From venona at gmx.ch Sun Jan 1 11:41:24 2006 From: venona at gmx.ch (venona@gmx.ch) Date: Sun Jan 1 13:14:37 2006 Subject: GnuPG --edit-key, help req. In-Reply-To: References: Message-ID: <20060101193125.1EF8.VENONA@gmx.ch> On Wed, 28 Dec 2005 00:36:03 +0530 Nicky wrote: > What does the usage letters mean in the key listing? > usage: CS > usage: SEA > What does SEA stand for? I think S and E stand for Signing and Encryption > respectively but what about A and C? A: Authentication C: Certification From dshaw at jabberwocky.com Sun Jan 1 18:27:10 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Sun Jan 1 18:26:52 2006 Subject: Smart card signing failure In-Reply-To: <43B66425.2050901@excelcia.org> References: <43B5C9BF.5090807@excelcia.org> <43B66425.2050901@excelcia.org> Message-ID: <20060101172710.GA16672@jabberwocky.com> On Sat, Dec 31, 2005 at 03:57:41AM -0700, Kurt Fitzner wrote: > I have solved my own problem. If the gpg.conf has a setting for > personal-digest-preferences, and if an algo that is supported by a > smartcard is not first in the list, then GnuPG will fail with any > signing operation made with a smartcard. > > For example, my gpg.conf setting was: > > personal-digest-preferences SHA256 SHA384 SHA512 > > This was causing gnupg to fail with all signing operations. I don't > know whether or not this is a bug, or just an error message that is too > cryptic. A little of both. GPG should give a better error message if you try to sign with a hash the card does not support, but personal-digest-preferences should not have selected a hash that the card doesn't support in the first place. Fixed for 1.4.3, thanks! David From kfitzner at excelcia.org Sun Jan 1 20:57:27 2006 From: kfitzner at excelcia.org (Kurt Fitzner) Date: Sun Jan 1 20:58:01 2006 Subject: Smartcard questions Message-ID: <43B83427.8030305@excelcia.org> I am still getting used to working with the OpenPGP smartcards, and I have a few questions: 1) Is it possible to erase one? For example, if a set of three keys has been generated on the card, and if later that card is going to be used for one or two subkeys, can the unused keys on the card be erased? It would be nice to return the card to an unused state for reuse. 2) Is it possible to export only the smartcard private key stubs from a normal RSA key pair that has smartcard subkeys? In other words, once I have made smartcard subkeys of a regular RSA key, and once they are on the card, how can I use the card on another PC without transporting the full master secret key? 3) Is it possible to set the private DO 1 and DO 2 fields to anything? 4) Is the card serial number stored in the keyring? Can GnuPG be configured to ask for the correct card when there is no card inserted, rather than just when the wrong card is inserted? 5) Related to 4, is it possible to use GnuPG to query for the serial number of the card associated with a key? I would like to make GPGee able to ask for a card when one is needed, but don't know how to find out which card to prompt for. Any information would be muchly appreciated. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 372 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060101/2b7f8a64/signature.pgp From widhalmt at unix.sbg.ac.at Mon Jan 2 10:23:33 2006 From: widhalmt at unix.sbg.ac.at (Thomas Widhalm) Date: Mon Jan 2 10:24:11 2006 Subject: Using gpg in larger scale at a University In-Reply-To: <43B87BFC.6020600@gnupg.org> References: <200512222206.24946.widhalmt@unix.sbg.ac.at> <43B87BFC.6020600@gnupg.org> Message-ID: <1136193813.7538.1.camel@ralph.edvz.sbg.ac.at> Thanks for the notice. I saw my messages appearing some days after I sent them. This looks rather strange to me as I would expect my messages not appearing to me but not getting delivered with a delay of some days. Regards, Thomas On Mon, 2006-01-02 at 02:03 +0100, GnupgUser wrote: > Thomas Widhalm wrote: > > >Hi! > > > >I already sent this email twice to this mailinglist, but it didn't appear at > >my mailserver, so I assume it didn't reach any of you. > > > > > Both of your eMails have appeared on the list, maybe the mailinglist > server is configured in a way that you don't receive your own posts. > > Chris. -- ***************************************************************** * Thomas Widhalm Unix Administrator * * University of Salzburg ITServices (ITS) * * Systems Management Unix Systems * * Hellbrunnerstr. 34 5020 Salzburg, Austria * * widhalmt@unix.sbg.ac.at +43/662/8044-6774 * * gpg: 6265BAE6 * * http://www.sbg.ac.at/zid/organisation/mitarbeiter/widhalm.htm * ***************************************************************** -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : /pipermail/attachments/20060102/50c72af7/attachment-0001.pgp From wk at gnupg.org Mon Jan 2 14:37:44 2006 From: wk at gnupg.org (Werner Koch) Date: Mon Jan 2 14:42:25 2006 Subject: using gpgsm In-Reply-To: <20051229145243.ritwptqpwk4k4s88@www.milivojevic.org> (Aleksandar Milivojevic's message of "Thu, 29 Dec 2005 14:52:43 -0600") References: <20051221142326.2t6o7ivrtwkg08og@www.milivojevic.org> <87ek423apq.fsf@wheatstone.g10code.de> <20051229145243.ritwptqpwk4k4s88@www.milivojevic.org> Message-ID: <87d5jau4wn.fsf@wheatstone.g10code.de> On Thu, 29 Dec 2005 14:52:43 -0600, Aleksandar Milivojevic said: > was able to import PKCS#12 file. Might be good idea if configure script was > checking if pinentry is installed and complaining if it wasn't, like for other That creates a dependency which is not needed in all cases. Certain server applications don't need the pinentry. It is matter of the packing system to decribe pinentry as a dependecy but not one of configure. > $ openssl x509 -noout -text -in test.crt > Subject: C=CA, ST=Quebec, L=Montreal, > O=\x00T\x00e\x00s\x00t\x00_\x00I\x00m\x00p\x00r\x00i\x00m\x00e\x00u\x00r, That looks much like a double wide character encoding (ucs2 ?) and for sure is no utf-8. gpgsm is able to convert certain encodings but not all of them. Check out libksba/src/dn.c:append_atv. It is possible that there is a bug in the implementation (append_ucs2_value). > BTW, the certificate in this example is almost unselectable using > gpgsm. The CN > is in UTF-8, but when I looked closer into it, it doesn't really contain any > non-US-ASCII characters. It just reads "Test_Imprimeur" (just remove > all those > "\x00"). However if I do 'gpgsm --list-keys CN=Test_Imprimeur', nothing is > displayed. Same reason as above. Can you please run dumpasn1 on the certificate as created by OpenSSL and check the encoding of the "O" RDN? Shalom-Salam, Werner From wk at gnupg.org Mon Jan 2 14:44:04 2006 From: wk at gnupg.org (Werner Koch) Date: Mon Jan 2 14:47:22 2006 Subject: using passphrase with special chars on Windows In-Reply-To: <43B0A533.4080309@debian.org> (Philipp Kern's message of "Tue, 27 Dec 2005 03:21:39 +0100") References: <43AD18A9.60806@gmx.li> <43B0A533.4080309@debian.org> Message-ID: <878xtyu4m3.fsf@wheatstone.g10code.de> On Tue, 27 Dec 2005 03:21:39 +0100, Philipp Kern said: > You certainly encounter charset problems. On Linux you use either > ISO-8859-1 or UTF-8 on your terminal. On Windows... Well I don't know > but I recall something Windows specific. You should change the Further there is a bug in the windows version and we are not yet sure howto fix it without breaking all exiting passphrases created on Windows. Given that there are only a few complaints it is probably best not do change anything. This is however something for the FAQ. Change the passphrase on Windows using only ascii characters and keep on using it this way to avoid further trouble if something with your Unix locale is wrong. Salam-Shalom, Werner From wk at gnupg.org Mon Jan 2 14:46:59 2006 From: wk at gnupg.org (Werner Koch) Date: Mon Jan 2 14:52:22 2006 Subject: failure notice In-Reply-To: <1106152097.20051224144923@gmx.net> (Mica Mijatovic's message of "Sat, 24 Dec 2005 14:49:23 +0100") References: <1106152097.20051224144923@gmx.net> Message-ID: <871wzqu4h8.fsf@wheatstone.g10code.de> On Sat, 24 Dec 2005 14:49:23 +0100, Mica Mijatovic said: > : > 217.69.77.222_failed_after_I_sent_the_message./Remote_host_said:_550_Administrative_prohibition/ The sending host is on one of the blacklists or the message has been rejected due to other reasons. Without more information I can't tell the problem. Shalom-Salam, Werner From wk at gnupg.org Mon Jan 2 14:52:24 2006 From: wk at gnupg.org (Werner Koch) Date: Mon Jan 2 14:57:21 2006 Subject: PKA In-Reply-To: <20051227004429.GA1388@sky.schizandra.ru> (Pawel Shajdo's message of "Tue, 27 Dec 2005 03:44:29 +0300") References: <20051227004429.GA1388@sky.schizandra.ru> Message-ID: <87wthispnr.fsf@wheatstone.g10code.de> On Tue, 27 Dec 2005 03:44:29 +0300, Pawel Shajdo said: > What is PKA? Just have found in manual unknown words... Public Key Association Yeah, I know that I should write a paper on this. There is only a simplepresentation on what PKA tries to solve (ftp://ftp.g10code.com/people/werner/talks/pka-intro.ps.gz) Salam-Shalom, Werner From wk at gnupg.org Mon Jan 2 14:58:37 2006 From: wk at gnupg.org (Werner Koch) Date: Mon Jan 2 15:02:31 2006 Subject: Reimporting key into gpgsm In-Reply-To: <200512271716.08017.widhalmt@unix.sbg.ac.at> (Thomas Widhalm's message of "Tue, 27 Dec 2005 17:16:07 +0100") References: <200512271716.08017.widhalmt@unix.sbg.ac.at> Message-ID: <87sls6spde.fsf@wheatstone.g10code.de> On Tue, 27 Dec 2005 17:16:07 +0100, Thomas Widhalm said: > simple one. I deleted my whole keyring.kbx file and imported all anew but the keyring.kbx only contains public keys (aka certificates). The private keys are in ~/.gnupg/private-keys-v1.d/. To locate the actual used private key you best run gpgsm --dump-key userID Which will give you something like Serial number: 01509C Issuer: 1.2.840.113549.1.9.1=#737570706F7274406361636572742E6F7267,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA Subject: CN=trithemius.gnupg.org aka: (8:dns-name13:www.gnupg.org) aka: (8:dns-name15:lists.gnupg.org) aka: (8:dns-name14:bugs.gnupg.org) sha1_fpr: ED:05:C9:FD:A2:BB:57:F1:38:9D:61:C0:46:C9:9D:8A:AF:08:C7:24 