meant for mass storage. Sure, you can use GnuPG to encrypt files, but > once you start dealing with large numbers of them you're generally going > to be better off using a system that's purpose-built for the task. > Like, say, an encrypted filesystem. I must disagree with this. OpenPGP is not solely a wire protocol. There are even parts of the specification that were added mainly for the benefit of mass storage. It's being used in storage in a number of places today. The nice thing about using OpenPGP as an archival primitive is that each encrypted file is its own file and decrypting one does not impact any others. This works well in the context of email, where each mail is its own object. David From rjh at sixdemonbag.org Tue Dec 5 21:52:56 2006 
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue Dec 5 21:50:44 2006 Subject: encrypt the sent folder In-Reply-To: <20061205204545.GA9461@jabberwocky.com> References: <4575A89D.8010003@caf.com.tr> <4575C271.70001@sixdemonbag.org> <1121.85.101.16.38.1165347816.squirrel@mail.caf.com.tr> <4575D6DE.9060703@sixdemonbag.org> <20061205204545.GA9461@jabberwocky.com> Message-ID: <4575DC28.6000509@sixdemonbag.org> David Shaw wrote: > I must disagree with this. OpenPGP is not solely a wire protocol. I probably should have said 'primarily'. It wasn't my intent to give the impression it was exclusively a wire protocol. > The nice thing about using OpenPGP as an archival primitive is that > each encrypted file is its own file and decrypting one does not impact > any others. This works well in the context of email, where each mail > is its own object. In other ways it doesn't work very well, since each email is encrypted separately, requiring complex bignum math for each decryption. Searching through large numbers of emails could potentially be very problematic. Compare this to an encrypted filesystem, which is typically much more performance-friendly. From dshaw at jabberwocky.com Tue Dec 5 22:15:18 2006 
From: dshaw at jabberwocky.com (David Shaw) Date: Tue Dec 5 22:14:03 2006 Subject: encrypt the sent folder In-Reply-To: <4575DC28.6000509@sixdemonbag.org> References: <4575A89D.8010003@caf.com.tr> <4575C271.70001@sixdemonbag.org> <1121.85.101.16.38.1165347816.squirrel@mail.caf.com.tr> <4575D6DE.9060703@sixdemonbag.org> <20061205204545.GA9461@jabberwocky.com> <4575DC28.6000509@sixdemonbag.org> Message-ID: <20061205211518.GB9461@jabberwocky.com> On Tue, Dec 05, 2006 at 02:52:56PM -0600, Robert J. Hansen wrote: > David Shaw wrote: > > I must disagree with this. OpenPGP is not solely a wire protocol. > > I probably should have said 'primarily'. It wasn't my intent to give > the impression it was exclusively a wire protocol. > > > The nice thing about using OpenPGP as an archival primitive is that > > each encrypted file is its own file and decrypting one does not impact > > any others. This works well in the context of email, where each mail > > is its own object. > > In other ways it doesn't work very well, since each email is encrypted > separately, requiring complex bignum math for each decryption. > Searching through large numbers of emails could potentially be very > problematic. > > Compare this to an encrypted filesystem, which is typically much more > performance-friendly. Absolutely. It all depends on what the goal is. Given a compromise, many distinct files can limit the damage done to a subset (or one) of the encrypted files. A compromise of an encrypted filesystem generally compromises the whole filesystem containing all the files. On the other side, as you say, an encrypted filesystem will probably outperform multiple encrypted files. Given the original request (to store encrypted mails on a remote IMAP server), OpenPGP seems like an obvious answer as it works even when the remote IMAP server isn't under the control of the user (which is often the case). 
OpenPGP (and encrypted filesystems) are two good solutions to two slightly different and overlapping problems. David From johanw at vulcan.xs4all.nl Tue Dec 5 22:39:50 2006 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Tue Dec 5 22:39:08 2006 Subject: encrypt the sent folder In-Reply-To: <4575C271.70001@sixdemonbag.org> Message-ID: <200612052139.kB5LdoYU010513@vulcan.xs4all.nl> Robert J. Hansen wrote: >Preferences-->Security). On Windows, I've found TrueCrypt to be a >pretty good solution. On Linux, look into cryptoloop. TrueCrypt works also on Linux (kernel 2.6.5 and up). The advantage is that a TC volume can be accessed on both Linux and Windows - very useful when I use the same USB stick both at home and at my work. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From rjh at sixdemonbag.org Tue Dec 5 23:06:56 2006 
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue Dec 5 23:04:52 2006 Subject: Christmas is upon us again. Message-ID: <4575ED80.4040905@sixdemonbag.org> Whether you're secular or religious, atheist or devout, I think we can all agree that the time of the year known as Christmas will soon be upon us. This is historically a time for personal reflection and charitable giving. We reflect on how fortunate we are, and we give in order to show our thanks and appreciation for that which we have received. This year, I'm grateful that we have a Free Software implementation of the OpenPGP protocol. I'm also grateful that the development process is fairly open and I'm grateful that, by and large, the people in the community are friendly. This year, I'm giving $10 to the Free Software Foundation (http://www.fsf.org) in the name of the GNU Privacy Guard, as my way of telling the developers "thanks". If you feel like joining me in this, well... feel free to say thanks on-list, or to write off a note to the developers. Likewise, I hope you'll give a small donation to the charity of your choice in the name of the GNU Privacy Guard. Merry Christmas to everyone. May we have peace on Earth and goodwill to all humanity. From tmz at pobox.com Wed Dec 6 00:00:33 2006 
From: tmz at pobox.com (Todd Zullinger) Date: Wed Dec 6 00:35:59 2006 Subject: encrypt the sent folder In-Reply-To: <1121.85.101.16.38.1165347816.squirrel@mail.caf.com.tr> References: <4575A89D.8010003@caf.com.tr> <4575C271.70001@sixdemonbag.org> <1121.85.101.16.38.1165347816.squirrel@mail.caf.com.tr> Message-ID: <20061205230033.GD32304@psilocybe.teonanacatl.org> Eray Aslan wrote: > Surely there must be a better way. These all require admin access > to the IMAP server. The software already does what I want some of > the time (when I send the recipient encrypted email). I just want > it to do it all the time. This doesn't sound like an entirely unreasonable feature request to make of Enigmail. Perhaps you'd want to check in with the Enigmail folks to see if they would consider adding such a feature? It has some potential to be useful but it might be icky to implement. Obviously, if you send a message unencrypted but store it encrypted, you won't really have an accurate record of your sent mail. The headers and MIME parts will be different. Some people prefer that what's in their sent mailbox be exactly equal to what was sent. (Pedants. :) I am curious though, what particular threats are you concerned about? That might help shape what options would be best to take. If you don't trust the IMAP server admins, then you should store your mail somewhere you do trust. If you are worried about someone cracking the server and getting at your sent messages then encryption on the server may be sufficient, but would involve either changes to your mail client or some other sort of access to your mailbox on the server. -- Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ====================================================================== Oh, I feel so deliciously white trash! Mommy, I want a mullet! 
-- Stewie Griffin From sydbarrett74 at hotmail.com Wed Dec 6 01:47:58 2006 From: sydbarrett74 at hotmail.com (Victor Escobar) Date: Wed Dec 6 01:46:46 2006 Subject: Problem building 2.0.1 In-Reply-To: <871wnehznu.fsf@wheatstone.g10code.de> Message-ID: Walter, thank you for this tip. I'm such an idiot: /usr/local/bin was not in my path -- DOH! :( However, now I'm getting the following error during make: /usr/bin/ld: Undefined symbols: _gpg_error_from_syserror collect2: ld returned 1 exit status make[2]: *** [kbxutil] Error 1 make[2]: Leaving directory `/Users/sydbarrett74/Desktop/gnupg-2.0.1/kbx' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/Users/sydbarrett74/Desktop/gnupg-2.0.1' make: *** [all] Error 2 On 12/5/06 3:10 PM, "Werner Koch" wrote: > On Tue, 5 Dec 2006 18:45, sydbarrett74@hotmail.com said: > >> I am having a problem with configure. It doesn't recognise that I have >> these libraries already installed (which I do, and all the latest versions). >> I'm using OSX 10.4.8... > > You need to make sure that the correct libraries are found. For > example, if you installed them to /usr/local/ you need to make sure > that /usr/local/bin comes early in the path, so that an old version > already installed does not get in the way. > > You find more information about the checks done in config.log. > > > Salam-Shalom, > > Werner > > > From randy at randyburns.us Wed Dec 6 03:01:55 2006 
From: randy at randyburns.us (Randy Burns) Date: Wed Dec 6 04:00:22 2006 Subject: Christmas is upon us again. In-Reply-To: <4575ED80.4040905@sixdemonbag.org> Message-ID: <20061206020155.82217.qmail@web50912.mail.yahoo.com> It's a great idea. A more direct link is: https://www.fsf.org/associate/support_freedom/donate Randy --- "Robert J. Hansen" wrote: > > Whether you're secular or religious, atheist or devout, I think we can > all agree that the time of the year known as Christmas will soon be upon > us. This is historically a time for personal reflection and charitable > giving. We reflect on how fortunate we are, and we give in order to > show our thanks and appreciation for that which we have received. > > This year, I'm grateful that we have a Free Software implementation of > the OpenPGP protocol. I'm also grateful that the development process is > fairly open and I'm grateful that, by and large, the people in the > community are friendly. > > This year, I'm giving $10 to the Free Software Foundation > (http://www.fsf.org) in the name of the GNU Privacy Guard, as my way of > telling the developers "thanks". > > If you feel like joining me in this, well... feel free to say thanks > on-list, or to write off a note to the developers. Likewise, I hope > you'll give a small donation to the charity of your choice in the name > of the GNU Privacy Guard. > > Merry Christmas to everyone. May we have peace on Earth and goodwill to > all humanity. > From shavital at mac.com Wed Dec 6 08:23:22 2006 
From: shavital at mac.com (Charly Avital) Date: Wed Dec 6 08:21:49 2006 Subject: Problem building 2.0.1 In-Reply-To: <871wnehznu.fsf@wheatstone.g10code.de> References: <871wnehznu.fsf@wheatstone.g10code.de> Message-ID: <45766FEA.1040000@mac.com> Werner Koch wrote the following on 12/5/06 3:10 PM: > On Tue, 5 Dec 2006 18:45, sydbarrett74@hotmail.com said: > >> I am having a problem with configure. It doesn't recognise that I have >> these libraries already installed (which I do, and all the latest versions). >> I'm using OSX 10.4.8... > > You need to make sure that the correct libraries are found. For > example, if you installed them to /usr/local/ you need to make sure > that /usr/local/bin comes early in the path, so that an old version > already installed does not get in the way. > > You find more information about the checks done in config.log. > > > Salam-Shalom, > > Werner > Hi Werner, Running Mac PPC, OS 10.4.8 (Darwin 8.8.0) 1. First attempt with ./configure: ------------- checking for gpg-error-config... /usr/local/bin/gpg-error-config checking for GPG Error - version >= 1.4... yes checking for libgcrypt-config... /usr/local/bin/libgcrypt-config checking for LIBGCRYPT - version >= 1.2.0... yes checking LIBGCRYPT API version... okay checking for libassuan-config... /usr/local/bin/libassuan-config checking for LIBASSUAN - version >= 0.9.3... yes checking LIBASSUAN API version... okay checking for libassuan-config... (cached) /usr/local/bin/libassuan-config checking for LIBASSUAN pth - version >= 0.9.3... yes checking LIBASSUAN pth API version... okay checking for libassuan-config... (cached) /usr/local/bin/libassuan-config checking for LIBASSUAN - version >= 1.0.1... yes checking LIBASSUAN API version... okay checking for ksba-config... /usr/local/bin/ksba-config checking for KSBA - version >= 1.0.0... yes checking KSBA API version... okay ....[.........]........ 
config.status: creating po/Makefile GnuPG v2.0.1 has been configured as follows: Platform: Darwin (powerpc-apple-darwin8.8.0) OpenPGP: yes S/MIME: yes Agent: yes Smartcard: yes Protect tool: (default) Default agent: (default) Default pinentry: (default) Default scdaemon: (default) Default dirmngr: (default) PKITS based tests: no ----------------------- But then, with make: ----- /usr/bin/ld: Undefined symbols: _libiconv _libiconv_close _libiconv_open collect2: ld returned 1 exit status make[2]: *** [kbxutil] Error 1 make[1]: *** [all-recursive] Error 1 make: *** [all] Error 2 -------------------- 2. Second attempt with a fresh copy of the source code and ./configure -- --disable-nls Same results regarding the presence of the required libraries, and for final configuration. But then, make (same final results): ------------------------- /usr/bin/ld: Undefined symbols: _libiconv _libiconv_close _libiconv_open collect2: ld returned 1 exit status make[2]: *** [kbxutil] Error 1 make[1]: *** [all-recursive] Error 1 make: *** [all] Error 2 --------------- 3. Trying to compile libiconv 1.11 with ./configure: ---------------- config.status: creating Makefile config.status: creating lib/Makefile config.status: creating include/localcharset.h config.status: creating include/localcharset.h.inst config.status: creating config.h ---------------- Then make: -------------- libtool: install: `4/Applications/libiconv-1.11/lib/libcharset.la' is not a directory Try `libtool --help --mode=install' for more information. make[2]: *** [install-lib] Error 1 make[1]: *** [install-lib] Error 2 make: *** [lib/localcharset.h] Error 2 --------------------- I am still digging in 'man libtool', the whole thing (dynamic, static, etc...) is too arcane *for my limited knowledge*. If you need more quotes from the outputs I can send them to you directly; I shall post to the list the final outcome (if there is one). Any ideas or suggestions? 
Thanks in advance, Charly From shavital at mac.com Wed Dec 6 08:36:31 2006 From: shavital at mac.com (Charly Avital) Date: Wed Dec 6 08:34:23 2006 Subject: Problem building 2.0.1 In-Reply-To: <45766FEA.1040000@mac.com> References: <871wnehznu.fsf@wheatstone.g10code.de> <45766FEA.1040000@mac.com> Message-ID: <457672FF.5000309@mac.com> Werner, My version of libtool is Apple Computer, Inc. version cctools-622.5 Sorry for the omission, Charly From eray.aslan at caf.com.tr Wed Dec 6 08:45:47 2006 
From: eray.aslan at caf.com.tr (Eray Aslan) Date: Wed Dec 6 08:43:55 2006 Subject: encrypt the sent folder In-Reply-To: <20061205230033.GD32304@psilocybe.teonanacatl.org> References: <4575A89D.8010003@caf.com.tr> <4575C271.70001@sixdemonbag.org> <1121.85.101.16.38.1165347816.squirrel@mail.caf.com.tr> <20061205230033.GD32304@psilocybe.teonanacatl.org> Message-ID: <4576752B.102@caf.com.tr> Todd Zullinger wrote: > Eray Aslan wrote: >> Surely there must be a better way. These all require admin access >> to the IMAP server. The software already does what I want some of >> the time (when I send the recipient encrypted email). I just want >> it to do it all the time. > > This doesn't sound like an entirely unreasonable feature request to make of > Enigmail. Perhaps you'd want to check in with the Enigmail folks to > see if they would consider adding such a feature? It has some > potential to be useful but it might be icky to implement. I thought it was a mis-configuration on my part. > Obviously, if you send a message unencrypted but store it encrypted, > you won't really have an accurate record of your sent mail. The > headers and MIME parts will be different. Some people prefer that > what's in their sent mailbox be exactly equal to what was sent. > (Pedants. :) Fair enough. > I am curious though, what particular threats are you concerned about? > That might help shape what options would be best to take. > > If you don't trust the IMAP server admins, then you should store your > mail somewhere you do trust. Nope. I am the admin. > If you are worried about someone cracking the server and getting at > your sent messages then encryption on the server may be sufficient, > but would involve either changes to your mail client or some other sort > of access to your mailbox on the server. The servers in question already have encryption at the file system level with cryptsetupLUKS for Linux and truecrypt for Windows boxes. 
But the trouble is these do not provide any defense against attacks through the network. They will happily serve the emails thru the network to the appropriate user when asked. FS encryption is only good at boot time. Once the partition is mounted, you can access the data. I can give the end users a smartcard or a usb stick. The objective is to provide a solution so that not even the admin can read the emails (say by changing the password and logging in as the user) unless he/she has the secret key. -- Eray -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 187 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20061206/20880ba1/signature.pgp From JPClizbe at tx.rr.com Wed Dec 6 08:57:41 2006 
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Wed Dec 6 08:56:52 2006
Subject: encrypt the sent folder
In-Reply-To: <20061205230033.GD32304@psilocybe.teonanacatl.org>
References: <4575A89D.8010003@caf.com.tr> <4575C271.70001@sixdemonbag.org> <1121.85.101.16.38.1165347816.squirrel@mail.caf.com.tr> <20061205230033.GD32304@psilocybe.teonanacatl.org>
Message-ID: <457677F5.5090004@tx.rr.com>

Todd Zullinger wrote:
> Eray Aslan wrote:
>> Surely there must be a better way. These all require admin access
>> to the IMAP server. The software already does what I want some of
>> the time (when I send the recipient encrypted email). I just want
>> it to do it all the time.
>
> This doesn't seem like an entirely unreasonable feature request to make of
> Enigmail. Perhaps you'd want to check in with the Enigmail folks to
> see if they would consider adding such a feature? It has some
> potential to be useful but it might be icky to implement.

Sounds unreasonable to me. It's completely beyond our scope to implement.

Why is this unreasonable? You are asking an extension with hooks in certain steps of a MUA (Thunderbird/Seamonkey) to set policy on an IMAP server out of our control.

Enigmail gets the message after the user clicks 'Send', does its processing, and passes the result back to the Mozilla mail-news code for mailing and storage. The extension has no control or interest in how the user has configured the MUA to handle sent items. In both the IMAP case and the local storage case, the message that is saved is the exact message that is sent on the wire. This is not an Enigmail function, but a function of the mail agent.

There is no provision for processing a message on multiple paths and specifying separate handling on each path when sending, nor would it be reasonable to expect there to be.

There are two RFEs filed in Bugzilla to allow the unencrypted storage of encrypted items. One applies to sent items, the other to received ones. These may be possible at some time in the future, but no one is making any promises.

-- 
John P. Clizbe    Inet: John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO.    PGP/GPG KeyID: 0x608D2A10/0x18BB373A
"what's the key to success?" / "two words: good decisions."
"what's the key to good decisions?" / "one word: experience."
"how do i get experience?" / "two words: bad decisions."

"Just how do the residents of Haiku, Hawai'i hold conversations?"

From eray.aslan at caf.com.tr Wed Dec 6 09:17:19 2006
From: eray.aslan at caf.com.tr (Eray Aslan)
Date: Wed Dec 6 09:15:15 2006
Subject: encrypt the sent folder
In-Reply-To: <457677F5.5090004@tx.rr.com>
References: <4575A89D.8010003@caf.com.tr> <4575C271.70001@sixdemonbag.org> <1121.85.101.16.38.1165347816.squirrel@mail.caf.com.tr> <20061205230033.GD32304@psilocybe.teonanacatl.org> <457677F5.5090004@tx.rr.com>
Message-ID: <45767C8F.8030601@caf.com.tr>

John Clizbe wrote:
[snip]
> There is no provision for processing a message on multiple paths and specifying
> separate handling on each path when sending, nor would it be reasonable to
> expect there to be.

Ahh, this is the problem.

> There are two RFEs filed in Bugzilla to allow the unencrypted storage of
> encrypted items. One applies to sent items, the other to received ones.
> These may be possible at some time in the future, but no one is making any promises.

Should I open another RFE? These are all the same problem after all.

And thank you for the explanation.

-- 
Eray

From tmz at pobox.com Wed Dec 6 10:21:53 2006
From: tmz at pobox.com (Todd Zullinger)
Date: Wed Dec 6 10:19:55 2006
Subject: encrypt the sent folder
In-Reply-To: <4576752B.102@caf.com.tr>
References: <4575A89D.8010003@caf.com.tr> <4575C271.70001@sixdemonbag.org> <1121.85.101.16.38.1165347816.squirrel@mail.caf.com.tr> <20061205230033.GD32304@psilocybe.teonanacatl.org> <4576752B.102@caf.com.tr>
Message-ID: <20061206092153.GC13050@psilocybe.teonanacatl.org>

Eray Aslan wrote:
> I thought it was a mis-configuration on my part.

Nope. As John pointed out this is simply not feasible to do from within Enigmail based on the way it has to interact with Thunderbird.

>> If you don't trust the IMAP server admins, then you should store
>> your mail somewhere you do trust.
>
> Nope. I am the admin.

I'll assume that means you trust you. ;-)

>> If you are worried about someone cracking the server and getting at
>> your sent messages then encryption on the server may be sufficient,
>> but would involve either changes to your mail client or some other
>> sort of access to your mailbox on the server.
>
> The servers in question already have encryption at the file system
> level with cryptsetupLUKS for Linux and truecrypt for windows boxes.
> But the trouble is these do not provide any defense against attacks
> through the network. They will happily serve the emails thru the
> network to the appropriate user when asked. FS encryption is only
> good at boot time. Once the partition is mounted, you can access
> the data.

True. An encrypted FS that's always mounted isn't too secure.

> I can give the end users a smartcard or a usb stick. The objective
> is to provide a solution so that not even the admin can read the
> emails

Well, as I understand your original query, you're looking to get security on the sent messages that are not encrypted to the recipient. In that case, the message goes out via IMAP and SMTP on the server and thus the admin could just grab a copy somewhere in that process. That'd be a lot easier to do than trying to crack the gpg encrypted message in your sent mailbox.

ISTM that the only good way for you to get the security you want in this case is to send the mail encrypted in the first place.

-- 
Todd    OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
======================================================================
Rupert! I told you to watch the bags! You were watching the boys again
weren't you!
    -- Stewie Griffin

From tmz at pobox.com Wed Dec 6 10:22:11 2006
From: tmz at pobox.com (Todd Zullinger)
Date: Wed Dec 6 10:20:05 2006
Subject: encrypt the sent folder
In-Reply-To: <457677F5.5090004@tx.rr.com>
References: <4575A89D.8010003@caf.com.tr> <4575C271.70001@sixdemonbag.org> <1121.85.101.16.38.1165347816.squirrel@mail.caf.com.tr> <20061205230033.GD32304@psilocybe.teonanacatl.org> <457677F5.5090004@tx.rr.com>
Message-ID: <20061206092211.GD13050@psilocybe.teonanacatl.org>

John Clizbe wrote:
> Sounds unreasonable to me. It's completely beyond our scope to
> implement.

That seems more like not feasible than unreasonable. But the results are the same. :-)

Thank you for the explanation.

-- 
Todd    OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
======================================================================
The American Republic will endure until the day Congress discovers
that it can bribe the public with the public's money.
    -- Alexis De Tocqueville.

From JPClizbe at tx.rr.com Wed Dec 6 10:49:35 2006
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Wed Dec 6 10:48:12 2006
Subject: encrypt the sent folder
In-Reply-To: <4576752B.102@caf.com.tr>
References: <4575A89D.8010003@caf.com.tr> <4575C271.70001@sixdemonbag.org> <1121.85.101.16.38.1165347816.squirrel@mail.caf.com.tr> <20061205230033.GD32304@psilocybe.teonanacatl.org> <4576752B.102@caf.com.tr>
Message-ID: <4576922F.6000706@tx.rr.com>

Eray Aslan wrote:
>
> The servers in question already have encryption at the file system level
> with cryptsetupLUKS for Linux and truecrypt for windows boxes. But the
> trouble is these do not provide any defense against attacks through the
> network. They will happily serve the emails thru the network to the
> appropriate user when asked. FS encryption is only good at boot time.
> Once the partition is mounted, you can access the data.

Once again, this would appear to be a server configuration issue, not a GnuPG issue.

If it is possible for someone to easily spoof a user's credentials and access their emails, then it's an authentication issue. If you're worried about eavesdropping on the wire, you want SSL or TLS to secure the link.

In the case given of IMAP, you want IMAP + TLS or IMAP + SSL

Check with your server admins to determine if your server supports IMAP w/ TLS or IMAP w/SSL. POP3 and SMTP also may be configured to use one of these suites. If these are supported, you may select them on the 'Server Settings' tab in 'Account Settings'

It sounds as if you need to sit down and realistically evaluate your security needs with those who administer your network and servers. If your threat level is such that you do not feel the existing tools can meet your needs, it's time to get out your checkbook and call in a professional not continue to seek free advice on a mailing list.

-- 
John P. Clizbe    Inet: John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO.    PGP/GPG KeyID: 0x608D2A10/0x18BB373A
"what's the key to success?" / "two words: good decisions."
"what's the key to good decisions?" / "one word: experience."
"how do i get experience?" / "two words: bad decisions."

"Just how do the residents of Haiku, Hawai'i hold conversations?"

From eray.aslan at caf.com.tr Wed Dec 6 11:52:14 2006
From: eray.aslan at caf.com.tr (Eray Aslan)
Date: Wed Dec 6 11:50:19 2006
Subject: encrypt the sent folder
In-Reply-To: <4576922F.6000706@tx.rr.com>
References: <4575A89D.8010003@caf.com.tr> <4575C271.70001@sixdemonbag.org> <1121.85.101.16.38.1165347816.squirrel@mail.caf.com.tr> <20061205230033.GD32304@psilocybe.teonanacatl.org> <4576752B.102@caf.com.tr> <4576922F.6000706@tx.rr.com>
Message-ID: <4576A0DE.40107@caf.com.tr>

John Clizbe wrote:
> Eray Aslan wrote:
>> The servers in question already have encryption at the file system level
>> with cryptsetupLUKS for Linux and truecrypt for windows boxes. But the
>> trouble is these do not provide any defense against attacks through the
>> network. They will happily serve the emails thru the network to the
>> appropriate user when asked. FS encryption is only good at boot time.
>> Once the partition is mounted, you can access the data.
>
> Once again, this would appear to be a server configuration issue, not a GnuPG issue.

I think I am not expressing myself clearly.

> If it is possible for someone to easily spoof a user's credentials and access
> their emails, then it's an authentication issue.

No, see below.

> If you're worried about
> eavesdropping on the wire, you want SSL or TLS to secure the link.
>
> In the case given of IMAP, you want IMAP + TLS or IMAP + SSL

We provide IMAP+SSL and POP3+SSL email access to our employees. Plain IMAP and POP3 is not provided. SMTP is also secured. We also provide webmail service secured with HTTPS. Again plain HTTP is not allowed. This is basic stuff. So eavesdropping on the wire is not my main concern. And mails are stored on IMAP servers with encrypted file systems.

This is not an authentication issue because you can change the authentication method at the server. I want the emails to stay encrypted even if the server is compromised. I don't want anyone with the root password to say "that is what you wrote 2 months ago" unless he has my secret key. And that is what GnuPG does, no?

And since all our email accounts are virtual - meaning they don't have a shell account, don't have a home directory and emails are stored under the same UID at the server - I have to solve this at the MUA level.

Please tell if there is an alternative.

-- 
Eray

From rjh at sixdemonbag.org Wed Dec 6 12:14:12 2006
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed Dec 6 12:12:06 2006
Subject: encrypt the sent folder
In-Reply-To: <4576A0DE.40107@caf.com.tr>
References: <4575A89D.8010003@caf.com.tr> <4575C271.70001@sixdemonbag.org> <1121.85.101.16.38.1165347816.squirrel@mail.caf.com.tr> <20061205230033.GD32304@psilocybe.teonanacatl.org> <4576752B.102@caf.com.tr> <4576922F.6000706@tx.rr.com> <4576A0DE.40107@caf.com.tr>
Message-ID: <4576A604.7030206@sixdemonbag.org>

Eray Aslan wrote:
> Please tell if there is an alternative.

Your best alternative at this point is to hire a professional information security consultant.

Your needs are highly specialized. That means that nobody here can give you good advice on what to do, since none of us here are fully briefed on your infrastructure, your operations, your business, your threats, or any of the other dozens of things that go into a risk management plan.

You're also going to need to address problems with public-key infrastructure if you want to deploy this for your employees. PKI is the big elephant in the middle of the room that nobody talks about; existing PKI designs are, speaking generally, absolutely terrible. Deploying PKI is something you'll want a specialist for.

GnuPG is a tool. It is not a solution.

From eray.aslan at caf.com.tr Wed Dec 6 12:24:36 2006
From: eray.aslan at caf.com.tr (Eray Aslan)
Date: Wed Dec 6 12:22:23 2006
Subject: encrypt the sent folder
In-Reply-To: <4576A604.7030206@sixdemonbag.org>
References: <4575A89D.8010003@caf.com.tr> <4575C271.70001@sixdemonbag.org> <1121.85.101.16.38.1165347816.squirrel@mail.caf.com.tr> <20061205230033.GD32304@psilocybe.teonanacatl.org> <4576752B.102@caf.com.tr> <4576922F.6000706@tx.rr.com> <4576A0DE.40107@caf.com.tr> <4576A604.7030206@sixdemonbag.org>
Message-ID: <4576A874.5020301@caf.com.tr>

Robert J. Hansen wrote:
> Your best alternative at this point is to hire a professional
> information security consultant.
[snip]

I'll fight for the budget but it's not likely. Thanks anyway.

-- 
Eray

From willems.luc at pandora.be Wed Dec 6 11:11:17 2006
From: willems.luc at pandora.be (Luc Willems)
Date: Wed Dec 6 12:25:13 2006
Subject: using belgium EID with gnupg 2.0.1
Message-ID: <200612061111.17382.willems.luc@pandora.be>

hello all ,

i'm trying to import my belgium eID card but it only imports the belgium Root CA

this is the output i get

luc@lieve:~/.gnupg> gpgsm --learn-card
gpgsm[6605]: can't connect to `/tmp/gpg-GXgusb/S.gpg-agent': No such file or directory
gpgsm: can't connect to the agent - trying fall back
gpgsm[6605]: can't connect to `/home/luc/.gnupg/S.gpg-agent': No such file or directory
gpgsm: no running gpg-agent - starting one
gpgsm: DBG: connection to agent established
gpgsm: issuer certificate {C2EAD603ED8E2ED59FA26D27D21E3826FC8024AC} not found using authorityKeyIdentifier
gpgsm: issuer certificate (#/2.5.4.5=#323030363033,CN=Citizen CA,C=BE) not found
gpgsm: issuer certificate missing - storing as ephemeral
gpgsm: issuer certificate {C2EAD603ED8E2ED59FA26D27D21E3826FC8024AC} not found using authorityKeyIdentifier
gpgsm: issuer certificate (#/2.5.4.5=#323030363033,CN=Citizen CA,C=BE) not found
gpgsm: issuer certificate missing - storing as ephemeral
gpgsm: issuer certificate {10F00C569B61EA573AB635976D9FDDB9148EDBE6} not found using authorityKeyIdentifier
gpgsm: issuer certificate (#/CN=Belgium Root CA,C=BE) not found
gpgsm: issuer certificate missing - storing as ephemeral
gpgsm: certificate imported
secmem usage: 0/16384 bytes in 0 blocks

luc@lieve:~/.gnupg> gpgsm --list-keys
/home/luc/.gnupg/pubring.kbx
----------------------------
Serial number: 580B056C5324DBB25057185FF9E5A650
Issuer: /CN=Belgium Root CA/C=BE
Subject: /CN=Belgium Root CA/C=BE
validity: 2003-01-26 23:00:00 through 2014-01-26 23:00:00
key type: 2048 bit RSA
key usage: certSign crlSign
policies: 2.16.56.1.1.1:N:
chain length: unlimited
fingerprint: DF:DF:AC:89:47:BD:F7:52:64:A9:23:3A:C1:0E:E3:D1:28:33:DA:CC

i have the following gpg-agent.conf

# GPGConf disabled this option here at Wed 06 Dec 2006 10:14:02 AM CET
# allow-mark-trusted

###+++--- GPGConf ---+++###
ignore-cache-for-signing
allow-mark-trusted
debug-level basic
log-file socket:///home/luc/.gnupg/log-socket
###+++--- GPGConf ---+++### Wed 06 Dec 2006 10:51:20 AM CET
# GPGConf edited this configuration file.
# It will disable options before this marked block, but it will
# never change anything below these lines.

but for some reason it doesn't trust the root and citizen CA. I also didn't get a question to trust the CA certificates ?

How can i fix this ?

Also , the current scdaemon fails most of the time with my acr38 card reader. i'm using the pcsc driver but most of the time i get Card errors. The card works fine with firefox and thunderbird which uses the belgium pkcs11 library

greetings,
luc

From msemtd at yahoo.co.uk Wed Dec 6 13:27:49 2006
From: msemtd at yahoo.co.uk (Michael Erskine)
Date: Wed Dec 6 13:26:12 2006
Subject: Christmas is upon us again.
In-Reply-To: <20061206020155.82217.qmail@web50912.mail.yahoo.com>
References: <20061206020155.82217.qmail@web50912.mail.yahoo.com>
Message-ID: <200612061227.49316.msemtd@yahoo.co.uk>

On Wednesday 06 December 2006 02:01, Randy Burns wrote:
> It's a great idea. A more direct link is:
> https://www.fsf.org/associate/support_freedom/donate

Excellent idea - I shall do the same.

Regards,
Michael Erskine.

-- 
Slurm, n.: The slime that accumulates on the underside of a soap bar
when it sits in the dish too long.
    -- Rich Hall, "Sniglets"

From blueness at gmx.net Wed Dec 6 13:59:06 2006
From: blueness at gmx.net (Mica Mijatovic)
Date: Wed Dec 6 14:00:51 2006
Subject: Christmas is upon us again.
In-Reply-To: <4575ED80.4040905@sixdemonbag.org>
References: <4575ED80.4040905@sixdemonbag.org>
Message-ID: <719058079.20061206135906@gmx.net>

Was Tue, 05 Dec 2006, at 16:06:56 -0600, when Robert J. Hansen wrote:

> Whether you're secular or religious, atheist or devout, I think we can
> all agree that the time of the year known as Christmas will soon be upon
> us. This is historically a time for personal reflection and charitable
> giving. We reflect on how fortunate we are, and we give in order to
> show our thanks and appreciation for that which we have received.

> This year, I'm grateful that we have a Free Software implementation of
> the OpenPGP protocol. I'm also grateful that the development process is
> fairly open and I'm grateful that, by and large, the people in the
> community are friendly.

> This year, I'm giving $10 to the Free Software Foundation
> (http://www.fsf.org) in the name of the GNU Privacy Guard, as my way of
> telling the developers "thanks".

> If you feel like joining me in this, well... feel free to say thanks
> on-list, or to write off a note to the developers. Likewise, I hope
> you'll give a small donation to the charity of your choice in the name
> of the GNU Privacy Guard.

> Merry Christmas to everyone. May we have peace on Earth and goodwill to
> all humanity.

*

I thank you warmly and as a Buddhist wish you (all) Happy Tibetan New Year.[1]

The speech is of very loving-kindness nature and is spreading characteristic velvet and silky atmosphere we all need (at least once in a year).

I hope that Miss GnuGP Universe contest will be established at some time also, because it is very good idea.

Ten US dollars sound good too, so I will be willing to donate as well, in this or other way, to FSF, as soon as Mr Richard Stallman stops his support for legalization of ga...marijuana and/or any "soft drugs", or at least removes this from his web site.

I wish also to GnuPG to remain good, free (as in "freedom"), independent and nonrestricted software as long as possible, and to its related team(s) a good, reliable, stable, vital and quality organizational (cap)abilities.

__________________________
[1] I also wish Happy International, Serbian, Chinese and Japanese New Year and Merry Orthodox Christmas, since I am coming from this cultural and spiritual milieu too.

-- 
Mica
~~~ For personal mail please use my address as it is *exactly* given in my "From" field, otherwise it will not reach me. ~~~
GPG keys/docs/software at:
http://blueness.port5.com/pgpkeys/
http://tronogi.tripod.com/pgp/pgpkeys/

checking whether the reason is present and sane... piggy, piggy!

From shavital at mac.com Wed Dec 6 14:45:52 2006
From: shavital at mac.com (Charly Avital)
Date: Wed Dec 6 14:44:21 2006
Subject: Christmas is upon us again.
In-Reply-To: <20061206020155.82217.qmail@web50912.mail.yahoo.com>
References: <20061206020155.82217.qmail@web50912.mail.yahoo.com>
Message-ID: <4576C990.7000507@mac.com>

Randy Burns wrote the following on 12/5/06 9:01 PM:
> It's a great idea. A more direct link is:
> https://www.fsf.org/associate/support_freedom/donate
>
> Randy
>
> --- "Robert J. Hansen" wrote:
[...]
>> This year, I'm giving $10 to the Free Software Foundation
>> (http://www.fsf.org) in the name of the GNU Privacy Guard, as my way of
>> telling the developers "thanks".
>>
>> If you feel like joining me in this, well... feel free to say thanks
>> on-list, or to write off a note to the developers. Likewise, I hope
>> you'll give a small donation to the charity of your choice in the name
>> of the GNU Privacy Guard.

Kudos to Robert for the initiative.

Donation sent via the above link (thanks Randy).

Thanks, Merry Christmas, Happy Hanukkah and a Happy New Year to Charly

From alain.mp.bertrand at tele2.be Wed Dec 6 15:09:21 2006
From: alain.mp.bertrand at tele2.be (alain bertrand)
Date: Wed Dec 6 16:55:41 2006
Subject: Expectk and echo from GnuPG ---edit-key Command>
Message-ID: <200612061509.22400.alain.mp.bertrand@tele2.be>

Hi,

I'm scripting a Tcl/Tk frontend using Expect extension. It's all right up to GnuPG 1.4.2. With GnuPG 1.4.5, the spawned process from tcl script (spawn gpg --no-use-agent --edit-key 0x12345678) echoes back character by character everything is sent to gpg. So my tcl script receive back a mix of data from and to gpg.

Tcl sends
delsig
It received:
Command> d
Command> de
Command> del
Command> dels
Command> delsi
Command> delsig
Command>
and not "Command> " prompt only.

Why is 1.4.5 behaviour different from 1.4.2 ? Is it possible to avoid this echoing precluding use of Expect for key edition ?

I'm a Linux rookie. Thanks for your help.

Alain.

From peter at stoddard.name Wed Dec 6 07:23:59 2006
From: peter at stoddard.name (Peter Stoddard)
Date: Wed Dec 6 17:31:10 2006
Subject: Compile of Gnupg 2.0.1 failed - no libintl
Message-ID: <3110FC4B-8B8B-48B1-A98D-0444F652BBEA@stoddard.name>

Hi folks

I tried compiling Gnupg 2.0.1 on a 733 MHz PowerPC G4 running Mac OSX 10.4.8 and the make failed with the following error:

In file included from sysutils.c:41:
i18n.h:27:23: error: libintl.h: No such file or directory
sysutils.c: In function 'disable_core_dumps':
sysutils.c:88: warning: implicit declaration of function 'gettext'
sysutils.c:88: warning: incompatible implicit declaration of built-in function 'gettext'
make[2]: *** [libcommon_a-sysutils.o] Error 1
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2

I looked libintl up and it involves native language support. Is this really necessary to build Gnupg 2.x? If so, is there source code somewhere I can download?

Thanks

Pete

-- 
Peter Stoddard -- GPG Key 4A1F5DA0

From vedaal at hush.com Wed Dec 6 18:30:55 2006
From: vedaal at hush.com (vedaal at hush.com)
Date: Wed, 06 Dec 2006 12:30:55 -0500
Subject: encrypt the sent folder (Eray Aslan)
Message-ID: <20061206173056.50708DA835@mailserver7.hushmail.com>

On Wed, 06 Dec 2006 10:59:14 -0500 gnupg-users-request at gnupg.org wrote:

>Message: 1
>Date: Wed, 06 Dec 2006 12:52:14 +0200
>From: Eray Aslan

>We provide IMAP+SSL and POP3+SSL email access to our employees. Plain
>IMAP and POP3 is not provided. SMTP is also secured. We also provide
>webmail service secured with HTTPS. Again plain HTTP is not allowed.
>This is basic stuff. So eavesdropping on the wire is not my main
>concern. And mails are stored on IMAP servers with encrypted file
>systems.
>
>This is not an authentication issue because you can change the
>authentication method at the server. I want the emails to stay
>encrypted even if the server is compromised. I don't want anyone with
>the root password to say "that is what you wrote 2 months ago" unless he
>has my secret key. And that is what GnuPG does, no?
>
>And since all our email accounts are virtual - meaning they don't have a
>shell account, don't have a home directory and emails are stored under
>the same UID at the server - I have to solve this at the MUA level.
>Please tell if there is an alternative.

at the risk of sounding simplistic, maybe there is not too difficult workaround:

[1] make it an option to save mail that is sent, and make the default as 'not' saving it

[2] those wishing to have their sent mail stored encrypted, can forward the sent mail to self, (as this is not usually done, it must be implemented to 'allow' it, but that shouldn't be that hard to do), and encrypt the forwarded mail with the sender's default key

[3] add something in the subject line like: 'forwarded mail of 'date', encrypted'

[4] add a disclaimer that users choosing to save mail in the 'sent' folder without encrypting it, will have it stored as cleartext on the server

this keeps the users informed, gives them a choice, allows them to be protected (and does so by default) and protects the provider

vedaal

From dougb at dougbarton.us Wed Dec 6 19:33:39 2006
From: dougb at dougbarton.us (Doug Barton)
Date: Wed, 06 Dec 2006 10:33:39 -0800
Subject: Compile of Gnupg 2.0.1 failed - no libintl
In-Reply-To: <3110FC4B-8B8B-48B1-A98D-0444F652BBEA@stoddard.name>
References: <3110FC4B-8B8B-48B1-A98D-0444F652BBEA@stoddard.name>
Message-ID: <45770D03.1080900@dougbarton.us>

Peter Stoddard wrote:
> Hi folks
>
> I tried compiling Gnupg 2.0.1 on a 733 MHz PowerPC G4 running Mac OSX
> 10.4.8 and the make failed with the following error:
>
> In file included from sysutils.c:41:
> i18n.h:27:23: error: libintl.h: No such file or directory
> sysutils.c: In function 'disable_core_dumps':
> sysutils.c:88: warning: implicit declaration of function 'gettext'
> sysutils.c:88: warning: incompatible implicit declaration of built-in
> function 'gettext'
> make[2]: *** [libcommon_a-sysutils.o] Error 1
> make[1]: *** [all-recursive] Error 1
> make: *** [all] Error 2
>
> I looked libintl up and it involves native language support. Is this
> really necessary to build Gnupg 2.x? If so, is there source code
> somewhere I can download?

Try adding --disable-nls to your configure command. Also try doing './configure --help | more' to see if there is anything else there that is relevant, but only change things if you're pretty sure you know what's going to happen if you do. :)

Doug

-- 
If you're never wrong, you're not trying hard enough

From peter at digitalbrains.com Wed Dec 6 20:08:07 2006
From: peter at digitalbrains.com (Peter Lebbing)
Date: Wed, 06 Dec 2006 20:08:07 +0100
Subject: Christmas is upon us again.
In-Reply-To: <4576C990.7000507@mac.com>
References: <20061206020155.82217.qmail@web50912.mail.yahoo.com> <4576C990.7000507@mac.com>
Message-ID: <45771517.7090603@digitalbrains.com>

Yes, I will join in too and donate to the FSF, as a strong supporter of enabling *free speech* (GnuPG and other crypto/anonymity products), and free software in general.

Peter.

From rjh at sixdemonbag.org Wed Dec 6 23:13:21 2006
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 06 Dec 2006 16:13:21 -0600
Subject: encrypt the sent folder
In-Reply-To: <20061206092211.GD13050@psilocybe.teonanacatl.org>
References: <4575A89D.8010003@caf.com.tr> <4575C271.70001@sixdemonbag.org> <1121.85.101.16.38.1165347816.squirrel@mail.caf.com.tr> <20061205230033.GD32304@psilocybe.teonanacatl.org> <457677F5.5090004@tx.rr.com> <20061206092211.GD13050@psilocybe.teonanacatl.org>
Message-ID: <45774081.9030105@sixdemonbag.org>

Todd Zullinger wrote:
> That seems more like not feasible than unreasonable. But the results
> are the same. :-)

Infeasible: "we have the manpower, we have the tools, we have the talent, but the architecture is working against us in a big way."

Unreasonable: "our manpower is stretched so thin that all infeasible RFEs are unreasonable expectations of us."

As is unfortunately common with open-source projects, there's a major lack of manpower on Enigmail. If you know Javascript and would like to get your hands dirty with Enigmail, why not volunteer over on the Enigmail list? :)

From peter at stoddard.us Thu Dec 7 01:46:34 2006
From: peter at stoddard.us (Peter Stoddard) Date: Wed, 6 Dec 2006 16:46:34 -0800 Subject: Compile of Gnupg 2.0.1 failed - no libintl In-Reply-To: <45770D03.1080900@dougbarton.us> References: <3110FC4B-8B8B-48B1-A98D-0444F652BBEA@stoddard.name> <45770D03.1080900@dougbarton.us> Message-ID: <06E1F3DC-32AA-4798-83FC-41DC02E47033@stoddard.us> On Dec 6, 2006, at 10:33 AM, Doug Barton wrote: > Peter Stoddard wrote: >> Hi folks >> >> I tried compiling Gnupg 2.0.1 on a 733 MHz PowerPC G4 running Mac OSX >> 10.4.8 and the make failed with the following error: >> >> In file included from sysutils.c:41: >> i18n.h:27:23: error: libintl.h: No such file or directory >> sysutils.c: In function 'disable_core_dumps': >> sysutils.c:88: warning: implicit declaration of function 'gettext' >> sysutils.c:88: warning: incompatible implicit declaration of built-in >> function 'gettext' >> make[2]: *** [libcommon_a-sysutils.o] Error 1 >> make[1]: *** [all-recursive] Error 1 >> make: *** [all] Error 2 >> >> I looked libintl up and it involves native language support. Is this >> really necessary to build Gnupg 2.x? If so, is there source code >> somewhere I can download? > > Try adding --disable-nls to your configure command. Also try doing > './configure --help | more' to see if there is anything else there > that is relevant, but only change things if you're pretty sure you > know what's going to happen if you do. :) Thanks for the suggestion Doug. I tried configure --disable-nls, and I got further in the make but it eventually failed with the following error: /usr/bin/ld: Undefined symbols: _libiconv _libiconv_close _libiconv_open collect2: ld returned 1 exit status make[2]: *** [kbxutil] Error 1 make[1]: *** [all-recursive] Error 1 make: *** [all] Error 2 I don't know what other configuration options to try, and I don't understand what *any* of them do, so I'm going to bag gnupg 2.0.1 and wait until I can find out what is going on, or maybe wait for a macosx binary.
I'm running 1.4.5 and it's working fine for me. Pete -- Peter Stoddard -- GPG Key 4A1F5DA0 From tmz at pobox.com Thu Dec 7 04:14:03 2006
From: tmz at pobox.com (Todd Zullinger) Date: Wed, 6 Dec 2006 22:14:03 -0500 Subject: encrypt the sent folder In-Reply-To: <45774081.9030105@sixdemonbag.org> References: <4575A89D.8010003@caf.com.tr> <4575C271.70001@sixdemonbag.org> <1121.85.101.16.38.1165347816.squirrel@mail.caf.com.tr> <20061205230033.GD32304@psilocybe.teonanacatl.org> <457677F5.5090004@tx.rr.com> <20061206092211.GD13050@psilocybe.teonanacatl.org> <45774081.9030105@sixdemonbag.org> Message-ID: <20061207031403.GI13050@psilocybe.teonanacatl.org> Robert J. Hansen wrote: > Todd Zullinger wrote: >> That seems more like not feasible than unreasonable. But the >> results are the same. :-) > > Infeasible: "we have the manpower, we have the tools, we have the > talent, but the architecture is working against us in a big way." > > Unreasonable: "our manpower is stretched so thin that all infeasible > RFEs are unreasonable expectations of us." I suppose that's one way to define the terms. I was thinking that unreasonable would be more aptly applied to a request that wasn't grounded in any good reasoning. Not feasible could be applied for either lack of manpower or lack of an available set of hooks to achieve the goal. > As is unfortunately common with open-source projects, there's a > major lack of manpower on Enigmail. If you know Javascript and > would like to get your hands dirty with Enigmail, why not volunteer > over on the Enigmail list? :) While I think that the Enigmail team has done a really great job of integrating OpenPGP into Thunderbird[1], I'm a happy Mutt user and not looking to switch back to any graphical MUA. 
;-) I sincerely appreciate the efforts of all those folks that create the tools so many of us use, from the kernel hackers working on low level drivers for obscure functions I will likely never understand, to David, Werner, Timo and all the GnuPG developers/contributors, to Ingo, John, Patrick and others who spend hours integrating those pieces into easy to use graphical interfaces that I can teach a friend to use pretty quickly. [1] For Windows, Thunderbird with Enigmail is the only thing I'd recommend to friends getting started. For linux, it's either Thunderbird/Enigmail or Kmail. Both projects have done a lot to make using PGP both seamless and secure. -- Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ====================================================================== The chains of habit are too weak to be felt until they are too strong to be broken -- Samuel Johnson (1709-1784) From tmz at pobox.com Thu Dec 7 05:37:25 2006
From: tmz at pobox.com (Todd Zullinger) Date: Wed, 6 Dec 2006 23:37:25 -0500 Subject: Info doc conflict between 1.4.6 and 2.0.1? Message-ID: <20061207043724.GJ13050@psilocybe.teonanacatl.org> I was updating my system to 1.4.6 today and noticed the following in the make install output (I've got 2.0.1 installed already): install-info: menu item `gpg' already exists, for file `gnupg' I don't recall seeing this before, but I don't use the info docs much, so maybe I've just missed it previously. It seems that 1.4.6 changed the texinfo file to use the dircategory "GNU Utilities" just as 2.0.1 does. 1.4.5 used GnuPG. Without knowing much about how install-info works, I'm guessing that it's balking because both programs try to create a gpg entry in the same info section. If I'm looking to install both 1.4.6 and 2.0.1 simultaneously, shouldn't the info pages for both versions be able to coexist? If I'm doing something wrong or am incorrect in expecting that the info files should be parallel installable, let me know. If not, would a proper fix be to use gpg2 as the entry for 2.0.1? -- Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ====================================================================== No oppression is so heavy or lasting as that which is inflicted by the perversion and exorbitance of legal authority. -- Joseph Addison From shavital at mac.com Thu Dec 7 06:07:07 2006
From: shavital at mac.com (Charly Avital) Date: Thu, 07 Dec 2006 00:07:07 -0500 Subject: Info doc conflict between 1.4.6 and 2.0.1? In-Reply-To: <20061207043724.GJ13050@psilocybe.teonanacatl.org> References: <20061207043724.GJ13050@psilocybe.teonanacatl.org> Message-ID: <4577A17B.80809@mac.com> Todd Zullinger wrote the following on 12/6/06 11:37 PM: > I was updating my system to 1.4.6 today and noticed the following in > the make install output (I've got 2.0.1 installed already): > > install-info: menu item `gpg' already exists, for file `gnupg' > > I don't recall seeing this before, but I don't use the info docs much, > so maybe I've just missed it previously. It seems that 1.4.6 changed > the texinfo file to use the dircategory "GNU Utilities" just as 2.0.1 > does. 1.4.5 used GnuPG. Without knowing much about how install-info > works, I'm guessing that it's balking because both programs try to > create a gpg entry in the same info section. > > If I'm looking to install both 1.4.6 and 2.0.1 simultaneously, > shouldn't the info pages for both versions be able to coexist? > > If I'm doing something wrong or am incorrect in expecting that the > info files should be parallel installable, let me know. If not, would > a proper fix be to use gpg2 as the entry for 2.0.1? I am MacOS X user (10.4.6), unable till now to compile 2.0.1 (posted a few messages explaining why). If you are MacOS X user, could you please explain how you succeeded to compile 2.0.1. Thanks. I had no problem compiling 1.4.6 (and all its predecessors) from source.
Charly KeyOnCard at: From tmz at pobox.com Thu Dec 7 06:50:58 2006 From: tmz at pobox.com (Todd Zullinger) Date: Thu, 7 Dec 2006 00:50:58 -0500 Subject: Info doc conflict between 1.4.6 and 2.0.1? In-Reply-To: <4577A17B.80809@mac.com> References: <20061207043724.GJ13050@psilocybe.teonanacatl.org> <4577A17B.80809@mac.com> Message-ID: <20061207055058.GA18723@psilocybe.teonanacatl.org> Charly Avital wrote: > I am MacOS X user (10.4.6), unable till now to compile 2.0.1 (posted > a few messages explaining why). > If you are MacOS X user, could you please explain how you succeeded > to compile 2.0.1. Thanks. Sorry, I'm using linux. -- Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ====================================================================== It is impossible to enjoy idling thoroughly unless one has plenty of work to do. -- Jerome K. Jerome From wk at gnupg.org Thu Dec 7 10:14:49 2006
From: wk at gnupg.org (Werner Koch) Date: Thu, 07 Dec 2006 10:14:49 +0100 Subject: Info doc conflict between 1.4.6 and 2.0.1? In-Reply-To: <20061207043724.GJ13050@psilocybe.teonanacatl.org> (Todd Zullinger's message of "Wed\, 6 Dec 2006 23\:37\:25 -0500") References: <20061207043724.GJ13050@psilocybe.teonanacatl.org> Message-ID: <87lklkhxti.fsf@wheatstone.g10code.de> On Thu, 7 Dec 2006 05:37, tmz at pobox.com said: > I don't recall seeing this before, but I don't use the info docs much, > so maybe I've just missed it previously. It seems that 1.4.6 changed > the texinfo file to use the dircategory "GNU Utilities" just as 2.0.1 > does. 1.4.5 used GnuPG. Without knowing much about how install-info That is quite possible. I forgot to do this change in the release candidate and it was too late to do another one due to the security bug. > If I'm doing something wrong or am incorrect in expecting that the > info files should be parallel installable, let me know. If not, would > a proper fix be to use gpg2 as the entry for 2.0.1? I think so and will change it for the next release. Salam-Shalom, Werner From wk at gnupg.org Thu Dec 7 10:16:22 2006
From: wk at gnupg.org (Werner Koch) Date: Thu, 07 Dec 2006 10:16:22 +0100 Subject: Info doc conflict between 1.4.6 and 2.0.1? In-Reply-To: <4577A17B.80809@mac.com> (Charly Avital's message of "Thu\, 07 Dec 2006 00\:07\:07 -0500") References: <20061207043724.GJ13050@psilocybe.teonanacatl.org> <4577A17B.80809@mac.com> Message-ID: <87hcw8hxqx.fsf@wheatstone.g10code.de> On Thu, 7 Dec 2006 06:07, shavital at mac.com said: > I am MacOS X user (10.4.6), unable till now to compile 2.0.1 (posted a > few messages explaining why). > If you are MacOS X user, could you please explain how you succeeded to > compile 2.0.1. Thanks. I know that there are some problems. Please give me some time to work through them. IIRC, you need to use --disable-nls as well as the latest versions of the libraries (maybe even from SVN). Shalom-Salam, Werner From wk at gnupg.org Thu Dec 7 10:21:18 2006 From: wk at gnupg.org (Werner Koch) Date: Thu, 07 Dec 2006 10:21:18 +0100 Subject: Problem building 2.0.1 In-Reply-To: <45766FEA.1040000@mac.com> (Charly Avital's message of "Wed\, 06 Dec 2006 02\:23\:22 -0500") References: <871wnehznu.fsf@wheatstone.g10code.de> <45766FEA.1040000@mac.com> Message-ID: <87d56whxip.fsf@wheatstone.g10code.de> On Wed, 6 Dec 2006 08:23, shavital at mac.com said: > ----- > /usr/bin/ld: Undefined symbols: > _libiconv Well, you need a proper iconv installation too. We need to have an extra test for it in case NLS has been disabled. NLS requires iconv anyway but there is some other code in gpg which needs it too. Can you please add your problem to the bug tracker, so we don't forget about it? Use category gnupg and mention libiconv in the title. http://bugs.g10code.com . Salam-Shalom, Werner From wk at gnupg.org Thu Dec 7 10:23:29 2006
From: wk at gnupg.org (Werner Koch) Date: Thu, 07 Dec 2006 10:23:29 +0100 Subject: using belgium EID with gnupg 2.0.1 In-Reply-To: <200612061111.17382.willems.luc@pandora.be> (Luc Willems's message of "Wed\, 6 Dec 2006 11\:11\:17 +0100") References: <200612061111.17382.willems.luc@pandora.be> Message-ID: <8764cohxf2.fsf@wheatstone.g10code.de> On Wed, 6 Dec 2006 11:11, willems.luc at pandora.be said: > i'm trying to import my belgium eID card but it only imports the belgium Root CA I have currently no time to care about it. I hope I can look at this in the next week. My two developer cards work just fine. You need to import the root certificates, though. Shalom-Salam, Werner From wk at gnupg.org Thu Dec 7 10:25:21 2006 From: wk at gnupg.org (Werner Koch) Date: Thu, 07 Dec 2006 10:25:21 +0100 Subject: Compile of Gnupg 2.0.1 failed - no libintl In-Reply-To: <06E1F3DC-32AA-4798-83FC-41DC02E47033@stoddard.us> (Peter Stoddard's message of "Wed\, 6 Dec 2006 16\:46\:34 -0800") References: <3110FC4B-8B8B-48B1-A98D-0444F652BBEA@stoddard.name> <45770D03.1080900@dougbarton.us> <06E1F3DC-32AA-4798-83FC-41DC02E47033@stoddard.us> Message-ID: <871wnchxby.fsf@wheatstone.g10code.de> On Thu, 7 Dec 2006 01:46, peter at stoddard.us said: > I don't know what other configuration options to try, and I don't > understand what *any* of them do, so I'm going to bag gnupg 2.0.1 and > wait until I can find out what is going on, or maybe wait for a > macosx binary. I'm running 1.4.5 and it's working fine for me. You should install libiconv. See my response to Charly Avital's report. Salam-Shalom, Werner From johanw at vulcan.xs4all.nl Wed Dec 6 11:28:50 2006
From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Wed, 6 Dec 2006 11:28:50 +0100 (MET) Subject: encrypt the sent folder In-Reply-To: <457607CF.2090607@madhatt.com> Message-ID: <200612061028.kB6ASo2j022084@vulcan.xs4all.nl> Andrew Berg wrote: >> TrueCrypt works also on Linux (kernel 2.6.5 and up). The advantage is >> that a TC volume can be accessed on both Linux and windows - very >> useful when I use the same USB stick both at home and on my work. >Uhhh... TC requires admin rights in order to mount a virtual drive. You >must have admin rights at work. If not, how are you able to use it? I have on my local machine. As a programmer, I need to. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw at vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From wk at gnupg.org Thu Dec 7 17:07:12 2006
From: wk at gnupg.org (Werner Koch) Date: Thu, 07 Dec 2006 17:07:12 +0100 Subject: [Announce] Maintenance release for GnuPG 1.2.x Message-ID: <87psavbsgf.fsf@wheatstone.g10code.de>

Hello,

I am pleased to announce a security update to the 1.2 series of GnuPG: Version 1.2.8.

The 1.2.x series has reached end of life status about 2 years ago. However, I make an update available for the sake of those who can't migrate to 1.4. There is no guarantee that all problems are solved in 1.2 - it is in general better to migrate to the actively maintained 1.4 series.

You will find that version as well as corresponding signatures at the usual place (ftp://ftp.gnupg.org/gcrypt/gnupg/).

Noteworthy changes in version 1.2.8 (2006-12-07)
------------------------------------------------

Backported security fixes. Note, that the 1.2.x series has reached end of life status. You should migrate to 1.4.x.

* Fixed a serious and exploitable bug in processing encrypted packages. [CVE-2006-6235].
* Fixed a buffer overflow in gpg. [bug#728, CVE-2006-6169]
* User IDs are now capped at 2048 bytes. This avoids a memory allocation attack [CVE-2006-3082].
* Added countermeasures against the Mister/Zuccherato CFB attack.

Happy Hacking,

Werner

--
Werner Koch The GnuPG Experts http://g10code.com
Join the Fellowship and protect your Freedom! http://www.fsfe.org

From tmz at pobox.com Thu Dec 7 18:16:10 2006
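The 1.2.8 announcement above says User IDs are capped at 2048 bytes to avoid a memory allocation attack. The following is an added example, not GnuPG's code and not part of the announcement: it shows the general pattern in C, where a new-format User ID packet's declared body length is checked against the cap before anything is allocated. The names `parse_user_id`, `demo_status` and `MAX_USER_ID_LEN` are hypothetical, the packets are constructed inline, and treating the cap as inclusive is an assumption.

```c
/* Added example, not GnuPG source: bound a declared length before
 * allocating. Function names and the inclusive cap are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PKT_USER_ID     13    /* OpenPGP packet tag: User ID */
#define MAX_USER_ID_LEN 2048  /* cap quoted in the 1.2.8 announcement */

enum uid_status { UID_OK, UID_TRUNCATED, UID_NOT_USER_ID,
                  UID_TOO_LONG, UID_UNSUPPORTED, UID_NOMEM };

/* Decode a new-format body length (1, 2 or 5 octets). Returns the octets
 * consumed, or 0 if the buffer ends inside the length field. */
static size_t read_body_len(const uint8_t *p, size_t avail, uint32_t *len)
{
    if (p[0] < 192) { *len = p[0]; return 1; }
    if (p[0] < 224) {
        if (avail < 2) return 0;
        *len = ((uint32_t)(p[0] - 192) << 8) + p[1] + 192;
        return 2;
    }
    if (avail < 5) return 0;            /* p[0] == 255: 4-octet length */
    *len = ((uint32_t)p[1] << 24) | ((uint32_t)p[2] << 16)
         | ((uint32_t)p[3] << 8) | p[4];
    return 5;
}

/* Parse one new-format User ID packet from buf[0..n). On UID_OK, *out is a
 * NUL-terminated copy that the caller frees. */
enum uid_status parse_user_id(const uint8_t *buf, size_t n, char **out)
{
    uint32_t len = 0;
    size_t hdr;
    *out = NULL;
    if (n < 2) return UID_TRUNCATED;
    if ((buf[0] & 0xC0) != 0xC0) return UID_UNSUPPORTED;   /* old format */
    if ((buf[0] & 0x3F) != PKT_USER_ID) return UID_NOT_USER_ID;
    if (buf[1] >= 224 && buf[1] != 255) return UID_UNSUPPORTED; /* partial */
    hdr = read_body_len(buf + 1, n - 1, &len);
    if (hdr == 0) return UID_TRUNCATED;

    /* The length is attacker-controlled. Check it against the cap first,
     * so no allocation is ever sized by an unchecked value. */
    if (len > MAX_USER_ID_LEN) return UID_TOO_LONG;
    if (len > n - 1 - hdr) return UID_TRUNCATED;

    *out = malloc((size_t)len + 1);
    if (*out == NULL) return UID_NOMEM;
    memcpy(*out, buf + 1 + hdr, len);
    (*out)[len] = '\0';
    return UID_OK;
}

/* Encode a body length the way a packet writer would (demo helper). */
static size_t write_body_len(uint8_t *p, uint32_t len)
{
    if (len < 192) { p[0] = (uint8_t)len; return 1; }
    if (len < 8384) {
        len -= 192;
        p[0] = (uint8_t)((len >> 8) + 192);
        p[1] = (uint8_t)(len & 0xFF);
        return 2;
    }
    p[0] = 255;
    p[1] = (uint8_t)(len >> 24); p[2] = (uint8_t)(len >> 16);
    p[3] = (uint8_t)(len >> 8);  p[4] = (uint8_t)len;
    return 5;
}

/* Build a constructed packet that declares `declared` body octets but
 * carries only `present`, parse it, and return the status (-1 if the
 * parsed copy does not match). */
int demo_status(uint32_t declared, size_t present)
{
    uint8_t *pkt = malloc(6 + present);
    char *uid = NULL;
    size_t hdr;
    int st;
    if (pkt == NULL) return UID_NOMEM;
    pkt[0] = 0xC0 | PKT_USER_ID;
    hdr = 1 + write_body_len(pkt + 1, declared);
    memset(pkt + hdr, 'A', present);
    st = parse_user_id(pkt, hdr + present, &uid);
    if (st == UID_OK && strlen(uid) != declared) st = -1;
    free(uid);
    free(pkt);
    return st;
}

int main(void)
{
    printf("2048/2048 -> %d\n", demo_status(2048, 2048));
    printf("2049/2049 -> %d\n", demo_status(2049, 2049));
    printf("0xFFFFFFFF/0 -> %d\n", demo_status(0xFFFFFFFFu, 0));
    return 0;
}
```

The last call is the case the cap exists for: a six-octet packet that declares a body of about 4 GiB is rejected on its header alone.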
From: tmz at pobox.com (Todd Zullinger) Date: Thu, 7 Dec 2006 12:16:10 -0500 Subject: Info doc conflict between 1.4.6 and 2.0.1? In-Reply-To: <87lklkhxti.fsf@wheatstone.g10code.de> References: <20061207043724.GJ13050@psilocybe.teonanacatl.org> <87lklkhxti.fsf@wheatstone.g10code.de> Message-ID: <20061207171610.GD20318@psilocybe.teonanacatl.org> Werner Koch wrote: > On Thu, 7 Dec 2006 05:37, tmz at pobox.com said: > >> I don't recall seeing this before, but I don't use the info docs >> much, so maybe I've just missed it previously. It seems that 1.4.6 >> changed the texinfo file to use the dircategory "GNU Utilities" >> just as 2.0.1 does. 1.4.5 used GnuPG. Without knowing much about >> how install-info > > That is quite possible. I forgot to do this change in the release > candidate and it was too late to do another one due to the security > bug. Yes, I can understand that there were far more important things to be done. Here's hoping you can take this weekend off and relax. :) >> If I'm doing something wrong or am incorrect in expecting that the >> info files should be parallel installable, let me know. If not, would >> a proper fix be to use gpg2 as the entry for 2.0.1? > > I think so and will change it for the next release. If it helps, attached a one line patch against current svn. That seems to be all that's needed to get both 1.4 and 2.0 installed together happily. Thanks again to you and the whole GnuPG team! -- Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ====================================================================== To tax and to please, no more than to love and be wise, is not given to men. -- Edmund Burke -------------- next part -------------- Index: doc/gnupg.texi =================================================================== --- doc/gnupg.texi (revision 4372) +++ doc/gnupg.texi (working copy)
@@ -48,7 +48,7 @@ @dircategory GNU Utilities @direntry -* gpg: (gnupg). OpenPGP encryption and signing tool. +* gpg2: (gnupg). OpenPGP encryption and signing tool. * gpgsm: (gnupg). S/MIME encryption and signing tool. @end direntry -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 542 bytes Desc: not available Url : /pipermail/attachments/20061207/d92e90bb/attachment.pgp From wk at gnupg.org Thu Dec 7 19:20:48 2006 From: wk at gnupg.org (Werner Koch) Date: Thu, 07 Dec 2006 19:20:48 +0100 Subject: Signed patch against 1.4.5 Message-ID: <871wnbbm9r.fsf@wheatstone.g10code.de> An embedded and charset-unspecified text was scrubbed... Name: filter-context-14-small.diff Url: /pipermail/attachments/20061207/43134302/attachment-0001.diff From wk at gnupg.org Thu Dec 7 19:21:33 2006 From: wk at gnupg.org (Werner Koch) Date: Thu, 07 Dec 2006 19:21:33 +0100 Subject: Signed patch against 2.0.1 Message-ID: <87wt53a7o2.fsf@wheatstone.g10code.de> An embedded and charset-unspecified text was scrubbed... Name: filter-context-20-small.diff Url: /pipermail/attachments/20061207/6bd11edc/attachment.diff From tmz at pobox.com Thu Dec 7 20:01:22 2006 
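Review bot: in the doc/gnupg.texi hunk (@@ -48,7 +48,7 @@), the renamed `* gpg2: (gnupg).` entry keeps the description "OpenPGP encryption and signing tool." unchanged and still points at the `(gnupg)` info file, so with 1.4 installed alongside, the directory would list gpg and gpg2 with descriptions a reader cannot tell apart. Consider stating in the description that this entry is the 2.0 tool, and confirm that the 1.4 info file is not installed under the same `gnupg` name, since the install-info message quoted earlier in the thread named both the menu item `gpg` and the file `gnupg`.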
From: tmz at pobox.com (Todd Zullinger) Date: Thu, 7 Dec 2006 14:01:22 -0500 Subject: Signed patch against 2.0.1 In-Reply-To: <87wt53a7o2.fsf@wheatstone.g10code.de> References: <87wt53a7o2.fsf@wheatstone.g10code.de> Message-ID: <20061207190122.GI20318@psilocybe.teonanacatl.org> Werner Koch wrote: > Here comes a signed patch against 2.0.1 for those who care to verify > signatures ;-). Thanks Werner. Seems that the list archives scrub the attachment, which makes it less useful than it'd be otherwise, 'cause you can't point others to the signed patch. If any of the list owners have some free time I'd be happy to try to get that corrected or take it to the mailman-users list for advice if need be. (It seems that the content filter settings for the list may be a little aggressive.) BTW, I really like your Content-Type boundary string. :) -- Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ====================================================================== Lack of money is the root of all evil. -- George Bernard Shaw "Man and Superman", 1903 From larstiq at larstiq.dyndns.org Thu Dec 7 21:41:42 2006
From: larstiq at larstiq.dyndns.org (Wouter van Heyst) Date: Thu, 7 Dec 2006 21:41:42 +0100 Subject: Signed patch against 2.0.1 In-Reply-To: <20061207190122.GI20318@psilocybe.teonanacatl.org> References: <87wt53a7o2.fsf@wheatstone.g10code.de> <20061207190122.GI20318@psilocybe.teonanacatl.org> Message-ID: <20061207204141.GC4525@larstiq.dyndns.org> On Thu, Dec 07, 2006 at 02:01:22PM -0500, Todd Zullinger wrote: > Werner Koch wrote: > > Here comes a signed patch against 2.0.1 for those who care to verify > > signatures ;-). > > Thanks Werner. Seems that the list archives scrub the attachment, > which makes it less useful than it'd be otherwise, 'cause you can't > point others to the signed patch. If any of the list owners have some > free time I'd be happy to try to get that corrected or take it to the > mailman-users list for advice if need be. (It seems that the content > filter settings for the list may be a little aggressive.) I got a patch plus sig just fine, sure it isn't somewhere between the list server and you that the scrubbing happens? Wouter van Heyst From tmz at pobox.com Thu Dec 7 22:11:16 2006
From: tmz at pobox.com (Todd Zullinger) Date: Thu, 7 Dec 2006 16:11:16 -0500 Subject: Signed patch against 2.0.1 In-Reply-To: <20061207204141.GC4525@larstiq.dyndns.org> References: <87wt53a7o2.fsf@wheatstone.g10code.de> <20061207190122.GI20318@psilocybe.teonanacatl.org> <20061207204141.GC4525@larstiq.dyndns.org> Message-ID: <20061207211116.GO20318@psilocybe.teonanacatl.org> Wouter van Heyst wrote: > I got a patch plus sig just fine, sure it isn't somewhere between > the list server and you that the scrubbing happens? I'm only talking about the archives. The patch arrived here just fine as well. But say I want to point at it in a distribution package or tell a friend about it. The archives are less than useful: http://lists.gnupg.org/pipermail/gnupg-users/2006-December/029976.html -- Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ====================================================================== The American people are becoming more and more afraid of, and are running away from, their own revolution. -- Leonard E. Read From z.himsel at gmail.com Thu Dec 7 22:22:53 2006
From: z.himsel at gmail.com (Zach Himsel) Date: Thu, 7 Dec 2006 16:22:53 -0500 Subject: GnuPG 2.0.1 compile error Message-ID: <8d5f78b30612071322m60825028wb22d8168babb7814@mail.gmail.com> Yes, I know there has been a lot of compiling error going around on gnupg-users recently but I have tried to find the problem, but cannot. My './configure' works fine, but I get the following error part-way through 'make': ================================ compress.c:36:18: error: zlib.h: No such file or directory compress.c:61: error: expected declaration specifiers or '...' before 'z_stream' compress.c: In function 'init_compress': compress.c:76: error: 'Z_DEFAULT_COMPRESSION' undeclared (first use in this function) compress.c:76: error: (Each undeclared identifier is reported only once compress.c:76: error: for each function it appears in.) compress.c:82: warning: implicit declaration of function 'deflateInit2' compress.c:82: error: 'zs' undeclared (first use in this function) compress.c:82: error: 'Z_DEFLATED' undeclared (first use in this function) compress.c:83: error: 'Z_DEFAULT_STRATEGY' undeclared (first use in this function) compress.c:84: warning: implicit declaration of function 'deflateInit' compress.c:85: error: 'Z_OK' undeclared (first use in this function) compress.c:87: error: 'Z_MEM_ERROR' undeclared (first use in this function) compress.c:88: error: 'Z_VERSION_ERROR' undeclared (first use in this function) compress.c: At top level: compress.c:97: error: expected declaration specifiers or '...' 
before 'z_stream' compress.c: In function 'do_compress': compress.c:104: error: 'zs' undeclared (first use in this function) compress.c:109: warning: implicit declaration of function 'deflate' compress.c:110: error: 'Z_STREAM_END' undeclared (first use in this function) compress.c:110: error: 'Z_FINISH' undeclared (first use in this function) compress.c:112: error: 'Z_OK' undeclared (first use in this function) compress.c: At top level: compress.c:134: error: expected declaration specifiers or '...' before 'z_stream' compress.c: In function 'init_uncompress': compress.c:148: warning: implicit declaration of function 'inflateInit2' compress.c:148: error: 'zs' undeclared (first use in this function) compress.c:149: warning: implicit declaration of function 'inflateInit' compress.c:149: error: 'Z_OK' undeclared (first use in this function) compress.c:151: error: 'Z_MEM_ERROR' undeclared (first use in this function) compress.c:152: error: 'Z_VERSION_ERROR' undeclared (first use in this function) compress.c: At top level: compress.c:162: error: expected declaration specifiers or '...' 
before 'z_stream' compress.c: In function 'do_uncompress': compress.c:169: error: 'zs' undeclared (first use in this function) compress.c:198: warning: implicit declaration of function 'inflate' compress.c:198: error: 'Z_SYNC_FLUSH' undeclared (first use in this function) compress.c:202: error: 'Z_STREAM_END' undeclared (first use in this function) compress.c:204: error: 'Z_OK' undeclared (first use in this function) compress.c:204: error: 'Z_BUF_ERROR' undeclared (first use in this function) compress.c: In function 'compress_filter': compress.c:225: error: 'z_stream' undeclared (first use in this function) compress.c:225: error: 'zs' undeclared (first use in this function) compress.c:231: error: too many arguments to function 'init_uncompress' compress.c:238: warning: passing argument 3 of 'do_uncompress' from incompatible pointer type compress.c:238: error: too many arguments to function 'do_uncompress' compress.c:256: error: too many arguments to function 'init_compress' compress.c:262: error: 'Z_NO_FLUSH' undeclared (first use in this function) compress.c:262: error: too many arguments to function 'do_compress' compress.c:266: warning: implicit declaration of function 'inflateEnd' compress.c:274: error: 'Z_FINISH' undeclared (first use in this function) compress.c:274: error: too many arguments to function 'do_compress' compress.c:275: warning: implicit declaration of function 'deflateEnd' make[2]: *** [compress.o] Error 1 make[2]: Leaving directory `/root/gnupg-2.0.1/g10' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/root/gnupg-2.0.1' make: *** [all] Error 2 =============================== -- Zach Himsel ======= http://tinyurl.com/yjxo8s ======= |_|0|_| ------- OpenPGP Key: 0x9A1DFCAC ------- |_|_|0| () **ASCII Ribbon Campaign** -- against |0|0|0| /\ html mail & proprietary attachments From dshaw at jabberwocky.com Thu Dec 7 23:48:13 2006 
From: dshaw at jabberwocky.com (David Shaw) Date: Thu, 7 Dec 2006 17:48:13 -0500 Subject: Problem building 2.0.1 In-Reply-To: <87d56whxip.fsf@wheatstone.g10code.de> References: <871wnehznu.fsf@wheatstone.g10code.de> <45766FEA.1040000@mac.com> <87d56whxip.fsf@wheatstone.g10code.de> Message-ID: <20061207224813.GA13758@jabberwocky.com> On Thu, Dec 07, 2006 at 10:21:18AM +0100, Werner Koch wrote: > On Wed, 6 Dec 2006 08:23, shavital at mac.com said: > > > ----- > > /usr/bin/ld: Undefined symbols: > > _libiconv > > Well, you need a proper iconv installation too. We need too do have > an extra test for it in case NLS has been disabled. NLS requires > iconv anyway but there is some otehr code in gpg which needs it too. OSX has iconv already. I see a problem in the Makefiles that we're not linking to it though. I've fixed this in svn, and 2.0 now builds more or less (still some doc/ issues) on my OSX box. Here's a patch for the various people who have had a problem. David -------------- next part -------------- Index: tools/Makefile.am =================================================================== --- tools/Makefile.am (revision 4373) +++ tools/Makefile.am (working copy) @@ -54,13 +54,14 @@ common_libs = ../jnlib/libjnlib.a ../common/libcommon.a ../gl/libgnu.a pwquery_libs = ../common/libsimple-pwquery.a -gpgsplit_LDADD = $(common_libs) $(LIBGCRYPT_LIBS) $(GPG_ERROR_LIBS) $(ZLIBS) +gpgsplit_LDADD = $(common_libs) $(LIBGCRYPT_LIBS) $(GPG_ERROR_LIBS) \ + $(ZLIBS) $(LIBICONV) gpgconf_SOURCES = gpgconf.c gpgconf.h gpgconf-comp.c no-libgcrypt.c # jnlib/common sucks in gpg-error, will they, nil they (some compilers # do not eliminate the supposed-to-be-unused-inline-functions). -gpgconf_LDADD = $(common_libs) $(LIBINTL) $(GPG_ERROR_LIBS) +gpgconf_LDADD = $(common_libs) $(LIBINTL) $(GPG_ERROR_LIBS) $(LIBICONV) gpgparsemail_SOURCES = gpgparsemail.c rfc822parse.c rfc822parse.h gpgparsemail_LDADD = 
@@ -74,7 +75,7 @@ gpg_connect_agent_SOURCES = gpg-connect-agent.c no-libgcrypt.c gpg_connect_agent_LDADD = $(common_libs) $(LIBASSUAN_LIBS) \ - $(GPG_ERROR_LIBS) $(LIBINTL) $(NETLIBS) + $(GPG_ERROR_LIBS) $(LIBINTL) $(NETLIBS) $(LIBICONV) gpgkey2ssh_SOURCES = gpgkey2ssh.c gpgkey2ssh_CFLAGS = $(LIBGCRYPT_CFLAGS) $(GPG_ERROR_CFLAGS) Index: g10/Makefile.am =================================================================== --- g10/Makefile.am (revision 4373) +++ g10/Makefile.am (working copy) @@ -118,8 +118,10 @@ LDADD = $(needed_libs) ../common/libgpgrl.a \ $(ZLIBS) $(DNSLIBS) $(LIBREADLINE) \ $(LIBINTL) $(CAPLIBS) $(NETLIBS) -gpg2_LDADD = $(LIBGCRYPT_LIBS) $(LDADD) $(LIBASSUAN_LIBS) $(GPG_ERROR_LIBS) -gpgv2_LDADD = $(LIBGCRYPT_LIBS) $(LDADD) $(LIBASSUAN_LIBS) $(GPG_ERROR_LIBS) +gpg2_LDADD = $(LIBGCRYPT_LIBS) $(LDADD) $(LIBASSUAN_LIBS) $(GPG_ERROR_LIBS) \ + $(LIBICONV) +gpgv2_LDADD = $(LIBGCRYPT_LIBS) $(LDADD) $(LIBASSUAN_LIBS) $(GPG_ERROR_LIBS) \ + $(LIBICONV) $(PROGRAMS): $(needed_libs) ../common/libgpgrl.a Index: agent/Makefile.am =================================================================== --- agent/Makefile.am (revision 4373) +++ agent/Makefile.am (working copy) @@ -53,7 +53,7 @@ gpg_agent_CFLAGS = $(AM_CFLAGS) $(LIBASSUAN_PTH_CFLAGS) $(PTH_CFLAGS) gpg_agent_LDADD = $(commonpth_libs) \ $(LIBGCRYPT_LIBS) $(LIBASSUAN_PTH_LIBS) $(PTH_LIBS) \ - $(GPG_ERROR_LIBS) $(LIBINTL) $(NETLIBS) + $(GPG_ERROR_LIBS) $(LIBINTL) $(NETLIBS) $(LIBICONV) gpg_protect_tool_SOURCES = \ protect-tool.c \ 
@@ -62,14 +62,14 @@ # Needs $(NETLIBS) for libsimple-pwquery.la. gpg_protect_tool_LDADD = $(pwquery_libs) $(common_libs) \ - $(LIBGCRYPT_LIBS) $(GPG_ERROR_LIBS) $(LIBINTL) $(NETLIBS) + $(LIBGCRYPT_LIBS) $(GPG_ERROR_LIBS) $(LIBINTL) $(NETLIBS) $(LIBICONV) gpg_preset_passphrase_SOURCES = \ preset-passphrase.c # Needs $(NETLIBS) for libsimple-pwquery.la. gpg_preset_passphrase_LDADD = $(pwquery_libs) $(common_libs) \ - $(LIBGCRYPT_LIBS) $(GPG_ERROR_LIBS) $(LIBINTL) $(NETLIBS) + $(LIBGCRYPT_LIBS) $(GPG_ERROR_LIBS) $(LIBINTL) $(NETLIBS) $(LIBICONV) # Make sure that all libs are build before we use them. This is From dshaw at jabberwocky.com Thu Dec 7 23:57:25 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Thu, 7 Dec 2006 17:57:25 -0500 Subject: GnuPG 2.0.1 compile error In-Reply-To: <8d5f78b30612071322m60825028wb22d8168babb7814@mail.gmail.com> References: <8d5f78b30612071322m60825028wb22d8168babb7814@mail.gmail.com> Message-ID: <20061207225725.GB13758@jabberwocky.com> On Thu, Dec 07, 2006 at 04:22:53PM -0500, Zach Himsel wrote: > Yes, I know there has been a lot of compiling error going around on > gnupg-users recently but I have tried to find the problem, but cannot. > > My './configure' works fine, but I get the following error part-way > through 'make': > > ================================ > compress.c:36:18: error: zlib.h: No such file or directory We need at least a tiny bit of information to try and help you. Let's start with what kind of computer you have and what OS is running on it? Then look in config.log and see what it says about zlib.h (stuff like "checking for zlib.h usability" and "checking for zlib.h"). David From dshaw at jabberwocky.com Fri Dec 8 00:04:24 2006 
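Review bot: In the tools/Makefile.am hunks of the iconv patch above, $(LIBICONV) is added program by program (gpgsplit_LDADD, gpgconf_LDADD, gpg_connect_agent_LDADD), so any program whose link line is not listed stays uncovered. The build report later in this thread stops at kbxutil with _libiconv, _libiconv_open and _libiconv_close undefined, and no hunk in this patch touches a kbxutil link line. Please check that target and any other program that pulls in the same common libraries, and add $(LIBICONV) there as well.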
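Review bot: In the g10/Makefile.am hunk, $(LIBICONV) is appended separately to gpg2_LDADD and gpgv2_LDADD, although both expand $(LDADD) and LDADD already carries $(LIBINTL) in the context lines. Adding $(LIBICONV) next to $(LIBINTL) in LDADD would cover both programs with one change and keep the two definitions from drifting apart.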
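Review bot: The agent/Makefile.am hunks, like the rest of this patch, change only Makefile.am, and the posting does not say that Makefile.in has to be regenerated before the change reaches a build from the release tarball. Either state that automake must be run after `patch -p0`, or include the matching Makefile.in hunks; the report later in this thread applied the patch without that step and still ended with _libiconv undefined.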
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 7 Dec 2006 18:04:24 -0500
Subject: Problem building 2.0.1
In-Reply-To: <45789C26.4070301@sixdemonbag.org>
References: <871wnehznu.fsf@wheatstone.g10code.de> <45766FEA.1040000@mac.com> <87d56whxip.fsf@wheatstone.g10code.de> <20061207224813.GA13758@jabberwocky.com> <45789C26.4070301@sixdemonbag.org>
Message-ID: <20061207230424.GC13758@jabberwocky.com>

On Thu, Dec 07, 2006 at 04:56:38PM -0600, Robert J. Hansen wrote:
> David Shaw wrote:
> > OSX has iconv already.
>
> Minor correction; OS X 10.4 has iconv already.  For 10.3 and previous,
> iconv is not part of the operating system.

That's not correct.  10.3 has iconv.  10.2 doesn't, but, well, 10.2 is
also from 2002.  Get modern, people, or compile iconv yourself ;)

David

From rjh at sixdemonbag.org Thu Dec 7 23:56:38 2006
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 07 Dec 2006 16:56:38 -0600
Subject: Problem building 2.0.1
In-Reply-To: <20061207224813.GA13758@jabberwocky.com>
References: <871wnehznu.fsf@wheatstone.g10code.de> <45766FEA.1040000@mac.com> <87d56whxip.fsf@wheatstone.g10code.de> <20061207224813.GA13758@jabberwocky.com>
Message-ID: <45789C26.4070301@sixdemonbag.org>

David Shaw wrote:
> OSX has iconv already.

Minor correction; OS X 10.4 has iconv already.  For 10.3 and previous,
iconv is not part of the operating system.

From z.himsel at gmail.com Fri Dec 8 03:01:33 2006
From: z.himsel at gmail.com (Zach Himsel)
Date: Thu, 7 Dec 2006 21:01:33 -0500
Subject: Fwd: GnuPG 2.0.1 compile error
In-Reply-To: <8d5f78b30612071755q3e0437ceqb1b54cc1c03917c5@mail.gmail.com>
References: <8d5f78b30612071322m60825028wb22d8168babb7814@mail.gmail.com> <20061207225725.GB13758@jabberwocky.com> <8d5f78b30612071755q3e0437ceqb1b54cc1c03917c5@mail.gmail.com>
Message-ID: <8d5f78b30612071801gbf0706esf8fb58a093d118b8@mail.gmail.com>

On 12/7/06, David Shaw wrote:
> We need at least a tiny bit of information to try and help you.  Let's
> start with what kind of computer you have and what OS is running on
> it?  Then look in config.log and see what it says about zlib.h (stuff
> like "checking for zlib.h usability" and "checking for zlib.h").
>
Duh! Sorry, I forgot about that! :)

I'm running Ubuntu 'Edgy Eft' on an Acer Aspire 5100 (Turion 64, 1GB
RAM). I currently have GnuPG 1.4.6 and 1.9.21.

config.log is as follows (regarding zlib.h):
===============================
configure:30117: checking zlib.h usability
configure:30134: gcc -c -g -O2 conftest.c >&5
conftest.c:238:18: error: zlib.h: No such file or directory
configure:30140: $? = 1
configure: failed program was:
| /* confdefs.h. */
| #define PACKAGE_NAME "gnupg"
| #define PACKAGE_TARNAME "gnupg"
| #define PACKAGE_VERSION "2.0.1"
====SNIP====
| /* end confdefs.h. */
| #include
configure:30217: result: no
configure:30250: checking for zlib.h
configure:30257: result: no
configure:30375: checking for bzlib.h
configure:30396: gcc -c -g -O2 conftest.c >&5
conftest.c:207:19: error: bzlib.h: No such file or directory
configure:30402: $? = 1
===============================

Hope this helps...

--
Zach Himsel
======= http://tinyurl.com/yjxo8s =======   |_|0|_|
------- OpenPGP Key: 0x9A1DFCAC -------     |_|_|0|
() **ASCII Ribbon Campaign** -- against     |0|0|0|
/\ html mail & proprietary attachments

From dshaw at jabberwocky.com Fri Dec 8 04:59:24 2006
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 7 Dec 2006 22:59:24 -0500
Subject: Fwd: GnuPG 2.0.1 compile error
In-Reply-To: <8d5f78b30612071801gbf0706esf8fb58a093d118b8@mail.gmail.com>
References: <8d5f78b30612071322m60825028wb22d8168babb7814@mail.gmail.com> <20061207225725.GB13758@jabberwocky.com> <8d5f78b30612071755q3e0437ceqb1b54cc1c03917c5@mail.gmail.com> <8d5f78b30612071801gbf0706esf8fb58a093d118b8@mail.gmail.com>
Message-ID: <20061208035924.GA14605@jabberwocky.com>

On Thu, Dec 07, 2006 at 09:01:33PM -0500, Zach Himsel wrote:
> On 12/7/06, David Shaw wrote:
> > We need at least a tiny bit of information to try and help you.  Let's
> > start with what kind of computer you have and what OS is running on
> > it?  Then look in config.log and see what it says about zlib.h (stuff
> > like "checking for zlib.h usability" and "checking for zlib.h").
> >
> Duh! Sorry, I forgot about that! :)
>
> I'm running Ubuntu 'Edgy Eft' on an Acer Aspire 5100 (Turion 64, 1GB
> RAM). I currently have GnuPG 1.4.6 and 1.9.21.
>
> config.log is as follows (regarding zlib.h):
> ===============================
> configure:30117: checking zlib.h usability
> configure:30134: gcc -c -g -O2 conftest.c >&5
> conftest.c:238:18: error: zlib.h: No such file or directory

Ok.  The problem is simple: you don't have zlib installed, or at least
don't have the zlib development package installed.  I'm not sure what
it's called on Ubuntu, but there is probably some variation of "zlib"
and some variation on "zlib-devel".  You need zlib-devel.

GnuPG 1.4.x comes with a built-in zlib just in case the build platform
doesn't have one.  GnuPG 2.0.x doesn't have a built-in one, so you
must provide it yourself.

David

From tmz at pobox.com Fri Dec 8 05:48:13 2006
From: tmz at pobox.com (Todd Zullinger)
Date: Thu, 7 Dec 2006 23:48:13 -0500
Subject: Fwd: GnuPG 2.0.1 compile error
In-Reply-To: <20061208035924.GA14605@jabberwocky.com>
References: <8d5f78b30612071322m60825028wb22d8168babb7814@mail.gmail.com> <20061207225725.GB13758@jabberwocky.com> <8d5f78b30612071755q3e0437ceqb1b54cc1c03917c5@mail.gmail.com> <8d5f78b30612071801gbf0706esf8fb58a093d118b8@mail.gmail.com> <20061208035924.GA14605@jabberwocky.com>
Message-ID: <20061208044813.GI16276@psilocybe.teonanacatl.org>

David Shaw wrote:
> Ok.  The problem is simple: you don't have zlib installed, or at
> least don't have the zlib development package installed.  I'm not
> sure what it's called on Ubuntu, but there is probably some
> variation of "zlib" and some variation on "zlib-devel".  You need
> zlib-devel.

It appears to be (the obviously named) zlib1g-dev. :)

Likewise, the bzip development package is named libbz2-dev.

--
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
======================================================================
Duct tape is like the Force.  It has a light side, a dark side, and it
holds the universe together....
    -- Carl Zwanzig

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 542 bytes
Desc: not available
Url : /pipermail/attachments/20061207/83619b1a/attachment.pgp

From shavital at mac.com Fri Dec 8 08:08:37 2006
From: shavital at mac.com (Charly Avital)
Date: Fri, 08 Dec 2006 02:08:37 -0500
Subject: Problem building 2.0.1
In-Reply-To: <20061207224813.GA13758@jabberwocky.com>
References: <871wnehznu.fsf@wheatstone.g10code.de> <45766FEA.1040000@mac.com> <87d56whxip.fsf@wheatstone.g10code.de> <20061207224813.GA13758@jabberwocky.com>
Message-ID: <45790F75.8000202@mac.com>

David Shaw wrote the following on 12/7/06 5:48 PM:
> On Thu, Dec 07, 2006 at 10:21:18AM +0100, Werner Koch wrote:
>> On Wed, 6 Dec 2006 08:23, shavital at mac.com said:
>>
>>> -----
>>> /usr/bin/ld: Undefined symbols:
>>> _libiconv
>> Well, you need a proper iconv installation too.  We need too do have
>> an extra test for it in case NLS has been disabled.  NLS requires
>> iconv anyway but there is some other code in gpg which needs it too.
>
> OSX has iconv already.  I see a problem in the Makefiles that we're
> not linking to it though.  I've fixed this in svn, and 2.0 now builds
> more or less (still some doc/ issues) on my OSX box.
>
> Here's a patch for the various people who have had a problem.
>
> David
[...]

Hi David,

thanks for your support of MacOSX.

Running MacOSX 10.4.8, on a PPC, GnuPG 1.4.6 already installed and
running, as well as gpg2 1.9.20.

1. Patch applied:
- ----------
$ cd /Users/shavital/Desktop/gnupg-2.0.1/
Charly-Avitals-PBG4:~/Desktop/gnupg-2.0.1 shavital$ patch -p0 < /Users/shavital/Desktop/gnupg-2.0-osx-iconv.patch
patching file tools/Makefile.am
patching file g10/Makefile.am
patching file agent/Makefile.am
- ----------

2. End of ./configure:
- -----------------
GnuPG v2.0.1 has been configured as follows:

Platform: Darwin (powerpc-apple-darwin8.8.0)

OpenPGP: yes
S/MIME: yes
Agent: yes
Smartcard: yes

Protect tool: (default)
Default agent: (default)
Default pinentry: (default)
Default scdaemon: (default)
Default dirmngr: (default)

PKITS based tests: no
- ------------------

3. End of make:
- ------------------
/usr/bin/ld: Undefined symbols:
_libiconv
_libiconv_close
_libiconv_open
collect2: ld returned 1 exit status
make[2]: *** [kbxutil] Error 1
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2
- ------------------

Thanks in advance for any further suggestion/assistance whenever you can.

Charly

KeyOnCard at:

From shavital at mac.com Fri Dec 8 08:21:26 2006
From: shavital at mac.com (Charly Avital)
Date: Fri, 08 Dec 2006 02:21:26 -0500
Subject: Problem building 2.0.1
In-Reply-To: <20061207224813.GA13758@jabberwocky.com>
References: <871wnehznu.fsf@wheatstone.g10code.de> <45766FEA.1040000@mac.com> <87d56whxip.fsf@wheatstone.g10code.de> <20061207224813.GA13758@jabberwocky.com>
Message-ID: <45791276.7070208@mac.com>

David Shaw wrote the following on 12/7/06 5:48 PM:
> On Thu, Dec 07, 2006 at 10:21:18AM +0100, Werner Koch wrote:
>> On Wed, 6 Dec 2006 08:23, shavital at mac.com said:
>>
>>> -----
>>> /usr/bin/ld: Undefined symbols:
>>> _libiconv
>> Well, you need a proper iconv installation too.  We need too do have
>> an extra test for it in case NLS has been disabled.  NLS requires
>> iconv anyway but there is some other code in gpg which needs it too.
>
> OSX has iconv already.  I see a problem in the Makefiles that we're
> not linking to it though.  I've fixed this in svn, and 2.0 now builds
> more or less (still some doc/ issues) on my OSX box.
>
> Here's a patch for the various people who have had a problem.
>
> David

Hi David,

Further to my previous posting, I applied the patch to a fresh copy of
2.0.1, and tried ./configure --disable.nls

The results were exactly the same as previously reported.

If you are interested and authorize me, I can send you, directly, the
*whole* output, from patches (your own patch, and Werner's patch for
g10), up to end of make.

Charly

KeyOnCard at:

From wk at gnupg.org Fri Dec 8 09:21:51 2006
From: wk at gnupg.org (Werner Koch)
Date: Fri, 08 Dec 2006 09:21:51 +0100
Subject: Signed patch against 2.0.1
In-Reply-To: <20061207190122.GI20318@psilocybe.teonanacatl.org> (Todd Zullinger's message of "Thu\, 7 Dec 2006 14\:01\:22 -0500")
References: <87wt53a7o2.fsf@wheatstone.g10code.de> <20061207190122.GI20318@psilocybe.teonanacatl.org>
Message-ID: <87ejraajc0.fsf@wheatstone.g10code.de>

On Thu, 7 Dec 2006 20:01, tmz at pobox.com said:

> point others to the signed patch.  If any of the list owners have some
> free time I'd be happy to try to get that corrected or take it to the
> mailman-users list for advice if need be.  (It seems that the content
> filter settings for the list may be a little aggressive.)

Basically I am the list owner :-(.

I already installed a new version of Mailman and tried to rebuild it.
However it mixed up the numbers and thus most existing URLs won't be
correct anymore.  The attachments failed too, though.  So what I did
is to manually edit the HTML version to include at least the full
text.

Recently I had another issue.  Pipermail breaks the message if it sees
a ">From " at the beginning of a line.  I also had to resort to manual
editing.

> BTW, I really like your Content-Type boundary string. :)

A gadget posted to the Gnus list some years ago:

(defun spook-make-boundary (&optional count)
  ;; Build a MIME boundary string from the output of `spook'.
  (save-excursion
    (set-buffer (generate-new-buffer " *spook tmp*"))
    (setq buffer-disable-undo t)
    (spook)
    ;; Newlines become "=" and spaces become "-".
    (subst-char-in-region (point-min) (point-max) ?\n ?= t)
    (subst-char-in-region (point-min) (point-max) ?\s ?- t)
    (prog1
        ;; Keep at most the first 69 characters of the buffer.
        (buffer-substring (point-min) (min 70 (point-max)))
      (kill-buffer (current-buffer)))))

(setq mml-boundary-function 'spook-make-boundary)

Shalom-Salam,

   Werner

From dougb at dougbarton.us Fri Dec 8 10:04:13 2006
From: dougb at dougbarton.us (Doug Barton)
Date: Fri, 08 Dec 2006 01:04:13 -0800
Subject: Problem building 2.0.1
In-Reply-To: <45791276.7070208@mac.com>
References: <871wnehznu.fsf@wheatstone.g10code.de> <45766FEA.1040000@mac.com> <87d56whxip.fsf@wheatstone.g10code.de> <20061207224813.GA13758@jabberwocky.com> <45791276.7070208@mac.com>
Message-ID: <45792A8D.4040908@dougbarton.us>

Charly Avital wrote:

> Further to my previous posting, I applied the patch to a fresh copy of
> 2.0.1, and tried ./configure --disable.nls

Did you do that exactly, or did you really try:

./configure --disable-nls

Doug

--
If you're never wrong, you're not trying hard enough

From wk at g10code.com Wed Dec 6 16:55:52 2006
From: wk at g10code.com (Werner Koch)
Date: Wed, 06 Dec 2006 16:55:52 +0100
Subject: [Announce] GnuPG: remotely controllable function pointer [CVE-2006-6235]
Message-ID: <87psaxc92v.fsf@wheatstone.g10code.de>

    GnuPG: remotely controllable function pointer [CVE-2006-6235]
   ===============================================================
                             2006-12-04

Summary
=======

Tavis Ormandy of the Gentoo security team identified a severe and
exploitable bug in the processing of encrypted packets in GnuPG.

[ Please do not send private mail in response to this message.  The
  mailing list gnupg-devel is the best place to discuss this problem
  (please subscribe first so you don't need moderator approval [1]). ]

Impact
======

Using malformed OpenPGP packets an attacker is able to modify and
dereference a function pointer in GnuPG.  This is a remotely
exploitable bug and affects any use of GnuPG where an attacker can
control the data processed by GnuPG.  It is not necessarily limited to
encrypted data, also signed data may be affected.

Affected versions: All versions of GnuPG < 1.4.6
                   All versions of GnuPG-2 < 2.0.2
                   All beta versions of GnuPG-2 (1.9.0 .. 1.9.95)
Affected tools: gpg, gpgv, gpg2 and gpgv2.
Affected platforms: All.

gpg-agent, gpgsm as well as other tools are not affected.

A workaround is not known.

Solution
========

If you are using a vendor supplied version of GnuPG:

 * Wait for an update from your vendor.  Vendors have been informed on
   Saturday December 2, less than a day after this bug has been
   reported.

If you are using GnuPG 1.4:

 * Update as soon as possible to GnuPG 1.4.6.  It has been uploaded to
   the usual location: ftp://ftp.gnupg.org/gcrypt/gnupg/.  This
   version was due to be released anyway this week.  See
   http://www.gnupg.org/download/ for details.

 * Or: As another and less intrusive option, apply the attached patch
   to GnuPG 1.4.5.  This is the smallest possible fix.

If you are using GnuPG 2.0:

 * Apply the attached patch against GnuPG 2.0.1.

 * Or: Stop using gpg2 and gpgv2, install GnuPG 1.4.6 and use gpg and
   gpgv instead.

If you are using a binary Windows version of GnuPG:

 * A binary version of GnuPG 1.4.6 for Windows is available as usual.

 * Gpg4win 1.0.8, including GnuPG 1.4.6, is available.  Please go to
   http://www.gpg4win.org .

Background
==========

GnuPG uses data structures called filters to process OpenPGP messages.
These filters are used in a similar way as pipelines in the shell.
For communication between these filters context structures are used.
These are usually allocated on the stack and passed to the filter
functions.  At most places the OpenPGP data stream fed into these
filters is closed before the context structure gets deallocated.
While decrypting encrypted packets, this may not happen in all cases
and the filter may use a void context structure filled with garbage.
An attacker may control this garbage.  The filter context includes
another context used by the low-level decryption to access the
decryption algorithm.  This is done using a function pointer.  By
carefully crafting an OpenPGP message, an attacker may control this
function pointer and call an arbitrary function of the process.
Obviously an exploit needs to be prepared for a specific version,
compiler, libc, etc to be successful - but it is definitely doable.

Fixing this is obvious: We need to allocate the context on the heap
and use a reference count to keep it valid as long as either the
controlling code or the filter code needs it.

We have checked all other usages of such stack based filter contexts
but fortunately found no other vulnerable places.  This allows to
release a relatively small patch.  However, for reasons of code
cleanness and easier audits we will soon start to change all these
stack based filter contexts to heap based ones.

Support
=======

g10 Code GmbH, a Duesseldorf based company owned and headed by GnuPG's
principal author, is currently funding GnuPG development.  As evident
by the two vulnerabilities found within a week, a review of the entire
code base should be undertaken as soon as possible.  As maintainers we
try to do our best and are working slowly through the code.  The long
standing plan is to scrutinize the 2.0 code base, write more test
cases and to backport new fixes and cleanups to 1.4.  However, as a
small company our resources are limited and we need to prioritize
other projects which get us actual revenues.  Support contracts or
other financial backing would greatly help us to improve the quality
of GnuPG.

Thanks
======

Tavis Ormandy found this vulnerability.

[1] See http://lists.gnupg.org/mailman/listinfo/gnupg-devel .

--
g10 Code GmbH         http://g10code.com      AmtsGer. Wuppertal HRB 14459
Hüttenstr. 61                                 Geschäftsführung Werner Koch
D-40699 Erkrath  -=- The GnuPG Experts -=-    USt-Id DE215605608

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: filter-context-14-small.diff
Url: /pipermail/attachments/20061206/3de5c112/attachment.diff
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: filter-context-20-small.diff
Url: /pipermail/attachments/20061206/3de5c112/attachment-0001.diff
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url : /pipermail/attachments/20061206/3de5c112/attachment.pgp
-------------- next part --------------
_______________________________________________
Gnupg-announce mailing list
Gnupg-announce at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce

From michael at vorlon.ping.de Fri Dec 8 11:49:18 2006
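The fix named in the Background section of the CVE-2006-6235 advisory above (a heap-allocated filter context kept valid by a reference count for as long as either the controlling code or the filter needs it), as an added C example; it is not GnuPG's code and not the attached patch. All names (`filter_ctx`, `ctx_new`, `ctx_ref`, `ctx_unref`, `stream`, `start_decryption`) and the toy XOR routine are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* All names here are hypothetical; this is not GnuPG's filter API. */
typedef int (*cipher_fn)(unsigned char *buf, size_t len);

struct filter_ctx {
    unsigned refcount;   /* holders: controlling code and/or the stream */
    cipher_fn decrypt;   /* the kind of function pointer the advisory is about */
};

struct stream {
    struct filter_ctx *filter;   /* NULL when no filter is attached */
};

static int live_contexts;        /* number of contexts currently allocated */

/* Toy stand-in for the low-level decryption routine. */
static int xor_decrypt(unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= 0x5a;
    return 0;
}

static struct filter_ctx *ctx_new(cipher_fn fn)
{
    struct filter_ctx *c = calloc(1, sizeof *c);
    if (!c)
        return NULL;
    c->refcount = 1;             /* reference held by the creator */
    c->decrypt = fn;
    live_contexts++;
    return c;
}

static struct filter_ctx *ctx_ref(struct filter_ctx *c)
{
    c->refcount++;
    return c;
}

/* Frees the context only when the last holder lets go of it. */
static void ctx_unref(struct filter_ctx *c)
{
    if (!c || --c->refcount > 0)
        return;
    free(c);
    live_contexts--;
}

/* The stream takes its own reference when a filter is attached. */
static void stream_push_filter(struct stream *s, struct filter_ctx *c)
{
    s->filter = ctx_ref(c);
}

/* Runs the filter; refuses when no filter is attached. */
static int stream_read(struct stream *s, unsigned char *buf, size_t len)
{
    if (!s->filter || !s->filter->decrypt)
        return -1;
    return s->filter->decrypt(buf, len);
}

/* Closing the stream drops the stream's reference. */
static void stream_close(struct stream *s)
{
    ctx_unref(s->filter);
    s->filter = NULL;
}

/*
 * Controlling code that returns while the stream is still open, the case
 * the advisory describes. With the context declared as a local variable,
 * s->filter would point into this function's dead stack frame after the
 * return. Here only the creator's reference is dropped; the stream's
 * reference keeps the heap object valid.
 */
static int start_decryption(struct stream *s)
{
    struct filter_ctx *c = ctx_new(xor_decrypt);
    if (!c)
        return -1;
    stream_push_filter(s, c);
    ctx_unref(c);
    return 0;
}

int main(void)
{
    struct stream s = { NULL };
    /* Constructed sample input: "test" XORed with 0x5a. */
    unsigned char buf[4] = { 't' ^ 0x5a, 'e' ^ 0x5a, 's' ^ 0x5a, 't' ^ 0x5a };

    if (start_decryption(&s) != 0)
        return 1;
    int rc = stream_read(&s, buf, sizeof buf);
    printf("read rc=%d data=%.4s live=%d\n", rc, (const char *)buf, live_contexts);
    stream_close(&s);
    printf("after close: read rc=%d live=%d\n",
           stream_read(&s, buf, sizeof buf), live_contexts);
    return memcmp(buf, "test", 4) == 0 ? 0 : 1;
}
```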
From: michael at vorlon.ping.de (Michael Bienia)
Date: Fri, 8 Dec 2006 11:49:18 +0100
Subject: Problem building 2.0.1
In-Reply-To: <45790F75.8000202@mac.com>
References: <871wnehznu.fsf@wheatstone.g10code.de> <45766FEA.1040000@mac.com> <87d56whxip.fsf@wheatstone.g10code.de> <20061207224813.GA13758@jabberwocky.com> <45790F75.8000202@mac.com>
Message-ID: <20061208104918.GA4802@vorlon.ping.de>

On 2006-12-08 02:08:37 -0500, Charly Avital wrote:
> 1. Patch applied:
> - ----------
> $ cd /Users/shavital/Desktop/gnupg-2.0.1/
> Charly-Avitals-PBG4:~/Desktop/gnupg-2.0.1 shavital$ patch -p0 <
> /Users/shavital/Desktop/gnupg-2.0-osx-iconv.patch
> patching file tools/Makefile.am
> patching file g10/Makefile.am
> patching file agent/Makefile.am
> - ----------

This only patches Makefile.am. You need to have these changes also in
Makefile.in so either regenerate Makefile.in with automake or patch
Makefile.in manually and add the same changes there.

Michael

From shavital at mac.com Fri Dec 8 12:25:19 2006
From: shavital at mac.com (Charly Avital)
Date: Fri, 08 Dec 2006 06:25:19 -0500
Subject: Problem building 2.0.1
In-Reply-To: <45792A8D.4040908@dougbarton.us>
References: <871wnehznu.fsf@wheatstone.g10code.de> <45766FEA.1040000@mac.com> <87d56whxip.fsf@wheatstone.g10code.de> <20061207224813.GA13758@jabberwocky.com> <45791276.7070208@mac.com> <45792A8D.4040908@dougbarton.us>
Message-ID: <45794B9F.3040706@mac.com>

Doug Barton wrote the following on 12/8/06 4:04 AM:
> Charly Avital wrote:
>
>> Further to my previous posting, I applied the patch to a fresh copy of
>> 2.0.1, and tried ./configure --disable.nls
>
> Did you do that exactly, or did you really try:
>
> ./configure --disable-nls
>
>
> Doug
>

I tried ./configure --disable.nls and that was wrong.

Thanks I'll try again.

Charly

KeyOnCard at:

From shavital at mac.com Fri Dec 8 12:28:42 2006
From: shavital at mac.com (Charly Avital)
Date: Fri, 08 Dec 2006 06:28:42 -0500
Subject: Problem building 2.0.1
In-Reply-To: <45792A8D.4040908@dougbarton.us>
References: <871wnehznu.fsf@wheatstone.g10code.de> <45766FEA.1040000@mac.com> <87d56whxip.fsf@wheatstone.g10code.de> <20061207224813.GA13758@jabberwocky.com> <45791276.7070208@mac.com> <45792A8D.4040908@dougbarton.us>
Message-ID: <45794C6A.6060001@mac.com>

Doug Barton wrote the following on 12/8/06 4:04 AM:
> Charly Avital wrote:
>
>> Further to my previous posting, I applied the patch to a fresh copy of
>> 2.0.1, and tried ./configure --disable.nls
>
> Did you do that exactly, or did you really try:
>
> ./configure --disable-nls
>
>
> Doug
>

Tried again with ./configure --disable-nls, on a fresh expanded copy
of the source code, unfortunately same results.

Charly

From shavital at mac.com Fri Dec 8 12:33:24 2006
From: shavital at mac.com (Charly Avital)
Date: Fri, 08 Dec 2006 06:33:24 -0500
Subject: Problem building 2.0.1
In-Reply-To: <20061208104918.GA4802@vorlon.ping.de>
References: <871wnehznu.fsf@wheatstone.g10code.de> <45766FEA.1040000@mac.com> <87d56whxip.fsf@wheatstone.g10code.de> <20061207224813.GA13758@jabberwocky.com> <45790F75.8000202@mac.com> <20061208104918.GA4802@vorlon.ping.de>
Message-ID: <45794D84.5060104@mac.com>

Michael Bienia wrote the following on 12/8/06 5:49 AM:
> On 2006-12-08 02:08:37 -0500, Charly Avital wrote:
>> 1. Patch applied:
>> - ----------
>> $ cd /Users/shavital/Desktop/gnupg-2.0.1/
>> Charly-Avitals-PBG4:~/Desktop/gnupg-2.0.1 shavital$ patch -p0 <
>> /Users/shavital/Desktop/gnupg-2.0-osx-iconv.patch
>> patching file tools/Makefile.am
>> patching file g10/Makefile.am
>> patching file agent/Makefile.am
>> - ----------
>
> This only patches Makefile.am. You need to have these changes also in
> Makefile.in so either regenerate Makefile.in with automake or patch
> Makefile.in manually and add the same changes there.
>
> Michael

Does this mean that the whole gnupg-2.0-osx-iconv.patch should be
re-written to achieve what you indicate?

Charly

From dshaw at jabberwocky.com Fri Dec 8 14:53:02 2006
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 8 Dec 2006 08:53:02 -0500
Subject: Problem building 2.0.1
In-Reply-To: <20061208104918.GA4802@vorlon.ping.de>
References: <871wnehznu.fsf@wheatstone.g10code.de> <45766FEA.1040000@mac.com> <87d56whxip.fsf@wheatstone.g10code.de> <20061207224813.GA13758@jabberwocky.com> <45790F75.8000202@mac.com> <20061208104918.GA4802@vorlon.ping.de>
Message-ID: <20061208135302.GB14605@jabberwocky.com>

On Fri, Dec 08, 2006 at 11:49:18AM +0100, Michael Bienia wrote:
> On 2006-12-08 02:08:37 -0500, Charly Avital wrote:
> > 1. Patch applied:
> > - ----------
> > $ cd /Users/shavital/Desktop/gnupg-2.0.1/
> > Charly-Avitals-PBG4:~/Desktop/gnupg-2.0.1 shavital$ patch -p0 <
> > /Users/shavital/Desktop/gnupg-2.0-osx-iconv.patch
> > patching file tools/Makefile.am
> > patching file g10/Makefile.am
> > patching file agent/Makefile.am
> > - ----------
>
> This only patches Makefile.am. You need to have these changes also in
> Makefile.in so either regenerate Makefile.in with automake or patch
> Makefile.in manually and add the same changes there.

That is correct.  Charly, you have to run automake before the patch is
useful to you.

David

From malte.gell at gmx.de Fri Dec 8 14:19:55 2006
From: malte.gell at gmx.de (Malte Gell)
Date: Fri, 8 Dec 2006 14:19:55 +0100
Subject: [Announce] GnuPG: remotely controllable function pointer [CVE-2006-6235]
In-Reply-To: <87psaxc92v.fsf@wheatstone.g10code.de>
References: <87psaxc92v.fsf@wheatstone.g10code.de>
Message-ID: <200612081420.00229.malte.gell@gmx.de>

On Wednesday 06 December 2006 16:55, Werner Koch wrote:
> GnuPG: remotely controllable function pointer [CVE-2006-6235]
> ===============================================================
> 2006-12-04

Hm, GnuPG 1.4.5 (unpatched)/KMail 1.8.2 reports invalid signed
message... Maybe my gpg.conf is messed or is this due to changes in
gpg > 1.4.5? Thanx.

From tmz at pobox.com Fri Dec 8 18:17:23 2006
From: tmz at pobox.com (Todd Zullinger)
Date: Fri, 8 Dec 2006 12:17:23 -0500
Subject: Signed patch against 2.0.1
In-Reply-To: <87ejraajc0.fsf@wheatstone.g10code.de>
References: <87wt53a7o2.fsf@wheatstone.g10code.de> <20061207190122.GI20318@psilocybe.teonanacatl.org> <87ejraajc0.fsf@wheatstone.g10code.de>
Message-ID: <20061208171723.GP16276@psilocybe.teonanacatl.org>

Werner Koch wrote:
> Basically I am the list owner :-(.

Good grief man, your head must hurt from all those hats. :)

I've spent a good bit of time hanging around the mailman-users list
and managing a few smaller lists for others.  I would be glad to try
and help figure out what list settings could be tweaked to get the
archives into better shape.  It should be doable as I've seen and sent
pgp signed (mime and inline) messages that included attachments and
the pipermail archiver handled them alright.  There was a bug fixed in
2.1.8 that would scrub some parts of pgp/mime messages with
attachments, but even that one left the main message body intact for
the archives.

I believe I found the culprit that has scrubbed your last few signed
patch mails in the archives.  It seems that since the mime parts lack
a content-type: text/plain header, Mailman's scrubber removes them.  I
think this is probably a bug in the scrubber module, as the MIME RFC
states that messages lacking such a header should be assumed
text/plain.  I've sent a query to mailman-users to see if others
agree[2].  If so, hopefully that can be fixed without too much hassle.

I set up a test list on my box and twiddled with your initial post in
this thread.  All that was required to get it to archive was the
attached diff.  Perhaps you can convince Gnus to include the
content-type headers as a work-around to the mailman archive problem?

> I already installed a new version of Mailman and tried to rebuild
> it.  However it mixed up the numbers and thus most existing URLs
> won't be correct anymore.

Yeah, that's a very unfortunate limitation of the archiver.
Its weaknesses were just discussed on mailman-users the other day with main dev Barry Warsaw saying[1]: Have I mentioned recently how long I've been looking for a volunteer to help make all this not suck? ;} Pipermail is just one of those things that people either live with or ditch. While it would be bad to have to rebuild and break external links into the archives, I think it'd be worth it as some of the most valuable messages in the archives are those that you or any other GnuPG developer send announcing a problem and attaching a patch. > Recently I had another issue. Pipermail break the message if it > sees a ">From " at the beginning of a line. I also had to resort to > manual editing. Another icky problem caused by older versions of the python email module which Mailman uses. Anything since Python 2.3 should include an email module that defaults to escaping such From_ lines. So once the mbox is edited to correct the old, unescaped From_ lines it shouldn't happen again. >> BTW, I really like your Content-Type boundary string. :) > > A gadget posted to the Gnus list some years ago: Very nice. Some cold and rainy day I may have to add something similar to my mutt setup. [1] http://www.mail-archive.com/mailman-users%40python.org/msg42504.html [2] http://mail.python.org/pipermail/mailman-users/2006-December/054904.html -- Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ====================================================================== In God we trust. Everybody else we verify using PGP! -- Tim Newsome -------------- next part -------------- --- wk-orig 2006-12-08 11:43:53.000000000 -0500 +++ wk-munged 2006-12-08 11:46:11.000000000 -0500 @@ -42,6 +42,7 @@ Lines: 294 --=KGB-Sundevil-gamma-Skipjack-government-Vince-Foster-Treasury-bce-S-B +Content-type: text/plain; charset=us-ascii Hi! 
@@ -55,6 +56,7 @@ --=KGB-Sundevil-gamma-Skipjack-government-Vince-Foster-Treasury-bce-S-B +Content-type: text/plain; charset=us-ascii Content-Disposition: inline; filename=filter-context-20-small.diff Content-Description: Patch against 2.0.1 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 542 bytes Desc: not available Url : /pipermail/attachments/20061208/00aec1b4/attachment.pgp From mlisten at hammernoch.net Fri Dec 8 18:57:48 2006 
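Review bot: Both hunks of the wk-orig/wk-munged diff above declare charset=us-ascii, and in the second hunk that declaration lands on the part carrying the attached patch (filename=filter-context-20-small.diff). That is only right if the diff is pure ASCII; if the work-around is to be applied generally, the charset should be taken from the attachment's actual encoding rather than fixed to us-ascii. The added header is also spelled Content-type while the neighbouring headers use Content-Disposition and Content-Description; header names are case-insensitive, but matching the existing capitalisation keeps the part headers uniform.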
From: mlisten at hammernoch.net (Ludwig Hügelschäfer)
Date: Fri, 08 Dec 2006 18:57:48 +0100
Subject: [Announce] GnuPG: remotely controllable function pointer [CVE-2006-6235]
In-Reply-To: <200612081420.00229.malte.gell@gmx.de>
References: <87psaxc92v.fsf@wheatstone.g10code.de> <200612081420.00229.malte.gell@gmx.de>
Message-ID: <4579A79C.2050501@hammernoch.net>

From mlisten at hammernoch.net Fri Dec 8 18:59:14 2006
From: mlisten at hammernoch.net (Ludwig Hügelschäfer)
Date: Fri, 08 Dec 2006 18:59:14 +0100
Subject: [Announce] GnuPG: remotely controllable function pointer [CVE-2006-6235]
In-Reply-To: <200612081420.00229.malte.gell@gmx.de>
References: <87psaxc92v.fsf@wheatstone.g10code.de> <200612081420.00229.malte.gell@gmx.de>
Message-ID: <4579A7F2.2040105@hammernoch.net>

Hi,

Malte Gell wrote on 08.12.2006 14:19 Uhr:

> Hm, GnuPG 1.4.5 (unpatched)/KMail 1.8.2 reports invalid signed
> message... Maybe my gpg.conf is messed or is this due to changes in
> gpg
>> 1.4.5? Thanx.

Enigmail didn't even indicate a signed message :-((

Ludwig

From bahamut at madhatt.com Fri Dec 8 19:58:08 2006
From: bahamut at madhatt.com (Andrew Berg)
Date: Fri, 08 Dec 2006 12:58:08 -0600
Subject: [Announce] GnuPG: remotely controllable function pointer [CVE-2006-6235]
In-Reply-To: <4579A7F2.2040105@hammernoch.net>
References: <87psaxc92v.fsf@wheatstone.g10code.de> <200612081420.00229.malte.gell@gmx.de> <4579A7F2.2040105@hammernoch.net>
Message-ID: <4579B5C0.8040606@madhatt.com>

Ludwig Hügelschäfer wrote:
> Enigmail didn't even indicate a signed message :-((

Same here.

--
 /\_/\   /\_/\   /\_/\
( o.o ) ( o.o ) ( o.o )
 > ^ <   > ^ <   > ^ <
Don't make me send my ASCII kitten minions.
Key ID: 0x9C6CC3A3
Fingerprint: 5474 04A6 2BAC 7138 204A D61B 4246 59CB 9C6C C3A3
(Portable) Thunderbird 1.5.0.7 w/ Enigmail 0.94.1.1 and GnuPG 1.4.5
Windows XP SP2 Home Edition
Every time you send private information unencrypted, a kitten cries.
So won't you please, please, think of the kittens?

From brunij at earthlink.net Fri Dec 8 21:20:06 2006
From: brunij at earthlink.net (Joseph Oreste Bruni)
Date: Fri, 8 Dec 2006 13:20:06 -0700
Subject: Signed patch against 2.0.1
In-Reply-To: <20061208171723.GP16276@psilocybe.teonanacatl.org>
References: <87wt53a7o2.fsf@wheatstone.g10code.de> <20061207190122.GI20318@psilocybe.teonanacatl.org> <87ejraajc0.fsf@wheatstone.g10code.de> <20061208171723.GP16276@psilocybe.teonanacatl.org>
Message-ID:

On Dec 8, 2006, at 10:17 AM, Todd Zullinger wrote:

> Werner Koch wrote:
>> Basically I am the list owner :-(.
>
> Good grief man, your head must hurt from all those hats. :)

His other name is Zaphod.

From sydbarrett74 at hotmail.com Fri Dec 8 23:15:29 2006
From: sydbarrett74 at hotmail.com (Victor Escobar)
Date: Fri, 08 Dec 2006 17:15:29 -0500
Subject: Error making gnupg-2.0.1
Message-ID:

Hi all,
I get this error when trying to do a make for gnupg-2.0.1:

/usr/bin/ld: Undefined symbols:
_gpg_error_from_syserror
collect2: ld returned 1 exit status
make[2]: *** [kbxutil] Error 1
make[2]: Leaving directory `/Users/sydbarrett74/Desktop/gnupg-2.0.1/kbx'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/Users/sydbarrett74/Desktop/gnupg-2.0.1'
make: *** [all] Error 2

I'm using OSX 10.4.8....

From cyrus at 80d.org Fri Dec 8 22:43:13 2006
From: cyrus at 80d.org (Cyrus Yunker)
Date: Fri, 8 Dec 2006 16:43:13 -0500
Subject: encrypt the sent folder - offline task
In-Reply-To: <4575A89D.8010003@caf.com.tr>
References: <4575A89D.8010003@caf.com.tr>
Message-ID: <20061208214313.GT60128@80d.org>

On Tue, Dec 05, 2006 at 07:13:01PM +0200, Eray Aslan wrote:
> Hi,
>
> How can I make sure that all the emails in my Sent folder are
> encrypted and can't be read without my private key? In other
> words, I want my email in my Sent folder to be encrypted even
> though the email sent on the wire is plain text.
>
> Encrypt to self option only works if I send an encrypted mail.
> I couldn't get it to work all the time.
>
> [...]/cy
>
> Email client is Thunderbird/Enigmail. Mails are stored on IMAP
> server if it makes any difference.

[I'm making assumptions you are uni*-enabled]

I do not have a full solution for you but I can propose to you another way of accomplishing the task. Modifying your client or plugin may not be the way you want to go. I'd suggest placing the feature request, but for the meantime.....

Some scripting or configuring will probably be in order.

What you might look at doing is, if you can stand your sent-mail being unencrypted on the IMAP server for a little while, copy it or sync it to your local machine (or to a server machine somewhere) with an IMAP mail copy tool[1] and encrypt them one message at a time which you could then sync back onto your IMAP storage and delete the plain-text version. You might consider two outgoing folders in your IMAP storage space: sent-plain and sent-enciphered.

Another possibility would be to set up Thunderbird to write sent mail to a local folder on the machine you work on, do an encrypt-to-self operation (automated preferably, a batch job moving through your local spool) and then copy the enciphered version to a sent-mail folder on the IMAP server (via SMTP or an IMAP copy tool).

You could also Bcc: all mails you send to an address where you have a mailhandler set up that bounces an encrypted version back to your 'IMAP email' and use server side filtering (SIEVE) to place those mails in sent-enciphered. I'm sure you could get procmail to do this too.

To prevent the plaintext version from hanging around, you could set outgoing emails in Thunderbird to write to the local filesystem (or /dev/null somehow) instead of the default location on your IMAP space.

There are a few tools that are designed for moving things about your IMAP storage and/or to a local file system. A small list and a bit of discussion about a few of them can be found at [1]

You would have to give up the body-text search for sure but I'm guessing you're not as worried about that as others seem to think you might be. A compromise might be to 'digestify' your mails so they are stored in day or week long chunks on the server. These would only require one decrypt per many messages rather than a resource intensive operation per message. Store in the 'real' sent-mail folder a dummy message with a body that hints to where the pgp text can be found. An approach like this might be useful to the plugin folks - one decrypt per many messages would be a huge speedup if body-text search were needed. Store in the body a machine readable index hint.

If you have any control over your mail server [you may not but others on the list might] you can encrypt/sign all outgoing mail or perform other fun tasks with some of the tools you can find listed at:

And for those configuring your own mail servers, be sure you've got yours set to opportunistically encrypt traffic with TLS. That's just good sense, regardless if you use OpenPGP or not. (Setting it up is trivial on Postfix.)

--... ...-- -.. . -.- -... ..--- ..- .-. .-
=Cyrus

--
cyrus@ [ Semper Curiosus .0. ]
80d [ ..0 ]
dot [ 000 ]
org [ OpenPGP key: 0xFF28DF5A ]

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : /pipermail/attachments/20061208/d5992086/attachment.pgp

From mlisten at hammernoch.net Sat Dec 9 14:10:22 2006
From: mlisten at hammernoch.net (Ludwig Hügelschäfer)
Date: Sat, 09 Dec 2006 14:10:22 +0100
Subject: Error making gnupg-2.0.1
In-Reply-To:
References:
Message-ID: <457AB5BE.80904@hammernoch.net>

Hi victor,

Victor Escobar wrote on 08.12.2006 23:15 Uhr:
> Hi all,
> I get this error when trying to do a make for gnupg-2.0.1:
>
> /usr/bin/ld: Undefined symbols:
> _gpg_error_from_syserror
> collect2: ld returned 1 exit status
> make[2]: *** [kbxutil] Error 1
> make[2]: Leaving directory `/Users/sydbarrett74/Desktop/gnupg-2.0.1/kbx'
> make[1]: *** [all-recursive] Error 1
> make[1]: Leaving directory `/Users/sydbarrett74/Desktop/gnupg-2.0.1'
> make: *** [all] Error 2
>
> I'm using OSX 10.4.8....

Hm. Did you install libgpgerror before you tried to build gnupg?

Ludwig

BTW: Sorry for the encrypted message yesterday. Have now set up a per-recipient-rule in enigmail :-)

From patrick at mozilla-enigmail.org Sat Dec 9 15:39:35 2006
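For the sent-folder thread above: one way to write the batch job Cyrus Yunker's message describes (copy sent mail to a local folder, encrypt each message to yourself, keep the result in a second folder, delete the plaintext). This is an added example, not code from the thread; it assumes the local copy is a Maildir, reuses the folder names sent-plain and sent-enciphered from the message, and the function names and sample mail are hypothetical.

```python
import base64
import mailbox
import os
import subprocess
import tempfile
from email.message import Message

# Headers left readable so the folder can still be sorted; they are NOT protected.
VISIBLE_HEADERS = ("From", "To", "Cc", "Date", "Message-ID")


def gpg_encrypt_to_self(plaintext, key_id):
    """Encrypt bytes to your own public key with the gpg command line."""
    proc = subprocess.run(
        ["gpg", "--batch", "--armor", "--encrypt", "--recipient", key_id],
        input=plaintext, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
        check=True)
    return proc.stdout.decode("ascii")


def encipher_folder(plain_dir, enc_dir, encrypt):
    """Move every message from plain_dir to enc_dir in encrypted form.

    `encrypt` maps the raw message bytes to ASCII armor. The whole original
    mail (headers, Subject, attachments) goes inside the ciphertext. A
    plaintext message is removed only after its encrypted copy is stored;
    if encryption fails it stays where it is for the next run.
    Returns (moved, failed).
    """
    plain = mailbox.Maildir(plain_dir, create=True)
    enc = mailbox.Maildir(enc_dir, create=True)
    moved = failed = 0
    for key in list(plain.keys()):
        raw = plain.get_bytes(key)
        original = plain.get_message(key)
        try:
            armored = encrypt(raw)
        except (subprocess.CalledProcessError, OSError):
            failed += 1
            continue
        wrapper = Message()
        for name in VISIBLE_HEADERS:
            if original[name] is not None:
                wrapper[name] = original[name]
        wrapper["Subject"] = "[encrypted sent mail]"  # real subject is inside
        wrapper.set_payload(armored)
        enc.add(wrapper)
        plain.remove(key)
        moved += 1
    return moved, failed


def standin_encrypt(raw):
    """Constructed stand-in so the demo runs without a keyring. NOT encryption."""
    body = base64.b64encode(raw).decode("ascii")
    return "-----BEGIN PGP MESSAGE-----\n\n" + body + "\n-----END PGP MESSAGE-----\n"


if __name__ == "__main__":
    root = tempfile.mkdtemp()
    plain_dir = os.path.join(root, "sent-plain")
    enc_dir = os.path.join(root, "sent-enciphered")
    sample = Message()  # constructed sample mail
    sample["From"] = "me@example.org"
    sample["To"] = "you@example.org"
    sample["Subject"] = "quarterly numbers"
    sample.set_payload("The numbers are attached.\n")
    mailbox.Maildir(plain_dir, create=True).add(sample)
    # With a real key: lambda raw: gpg_encrypt_to_self(raw, "<your key id>")
    print(encipher_folder(plain_dir, enc_dir, standin_encrypt))
```

The visible headers still reveal who was written to and when, and body-text search on the server is lost, as the message notes.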
From: patrick at mozilla-enigmail.org (Patrick Brunschwig)
Date: Sat, 09 Dec 2006 15:39:35 +0100
Subject: [Announce] GnuPG: remotely controllable function pointer [CVE-2006-6235]
In-Reply-To: <4579A7F2.2040105__48336.7582819939$1165600843$gmane$org@hammernoch.net>
References: <87psaxc92v.fsf@wheatstone.g10code.de> <200612081420.00229.malte.gell@gmx.de> <4579A7F2.2040105__48336.7582819939$1165600843$gmane$org@hammernoch.net>
Message-ID:

Ludwig Hügelschäfer wrote:
> Hi,
>
> Malte Gell wrote on 08.12.2006 14:19 Uhr:
>
>> Hm, GnuPG 1.4.5 (unpatched)/KMail 1.8.2 reports invalid signed
>> message... Maybe my gpg.conf is messed or is this due to changes in
>> gpg
>>> 1.4.5? Thanx.
>
> Enigmail didn't even indicate a signed message :-((

True yes. I have to find out why ...

-Patrick

From patrick at mozilla-enigmail.org Sat Dec 9 15:58:48 2006
From: patrick at mozilla-enigmail.org (Patrick Brunschwig)
Date: Sat, 09 Dec 2006 15:58:48 +0100
Subject: GnuPG: remotely controllable function pointer [CVE-2006-6235]
In-Reply-To:
References: <87psaxc92v.fsf@wheatstone.g10code.de> <200612081420.00229.malte.gell@gmx.de> <4579A7F2.2040105__48336.7582819939$1165600843$gmane$org@hammernoch.net>
Message-ID:

Patrick Brunschwig wrote:
> Ludwig Hügelschäfer wrote:
>> Hi,
>
>> Malte Gell wrote on 08.12.2006 14:19 Uhr:
>
>>> Hm, GnuPG 1.4.5 (unpatched)/KMail 1.8.2 reports invalid signed
>>> message... Maybe my gpg.conf is messed or is this due to changes in
>>> gpg
>>>> 1.4.5? Thanx.
>> Enigmail didn't even indicate a signed message :-((
>
> True yes. I have to find out why ...

Interesting ... I found that Werner's mails are PGP/MIME signed, with

micalg=sha1

However, according to RFC 3156, this is not valid, the parameter would have to be as follows, and thus it's not recognized as valid by Enigmail:

micalg=pgp-sha1

Is there a new version of the RFC that I'm not aware of, or is it just a bug of Werner's mail client? In general, is it a good idea to interpret the RFC so strictly for this, or is it "better" to be a bit more relaxed?

-Patrick

From mlisten at hammernoch.net Sat Dec 9 16:32:27 2006
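The strict and relaxed readings of micalg that Patrick Brunschwig's message above asks about, side by side, as an added example (not Enigmail's code). It checks the Content-Type of a constructed multipart/signed message against the values RFC 3156 defines; the function names, verdict strings and sample message are assumptions made for the illustration.

```python
from email import message_from_string
from email.utils import collapse_rfc2231_value

# micalg values defined by RFC 3156, section 5.
RFC3156_MICALG = {
    "pgp-md5", "pgp-sha1", "pgp-ripemd160",
    "pgp-md2", "pgp-tiger192", "pgp-haval-5-160",
}


def _param(msg, name):
    """Content-Type parameter, unquoted and lower-cased, or None."""
    value = msg.get_param(name)
    if value is None:
        return None
    return collapse_rfc2231_value(value).strip().lower()


def check_pgp_mime_signed(raw, strict=True):
    """Classify a message as PGP/MIME signed or not; returns (verdict, micalg).

    strict=True accepts only the RFC 3156 spelling ("pgp-sha1").
    strict=False also accepts a bare hash name ("sha1") and reports the
    normalised value, so the client can still offer verification.
    micalg is only a hint for hashing in one pass: the hash algorithm that
    gets verified is the one recorded in the OpenPGP signature itself, so
    being relaxed here never replaces the actual signature check.
    """
    msg = message_from_string(raw)
    if msg.get_content_type() != "multipart/signed":
        return ("not-signed", None)
    if _param(msg, "protocol") != "application/pgp-signature":
        return ("not-pgp-mime", None)
    parts = msg.get_payload() if msg.is_multipart() else []
    if len(parts) != 2 or parts[1].get_content_type() != "application/pgp-signature":
        return ("reject", None)
    micalg = _param(msg, "micalg")
    if micalg is None:
        return ("reject", None)
    if micalg in RFC3156_MICALG:
        return ("ok", micalg)
    if not strict and "pgp-" + micalg in RFC3156_MICALG:
        return ("ok-normalized", "pgp-" + micalg)
    return ("reject", micalg)


def sample(micalg):
    """Constructed PGP/MIME message; the signature part is a placeholder."""
    return (
        "From: sender@example.org\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/signed; boundary="b1"; micalg=' + micalg + ";\n"
        ' protocol="application/pgp-signature"\n'
        "\n"
        "--b1\n"
        "Content-Type: text/plain; charset=us-ascii\n"
        "\n"
        "Hello\n"
        "--b1\n"
        "Content-Type: application/pgp-signature\n"
        "\n"
        "(placeholder, not a real signature)\n"
        "--b1--\n"
    )


if __name__ == "__main__":
    for value in ("pgp-sha1", "sha1"):
        for strict in (True, False):
            print(value, "strict" if strict else "relaxed",
                  check_pgp_mime_signed(sample(value), strict))
```

A client that only looks at the strict verdict shows no signature at all for micalg=sha1, which matches what was reported in this thread.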
From: mlisten at hammernoch.net (Ludwig Hügelschäfer)
Date: Sat, 09 Dec 2006 16:32:27 +0100
Subject: Problem building 2.0.1 (on Mac OS X 10.4.8)
In-Reply-To: <20061208135302.GB14605@jabberwocky.com>
References: <871wnehznu.fsf@wheatstone.g10code.de> <45766FEA.1040000@mac.com> <87d56whxip.fsf@wheatstone.g10code.de> <20061207224813.GA13758@jabberwocky.com> <45790F75.8000202@mac.com> <20061208104918.GA4802@vorlon.ping.de> <20061208135302.GB14605@jabberwocky.com>
Message-ID: <457AD70B.300@hammernoch.net>

Hi,

David Shaw wrote on 08.12.2006 14:53 Uhr:
> On Fri, Dec 08, 2006 at 11:49:18AM +0100, Michael Bienia wrote:
>> On 2006-12-08 02:08:37 -0500, Charly Avital wrote:
>>> 1. Patch applied:
>>> - ----------
>>> $ cd /Users/shavital/Desktop/gnupg-2.0.1/
>>> Charly-Avitals-PBG4:~/Desktop/gnupg-2.0.1 shavital$ patch -p0 <
>>> /Users/shavital/Desktop/gnupg-2.0-osx-iconv.patch
>>> patching file tools/Makefile.am
>>> patching file g10/Makefile.am
>>> patching file agent/Makefile.am
>>> - ----------
>> This only patches Makefile.am. You need to have these changes also in
>> Makefile.in so either regenerate Makefile.in with automake or patch
>> Makefile.in manually and add the same changes there.
>
> That is correct. Charly, you have to run automake before the patch is
> useful to you.

This still doesn't help - at least for me...

Despite the applied patch and manually modifying Makefile.in in tools, g10 and agent I get:

ld: Undefined symbols:
_libiconv
_libiconv_close
_libiconv_open
make[2]: *** [kbxutil] Error 1
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2

After modifying Makefile.in and Makefile.am in kbx by adding $(LIBICONV) to kbxutil_LDADD I get the following:

gcc -I/usr/local/include -I/usr/local/include -I/usr/local/include
-I/usr/local/include -g -O2 -Wall -o gpgsm gpgsm.o misc.o keydb.o
server.o call-agent.o call-dirmngr.o fingerprint.o base64.o certlist.o
certdump.o certcheck.o certchain.o keylist.o verify.o sign.o encrypt.o
decrypt.o import.o export.o delete.o certreqgen.o qualified.o
../jnlib/libjnlib.a ../kbx/libkeybox.a ../common/libcommon.a
../gl/libgnu.a -L/usr/local/lib -lgcrypt -L/usr/local/lib -lgpg-error
-L/usr/local/lib -lksba -lgpg-error -L/usr/local/lib -lassuan
-L/usr/local/lib -lgpg-error -lz -lbz2
ld: Undefined symbols:
_libiconv
_libiconv_close
_libiconv_open
make[2]: *** [gpgsm] Error 1
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2

*sigh*

Ludwig

From wk at gnupg.org Sat Dec 9 16:56:38 2006
From: wk at gnupg.org (Werner Koch)
Date: Sat, 09 Dec 2006 16:56:38 +0100
Subject: [Announce] GnuPG: remotely controllable function pointer [CVE-2006-6235]
In-Reply-To: <4579A7F2.2040105@hammernoch.net> (Ludwig Hügelschäfer's message of "Fri\, 08 Dec 2006 18\:59\:14 +0100")
References: <87psaxc92v.fsf@wheatstone.g10code.de> <200612081420.00229.malte.gell@gmx.de> <4579A7F2.2040105@hammernoch.net>
Message-ID: <87d56t2hc9.fsf@wheatstone.g10code.de>

On Fri, 8 Dec 2006 18:59, mlisten at hammernoch.net said:

> Enigmail didn't even indicate a signed message :-((

The mail sent to gnupg-announce verified just fine. Forwarding to gnupg-users and gnupg-devel is done using a simple procmail rule. Don't know what changed the signature.

Salam-Shalom,

Werner

>
> Ludwig

From wk at gnupg.org Sat Dec 9 16:58:26 2006
From: wk at gnupg.org (Werner Koch)
Date: Sat, 09 Dec 2006 16:58:26 +0100
Subject: GnuPG: remotely controllable function pointer [CVE-2006-6235]
In-Reply-To: (Patrick Brunschwig's message of "Sat\, 09 Dec 2006 15\:58\:48 +0100")
References: <87psaxc92v.fsf@wheatstone.g10code.de> <200612081420.00229.malte.gell@gmx.de> <4579A7F2.2040105__48336.7582819939$1165600843$gmane$org@hammernoch.net>
Message-ID: <878xhh2h99.fsf@wheatstone.g10code.de>

On Sat, 9 Dec 2006 15:58, patrick at mozilla-enigmail.org said:

> Is there a new version of the RFC that I'm not aware of, or is it just a
> bug of Werner's mail client? In general, is it a good idea to interpret
> the RFC so strictly for this, or is it "better" to be a bit more relaxed?

It is a bug in Gnus/easypg. I fixed it but it might be that I overlooked it at some other places. Need to update easypg anyway.

Shalom-Salam,

Werner

From shavital at mac.com Sat Dec 9 18:16:58 2006
From: shavital at mac.com (Charly Avital)
Date: Sat, 09 Dec 2006 12:16:58 -0500
Subject: Problem building 2.0.1 (on Mac OS X 10.4.8)
In-Reply-To: <457AD70B.300@hammernoch.net>
References: <871wnehznu.fsf@wheatstone.g10code.de> <45766FEA.1040000@mac.com> <87d56whxip.fsf@wheatstone.g10code.de> <20061207224813.GA13758@jabberwocky.com> <45790F75.8000202@mac.com> <20061208104918.GA4802@vorlon.ping.de> <20061208135302.GB14605@jabberwocky.com> <457AD70B.300@hammernoch.net>
Message-ID: <457AEF8A.8080905@mac.com>

Ludwig Hügelschäfer wrote the following on 12/9/06 10:32 AM:
> Hi,
>
> David Shaw wrote on 08.12.2006 14:53 Uhr:
>> On Fri, Dec 08, 2006 at 11:49:18AM +0100, Michael Bienia wrote:
>>> On 2006-12-08 02:08:37 -0500, Charly Avital wrote:
>>>> 1. Patch applied:
>>>> - ----------
>>>> $ cd /Users/shavital/Desktop/gnupg-2.0.1/
>>>> Charly-Avitals-PBG4:~/Desktop/gnupg-2.0.1 shavital$ patch -p0 <
>>>> /Users/shavital/Desktop/gnupg-2.0-osx-iconv.patch
>>>> patching file tools/Makefile.am
>>>> patching file g10/Makefile.am
>>>> patching file agent/Makefile.am
>>>> - ----------
>>> This only patches Makefile.am. You need to have these changes also in
>>> Makefile.in so either regenerate Makefile.in with automake or patch
>>> Makefile.in manually and add the same changes there.
>> That is correct. Charly, you have to run automake before the patch is
>> useful to you.
>
> This still doesn't help - at least for me...
>
> Despite the applied patch and manually modifying Makefile.in in tools,
> g10 and agent I get:
>
> ld: Undefined symbols:
> _libiconv
> _libiconv_close
> _libiconv_open
> make[2]: *** [kbxutil] Error 1
> make[1]: *** [all-recursive] Error 1
> make: *** [all] Error 2
>
> After modifying Makefile.in and Makefile.am in kbx by adding $(LIBICONV)
> to kbxutil_LDADD I get the following:
>
> gcc -I/usr/local/include -I/usr/local/include -I/usr/local/include
> -I/usr/local/include -g -O2 -Wall -o gpgsm gpgsm.o misc.o keydb.o
> server.o call-agent.o call-dirmngr.o fingerprint.o base64.o certlist.o
> certdump.o certcheck.o certchain.o keylist.o verify.o sign.o encrypt.o
> decrypt.o import.o export.o delete.o certreqgen.o qualified.o
> ../jnlib/libjnlib.a ../kbx/libkeybox.a ../common/libcommon.a
> ../gl/libgnu.a -L/usr/local/lib -lgcrypt -L/usr/local/lib -lgpg-error
> -L/usr/local/lib -lksba -lgpg-error -L/usr/local/lib -lassuan
> -L/usr/local/lib -lgpg-error -lz -lbz2
> ld: Undefined symbols:
> _libiconv
> _libiconv_close
> _libiconv_open
> make[2]: *** [gpgsm] Error 1
> make[1]: *** [all-recursive] Error 1
> make: *** [all] Error 2
>
> *sigh*
>
> Ludwig

Ludwig,

I didn't dare modify the Makefile.in modules manually, after automake 1.6.3 didn't work. I have not succeeded to install a higher version of automake, the compiling and installing process seems to complete positively, but whenever I type automake --version, I get 1.6.3. Baffles me.

I have been at it part of Thursday, and almost all Friday, always ending in one kind of error or another, including the ones you indicate in your message (ld: Undefined symbols etc., and kbxutil).

I know (I hope) that I have the three required libraries installed: libgpg-error 1.4, libassuan 1.0.1, and libksba 1.0.1 - iconv is there too (albeit an Apple version).

No success. I am still running gpg2 1.9.20 that I installed with the help of Ben Donnachie.

Thanks for your information.

Charly

KeyOnCard at:

From sydbarrett74 at hotmail.com Sun Dec 10 21:30:25 2006
From: sydbarrett74 at hotmail.com (Victor Escobar)
Date: Sun, 10 Dec 2006 15:30:25 -0500
Subject: Problem building gnupg 2.0.1
Message-ID:

Victor Escobar wrote on 08.12.2006 23:15 Uhr:
>> Hi all,
>> I get this error when trying to do a make for gnupg-2.0.1:
>>
>> /usr/bin/ld: Undefined symbols:
>> _gpg_error_from_syserror
>> collect2: ld returned 1 exit status
>> make[2]: *** [kbxutil] Error 1
>> make[2]: Leaving directory `/Users/sydbarrett74/Desktop/gnupg-2.0.1/kbx'
>> make[1]: *** [all-recursive] Error 1
>> make[1]: Leaving directory `/Users/sydbarrett74/Desktop/gnupg-2.0.1'
>> make: *** [all] Error 2
>>
>> I'm using OSX 10.4.8....

>Hm. Did you install libgpgerror before you tried to build gnupg?
>
>Ludwig

Yep. It wouldn't have let me run configure without it. So I had no choice. This error creeps up during the 'make' step.

From leatherfoot at sbcglobal.net Sat Dec 9 00:07:27 2006
From: leatherfoot at sbcglobal.net (Neil McCarty)
Date: Fri, 8 Dec 2006 15:07:27 -0800
Subject: how do I uninstall GPGMail?
Message-ID:

Hi,

Mac OS X 10.3.9
Mail 1.3.11
I installed GnuPG Mac OS X 1.4.1
I installed GPGMail

I played with these for a while and all worked well. I haven't used encryption for months because, except for my wife, no one else was using it. My wife was only using it because I made her help me try it out.

Today I went into Mail and into a folder for my doctor which contains 5 messages. When I click on 3 of the messages, a yellow banner appears that says "Unable to decrypt message." When I click on Show Details, it says, "There was a problem decrypting this message. Please check that you have a valid certificate installed in your keychain."

These messages are not encrypted, they've never been encrypted. I figure the only way to get to read these messages again is to uninstall GPGMail and possibly GnuPG.

How do I uninstall this software?

Many Thanks,
Neil

From H.Lormans at oberthurcs.com Mon Dec 11 14:29:45 2006
From: H.Lormans at oberthurcs.com (Lormans Harry)
Date: Mon, 11 Dec 2006 14:29:45 +0100
Subject: GPG question
Message-ID: <267ED552CB756E4C8521774B0D240D640111E05C@nlsiserv02.sittard.oberthurcs.com>

Hi all,

In PGP I can select the symmetric cryptographic algorithm to use (e.g. TripleDES, IDEA, etc.). How can I make this selection in GPG ? If not: what is setup at the moment ? Note that I cannot find anything in one of the preferences (I'm using GPG4Win).

Kind regards,

Harry Lormans
h.lormans at oberthurcs.com

From SeidlS at schneider.com Mon Dec 11 19:35:04 2006
From: SeidlS at schneider.com (SeidlS at schneider.com)
Date: Mon, 11 Dec 2006 12:35:04 -0600
Subject: Upgrade from 1.2.1 to 1.4.6
Message-ID:

I have been tasked with upgrading our version of GnuPG from 1.2.1 to the most recent & stable version. This upgrade was supposed to start after the first of the year, but that has been pushed up with last week's vulnerability report, and I am now in a rush situation to upgrade ASAP.

What I am looking for is if anyone has upgraded from a 1.2.x version to 1.4.6 and have there been any difficulties that you have run into? Are there specific items that should be tested with the trading partners? Any other testing recommended?

Some of the information of the current setup is below:

OS: Solaris
KeyServers used: No, all keys are directly imported into the local key ring.
All GPG commands are executed from the Command line or KSH scripts.

Thanks
Scott Seidl

From dshaw at jabberwocky.com Mon Dec 11 21:16:50 2006
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 11 Dec 2006 15:16:50 -0500
Subject: Upgrade from 1.2.1 to 1.4.6
In-Reply-To:
References:
Message-ID: <20061211201649.GD23891@jabberwocky.com>

On Mon, Dec 11, 2006 at 12:35:04PM -0600, SeidlS at schneider.com wrote:
>
> I have been tasked with upgrading our version of GnuPG from 1.2.1 to the
> most recent & stable version. This upgrade was supposed to start after the
> first of the year, but that has been pushed up with last week's
> vulnerability report, and I am now in a rush situation to upgrade ASAP.

While there are many reasons to upgrade to 1.4.x, note that there was a 1.2.x version released with a fix for last week's vulnerability.

ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.2.8.tar.bz2
ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.2.8.tar.bz2.sig

or

ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.2.8.tar.gz
ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.2.8.tar.gz.sig

I'd still upgrade to 1.4.6, but this might allow you to do it in a more relaxed manner.

David

From mega408 at hotmail.com Tue Dec 12 02:17:31 2006
From: mega408 at hotmail.com (Gou Yang)
Date: Mon, 11 Dec 2006 17:17:31 -0800
Subject: gpg writes junk forever when decrypting
Message-ID:

Hello,

I think I've hit a bug in gpg. When I try and decrypt a corrupt pgp file, it looks like it is working but when it hits the corrupt part of the file, I see this error pop up:

gpg: no valid OpenPGP data found.
gpg: block_filter 0x80e8ac0: read error (size=11072,a->size=27456)
gpg: block_filter 0x80e8a98: read error (size=14947,a->size=39523)

When this error pops up, gpg goes out of control and starts appending junk to the decrypted file and never stops appending junk.

I've let it sit up to 50GB before I killed gpg. The original file is only about 1GB but I wanted to see if it would ever stop. I've looked around but I didn't see anyone else who had this problem and resolved it.

I could verify the signature prior to attempting to decrypt the file but the file isn't signed.

Any suggestions? Any workaround? Anyone else have this problem?

Thanks,

Gou

From dshaw at jabberwocky.com Tue Dec 12 05:07:48 2006
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 11 Dec 2006 23:07:48 -0500
Subject: GPG question
In-Reply-To: <267ED552CB756E4C8521774B0D240D640111E05C@nlsiserv02.sittard.oberthurcs.com>
References: <267ED552CB756E4C8521774B0D240D640111E05C@nlsiserv02.sittard.oberthurcs.com>
Message-ID: <20061212040748.GA26013@jabberwocky.com>

On Mon, Dec 11, 2006 at 02:29:45PM +0100, Lormans Harry wrote:
> Hi all,
>
> In PGP I can select the symmetric cryptographic algorithm to use
> (e.g. TripleDES, IDEA, etc.). How can I make this selection in GPG
> ? If not: what is setup at the moment ? Note that I cannot find
> anything in one of the preferences (I'm using GPG4Win).

It's hard to answer your question, since there are multiple different things in GPG that could fit the description of "selecting the symmetric cryptographic algorithm". Please explain further what you are trying to do. Are you trying to set the preferences on your key so other people will send you messages encrypted with a particular cipher? Are you trying to set the outgoing cipher to something?

David

From dshaw at jabberwocky.com Tue Dec 12 05:08:43 2006
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 11 Dec 2006 23:08:43 -0500
Subject: Problem building 2.0.1 (on Mac OS X 10.4.8)
In-Reply-To: <457AEF8A.8080905@mac.com>
References: <871wnehznu.fsf@wheatstone.g10code.de> <45766FEA.1040000@mac.com> <87d56whxip.fsf@wheatstone.g10code.de> <20061207224813.GA13758@jabberwocky.com> <45790F75.8000202@mac.com> <20061208104918.GA4802@vorlon.ping.de> <20061208135302.GB14605@jabberwocky.com> <457AD70B.300@hammernoch.net> <457AEF8A.8080905@mac.com>
Message-ID: <20061212040843.GB26013@jabberwocky.com>

On Sat, Dec 09, 2006 at 12:16:58PM -0500, Charly Avital wrote:
> Ludwig Hügelschäfer wrote the following on 12/9/06 10:32 AM:
> > Hi,
> >
> > David Shaw wrote on 08.12.2006 14:53 Uhr:
> >> On Fri, Dec 08, 2006 at 11:49:18AM +0100, Michael Bienia wrote:
> >>> On 2006-12-08 02:08:37 -0500, Charly Avital wrote:
> >>>> 1. Patch applied:
> >>>> - ----------
> >>>> $ cd /Users/shavital/Desktop/gnupg-2.0.1/
> >>>> Charly-Avitals-PBG4:~/Desktop/gnupg-2.0.1 shavital$ patch -p0 <
> >>>> /Users/shavital/Desktop/gnupg-2.0-osx-iconv.patch
> >>>> patching file tools/Makefile.am
> >>>> patching file g10/Makefile.am
> >>>> patching file agent/Makefile.am
> >>>> - ----------
> >>> This only patches Makefile.am. You need to have these changes also in
> >>> Makefile.in so either regenerate Makefile.in with automake or patch
> >>> Makefile.in manually and add the same changes there.
> >> That is correct. Charly, you have to run automake before the patch is
> >> useful to you.
> >
> > This still doesn't help - at least for me...
> >
> > Despite the applied patch and manually modifying Makefile.in in tools,
> > g10 and agent I get:
> >
> > ld: Undefined symbols:
> > _libiconv
> > _libiconv_close
> > _libiconv_open
> > make[2]: *** [kbxutil] Error 1
> > make[1]: *** [all-recursive] Error 1
> > make: *** [all] Error 2
> >
> > After modifying Makefile.in and Makefile.am in kbx by adding $(LIBICONV)
> > to kbxutil_LDADD I get the following:
> >
> > gcc -I/usr/local/include -I/usr/local/include -I/usr/local/include
> > -I/usr/local/include -g -O2 -Wall -o gpgsm gpgsm.o misc.o keydb.o
> > server.o call-agent.o call-dirmngr.o fingerprint.o base64.o certlist.o
> > certdump.o certcheck.o certchain.o keylist.o verify.o sign.o encrypt.o
> > decrypt.o import.o export.o delete.o certreqgen.o qualified.o
> > ../jnlib/libjnlib.a ../kbx/libkeybox.a ../common/libcommon.a
> > ../gl/libgnu.a -L/usr/local/lib -lgcrypt -L/usr/local/lib -lgpg-error
> > -L/usr/local/lib -lksba -lgpg-error -L/usr/local/lib -lassuan
> > -L/usr/local/lib -lgpg-error -lz -lbz2
> > ld: Undefined symbols:
> > _libiconv
> > _libiconv_close
> > _libiconv_open
> > make[2]: *** [gpgsm] Error 1
> > make[1]: *** [all-recursive] Error 1
> > make: *** [all] Error 2
> >
> > *sigh*
> >
> > Ludwig
>
> Ludwig,
>
> I didn't dare modify the Makefile.in modules manually, after automake
> 1.6.3 didn't work. I have not succeeded to install a higher version of
> automake, the compiling and installing process seems to complete
> positively, but whenever I type automake --version, I get 1.6.3. Baffles me.
>
> I have been at it part of Thursday, and almost all Friday, always ending
> in one kind of error or another, including the ones you indicate in your
> message (ld: Undefined symbols etc., and kbxutil).

I think the best bet here would be to wait for the next 2.x rc release. There have been a number of changes.

David

From hhhobbit at securemecca.net Tue Dec 12 19:57:10 2006
From: hhhobbit at securemecca.net (Henry Hertz Hobbit)
Date: Tue, 12 Dec 2006 11:57:10 -0700
Subject: gpg writes junk forever when decrypting
In-Reply-To:
References:
Message-ID: <457EFB86.1010201@securemecca.net>

"Gou Yang" wrote:

> Hello,
>
> I think I've hit a bug in gpg. When I try and decrypt a corrupt
> pgp file, it looks like it is working but when it hits the
> corrupt part of the file, I see this error pop up:
>
> gpg: no valid OpenPGP data found.
> gpg: block_filter 0x80e8ac0: read error (size=11072,a->size=27456)
> gpg: block_filter 0x80e8a98: read error (size=14947,a->size=39523)
>
> When this error pops up, gpg goes out of control and starts
> appending junk to the decrypted file and never stops appending
> junk.
>
> I've let it sit up to 50GB before I killed gpg. The original file
> is only about 1GB but I wanted to see if it would ever stop. I've
> looked around but I didn't see anyone else who had this problem
> and resolved it.
>
> I could verify the signature prior to attempting to decrypt the
> file but the file isn't signed.
>
> Any suggestions? Any workaround? Anyone else have this problem?

I have tried this with the following combinations (my default
symmetric cipher is TWOFISH).

1. Encrypted symmetrically with TWOFISH, AES192, AES256, DES,
   and BLOWFISH ciphers.

   gpg -a -c --force-mdc --cipher-algo ${CIPHER} \
     < ReadMe.txt > ReadMe.txt.asc

   Twiddled two characters in ReadMe.txt.asc. Tried to decrypt with:

   gpg -d < ReadMe.txt.asc > ReadMe.txt

   Result: decryption stopped, output file size ZERO.

2. Encrypted and signed asymmetrically to myself with TWOFISH,
   AES, and AES256 used for the symmetric ciphers.

   gpg -a -r hhhobbit at securemecca.net -e -s \
     < ReadMe.txt > ReadMe.txt.asc

   Twiddled two characters in ReadMe.txt.asc. Tried to decrypt with:

   gpg -d < ReadMe.txt.asc > ReadMe.txt

   Result: decryption stopped, output file size ZERO.

3. On a file that is just a text file I get the following message:

gpg: no valid OpenPGP data found.
gpg: decrypt_message failed: eof

I have tried the use of several more symmetric ciphers and the
result is always the same. The instant I twiddle just two
characters in the encrypted [ / signed ] file I can't decrypt
and the output file size is ZERO. The failure given for the
asymmetric encryption is this for one of them:

gpg: CRC error; 2DC30B - 9AAB55
gpg: encrypted_mdc packet with unknown version 255

And the one I get for symmetric encryption is this for one
of them:

gpg: CRC error; 404350 - 94DB54
gpg: encrypted_mdc packet with unknown version 255

In all cases if it failed, I end up with the output file
being of size ZERO. I am using 1.4.6 with keys that were
created with 1.4.2 (at least I believe that was what it was).

I suspect you have either a damaged file system or damaged
keys. But without more particulars I don't know what you are
looking at, because in all cases, I end up with a file size of
ZERO. That also happens when I delete quite a few characters.

HHH

From hhhobbit at securemecca.net Tue Dec 12 20:33:57 2006
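The "CRC error" lines reported in the message above come from the CRC-24 checksum that closes an ASCII-armored block. The following Python code is an added example, not part of the original post and not GnuPG's own code: it implements that checksum as given in RFC 4880 section 6.1 and shows a two-character edit of the armored text being caught. The payload is constructed filler bytes rather than a real OpenPGP message, and `armor`, `check_armor` and `twiddle_two` are names made up for this example.

```python
"""CRC-24 check on an ASCII-armored block (RFC 4880, section 6.1)."""
import base64
from typing import NamedTuple

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB

# Constructed filler bytes standing in for the binary OpenPGP message.
SAMPLE = bytes((7 * i + 3) % 256 for i in range(120))


def crc24(data: bytes) -> int:
    """Bitwise CRC-24 over the raw (pre-base64) octets."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(payload: bytes, kind: str = "PGP MESSAGE") -> str:
    """Base64 lines of 64 characters, then '=' plus the base64 of the CRC-24."""
    body = base64.b64encode(payload).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    checksum = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN {kind}-----", "", *lines,
                      "=" + checksum, f"-----END {kind}-----", ""])


class ArmorCheck(NamedTuple):
    ok: bool
    stored: int
    computed: int


def check_armor(text: str) -> ArmorCheck:
    """Recompute the CRC-24 of the decoded body and compare it with the stored one."""
    lines = [line.strip() for line in text.splitlines()]
    try:
        begin = next(i for i, ln in enumerate(lines) if ln.startswith("-----BEGIN "))
        end = next(i for i, ln in enumerate(lines) if ln.startswith("-----END "))
        first_data = lines.index("", begin) + 1  # armor headers end at a blank line
    except (StopIteration, ValueError):
        raise ValueError("not an ASCII-armored block") from None
    stored = None
    data = []
    for line in lines[first_data:end]:
        if line.startswith("=") and len(line) == 5:
            stored = int.from_bytes(base64.b64decode(line[1:]), "big")
        elif line:
            data.append(line)
    if stored is None:
        raise ValueError("armor has no checksum line")
    computed = crc24(base64.b64decode("".join(data)))
    return ArmorCheck(stored == computed, stored, computed)


def twiddle_two(armored: str, row: int = 2, col: int = 10) -> str:
    """Change two adjacent base64 characters on one body line.

    Row 2 is the first data line (after the BEGIN line and the blank line).
    The two characters lie within 24 bits of each other, an error burst a
    24-bit CRC always detects.
    """
    lines = armored.split("\n")
    chars = list(lines[row])
    for i in (col, col + 1):
        chars[i] = "B" if chars[i] == "A" else "A"
    lines[row] = "".join(chars)
    return "\n".join(lines)


if __name__ == "__main__":
    good = armor(SAMPLE)
    for name, text in (("intact", good), ("twiddled", twiddle_two(good))):
        result = check_armor(text)
        print(f"{name}: stored {result.stored:06X}, "
              f"computed {result.computed:06X}, ok={result.ok}")
```

The armor CRC only catches accidental damage to the text encoding; detecting modification of the encrypted data itself is the job of the MDC that `--force-mdc` requests.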
From: hhhobbit at securemecca.net (Henry Hertz Hobbit)
Date: Tue, 12 Dec 2006 12:33:57 -0700
Subject: GPG question (cipher preference)
In-Reply-To:
References:
Message-ID: <457F0425.4010309@securemecca.net>

On Mon, Dec 11, 2006 at 02:29:45PM +0100, Lormans Harry wrote:

> In PGP I can select the symmetric cryptographic algorithm to use
> (e.g. TripleDES, IDEA, etc.). How can I make this selection in
> GPG? If not: what is setup at the moment? Note that I cannot
> find anything in one of the preferences (I'm using GPG4Win).

For defaults, do the equivalent of (you may have to add the path
to the gpg.exe executable and use the CMD window, but some of this
may be done in the GUI tools):

[0] gpg --version
    # this will show your choices of check sums and ciphers and
    # keys among other things

[1] gpg --list-keys | more
    # snag your key as it comes past or redirect output to a file
    # to find it:

[2] gpg --edit-key YOURKEYID
    Command> showpref
    Command> setpref AES AES192 AES256 TWOFISH CAST5 BLOWFISH 3DES \
        SHA256 SHA384 SHA512 SHA1 ZLIB BZIP2 ZIP MDC no-ks-modify
    REM All the stuff in this command is on ONE line with
    REM NO backslash - sorry, my email wrapped it
    Command> expire
    REM give it a reasonable default like 2-3 years
    Command> save

If you just want to change the encryption on the fly to some other
symmetric encryption algorithm you can do that with the
"--cipher-algo" option and specify the one to use. This should
be selectable in whatever GUI you are using to manage your keys
and do symmetric encryption of your files. On the other hand you
may be able to do it only using the command line (cmd.exe). If
you do have to do it that way, what I do is create a
%SystemDrive%\bin (usually c:\bin) folder and copy the gpg*.exe
files into that folder and add that to the path. Just remember
to copy the new executables there when you upgrade.

If all you need is to change the defaults, it shouldn't be too
painful since you only need to do it once.

If you want to do a LOT of symmetric ciphers and your GUI tool
won't let you do it easily you may want to write a script to do
it. I have them on 'nix, the shell is much more powerful than
cmd.exe. If you write me privately, I can send them to you but
I don't know how much help they would be.

Nuff?

HHH

From mega408 at hotmail.com Tue Dec 12 21:19:48 2006
From: mega408 at hotmail.com (Gou Yang)
Date: Tue, 12 Dec 2006 12:19:48 -0800
Subject: gpg writes junk forever when decrypting
In-Reply-To: <457EFB86.1010201@securemecca.net>
Message-ID:

Hello Henry,

Thank You for doing the test. Can you send me a public key? If you sent me
a public key, I could have the specific person encrypt sample data. I can
then purposely damage the file to see if you could reproduce the problem.

Thanks,
Gou

>From: Henry Hertz Hobbit
>To: gnupg-users at gnupg.org
>Subject: Re: gpg writes junk forever when decrypting
>Date: Tue, 12 Dec 2006 11:57:10 -0700
>
>"Gou Yang" wrote:
>
> > Hello,
> >
> > I think I've hit a bug in gpg. When I try and decrypt a corrupt
> > pgp file, it looks like it is working but when it hits the
> > corrupt part of the file, I see this error pop up:
> >
> > gpg: no valid OpenPGP data found.
> > gpg: block_filter 0x80e8ac0: read error (size=11072,a->size=27456)
> > gpg: block_filter 0x80e8a98: read error (size=14947,a->size=39523)
> >
> > When this error pops up, gpg goes out of control and starts
> > appending junk to the decrypted file and never stops appending
> > junk.
> >
> > I've let it sit up to 50GB before I killed gpg. The original file
> > is only about 1GB but I wanted to see if it would ever stop. I've
> > looked around but I didn't see anyone else who had this problem
> > and resolved it.
> >
> > I could verify the signature prior to attempting to decrypt the
> > file but the file isn't signed.
> >
> > Any suggestions? Any workaround? Anyone else have this problem?
>
>I have tried this with the following combinations (my default
>symmetric cipher is TWOFISH).
>
>1. Encrypted symmetrically with TWOFISH, AES192, AES256, DES,
>   and BLOWFISH ciphers.
>
>   gpg -a -c --force-mdc --cipher-algo ${CIPHER} \
>     < ReadMe.txt > ReadMe.txt.asc
>
>   Twiddled two characters in ReadMe.txt.asc. Tried to decrypt with:
>
>   gpg -d < ReadMe.txt.asc > ReadMe.txt
>
>   Result: decryption stopped, output file size ZERO.
>
>2. Encrypted and signed asymmetrically to myself with TWOFISH,
>   AES, and AES256 used for the symmetric ciphers.
>
>   gpg -a -r hhhobbit at securemecca.net -e -s \
>     < ReadMe.txt > ReadMe.txt.asc
>
>   Twiddled two characters in ReadMe.txt.asc. Tried to decrypt with:
>
>   gpg -d < ReadMe.txt.asc > ReadMe.txt
>
>   Result: decryption stopped, output file size ZERO.
>
>3. On a file that is just a text file I get the following message:
>
>gpg: no valid OpenPGP data found.
>gpg: decrypt_message failed: eof
>
>I have tried the use of several more symmetric ciphers and the
>result is always the same. The instant I twiddle just two
>characters in the encrypted [ / signed ] file I can't decrypt
>and the output file size is ZERO. The failure given for the
>asymmetric encryption is this for one of them:
>
>gpg: CRC error; 2DC30B - 9AAB55
>gpg: encrypted_mdc packet with unknown version 255
>
>And the one I get for symmetric encryption is this for one
>of them:
>
>gpg: CRC error; 404350 - 94DB54
>gpg: encrypted_mdc packet with unknown version 255
>
>In all cases if it failed, I end up with the output file
>being of size ZERO. I am using 1.4.6 with keys that were
>created with 1.4.2 (at least I believe that was what it was).
>
>I suspect you have either a damaged file system or damaged
>keys. But without more particulars I don't know what you are
>looking at, because in all cases, I end up with a file size of
>ZERO. That also happens when I delete quite a few characters.
>
>HHH

From jmoore3rd at bellsouth.net Tue Dec 12 22:09:27 2006
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Tue, 12 Dec 2006 16:09:27 -0500
Subject: Would Someone 'School Me', Please
Message-ID: <457F1A87.6070108@bellsouth.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

What are the practical benefits behind:

"Removed the use of g10defs.h.
This required some code cleanups and the introduction of
a few accessor ducntions in mpi."

Being 'Old School' enough to believe "if it ain't broke. don't fix it" I
would appreciate someone explaining to Me what was 'broken'.

JOHN :-\
Timestamp: Tuesday 12 Dec 2006, 16:08 --500 (Eastern Standard Time)

- --
Programming is like sex: if you make a mistake, you have to support it for
the rest of your life. --(unknown)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7-svn4375: (MingW32)
Comment: Public Key at: http://tinyurl.com/8cpho
Comment: Gossamer Spider Web of Trust: http://www.gswot.org
Comment: My Homepage: http://tinyurl.com/yzhbhx
-----END PGP SIGNATURE-----

From nixclusive0 at gmail.com Tue Dec 12 21:56:07 2006
From: nixclusive0 at gmail.com (nix)
Date: Wed, 13 Dec 2006 02:26:07 +0530
Subject: GPG question
In-Reply-To:
References:
Message-ID: <20061212205607.GA7318@teststation>

>In PGP I can select the symmetric cryptographic algorithm to use (e.g. TripleDES, IDEA,
>etc.).
>How can I make this selection in GPG ? If not: what is setup at the moment ?
>Note that I cannot find anything in one of the preferences (I'm using GPG4Win).

Use the command line option '--symmetric' for encrypting symmetrically.
Here's a sample:

$ gpg --cipher-algo AES256 --symmetric file.ext

where the --cipher-algo list can be obtained from:

gpg --version

From linux at thorstenhau.de Wed Dec 13 00:39:13 2006
From: linux at thorstenhau.de (Thorsten Haude)
Date: Wed, 13 Dec 2006 00:39:13 +0100 (MET)
Subject: Would Someone 'School Me', Please
In-Reply-To: <457F1A87.6070108@bellsouth.net>
References: <457F1A87.6070108@bellsouth.net>
Message-ID: <20061212233101.GB2137@eumel.yoo.local>

Hi,

* John W. Moore III wrote (2006-12-12 16:09):
>What are the practical benefits behind:
>
>"Removed the use of g10defs.h.
>This required some code cleanups and the introduction of
>a few accessor ducntions in mpi."
>
>Being 'Old School' enough to believe "if it ain't broke. don't fix it" I
>would appreciate someone explaining to Me what was 'broken'.

Knowing neither which change you talk about nor indeed what g10defs.h
is, I still think this might give a hint:
http://en.wikipedia.org/wiki/Defensive_programming

Thorsten

Radiohead: Exit Music (For A Film)
--
When there are too many policemen, there can be no liberty;
When there are too many soldiers, there can be no peace;
When there are too many lawyers, there can be no justice.
    - Lin Yutang

From brunij at earthlink.net Wed Dec 13 02:05:18 2006
From: brunij at earthlink.net (Joseph Oreste Bruni)
Date: Tue, 12 Dec 2006 18:05:18 -0700
Subject: Would Someone 'School Me', Please
In-Reply-To: <457F1A87.6070108@bellsouth.net>
References: <457F1A87.6070108@bellsouth.net>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Sometimes refactoring one's software can lead to better extensibility
as well as helping to uncover previously unknown bugs and
dependencies. Reducing dependencies allows one to change one
component without breaking others. Accessor functions provide
indirection that also allows for the same sorts of changes,
facilitating a change to an implementation without breaking the
interface.

A good reference on how to improve stability and design of software
without drastic changes is "Refactoring" by Fowler, Beck, et al.
(ISBN 0201485672).

On Dec 12, 2006, at 2:09 PM, John W. Moore III wrote:

> What are the practical benefits behind:
>
> "Removed the use of g10defs.h.
> This required some code cleanups and the introduction of
> a few accessor ducntions in mpi."
>
> Being 'Old School' enough to believe "if it ain't broke. don't fix
> it" I
> would appreciate someone explaining to Me what was 'broken'.
>
> JOHN :-\
> Timestamp: Tuesday 12 Dec 2006, 16:08 --500 (Eastern Standard Time)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (Darwin)
-----END PGP SIGNATURE-----

From wk at gnupg.org Wed Dec 13 09:32:55 2006
From: wk at gnupg.org (Werner Koch)
Date: Wed, 13 Dec 2006 09:32:55 +0100
Subject: Would Someone 'School Me', Please
In-Reply-To: <457F1A87.6070108@bellsouth.net> (John W. Moore, III's message of "Tue\, 12 Dec 2006 16\:09\:27 -0500")
References: <457F1A87.6070108@bellsouth.net>
Message-ID: <87mz5s19hk.fsf@wheatstone.g10code.de>

On Tue, 12 Dec 2006 22:09, jmoore3rd at bellsouth.net said:

> Being 'Old School' enough to believe "if it ain't broke. don't fix it" I
> would appreciate someone explaining to Me what was 'broken'.

Less code, less bugs.

Further the old way didn't exactly comply with the GNU coding standard
in that it was not possible to change the installation directories
during the install step.

Shalom-Salam,

   Werner

From shavital at netvision.net.il Tue Dec 12 19:01:25 2006
From: shavital at netvision.net.il (Charly Avital)
Date: Tue, 12 Dec 2006 13:01:25 -0500
Subject: Correct location of 'automake'?
Message-ID: <457EEE75.8070007@netvision.net.il>

When trying to compile GnuPG 2.0.1, I was told to run automake before
applying David Shaw's patch.

Whenever I tried to run automake, I got a long error message, the gist
of which was the version I was using, 1.6.3, was wrong, and that I
should use 1.9.6.

I tried to install 1.9.6 by compiling the source code. It apparently
succeeded, but automake --version still gave 1.6.3, as well as
/usr/bin/automake --version.

I have now tried 'locate automake', and it seems that I have the two
versions, 1.6.3, and 1.9.6 installed, but in different paths; following
are partial quotes of the Terminal output:

When I do:
/usr/local/bin/automake --version
I get version 1.9.6

/usr/bin/automake
/usr/bin/automake-1.6
and
/usr/local/bin/automake
/usr/local/bin/automake-1.9

Moreover I have:
/usr/share/automake-1.6
/usr/share/automake-1.6/acinstall
and
/usr/local/share/automake-1.9
/usr/local/share/automake-1.9/acinstall

So what should be the 'correct' path?
- /usr/bin/automake
or
- /usr/local/bin/automake
?

Thanks in advance,
Charly

From ricowidmer at gmx.ch Wed Dec 13 10:24:30 2006
From: ricowidmer at gmx.ch (Telandor)
Date: Wed, 13 Dec 2006 01:24:30 -0800 (PST)
Subject: secret key (not) available
Message-ID: <7849584.post@talk.nabble.com>

Hallo everybody

I use GPG 1.4.4 and have encrypted a txt-file on computer A.
I put this encrypted txt-file to computer B and wanted to decrypt it there.
Then computer B said "secret key not available".
So I exported my keys from computer A and imported them in computer B.
But the error remained.
So I copied the encrypted txt-file back to computer A and wanted to decrypt
it there. But there was the same error!
gpg --list-keys didn't even show any keys on computer A.
So I exported the keys from computer B and imported them on computer A.
Where they were actually created. But it still didn't work.

I have another file encrypted with gpg on computer A and I can decrypt this
file.

gpg -K does not show any keys (!?)

I hope this problem is not too confusing.
Thank you very much for your effort!
--
View this message in context: http://www.nabble.com/secret-key-%28not%29-available-tf2812871.html#a7849584
Sent from the GnuPG - User mailing list archive at Nabble.com.

From wk at gnupg.org Wed Dec 13 17:43:52 2006
From: wk at gnupg.org (Werner Koch)
Date: Wed, 13 Dec 2006 17:43:52 +0100
Subject: Correct location of 'automake'?
In-Reply-To: <457EEE75.8070007@netvision.net.il> (Charly Avital's message of "Tue\, 12 Dec 2006 13\:01\:25 -0500")
References: <457EEE75.8070007@netvision.net.il>
Message-ID: <87k60vwxtj.fsf@wheatstone.g10code.de>

On Tue, 12 Dec 2006 19:01, shavital at netvision.net.il said:

> I tried to install 1.9.6 by compiling the source code. It apparently
> succeeded, but automake --version still gave 1.6.3, as well as
> /usr/bin/automake --version.

You need to make sure that it comes first in your PATH. Or better,
read the README.SVN and use the PREFIX and suffix variables.

Salam-Shalom,

   Werner

From mega408 at hotmail.com Wed Dec 13 23:28:51 2006
From: mega408 at hotmail.com (Gou Yang)
Date: Wed, 13 Dec 2006 14:28:51 -0800
Subject: secret key (not) available
In-Reply-To: <7849584.post@talk.nabble.com>
Message-ID:

Hello,

If you were able to encrypt a file and then you listed the keys and found
none then perhaps you are using an incorrect key ring. You should check to
make sure you are using the right keyring or you should just use "--home"
and specify the exact location.

Regards,
Gou

>From: Telandor
>To: gnupg-users at gnupg.org
>Subject: secret key (not) available
>Date: Wed, 13 Dec 2006 01:24:30 -0800 (PST)
>
>Hallo everybody
>
>I use GPG 1.4.4 and have encrypted a txt-file on computer A.
>I put this encrypted txt-file to computer B and wanted to decrypt it there.
>Then computer B said "secret key not available".
>So I exported my keys from computer A and imported them in computer B.
>But the error remained.
>So I copied the encrypted txt-file back to computer A and wanted to decrypt
>it there. But there was the same error!
>gpg --list-keys didn't even show any keys on computer A.
>So I exported the keys from computer B and imported them on computer A.
>Where they were actually created. But it still didn't work.
>
>I have another file encrypted with gpg on computer A and I can decrypt this
>file.
>
>gpg -K does not show any keys (!?)
>
>
>I hope this problem is not too confusing.
>Thank you very much for your effort!

From j.lysdal at gmail.com Thu Dec 14 23:04:58 2006
From: j.lysdal at gmail.com (Jørgen Lysdal)
Date: Thu, 14 Dec 2006 23:04:58 +0100
Subject: Hash algorithmn
In-Reply-To: <9afe34fe0612141344p20e55aa2wcf77d67648dca61b@mail.gmail.com>
References: <9afe34fe0612141344p20e55aa2wcf77d67648dca61b@mail.gmail.com>
Message-ID: <9afe34fe0612141404g31cebc2bp9b0cd1a348b27136@mail.gmail.com>

okay, i missed the "verbose" option in the man page... sry :)

2006/12/14, Jørgen Lysdal :
> Hi,
>
> I got an encrypted and signed email, is it possible to see what hash
> algorithm was used for signing?
>
> ---
> Jorgen Ch. Lysdal / 0x7763AF61
>

From j.lysdal at gmail.com Thu Dec 14 22:44:40 2006
From: j.lysdal at gmail.com (Jørgen Lysdal)
Date: Thu, 14 Dec 2006 22:44:40 +0100
Subject: Hash algorithmn
Message-ID: <9afe34fe0612141344p20e55aa2wcf77d67648dca61b@mail.gmail.com>

Hi,

I got an encrypted and signed email, is it possible to see what hash
algorithm was used for signing?

---
Jorgen Ch. Lysdal / 0x7763AF61

From ajgraves at freeshell.org Fri Dec 15 08:23:36 2006
From: ajgraves at freeshell.org (Aaron J. Graves)
Date: Fri, 15 Dec 2006 00:23:36 -0700 (MST)
Subject: authenticate flag
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have created a key that for some reason does not have the "authenticate"
flag set. Is there a way I can somehow set this flag? Or do I have to start
from scratch?

Here's an example. From the key in question:

pub 1024D/9FB54294 created: 2006-09-17 expires: never usage: SC
    trust: ultimate validity: ultimate
sub 4096g/DE94A6C4 created: 2006-09-17 expires: never usage: E

And from another key that has the flag set:
pub 1024D/34BAFE51 created: 2006-08-26 expires: 2011-08-25 usage: SCA
    trust: ultimate validity: ultimate
sub 4096g/84400184 created: 2006-08-26 expires: 2011-08-25 usage: E

Notice the "A" in the usage section. How can I add that to my other key?
Or if it's not necessary, would it be possible to ask why?

Thanks very much for your time.

Aaron Graves
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (NetBSD)

iD8DBQFFgOvk20bIVZ+1QpQRAoO4AJoDx2aidK3hxLwQ1HJLxmSEL/EWWQCfaesO
oqThQE1wdHyERZm94BzK5c8=
=w2Dy
-----END PGP SIGNATURE-----

From alphasigmax at gmail.com Fri Dec 15 09:22:31 2006
From: alphasigmax at gmail.com (Alphax)
Date: Fri, 15 Dec 2006 18:52:31 +1030
Subject: authenticate flag
In-Reply-To:
References:
Message-ID: <45825B47.9060708@gmail.com>

Aaron J. Graves wrote:
> I have created a key that for some reason does not have the "authenticate"
> flag set. Is there a way I can somehow set this flag? Or do I have to start
> from scratch?
>
> Here's an example. From the key in question:
>
> pub 1024D/9FB54294 created: 2006-09-17 expires: never usage: SC
>     trust: ultimate validity: ultimate
> sub 4096g/DE94A6C4 created: 2006-09-17 expires: never usage: E
>
> And from another key that has the flag set:
> pub 1024D/34BAFE51 created: 2006-08-26 expires: 2011-08-25 usage: SCA
>     trust: ultimate validity: ultimate
> sub 4096g/84400184 created: 2006-08-26 expires: 2011-08-25 usage: E
>
> Notice the "A" in the usage section. How can I add that to my other key?
> Or if it's not necessary, would it be possible to ask why?
>

As someone wiser than me said about a year and a half ago, a key with
the "authenticate" flag could be used to eg. unlock your PC instead of
using a username/password. To set the flag during key creation, use gpg
--expert --gen-key:

> Please select what kind of key you want:
>    (1) DSA and Elgamal (default)
>    (2) DSA (sign only)
>    (3) DSA (set your own capabilities)
>    (5) RSA (sign only)
>    (7) RSA (set your own capabilities)
> Your selection?

Select (7) and toggle the "A" option. Adding it to an existing key
requires a deep understanding of the OpenPGP spec (RFC 2440) and a hex
editor; alternatively, you could add a subkey with this capability (gpg
--expert --edit 0x, addkey, , 7, A, Q).

HTH,
--
Alphax
Death to all fanatics!
Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g

From Hwy101y at Yahoo.com Sun Dec 17 03:07:18 2006
From: Hwy101y at Yahoo.com (Tom - Hwy101)
Date: Sat, 16 Dec 2006 18:07:18 -0800
Subject: Very Newbie Questions
Message-ID: <4584A656.80601@Yahoo.com>

I am a XP Pro User, Thunderbird - I got the extension for Thunderbird to
do GnuPG... and have the executable to Install the Encryption program.

I mainly want to "Sign" my msgs at this point and not Encrypt, is this
possible to just Sign without a lot of hassle?
Or to setup to default that way so I don't have to choose to Sign and
not encrypt?

Thanks for Any Pointers - Tom

From JPClizbe at tx.rr.com Sun Dec 17 07:09:21 2006
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Sun, 17 Dec 2006 00:09:21 -0600
Subject: Very Newbie Questions
In-Reply-To: <4584A656.80601@Yahoo.com>
References: <4584A656.80601@Yahoo.com>
Message-ID: <4584DF11.7000609@tx.rr.com>

Tom - Hwy101 wrote:
> I am a XP Pro User, Thunderbird - I got the extension for Thunderbird to
> do GnuPG...

That would be Enigmail

> and have the executable to Install the Encryption program.

Double-click the executable and accept the defaults to install GnuPG

> I mainly want to "Sign" my msgs at this point and not Encrypt, is this
> possible to just Sign without a lot of hassle?

Yes

> Or to setup to default that way so I don't have to choose to Sign and
> not encrypt?

Yep, Quite simply.

Let me direct you to the GnuPG Installation and Configuration page we wrote at
http://enigmail.mozdev.org/gpgconf.html

Most common questions are answered at http://enigmail.mozdev.org/help.html

You can get answers to Enigmail-specific questions on the mailing list,
enigmail at mozdev.org. You can subscribe to the list at
http://mozdev.org/mailman/listinfo/enigmail. Subscribing isn't necessary, but
your posts will be seen a lot faster as nonsubscribers are moderated.

--
John P. Clizbe                        Inet: John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO.   PGP/GPG KeyID: 0x608D2A10/0x18BB373A
"what's the key to success?" / "two words: good decisions."
"what's the key to good decisions?" / "one word: experience."
"how do i get experience?" / "two words: bad decisions."

"Just how do the residents of Haiku, Hawai'i hold conversations?"

From hhhobbit at securemecca.net Sun Dec 17 09:37:11 2006
From: hhhobbit at securemecca.net (Henry Hertz Hobbit)
Date: Sun, 17 Dec 2006 01:37:11 -0700
Subject: secret key (not) available
In-Reply-To:
References:
Message-ID: <1166344631.5282.49.camel@sirius.brigham.net>

On Wed, 2006-12-13 at 01:24 -0800, ricowidmer at gmx.ch wrote:
>
>
> Hallo everybody
>
> I use GPG 1.4.4 and have encrypted a txt-file on computer A.

Encrypted how, symmetrically, or asymmetrically?

> I put this encrypted txt-file to computer B and wanted to decrypt
> it there. Then computer B said "secret key not available".
> So I exported my keys from computer A and imported them in
> computer B.

How did you export them?

gpg -a --export YOURKEYID > yourkey.asc
# or
gpg -a --export-secret-keys YOURKEYID > yoursecretkey.asc

The first just exports your public key. The second exports both
your public and your secret key of the keypair. The import should
go without a hitch for either one, but there won't be a secret
key if you use the first. If you encrypted only symmetrically
it won't have any effect.

> But the error remained. So I copied the encrypted txt-file back to
> computer A and wanted to decrypt it there. But there was the same
> error! gpg --list-keys didn't even show any keys on computer A.

Can you do a:

cd ; cd .gnupg

on machine A? If you can, then after that do a:

ls -l

You should at least see the following files:

gpg.conf
pubring.gpg
pubring.gpg~
random_seed
secring.gpg
trustdb.gpg

Also do it on machine B. If they aren't there, then make sure
you specify WHERE they are at (and find where they are at. If
you have to (disk and CPU intensive):

find / -name secring.gpg -print 2> /dev/null

> So I exported the keys from computer B and imported them on
> computer A. Where they were actually created. But it still
> didn't work.

Again, can you see the secret keys on machine B, e.g.:

gpg -K

> I have another file encrypted with gpg on computer A and I
> can decrypt this file.
>
> gpg -K does not show any keys (!?)
>

Was this file encrypted with symmetric or asymmetric encryption?

Symmetric example:
------------------
gpg -a -c --force-mdc --cipher-algo ${CIPHER} < INFILE > OUTFILE

Asymmetric example:
-------------------
gpg -a -e -r PERSON at THEIRMAILHOST < INFILE > OUTFILE

> I hope this problem is not too confusing.
> Thank you very much for your effort!

The only thing confusing is just what you have, how you are doing
the encryption (symmetric or asymmetric), whether you have any keys
at all (I am assuming you did a gpg --gen-key before the start of
all this), etc. It IS possible to do a symmetric encryption without
any keys at all (although gpg WILL create an empty pubring.gpg file).

1. I suspect you are NOT encrypting the first file with symmetric
   encryption, but are doing it with the second file (the one you
   can decrypt on machine A). Copy the second file to machine B
   and decrypt it.

2. Since the first file is probably being encrypted with asymmetric
   encryption, I suggest you are encrypting it with the public key,
   but don't have the secret key. The only person that can decrypt
   the file that was encrypted is the one that has the secret key
   that corresponds to the public key that was used.

If when you do a "gpg -K" on both machines and no keys show up,
then you have NO secret keys. Are you sure you did a
"gpg --gen-key" at the start of all this? On the other hand, if
you do a gpg --list-keys and the public key you are using is there,
then it is totally understandable that if you are using asymmetric
encryption that you can encrypt the file but not decrypt it.

Did that help or am *I* missing something? If I did miss something
then please fill us in. If you generated the key pair (public /
secret) it is highly possible your ~/.gnupg/secring.gpg file has
been damaged, which is exactly what is going through my mind right
now.

HHH

From hhhobbit at securemecca.net Sun Dec 17 10:59:38 2006
From: hhhobbit at securemecca.net (Henry Hertz Hobbit)
Date: Sun, 17 Dec 2006 02:59:38 -0700
Subject: Very Newbie Questions
In-Reply-To:
References:
Message-ID: <1166349578.5282.86.camel@sirius.brigham.net>

On Sat, 2006-12-16 at 18:07 -0800, Hwy101y at Yahoo.com wrote:
> I am a XP Pro User, Thunderbird - I got the extension for Thunderbird to
> do GnuPG... and have the executable to Install the Encryption program.
>
> I mainly want to "Sign" my msgs at this point and not Encrypt, is this
> possible to just Sign without a lot of hassle?
> Or to setup to default that way so I don't have to choose to Sign and
> not encrypt?
>
> Thanks for Any Pointers - Tom

I don't know what you are using to install GnuPG itself. Make sure that you have a copy of iconv.dll (zip that contains it if doing separately is libiconv-1.9.1.dll.zip) in your %SystemDrive%\windows\system32 folder after the install. I don't know whether they put the following values in the registry with what you are using but you can check it after installing GnuPG with regedit:

--------------------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\GNU]

[HKEY_LOCAL_MACHINE\Software\GNU\GNUPG]

[HKEY_LOCAL_MACHINE\Software\GNU\GNUPG]
"gpgProgram"="C:\\Program Files\\GnuPG\\gpg.exe"

[HKEY_CURRENT_USER\Control Panel\Mingw32]

[HKEY_CURRENT_USER\Control Panel\Mingw32\NLS]

[HKEY_CURRENT_USER\Control Panel\Mingw32\NLS]
"MODir"="C:\\Program Files\\GnuPG\\Locale"

[HKEY_CURRENT_USER\Software\GNU]

[HKEY_CURRENT_USER\Software\GNU\GNUPG]

[HKEY_CURRENT_USER\Software\GNU\GNUPG]
"HomeDir"="C:\\Documents and Settings\\%USERNAME%\\Application Data\\Gnu
\\GnuPG"
"gpgProgram"="C:\\Program Files\\GnuPG\\gpg.exe"
"OptFile"="C:\\Documents and Settings\\%USERNAME%\\Application Data\\Gnu
\\GnuPG\\gpg.conf"
-------------------------------------------------------------------

%USERNAME% should just be your user name (starting a cmd window should tell you who you are in the prompt - it is the last folder name unless you changed where cmd starts up). The last line and the second from the last wrapped on me (HomeDir and OptFile). If these entries aren't in the registry after you install GnuPG, you may want to save this portion (the stuff between the lines) to a file named YOURNAME.reg. Just be sure your key folder is Gnu\GnuPG and not just GnuPG. If it is just GnuPG delete the "\\Gnu" from the two Documents and Settings lines. Replace %USERNAME% with your real user name. Then double click on the file.

I must mention that I think GPG4Win does all of this for you. If it does, do NOT move where it puts your key files. I finally became a fascist and took control of where they were on my own.

I would encourage you NOT to sign every message since most people don't have OpenPGP encryption and will wonder what in the world all those garbled characters are at the end of the file. It is easy to select signing when the occasion demands it (the other person uses OpenPGP). I LOVE to receive signed messages. That shows the message really came from the other person, especially if I got the public key from them personally.

HHH

From hhhobbit at securemecca.net Sun Dec 17 17:59:46 2006
From: hhhobbit at securemecca.net (Henry Hertz Hobbit)
Date: Sun, 17 Dec 2006 09:59:46 -0700
Subject: Very Newbie Questions
In-Reply-To: <1166349578.5282.86.camel@sirius.brigham.net>
References: <1166349578.5282.86.camel@sirius.brigham.net>
Message-ID: <45857782.8000507@securemecca.net>

Henry Hertz Hobbit wrote:

OOPS!

> [HKEY_LOCAL_MACHINE\Software\GNU\GNUPG]
> "gpgProgram"="C:\\Program Files\\GnuPG\\gpg.exe"

This line should now be:

"gpgProgram"="C:\\Program Files\\GNU\\GnuPG\\gpg.exe"

> [HKEY_CURRENT_USER\Control Panel\Mingw32]
>
> [HKEY_CURRENT_USER\Control Panel\Mingw32\NLS]
>
> [HKEY_CURRENT_USER\Control Panel\Mingw32\NLS]
> "MODir"="C:\\Program Files\\GnuPG\\Locale"

And this line should now PROBABLY be (on Linux right now)

"MODir"="C:\\Program Files\\GNU\\GnuPG\\Locale"

If it isn't there then it would be in the GNU folder ("MODir"="C:\\Program Files\\GNU\\Locale") but if memory serves me correct it is in the GnuPG folder. I wouldn't know this because I use the standard English strings. I have tons of language support, but the system setting is (American) English.

> [HKEY_CURRENT_USER\Software\GNU]
>
> [HKEY_CURRENT_USER\Software\GNU\GNUPG]
>
> [HKEY_CURRENT_USER\Software\GNU\GNUPG]
> "HomeDir"="C:\\Documents and Settings\\%USERNAME%\\Application Data\\Gnu
> \\GnuPG"
> "gpgProgram"="C:\\Program Files\\GnuPG\\gpg.exe"

And this line should now be:

"gpgProgram"="C:\\Program Files\\GNU\\GnuPG\\gpg.exe"

Sorry about that.

HHH

From JPClizbe at tx.rr.com Sun Dec 17 19:34:25 2006
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Sun, 17 Dec 2006 12:34:25 -0600
Subject: Very Newbie Questions
In-Reply-To: <1166349578.5282.86.camel@sirius.brigham.net>
References: <1166349578.5282.86.camel@sirius.brigham.net>
Message-ID: <45858DB1.5020008@tx.rr.com>

Henry Hertz Hobbit wrote:
>
> I don't know what you are using to install GnuPG itself. Make
> sure that you have a copy of iconv.dll (zip that contains it if
> doing separately is libiconv-1.9.1.dll.zip) in your
> %SystemDrive%\windows\system32 folder after the install. I don't
> know whether they put the following values in the registry with
> what you are using but you can check it after installing GnuPG
> with regedit:

Manual registry editing is not needed - the installer handles all the entries GnuPG needs.

Likewise, there is no need to copy or do anything else with iconv.dll. As a general rule of thumb, copying things into %systemroot%\system32 is to be avoided. The iconv library is only needed for NLS support. If gpg needs it and cannot find it, it will issue a warning and continue executing.

Werner posted that the installer correctly handles iconv; ie if the DLL is found in your path, the installer does nothing; if not found or too old, it places a copy of iconv.dll into the GnuPG program directory. [GnuPG-Devel 2005-03-17]

--
John P. Clizbe                      Inet: John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A
"what's the key to success?"        / "two words: good decisions."
"what's the key to good decisions?" / "one word: experience."
"how do i get experience?"          / "two words: bad decisions."

"Just how do the residents of Haiku, Hawai'i hold conversations?"

From ajgraves at freeshell.org Thu Dec 14 07:17:14 2006
From: ajgraves at freeshell.org (Aaron J. Graves)
Date: Wed, 13 Dec 2006 23:17:14 -0700 (MST)
Subject: authenticate flag
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have created a key that for some reason does not have the "authenticate" flag set. Is there a way I can somehow set this flag? Or do I have to start from scratch?

Here's an example. From the key in question:

pub  1024D/9FB54294  created: 2006-09-17  expires: never       usage: SC
                     trust: ultimate      validity: ultimate
sub  4096g/DE94A6C4  created: 2006-09-17  expires: never       usage: E

And from another key that has the flag set:

pub  1024D/34BAFE51  created: 2006-08-26  expires: 2011-08-25  usage: SCA
                     trust: ultimate      validity: ultimate
sub  4096g/84400184  created: 2006-08-26  expires: 2011-08-25  usage: E

Notice the "A" in the usage section. How can I add that to my other key? Or if it's not necessary, would it be possible to ask why?

Thanks very much for your time.

Aaron Graves

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (NetBSD)

iD8DBQFFgOvk20bIVZ+1QpQRAoO4AJoDx2aidK3hxLwQ1HJLxmSEL/EWWQCfaesO
oqThQE1wdHyERZm94BzK5c8=
=w2Dy
-----END PGP SIGNATURE-----

From ricowidmer at gmx.ch Mon Dec 18 10:10:32 2006
From: ricowidmer at gmx.ch (Telandor)
Date: Mon, 18 Dec 2006 01:10:32 -0800 (PST)
Subject: secret key (not) available
In-Reply-To: <1166344631.5282.49.camel@sirius.brigham.net>
References: <7849584.post@talk.nabble.com> <1166344631.5282.49.camel@sirius.brigham.net>
Message-ID: <7925532.post@talk.nabble.com>

Hi HHH

Thank you for your fast answer!

First of all, 2 of three of my files work now. Although I don't really know what I have done. I typed once "gpg --home" (thank you Gou Yang) and then gpg created a file secring.gpg or so. Is this possible? Are the keys user specified? I remember that I had created the files and keys with another user than I tried to decrypt them.

I had not exported my secret keys, I had not generated a key by "gpg --gen-key" and I have no idea if I had encrypted the files symmetrically or asymmetrically. I had typed "gpg -e filename".

The files I have (by the way I use Windows XP) in my application data folder are:

    pubring.bak
    pubring.gpg
    random_seed
    secring.gpg
    trustdb.gpg

gpg -K now shows some keys.

Well, thank you again for your help. If you have another idea for my third file please let me know. But it would be ok if you did not write an answer. It is not sooo important.

Have a nice day!

Henry Hertz Hobbit wrote:
>
> On Wed, 2006-12-13 at 01:24 -0800, ricowidmer at gmx.ch wrote:
>
>>
>> Hallo everybody
>>
>> I use GPG 1.4.4 and have encrypted a txt-file on computer A.
>
> Encrypted how, symmetrically, or asymmetrically?
>
>> I put this encrypted txt-file to computer B and wanted to decrypt
>> it there. Then computer B said "secret key not available".
>> So I exported my keys from computer A and imported them in
>> computer B.
>
> How did you export them?
>
>     gpg -a --export YOURKEYID > yourkey.asc
>     # or
>     gpg -a --export-secret-keys YOURKEYID > yoursecretkey.asc
>
> The first just exports your public key. The second exports both
> your public and your secret key of the keypair. The import should
> go without a hitch for either one, but there won't be a secret key
> if you use the first. If you encrypted only symmetrically it won't
> have any effect.
>
>> But the error remained. So I copied the encrypted txt-file back to
>> computer A and wanted to decrypt it there. But there was the same
>> error! gpg --list-keys didn't even show any keys on computer A.
>
> Can you do a:
>
>     cd ; cd .gnupg
>
> on machine A? If you can, then after that do a:
>
>     ls -l
>
> You should at least see the following files:
>
>     gpg.conf
>     pubring.gpg
>     pubring.gpg~
>     random_seed
>     secring.gpg
>     trustdb.gpg
>
> Also do it on machine B. If they aren't there,
> then make sure you specify WHERE they are at (and
> find where they are at). If you have to (disk and
> CPU intensive):
>
>     find / -name secring.gpg -print 2> /dev/null
>
>> So I exported the keys from computer B and imported them on
>> computer A. Where they were actually created. But it still
>> didn't work.
>
> Again, can you see the secret keys on machine B, e.g.:
>
>     gpg -K
>
>> I have another file encrypted with gpg on computer A and I
>> can decrypt this file.
>>
>> gpg -K does not show any keys (!?)
>>
>
> Was this file encrypted with symmetric or asymmetric
> encryption?
>
> Symmetric example:
> ------------------
>     gpg -a -c --force-mdc --cipher-algo ${CIPHER} < INFILE > OUTFILE
>
> Asymmetric example:
> -------------------
>     gpg -a -e -r PERSON@THEIRMAILHOST < INFILE > OUTFILE
>
>> I hope this problem is not too confusing.
>> Thank you very much for your effort!
>
> The only thing confusing is just what you have, how you are doing
> the encryption (symmetric or asymmetric), whether you have any
> keys at all (I am assuming you did a gpg --gen-key before the
> start of all this), etc. It IS possible to do a symmetric
> encryption without any keys at all (although gpg WILL create an
> empty pubring.gpg file).
>
> 1. I suspect you are NOT encrypting the first file with
> symmetric encryption, but are doing it with the second file
> (the one you can decrypt on machine A). Copy the second file
> to machine B and decrypt it.
>
> 2. Since the first file is probably being encrypted with asymmetric
> encryption, I suggest you are encrypting it with the public
> key, but don't have the secret key. The only person that can
> decrypt the file that was encrypted is the one that has the
> secret key that corresponds to the public key that was used.
>
> If when you do a "gpg -K" on both machines and no keys show up,
> then you have NO secret keys. Are you sure you did a
> "gpg --gen-key" at the start of all this? On the other hand,
> if you do a gpg --list-keys and the public key you are using
> is there, then it is totally understandable that if you are
> using asymmetric encryption that you can encrypt the file
> but not decrypt it.
>
> Did that help or am *I* missing something? If I did miss
> something then please fill us in. If you generated the key
> pair (public / secret) it is highly possible your
> ~/.gnupg/secring.gpg file has been damaged, which is exactly
> what is going through my mind right now.
>
> HHH
>

From jmoore3rd at bellsouth.net Mon Dec 18 16:48:32 2006
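For the question this thread keeps returning to (was the file encrypted symmetrically or to a public key, and to which key?), the following added example, which is not code from any poster or from GnuPG, reads the leading OpenPGP packets of a gpg output file using the packet layout in RFC 4880. The sample byte strings, the key ID 0123456789ABCDEF, the placeholder armor CRC and all function names are constructed for illustration.

```python
import base64

# Packet tags from RFC 4880 section 4.3.
TAG_PKESK = 1  # Public-Key Encrypted Session Key: decrypting needs that secret key
TAG_SKESK = 3  # Symmetric-Key Encrypted Session Key: decrypting needs the passphrase

# Constructed samples (not real gpg output): one session-key packet followed
# by a stub encrypted-data packet (tag 18).
SYM_SAMPLE = bytes.fromhex("8c0d04030302" "0102030405060708" "60" "d20501deadbeef")
PK_SAMPLE = bytes.fromhex("8410" "03" "0123456789abcdef" "10" "0008ff0008ff"
                          "d20501deadbeef")


def constructed_armor(raw: bytes) -> bytes:
    """Wrap raw bytes like `gpg -a` output; the CRC line is a placeholder."""
    return (b"-----BEGIN PGP MESSAGE-----\nVersion: constructed sample\n\n"
            + base64.b64encode(raw) + b"\n=AAAA\n-----END PGP MESSAGE-----\n")


def dearmor(data: bytes) -> bytes:
    """Return binary OpenPGP data, decoding ASCII armor if it is present."""
    if not data.lstrip().startswith(b"-----BEGIN PGP MESSAGE-----"):
        return data
    lines = [ln.strip() for ln in data.strip().splitlines()]
    start = lines.index(b"") + 1          # armor headers end at the blank line
    body = []
    for ln in lines[start:]:
        if ln.startswith(b"=") or ln.startswith(b"-----END"):
            break                         # CRC line or end marker (CRC not verified)
        body.append(ln)
    return base64.b64decode(b"".join(body))


def read_packet(buf: bytes, pos: int):
    """Parse one packet at pos and return (tag, body, next_pos)."""
    first = buf[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet (bit 7 of the tag octet is clear)")
    pos += 1
    if first & 0x40:                      # new-format header
        tag = first & 0x3F
        o1 = buf[pos]
        if o1 < 192:
            length, pos = o1, pos + 1
        elif o1 < 224:
            length, pos = ((o1 - 192) << 8) + buf[pos + 1] + 192, pos + 2
        elif o1 == 255:
            length, pos = int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5
        else:                             # partial body length: a data packet
            return tag, b"", len(buf)
    else:                                 # old-format header
        tag = (first >> 2) & 0x0F
        ltype = first & 0x03
        if ltype == 3:                    # indeterminate length: runs to EOF
            return tag, buf[pos:], len(buf)
        nbytes = 1 << ltype               # 1, 2 or 4 length octets
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def classify(data: bytes) -> dict:
    """Report how a gpg output file was encrypted, from its leading packets."""
    buf = dearmor(data)
    result = {"symmetric": False, "key_ids": []}
    pos = 0
    while pos < len(buf):
        try:
            tag, body, pos = read_packet(buf, pos)
        except IndexError:
            raise ValueError("truncated OpenPGP packet header") from None
        if tag == TAG_SKESK:
            result["symmetric"] = True
        elif tag == TAG_PKESK and len(body) >= 10 and body[0] == 3:
            # v3 PKESK body: version, 8-octet key ID, public-key algorithm
            result["key_ids"].append(body[1:9].hex().upper())
        else:
            break                         # session-key packets come first
    return result


if __name__ == "__main__":
    for name, blob in [("gpg -c style", SYM_SAMPLE),
                       ("gpg -e style", PK_SAMPLE),
                       ("gpg -a -c style", constructed_armor(SYM_SAMPLE))]:
        print(name, classify(blob))
```

A reported key ID is normally that of the encryption subkey, so compare it with the `sub` lines of `gpg -K --keyid-format long`; if it is not listed there, that keyring cannot decrypt the file. `gpg --list-packets FILE` shows the same packets using gpg itself.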
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Mon, 18 Dec 2006 10:48:32 -0500
Subject: authenticate flag
In-Reply-To:
References:
Message-ID: <4586B850.9000507@bellsouth.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Aaron J. Graves wrote:

> Here's an example. From the key in question:
>
> pub  1024D/9FB54294  created: 2006-09-17  expires: never       usage: SC
>                      trust: ultimate      validity: ultimate
> sub  4096g/DE94A6C4  created: 2006-09-17  expires: never       usage: E
>
> And from another key that has the flag set:
> pub  1024D/34BAFE51  created: 2006-08-26  expires: 2011-08-25  usage: SCA
>                      trust: ultimate      validity: ultimate
> sub  4096g/84400184  created: 2006-08-26  expires: 2011-08-25  usage: E
>
> Notice the "A" in the usage section. How can I add that to my other key?
> Or if it's not necessary, would it be possible to ask why?

The "2nd" Key you reference above is the Encryption Sub-Key to the Main/Signing Key above it. I believe that the 'Authentication' Flag _must_ be 'placed' on the Signing Key at the time it is Generated...there is no reason for the Encryption sub-Key to have any other Flag.

Many folks have a Main Key with both a Signing sub-Key & the Encryption sub-Key. I haven't done it, but perhaps You could add a Signing sub-Key to your existing Key and add the 'Authenticate' Flag at this time.

BTW: Your Sig on this Post did not Verify.

JOHN ;)
Timestamp: Monday 18 Dec 2006, 10:47 --500 (Eastern Standard Time)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7-svn4384: (MingW32)
Comment: Public Key at: http://tinyurl.com/8cpho
Comment: Gossamer Spider Web of Trust: http://www.gswot.org
Comment: My Homepage: http://tinyurl.com/yzhbhx
-----END PGP SIGNATURE-----

From ajgraves at freeshell.org Mon Dec 18 19:42:33 2006
From: ajgraves at freeshell.org (Aaron J. Graves)
Date: Mon, 18 Dec 2006 11:42:33 -0700 (MST)
Subject: authenticate flag
In-Reply-To: <4586B850.9000507@bellsouth.net>
References: <4586B850.9000507@bellsouth.net>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The keys I listed are of two separate keypairs. The signing key on the second one has the authenticate flag, the signing key on the first one does not.

And that's strange about the sig... never had that happen before.

Thanks,
Aaron

Aaron J. Graves wrote:

> Here's an example. From the key in question:
>
> pub  1024D/9FB54294  created: 2006-09-17  expires: never       usage: SC
>                      trust: ultimate      validity: ultimate
> sub  4096g/DE94A6C4  created: 2006-09-17  expires: never       usage: E
>
> And from another key that has the flag set:
> pub  1024D/34BAFE51  created: 2006-08-26  expires: 2011-08-25  usage: SCA
>                      trust: ultimate      validity: ultimate
> sub  4096g/84400184  created: 2006-08-26  expires: 2011-08-25  usage: E
>
> Notice the "A" in the usage section. How can I add that to my other key?
> Or if it's not necessary, would it be possible to ask why?

The "2nd" Key you reference above is the Encryption Sub-Key to the Main/Signing Key above it. I believe that the 'Authentication' Flag _must_ be 'placed' on the Signing Key at the time it is Generated...there is no reason for the Encryption sub-Key to have any other Flag.

Many folks have a Main Key with both a Signing sub-Key & the Encryption sub-Key. I haven't done it, but perhaps You could add a Signing sub-Key to your existing Key and add the 'Authenticate' Flag at this time.

BTW: Your Sig on this Post did not Verify.

JOHN ;)
Timestamp: Monday 18 Dec 2006, 10:47 --500 (Eastern Standard Time)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (NetBSD)

iD8DBQFFhuDD20bIVZ+1QpQRAj4WAJwM0yU0CR5pieawOumqK4GhJ5+ArgCgjYR8
83EKoneiIXgW7SYhj4AhAvU=
=LBoW
-----END PGP SIGNATURE-----

From hhhobbit at securemecca.net Tue Dec 19 01:56:01 2006
From: hhhobbit at securemecca.net (Henry Hertz Hobbit)
Date: Mon, 18 Dec 2006 17:56:01 -0700
Subject: Very Newbie Questions
In-Reply-To:
References:
Message-ID: <458738A1.1000404@securemecca.net>

John Clizbe wrote:

Please be warned that this is a LONG response. If you don't care, please hit the delete button. I don't see any way of making it shorter right now. In fact I may be misinterpreted and that means it isn't long enough. I think that is what just happened. Some of this should probably be in the Developer's forum. I am loath to do that because most Windows users are also their own System Administrators.

> Henry Hertz Hobbit wrote:
>
>>I don't know what you are using to install GnuPG itself. Make
>>sure that you have a copy of iconv.dll (zip that contains it if
>>doing separately is libiconv-1.9.1.dll.zip) in your
>>%SystemDrive%\windows\system32 folder after the install. I don't
>>know whether they put the following values in the registry with
>>what you are using but you can check it after installing GnuPG
>>with regedit:
>
>
> Manual registry editing is not needed - the installer handles all
> the entries GnuPG needs.

First, what if you put your keys on one of the crypto cards, or on a USB stick? What value are your automated HKEY_CURRENT_USER keys now? I think what I gave them they can easily extrapolate to the new location without me even saying one word. Novice Windows users may have problems - experienced ones will tell me to shut up and go about doing things without me saying anything more. That middle ground was what I was aiming at.

Your install does not handle my needs. It may now handle all of them for the user doing the install, but hhhobbit is NOT doing the install on my machine since hhhobbit is only an ordinary user and is thus unable to put anything into %WinDir% or %WinDir%\system32 (same for %ProgramFiles%, because with the Windows DACLs I run, my systems are pretty tight).
The super user on my systems when they are running MS Windows is somebody else other than me (hhhobbit). NO, YOU MAY NOT KNOW THEIR NAME! I use the accounts other than hhhobbit only for administering the system (primarily making sure the AV is up to date every time I run Windows). My hhhobbit user account is what I normally use and also when encryption is usually required. But there are times the other accounts also need access to the keys on the key ring (verifying downloads, etc.). For these special cases it is nice to specify where the key files are for ALL of the accounts that use the same key-ring if you CAN share them among multiple users. In other words, you can't completely automate all of this. What you probably have is geared around people that run their accounts as the administrator of the machine. That is NOT how I run my machines. That is why I am giving what I have to people. The end user *MUST* take some of the responsibility. The best way to do that, IMHO, is to lay it all out for them and allow them to make their own decisions. I believe the DropMyRights program only goes so far. Every time some other program is messaged into existence by a program that runs with dropped rights, the other program attains ALL of the privileges of the logged in user, not the privileges of the program which messaged it (which is running in diminished capacity because it was started with DropMyRights). I much prefer to log in as a less privileged user for most Internet stuff. This IS in accordance with Microsoft policy. I encourage all other users to do the same thing (NO, you don't have to adopt my draconian settings - less than an Internet server but not as loose as most people's machines either). My machines are closer to the Internet server than to most people's machines. It only takes one system compromise to wise you up as to how loosey-goosey Microsoft out of the box is. 
I have seen hundreds of compromises of Windows machines, thankfully all on machines I didn't have control over. I consider that more a matter of SHEER LUCK than any brilliance on my part. If you are not the user doing the install of GnuPG AND the install puts in the HKEY_LOCAL_MACHINE settings, you can modify what I have given by deleting all of the HKEY_LOCAL_MACHINE KEYS, keeping all of the HKEY_CURRENT_USER (all but the first three) and modifying them for your user name. You will need them! You will also have to use YOUR user name. This is really important since even if the person that did the install is also the end user, since MS Windows does that wonderful shift from your account being named hhhobbit to hhhobbit.MACHNAME. Hopefully it was much shorter than "Gene & Denine's wonderfull awesome computer", and YES I AM QUOTING THE ACTUAL NAME! For the love of what ever, let your machine have its OWN SHORT NAME. This account name shift frequently occurs after some of the update patches or for some other reason. When that happens you may want to alter the HKEY_CURRENT_USER data values again unless you want to keep your GnuPG keys in the old folder. If you don't you may want to enter the new Registry settings. You will also need to change them if you move your keyring files to a USB stick or a crypto card. I prefer moving my key files to my new folder (for what ever reason and that includes moving the keys to a USB stick I can carry around with me) when the name change happens. I also do NOT trust Microsoft to get it correct (yes the folder where my keys are at is protected from access by other users, including all of the other Sys Admins). That is also why these pluggable cards that have your encrypting keys on them are such a good idea. Why Microsoft changes the account name in the first place is a mystery to me. But the fact Microsoft does stuff like this is why they have thousands of administrators out there keeping machines running MS Windows shops going. 
WHEN YOU ARE ON MICROSOFT WINDOWS PROTECT YOUR KEY FILES! It is best when your OpenPGP key files aren't even on the machine unless you are using it. A crypto card or a USB stick is wonderful for that.

> Likewise, there is no need to copy or do anything else with
> iconv.dll. As a general rule of thumb, copying things into
> %systemroot%\system32 is to be avoided. The iconv library is only
> needed for NLS support. If gpg needs it and cannot find it, it will
> issue a warning and continue executing.

I wouldn't even make that statement. The correct place for every piece of software I have used is for them to usually install their DLL files IN the %SystemRoot%\system32 folder. The only other real alternative that is rarely taken is for them to put their DLL file in their own %ProgramFiles% folder. In the README.iconv.dll file it states:

"To install this dll simply copy the file 'iconv.dll' to a directory where you usually keep the DLLs."

At least Windows people are spared the Macintosh OS-X, Sun Solaris, etcetera, etcetera, etcetera, /opt (or what ever) versus /usr/local argument. There IS NO OTHER "STANDARD" folder for DLL files on Windows that is well known other than the %SystemRoot%\system32 folder. That is why over 90% of the software I have installed (Lexmark Scanner / Printer, HP scanner / Printer with HP ethernet card, Minolta PagePro 1350W printer with access through Zonet printer server, Office 2003, etc.) puts their DLL files there. They MUST put their driver files in the %SystemRoot% area anyway, and since they may have 10 or more models of their printers, etc. that use the same DLL, it is natural for them to also install it in the %SystemRoot%\system32 folder as well. Why have multiple copies of the same DLL for each piece of their software especially if it never changes? It is best to put just one DLL on the machine.
I would wager that over 85% of Windows software does put their DLL files in the %SystemRoot%\system32 folder rather than in their own folder in the %ProgramFiles% area. The piece that is missing is if what you are installing is actually older than what ever you currently have for a given DLL file. I HATE to have older files replacing newer ones. > Werner posted that the installer correctly handles iconv; ie if the DLL is found > in your path, the installer does nothing; if not found or too old, it places a > copy of iconv.dll into the GnuPG program directory. [GnuPG-Devel 2005-03-17] Okee-dokee. If you have more than one software package using that DLL, it is usually best to just have one copy of that DLL file in the %SystemRoot%\system32 folder instead of in each %ProgramFiles folder. Further, I STRONGLY suggest some way of automating (you hinted you did it) that they have the latest and greatest. I am saying this only because almost EVERY piece of Microsoft Windows software does NOT DO THIS. I can't count the times that the more current DLL file I have *intentionally* *installed* has been wiped out by some well meaning bozo who doesn't think I don't keep the Adobe Reader or several dozen other programs up to date that almost everybody uses. If you have a magical means of making sure iconv.dll is kept thoroughly up to date FOR GOD'S SAKE PLEASE USE IT! And put the iconv.dll file that all FSF (Gnu) software that uses it in the system folder. The only valid reason I see for the same DLL having multiple versions is if each piece of software is tailor made to use only that version of the DLL. When that happens - put it in the relevant %ProgramFiles% folder. PLEASE! I am just telling you the best way to do it according to the Microsoft way of doing things. I don't make the rules - they do! Okay, maybe it is only my take on it but please tell me where I am going wrong. 
In the *.exe code I would search first for the relevant file in the relevant %ProgramFiles% folder, then look for it in %SystemRoot%\system32. Why? If you are dependent on something that is specific you get it. If it is enough to get what every other program uses, then you still get what you need. Specific first, generic second is the order of the day.

I also gave the newbie user my advice for what I do for command line use of gpg (using cmd.exe - ALL OF WHICH IS NON-STANDARD AND WHY I USUALLY DON'T POST IT - ***ANYWHERE*** - I am finally making an exception):

    mkdir %SystemDrive%\bin
    cd \progra~1\GNU\GnuPG
    copy *.exe %SystemDrive%\bin
    REM in all of this both %SystemDrive% and %HomeDrive% are usually
    REM "C:". If you type set you can see all of your environment vars

I also have \util (my own separate compiled utilities) and \Scripts (for my own scripts *.bat, *.vbs, *.js, etc.) folders. They were all meant to be used in cmd.exe. Now some of this (primarily the bin) may conflict with CygWin, MinGW, or something else like that. Since I only need two or three things though, when I go into Control Panel -> System -> Advanced -> Environment Variables it is nice to just have to add those three folders to %PATH%. The only thing is you have to remember to copy files every time you upgrade a package. If Microsoft would have made it simply "Programs", or even better yet "Progs", I would be happy to keep adding those paths for command line use until I arrive at too many and run out of path space. Don't laugh - it HAS happened to me more times than I want to count! That includes both 'NIX and Windows systems! That is why I have taken to modifying even SYSTEM files on 'NIX to *SET* the path the way I want it, not to just add to it. That is also good advice on the perms on files, etc. on 'Nix when you do install SET IT! DO NOT ADD TO THE DEFAULT (which assumes it is going to be thus and thus).
What is needed on MS Windows is a %SystemDrive%\Extras folder for all of these things, and THAT *IS* beyond the scope of this News Group. I do suggest that Microsoft should do that itself and as soon as possible to avoid this /opt versus /usr/local problem 'nix people face. I already gave them one suggested name. BUT THEY should NOT make the darn thing have a SPACE in it! I have had to combat that space character in my scripts far longer than I want to! Telling me that it will be sdhfjy~1 isn't going to cut it. I have been bit by that one too. Sometimes it is ~2 or ~3. The only way around that accursed space character (which can be avoided with proper casing despite Windows being case insensitive) is to quote EVERYTHING. Sometimes even that becomes very difficult when you do not know in advance what is going to be tacked on.

*ALL* of this IS in harmony with the GNU / FSF philosophy. We empower people to make their *OWN* decisions on what is appropriate for them. "Very Newbie" no longer needs my help. He is smart! So are you John - I am just letting you know that what was provided that works with perhaps over 90% of the users doesn't work for me and may not work for others. Now you and they know why it does not work and WHY I gave the advice I did. If you don't like the format, distill it to handle almost all of the rest of the cases. They can promptly ignore my suggestions if they run as an administrative user all the time (which is what your install probably handles). I am just as loath to run as an Administrative user on Microsoft Windows when interacting with the Internet as I am on 'nix machines. Perhaps I am even more reluctant on MS Windows. Now they have what is needed to handle ANY situation. As an aging Mathematician (yes I have the degree for the statement) I ask them only one thing - BE CONSISTENT. If you aren't consistent it will kill you. Sloppy control of any system will kill you.
HHH From rjh at sixdemonbag.org Tue Dec 19 03:11:23 2006 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 18 Dec 2006 20:11:23 -0600 Subject: Very Newbie Questions In-Reply-To: <458738A1.1000404@securemecca.net> References: <458738A1.1000404@securemecca.net> Message-ID: <45874A4B.7020705@sixdemonbag.org> Henry Hertz Hobbit wrote: > Please be warned that this is a LONG response. Henry, this response would've been considerably better if it had been considerably shorter. As it is, it's a very hard read. For that reason, I'm going to confine my remarks to just one thing. > At least Windows people are spared the Macintosh OS-X, > Sun Solaris, etcetera, etcetera, etcetera, /opt (or what ever) > versus /usr/local argument. Your typical OS X application will not use these. A well-packaged OS X application typically installs into /Applications as a self-contained bundle. Resources and the like typically go into /Library or $HOME/Library. /usr/local exists and is available for applications to install into, but typically native OS X apps use other locations instead. From rjh at sixdemonbag.org Tue Dec 19 04:43:32 2006 
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 18 Dec 2006 21:43:32 -0600 Subject: Very Newbie Questions In-Reply-To: <458738A1.1000404@securemecca.net> References: <458738A1.1000404@securemecca.net> Message-ID: <45875FE4.3080604@sixdemonbag.org> Henry: Some of this is probably going to sting. If it does, it does so only because I was not able to find a kinder way of expressing the same level of accuracy. > First, what if you put your keys on one of the crypto cards, or on a > USB stick? What value are your automated HKEY_CURRENT_USER keys now? > I think what I gave them they can easily extrapolate to the new > location without me even saying one word. A good rule in writing instructions is to aim for 95% of the users, and tell the other 5% of the users where they can find the specialized information they need. John's advice (which, if I understand correctly, boils down to "let the installer do its magic") is very simple and covers the needs of 95% of users. That makes it reasonably good advice. Your advice is much more technically detailed and much more demanding of the user, all so you can cover a few users more. Not only that, but how many users will in the course of these instructions completely screw up their box, and then come here saying "I tried to do these instructions and it failed, now somebody help me figure out how to undo it"? All this makes it bad advice. You're sacrificing enormous amounts of simplicity just so you can cover epsilon more users. Don't spam people with unnecessary detail. If they have special needs, they'll come back here and ask. It's what this mailing list is for. > Your install does not handle my needs. As soon as you're the one asking for help, then we'll be happy to give you advice that takes into account your needs. > The super user on my systems when they are running MS Windows is > somebody else other than me (hhhobbit). NO, YOU MAY NOT KNOW THEIR > NAME! Nobody's asking. Nobody cares. 
> The end user *MUST* take some of the responsibility. We've been saying this in computer security for thirty years or more. This mantra has done us very little good. > The best way to do that, IMHO, is to lay it all out for them and > allow them to make their own decisions. So how about if I drop the PKCS1-1.5 standard in your lap, a good reference on the untyped lambda calculus, RFC2440, the FIPS that specify SHA-1 and DES, and tell you to write your own OpenPGP implementation from nothing more than raw Assembly instructions and the S- and K-combinators? After all. That's laying it all out for you. This is an absurdist argument. It's absurdist for a reason: if you're going to say "best to lay it all out for them and allow them to make their own decisions", that's what lies at the end of that road. Clearly, some things should be beyond the realm of the end-user. The only question is where we put that marker. You want to carry that marker far, far further on down the road than I think is necessary, or even safe. > I also do NOT trust Microsoft to get it correct If you don't trust Microsoft to get it correct, then stop using Microsoft products and advise other people to do likewise. If you don't trust a vendor, then there is literally no level of precaution you can take which will make that vendor's products trustworthy. It is morally disingenuous of you to give advice on how to "secure" a system you believe to be inherently insecure. > WHEN YOU ARE ON MICROSOFT WINDOWS PROTECT YOUR KEY FILES! How is this Windows-specific advice? > It is best when your OpenPGP key files aren't even on the machine > unless you are using it. Best for whom? I distrust almost all broad, sweeping generalizations about security. > I wouldn't even make that statement. The correct place for every > piece of software I have used is for them to usually install their > DLL files IN the the %SystemRoot%\system32 folder. Please cite chapter and verse for this. 
When you describe it as "correct", that strongly implies there's some authoritative reference that says what's right and wrong. There may be an authoritative reference saying this is correct. If there is, I would like to see it for myself. > That is why over 90% of the software I have installed ... puts their > DLL files there. Sturgeon's Law: 90% of everything is crap. Sturgeon's Corollary: There are no guarantees about the remaining 10%. Just because 90% of Win32 programs do something doesn't mean it's right. It could just be a very widely-held stupidity. Most professional programmers have seen enough of these widely-held stupidities to be very cautious about making any definitive statements about good practice just on the basis of what the other guys are doing. > *ALL* of this IS in harmony with the GNU / FSF philosophy. We > empower people to make their *OWN* decisions on what is appropriate > for them. Please be careful when you speak for the community. The outside world judges us not on the basis of our best advocates, but on the basis of our worst. If you're going to speak for the community, please keep your remarks brief, clear, and so obviously true that few people would disagree with them. This is something that Eben Moglen is excellent at. If you've never attended one of his talks, he starts off with simple statements that everyone can agree with, and shows how following those statements leads directly to the ideals of free software. From gnu at ssl-mail.com Tue Dec 19 04:56:46 2006 From: gnu at ssl-mail.com (JB) Date: Tue, 19 Dec 2006 03:56:46 +0000 Subject: (no subject) Message-ID: <458762FE.8090208@ssl-mail.com> set show end From gnu at ssl-mail.com Tue Dec 19 04:57:04 2006 From: gnu at ssl-mail.com (JB) Date: Tue, 19 Dec 2006 03:57:04 +0000 Subject: (no subject) Message-ID: <45876310.7030900@ssl-mail.com> set help end From hawke at hawkesnest.net Tue Dec 19 19:32:28 2006 
From: hawke at hawkesnest.net (Alex Mauer)
Date: Tue, 19 Dec 2006 12:32:28 -0600
Subject: SCM SPR-332 pinpad
Message-ID:

I noticed recently that using the gnupg agent, as of version 2.0.1 it began prompting for keypad entry on my SPR-332 (same as the SPR-532, but USB only). Unfortunately, it doesn't seem to get the PIN back, or the PIN doesn't work (as it always fails). The PIN retry counter is not decremented, so I assume gpg isn't reading the PIN, or the reader isn't using it (not sure how that works)

Is this something that should be working now? This is the gnupg 2.0.1 from Ubuntu (feisty) so if the pinpad is not supposed to be working at all, it's possible that a patch was applied to enable it.

-Alex Mauer "hawke"

From wk at gnupg.org Tue Dec 19 20:03:20 2006
From: wk at gnupg.org (Werner Koch)
Date: Tue, 19 Dec 2006 20:03:20 +0100
Subject: SCM SPR-332 pinpad
In-Reply-To: (Alex Mauer's message of "Tue\, 19 Dec 2006 12\:32\:28 -0600")
References:
Message-ID: <87d56f4sjr.fsf@wheatstone.g10code.de>

On Tue, 19 Dec 2006 19:32, hawke at hawkesnest.net said:

> I noticed recently that using the gnupg agent, as of version 2.0.1 it
> began prompting for keypad entry on my SPR-332 (same as the SPR-532, but
> USB only). Unfortunately, it doesn't seem to get the PIN back, or the
> PIN doesn't work (as it always fails). The PIN retry counter is not

I have only tested it with the SPR-532 and the KAAN Advanced and both work for me. Note that it will only work with the OpenPGP card and only with the regular PIN and not with the Admin-PIN.

Helpful things to debug this are adding the options

    verbose
    debug 1024
    debug-ccid-driver

to scdaemon.conf and setting an appropriate log file.

Shalom-Salam,

   Werner

From JPClizbe at tx.rr.com Wed Dec 20 01:12:27 2006
From: JPClizbe at tx.rr.com (John Clizbe) Date: Tue, 19 Dec 2006 18:12:27 -0600 Subject: Very Newbie Questions In-Reply-To: <458738A1.1000404@securemecca.net> References: <458738A1.1000404@securemecca.net> Message-ID: <45887FEB.9060007@tx.rr.com> I'll try to stick close to the original points. Henry Hertz Hobbit wrote: > > John Clizbe wrote: >> >> Manual registry editing is not needed - the installer handles all >> the entries GnuPG needs. > > First, what if you put your keys on one of the crypto cards, or on > a USB stick? What value are your automated HKEY_CURRENT_USER keys > now? The values in HKCU are fine. Keyrings on removable media are easily handled by editing gpg.conf. This allows portability across OSes by keeping OS-specific path references in gpg.conf. The exact same PCMCIA card with keyrings works on Windows, Linux, FreeBSD, Solaris, OSF1/Tru64, and VMS systems. I'd add OS X but I don't have a Mac. The gpg.conf is practically the same in all cases, the only differences being the semantics pointing to the files. HomeDir and gpg.conf don't move. The keyrings move. If only portability on a single OS is required, all that is needed is to define GNUPGHOME as a user environment variable. > Your install does not handle my needs. Then don't use it. You're 1 in a million. But, please don't extrapolate your particular set of needs and preferences to the remaining 99.9999% of the user base. The purpose of the installer is to produce a working installation of GnuPG in a known valid configuration. Other than the ability and rights to run an installer, there are no other system manglement skills called for or required. The phrase "edit the Registry" will cause most Windows users without development or system administration training to run in fear. We do not wish that result. Asking them to add the GnuPG program directory to their PATH makes some overly nervous. 
> But there are times
> the other accounts also need access to the keys on the key ring
> (verifying downloads, etc.). For these special cases it is nice to
> specify where the key files are for ALL of the accounts that use the
> same key-ring if you CAN share them among multiple users. In other
> words, you can't completely automate all of this.

But you could with GNUPGHOME at either the user or system level, and/or primary-keyring, keyring, secret-keyring, and/or trustdb-name directives in gpg.conf. It is also an advanced configuration that is far outside the scope of installing for and configuring a new user. This is the rare *exception* not the rule.

> I consider that more a matter of SHEER LUCK than any brilliance on my part.

I must say, I fully believe you are correct.

> it. A crypto card or a USB stick is wonderful for that.

I concur. But there is still no need to edit the Registry. _None_. You may, but it is not a requirement.

>> Likewise, there is no need to copy or do anything else with
>> iconv.dll. As a general rule of thumb, copying things into
>> %systemroot%\system32 is to be avoided. The iconv library is only
>> needed for NLS support. If gpg needs it and cannot find it, it will
>> issue a warning and continue executing.
>
> I wouldn't even make that statement. The correct place for every
> piece of software I have used is for them to usually install their
> DLL files IN the %SystemRoot%\system32 folder.

I hear your ranting, but it still won't make what you are saying correct. Application specific DLLs go in the program's directory hierarchy. Redistributable system elements that are newer may go under %systemroot%. The Visual C 7.1 C runtime library, msvcr71.dll, is a good example. It wasn't expected to be found on older machines, so its redistribution was allowed.

Your example of printer drivers being proof of your assertion is specious. Print driver software is supposed to go there. It is expected to be used by all programs on the system.
What you didn't mention, was that the monitoring/dashboard type widgets from the printer maker go in a separate folder under %ProgramFiles%. Example: "C:\Program Files\Hewlett-Packard\HP OfficeJet Series 600" with directories: Bin, Coverpgs, Data, Docs, Faxes, Help. Ditto device drivers. Further, the behavior of other installers is not proof of their correctness. I hope Vista will seriously limit the practices you describe. >> Werner posted that the installer correctly handles iconv; ie if the DLL is found >> in your path, the installer does nothing; if not found or too old, it places a >> copy of iconv.dll into the GnuPG program directory. [GnuPG-Devel 2005-03-17] > > PLEASE! I am just telling you the best way to do it according to the Microsoft way > of doing things. I don't make the rules - they do! Okay, maybe it is > only my take on it but please tell me where I am going wrong. No, you're telling me your understanding of the Windows-development way colored by your beliefs of what is best. Please check the Microsoft Windows Software Logo program, http://www.microsoft.com/winlogo/software/default.mspx You may also want to poke around on MSDN: http://msdn2.microsoft.com/en-us/default.aspx > In the *.exe code I would search first for the relevant file in the relevant > %ProgramFiles% folder, then look for it in %SystemRoot%\system32. Why? If you > are dependent on something that is specific you get it. Maybe. Maybe not. The only way to be sure you get it is to place it in the same directory as the program. Placing it in %SystemRoot%\system32 is *NO* guarantee. If the DLL is not found locally, then a PATH search is started. An installer has no way to determine what will or will not be found at program execution time. Nor can it guarantee that directories in the PATH variable are ordered in a certain manner. How many ZLIB dlls of multiple version do you find under %ProgramFiles% (search for *zlib*.dll)? 
The only way to 100% guarantee that the application finds the correct DLL is to place it in the application directory. Things are even more fun with the spread of C++.

Finally, include by reference . This response was long enough without duplicating what I agree with in another's response.

-- 
John P. Clizbe                      Inet: John (a) Mozilla-Enigmail.org
No Pseudonyms Required.             PGP/GPG KeyID: 0x608D2A10/0x18BB373A
"what's the key to success?"        / "two words: good decisions."
"what's the key to good decisions?" / "one word: experience."
"how do i get experience?"          / "two words: bad decisions."

"Just how do the residents of Haiku, Hawai'i hold conversations?"

From schiessle at fsfe.org Wed Dec 20 16:04:33 2006
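Added example, not part of the thread or of the GnuPG installer: an audit that applies John Clizbe's point about application-directory copies and unpredictable PATH order to a constructed directory tree. The search order it models (application directory, then system directories, then PATH) is a simplification, and `find_copies`, `audit` and `demo` are hypothetical names.

```python
"""Which copy of a DLL would a program pick up, and which copies does it shadow?"""
import hashlib
import os
import tempfile
from pathlib import Path


def find_copies(dll_name, search_dirs):
    """Return [(directory, sha256)] for each copy of dll_name, in search order."""
    hits, seen = [], set()
    for directory in map(Path, search_dirs):
        key = os.path.normcase(os.path.abspath(directory))
        if key in seen or not directory.is_dir():
            continue  # ignore duplicate or missing search entries
        seen.add(key)
        for entry in sorted(directory.iterdir()):
            # Windows file names are case-insensitive, so compare that way.
            if entry.is_file() and entry.name.lower() == dll_name.lower():
                digest = hashlib.sha256(entry.read_bytes()).hexdigest()
                hits.append((str(directory), digest))
                break
    return hits


def audit(dll_name, app_dir, system_dirs, path_value):
    """Assumed lookup model: application directory, system directories, PATH."""
    path_dirs = [p for p in path_value.split(os.pathsep) if p]
    copies = find_copies(dll_name, [app_dir, *system_dirs, *path_dirs])
    if not copies:
        return {"loaded_from": None, "bundled": False, "conflicting": []}
    winner_dir, winner_hash = copies[0]
    return {
        "loaded_from": winner_dir,
        # True only when the program ships its own copy next to the .exe.
        "bundled": Path(winner_dir) == Path(app_dir),
        # Later copies with different content: a reordered PATH changes behaviour.
        "conflicting": [d for d, h in copies[1:] if h != winner_hash],
    }


def demo():
    """Build a constructed tree and audit it under two PATH orders."""
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        app, sys32, tool_a, tool_b = (
            root / name for name in ("GnuPG", "system32", "ToolA", "ToolB")
        )
        for directory in (app, sys32, tool_a, tool_b):
            directory.mkdir()
        # Two other products each ship their own iconv build (constructed bytes).
        (tool_a / "iconv.dll").write_bytes(b"constructed iconv build 1")
        (tool_b / "ICONV.DLL").write_bytes(b"constructed iconv build 2")
        path_ab = os.pathsep.join([str(tool_a), str(tool_b)])
        path_ba = os.pathsep.join([str(tool_b), str(tool_a)])
        a_first = audit("iconv.dll", app, [sys32], path_ab)
        b_first = audit("iconv.dll", app, [sys32], path_ba)
        # Now place a copy in the program directory, as the installer does.
        (app / "iconv.dll").write_bytes(b"constructed iconv build 3")
        bundled = audit("iconv.dll", app, [sys32], path_ba)
        return a_first, b_first, bundled


if __name__ == "__main__":
    for label, result in zip(("PATH=A;B", "PATH=B;A", "bundled"), demo()):
        print(label, result)
```

Without a bundled copy the result follows whatever order PATH happens to have; with one, the PATH copies are only reported as shadowed.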
From: schiessle at fsfe.org (Bjoern Schiessle)
Date: Wed, 20 Dec 2006 16:04:33 +0100
Subject: gpg smartcard: copy subkeys from backupt to a second card
Message-ID:

Hello,

I have followed this howto[0] to set up my smartcard and to create a backup of the subkeys. Now I want to copy the subkeys from the backup to a second gpg smartcard. Therefore I have copied the backup files back to my ~/.gnupg directory and tried to move the subkeys with the command "keytocard" to my second smartcard. But the process always stops with this message:

"gpg: secret key already stored on a card"

How can I copy the subkeys to a new card?

Thanks!
Bjoern

[0] https://www.fsfe.org/en/card/howto/subkey_howto

-- 
Bjoern Schiessle (http://www.schiessle.org)
Join the Fellowship and protect your freedom! (http://www.fsfe.org)
What everyone should know about DRM (http://DRM.info)

From hawke at hawkesnest.net Wed Dec 20 17:38:35 2006
From: hawke at hawkesnest.net (Alex Mauer)
Date: Wed, 20 Dec 2006 10:38:35 -0600
Subject: SCM SPR-332 pinpad
In-Reply-To: <87d56f4sjr.fsf__29884.3072182082$1166555315$gmane$org@wheatstone.g10code.de>
References: <87d56f4sjr.fsf__29884.3072182082$1166555315$gmane$org@wheatstone.g10code.de>
Message-ID:

Werner Koch wrote:
> Note that it will only work with the OpenPGP card and
> only with the regular PIN and not with the Admin-PIN.

Yes, I am using it with a FSFe OpenPGP card.

> to scdaemon.conf and setting an appropriate log file.

Here are the results:

2006-12-20 10:21:48 scdaemon[7324] DBG: prompting for keypad entry '||Please enter your PIN at the reader's keypad'
scdaemon[7324.0] DBG: -> INQUIRE POPUPKEYPADPROMPT ||Please enter your PIN at the reader's keypad
scdaemon[7324.0] DBG: <- END
2006-12-20 10:21:48 scdaemon[7324] DBG: ccid-driver: sending escape sequence to switch to a case 1 APDU
2006-12-20 10:21:48 scdaemon[7324] DBG: ccid-driver: sending 6B 03 00 00 00 00 11 00 00 00 80 02 00
2006-12-20 10:21:48 scdaemon[7324] DBG: ccid-driver: status: 00 error: 00 octet[9]: 00
 data:
2006-12-20 10:21:48 scdaemon[7324] DBG: ccid-driver: sending 69 13 00 00 00 00 12 00 00 00 00 00 82 00 00 19 06 02 FF 04 09 00 00 40 00 00 20 00 82
---Here it asked for the PIN. After entering the PIN and hitting enter:---
2006-12-20 10:21:54 scdaemon[7324] DBG: ccid-driver: status: 00 error: 00 octet[9]: 00
 data: 00 40 02 90 00 D2
2006-12-20 10:21:54 scdaemon[7324] DBG: dismiss keypad entry prompt
scdaemon[7324.0] DBG: -> INQUIRE DISMISSKEYPADPROMPT
scdaemon[7324.0] DBG: <- END

Full log available at http://web.hawkesnest.net/users/hawke/scd.log

From wk at gnupg.org Wed Dec 20 18:37:10 2006
From: wk at gnupg.org (Werner Koch)
Date: Wed, 20 Dec 2006 18:37:10 +0100
Subject: SCM SPR-332 pinpad
In-Reply-To: (Alex Mauer's message of "Wed\, 20 Dec 2006 10\:38\:35 -0600")
References: <87d56f4sjr.fsf__29884.3072182082$1166555315$gmane$org@wheatstone.g10code.de>
Message-ID: <87ac1ixyd5.fsf@wheatstone.g10code.de>

On Wed, 20 Dec 2006 17:38, hawke at hawkesnest.net said:

> 2006-12-20 10:21:48 scdaemon[7324] DBG: ccid-driver: sending escape
> sequence to switch to a case 1 APDU
> 2006-12-20 10:21:48 scdaemon[7324] DBG: ccid-driver: sending 6B 03 00 00
> 00 00 11 00 00 00 80 02 00
> 2006-12-20 10:21:48 scdaemon[7324] DBG: ccid-driver: status: 00 error:
> 00 octet[9]: 00
>  data:

Successfully sent the escape sequence required for SCM readers.

> 2006-12-20 10:21:48 scdaemon[7324] DBG: ccid-driver: sending 69 13 00 00
> 00 00 12 00 00 00 00 00 82 00 00 19 06 02 FF 04 09 00 00 40 00 00 20 00 82

Here we are sending the verify APDU template (00 20 00 82) to the reader along with additional data to tell it how the reader should append the PIN to the APDU.

> ---Here it asked for the PIN. After entering the PIN and hitting enter:---

As expected.

> 2006-12-20 10:21:54 scdaemon[7324] DBG: ccid-driver: status: 00 error:
> 00 octet[9]: 00
>  data: 00 40 02 90 00 D2

No error from reader and the card returned success (90 00). Thus it is verified and the PIN worked.

> 2006-12-20 10:21:54 scdaemon[7324] DBG: dismiss keypad entry prompt
> scdaemon[7324.0] DBG: -> INQUIRE DISMISSKEYPADPROMPT
> scdaemon[7324.0] DBG: <- END

This is to dismiss the popup window.

> Full log available at http://web.hawkesnest.net/users/hawke/scd.log

Well this log also ends here. What you should see next is the usual sign command.

So where is the problem? Alright, I see: You tried to sign with the card. This has not been implemented yet. I forgot about this because I tested only the authentication as this is what I am using most of the time (for ssh).
Note that decryption should also work as it uses the CHV2 too.

I'll add code tomorrow to make signing work.

Salam-Shalom,

   Werner

From hawke at hawkesnest.net Thu Dec 21 01:16:46 2006
From: hawke at hawkesnest.net (Alex Mauer)
Date: Wed, 20 Dec 2006 18:16:46 -0600
Subject: SCM SPR-332 pinpad
In-Reply-To: <87ac1ixyd5.fsf__11481.3972068534$1166636642$gmane$org@wheatstone.g10code.de>
References: <87d56f4sjr.fsf__29884.3072182082$1166555315$gmane$org@wheatstone.g10code.de> <87ac1ixyd5.fsf__11481.3972068534$1166636642$gmane$org@wheatstone.g10code.de>
Message-ID:

Werner Koch wrote:
> Well this log also ends here. What you should see next is the usual
> sign command.
>
> So where is the problem? Alright, I see: You tried to sign with the
> card. This has not been implemented yet. I forgot about this because
> I tested only the authentication as this is what I am using most of the
> time (for ssh). Note that decryption should also work as it uses the
> CHV2 too.
>

Hmm, I had not intended to sign with the card. I'm just using the gpg-agent with ssh-agent support; I would have assumed that it would use the authentication key by default. Is that not the case?

From Hwy101y at Yahoo.com Thu Dec 21 02:04:14 2006
From: Hwy101y at Yahoo.com (Tom - Hwy101)
Date: Wed, 20 Dec 2006 17:04:14 -0800
Subject: GnuPG ?Bineries? to USE PnuPG with Windows?
Message-ID: <4589DD8E.4010000@Yahoo.com>

Where are the 'Binaries' for Using GnuPG with Windows; AND, what do I do with to Use GnuPG with Thunderbird, Enigmail Extension? Thanks

From Hwy101y at Yahoo.com Thu Dec 21 03:08:16 2006
From: Hwy101y at Yahoo.com (Tom - Hwy101)
Date: Wed, 20 Dec 2006 18:08:16 -0800
Subject: 1.0.8 Light
Message-ID: <4589EC90.1000405@Yahoo.com>

I tried to Run and got a Dialog that said the Download was Corrupt... Yipes!

Is this Happening a lot? Is there an Alternate Site I can try to get a Good Download?

(not to mention the warning of Virus that the Dialog Included -Shudder!)

Now What?

Thanks Everyone, Newbie Tom

From wk at gnupg.org Thu Dec 21 08:33:23 2006
From: wk at gnupg.org (Werner Koch)
Date: Thu, 21 Dec 2006 08:33:23 +0100
Subject: 1.0.8 Light
In-Reply-To: <4589EC90.1000405@Yahoo.com> (Hwy101y@Yahoo.com's message of "Wed\, 20 Dec 2006 18\:08\:16 -0800")
References: <4589EC90.1000405@Yahoo.com>
Message-ID: <87fyb9wvng.fsf@wheatstone.g10code.de>

On Thu, 21 Dec 2006 03:08, Hwy101y at Yahoo.com said:

> I tried to Run and got a Dialog that said the Download was Corrupt... Yipes!

Make sure that you download in binary mode or use the HTTP download. Also check that you compare the right checksums. We provide SHA-1 as well as MD5 checksums (the shorter ones).

> Is this Happening a lot? Is there an Alternate Site I can try to get a
> Good Download?

The server has sometimes network problems. If you experience low download rates, please use the mirror: ftp://ftp.no.gpg4win.org

> (not to mention the warning of Virus that the Dialog Included -Shudder!)

If you are running some virus scanner, get one which works and does not warn about innocent software.

Shalom-Salam,

   Werner

From wk at gnupg.org Thu Dec 21 08:36:29 2006
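Added example, not part of the thread or of any gpg4win tooling: Werner Koch's two checks in code, picking MD5 or SHA-1 from the length of the published checksum and showing that a text-mode transfer changes the bytes and therefore the digest. The installer bytes are constructed, `ascii_mode_download` is a simplified model of an FTP ASCII-mode transfer to a Windows client, and all function names are hypothetical.

```python
"""Check a download against a published checksum; show what ASCII mode does."""
import hashlib
import hmac

# Hex digest lengths: MD5 is "the shorter one" (32 digits), SHA-1 has 40.
ALGORITHM_BY_HEX_LENGTH = {32: "md5", 40: "sha1"}

# Constructed stand-in for an installer: binary data that contains LF bytes.
CONSTRUCTED_INSTALLER = b"MZ" + bytes(range(256)) * 8


def identify_checksum(published: str) -> str:
    """Tell which algorithm a published hex checksum belongs to."""
    value = published.strip().lower()
    if not value or any(c not in "0123456789abcdef" for c in value):
        raise ValueError("checksum is not a hex string")
    if len(value) not in ALGORITHM_BY_HEX_LENGTH:
        raise ValueError(f"{len(value)} hex digits is neither MD5 nor SHA-1")
    return ALGORITHM_BY_HEX_LENGTH[len(value)]


def verify_download(data: bytes, published: str) -> bool:
    """Hash the data with the matching algorithm and compare the digests."""
    algorithm = identify_checksum(published)
    actual = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(actual, published.strip().lower())


def ascii_mode_download(data: bytes) -> bytes:
    """Simplified model of a text-mode transfer: every line feed becomes CR LF."""
    return data.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")


def demo() -> dict:
    """Compare a binary-mode and a text-mode copy against both checksums."""
    published_sha1 = hashlib.sha1(CONSTRUCTED_INSTALLER).hexdigest()
    published_md5 = hashlib.md5(CONSTRUCTED_INSTALLER).hexdigest()
    mangled = ascii_mode_download(CONSTRUCTED_INSTALLER)
    return {
        "binary_sha1_ok": verify_download(CONSTRUCTED_INSTALLER, published_sha1),
        "binary_md5_ok": verify_download(CONSTRUCTED_INSTALLER, published_md5),
        "ascii_sha1_ok": verify_download(mangled, published_sha1),
        "bytes_added": len(mangled) - len(CONSTRUCTED_INSTALLER),
    }


if __name__ == "__main__":
    print(demo())
```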
From: wk at gnupg.org (Werner Koch)
Date: Thu, 21 Dec 2006 08:36:29 +0100
Subject: SCM SPR-332 pinpad
In-Reply-To: (Alex Mauer's message of "Wed\, 20 Dec 2006 18\:16\:46 -0600")
References: <87d56f4sjr.fsf__29884.3072182082$1166555315$gmane$org@wheatstone.g10code.de> <87ac1ixyd5.fsf__11481.3972068534$1166636642$gmane$org@wheatstone.g10code.de>
Message-ID: <87bqlxwvia.fsf@wheatstone.g10code.de>

On Thu, 21 Dec 2006 01:16, hawke at hawkesnest.net said:

> Hmm, I had not intended to sign with the card. I'm just using the
> gpg-agent with ssh-agent support; I would have assumed that it would use
> the authentication key by default. Is that not the case?

Yes, it does. I have tried it several times on a clean machine. However, I don't use the pinpad regularly because my primary machine is my laptop with the cardman 4040 reader.

Please check the output of ssh -v and also what the scdaemon log has to say after the point where you cut it in your last message.

Salam-Shalom,

   Werner

From patrick at mozilla-enigmail.org Thu Dec 21 16:58:16 2006
From: patrick at mozilla-enigmail.org (Patrick Brunschwig)
Date: Thu, 21 Dec 2006 16:58:16 +0100
Subject: GnuPG ?Bineries? to USE PnuPG with Windows?
In-Reply-To: <4589DD8E.4010000@Yahoo.com>
References: <4589DD8E.4010000@Yahoo.com>
Message-ID:

Tom - Hwy101 wrote:
> Where are the 'Binaries' for Using GnuPG with Windows; AND, what do I do
> with to Use GnuPG
> with Thunderbird, Enigmail Extension? Thanks

You can get GnuPG from: ftp://ftp.no.gpg4win.org

After you have installed GnuPG, start Thunderbird with Enigmail installed. It will usually find GnuPG automatically. Then, the easiest way to get started is to use the Wizard which opens if you compose a new message and click on the "PGP" icon.

-Patrick

From jmoore3rd at bellsouth.net Thu Dec 21 17:13:07 2006
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Thu, 21 Dec 2006 11:13:07 -0500
Subject: GnuPG ?Bineries? to USE PnuPG with Windows?
In-Reply-To:
References: <4589DD8E.4010000@Yahoo.com>
Message-ID: <458AB293.80900@bellsouth.net>

Patrick Brunschwig wrote:

> You can get GnuPG from: ftp://ftp.no.gpg4win.org
>
> After you have installed GnuPG, start Thunderbird with Enigmail
> installed. It will usually find GnuPG automatically. Then, the easiest
> way to get started is to use the Wizard which opens if you compose a new
> message and click on the "PGP" icon.

Does the 'OpenPGP' padlock Icon automagically appear in the Toolbar now; or will Tom need to first 'Customize' the Toolbar to place it there?

I cannot remember.

JOHN :-\
Timestamp: Thursday 21 Dec 2006, 11:12 --500 (Eastern Standard Time)

From hawke at hawkesnest.net Thu Dec 21 17:32:36 2006
From: hawke at hawkesnest.net (Alex Mauer)
Date: Thu, 21 Dec 2006 10:32:36 -0600
Subject: SCM SPR-332 pinpad
In-Reply-To: <87bqlxwvia.fsf__27322.9157472544$1166686973$gmane$org@wheatstone.g10code.de>
References: <87d56f4sjr.fsf__29884.3072182082$1166555315$gmane$org@wheatstone.g10code.de> <87ac1ixyd5.fsf__11481.3972068534$1166636642$gmane$org@wheatstone.g10code.de> <87bqlxwvia.fsf__27322.9157472544$1166686973$gmane$org@wheatstone.g10code.de>
Message-ID:

Werner Koch wrote:
> On Thu, 21 Dec 2006 01:16, hawke at hawkesnest.net said:
>
>> Hmm, I had not intended to sign with the card. I'm just using the
>> gpg-agent with ssh-agent support; I would have assumed that it would use
>> the authentication key by default. Is that not the case?
>
> Yes, it does. I have tried it several times on a clean machine.
> However, I don't use the pinpad regularly because my primary machine is
> my laptop with the cardman 4040 reader.
>
> Please check the output of ssh -v

ssh -v says:

debug1: Next authentication method: publickey
debug1: Offering public key: cardno:000100000227
debug1: Server accepts key: pkalg ssh-rsa blen 153
Agent admitted failure to sign using the key.

It then offers a different, file-based, key and gpg-agent prompts for the password for that.

and also what the scdaemon log has
> to say after the point where you cut it in your last message.

Entire log available at http://web.hawkesnest.net/users/hawke/scd.log

The log contains nothing after "scdaemon[7324.0] DBG: <- END". I cut stuff before "2006-12-20 10:21:48", but not after, nor in the middle. The point where I inserted the comment about the prompt was only a comment and the log is complete.

-Alex Mauer "hawke"

From devans at hclb.demon.co.uk Thu Dec 21 17:56:54 2006
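Added example, not part of the thread or of GnuPG's code: a decoder for the two CCID frames from the scdaemon log that Werner Koch annotates in the SCM SPR-332 pinpad thread above, using the field layout of the CCID PIN-verification structure. The function names are hypothetical, the frames are re-typed from the log, and reading the six reply bytes as a T=1 block is an interpretation that their checksum supports rather than something the thread states.

```python
"""Decode the CCID pinpad exchange from the scdaemon debug log in this thread."""
import struct

# Frames re-typed from the log; the byte the mail wrapped as "1 2" is "12".
SECURE_REQUEST = bytes.fromhex(
    "69 13 00 00 00 00 12 00 00 00"        # 10-byte CCID header
    "00 00 82 00 00 19 06 02 FF 04 09 00"  # PIN verification parameters
    "00 40 00"                             # T=1 prologue template
    "00 20 00 82"                          # APDU template quoted in the reply
)
READER_DATA = bytes.fromhex("00 40 02 90 00 D2")  # "data:" bytes after PIN entry

PC_TO_RDR_SECURE = 0x69
INS_VERIFY = 0x20
# VERIFY P2 values as assigned by the OpenPGP card specification (the thread
# itself only says that authentication and decryption use CHV2).
PIN_REFERENCES = {0x81: "CHV1", 0x82: "CHV2", 0x83: "CHV3 (Admin PIN)"}
PIN_ENCODINGS = {0: "binary", 1: "BCD", 2: "ASCII"}


def parse_secure_request(frame: bytes) -> dict:
    """Split a PC_to_RDR_Secure PIN-verification frame into named fields."""
    if len(frame) < 10:
        raise ValueError("shorter than the 10-byte CCID header")
    msg_type, length, slot, seq, _bwi, _level = struct.unpack("<BIBBBH", frame[:10])
    if msg_type != PC_TO_RDR_SECURE:
        raise ValueError(f"message type {msg_type:#04x} is not PC_to_RDR_Secure")
    body = frame[10:]
    if len(body) != length:
        raise ValueError(f"dwLength is {length} but {len(body)} bytes follow")
    if length < 19 or body[0] != 0x00:
        raise ValueError("not a PIN verification block carrying an APDU header")
    _cla, ins, _p1, p2 = body[15:19]
    if ins != INS_VERIFY:
        raise ValueError(f"APDU template is not VERIFY (INS={ins:#04x})")
    fmt = body[2]  # bmFormatString
    return {
        "slot": slot,
        "seq": seq,
        "timeout_s": body[1],
        "pin_units": "bytes" if fmt & 0x80 else "bits",
        "pin_encoding": PIN_ENCODINGS.get(fmt & 0x03, "reserved"),
        "max_digits": body[5],  # wPINMaxExtraDigit, low byte
        "min_digits": body[6],  # wPINMaxExtraDigit, high byte
        "validate_on_enter_key": bool(body[7] & 0x02),
        "t1_prologue": bytes(body[12:15]),
        "apdu": bytes(body[15:]),
        "pin_reference": PIN_REFERENCES.get(p2, f"unknown ({p2:#04x})"),
    }


def status_word_from_t1(data: bytes) -> int:
    """Validate a T=1 block (NAD PCB LEN INF LRC) and return SW1SW2 from INF."""
    if len(data) < 6 or len(data) != 3 + data[2] + 1:
        raise ValueError("length does not fit NAD, PCB, LEN, INF, LRC")
    lrc = 0
    for byte in data[:-1]:
        lrc ^= byte  # LRC is the XOR of every preceding byte
    if lrc != data[-1]:
        raise ValueError(f"LRC mismatch: computed {lrc:02X}, block ends {data[-1]:02X}")
    return int.from_bytes(data[-3:-1], "big")


def pin_was_accepted(request: bytes, reply_data: bytes) -> bool:
    """True when the request is a well-formed VERIFY and the card answered 90 00."""
    parse_secure_request(request)
    return status_word_from_t1(reply_data) == 0x9000


if __name__ == "__main__":
    for name, value in parse_secure_request(SECURE_REQUEST).items():
        shown = value.hex(" ") if isinstance(value, bytes) else value
        print(f"{name:22} {shown}")
    print(f"{'status word':22} {status_word_from_t1(READER_DATA):04X}")
```

The decoded request asks the reader for a 6 to 25 digit ASCII PIN confirmed with the enter key and checks it against CHV2, which matches the reply's reading of the log.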
From: devans at hclb.demon.co.uk (Dave Evans)
Date: Thu, 21 Dec 2006 16:56:54 +0000 (UTC)
Subject: Importing a key that has been revoked by a designated revoker
Message-ID: <1166745414snx@hclb.demon.co.uk>

If you import a key that has been revoked by a designated revoker, it seems that it does not show as revoked unless the public key of the designated revoker is also on the keyring. I don't know if this is a bug or a feature.

To demonstrate this:

Generate a key named testkey
Add a designated revoker to testkey.
Use the designated revoker key to generate a designated revocation certificate.
Import the designated revocation certificate.
Export testkey to a file.
Export the key of the designated revoker to another file.
Change to a clean copy of gpg by setting the GNUPGHOME variable to point to an empty directory.
Import the file that testkey was exported to.
Observe that list-key does not show testkey as revoked. You can also encrypt messages to testkey.
Import the public key for the designated revoker.
Observe that list-key now shows testkey as revoked.

This is using Gnupg 1.4.6 for Windows.

From kennethfinnegan2007 at gmail.com Thu Dec 21 20:06:23 2006
From: kennethfinnegan2007 at gmail.com (Kenneth Finnegan) Date: Thu, 21 Dec 2006 11:06:23 -0800 Subject: GnuPG ?Bineries? to USE PnuPG with Windows? In-Reply-To: <458AB293.80900@bellsouth.net> References: <4589DD8E.4010000@Yahoo.com> <458AB293.80900@bellsouth.net> Message-ID: <458ADB2F.3060106@GMail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Yep, it shows up automatically (Or at least I don't remember having to figure it out...) Kenneth Finnegan Webmaster - http://ducttape.pbwiki.com/ AIM: PhirePyro Yahoo: KennethFinnegan2007 at yahoo.com MSN: KennethFinnegan2007 at yahoo.com Skype: kenneth.finnegan PGP: 0xF969DD2D John W. Moore III wrote: > Does the 'OpenPGP' padlock Icon automagically appear in the Toolbar now; > or will Tom need to first 'Customize' the Toolbar to place it there? > > I cannot remember. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFitsve2t35flp3S0RAtxWAKC/ZCMxLUmGgp4sg3wvtbbSyrh6iwCdHkqs /ABvX+FVIRIx5vaLDs6UuzI= =vc8R -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Thu Dec 21 22:17:57 2006 
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 21 Dec 2006 16:17:57 -0500
Subject: Importing a key that has been revoked by a designated revoker
In-Reply-To: <1166745414snx@hclb.demon.co.uk>
References: <1166745414snx@hclb.demon.co.uk>
Message-ID: <20061221211757.GA1095@jabberwocky.com>

On Thu, Dec 21, 2006 at 04:56:54PM +0000, Dave Evans wrote:
> If you import a key that has been revoked by a
> designated revoker, it seems that it does not show
> as revoked unless the public key of the designated
> revoker is also on the keyring. I don't know if
> this is a bug or a feature.

This is neither a bug nor a feature, but a natural result in how designated revokers work. Designated revokers do their job by issuing a signature onto the key they want to revoke. Naturally, if the designated revoker's key isn't on the keyring, we have no way to verify the signature. If we can't verify the signature, we can't know if it's real or a forgery.

Keys in this state are treated specially: neither revoked nor not revoked, but with a question attached. If you verify a signature from such a key, you'll see:

  gpg: WARNING: this key might be revoked (revocation key not present)

It might be a good idea to display a similar warning on encryption to such a key, but we don't do that right now.

David

From bob at rsmits.ca Fri Dec 22 07:44:52 2006
From: bob at rsmits.ca (Robert Smits) Date: Thu, 21 Dec 2006 22:44:52 -0800 Subject: Why are signatures marked as bad? Message-ID: <200612212245.15312.bob@rsmits.ca> I'm using the KGpg that comes with Suse 10.1. I use the KDE desktop and hence Kmail to send my email. When I sign a message with my personal key, when it leaves my outbox the message is marked by a green banner saying "Message was signed by bob at rsmits.ca (Key ID: 0xA3DF27D8336EF8A7). The signature is valid and the key is ultimately trusted." If I send it to myself, the message comes back with a red banner saying "Message was signed by bob at rsmits.ca (Key ID: 0xA3DF27D8336EF8A7). Warning: The signature is bad." The signature itself is not outdated, so why is this happening? Thanks, Bob. -- Bob Smits Ladysmith BC Phone 250-245-2553 Fax 250-245-5531 Email bob at rsmits.ca -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20061221/dc76646c/attachment-0001.pgp From email at ottosson.nu Thu Dec 21 10:03:26 2006 
From: email at ottosson.nu (J. Ottosson) Date: Thu, 21 Dec 2006 10:03:26 +0100 Subject: 1.0.8 Light In-Reply-To: <87fyb9wvng.fsf@wheatstone.g10code.de> References: <4589EC90.1000405@Yahoo.com>, <87fyb9wvng.fsf@wheatstone.g10code.de> Message-ID: <458A5BEE.17931.371D8B@email.ottosson.nu> On 21 Dec 2006 at 8:33, Werner Koch wrote: > Make sure that you download in binary mode or use the HTTP download. > also check that you compare the right checksums. We provide SHA-1 as > well as MD5 checksums (the shorter ones). I've also had numerous problems downloading from the main gpg4win site. In fact, after some 3-4 tries at different times I still haven't been able to download the install file for the main package uncorrupted. (Just tried again a minute ago before writing this response). The alternate download URL you provided holds files that work though. (Just double-checked) > Werner -- J. Ottosson http://jo.sthlm.ws/ From wk at gnupg.org Fri Dec 22 11:55:49 2006 
From: wk at gnupg.org (Werner Koch) Date: Fri, 22 Dec 2006 11:55:49 +0100 Subject: SCM SPR-332 pinpad In-Reply-To: (Alex Mauer's message of "Thu\, 21 Dec 2006 10\:32\:36 -0600") References: <87d56f4sjr.fsf__29884.3072182082$1166555315$gmane$org@wheatstone.g10code.de> <87ac1ixyd5.fsf__11481.3972068534$1166636642$gmane$org@wheatstone.g10code.de> <87bqlxwvia.fsf__27322.9157472544$1166686973$gmane$org@wheatstone.g10code.de> Message-ID: <87slf8td1m.fsf@wheatstone.g10code.de> On Thu, 21 Dec 2006 17:32, hawke at hawkesnest.net said: > debug1: Next authentication method: publickey > debug1: Offering public key: cardno:000100000227 > debug1: Server accepts key: pkalg ssh-rsa blen 153 > Agent admitted failure to sign using the key. That reminds me of another bug related to certain ssh keys. It has been reported to one of the mailing lists but unfortunately it is not in the bug tracker. I recall that I asked moritz to take care of that problem. Need to ask him what's going on. Shalom-Salam, Werner From db at tasit.net Sat Dec 23 11:50:51 2006 
From: db at tasit.net (Dave Barton) Date: Sat, 23 Dec 2006 21:50:51 +1100 Subject: Why are signatures marked as bad? In-Reply-To: <200612212245.15312.bob@rsmits.ca> References: <200612212245.15312.bob@rsmits.ca> Message-ID: <1166871052.4019.17.camel@master.barton> On Thu, 2006-12-21 at 22:44 -0800, Robert Smits wrote: > I'm using the KGpg that comes with Suse 10.1. I use the KDE desktop and hence > Kmail to send my email. > > When I sign a message with my personal key, when it leaves my outbox the > message is marked by a green banner saying "Message was signed by > bob at rsmits.ca (Key ID: 0xA3DF27D8336EF8A7). > The signature is valid and the key is ultimately trusted." > > If I send it to myself, the messages comes back with a red banner saying > "Message was signed by bob at rsmits.ca (Key ID: 0xA3DF27D8336EF8A7). > Warning: The signature is bad." > > The signature itself is not outdated, so why is this happening? > > Thanks, Bob. Sorry I don't have an answer to your question, but FWIW your signature appears to be valid in Evolution (see below). I am also running SuSE 10.1 and use Kgpg. As much as I would like to, I can't use Kmail for a completely unrelated reason. Dave This message is signed with a valid signature,but the sender of the message cannot be verified. gpg: armor header: Version: GnuPG v1.4.2 (GNU/Linux) gpg: Signature made Fri 22 Dec 2006 17:45:15 EST using DSA key ID 336EF8A7 gpg: requesting key 336EF8A7 from hkp server wwwkeys.pgp.net gpg: armor header: Version: SKS 1.0.10 gpg: pub 1024D/336EF8A7 2006-07-13 Bob Smits (New 10.1 key) gpg: using classic trust model gpg: key 336EF8A7: public key "Bob Smits (New 10.1 key) " imported gpg: Total number processed: 1 gpg: imported: 1 gpg: Good signature from "Bob Smits (New 10.1 key) " gpg: aka "[jpeg image of size 7778]" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. 
Primary key fingerprint: A2DE 65EB F87B BC71 ECB3 BA6F A3DF 27D8 336E F8A7 gpg: binary signature, digest algorithm SHA1 From shavital at mac.com Sat Dec 23 15:27:14 2006 From: shavital at mac.com (Charly Avital) Date: Sat, 23 Dec 2006 09:27:14 -0500 Subject: Why are signatures marked as bad? In-Reply-To: <200612212245.15312.bob@rsmits.ca> References: <200612212245.15312.bob@rsmits.ca> Message-ID: <458D3CC2.8050601@mac.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Robert Smits wrote the following on 12/22/06 1:44 AM: > I'm using the KGpg that comes with Suse 10.1. I use the KDE desktop and hence > Kmail to send my email. > > When I sign a message with my personal key, when it leaves my outbox the > message is marked by a green banner saying "Message was signed by > bob at rsmits.ca (Key ID: 0xA3DF27D8336EF8A7). > The signature is valid and the key is ultimately trusted." > > If I send it to myself, the messages comes back with a red banner saying > "Message was signed by bob at rsmits.ca (Key ID: 0xA3DF27D8336EF8A7). > Warning: The signature is bad." > > The signature itself is not outdated, so why is this happening? > > Thanks, Bob. Your signature verifies as Good. Regards, Charly Thunderbird 1.5.0.9 - Enigmail 0.94.1.2 - GnuPG 1.4.6 under MacOS X 10.4.8 KeyOnCard at: -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (Darwin) Comment: GnuPG for Privacy Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQCVAwUBRY08uiRJoUyU/RYhAQJyHAP/UsBx2++u/B2YX6OEykaxfk2P/CFb+x/3 /WhEIlN7ZVsXWjMmK6gZdHLfaGjKJIhikkCknJcjSZVdtXSc0MDDXYXQDXPNdx61 IxXzAgPxjfIyvClGCoyXwgi2SemnQXPHClZquldCL7ZAqfC720Caa4IpHdGR/iVL 18rSpqnT6o0= =GY2p -----END PGP SIGNATURE----- From smolinski at de.ibm.com Sat Dec 23 16:06:28 2006 
From: smolinski at de.ibm.com (Holger Smolinski) Date: Sat, 23 Dec 2006 16:06:28 +0100 Subject: Holger Smolinski/Germany/IBM is out of office until 01/02 Message-ID: I will be out of the office starting 23.12.2006 and will not return until 02.01.2007. Please contact Susanne Wintenberger (swinten at de.ibm.com) in any case of urgency. For urgent customer support issues please create a PMR and address it to Linux support. If appropriate, have the PMR escalated to the Linux development team offshift-personnel. From bob at rsmits.ca Sat Dec 23 19:20:44 2006 
From: bob at rsmits.ca (Robert Smits) Date: Sat, 23 Dec 2006 10:20:44 -0800 Subject: Why are signatures marked as bad? In-Reply-To: <200612212245.15312.bob@rsmits.ca> References: <200612212245.15312.bob@rsmits.ca> Message-ID: <200612231020.55073.bob@rsmits.ca> On Thursday 21 December 2006 22:44, Robert Smits wrote: > I'm using the KGpg that comes with Suse 10.1. I use the KDE desktop and > hence Kmail to send my email. > > When I sign a message with my personal key, when it leaves my outbox the > message is marked by a green banner saying "Message was signed by > bob at rsmits.ca (Key ID: 0xA3DF27D8336EF8A7). > The signature is valid and the key is ultimately trusted." > > If I send it to myself, the messages comes back with a red banner saying > "Message was signed by bob at rsmits.ca (Key ID: 0xA3DF27D8336EF8A7). > Warning: The signature is bad." > > The signature itself is not outdated, so why is this happening? Thanks to some suggestions from the posters to this list I did some further work. First I uploaded the sigs to the key servers. I removed bogofilter from the laptop because I thought the added filter notice might be changing the file size. None of this worked. I do notice, however, a change in file size when I compare the sent and received files. With the sent file, the multipart signed section is 1.3 KB, the body part is a Plain Text Document 96 Bytes, and a Detached OpenPGP Signature of 189 Bytes The file I received back had a multipart signed section of 2.2 KB, the body part is a Plain Text Document 96 Bytes, and a Detached OpenPGP Signature of 189 Bytes. It's obvious that something has changed, but I have no idea what is causing this. Thanks, Bob. -- Bob Smits Ladysmith BC Phone 250-245-2553 Fax 250-245-5531 Email bob at rsmits.ca -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20061223/f23f3b75/attachment.pgp From vapier at gentoo.org Sat Dec 23 18:50:08 2006 From: vapier at gentoo.org (Mike Frysinger) Date: Sat, 23 Dec 2006 12:50:08 -0500 Subject: controlling the use of subkeys Message-ID: <200612231250.08974.vapier@gentoo.org> i do signing of Gentoo packages and historically i would just generate a new key and sign that with my normal public one ... when the last one expired, i decided to try and use subkeys so my main key i get everyone to sign is E837F581 and i use that when signing my e-mails ... i created a new subkey just for signing Gentoo packages and that is 205D3103 ... now when i sign e-mails or files, my main key is no longer used, just my subkey ... how can i control this behavior ? $ gpg -K sec 4096R/E837F581 2002-11-17 uid Mike Frysinger uid Mike Frysinger (GMAIL) ssb 1024D/205D3103 2006-12-16 $ gpg --clearsign foo You need a passphrase to unlock the secret key for user: "Mike Frysinger " 1024-bit DSA key, ID 205D3103, created 2006-12-16 (main key ID E837F581) why is it using 205D3103 ? :( -mike -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20061223/7d282ba6/attachment.pgp From rjh at sixdemonbag.org Sat Dec 23 20:51:01 2006 
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sat, 23 Dec 2006 13:51:01 -0600 Subject: controlling the use of subkeys In-Reply-To: <200612231250.08974.vapier@gentoo.org> References: <200612231250.08974.vapier@gentoo.org> Message-ID: <458D88A5.10002@sixdemonbag.org> Mike Frysinger wrote: > i do signing of Gentoo packages and historically i would just > generate a new key and sign that with my normal public one ... when > the last one expired, i decided to try and use subkeys This may be bad policy on your part. The average Gentoo user is not going to be an expert on cryptography or the OpenPGP protocol. Keeping things as simple as possible for them is probably better than getting clever with subkeys, especially since there are some interesting edge cases there. > so my main key i get everyone to sign is E837F581 and i use that when > signing my e-mails ... i created a new subkey just for signing > Gentoo packages and that is 205D3103 Generally speaking, people don't sign keys; they sign user IDs. > ... now when i sign e-mails or files, my main key is no longer used, > just my subkey ... how can i control this behavior ? Use the "!" symbol to explicitly specify a subkey. E.g., "gpg -u 0x205D3103! --clearsign ..." I would suggest rethinking your strategy, however. From vapier at gentoo.org Sat Dec 23 20:59:31 2006 
From: vapier at gentoo.org (Mike Frysinger) Date: Sat, 23 Dec 2006 14:59:31 -0500 Subject: controlling the use of subkeys In-Reply-To: <458D88A5.10002@sixdemonbag.org> References: <200612231250.08974.vapier@gentoo.org> <458D88A5.10002@sixdemonbag.org> Message-ID: <200612231459.32298.vapier@gentoo.org> On Saturday 23 December 2006 14:51, Robert J. Hansen wrote: > Mike Frysinger wrote: > > i do signing of Gentoo packages and historically i would just > > generate a new key and sign that with my normal public one ... when > > the last one expired, i decided to try and use subkeys > > This may be bad policy on your part. The average Gentoo user is not > going to be an expert on cryptography or the OpenPGP protocol. Keeping > things as simple as possible for them is probably better than getting > clever with subkeys, especially since there are some interesting edge > cases there. the average Gentoo user isnt going to ever care or even notice ... the signing aspects are all handled by portage user does `emerge pkg` and emerge goes and validates all of the keys > > so my main key i get everyone to sign is E837F581 and i use that when > > signing my e-mails ... i created a new subkey just for signing > > Gentoo packages and that is 205D3103 > > Generally speaking, people don't sign keys; they sign user IDs. sorry, yes ... they've been signing my Gentoo uid > > ... now when i sign e-mails or files, my main key is no longer used, > > just my subkey ... how can i control this behavior ? > > Use the "!" symbol to explicitly specify a subkey. E.g., thanks > I would suggest rethinking your strategy, however. and what would you suggest ? create brand new key sets when the previous one expires ? i thought one of the points of subkeys is to minimize this sort of management -mike -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20061223/6977bed6/attachment-0001.pgp From rjh at sixdemonbag.org Sun Dec 24 02:11:57 2006 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sat, 23 Dec 2006 19:11:57 -0600 Subject: controlling the use of subkeys In-Reply-To: <200612231459.32298.vapier@gentoo.org> References: <200612231250.08974.vapier@gentoo.org> <458D88A5.10002@sixdemonbag.org> <200612231459.32298.vapier@gentoo.org> Message-ID: <458DD3DD.4090509@sixdemonbag.org> Mike Frysinger wrote: > and what would you suggest ? create brand new key sets when the > previous one expires ? i thought one of the points of subkeys is to > minimize this sort of management The best way to minimize management is to reduce the amount of stuff that needs to be managed. There almost certainly exist specialized applications where key expiry makes a lot of sense. But in general, I think most people who set their keys to expire do so without really thinking about what clear benefits it gives them, or what specific problem of theirs it will solve. If you can point to a specific requirement or need of the Gentoo community which key expiry will help address, then by all means, go for it. Otherwise, simplify your management by removing expiries. From vapier at gentoo.org Sun Dec 24 02:37:03 2006 
From: vapier at gentoo.org (Mike Frysinger) Date: Sat, 23 Dec 2006 20:37:03 -0500 Subject: controlling the use of subkeys In-Reply-To: <458DD3DD.4090509@sixdemonbag.org> References: <200612231250.08974.vapier@gentoo.org> <200612231459.32298.vapier@gentoo.org> <458DD3DD.4090509@sixdemonbag.org> Message-ID: <200612232037.04272.vapier@gentoo.org> On Saturday 23 December 2006 20:11, Robert J. Hansen wrote: > Mike Frysinger wrote: > > and what would you suggest ? create brand new key sets when the > > previous one expires ? i thought one of the points of subkeys is to > > minimize this sort of management > > The best way to minimize management is to reduce the amount of stuff > that needs to be managed. > > There almost certainly exist specialized applications where key expiry > makes a lot of sense. But in general, I think most people who set their > keys to expire do so without really thinking about what clear benefits > it gives them, or what specific problem of theirs it will solve. > > If you can point to a specific requirement or need of the Gentoo > community which key expiry will help address, then by all means, go for > it. Otherwise, simplify your management by removing expiries. ok, but i think this is a different aspect than what we're talking about here ... sep keys means different uid's whereas a subkey is bound to the same uid ... people sign my uid and i have signing subkeys versus people sign my uid, i create a new key/uid and sign that with my own key subkeys can have expiration limits placed on them as well, so i dont see how your thoughts here are specific to saying "subkeys are the wrong way of doing things" ... what'd i miss ? -mike -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20061223/0a8a7a2a/attachment.pgp From rjh at sixdemonbag.org Sun Dec 24 02:50:42 2006 
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sat, 23 Dec 2006 19:50:42 -0600 Subject: controlling the use of subkeys In-Reply-To: <200612232037.04272.vapier@gentoo.org> References: <200612231250.08974.vapier@gentoo.org> <200612231459.32298.vapier@gentoo.org> <458DD3DD.4090509@sixdemonbag.org> <200612232037.04272.vapier@gentoo.org> Message-ID: <458DDCF2.3050905@sixdemonbag.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Mike Frysinger wrote: > sep keys means different uid's whereas a subkey is bound to the same > uid ... This is not the case. The only (required) binding between a subkey and a UID comes from the fact that each UID has a self-signature. If you create a new subkey, there's no explicit binding between that and a UID. > subkeys can have expiration limits placed on them as well, so i dont > see how your thoughts here are specific to saying "subkeys are the > wrong way of doing things" ... what'd i miss ? I hate to sound like an arrogant son-of-a-so-and-so, but it sounds like you're attempting to do complex things with OpenPGP without understanding OpenPGP very well. My suggestion: figure out exactly what you need it to do and send it on to the list. If you need more than one sentence to do it, you may not understand your basic problem very well. For instance: "End-users need assurance that the package is really part of Gentoo." Or, "I need some way to separate my Gentoo maintainer identity from my personal identity." Or... etc., etc. Come up with a single sentence describing your problem, and you'll get a ton of responses by people with ideas for how to solve it. After a while, you'll see some consensus emerge about which ideas have merit and which are the products of overactive imaginations. (This being the internet, there may be a lot more of the latter than the former.) Then choose the simplest, most clearly-explained idea which has merit. 
From vapier at gentoo.org Sun Dec 24 03:24:13 2006 
From: vapier at gentoo.org (Mike Frysinger) Date: Sat, 23 Dec 2006 21:24:13 -0500 Subject: controlling the use of subkeys In-Reply-To: <458DDCF2.3050905@sixdemonbag.org> References: <200612231250.08974.vapier@gentoo.org> <200612232037.04272.vapier@gentoo.org> <458DDCF2.3050905@sixdemonbag.org> Message-ID: <200612232124.14038.vapier@gentoo.org> On Saturday 23 December 2006 20:50, Robert J. Hansen wrote: > I hate to sound like an arrogant son-of-a-so-and-so, but it sounds like > you're attempting to do complex things with OpenPGP without > understanding OpenPGP very well. probably, but that doesnt really matter to me much ... all the intricacies of pgp do not interest me, it's merely a tool to get other things done > My suggestion: figure out exactly what you need it to do and send it on > to the list. If you need more than one sentence to do it, you may not > understand your basic problem very well. i have a personal key/uid i use for signing e-mails and such, E837F581. when doing gpg signing parties, this is what other people sign. in Gentoo, rather than using personal keys, we create a new key to keep personal and developer package signing separate. historically, i would just create a new key/uid (for example, the last one i was using was CC2BD2F2). then i would sign that with ultimate trust using my personal key. this time around, i thought i'd be lazy and just create a subkey off of E837F581 since it seemed to be a bit quicker (205D3103). then i noticed that even though i told some programs to use E837F581 to do signing, they'd turn around and use the subkey 205D3103, thus this e-mail chain ive started. -mike -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20061223/64435165/attachment.pgp From rjh at sixdemonbag.org Sun Dec 24 03:33:50 2006 
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sat, 23 Dec 2006 20:33:50 -0600 Subject: controlling the use of subkeys In-Reply-To: <200612232124.14038.vapier@gentoo.org> References: <200612231250.08974.vapier@gentoo.org> <200612232037.04272.vapier@gentoo.org> <458DDCF2.3050905@sixdemonbag.org> <200612232124.14038.vapier@gentoo.org> Message-ID: <458DE70E.70303@sixdemonbag.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Mike Frysinger wrote: > probably, but that doesnt really matter to me much ... all the intricacies of > pgp do not interrest me, it's merely a tool to get other things done When you start doing advanced and sophisticated things with a tool, you need to invest the time in understanding that tool. This is true for pretty much any tool, not just GnuPG. > i have a personal key/uid i use for signing e-mails and such, E837F581. when > doing gpg signing parties, this is what other people sign. in Gentoo, rather > than using personal keys, we create a new key to keep personal and developer > package signing separate. This is sensible. This strongly counter-indicates using a new subkey. After all... when someone sees a signature with your new subkey, they'll then have to find the master signing key and import that before they can verify your signature. And since your personal identity is connected with that master key, you're going to conflate your personal identity with your Gentoo identity. Generate a new keypair and use that instead. 
From robbat2 at gentoo.org Sun Dec 24 03:43:30 2006 
From: robbat2 at gentoo.org (Robin H. Johnson) Date: Sat, 23 Dec 2006 18:43:30 -0800 Subject: controlling the use of subkeys In-Reply-To: <200612232124.14038.vapier@gentoo.org> References: <200612231250.08974.vapier@gentoo.org> <200612232037.04272.vapier@gentoo.org> <458DDCF2.3050905@sixdemonbag.org> <200612232124.14038.vapier@gentoo.org> Message-ID: <20061224024330.GA27466@curie-int.orbis-terrarum.net> On Sat, Dec 23, 2006 at 09:24:13PM -0500, Mike Frysinger wrote: > > My suggestion: figure out exactly what you need it to do and send it on > > to the list. If you need more than one sentence to do it, you may not > > understand your basic problem very well. To side-step the arguments here. Mike's just a Gentoo developer that wants to sign stuff. He doesn't care how it works, so long as it works, and everybody is happy with the security of it. I'm the Gentoo developer that is busy (with far too many things) creating a full plan of action regarding key usage and management. The only stumbling block on the part of GnuPG itself thus far is the need for an Assuan interface to GnuPG itself (not gpgsm) - gpgme is too slow since it exec()s fresh copies of gpg each time you make a call, and when we want to verify lots of ASCII-armoured files on demand (potentially 30k of them), this hurts badly. > this time around, i thought i'd be lazy and just create a subkey off of > E837F581 since it seemed to be a bit quicker (205D3103). then i noticed that > even though i told some programs to use E837F581 to do signing, they'd turn > around and use the subkey 205D3103, thus this e-mail chain ive started. *waves at Mike* Mike, to answer your question directly, PORTAGE_GPG_KEY="0xE837F581!" Put it in your environment and your make.conf. If that doesn't work, give me a shout directly. -- Robin Hugh Johnson E-Mail : robbat2 at gentoo.org GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 240 bytes Desc: not available Url : /pipermail/attachments/20061223/61ef1747/attachment.pgp From supraexpress at globaleyes.net Sun Dec 24 06:14:53 2006 From: supraexpress at globaleyes.net (User 1001) Date: Sun, 24 Dec 2006 05:14:53 +0000 (UTC) Subject: GnuPG ?Bineries? to USE PnuPG with Windows? References: <4589DD8E.4010000@Yahoo.com> Message-ID: On Thu, 21 Dec 2006 16:58:16 +0100, Patrick Brunschwig wrote: > Tom - Hwy101 wrote: >> Where are the 'Binaries' for Using PnuPG with Windows; AND, what do I do >> with to Use PnuPG >> with Thunderbird, Engimail Extension? Thanks > > You can get GnuPG from: ftp://ftp.no.gpg4win.org > > After you have installed GnuPG, start Thunderbird with Enigmail > installed. It will usually find GnuPG automatically. Then, the easiest > way to get started is to use the Wizard which opens if you compose a new > message and click on the "PGP" icon. You can also, and preferably, get GnuPG Windows binaries from "www.gnupg.org", which always has the most current version whereas other distributions oftentimes do not. From ggrabler at gmail.com Sun Dec 24 14:51:56 2006 From: ggrabler at gmail.com (Georg Grabler) Date: Sun, 24 Dec 2006 14:51:56 +0100 Subject: GnuPG Made Easy - docs? Message-ID: <200612241451.56516.ggrabler@gmail.com> Hello everyone around, I've tried to find API documentation for the GnuPG Made Easy implementation. I couldn't look up the zip files, since the ftp servers seem down, at least I can't reach them. Is there any api doc out there? I'd prefer readable format, a whole html / pdf or something, otherwise I'd need to copy / paste again to get it printed. I dislike window switching, and my 2nd screen is broken. Thanks, Georg From ggrabler at gmail.com Tue Dec 26 17:44:28 2006 
From: ggrabler at gmail.com (Georg Grabler) Date: Tue, 26 Dec 2006 17:44:28 +0100 Subject: GnuPG Made Easy documentation Message-ID: <200612261744.29127.ggrabler@gmail.com> Is there any API documentation for GnuPG Made Easy? I've been looking through the page, but couldn't find any appropriate point where to start. Thank you, Georg From mo at g10code.com Tue Dec 26 18:37:28 2006 From: mo at g10code.com (Moritz Schulte) Date: Tue, 26 Dec 2006 18:37:28 +0100 Subject: GnuPG Made Easy documentation In-Reply-To: <200612261744.29127.ggrabler@gmail.com> References: <200612261744.29127.ggrabler@gmail.com> Message-ID: <1167154648.6880.25.camel@localhost.localdomain> GPGME's API is documented in the info manual, which is part of the GPGME package. Thanks, Moritz From jharris at widomaker.com Tue Dec 26 22:43:21 2006 
From: jharris at widomaker.com (Jason Harris) Date: Tue, 26 Dec 2006 16:43:21 -0500 Subject: new (2006-12-24) keyanalyze results (+sigcheck) Message-ID: <20061226214321.GA831@wilma.widomaker.com> New keyanalyze results are available at: http://keyserver.kjsl.com/~jharris/ka/2006-12-24/ Signatures are now being checked using keyanalyze+sigcheck: http://dtype.org/~aaronl/ Earlier reports are also available, for comparison: http://keyserver.kjsl.com/~jharris/ka/ Even earlier monthly reports are at: http://dtype.org/keyanalyze/ SHA-1 hashes and sizes for all the "permanent" files: -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris at widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 313 bytes Desc: not available Url : /pipermail/attachments/20061226/5a7adb5c/attachment.pgp From hira at atlas-is.co.jp Wed Dec 27 01:28:38 2006 
From: hira at atlas-is.co.jp (HIRA, Shuichi) Date: Wed, 27 Dec 2006 09:28:38 +0900 Subject: compiling gpgme with bcc Message-ID: <200612270028.AA00882@vela.sun.atlas-is.co.jp> Hi I tried to compile gpgme using Borland C++ Compiler 5.5. I found some errors, but got dll with modification. Do you need any information for that? Thx. -- HIRA, Shuichi Atlas Information Service Inc. IT Development Room hira at atlas-is.co.jp From vedaal at hush.com Wed Dec 27 19:25:34 2006 
From: vedaal at hush.com (vedaal at hush.com) Date: Wed, 27 Dec 2006 13:25:34 -0500 Subject: gnupg clearsigning question Message-ID: <20061227182535.198BE22840@mailserver9.hushmail.com> is it possible to construct a gnupg signature that is the same each time for the same file (and same signing key and hash ) ? would like to do something like this for use as a truecrypt keyfile: the truecrypt volume is on a usb drive, the outer volume would contain the gnupg keyrings, the rest of the usb drive contains miscellaneous files, one of these is used for a keyfile for the outer volume, now, what i would like to do, is clearsign one of the many textfiles on the usb, and use that clearsigned textfile as a keyfile for the hidden volume the problem is, that this changes each time it is signed ;-((( is the only reason it changes because of the timestamp? (and then would just resetting the computer clock to the time of the original signing work? assuming it would be set to a minute or so before, and signed repeatedly until the timestamp was right to the second) if the timestamp is the only thing making the signature different, would it be possible to request a feature option where the timestamp is omitted? (this wouldn't affect open-pgp compatibility) Thanks, vedaal From ewrobinson at fedex.com Wed Dec 27 19:29:07 2006 
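An added example, not part of the message above and not GnuPG code: a toy Python model of the two things that question turns on, namely that the creation time is part of what a v4 OpenPGP signature hashes, and that DSA draws a fresh random nonce for every signature while RSA with PKCS#1 v1.5 padding does not. The keys (built from Mersenne primes, insecure), the use of SHA-256 for both algorithms, the binary signature type and all function names are assumptions made for the illustration.

```python
"""Toy model of OpenPGP re-signing; insecure toy keys, not GnuPG code."""
import hashlib
import secrets
import struct

RSA_ALGO, DSA_ALGO, SHA256_ALGO = 1, 17, 8  # OpenPGP algorithm IDs

def openpgp_v4_digest(data, created, pub_algo):
    """SHA-256 over the data, the hashed v4 signature fields and the trailer."""
    # Hashed subpacket: length 5, type 2 (creation time), seconds since 1970 UTC.
    subpackets = bytes([5, 2]) + struct.pack(">I", created)
    # Version 4, signature type 0x00 (binary document), key and hash algorithm.
    header = bytes([4, 0x00, pub_algo, SHA256_ALGO])
    header += struct.pack(">H", len(subpackets)) + subpackets
    trailer = bytes([4, 0xFF]) + struct.pack(">I", len(header))
    return hashlib.sha256(data + header + trailer).digest()

# Toy RSA key (assumption): product of two Mersenne primes, trivially factorable.
RSA_N = (2**521 - 1) * (2**607 - 1)
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (2**521 - 2) * (2**607 - 2))
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _pkcs1_v15_encode(digest):
    """EMSA-PKCS1-v1_5 encoding: fixed padding, no random input."""
    size = (RSA_N.bit_length() + 7) // 8
    t = SHA256_DIGESTINFO + digest
    em = b"\x00\x01" + b"\xff" * (size - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")

def rsa_sign(digest):
    return pow(_pkcs1_v15_encode(digest), RSA_D, RSA_N)

def rsa_verify(digest, sig):
    return pow(sig, RSA_E, RSA_N) == _pkcs1_v15_encode(digest)

# Toy DSA group (assumption): q = 2^127 - 1, p = k*q + 1 found by search.
_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def _is_probable_prime(n):
    """Miller-Rabin with fixed bases; enough for this toy parameter search."""
    if n < 2 or any(n % b == 0 for b in _BASES):
        return n in _BASES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _dsa_group(q):
    k = 2
    while not _is_probable_prime(k * q + 1):
        k += 2
    p, h = k * q + 1, 2
    while pow(h, k, p) == 1:  # g = h^((p-1)/q) must not be 1 to have order q
        h += 1
    return p, pow(h, k, p)

DSA_Q = 2**127 - 1
DSA_P, DSA_G = _dsa_group(DSA_Q)
DSA_X = int.from_bytes(hashlib.sha256(b"toy key").digest(), "big") % (DSA_Q - 1) + 1
DSA_Y = pow(DSA_G, DSA_X, DSA_P)

def _leftmost_bits(digest):
    """Leftmost bits of the digest, as many as q has (the FIPS 186 rule)."""
    return int.from_bytes(digest, "big") >> (len(digest) * 8 - DSA_Q.bit_length())

def dsa_sign(digest):
    while True:
        k = secrets.randbelow(DSA_Q - 1) + 1  # fresh random nonce per signature
        r = pow(DSA_G, k, DSA_P) % DSA_Q
        s = pow(k, -1, DSA_Q) * (_leftmost_bits(digest) + DSA_X * r) % DSA_Q
        if r and s:
            return r, s

def dsa_verify(digest, sig):
    r, s = sig
    if not (0 < r < DSA_Q and 0 < s < DSA_Q):
        return False
    w = pow(s, -1, DSA_Q)
    u1, u2 = _leftmost_bits(digest) * w % DSA_Q, r * w % DSA_Q
    return pow(DSA_G, u1, DSA_P) * pow(DSA_Y, u2, DSA_P) % DSA_P % DSA_Q == r

def repeatability(data, t1, t2):
    """Does signing again reproduce the signature? t1, t2 are constructed times."""
    rsa1, rsa2 = (openpgp_v4_digest(data, t, RSA_ALGO) for t in (t1, t2))
    dsa1 = openpgp_v4_digest(data, t1, DSA_ALGO)
    return {"rsa_same_time": rsa_sign(rsa1) == rsa_sign(rsa1),
            "rsa_other_time": rsa_sign(rsa1) == rsa_sign(rsa2),
            "dsa_same_time": dsa_sign(dsa1) == dsa_sign(dsa1)}
```

Calling `repeatability(data, t1, t2)` with two timestamps one second apart shows that only the RSA signature made at an identical creation time repeats.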
From: ewrobinson at fedex.com (Eric Robinson) Date: Wed, 27 Dec 2006 12:29:07 -0600 Subject: Issues w/Daylight Savings Time in 2007 ? In-Reply-To: Message-ID: Greetings, Does anyone know of any known issues regarding GPG and the 'new' Daylight Savings Time in 2007 ? Thanks, Eric ------------------------------------- Eric Robinson Business Application Advisor FedEx Corporate Services Internet Engineering & EC Integration 901.263.5749 ------------------------------------- From dshaw at jabberwocky.com Wed Dec 27 21:42:08 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Wed, 27 Dec 2006 15:42:08 -0500 Subject: Issues w/Daylight Savings Time in 2007 ? In-Reply-To: References: Message-ID: <20061227204208.GA11925@jabberwocky.com> On Wed, Dec 27, 2006 at 12:29:07PM -0600, Eric Robinson wrote: > Greetings, > Does anyone know of any known issues regarding GPG and the 'new' > Daylight Savings Time in 2007 ? GPG (like all OpenPGP programs) uses the common "seconds since 1/1/1970 UTC" method of storing time where daylight savings time or other conversions are irrelevant. Of course, people use GPG within an operating system which may or may not give GPG the right time. So, the best answer I can give is that if your OS is correct, GPG will be too. David From dshaw at jabberwocky.com Thu Dec 28 06:30:43 2006 
From: dshaw at jabberwocky.com (David Shaw) Date: Thu, 28 Dec 2006 00:30:43 -0500 Subject: gnupg clearsigning question In-Reply-To: <20061227182535.198BE22840@mailserver9.hushmail.com> References: <20061227182535.198BE22840@mailserver9.hushmail.com> Message-ID: <20061228053043.GA12450@jabberwocky.com> On Wed, Dec 27, 2006 at 01:25:34PM -0500, vedaal at hush.com wrote: > is it possible to construct a gnupg signature that is the same each > time > for the same file (and same signing key and hash ) ? > > would like to do something like this for use as a truecrypt keyfile: > > the truecrypt volume is on a usb drive, > the outer volume would contain the gnupg keyrings, > the rest of the usb drive contains miscellenaous files, > one of these is used for a keyfile for the outer volume, > > now, > what i would like to do, > is clearsign one of the many textfiles on the usb, > and use that clearsigned textfile as a keyfile for the hidden volume > > > the problem is, > that this changes each time it is signed ;-((( > > is the only reason it changes because of the timestamp? > (and then would just resetting the computer clock to time time of > the original signing work? > assuming it would be set to a minute or so before, and signed > repeatedly until the timestamp was right to the second) > > if the timestamp is the only thing making the signature different, > would it be possible to request a feature option where the > timestamp is omitted? > (this wouldn't affect open-pgp compatibility) DSA signatures contain random data, so even if you hacked around the timestamp problem, the signature would not match. RSA signatures do not contain random data. However, even if you managed to do this with an RSA key, why on earth would you want to construct such a massively convoluted way, involving hacking around the clock on your computer, just to generate a key that would be not good as a simple file with random numbers in it would be? 
Why create complications when the simple answer is both easier and more secure? David From rjh at sixdemonbag.org Thu Dec 28 07:01:51 2006 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 28 Dec 2006 00:01:51 -0600 Subject: Issues w/Daylight Savings Time in 2007 ? In-Reply-To: <20061227204208.GA11925@jabberwocky.com> References: <20061227204208.GA11925@jabberwocky.com> Message-ID: <45935DCF.20706@sixdemonbag.org> David Shaw wrote: > GPG (like all OpenPGP programs) uses the common "seconds since > 1/1/1970 UTC" method of storing time where daylight savings time or > other conversions are irrelevant. In doc/DETAILS, it says that soon GnuPG will migrate to an ISO time format. What are the motivating reasons for this? What's the timeframe for the changeover? I've seen this warning in the DETAILS file for quite some time, so I'm kind of wondering if that's still the plan or if it's been forgotten about. From dshaw at jabberwocky.com Thu Dec 28 07:10:24 2006 
From: dshaw at jabberwocky.com (David Shaw) Date: Thu, 28 Dec 2006 01:10:24 -0500 Subject: Issues w/Daylight Savings Time in 2007 ? In-Reply-To: <45935DCF.20706@sixdemonbag.org> References: <20061227204208.GA11925@jabberwocky.com> <45935DCF.20706@sixdemonbag.org> Message-ID: <20061228061024.GB12450@jabberwocky.com> On Thu, Dec 28, 2006 at 12:01:51AM -0600, Robert J. Hansen wrote: > David Shaw wrote: > > GPG (like all OpenPGP programs) uses the common "seconds since > > 1/1/1970 UTC" method of storing time where daylight savings time or > > other conversions are irrelevant. > > In doc/DETAILS, it says that soon GnuPG will migrate to an ISO time > format. What are the motivating reasons for this? What's the timeframe > for the changeover? I've seen this warning in the DETAILS file for > quite some time, so I'm kind of wondering if that's still the plan or if > it's been forgotten about. Werner would have to say the reason, but I want to note that this is only an output/display change. Internally, GPG will always use seconds since epoch for OpenPGP as this is part of the OpenPGP specification. David From kennethfinnegan2007 at gmail.com Thu Dec 28 06:44:46 2006 
From: kennethfinnegan2007 at gmail.com (Kenneth Finnegan) Date: Wed, 27 Dec 2006 21:44:46 -0800 Subject: gnupg clearsigning question In-Reply-To: <20061228053043.GA12450@jabberwocky.com> References: <20061227182535.198BE22840@mailserver9.hushmail.com> <20061228053043.GA12450@jabberwocky.com> Message-ID: <459359CE.2070900@GMail.com> It would add the requirement that he had control of his PGP key, but a smarter thing to do would be to just encrypt his TrueCrypt volume with PGP. Same effect with a lot less pain. But at some point you really need to face when the encryption is overkill relative to the security needed. Kenneth Finnegan Webmaster - http://ducttape.pbwiki.com/ AIM: PhirePyro Yahoo: KennethFinnegan2007 at yahoo.com MSN: KennethFinnegan2007 at yahoo.com Skype: kenneth.finnegan PGP: 0xF969DD2D David Shaw wrote: > On Wed, Dec 27, 2006 at 01:25:34PM -0500, vedaal at hush.com wrote: >> is it possible to construct a gnupg signature that is the same each >> time >> for the same file (and same signing key and hash ) ? >> >> would like to do something like this for use as a truecrypt keyfile: >> >> the truecrypt volume is on a usb drive, >> the outer volume would contain the gnupg keyrings, >> the rest of the usb drive contains miscellenaous files, >> one of these is used for a keyfile for the outer volume, >> >> now, >> what i would like to do, >> is clearsign one of the many textfiles on the usb, >> and use that clearsigned textfile as a keyfile for the hidden volume >> >> >> the problem is, >> that this changes each time it is signed ;-((( >> >> is the only reason it changes because of the timestamp? >> (and then would just resetting the computer clock to time time of >> the original signing work? 
>> assuming it would be set to a minute or so before, and signed >> repeatedly until the timestamp was right to the second) >> >> if the timestamp is the only thing making the signature different, >> would it be possible to request a feature option where the >> timestamp is omitted? >> (this wouldn't affect open-pgp compatibility) > > DSA signatures contain random data, so even if you hacked around the > timestamp problem, the signature would not match. RSA signatures do > not contain random data. > > However, even if you managed to do this with an RSA key, why on earth > would you want to construct such a massively convoluted way, involving > hacking around the clock on your computer, just to generate a key that > would be not good as a simple file with random numbers in it would be? > > Why create complications when the simple answer is both easier and > more secure? > > David > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From rjh at sixdemonbag.org Thu Dec 28 07:19:19 2006 
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 28 Dec 2006 00:19:19 -0600 Subject: Issues w/Daylight Savings Time in 2007 ? In-Reply-To: <20061228061024.GB12450@jabberwocky.com> References: <20061227204208.GA11925@jabberwocky.com> <45935DCF.20706@sixdemonbag.org> <20061228061024.GB12450@jabberwocky.com> Message-ID: <459361E7.8030907@sixdemonbag.org> David Shaw wrote: > Werner would have to say the reason, but I want to note that this is > only an output/display change. Internally, GPG will always use > seconds since epoch for OpenPGP as this is part of the OpenPGP > specification. Well, before the changeover happens, I'd appreciate it if a switch would be added to preserve the current behavior. Seconds since epoch is dead simple and very familiar to programmers, and I suspect it might be better for machine parsing. From alphasigmax at gmail.com Thu Dec 28 14:04:18 2006 
From: alphasigmax at gmail.com (Alphax) Date: Thu, 28 Dec 2006 23:34:18 +1030 Subject: gnupg clearsigning question In-Reply-To: <20061228053043.GA12450@jabberwocky.com> References: <20061227182535.198BE22840@mailserver9.hushmail.com> <20061228053043.GA12450@jabberwocky.com> Message-ID: <4593C0D2.7010905@gmail.com> David Shaw wrote: > On Wed, Dec 27, 2006 at 01:25:34PM -0500, vedaal at hush.com wrote: >> is it possible to construct a gnupg signature that is the same each >> time >> for the same file (and same signing key and hash ) ? >> >> would like to do something like this for use as a truecrypt keyfile: >> >> the truecrypt volume is on a usb drive, >> the outer volume would contain the gnupg keyrings, >> the rest of the usb drive contains miscellenaous files, >> one of these is used for a keyfile for the outer volume, >> >> now, >> what i would like to do, >> is clearsign one of the many textfiles on the usb, >> and use that clearsigned textfile as a keyfile for the hidden volume >> >> >> the problem is, >> that this changes each time it is signed ;-((( >> >> is the only reason it changes because of the timestamp? >> (and then would just resetting the computer clock to time time of >> the original signing work? >> assuming it would be set to a minute or so before, and signed >> repeatedly until the timestamp was right to the second) >> >> if the timestamp is the only thing making the signature different, >> would it be possible to request a feature option where the >> timestamp is omitted? >> (this wouldn't affect open-pgp compatibility) > > DSA signatures contain random data, so even if you hacked around the > timestamp problem, the signature would not match. RSA signatures do > not contain random data. > Err, I thought it was the other way around, which is why RSA signatures are bigger than DSA signatures... or is the RSA signature packaging-thing something else? -- Alphax Death to all fanatics! Down with categorical imperative! 
OpenPGP key: http://tinyurl.com/lvq4g -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 542 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20061228/679c05c2/attachment.pgp From dshaw at jabberwocky.com Thu Dec 28 15:27:32 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Thu, 28 Dec 2006 09:27:32 -0500 Subject: gnupg clearsigning question In-Reply-To: <4593C0D2.7010905@gmail.com> References: <20061227182535.198BE22840@mailserver9.hushmail.com> <20061228053043.GA12450@jabberwocky.com> <4593C0D2.7010905@gmail.com> Message-ID: <20061228142732.GC12450@jabberwocky.com> On Thu, Dec 28, 2006 at 11:34:18PM +1030, Alphax wrote: > > DSA signatures contain random data, so even if you hacked around the > > timestamp problem, the signature would not match. RSA signatures do > > not contain random data. > > > > Err, I thought it was the other way around, which is why RSA signatures > are bigger than DSA signatures... or is the RSA signature > packaging-thing something else? No, the random data is part of DSA. The reason that RSA is large and DSA is small is unrelated to the use of random data. David From vedaal at hush.com Thu Dec 28 16:14:53 2006 From: vedaal at hush.com (vedaal at hush.com) Date: Thu, 28 Dec 2006 10:14:53 -0500 Subject: gnupg clearsigning question Message-ID: <20061228151453.EB2F72283E@mailserver9.hushmail.com> >Message: 6 >Date: Thu, 28 Dec 2006 00:30:43 -0500 
>From: David Shaw
>Subject: Re: gnupg clearsigning question

>DSA signatures contain random data, so even if you hacked around
>the
>timestamp problem, the signature would not match. RSA signatures
>do
>not contain random data.

Thanks!
this might be very useful, and work out better without any special
features

> why on earth would you want to construct such a
>massively convoluted way,
>involving hacking around the clock on your computer

the issue is the 'keyfile'

keyfiles are problematic, in that they have to be stored 'somewhere',
and if an attacker gets the storage media where it is stored,
then measures must be taken to prevent recovery of the keyfile by the
attacker

there are four general ways to do this:

(1) the simplest:
just encrypt the keyfile, and decrypt it when necessary
(the problem is that this calls attention to itself, by having an
encrypted file present, and authorities can demand the key, or the
session key, and recover the file)

(2) the most secure, (but most tedious):
have a folder of 7776 small textfiles, each having a diceware word as
one of the filenames, and select a group of keyfiles the same way that
a diceware passphrase is selected
(the problem here is, that truecrypt keyfile selection does not behave
like word selection in a passphrase, since the order of selection of
keyfiles is not important, and a keyfile cannot be used more than once,
so, while a passphrase of 'r' diceware words has a complexity of
7776^r, a similarly constructed selection of keyfiles, has a
complexity of only
(7776 C r) = [(7776!) / (r!)([7776-r]!) ]

(btw, anyone want to provide a table of how many more keyfiles are
necessary for equivalent complexity?
i.e. to achieve a complexity of a 6, 10, or 20 diceware word
passphrase, how many diceware keyfiles would be necessary?)

(3) the gnupg signing way,
ideal, in that the keyfile is not present anywhere,
and cannot be constructed by anyone without the secret key,
and even if that is given up, the exact correct time needs to be used

(4) the workaround i use now,
(i think it's reasonably ok,
[electron microscopy file recovery is not in my threat model ;-)],
but i invite comments/criticism/suggestions):
create a textfile by copying a selected part of the gnupg manpage,
(present on the usb drive together with a gpg2go setup)
and then typing in a diceware passphrase on a separate line,
and using the resultant textfile as the keyfile,
and wiping it after use

tia,

vedaal

From johanw at vulcan.xs4all.nl Thu Dec 28 18:30:27 2006
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Thu, 28 Dec 2006 18:30:27 +0100 (MET)
Subject: gnupg clearsigning question
In-Reply-To: <20061228151453.EB2F72283E@mailserver9.hushmail.com>
Message-ID: <200612281730.kBSHURJv003552@vulcan.xs4all.nl>

vedaal at hush.com wrote:

>the issue is the 'keyfile'
[...]

Sounds rather complex. I've just started to encrypt my USB flashdrives
with TrueCrypt (main advantage is that it works both on Linux and
windows) but have chosen to use "normal" password-encrypted volumes.
What is the advantage of keyfiles?

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw at vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From vedaal at hush.com Thu Dec 28 21:20:41 2006
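Added example (not part of any post in this thread): the table vedaal asks for above, taking the post's own model as given, where an ordered diceware passphrase of r words has 7776^r possibilities and an unordered, non-repeating choice of m keyfiles out of 7776 has C(7776, m). The function names are this example's own.

```python
from math import comb, log2

POOL = 7776  # size of the diceware word list, as in the post


def passphrase_bits(words: int, pool: int = POOL) -> float:
    """Bits for an ordered passphrase with repetition allowed: pool**words."""
    return words * log2(pool)


def keyfile_bits(files: int, pool: int = POOL) -> float:
    """Bits for an unordered selection without repetition: C(pool, files)."""
    return log2(comb(pool, files))


def keyfiles_needed(words: int, pool: int = POOL) -> int:
    """Smallest number of keyfiles whose selection space is at least as
    large as that of a `words`-word passphrase drawn from the same pool."""
    target = pool ** words  # exact integers, so no rounding in the comparison
    # C(pool, m) only grows with m up to pool // 2, so the search stops there.
    for files in range(words, pool // 2 + 1):
        if comb(pool, files) >= target:
            return files
    raise ValueError("no selection from this pool reaches the target")


def table(word_counts=(6, 10, 20), pool: int = POOL):
    """Rows of (words, passphrase bits, keyfiles needed, keyfile bits)."""
    rows = []
    for words in word_counts:
        files = keyfiles_needed(words, pool)
        rows.append((words,
                     round(passphrase_bits(words, pool), 1),
                     files,
                     round(keyfile_bits(files, pool), 1)))
    return rows


if __name__ == "__main__":
    print("words  bits   keyfiles  bits")
    for words, pbits, files, kbits in table():
        print(f"{words:5d}  {pbits:5.1f}  {files:8d}  {kbits:5.1f}")
```

The cost of losing order and repetition grows with length: one extra keyfile covers a 6-word passphrase, three extra cover 10 words, and eight extra cover 20 words.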
From: vedaal at hush.com (vedaal at hush.com) Date: Thu, 28 Dec 2006 15:20:41 -0500 Subject: gnupg clearsigning question Message-ID: <20061228202042.77ADE22844@mailserver9.hushmail.com> Johan Wevers johanw at vulcan.xs4all.nl Thu Dec 28 18:30:27 CET 2006 wrote: > What is the advantage of keyfiles? it is a way of decrypting (allowing the truecrypt volume to be mounted) without using a passphrase, possibly avoiding issues of keyloggers, passphrase capturing, and concerns about memory ideally, a keyfile on a smartcard that would work with truecrypt, might provide the most secure option i defer to others more familiar with computer security for their opinions on whether or not there is any actual advantage over secure passphrase usage vedaal Concerned about your privacy? Instantly send FREE secure email, no account required http://www.hushmail.com/send?l=480 Get the best prices on SSL certificates from Hushmail https://www.hushssl.com?l=485 From blueness at gmx.net Thu Dec 28 22:14:31 2006 
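Added illustration (not from any poster, and not GnuPG's code) of David Shaw's point earlier in this thread: with the timestamp held fixed, an RSA signature over the same data repeats exactly, while DSA uses a fresh random value for every signature. The parameters are toy-sized, and the unpadded RSA and the `message || timestamp` hash input are simplifications chosen for this sketch; real OpenPGP signatures hash more fields than this.

```python
import hashlib
import secrets

# Toy parameters constructed for this example; far too small for real use.
RSA_P, RSA_Q = 2**31 - 1, 2**61 - 1           # two Mersenne primes
RSA_N = RSA_P * RSA_Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))

DSA_P, DSA_Q = 7879, 101                      # primes with q dividing p - 1
DSA_G = pow(3, (DSA_P - 1) // DSA_Q, DSA_P)   # generator of the order-q subgroup
DSA_X = 75                                    # private key
DSA_Y = pow(DSA_G, DSA_X, DSA_P)              # public key


def digest(message: bytes, created: int) -> int:
    """Hash the data together with a 32-bit signature creation time."""
    data = message + created.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def rsa_sign(message: bytes, created: int) -> int:
    """Deterministic: the output depends only on key, data and timestamp."""
    return pow(digest(message, created) % RSA_N, RSA_D, RSA_N)


def rsa_verify(message: bytes, created: int, sig: int) -> bool:
    return pow(sig, RSA_E, RSA_N) == digest(message, created) % RSA_N


def dsa_sign(message: bytes, created: int, k=None):
    """Randomized: a per-signature value k is drawn unless one is supplied."""
    h = digest(message, created) % DSA_Q
    while True:
        nonce = k if k is not None else secrets.randbelow(DSA_Q - 1) + 1
        r = pow(DSA_G, nonce, DSA_P) % DSA_Q
        s = pow(nonce, -1, DSA_Q) * (h + DSA_X * r) % DSA_Q
        if r and s:
            return r, s
        if k is not None:
            raise ValueError("this k gives r == 0 or s == 0; choose another")


def dsa_verify(message: bytes, created: int, sig) -> bool:
    r, s = sig
    if not (0 < r < DSA_Q and 0 < s < DSA_Q):
        return False
    w = pow(s, -1, DSA_Q)
    u1 = digest(message, created) % DSA_Q * w % DSA_Q
    u2 = r * w % DSA_Q
    v = pow(DSA_G, u1, DSA_P) * pow(DSA_Y, u2, DSA_P) % DSA_P % DSA_Q
    return v == r


def compare(message: bytes, created: int, rounds: int = 40) -> dict:
    """Sign the same data repeatedly and count distinct signatures."""
    rsa = {rsa_sign(message, created) for _ in range(rounds)}
    dsa = {dsa_sign(message, created) for _ in range(rounds)}
    return {
        "rsa_distinct": len(rsa),
        "dsa_distinct": len(dsa),
        "rsa_changes_with_time":
            rsa_sign(message, created) != rsa_sign(message, created + 1),
        "all_dsa_valid": all(dsa_verify(message, created, s) for s in dsa),
    }


if __name__ == "__main__":
    # Constructed sample input: file contents and a creation time in seconds.
    print(compare(b"one of the many textfiles on the usb", 1167243934))
```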
From: blueness at gmx.net (Mica Mijatovic) Date: Thu, 28 Dec 2006 22:14:31 +0100 Subject: gnupg clearsigning question In-Reply-To: <20061228151453.EB2F72283E@mailserver9.hushmail.com> References: <20061228151453.EB2F72283E@mailserver9.hushmail.com> Message-ID: <432660771.20061228221431@gmx.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA224 Was Thu, 28 Dec 2006, at 10:14:53 -0500, when vedaal at hush.com wrote: > (1) the simplest: > just encrypt the keyfile, and decrypt it when necessary > (the problem is that this calls attention to itself, by having an > encrypted file present, and authorities can demand the key, or the > session key, and recover the file) Put it into a TrueCrypt container (it has no "head[er]" nor a "tail" -- which is a good strategy for a possible future GPGDisk by the way, no matter who will make it) without extension, and you always may tell that you can't recall the password. It happens indeed now and then, so that it will not be suspicious much, and besides you may hint discretely that probably you can't recall it due to the stress they have exposed you to (whenever they frighten you, you forget a handful of passwords). Simplest things work best. Seriously. Acting insanity (or stupidness) in all this similar environment makes nothing suspicious, and thus the mimicry result shows as something quite natural and well composed in. We always should remember and find a resort in the fact that software has its (technical) limits, but the human mind (by default, at least) is limitless (having thus "all possibilities" at disposal). So this is a ground for an excellent and invincible strategy. - -- Mica ~~~ For personal mail please use my address as it is *exactly* given in my "From" field, otherwise it will not reach me. ~~~ GPG keys/docs/software at: http://blueness.port5.com/pgpkeys/ http://tronogi.tripod.com/pgp/pgpkeys/ Elevators smell different to midgets. 
-----BEGIN PGP SIGNATURE----- iQCZAwUBRZQf6QYWnlFQ1cE7AQs5OgQgr88DPEfe1DcLNepbiqW4R7nY+PHViHzd PeqK7i71W05wMsmbhPKUOqs+RO7DteeqpnADP96qj1o5tU9nM4RXCLcBViVH2M5D sx9XyphSa/zX242V+kxUKT9qrB3tYjZ0gySZhqC7tMX7OP2aC8gZn0K4jqUifW+u IBiWbEq8qd34WF6h =Zd7N -----END PGP SIGNATURE----- From luke at lukepowell.net Thu Dec 28 22:22:55 2006 From: luke at lukepowell.net (Luke Powell) Date: Thu, 28 Dec 2006 15:22:55 -0600 Subject: Signature notations? Message-ID: <459435AF.2000702@lukepowell.net> I recently had to revoke a uid and when I did I was asked to give a short notation about why I was revoking it. I'm curious as to how one views those notations. I tried using the following command: gpg --list-sigs --list-options\ show-unusable-uids,show-notations,show-sig-subpackets 7b4abdb3 but I didn't have any luck. Does anybody know if those notations are stored, and if so, how they can be read out? Thanks, Luke From dshaw at jabberwocky.com Fri Dec 29 02:28:14 2006 
From: dshaw at jabberwocky.com (David Shaw) Date: Thu, 28 Dec 2006 20:28:14 -0500 Subject: Signature notations? In-Reply-To: <459435AF.2000702@lukepowell.net> References: <459435AF.2000702@lukepowell.net> Message-ID: <20061229012814.GA17709@jabberwocky.com> On Thu, Dec 28, 2006 at 03:22:55PM -0600, Luke Powell wrote: > I recently had to revoke a uid and when I did I was asked to give a > short notation about why I was revoking it. I'm curious as to how one > views those notations. I tried using the following command: > > gpg --list-sigs --list-options\ > show-unusable-uids,show-notations,show-sig-subpackets 7b4abdb3 > > but I didn't have any luck. Does anybody know if those notations are > stored, and if so, how they can be read out? They're not notations, so the various methods of showing notations won't help you. The revocation reason is stored within the revocation signature, and is shown when a signature made by the revoked key or subkey is verified, or when decrypting a message encrypted to the revoked key or subkey. David From Hwy101y at Yahoo.com Fri Dec 29 01:35:42 2006 From: Hwy101y at Yahoo.com (Tom - Hwy101) Date: Thu, 28 Dec 2006 16:35:42 -0800 Subject: USB vs Smart Card? Message-ID: <459462DE.40200@Yahoo.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Can I use a USB instead of a Smart Card? Thanks, Tom -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFlGLc21btHJTHnM0RAtOaAJ95k4hyVXfVsSZ5B8TYAqBq+EIsZgCfUzBR tu4zD9J5YxceJDL2ryjdlrQ= =YOXg -----END PGP SIGNATURE----- From engage at n0sq.us Fri Dec 29 04:15:15 2006 
From: engage at n0sq.us (engage) Date: Thu, 28 Dec 2006 20:15:15 -0700 Subject: unable to find valid key for.... Message-ID: <200612282015.15939.engage@n0sq.us> I wasn't able to encrypt to someone even though their key is on my keyring. I get a message that no valid and trusted key could be found for the recipient. The key isn't revoked, not expired, and my signature is on his key. Can anyone explain this? Mandriva 2007, Kmail 1.9.4, gnupg-1.4.5-1.2mdv2007.0, gnupg2-1.9.22-2.2mdv2007.0 From mo at g10code.com Fri Dec 29 11:06:21 2006 From: mo at g10code.com (Moritz Schulte) Date: Fri, 29 Dec 2006 11:06:21 +0100 Subject: USB vs Smart Card? In-Reply-To: <459462DE.40200@Yahoo.com> References: <459462DE.40200@Yahoo.com> Message-ID: <1167386781.6282.10.camel@localhost.localdomain> > Can I use a USB instead of a Smart Card? Without further context this question does not make too much sense. USB sticks (i guess that is what you mean) are completely different from smartcards when it comes to security solutions. Surely it is possible to e.g. store secret keys on a USB stick and thus enforce the use of that device for secret operations. But what USB sticks do not provide you with is encapsulation of secret operations. Means: while it is possible to copy the secret key from your USB stick to the computer to which the device is connected, crypto smartcards (e.g. the OpenPGP smartcard) do never give out the secret key. The decrypt/sign operations are implemented in the card itself, access is protected with PINs. Moritz From joerg at schmitz-linneweber.de Fri Dec 29 13:29:10 2006 
From: joerg at schmitz-linneweber.de (Joerg Schmitz-Linneweber)
Date: Fri, 29 Dec 2006 13:29:10 +0100
Subject: USB vs Smart Card?
In-Reply-To: <1167386781.6282.10.camel@localhost.localdomain>
References: <459462DE.40200@Yahoo.com> <1167386781.6282.10.camel@localhost.localdomain>
Message-ID: <45950A16.9090906@schmitz-linneweber.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi!

Moritz Schulte wrote:
>> Can I use a USB instead of a Smart Card?
>
> Without further context this question does not make too much sense. USB
> sticks (i guess that is what you mean) are completely different from
> smartcards when it comes to security solutions.
> ...

Perhaps the OP meant some USB crypto token... (eg. "Aladdin eToken Pro")
There are such crypto tokens but most of them use something X.509
compatible (certificate based, PKCS#11).

If I remember correctly there exists a very small USB smartcard reader
which can be "paired" with a small form factor smartcard (like the "GSM"
ones) into one enclosure.
If you take a cutter and reduce the size of an OpenPGP card to the
mentioned size and find this particular reader *and* this reader is
supported by Gnupg... then you're done! :-)

Interesting link:
[http://csrc.nist.gov/publications/nistir/IR-7056/Capabilities/Jun-SmartCardTech.pdf]

Salut, Jörg

- --
gpg/pgp key # 0xd7fa4512
fingerprint 4e89 6967 9cb2 f548 a806 7e8b fcf4 2053 d7fa 4512
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFFlQoW/PQgU9f6RRIRAsv2AKCDjc7xju39sOjnrMInWieifyndRwCg4qDU
9/Wzl+XX0MY6I+0xXGJfvqc=
=yFoZ
-----END PGP SIGNATURE-----

From luke at lukepowell.net Fri Dec 29 16:20:19 2006
From: luke at lukepowell.net (Luke Powell) Date: Fri, 29 Dec 2006 09:20:19 -0600 Subject: Signature notations? In-Reply-To: <20061229012814.GA17709@jabberwocky.com> References: <459435AF.2000702@lukepowell.net> <20061229012814.GA17709@jabberwocky.com> Message-ID: <45953233.4090000@lukepowell.net> On 12/28/2006 07:28 PM, David Shaw wrote: > They're not notations, so the various methods of showing notations > won't help you. The revocation reason is stored within the revocation > signature, and is shown when a signature made by the revoked key or > subkey is verified, or when decrypting a message encrypted to the > revoked key or subkey. > In this case I revoked a uid rather than a key or subkey. Would the reason ever be shown for that scenario? Luke From Hwy101y at Yahoo.com Fri Dec 29 21:36:36 2006 From: Hwy101y at Yahoo.com (Tom - Hwy101) Date: Fri, 29 Dec 2006 12:36:36 -0800 Subject: USB vs Smart Card? In-Reply-To: <1167386781.6282.10.camel@localhost.localdomain> References: <459462DE.40200@Yahoo.com> <1167386781.6282.10.camel@localhost.localdomain> Message-ID: <45957C54.4080903@Yahoo.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > * * * You Guys are Wonderful! Thanks! Tom -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFlXxR21btHJTHnM0RAjGAAKCj/TSYNi/UqrsD7Lx7h1y/oDtOEACgigWO /s5n2ibFGbvGdHlM0DJdxDY= =3NVY -----END PGP SIGNATURE----- From rjh at sixdemonbag.org Fri Dec 29 21:57:11 2006 
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri, 29 Dec 2006 14:57:11 -0600 Subject: USB vs Smart Card? In-Reply-To: <1167386781.6282.10.camel@localhost.localdomain> References: <459462DE.40200@Yahoo.com> <1167386781.6282.10.camel@localhost.localdomain> Message-ID: <45958127.2050104@sixdemonbag.org> Moritz Schulte wrote: > Without further context this question does not make too much sense. USB > sticks (i guess that is what you mean) are completely different from > smartcards when it comes to security solutions. Yes and no. USB is just an interface specification. Depending on what's on the other end of the USB device, it could be completely equivalent to a smartcard. E.g., the Rainbow Technologies iKey 2000 is a smartcard that uses a USB interface. From wk at gnupg.org Tue Dec 26 10:16:21 2006 From: wk at gnupg.org (Werner Koch) Date: Tue, 26 Dec 2006 10:16:21 +0100 Subject: GnuPG Made Easy - docs? In-Reply-To: <200612241451.56516.ggrabler@gmail.com> (Georg Grabler's message of "Sun\, 24 Dec 2006 14\:51\:56 +0100") References: <200612241451.56516.ggrabler@gmail.com> Message-ID: <87d567qaoq.fsf@wheatstone.g10code.de> On Sun, 24 Dec 2006 14:51, ggrabler at gmail.com said: > I've tried to find a api documentation for the GnuPG Made Easy implementation. > I couldn't lookup the zip files, since the ftp servers seem down, at least i > can't reach them. info gpgme Shalom-Salam, Werner From wk at gnupg.org Fri Dec 29 22:18:34 2006 
From: wk at gnupg.org (Werner Koch)
Date: Fri, 29 Dec 2006 22:18:34 +0100
Subject: Issues w/Daylight Savings Time in 2007 ?
In-Reply-To: <459361E7.8030907@sixdemonbag.org> (Robert J. Hansen's message of "Thu\, 28 Dec 2006 00\:19\:19 -0600")
References: <20061227204208.GA11925@jabberwocky.com> <45935DCF.20706@sixdemonbag.org> <20061228061024.GB12450@jabberwocky.com> <459361E7.8030907@sixdemonbag.org>
Message-ID: <87psa29z9x.fsf@wheatstone.g10code.de>

On Thu, 28 Dec 2006 07:19, rjh at sixdemonbag.org said:

> Well, before the changeover happens, I'd appreciate it if a switch would
> be added to preserve the current behavior. Seconds since epoch is dead
> simple and very familiar to programmers, and I suspect it might be
> better for machine parsing.

I have no concrete plans for that change. With gpgsm we use an iso
based format for all internal timestamps because that is the only way
to get around the year 2038 problem as well as some other minor
problems. For X.509 this is required because there are real world
certificates valid for more than 30 years (I am not sure whether "real
world" is considered a joke for some CAs).

For OpenPGP the protocol uses seconds since epoch and internally we
handle it all as an unsigned 32 bit type so that we are protocol-wise
safe for another 100 years. Given that it is unlikely that on GNU
based systems time_t will be changed to 64 bit any time soon, we need
to do some internal cleanups in a few years and eventually change the
output format of the --with-colon listing. Of course, there will be
an option to enable a new format.

FWIW, gpgme automagically detects whether we are using seconds since
Epoch or ISO time. New programs using gpg directly might want to do
that additional check (and conversion) too to be prepared for the
future.

Shalom-Salam,

Werner

From bob at rsmits.ca Sat Dec 30 00:33:38 2006
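Added example (not gpgme's or GnuPG's code) of the check Werner describes above for programs that read gpg's colon listing directly: accept either seconds since Epoch or the ISO form and convert both to UTC. The `YYYYMMDDThhmmss` layout, its detection by the letter "T", and the field positions follow GnuPG's doc/DETAILS; the sample records and the key ID in them are constructed.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
MAX_OPENPGP_TIME = 2**32 - 1  # unsigned 32-bit seconds since Epoch

# Constructed sample records: the same key once with Epoch seconds and
# once with ISO timestamps in fields 6 (creation) and 7 (expiration).
SAMPLE_EPOCH = "pub:u:1024:17:0123456789ABCDEF:1167427114:1230499114::u:::scESC:"
SAMPLE_ISO = "pub:u:1024:17:0123456789ABCDEF:20061229T211834:20081228T211834::u:::scESC:"


def parse_gpg_time(field: str):
    """Convert one timestamp field to an aware UTC datetime.

    Returns None for an empty field (for example, a key that never expires).
    """
    if field == "":
        return None
    if "T" in field:
        # ISO 8601 basic format; the listing reports UTC.
        parsed = datetime.strptime(field, "%Y%m%dT%H%M%S")
        return parsed.replace(tzinfo=timezone.utc)
    if not (field.isascii() and field.isdigit()):
        raise ValueError(f"unrecognised timestamp field: {field!r}")
    seconds = int(field)
    if seconds > MAX_OPENPGP_TIME:
        raise ValueError(f"timestamp does not fit 32 bits: {field!r}")
    # Adding a timedelta avoids the platform time_t limits discussed above.
    return EPOCH + timedelta(seconds=seconds)


def key_times(record: str):
    """Return (created, expires) for a pub/sub/sec/ssb record."""
    fields = record.rstrip("\n").split(":")
    if fields[0] not in ("pub", "sub", "sec", "ssb"):
        raise ValueError(f"not a key record: {fields[0]!r}")
    if len(fields) < 7:
        raise ValueError("record is too short to carry timestamps")
    return parse_gpg_time(fields[5]), parse_gpg_time(fields[6])


if __name__ == "__main__":
    for record in (SAMPLE_EPOCH, SAMPLE_ISO):
        created, expires = key_times(record)
        print(created.isoformat(), expires.isoformat())
    # The two limits mentioned in the thread: signed and unsigned 32 bits.
    print(parse_gpg_time(str(2**31 - 1)).isoformat())
    print(parse_gpg_time(str(MAX_OPENPGP_TIME)).isoformat())
```

Because both forms are normalised to UTC before any comparison, local daylight saving rules never enter the result.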
From: bob at rsmits.ca (Robert Smits)
Date: Fri, 29 Dec 2006 15:33:38 -0800
Subject: Making Progress, Still having Bad Signatures.
Message-ID: <200612291533.51604.bob@rsmits.ca>

As some of you may know, I've been having bad signatures on my SuSE 10.1 KDE
install. I use Kontact/Kmail/Kgpg for mail. Messages I send to myself that
are gpg signed are coming back marked as having bad signatures. This occurs
whether or not the keys are exported to key servers.

I have experimented :

1. Using entirely new signatures created by kgpg.
2. Using signatures without pictures, in case the size of the pictures had an
   effect.
3. Using signatures created in Windows with PGP 8.1 and sent with Eudora (Win)

No matter what I do from the Linux side signatures are marked as bad when they
return from the server (I'm sending them to myself).

Messages with PGP 8.1 signatures from the Windows side come back just fine.
When I receive them in Kmail they are marked as good signatures.

Here is the discovery. When I look at mail in the sent box in kmail, the
signatures are marked as good signatures, but the sig id has changed. The key
signature has an id of 0x3E6E37DA when I look in the KGpg key management
window. When I look at the sent message it's marked with the following key:
0xECE5238D3E6E37DA. So, even though the key is green and says it has a good
signature, the key id has changed.

Since all the machines around here do this, and I have Suse 10.1 installed on
all three Linux boxes, and this behaviour occurs on all three, the next thing
I'm going to try is to install Kubuntu on a laptop to see if this occurs with
it, too. If it does, then it's got to be something in KDE, Kmail, Kontact,
KGpg etc.

I'll let the list know if I make any further progress.

Bob.

--
Bob Smits Email bob at rsmits.ca

From cpollock at earthlink.net Sat Dec 30 02:24:29 2006
From: cpollock at earthlink.net (Chris)
Date: Fri, 29 Dec 2006 19:24:29 -0600
Subject: gpg-agent directories in /tmp
Message-ID: <200612291924.50867.cpollock@earthlink.net>

I've got a bunch of directories in /tmp that are like this:

gpg-ZEMbnK:
total 0
srwxrwxr-x 1 chris chris 0 Aug 16 20:42 S.gpg-agent=

gpg-uo6rHn:
total 0
srwxrwxr-x 1 chris chris 0 Nov 23 2005 S.gpg-agent=

gpg-ukogMJ:
total 0
srwxrwxr-x 1 chris chris 0 Jul 8 22:45 S.gpg-agent=

gpg-t1Jcgi:
total 0
srwxrwxr-x 1 chris chris 0 May 14 2006 S.gpg-agent=

gpg-pI9dfK:
total 0
srwxr-xr-x 1 chris chris 0 Dec 29 18:28 S.gpg-agent=

gpg-Ojg1JY:
total 0

and so on, about 25 all together. What is their purpose and can they be safely
removed? What is the purpose of the S.gpg-agent socket file that is 0 bytes?

Thanks
Chris

--
Chris
http://learn.to/quote

From martin at linux-ip.net Sat Dec 30 05:37:25 2006
From: martin at linux-ip.net (Martin A. Brown)
Date: Fri, 29 Dec 2006 22:37:25 -0600
Subject: gpg-agent directories in /tmp
In-Reply-To: <200612291924.50867.cpollock@earthlink.net>
References: <200612291924.50867.cpollock@earthlink.net>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chris,

 : I've got a bunch of directories in /tmp that are like this:
 :
 : and so on, about 25 all together. What is their purpose and can
 : they be safely removed? What is the purpose of the S.gpg-agent
 : socket file that is 0 bytes?

Look for other UNIX sockets on your system. They should also have a filesize of 0 bytes [0].

There are probably better scripts than the attached for cleaning up the temporary socket files, but this will do the trick.

When you fire up gpg-agent, it creates a new mode 0700 directory in which to store the socket itself. When gpg-agent is allowed to exit gracefully, it should clean up its sockets (see atexit handler called cleanup in gpg-agent.c).

Best,

- -Martin

 [0] find /var /tmp -type s

- --
Martin A. Brown
http://linux-ip.net/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: pgf-0.72 (http://linux-ip.net/sw/pine-gpg-filter/)

iD8DBQFFle0KHEoZD1iZ+YcRAq2HAJ91H8i8C8L9Rj2ckDUpWoXn6mgT4QCgqWlk
0RklsF3nt280YdDIyUkVNko=
=Va0L
-----END PGP SIGNATURE-----
-------------- next part --------------
#! /bin/bash
#
# -- get rid of unwanted old gpg-agent directories, 2006-12-29; -MAB

DFLT_BASEDIR=/tmp
BASEDIR="$1"

# -- if the user did not specify a directory, assume that we are
#    pruning S.gpg-agent files found under /tmp
#
: "${BASEDIR:=$DFLT_BASEDIR}"

# -- left empty unless stdin is a terminal, so that rm never receives
#    a stray "0" as a file operand
#
VERBOSE=
test -t 0 && VERBOSE="--verbose"

# -- find all "S.gpg-agent" sockets under the "$BASEDIR"
#
find 2>/dev/null "$BASEDIR" -maxdepth 2 -type s -name S.gpg-agent \
  | while IFS= read -r file ; do

    # -- check to see if the file/socket is in use; if not, blow away the
    #    enclosing directory
    #
    fuser "$file" >/dev/null 2>&1 \
      || rm --recursive --force $VERBOSE -- "${file%/*}"

  done

# -- end of file

From mkallas at schokokeks.org Sat Dec 30 14:00:58 2006
From: mkallas at schokokeks.org (Michael Kallas)
Date: Sat, 30 Dec 2006 14:00:58 +0100
Subject: Making Progress, Still having Bad Signatures.
In-Reply-To: <200612291533.51604.bob@rsmits.ca>
References: <200612291533.51604.bob@rsmits.ca>
Message-ID: <4596630A.3080501@schokokeks.org>

Hi,

Robert Smits wrote:
> As some of you may know, I've been having bad signatures on my SuSE 10.1 KDE
> install. I use Kontact/Kmail/Kgpg for mail. Messages I send to myself that
> are gpg signed are coming back marked as having bad signatures.

This mail of yours was recognized with a valid signature.
I'm using Icedove 1.5.0.9 (ex-Thunderbird) with enigmail 2:0.94.1-1 on Debian unstable here.

[...]
> Here is the discovery. When I look at mail in the sent box in kmail, the
> signatures are marked as good signatures, but the sig id has changed.
>
> The key signature has an id of 0x3E6E37DA when I look in the KGpg key
> management window. When I look at the sent message it's marked with the
> following key: 0xECE5238D3E6E37DA.

This is exactly the same key, it's just the short or the long id.
If you want to check keys, short ids are not enough as there can be doubles. Long ids are practically unique.

Best wishes
Michael

--
Nobody can save your freedom but YOU - Become a fellow of the FSFE!
http://www.fsfe.org/en

From bob at rsmits.ca Sun Dec 31 20:20:56 2006
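The short-versus-long key ID point in the reply above, as an added example that is not part of the thread: it checks whether two identifiers can name the same key and reports short-ID collisions among long IDs. It assumes v4 keys, where the long ID is the last 16 hex digits of the fingerprint and the short ID the last 8; the function names are hypothetical and the colliding ID is constructed.

```python
import re
from collections import defaultdict

# Hex digits in a short ID, a long ID and a v4 fingerprint.
VALID_LENGTHS = (8, 16, 40)


def normalize(key_id):
    """Drop whitespace and a leading 0x, upper-case, and validate."""
    hexid = re.sub(r"\s+", "", key_id).upper()
    if hexid.startswith("0X"):
        hexid = hexid[2:]
    if len(hexid) not in VALID_LENGTHS or not re.fullmatch(r"[0-9A-F]+", hexid):
        raise ValueError(f"not a short ID, long ID or v4 fingerprint: {key_id!r}")
    return hexid


def may_be_same_key(a, b):
    """True if the shorter identifier is the tail of the longer one.

    An 8-digit match is only a hint: different keys can share a short ID.
    """
    shorter, longer = sorted((normalize(a), normalize(b)), key=len)
    return longer.endswith(shorter)


def short_id_collisions(key_ids):
    """Map each short ID to the distinct long IDs that share it (2 or more)."""
    groups = defaultdict(set)
    for key_id in key_ids:
        hexid = normalize(key_id)
        if len(hexid) < 16:
            raise ValueError("need long IDs or fingerprints to tell keys apart")
        groups[hexid[-8:]].add(hexid[-16:])
    return {s: sorted(ids) for s, ids in groups.items() if len(ids) > 1}


if __name__ == "__main__":
    kgpg_view = "0x3E6E37DA"            # shown in the KGpg key manager (from the thread)
    kmail_view = "0xECE5238D3E6E37DA"   # shown on the sent message (from the thread)
    other_key = "0x111111113E6E37DA"    # constructed: different key, same short ID

    print(may_be_same_key(kgpg_view, kmail_view))  # same tail: consistent with one key
    print(may_be_same_key(kgpg_view, other_key))   # the short ID matches this one too
    print(may_be_same_key(kmail_view, other_key))  # the long IDs tell them apart
    print(short_id_collisions([kmail_view, other_key]))
```

With GnuPG itself, `gpg --keyid-format long --list-keys` prints the long IDs, and `gpg --fingerprint` the full fingerprints to compare.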
From: bob at rsmits.ca (Robert Smits)
Date: Sun, 31 Dec 2006 11:20:56 -0800
Subject: Still Bad Signatures - KGPG seems broken
Message-ID: <200612311121.12703.bob@rsmits.ca>

I've been trying for some time to figure out why messages from me that are gpg signed come back to me with the signature marked bad.

I run three different computers all with SuSE 10.1, and use KMail/Kontact/Kgpg for all my email.

Whenever I send my own signature to either a mailing list or to myself, the signature comes bad with red banners marked bad. When I look in the sent mail box on Kmail, the same message is marked as having a good signature. This occurs no matter which machine I send it from, my work computer, my home desktop or my laptop.

I discovered that I could send a PGP signature from a Windows partition using Eudora/PGP 8.1 and the signature comes through marked as good.

I've even tried back levelling Suse to version 10.0 but I get exactly the same results as with SuSe 10.1.

Since I can send a message from the Windows Partition through my ISP and I can receive it on either my Linux partition or my Windows partition with a good signature I come to the conclusion that the ISP isn't doing anything bad to the email, but that it has something to do with what happens to it when I send it.

I wonder if anyone else with a similar setup (Suse 10.1/Kmail/Kontact/Kgpg) can try sending themselves a signed email and see if this problem is systemic or mine alone.

Bob
--
Bob Smits   Ph 250-245-2553   Fax 250-245-5531   E-mail bob at rsmits.ca

From mkallas at schokokeks.org Fri Dec 29 10:42:57 2006
From: mkallas at schokokeks.org (Michael Kallas)
Date: Fri, 29 Dec 2006 10:42:57 +0100 (CET)
Subject: unable to find valid key for....
In-Reply-To: <200612282015.15939.engage@n0sq.us>
References: <200612282015.15939.engage@n0sq.us>
Message-ID: <20592.164.61.12.28.1167385377.squirrel@mail.schokokeks.org>

Hi,

engage wrote:
> I wasn't able to encrypt to someone even though their key is on my
> keyring. I get a message that no valid and trusted key could be found for
> the recipient.

Maybe you try to write to another email address of the same person that's not listed in the key?

Best wishes
Michael

--
Nobody can save your freedom but YOU - become a fellow of the FSFE!
http://www.fsfe.org/en

From arno. at no-log.org Sun Dec 31 23:20:39 2006
From: arno. at no-log.org (arno.)
Date: Sun, 31 Dec 2006 23:20:39 +0100
Subject: gpg-agent: hide my passphrase length
Message-ID: <20061231222038.GA6653@localhost.localdomain>

Hi,

I just discovered gpg-agent and it's useful to type my passphrase less often.

Without gpg-agent, when gpg prompts me for a passphrase, it does not display the number of characters I type. But when I enter my passphrase in gpg-agent, a star is displayed for every letter I type (I use pinentry-curses as a backend). So, I feel less secure. It may not be so important, but I don't like it when people can see the length of my passwords.

I looked for a way to change that behaviour, but found none. Do you know of a solution?

thanks a lot
arno