md5_fpr: EF:35:35:ED:6F:C7:64:1B:27:7A:7B:66:69:11:39:91 keygrip: F6730C230858070D2DCCB448C3994DF8B4225946 notBefore: 2005-07-21 16:51:43 notAfter: 2007-07-21 16:51:43 hashAlgo: 1.2.840.113549.1.1.4 (md5WithRSAEncryption) keyType: 1024 bit RSA subjKeyId: [none] authKeyId: [none] keyUsage: digitalSignature keyEncipherment extKeyUsage: clientAuth (suggested) serverAuth (suggested) serverGatedCrypto.ns (suggested) serverGatedCrypto.ms (suggested) policies: [none] chainLength: not a CA crlDP: [none] authInfo: 1.3.6.1.5.5.7.48.1 http://ocsp.cacert.org subjInfo: [none] extn: 1.3.6.1.5.5.7.1.1 (authorityInfoAccess) [38 octets] Now take the keygrip line and you will find the key ay ~/.gnupg/private-keys-v1.d/F6730C230858070D2DCCB448C3994DF8B4225946.key To view the private key you may use /usr/local/libexec/gpg-protect-tool FILE pgp-protect-tool might be installed under lib on your system. > issue stays the same. Could anyone help me changing my passphrase within gpgsm --passwd Shalom-Salam, Werner From wk at gnupg.org Mon Jan 2 15:01:45 2006 From: wk at gnupg.org (Werner Koch) Date: Mon Jan 2 15:07:25 2006 Subject: verify CHV1 failed - not able to sign In-Reply-To: <20051230171155.GD12218@mbwg.de> (Matthias Kirschner's message of "Fri, 30 Dec 2005 18:11:55 +0100") References: <20051230171155.GD12218@mbwg.de> Message-ID: <87oe2usp86.fsf@wheatstone.g10code.de> On Fri, 30 Dec 2005 18:11:55 +0100, Matthias Kirschner said: > Here on the machine GnuPG 1.4.2rc1 is installed. > I am running Debian sarge. And the only change I can think of was > running aptitude update and upgrade during the last days. What does gpg --card-status tell you? Are the retry counters all the same or is the firsdtone at zero? You may want to run the signing operation with --debug 2048 and send me the output. Jabber is fine. Salam-Shalom, Werner From wk at gnupg.org Mon Jan 2 15:13:41 2006 From: wk at gnupg.org (Werner Koch) Date: Mon Jan 2 15:17:22 2006 Subject: Smartcard questions In-Reply-To: <43B83427.8030305@excelcia.org> (Kurt Fitzner's message of "Sun, 01 Jan 2006 12:57:27 -0700") References: <43B83427.8030305@excelcia.org> Message-ID: <87k6disooa.fsf@wheatstone.g10code.de> On Sun, 01 Jan 2006 12:57:27 -0700, Kurt Fitzner said: > 1) Is it possible to erase one? For example, if a set of three keys has > been generated on the card, and if later that card is going to be used > for one or two subkeys, can the unused keys on the card be erased? It > would be nice to return the card to an unused state for reuse. It is on my todo list. The way it will work is by storing a dummy key on the card (which erases the old one) and to clear the fingerprint. > 2) Is it possible to export only the smartcard private key stubs from a > normal RSA key pair that has smartcard subkeys? In other words, once I > have made smartcard subkeys of a regular RSA key, and once they are on > the card, how can I use the card on another PC without transporting the > full master secret key? If the key is missing a stub should be created automagically if you run gpg --card-status on the other machine. > 3) Is it possible to set the private DO 1 and DO 2 fields to anything? /* Note, that we do not announce this command yet. */ { "privatedo", cmdPRIVATEDO, 0, NULL }, On the --card-edit prompt enter: privatedo N and you will be asked for the value or privatedo N < FILE and the data will be taken from FILE - useful for binary data. This redirection works also with the login command. > 4) Is the card serial number stored in the keyring? Can GnuPG be > configured to ask for the correct card when there is no card inserted, > rather than just when the wrong card is inserted? Yes, this should work when using the pinentry. On Windows you need check the status code yourself: CARDCTRL [] This is used to control smartcard operations. Defined values for WHAT are: 1 = Request insertion of a card. Serialnumber may be given to request a specific card. 2 = Request removal of a card. 3 = Card with serialnumber detected 4 = No card available. 5 = No card reader available > 5) Related to 4, is it possible to use GnuPG to query for the serial > number of the card associated with a key? I would like to make GPGee > able to ask for a card when one is needed, but don't know how to find > out which card to prompt for. See above. Shalom-Salam, Werner From mk at fsfe.org Mon Jan 2 17:31:47 2006 From: mk at fsfe.org (Matthias Kirschner) Date: Mon Jan 2 17:34:12 2006 Subject: verify CHV1 failed - not able to sign In-Reply-To: <87oe2usp86.fsf@wheatstone.g10code.de> References: <20051230171155.GD12218@mbwg.de> <87oe2usp86.fsf@wheatstone.g10code.de> Message-ID: <20060102163147.GK13516@mbwg.de> Hello Werner, * Werner Koch [2006-01-02 15:01:45 +0100]: > On Fri, 30 Dec 2005 18:11:55 +0100, Matthias Kirschner said: > > > Here on the machine GnuPG 1.4.2rc1 is installed. > > I am running Debian sarge. And the only change I can think of was > > running aptitude update and upgrade during the last days. > > What does > > gpg --card-status > > tell you? Are the retry counters all the same or is the firsdtone at > zero? Yes, that was the problem: PIN retry counter : 0 3 3 I unblocked it and now it works again. Thank you very much, Matze -- Join the Fellowship and protect your freedom! (http://www.fsfe.org) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 310 bytes Desc: Digital signature Url : /pipermail/attachments/20060102/4c00139b/attachment.pgp From jeroen at unfix.org Mon Jan 2 16:29:22 2006 From: jeroen at unfix.org (Jeroen Massar) Date: Mon Jan 2 18:04:10 2006 Subject: PKA In-Reply-To: <87wthispnr.fsf@wheatstone.g10code.de> References: <20051227004429.GA1388@sky.schizandra.ru> <87wthispnr.fsf@wheatstone.g10code.de> Message-ID: <43B946D2.1020604@unfix.org> Werner Koch wrote: > On Tue, 27 Dec 2005 03:44:29 +0300, Pawel Shajdo said: > >> What is PKA? Just have found in manual unknown words... > > Public Key Association > > Yeah, I know that I should write a paper on this. There is only a > simplepresentation on what PKA tries to solve > (ftp://ftp.g10code.com/people/werner/talks/pka-intro.ps.gz) I just have to mention that I like this idea a *LOT*. It also aligns quite well with what I had in mind for it. Of course repudiation folks will not like PGP signed messages at all as they can't say anymore that they didn't write it ;) I thought a bit about the deployment, fingerprints fortunately don't change (much), (DNS) caching is thus not a problem either. The uri= field is only used to get the key when one doesn't have it yet. Thus a single TXT lookup per the single source address is efficient and gets cached. Thus this should work pretty well. DNS folks will not like it though as DNS will be used as a generic directory and they claim it to not be one, though there are numerous examples that it is. One concern though is for folks who can't configure their dns and having providers of this system not wanting to do it, for various reasons. Would it be a good thing to have, say ._pka.verified.gnupg.org where these folks can register eg user.example.org._pka.verified.gnupg.org ? gpg could then check first if the domain itself has records, if it doesn't have _pka. at all it can be configured to fall back to the verified domain. The latter can be automated quite well with a webinterface that mails folks with a unique code to verify them, similar to biglumber. DNS + Web resource is the only issue here though, but I guess there will be enough offers to host such a dns server to overcome this. This service can then also be a public code which allows folks to have a reference to how they can set it up for their own domain. Using PowerDNS to interface directly with SQL comes to my mind. What values can be stuck in the uri field? hkp and http seem to map both to hkp. Both don't support HTTP/1.1's Host: header, which would limit running a HKP/HTTP keyserver for only one virtual host, thus excluding most simple hosts. Another idea here would be to support https, then one also knows that the server one fetches the key from is really authoritative, DNS, with DNSSEC, points to the server and the server has a valid certificate, thus the key must be valid (unless the box is compromised). Having a non-TXT record for this would also be very useful, though the difference with a TXT record won't be too much I guess. I would suggest changing the format of the TXT record though for this purpose into: "1;A4D94E92B0986AB5EE9DCD755DE249965B0358A2;finger:wk@example.com" (64 bytes) Skipping the 'tags', if there are new tags to be added, upgrade the version number or make the fourth field contain a tag to do so. The difference then with a special DNS RR is almost gone: [version] [fingerprint-length] [fingerprint] [uri-length] [uri] 01 28 A4 D9 4E 92 B0 98 6A B5 EE 9D CD 75 5D E2 49 96 5B 03 58 A2 15 finger:wk@example.com which is a total of 63 bytes (did I count correctly?) he length fields, making parsing easier, where formerly the separator tags. The version number can also be skipped entirely if there is a decision that this is all we need. Which most likely is the case for the purpose of this record. Any additional data can be fetched from the URI. BTW is there a more "static" version of PKA documentation available than the http://lists.gnupg.org/pipermail/gnupg-devel/2005-August/022254.html message? A "How to set it up and use it" document would be nice, I think I get & understand most of the concept thus if you want me to submit something just yell. BTW2, someone should update http://www.gnupg.org/(en)/download/cvs_access.html to not point to CVS but the subversion repos... Greets, Jeroen -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 238 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060102/9e1d7147/signature-0001.pgp From kfitzner at excelcia.org Tue Jan 3 02:06:15 2006 From: kfitzner at excelcia.org (Kurt Fitzner) Date: Tue Jan 3 02:05:53 2006 Subject: Using gpg in larger scale at a University In-Reply-To: <200512222206.24946.widhalmt@unix.sbg.ac.at> References: <200512222206.24946.widhalmt@unix.sbg.ac.at> Message-ID: <43B9CE07.6040808@excelcia.org> The good news is that Werner is very serious about good Windows support for GnuPG. He has started the gpg4win project to collect together all the Windows front ends and plugins under one installer. The bad news is that this is a work in progress. Thomas Widhalm wrote: > I need a plugin for Outlook which support gpg/MIME and maybe inline gpg. (Not > Gdata, this didn't work out) There is a new Outlook plugin called GPGol that is part of that gpg4win project. Werner himself is writing it. It's loosely based on the old GData plugin - essentially a rewrite of it. I don't use Outlook myself (thank heavens I don't have to), so I can't tell you what the current state is. Back in September when he first announced it, it apparently worked with Outlook 2003, but not Outlook 2000. You can find it currently at: ftp://ftp.g10code.com/g10code/gpgol/ > I think it would be a good idea to create a CA. How to achieve that? How to > keep the key save? Is just one person the CA, or a bunch of people? What if > someone leaves us? What if an employee leaves, loses his email address but > still has a signature. Should we revoke it? You are mixing up questions about security policy with questions about policy implimentation. I hope I'm not stepping on any toes here, but I think I should suggest that this isn't the place to look for advice on security policy. You might get good advice - but then again, you might get the most dangerous type of advice there is: advice that sounds logical, that seems to make sense, from someone who is generally technically competant, but that has a nonobvious flaw in it that will come back to haunt you. I'll tell you right now, I'm one of those people. I'm a project manager, a good programmer, I use GnuPG and have written software for it, but I'm not a security consultant. There are ISO standards for this sort of thing - standards that specify what a computer that holds a certificate authority's keys can and can't be hooked to, who can hold the passphrases and tokens, key length, and so forth. If you really are serious and want to have a good security policy, you should talk to someone who knows these standards. > Is it possible/useful to create an own keyserver which synchronises with the > official ones? How to do that? Yes, this is possible. I can't tell you if it would be useful as that is based on your security policy and users' requirements. If the group of people who will be using the server need keys for people who don't use your server (people in the general OpenPGP community), then it would be useful. My understanding is that not all keyservers synchronize together - there are groups that synchronize with each other, but are otherwise self contained. You would have to contact the maintainers of any particular group in order to find out what their requirements are for joining. Probably the easiest way to find this out is to email the contact person for a particular server that you know is in the group you want to join. Hope this helps. Kurt. From Gnupg-users at gnupg.org Mon Jan 2 02:03:56 2006 From: Gnupg-users at gnupg.org (GnupgUser) Date: Tue Jan 3 11:20:59 2006 Subject: Using gpg in larger scale at a University In-Reply-To: <200512222206.24946.widhalmt@unix.sbg.ac.at> References: <200512222206.24946.widhalmt@unix.sbg.ac.at> Message-ID: <43B87BFC.6020600@gnupg.org> Thomas Widhalm wrote: >Hi! > >I already sent this email twice to this mailinglist, but it didn't appear at >my mailserver, so I assume it didn't reach any of you. > > Both of your eMails have appeared on the list, maybe the mailinglist server is configured in a way that you don't receive your own posts. Chris. From robert at robert.cz Tue Jan 3 11:18:07 2006 From: robert at robert.cz (RobertCZ) Date: Tue Jan 3 13:33:58 2006 Subject: thunderbird/enigmail install problem: invalid config Message-ID: <43BA4F5F.502@robert.cz> hello, i'm trying to install latest enigmail/gpg following the instructions at enigmail website http://enigmail.mozdev.org/gpgconf.html but after gpg --gen-key i get only this error C:\Documents and Settings\Germic>gpg --gen-key gpg: C:/Documents and Settings/Germic/Data aplikac?/gnupg\gpg.conf:0: argument not expected | thanks for your help - robert ps. my gpg.conf looks like this (exactly as recomended in the instructions above) default-recipient-self keyserver random.sks.keyserver.penguin.de default-cert-check-level 3 keyserver-options auto-key-retrieve include-subkeys no-mangle-dos-filenames no-secmem-warning # uncomment if you need IDEA, see http://www.gnupg.org/why-not-idea.html # load-extension Lib\idea From alex at milivojevic.org Tue Jan 3 17:09:09 2006 From: alex at milivojevic.org (Aleksandar Milivojevic) Date: Tue Jan 3 17:09:38 2006 Subject: using gpgsm In-Reply-To: <87d5jau4wn.fsf@wheatstone.g10code.de> References: <20051221142326.2t6o7ivrtwkg08og@www.milivojevic.org> <87ek423apq.fsf@wheatstone.g10code.de> <20051229145243.ritwptqpwk4k4s88@www.milivojevic.org> <87d5jau4wn.fsf@wheatstone.g10code.de> Message-ID: <20060103100909.cucqvyiw8o4wk0w4@www.milivojevic.org> Quoting Werner Koch : > On Thu, 29 Dec 2005 14:52:43 -0600, Aleksandar Milivojevic said: > >> was able to import PKCS#12 file. Might be good idea if configure script was >> checking if pinentry is installed and complaining if it wasn't, like >> for other > > That creates a dependency which is not needed in all cases. Certain > server applications don't need the pinentry. It is matter of the > packing system to decribe pinentry as a dependecy but not one of > configure. OK, I see... makes sense. However, maybe a warning message should be given. Something like that paragraph from README file that references pinentry (after all, most folks will simply fire up "./configure" without reading README file). >> $ openssl x509 -noout -text -in test.crt >> Subject: C=CA, ST=Quebec, L=Montreal, >> O=\x00T\x00e\x00s\x00t\x00_\x00I\x00m\x00p\x00r\x00i\x00m\x00e\x00u\x00r, > > That looks much like a double wide character encoding (ucs2 ?) and for > sure is no utf-8. gpgsm is able to convert certain encodings but not > all of them. Check out libksba/src/dn.c:append_atv. It is possible > that there is a bug in the implementation (append_ucs2_value). > >> BTW, the certificate in this example is almost unselectable using >> gpgsm. The CN >> is in UTF-8, but when I looked closer into it, it doesn't really contain any >> non-US-ASCII characters. It just reads "Test_Imprimeur" (just remove >> all those >> "\x00"). However if I do 'gpgsm --list-keys CN=Test_Imprimeur', nothing is >> displayed. > > Same reason as above. Can you please run dumpasn1 on the certificate > as created by OpenSSL and check the encoding of the "O" RDN? Hmmm... I've installed dumpasn1. Got: 271 37: SET { 273 35: SEQUENCE { 275 3: OBJECT IDENTIFIER organizationName (2 5 4 10) 280 28: BMPString '' : } : } I've attempted playing with the tool, but couldn't get any more usefull output from it, other than this hex dump output (using -ahht options). <31 25 30 23 06 03 55 04 0A 1E 1C 00 54 00 65 00 73 00 74 00 5F 00 49 00> 271 37: SET { <30 23 06 03 55 04 0A 1E 1C 00 54 00 65 00 73 00 74 00 5F 00 49 00 6D 00> 273 35: SEQUENCE { <06 03 55 04 0A> 275 3: OBJECT IDENTIFIER organizationName (2 5 4 10) <1E 1C 00 54 00 65 00 73 00 74 00 5F 00 49 00 6D 00 70 00 72 00 69 00 6D> 280 28: BMPString '' : } : } I don't know much about internal format of certificates. Does above means that O was simply defined as some kind of binary data and value placed inside in raw format, without any encoding information? ---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program. From alex at milivojevic.org Tue Jan 3 22:16:03 2006 From: alex at milivojevic.org (Aleksandar Milivojevic) Date: Tue Jan 3 22:18:04 2006 Subject: using gpgsm In-Reply-To: <87d5jau4wn.fsf@wheatstone.g10code.de> References: <20051221142326.2t6o7ivrtwkg08og@www.milivojevic.org> <87ek423apq.fsf@wheatstone.g10code.de> <20051229145243.ritwptqpwk4k4s88@www.milivojevic.org> <87d5jau4wn.fsf@wheatstone.g10code.de> Message-ID: <20060103151603.l8ptkcqmpwk48k4c@www.milivojevic.org> Quoting Werner Koch : > On Thu, 29 Dec 2005 14:52:43 -0600, Aleksandar Milivojevic said: > >> $ openssl x509 -noout -text -in test.crt >> Subject: C=CA, ST=Quebec, L=Montreal, >> O=\x00T\x00e\x00s\x00t\x00_\x00I\x00m\x00p\x00r\x00i\x00m\x00e\x00u\x00r, > > That looks much like a double wide character encoding (ucs2 ?) and for > sure is no utf-8. gpgsm is able to convert certain encodings but not > all of them. Check out libksba/src/dn.c:append_atv. It is possible > that there is a bug in the implementation (append_ucs2_value). After some Googling around and reading (mostly http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt and other docs overthere)... The above string was BMPString, which means it was really UCS-2 (10646/Unicode), as you indicated. ---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program. From vedaal at hush.com Wed Jan 4 01:32:27 2006 From: vedaal at hush.com (vedaal@hush.com) Date: Wed Jan 4 01:32:39 2006 Subject: updating a key's self-signature Message-ID: <200601040032.k040WSXg091574@mailserver2.hushmail.com> i have two keys that i use extensively for e-mailing one is a v4 rsa key (my default key), and the other is a v3 rsa key (for those correspondents who insist on or prefer the old key) both were signed with md5 when they were generated years ago when i try to sign them now, gnupg (1.4.2) prompts me to sign with a dh/dsa test key that is in my keyring, instead of with my default key (i tried using updpref sha256 first, which was accepted, but still couldn't sign a key with my default key) is there any way i can self-sign them with a sha256 sig, or sign them with my default key with a sha256 sig (if not, can this be a feature request? as signature hashing algorithms become less trusted, but while the key itself is still trusted, wouldn't it make more sense to be able to update the self-sig rather than have to generate a new key? ) TIA, vedaal Concerned about your privacy? Instantly send FREE secure email, no account required http://www.hushmail.com/send?l=480 Get the best prices on SSL certificates from Hushmail https://www.hushssl.com?l=485 From dshaw at jabberwocky.com Wed Jan 4 01:43:01 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Jan 4 01:42:43 2006 Subject: updating a key's self-signature In-Reply-To: <200601040032.k040WSXg091574@mailserver2.hushmail.com> References: <200601040032.k040WSXg091574@mailserver2.hushmail.com> Message-ID: <20060104004301.GD10206@jabberwocky.com> On Tue, Jan 03, 2006 at 04:32:27PM -0800, vedaal@hush.com wrote: > i have two keys that i use extensively for e-mailing > > one is a v4 rsa key (my default key), and the other is a v3 rsa key > (for those correspondents who insist on or prefer the old key) > > both were signed with md5 when they were generated years ago > > when i try to sign them now, gnupg (1.4.2) prompts me to sign with > a dh/dsa test key that is in my keyring, instead of with my default > key > > (i tried using updpref sha256 first, which was accepted, > but still couldn't sign a key with my default key) > > is there any way i can self-sign them with a sha256 sig, > or sign them with my default key with a sha256 sig > > (if not, can this be a feature request? > > as signature hashing algorithms become less trusted, > but while the key itself is still trusted, > wouldn't it make more sense to be able to update the self-sig > rather than have to generate a new key? ) Yes, but note that it's still possible for someone to get the old self-sig from a keyserver. Anyway, do this: gpg --expert --cert-digest-algo (thehash) -u (thekeyid) --sign-key (thekeyid) GPG will warn you that the key is already signed, but give you the option to sign anyway. Remember that if you pick a hash algorithm that your correspondents don't have, the key will become unusable to them. Despite the recent attacks, I'd use SHA-1. Why did you self-sign a v4 RSA key with MD5 anyway? David From vedaal at hush.com Wed Jan 4 04:59:08 2006 From: vedaal at hush.com (vedaal@hush.com) Date: Wed Jan 4 04:58:51 2006 Subject: updating a key's self-signature Message-ID: <20060104035911.9570433C23@mailserver5.hushmail.com> >Message: 8 >Date: Tue, 3 Jan 2006 19:43:01 -0500 >From: David Shaw >Subject: Re: updating a key's self-signature >Yes, but note that it's still possible for someone to get the old >self-sig from a keyserver. what good would that do anyone once the old signature hash is no longer trusted, and the key is updated with the new one ? >Anyway, do this: > >gpg --expert --cert-digest-algo (thehash) -u (thekeyid) --sign-key >(thekeyid) ok, Thanks! worked perfectly, updated key with new self-sig already uploaded >Despite the recent attacks, I'd use SHA-1. i'd prefer whirpool, but settled for sha-256 ;-) >Why did you self-sign a v4 RSA key with MD5 anyway? wasn't my choice ;-( (relatively 'old' key, circa 2001) was all that was available at the time from pgp, and gnupg wasn't allowing 4k keys yet vedaal Concerned about your privacy? Instantly send FREE secure email, no account required http://www.hushmail.com/send?l=480 Get the best prices on SSL certificates from Hushmail https://www.hushssl.com?l=485 From patrick.plattes at gmx.de Wed Jan 4 09:39:44 2006 From: patrick.plattes at gmx.de (Patrick Plattes) Date: Wed Jan 4 11:05:28 2006 Subject: Using of subkeys for encryption Message-ID: <43BB89D0.6060901@gmx.de> Hello, i have a problem while encrypting a message. I'm using the OpenPGP Card but i think the Problem doesn't depends on it. I've got a an decrypted e-mail and if i try to encrypt the e-mail i got a "gpg: public key decryption failed: wrong secret key used". The ID of the used key is an ID an a subkey. Usualy I don't use the subkey for de- and encryption, but i don't know anythink about the subkeys. According to the GnuPG Handbook it should work to use the subkey. Have a nice day and a good morning :), Patrick Here is the complete output: patrick@Dragon:~$ gpg very_secret.gpg gpg: encrypted with 2048-bit RSA key, ID XXXXXXXX, created XXXX-XX-XX "Another Person " gpg: encrypted with 1024-bit RSA key, ID 37BDF910, created 2005-09-21 "Patrick Plattes (Mr. Parity) " gpg: public key decryption failed: wrong secret key used gpg: decryption failed: secret key not available patrick@Dragon:~$ gpg --list-keys 37BDF910 pub 1024R/F7E086A6 2005-09-21 [expires: 2008-09-20] uid Patrick Plattes (Mr. Parity) sub 1024R/37BDF910 2005-09-21 [expires: 2008-09-20] sub 1024R/8A270C95 2005-09-21 [expires: 2008-09-20] patrick@Dragon:~$ gpg --list-secret-key /home/patrick/.gnupg/secring.gpg -------------------------------- sec 1024D/CE4CF5A4 2003-04-23 uid Patrick Plattes (Mr. Parity) ssb 4096g/D7173E45 2003-04-23 sec> 1024R/F7E086A6 2005-09-21 [expires: 2008-09-20] Card serial no. = 0001 000004FB uid Patrick Plattes (Mr. Parity) ssb> 1024R/37BDF910 2005-09-21 ssb> 1024R/8A270C95 2005-09-21 From wk at gnupg.org Wed Jan 4 12:23:27 2006 From: wk at gnupg.org (Werner Koch) Date: Wed Jan 4 12:27:26 2006 Subject: Using of subkeys for encryption In-Reply-To: <43BB89D0.6060901@gmx.de> (Patrick Plattes's message of "Wed, 04 Jan 2006 09:39:44 +0100") References: <43BB89D0.6060901@gmx.de> Message-ID: <87zmmckzio.fsf@wheatstone.g10code.de> On Wed, 04 Jan 2006 09:39:44 +0100, Patrick Plattes said: sec> 1024R/F7E086A6 2005-09-21 [expires: 2008-09-20] > Card serial no. = 0001 000004FB The key is on the card. Check whether the card works: gpg --card-status should list the key too. Salam-Shalom, Werner From wk at gnupg.org Wed Jan 4 18:12:57 2006 From: wk at gnupg.org (Werner Koch) Date: Wed Jan 4 18:17:54 2006 Subject: Using of subkeys for encryption In-Reply-To: <43BB89D0.6060901@gmx.de> (Patrick Plattes's message of "Wed, 04 Jan 2006 09:39:44 +0100") References: <43BB89D0.6060901@gmx.de> Message-ID: <87ek3nkjc6.fsf@wheatstone.g10code.de> On Wed, 04 Jan 2006 09:39:44 +0100, Patrick Plattes said: > gpg: encrypted with 1024-bit RSA key, ID 37BDF910, created 2005-09-21 > "Patrick Plattes (Mr. Parity) " > gpg: public key decryption failed: wrong secret key used I missed this message in my first reply. > gpg: decryption failed: secret key not available With the additional data supplied by Patrick: Signature key ....: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx F7E0 86A6 created ....: xxxxxxxxxxxxxxxxxxx Encryption key....: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 8A27 0C95 created ....: xxxxxxxxxxxxxxxxxxx Authentication key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 37BD F910 created ....: xxxxxxxxxxxxxxxxxxx General key info..: pub 1024R/F7E086A6 2005-09-21 Patrick Plattes (Mr. you can see that the messages has been encrypted to the authentication key and not to the encryption key (8a270c95). This is due to the fact that gnupg 1.2.5 does not know about authentication keys and tries to use them as encryption keys. This has been fixed in 1.2.7 (the last one in the old 1.2 branch). Salam-Shalom, Werner From dshaw at jabberwocky.com Wed Jan 4 18:35:41 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Jan 4 18:35:30 2006 Subject: updating a key's self-signature In-Reply-To: <20060104035911.9570433C23@mailserver5.hushmail.com> References: <20060104035911.9570433C23@mailserver5.hushmail.com> Message-ID: <20060104173541.GA14301@jabberwocky.com> On Tue, Jan 03, 2006 at 07:59:08PM -0800, vedaal@hush.com wrote: > > >Message: 8 > >Date: Tue, 3 Jan 2006 19:43:01 -0500 > >From: David Shaw > >Subject: Re: updating a key's self-signature > > >Yes, but note that it's still possible for someone to get the old > >self-sig from a keyserver. > > what good would that do anyone once the old signature hash is no > longer trusted, > and the key is updated with the new one ? Remember than keys are merged on the keyservers, so you'll end up with both self-sigs present. To be sure, GPG will use the more recent, stronger, self-sig, but the old one is still there. If an attacker compromises the keyserver or in any way distributes your key himself, he can remove the new self-sig, leaving the old one behind. It's not much of an attack. I wouldn't lose sleep over it. > >Despite the recent attacks, I'd use SHA-1. > > i'd prefer whirpool, but settled for sha-256 ;-) This is fine, but note that the key may not work in older versions of PGP and GPG. David From realos at loftmail.com Wed Jan 4 16:43:14 2006 From: realos at loftmail.com (Realos) Date: Wed Jan 4 23:04:48 2006 Subject: lost private key password Message-ID: <20060104154314.GB11375@isw302> hello, I have found an old pair of private and public keys but unfortunaltely do no remember the corresponding password. Public key is places on key servers, thus I would like to have access to it's password again. What would you suggest in this case? A brute force attack with some software if I know part of the password? What tool is suitable for that? Thanks in anticipation. Regards, -- Realos From patrick.plattes at gmx.de Thu Jan 5 00:13:46 2006 From: patrick.plattes at gmx.de (Patrick Plattes) Date: Thu Jan 5 00:13:57 2006 Subject: lost private key password In-Reply-To: <20060104154314.GB11375@isw302> References: <20060104154314.GB11375@isw302> Message-ID: <43BC56AA.1000006@gmx.de> Realos wrote: >hello, > >I have found an old pair of private and public keys but unfortunaltely >do no remember the corresponding password. Public key is places on key >servers, thus I would like to have access to it's password again. > >What would you suggest in this case? A brute force attack with some >software if I know part of the password? What tool is suitable for that? > > Maybe you want to revoke the Key :) Have a nice day, Patrick From lusfert at gmail.com Thu Jan 5 02:13:51 2006 From: lusfert at gmail.com (lusfert) Date: Thu Jan 5 02:14:46 2006 Subject: lost private key password In-Reply-To: <43BC56AA.1000006@gmx.de> References: <20060104154314.GB11375@isw302> <43BC56AA.1000006@gmx.de> Message-ID: <43BC72CF.1050506@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Patrick Plattes wrote on 05.01.2006 2:13: > Realos wrote: > >> hello, >> >> I have found an old pair of private and public keys but unfortunaltely >> do no remember the corresponding password. Public key is places on key >> servers, thus I would like to have access to it's password again. >> >> What would you suggest in this case? A brute force attack with some >> software if I know part of the password? What tool is suitable for that? >> >> > Maybe you want to revoke the Key :) > To revoke any key at first it's needed to generate a revokation certificate: gpg --output [file] --gen-revoke [key id] This operation requires passphrase for private key... Thus it's strongly recommended to generate a revokation certificate at once after creating a key and keep it in safe place. If you already have an appropriate revokation certificate, simply import it into your keyring: gpg --import [rev cert file] Regards - -- My current OpenPGP key ID: 0x500B8987 Key fingerprint: E883 045D 36FB 8CA3 8D69 9C79 9E35 3B56 500B 8987 Encrypted e-mail preferred. -----BEGIN PGP SIGNATURE----- iD8DBQFDvHLNnjU7VlALiYcRAwtDAJ9pYB4HrBw5Ou6TnA57dC1VsVpH1ACg2tlV BLpywWXQXfNPjz+BFDENvQc= =ZIvM -----END PGP SIGNATURE----- From kfitzner at excelcia.org Thu Jan 5 05:17:01 2006 From: kfitzner at excelcia.org (Kurt Fitzner) Date: Thu Jan 5 05:16:49 2006 Subject: lost private key password In-Reply-To: <20060104154314.GB11375@isw302> References: <20060104154314.GB11375@isw302> Message-ID: <43BC9DBD.107@excelcia.org> Realos wrote: > What would you suggest in this case? A brute force attack with some > software if I know part of the password? What tool is suitable for that? There isn't any software that I know of to brute-force a GnuPG password. You could probably whip up something quick and dirty using GnuPG's password checking code, but to be honest and as much as it probably annoys you, I think the best thing to do is just admit that you've got to replace your key. I did the same thing with my first key. I learned the hard way that one should have produced a revocation certificate. This is something I'd like to see GnuPG offer to generate by default for any new keys. Another option, so you don't have to hold multiple revocation certificates in a safe place, is to create a key for the sole use of using it as a revoking key. You add that key as a revoker to any new keys you produce, and don't use the revoker key for anything else. You can then store the revoker key without a passphrase, or with a very easy to remember one like your birthday. If someone gets their hands on your revoker key, all the damage they can do to you is to issue revocation certificates, which (for most people) is merely annoying rather than actually dangerous. Even better is to get yourself a few OpenPGP smartcards. Use one as your primary use key, and another as a backup. The backup is set up as a revoker for the primary one. If you lose your primary, or it is stolen, you can use the backup to revoke the key on your primary, and then use that key as as your new primary one. Then you just order a new card to act as a backup and when it comes, set it up as a backup with the ability to revoke your new primary key. Sorry about your original key - it's a pain, I know. Kurt. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 372 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060104/454ccc42/signature.pgp From atom at smasher.org Thu Jan 5 06:21:00 2006 From: atom at smasher.org (Atom Smasher) Date: Thu Jan 5 06:20:44 2006 Subject: hard-copy backups Message-ID: <20060105052104.53970.qmail@smasher.org> has anyone given any thought to what would be the difference between carefully and carelessly making hard-copy backups of secret keys? i mean, it would be stupid to print a copy of ones secret key (with a weak passphrase) and leave it lying on a table next to a window. OTOH, a printed copy of a secret key (with a strong passphrase) would probably be "secure" in a 10 ton safe. so how strong should a passphrase be when printing out a secret key in the first place? what are the pros/cons of hiding versus securing a hard-copy? what other factors should be considered? bear in mind, these are philosophical questions with philosophical answers... i'm not looking for absolutes. btw, if anyone prints out their secret key for backup, here's a few lines of shell code that will print a (non-cryptographic) checksum for each line. this way if you have to recover your key from hard-copy, it's *much* easier to find mistakes. an example of the output looks like this (indented): -----BEGIN PGP PUBLIC KEY BLOCK----- 3675205589 37 3515105045 1 mQILBECkOvYBEADJfImYQNznN0PJxkwcGysohePmujLVJTsA30WV9tXrb6+4L5ib 2185591463 65 Ed9zHilbvXEgmrLJbG949H7yAwbNAaEjfnlqxBO31BmIJjUDmnXxe3FN98fuKIcq 3919870367 65 bVn8aqPOvGGvsJaWDwLyFSG3UT60htHFuh0I0Nco7AB6WTXBrwV/9JDkiy7p0fK5 1339170163 65 the code works on bsd (zsh) but may have to be slightly modified for other operating systems or shells. while read n do echo -n "${n}\t" echo "${n}" | cksum done -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "I contend that we are both atheists. I just believe in one fewer god than you do. When you understand why you dismiss all the other possible gods, you will understand why I dismiss yours." -- Stephen Roberts From patrick.plattes at gmx.de Thu Jan 5 07:39:35 2006 From: patrick.plattes at gmx.de (Patrick Plattes) Date: Thu Jan 5 07:39:41 2006 Subject: hard-copy backups In-Reply-To: <20060105052104.53970.qmail@smasher.org> References: <20060105052104.53970.qmail@smasher.org> Message-ID: <43BCBF27.4040106@gmx.de> Atom Smasher wrote: > has anyone given any thought to what would be the difference between > carefully and carelessly making hard-copy backups of secret keys? > > i mean, it would be stupid to print a copy of ones secret key (with a > weak passphrase) and leave it lying on a table next to a window. OTOH, > a printed copy of a secret key (with a strong passphrase) would > probably be "secure" in a 10 ton safe. > > so how strong should a passphrase be when printing out a secret key in > the first place? what are the pros/cons of hiding versus securing a > hard-copy? what other factors should be considered? i think you are mixing up two different things. on the one hand you have the problem of security of your data, e.g. no one should read your mails, etc. . on the other hand you have the problem of date recovery. for security you are using a very well gnupg setup. for data recovery you realy need a copy of your keys. paiper is one of the most robust medium to backup date (the egyptain know a more robust medium, but the usual computer user is not able to use a hammer and a chisel ;) ). i think you shoud take your paper (or flagstone), put them into a sealed envelope. give it to you local bank. the german bsi has written a book called it-grundschutzhandbuch imho there is also an english version avalable. maybe you want to read this. > bear in mind, these are philosophical questions with philosophical > answers... i'm not looking for absolutes. > > btw, if anyone prints out their secret key for backup, here's a few > lines of shell code that will print a (non-cryptographic) checksum for > each line. this way if you have to recover your key from hard-copy, > it's *much* easier to find mistakes. an example of the output looks > like this (indented): > > -----BEGIN PGP PUBLIC KEY BLOCK----- 3675205589 37 > 3515105045 1 > mQILBECkOvYBEADJfImYQNznN0PJxkwcGysohePmujLVJTsA30WV9tXrb6+4L5ib > 2185591463 65 > Ed9zHilbvXEgmrLJbG949H7yAwbNAaEjfnlqxBO31BmIJjUDmnXxe3FN98fuKIcq > 3919870367 65 > bVn8aqPOvGGvsJaWDwLyFSG3UT60htHFuh0I0Nco7AB6WTXBrwV/9JDkiy7p0fK5 > 1339170163 65 i know this little trick from the c64. there was a program called mse :) have a nice day, patrick From npcole at yahoo.co.uk Thu Jan 5 08:52:19 2006 From: npcole at yahoo.co.uk (Nicholas Cole) Date: Thu Jan 5 10:05:31 2006 Subject: lost private key password In-Reply-To: <43BC9DBD.107@excelcia.org> Message-ID: <20060105075219.7644.qmail@web25402.mail.ukl.yahoo.com> --- Kurt Fitzner wrote: > Realos wrote: > > What would you suggest in this case? A brute force > attack with some > > software if I know part of the password? What tool > is suitable for that? > > There isn't any software that I know of to > brute-force a GnuPG password. Actually, there is this, which might do what you need. But I've never tried it. Worth a go, perhaps. http://www.vanheusden.com/nasty/ Best, N. ___________________________________________________________ Yahoo! Messenger - NEW crystal clear PC to PC calling worldwide with voicemail http://uk.messenger.yahoo.com From gnupg-users at gnupg.org Wed Jan 4 16:20:20 2006 From: gnupg-users at gnupg.org (Christoph Anton Mitterer) Date: Thu Jan 5 10:31:26 2006 Subject: updating a key's self-signature In-Reply-To: <20060104004301.GD10206@jabberwocky.com> References: <200601040032.k040WSXg091574@mailserver2.hushmail.com> <20060104004301.GD10206@jabberwocky.com> Message-ID: <43BBE7B4.1010605@gnupg.org> David Shaw wrote: >Anyway, do this: > >gpg --expert --cert-digest-algo (thehash) -u (thekeyid) --sign-key (thekeyid) > > Is this possible with the selfsigs on subkeys, too? Chris. From gnupg-users at gnupg.org Wed Jan 4 19:01:17 2006 From: gnupg-users at gnupg.org (Christoph Anton Mitterer) Date: Thu Jan 5 10:31:30 2006 Subject: updating a key's self-signature In-Reply-To: <20060104173541.GA14301@jabberwocky.com> References: <20060104035911.9570433C23@mailserver5.hushmail.com> <20060104173541.GA14301@jabberwocky.com> Message-ID: <43BC0D6D.9070403@gnupg.org> David Shaw wrote: >If an attacker compromises the keyserver or in any way distributes >your key himself, he can remove the new self-sig, leaving the old one >behind. > > Isn't it possible to revoke the older selfsig? Of course, it's still possible for an attacer to compromise the keyserver and/or distribute the key himself, but that risk exists always (e.g. when revoking the whole key - which is the same as revoking all the 0x13 selfsigs....) Chris. From dshaw at jabberwocky.com Thu Jan 5 14:10:07 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Jan 5 14:09:49 2006 Subject: updating a key's self-signature In-Reply-To: <43BBE7B4.1010605@gnupg.org> References: <200601040032.k040WSXg091574@mailserver2.hushmail.com> <20060104004301.GD10206@jabberwocky.com> <43BBE7B4.1010605@gnupg.org> Message-ID: <20060105131007.GA23703@jabberwocky.com> On Wed, Jan 04, 2006 at 04:20:20PM +0100, Christoph Anton Mitterer wrote: > David Shaw wrote: > > >Anyway, do this: > > > >gpg --expert --cert-digest-algo (thehash) -u (thekeyid) --sign-key (thekeyid) > > > > > Is this possible with the selfsigs on subkeys, too? No. David From dshaw at jabberwocky.com Thu Jan 5 14:12:08 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Jan 5 14:11:47 2006 Subject: updating a key's self-signature In-Reply-To: <43BC0D6D.9070403@gnupg.org> References: <20060104035911.9570433C23@mailserver5.hushmail.com> <20060104173541.GA14301@jabberwocky.com> <43BC0D6D.9070403@gnupg.org> Message-ID: <20060105131208.GB23703@jabberwocky.com> On Wed, Jan 04, 2006 at 07:01:17PM +0100, Christoph Anton Mitterer wrote: > David Shaw wrote: > > >If an attacker compromises the keyserver or in any way distributes > >your key himself, he can remove the new self-sig, leaving the old one > >behind. > > > > > Isn't it possible to revoke the older selfsig? Sure, but you have exactly the same problem as before: an attacker can simply unrevoke it by removing the revocation packet. > Of course, it's still possible for an attacer to compromise the > keyserver and/or distribute the key himself, but that risk exists always > (e.g. when revoking the whole key - which is the same as revoking all > the 0x13 selfsigs....) Revoking the whole key is not the same as revoking all selfsigs. One revokes the key. The other makes the key completely untrusted and untrustable. They're not at all the same. David From alex at bofh.net.pl Thu Jan 5 16:05:55 2006 From: alex at bofh.net.pl (Janusz A. Urbanowicz) Date: Thu Jan 5 16:05:41 2006 Subject: hard-copy backups In-Reply-To: <20060105052104.53970.qmail@smasher.org> References: <20060105052104.53970.qmail@smasher.org> Message-ID: <20060105150555.GI21530@syjon.fantastyka.net> On Thu, Jan 05, 2006 at 12:21:00AM -0500, Atom Smasher wrote: > has anyone given any thought to what would be the difference between > carefully and carelessly making hard-copy backups of secret keys? > > i mean, it would be stupid to print a copy of ones secret key (with a weak > passphrase) and leave it lying on a table next to a window. OTOH, a > printed copy of a secret key (with a strong passphrase) would probably be > "secure" in a 10 ton safe. > > so how strong should a passphrase be when printing out a secret key in the > first place? what are the pros/cons of hiding versus securing a hard-copy? > what other factors should be considered? > > bear in mind, these are philosophical questions with philosophical > answers... i'm not looking for absolutes. from my experience, all keys for long-term, _safe storage_ (and after revocation) should be kept with no passphases at all human memory is very volatile and some day you gonna need to decrypt an old email encrypted with the key you revoked in 1993[1], and there's is no way you'll remember the old, long time not used, non-trivial passphrase alex [1] Thats actual thing that happened to me two weeks ago. -- mors ab alto 0x46399138 From lusfert at gmail.com Thu Jan 5 16:41:02 2006 From: lusfert at gmail.com (lusfert) Date: Thu Jan 5 16:42:14 2006 Subject: BZIP2 algorithm isn't supported after compiling gnupg from source code Message-ID: <43BD3E0E.9090206@gmail.com> Hello. I downloaded GnuPG source and checked its signature (under Windows): ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.2.tar.bz2 ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.2.tar.bz2.sig Then I rebooted into recently installed Debian GNU/Linux 3.1r0a system and built program from source: $ cd /home/[user]/ $ bunzip2 gnupg-1.4.2.tar.bz2 $ tar xvf gnupg-1.4.2.tar $ cd ./gnupg-1.4.2 $ ./configure $ make # make install After these steps command "gpg --version" displays the following: gpg (GnuPG) 1.4.2 [...] Compression: Uncompressed, ZIP, ZLIB Before compiling (there was default gnupg installation from Debian package) output of "gpg --version" was: gpg (GnuPG) 1.4.1 [...] Compression: Uncompressed, ZIP, ZLIB, BZIP2 Windows version (installed from official binaries) also supports BZIP2: gpg (GnuPG) 1.4.2 [...] Compression: Uncompressed, ZIP, ZLIB, BZIP2 Thus BZIP2 algorithm isn't supported after compiling GnuPG 1.4.2 from source code under Linux. How can I enable BZIP2 support using last version of GPG under Linux? Regards and thanks for advice -- My current OpenPGP key ID: 0x500B8987 Key fingerprint: E883 045D 36FB 8CA3 8D69 9C79 9E35 3B56 500B 8987 Encrypted e-mail preferred. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 155 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060105/01bb9a1e/signature.pgp From JPClizbe at comcast.net Thu Jan 5 17:50:51 2006 From: JPClizbe at comcast.net (John Clizbe) Date: Thu Jan 5 17:51:58 2006 Subject: BZIP2 algorithm isn't supported after compiling gnupg from source code In-Reply-To: <43BD3E0E.9090206@gmail.com> References: <43BD3E0E.9090206@gmail.com> Message-ID: <43BD4E6B.90004@comcast.net> lusfert wrote: > $ cd /home/[user]/ > $ bunzip2 gnupg-1.4.2.tar.bz2 > $ tar xvf gnupg-1.4.2.tar tar xjvf will combine the tar extract operation with the bunzip > $ cd ./gnupg-1.4.2 > $ ./configure > $ make Thus is normally the point where one tests the built code *before* 'make install'. > # make install > > After these steps command "gpg --version" displays the following: > > gpg (GnuPG) 1.4.2 > [...] > Compression: Uncompressed, ZIP, ZLIB > Thus BZIP2 algorithm isn't supported after compiling GnuPG 1.4.2 from > source code under Linux. > How can I enable BZIP2 support using last version of GPG under Linux? What was the output from configure? You should have seen lines like (near top) checking whether to enable the BZIP2 compression algorithm... yes (near bottom) checking for bzlib.h... yes checking for BZ2_bzCompressInit in -lbz2... yes './configure 2>&1 | tee configure.log' will save the output from configure for diagnostic purposes. BZIP2 support won't be built if configure cannot find the bzlib.h include file and the libbz2 library. You may need to 'help' configure find the bzip2 library. configure's --help will tell you: --with-bzip2=DIR look for bzip2 in DIR Finally, what version does apt-get install? Mostly just curious, I don't use Debian. -- John P. Clizbe Inet: John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A "what's the key to success?" / "two words: good decisions." "what's the key to good decisions?" / "one word: experience." "how do i get experience?" / "two words: bad decisions." "Just how do the residents of Haiku, Hawai'i hold conversations?" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 669 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060105/1b614c4a/signature.pgp From atom at smasher.org Thu Jan 5 20:07:17 2006 From: atom at smasher.org (Atom Smasher) Date: Thu Jan 5 20:06:56 2006 Subject: hard-copy backups In-Reply-To: <20060105150555.GI21530@syjon.fantastyka.net> References: <20060105052104.53970.qmail@smasher.org> <20060105150555.GI21530@syjon.fantastyka.net> Message-ID: <20060105190720.35059.qmail@smasher.org> On Thu, 5 Jan 2006, Janusz A. Urbanowicz wrote: > from my experience, all keys for long-term, _safe storage_ (and after > revocation) should be kept with no passphases at all > > human memory is very volatile and some day you gonna need to decrypt an > old email encrypted with the key you revoked in 1993[1], and there's is > no way you'll remember the old, long time not used, non-trivial > passphrase ==================== and then keep the printout in a very safe place? a very well hidden place? very safe, well hidden place? hehe... the problem then isn't remembering the passphrase, but remembering where you put the paper ;) -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "WAR IS PEACE, FREEDOM IS SLAVERY, IGNORANCE IS STRENGTH" The two minutes hate ended with this message which is the slogan of the Party. -- George Orwell From samuel at Update.UU.SE Thu Jan 5 23:51:43 2006 From: samuel at Update.UU.SE (Samuel ]slund) Date: Thu Jan 5 23:51:28 2006 Subject: hard-copy backups In-Reply-To: <20060105190720.35059.qmail@smasher.org> References: <20060105052104.53970.qmail@smasher.org> <20060105150555.GI21530@syjon.fantastyka.net> <20060105190720.35059.qmail@smasher.org> Message-ID: <20060105225143.GC27301@Update.UU.SE> On Thu, Jan 05, 2006 at 02:07:17PM -0500, Atom Smasher wrote: > On Thu, 5 Jan 2006, Janusz A. Urbanowicz wrote: > > >from my experience, all keys for long-term, _safe storage_ (and after > >revocation) should be kept with no passphases at all > > > >human memory is very volatile and some day you gonna need to decrypt an > >old email encrypted with the key you revoked in 1993[1], and there's is > >no way you'll remember the old, long time not used, non-trivial > >passphrase > ==================== > > and then keep the printout in a very safe place? a very well hidden place? > very safe, well hidden place? > > hehe... the problem then isn't remembering the passphrase, but remembering > where you put the paper ;) In Sweden people with weapon licenses are required to either keep their weapons locked up in a safe that is non-trivial to move or store them with the "vital part" and ammunition removed and hidden in different places. Might be applicable? //Samuel From atom at smasher.org Fri Jan 6 00:13:06 2006 From: atom at smasher.org (Atom Smasher) Date: Fri Jan 6 00:12:42 2006 Subject: hard-copy backups In-Reply-To: <20060105225143.GC27301@Update.UU.SE> References: <20060105052104.53970.qmail@smasher.org> <20060105150555.GI21530@syjon.fantastyka.net> <20060105190720.35059.qmail@smasher.org> <20060105225143.GC27301@Update.UU.SE> Message-ID: <20060105231308.70477.qmail@smasher.org> On Thu, 5 Jan 2006, Samuel ]slund wrote: > In Sweden people with weapon licenses are required to either keep their > weapons locked up in a safe that is non-trivial to move or store them > with the "vital part" and ammunition removed and hidden in different > places. > > Might be applicable? ===================== hhmm.... the first part is analogous to physically or cryptographically securing data. the second part, taken to a cryptographic extreme, leads me to consider making a one-time-pad of two or more parts, and leaving the parts under the care of different "trusted" persons and/or in different "secure" locations... that's a backup scheme i hadn't considered... -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "A good many observers have remarked that if equality could come at once the Negro would not be ready for it. I submit that the white American is even more unprepared." -- Martin Luther King, Jr. From engage at n0sq.us Fri Jan 6 01:25:13 2006 From: engage at n0sq.us (engage) Date: Fri Jan 6 02:34:30 2006 Subject: WinPT Message-ID: <200601051725.14540.engage@n0sq.us> I hope I'm not off-topic but I have a question about WinPT. It seems that I can refresh or add to the public keyring from the CLI with gpg but I can't refresh the keys using the same server from within WinPT. I keep getting an error about WinPT not able to access the server. I tried the other pre-installed servers with the same result. I have tried shutting down firewalls and anti-virus programs also. I have also tried setting up a dmz on the router and placing one PC in that zone with its firewall and AV program turned off. Windows XP, SP2. WinPT 0.10.1, GnuPG 1.4.2 From twoaday at gmx.net Fri Jan 6 11:56:37 2006 From: twoaday at gmx.net (Timo Schulz) Date: Fri Jan 6 11:59:26 2006 Subject: WinPT In-Reply-To: <200601051725.14540.engage@n0sq.us> References: <200601051725.14540.engage@n0sq.us> Message-ID: <43BE4CE5.2020902@gmx.net> engage wrote: > can refresh or add to the public keyring from the CLI with gpg but I can't > refresh the keys using the same server from within WinPT. There might be a problem with the code. Please can you check out 0.11.4 (0.10.1 is rather obsolete)? Timo From alex at bofh.net.pl Fri Jan 6 12:25:58 2006 From: alex at bofh.net.pl (Janusz A. Urbanowicz) Date: Fri Jan 6 12:25:41 2006 Subject: hard-copy backups In-Reply-To: <20060105190720.35059.qmail@smasher.org> References: <20060105052104.53970.qmail@smasher.org> <20060105150555.GI21530@syjon.fantastyka.net> <20060105190720.35059.qmail@smasher.org> Message-ID: <20060106112557.GJ21530@syjon.fantastyka.net> On Thu, Jan 05, 2006 at 02:07:17PM -0500, Atom Smasher wrote: > On Thu, 5 Jan 2006, Janusz A. Urbanowicz wrote: > > >from my experience, all keys for long-term, _safe storage_ (and after > >revocation) should be kept with no passphases at all > > > >human memory is very volatile and some day you gonna need to decrypt an > >old email encrypted with the key you revoked in 1993[1], and there's is > >no way you'll remember the old, long time not used, non-trivial > >passphrase > ==================== > > and then keep the printout in a very safe place? a very well hidden place? > very safe, well hidden place? > > hehe... the problem then isn't remembering the passphrase, but remembering > where you put the paper ;) At least this knowledge is not case sensitive. And not national-characters-encoding sensitive too. Keep it with other important papers of your life. And not necessarily printouts only, slowly burned CD kept in good conditions, or some solid state memory storage (like a small and cheap pendrive), can last a few years. -- mors ab alto 0x46399138 From folkert at vanheusden.com Fri Jan 6 14:04:44 2006 From: folkert at vanheusden.com (Folkert van Heusden) Date: Fri Jan 6 15:04:17 2006 Subject: hard-copy backups In-Reply-To: <20060106112557.GJ21530@syjon.fantastyka.net> References: <20060105052104.53970.qmail@smasher.org> <20060105150555.GI21530@syjon.fantastyka.net> <20060105190720.35059.qmail@smasher.org> <20060106112557.GJ21530@syjon.fantastyka.net> Message-ID: <20060106130444.GE16547@vanheusden.com> > Keep it with other important papers of your life. And not necessarily > printouts only, slowly burned CD kept in good conditions, or some solid > state memory storage (like a small and cheap pendrive), can last a few > years. Burning a cd at low speeds doesn't neccessarily make it last longer. If you need them to stay in a good condition for a long time, buy gold cds. Like the Delkin archival gold series: http://keetweej.vanheusden.com/redir.php?id=58 Folkert van Heusden -- Try MultiTail! Multiple windows with logfiles, filtered with regular expressions, colored output, etc. etc. www.vanheusden.com/multitail/ ---------------------------------------------------------------------- Get your PGP/GPG key signed at www.biglumber.com! ---------------------------------------------------------------------- Phone: +31-6-41278122, PGP-key: 1F28D8AE, www.vanheusden.com From hhhobbit7 at netscape.net Fri Jan 6 14:34:13 2006 From: hhhobbit7 at netscape.net (Henry Hertz Hobbit) Date: Fri Jan 6 15:34:33 2006 Subject: BZIP2 algorithm Message-ID: <62399C46.36B44AEF.0307202B@netscape.net> lusfert wrote: >Hello. > >I downloaded GnuPG source and checked its signature (under Windows): >ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.2.tar.bz2 >ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.2.tar.bz2.sig You did that part right. >Then I rebooted into recently installed Debian GNU/Linux 3.1r0a system >and built program from source: > >$ cd /home/[user]/ >$ bunzip2 gnupg-1.4.2.tar.bz2 >$ tar xvf gnupg-1.4.2.tar better: $ bunzip2 gnupg-1.4.2.tar.bz2 | tar -xvf - >$ cd ./gnupg-1.4.2 >$ ./configure Where did the output go? To /dev/null? Since you are not using C Shell (please use bash, sh, of ksh), do it this way: $ ./configure > LOG.config 2> ERR.config Now you can study the results to decide what to do next... I can already tell you right now that you will be building the BZIP library. If you see the following magic line in the LOG.config file: "checking whether to enable the BZIP2 compression algorithm... yes" you will know you are okay. If you don't ... more on that in a moment... >$ make Ditto with output going to other files... $ make > LOG.make 2> ERR.make $ ls -l ERR.* If both of those files are empty, you may be okay. If they are and you are happy with what is in the LOG.* files, then you can proceed... ># make install > >After these steps command "gpg --version" displays the following: > >gpg (GnuPG) 1.4.2 >[...] >Compression: Uncompressed, ZIP, ZLIB First, I am assuming you put the program by default into /usr/local. Do you have /usr/local/bin and /usr/local/sbin first in your PATH? I ALWAYS DO THIS TO MY PATH VARIABLE. That is because I leave the older version of GnuPG (and whatever else) alone since I don't want to get whacked by an update from the OS creators that undoes all that nice work to get things as up to date as possible (especially useful with GnuPG). Download bzip2 and install it in all its glory (which includes not only the executables, but also the header and bzip2 link library files. http://www.bzip.org/ Strange, but it isn't as nicely integrated into ClamAV as it is in GnuPG. I may REALLY need it there in the future once MS Windows is dead and the virus writers move on to Linux and back to where the very first virus was written - TO UNIX! Strange - it seems like they would have provided bzip2 with the libraries and header files by now in most distributions by default. Does anybody know the reason why they are not doing it? Happy bzip2'ing, but I really would advise that if you are going to be sending to MS Windows people to use either gzip or zip as your default compression algorithm. Most Windows compression programs can handle them, but one of the things I do to contain the Trojan files while they are on Windows is to bzip2 them on Linux. When virus writers conceal their nasty worms in bzip2 files, all of this will change. Henry Hertz Hobbit __________________________________________________________________ Switch to Netscape Internet Service. As low as $9.95 a month -- Sign up today at http://isp.netscape.com/register Netscape. Just the Net You Need. New! Netscape Toolbar for Internet Explorer Search from anywhere on the Web and block those annoying pop-ups. Download now at http://channels.netscape.com/ns/search/install.jsp From lusfert at gmail.com Fri Jan 6 22:10:32 2006 From: lusfert at gmail.com (lusfert) Date: Fri Jan 6 22:11:39 2006 Subject: BZIP2 algorithm isn't supported after compiling gnupg from source code In-Reply-To: <43BD4E6B.90004@comcast.net> References: <43BD3E0E.9090206@gmail.com> <43BD4E6B.90004@comcast.net> Message-ID: <43BEDCC8.4060401@gmail.com> John Clizbe wrote on 05.01.2006 19:50: > lusfert wrote: >>Thus BZIP2 algorithm isn't supported after compiling GnuPG 1.4.2 from >>source code under Linux. >>How can I enable BZIP2 support using last version of GPG under Linux? > > > What was the output from configure? You should have seen lines like > (near top) > checking whether to enable the BZIP2 compression algorithm... yes > > (near bottom) > checking for bzlib.h... yes > checking for BZ2_bzCompressInit in -lbz2... yes > > './configure 2>&1 | tee configure.log' will save the output from > configure for diagnostic purposes. > OK, I tried again. Here is configure log: http://lusfert.land.ru/files/configure_log It contains these lines: ----- checking whether to enable the BZIP2 compression algorithm... yes checking for bzlib.h... no ----- > BZIP2 support won't be built if configure cannot find the bzlib.h include file > and the libbz2 library. You may need to 'help' configure find the bzip2 library. > configure's --help will tell you: > > --with-bzip2=DIR look for bzip2 in DIR > But what directory should I write here? > Finally, what version does apt-get install? > 1.4.1 Regards -- My current OpenPGP key ID: 0x500B8987 Key fingerprint: E883 045D 36FB 8CA3 8D69 9C79 9E35 3B56 500B 8987 Encrypted e-mail preferred. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 155 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060107/67dd4ec2/signature.pgp From JPClizbe at comcast.net Fri Jan 6 22:59:05 2006 From: JPClizbe at comcast.net (John Clizbe) Date: Fri Jan 6 22:59:47 2006 Subject: BZIP2 algorithm isn't supported after compiling gnupg from source code In-Reply-To: <43BEDCC8.4060401@gmail.com> References: <43BD3E0E.9090206@gmail.com> <43BD4E6B.90004@comcast.net> <43BEDCC8.4060401@gmail.com> Message-ID: <43BEE829.5080002@comcast.net> lusfert wrote: > John Clizbe wrote on 05.01.2006 19:50: > OK, I tried again. Here is configure log: > http://lusfert.land.ru/files/configure_log > > It contains these lines: > ----- > checking whether to enable the BZIP2 compression algorithm... yes > checking for bzlib.h... no > ----- > >> BZIP2 support won't be built if configure cannot find the bzlib.h include file >> and the libbz2 library. You may need to 'help' configure find the bzip2 library. >> configure's --help will tell you: >> >> --with-bzip2=DIR look for bzip2 in DIR >> > But what directory should I write here? find / -name bzlib.h -print If you don't have it you can probably get it from the bzip2 source. If the test for libbz2 after this fails, you'll likely need to build your own BZIP2. Come on, Debianistas. I know there are Debian users out there who can answer all of this. -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 669 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060106/37f4475b/signature-0001.pgp From zwon at severodvinsk.ru Fri Jan 6 23:31:05 2006 From: zwon at severodvinsk.ru (Pawel Shajdo) Date: Fri Jan 6 23:54:49 2006 Subject: BZIP2 algorithm isn't supported after compiling gnupg from source code In-Reply-To: <43BEDCC8.4060401@gmail.com> References: <43BD3E0E.9090206@gmail.com> <43BD4E6B.90004@comcast.net> <43BEDCC8.4060401@gmail.com> Message-ID: <20060106223105.GC10998@sky.schizandra.ru> On Jan 07, 2006 at 00:10 +0300, lusfert wrote: > checking whether to enable the BZIP2 compression algorithm... yes > checking for bzlib.h... no maybe you must install somthing as bzip-devel? Vale! -- Pawel I. Shajdo From pkern at debian.org Fri Jan 6 23:59:25 2006 From: pkern at debian.org (Philipp Kern) Date: Fri Jan 6 23:59:21 2006 Subject: BZIP2 algorithm isn't supported after compiling gnupg from source code In-Reply-To: <43BEE829.5080002@comcast.net> References: <43BD3E0E.9090206@gmail.com> <43BD4E6B.90004@comcast.net> <43BEDCC8.4060401@gmail.com> <43BEE829.5080002@comcast.net> Message-ID: <43BEF64D.6010007@debian.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 John Clizbe wrote: > Come on, Debianistas. I know there are Debian users out there who can answer all > of this. Taking this question self-contained: # apt-get install libbz2-dev Then gnupg's configure should find it just fine, without specifying a path. Kind regards, Philipp Kern -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (Darwin) iD8DBQFDvvZN7Ro5M7LPzdgRApGLAJ0evexwO0OtQrPoFrxBRY2fDVuUPgCguhlk SsRFhWTRA4mYqRXwr5BLa8o= =snTb -----END PGP SIGNATURE----- From lusfert at gmail.com Sat Jan 7 00:13:37 2006 From: lusfert at gmail.com (lusfert) Date: Sat Jan 7 00:14:42 2006 Subject: BZIP2 algorithm In-Reply-To: <62399C46.36B44AEF.0307202B@netscape.net> References: <62399C46.36B44AEF.0307202B@netscape.net> Message-ID: <43BEF9A1.6090706@gmail.com> Henry Hertz Hobbit wrote on 06.01.2006 16:34: > lusfert wrote: >>$ cd ./gnupg-1.4.2 >>$ ./configure > > > Where did the output go? To /dev/null? Output was on the screen... > Since you are not > using C Shell (please use bash, sh, of ksh),do it this way: > I use bash. > $ ./configure > LOG.config 2> ERR.config > > Now you can study the results to decide what to do next... > I can already tell you right now that you will be building > the BZIP library. If you see the following magic line in > the LOG.config file: > > "checking whether to enable the BZIP2 compression algorithm... yes" > > you will know you are okay. If you don't ... more on that in a > moment... > OK, see here: http://lists.gnupg.org/pipermail/gnupg-users/2006-January/027768.html Log file does contain above line. > >>$ make > > > Ditto with output going to other files... > > $ make > LOG.make 2> ERR.make > $ ls -l ERR.* > > If both of those files are empty, you may be okay. If they > are and you are happy with what is in the LOG.* files, then > you can proceed... > Both files (ERR.config & ERR.make) are empty. Log file contains magic line too. > > First, I am assuming you put the program by default into /usr/local. GnuPG installs into /usr/local/bin. > Do you have /usr/local/bin and /usr/local/sbin first in your PATH? > I ALWAYS DO THIS TO MY PATH VARIABLE. That is because I leave the > older version of GnuPG (and whatever else) alone since I don't want > to get whacked by an update from the OS creators that undoes all that > nice work to get things as up to date as possible (especially useful > with GnuPG). Download bzip2 and install it in all its glory (which > includes not only the executables, but also the header and bzip2 > link library files. > > http://www.bzip.org/ > Thanks, this helps. I installed bzip2-1.0.3.tar.gz and after this command "./configure" found bzlib.h without additional options. Now after compiling "gpg --version" displays: gpg (GnuPG) 1.4.2 [...] Compression: Uncompressed, ZIP, ZLIB, BZIP2 Thanks to everyone! -- My current OpenPGP key ID: 0x500B8987 Key fingerprint: E883 045D 36FB 8CA3 8D69 9C79 9E35 3B56 500B 8987 Encrypted e-mail preferred. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 155 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060107/7b84a12f/signature.pgp From p.guehring at futureware.at Sat Jan 7 02:53:21 2006 From: p.guehring at futureware.at (Philipp =?iso-8859-1?q?G=FChring?=) Date: Sat Jan 7 04:04:42 2006 Subject: OpenPGP debugging Message-ID: <200601070253.24953.p.guehring@futureware.at> Hi, I am searching for an OpenPGP fileformat analyzer. gpg -v -v -v -v -v --list-packets openpgp.key is coming near, but I am still missing a hexdump of the individual fields, or even a description down to the bit level if necessary. This is necessary to analyze the correct encoding of certain fields. One interesting document I found today gives examples of the PKCS standards: http://www.zone-h.org/files/33/examples.pdf Is there something similar available for OpenPGP? Best regards, Philipp G?hring From dshaw at jabberwocky.com Sat Jan 7 04:19:06 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Sat Jan 7 04:18:45 2006 Subject: OpenPGP debugging In-Reply-To: <200601070253.24953.p.guehring@futureware.at> References: <200601070253.24953.p.guehring@futureware.at> Message-ID: <20060107031906.GA30819@jabberwocky.com> On Sat, Jan 07, 2006 at 02:53:21AM +0100, Philipp G?hring wrote: > Hi, > > I am searching for an OpenPGP fileformat analyzer. > > gpg -v -v -v -v -v --list-packets openpgp.key > > is coming near, but I am still missing a hexdump of the individual fields, or > even a description down to the bit level if necessary. > This is necessary to analyze the correct encoding of certain fields. http://pgp.iijlab.net/pgpdump.html > One interesting document I found today gives examples of the PKCS standards: > http://www.zone-h.org/files/33/examples.pdf > Is there something similar available for OpenPGP? RFC-2440 has a few examples, but not that many. David From kfitzner at excelcia.org Sat Jan 7 15:22:24 2006 From: kfitzner at excelcia.org (Kurt Fitzner) Date: Sat Jan 7 15:22:13 2006 Subject: hard-copy backups In-Reply-To: <20060106130444.GE16547@vanheusden.com> References: <20060105052104.53970.qmail@smasher.org> <20060105150555.GI21530@syjon.fantastyka.net> <20060105190720.35059.qmail@smasher.org> <20060106112557.GJ21530@syjon.fantastyka.net> <20060106130444.GE16547@vanheusden.com> Message-ID: <43BFCEA0.1000900@excelcia.org> The most important thing in making archival CD backups is the dye, not the reflective layer. Both gold and silver are used in the reflective layer, and both are considered to be pretty much equivalent in terms of aging. The best dyes to use are phthalocyanine and metal stabilized cyanine. It's difficult to visually tell if a disc has metal stabilized cyanine as it is the same pale color as normal cyanine, which is the worst dye for longevity. Phthalocyanine is a darker dye and easy to tell from cyanine. If you want good archival CD's, then ensure that you are getting a good dye. Manufacturers will sometimes change dyes even in what they label as an archival CD in order to cut costs. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 372 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060107/0a5b82a3/signature.pgp From gpg-0 at ml.turing-complete.org Sat Jan 7 14:22:22 2006 From: gpg-0 at ml.turing-complete.org (Nicolas Rachinsky) Date: Sat Jan 7 15:34:35 2006 Subject: Preferred keyserver Message-ID: <20060107132222.GB19184@mid.pc5.i.0x5.de> Hallo, nicolas@pc5 ~> gpg --refresh 887BAE72 A32C2932 gpg: requesting key A32C2932 from http server www.rachinsky.de gpg: key F66AFAF2: "Nicolas Rachinsky (SIGNING KEY - CERTIFICATION ONLY) " not changed gpg: key A32C2932: "Nicolas Rachinsky (Communication Key) " not changed gpg: Total number processed: 2 gpg: unchanged: 2 gpg: refreshing 1 key from hkp://random.sks.keyserver.penguin.de gpg: requesting key 887BAE72 from hkp server random.sks.keyserver.penguin.de gpg: key 887BAE72: "Nicolas Rachinsky " not changed gpg: Total number processed: 1 gpg: unchanged: 1 nicolas@pc5 ~> gpg --refresh 887BAE72 gpg: requesting key 887BAE72 from http server www.rachinsky.de gpg: key 887BAE72: "Nicolas Rachinsky " not changed gpg: Total number processed: 1 gpg: unchanged: 1 Why is gnupg fetching 887BAE72 one time from the preferred keyserver and the other time from the default one? Nicolas -- http://www.rachinsky.de/nicolas From nixclusive0 at gmail.com Sat Jan 7 18:28:04 2006 From: nixclusive0 at gmail.com (Nicky) Date: Sat Jan 7 18:27:58 2006 Subject: Selecting subkeys while using GnuPG Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I have two encryption keys and three signing keys: pub 4096R/057AC4BC created: 2005-12-08 expires: never usage: CS sub 4096R/0DBBD3FD created: 2005-12-08 expires: never usage: SEA sub 4096g/E3DD0205 created: 2005-12-29 expires: 2006-04-29 usage: E sub 1024D/CC89E9DE created: 2005-12-30 expires: 2006-04-30 usage: S but while signing a message, GnuPG uses the DSA key as the default signing key and the ELG-E key as the default encryption key. Is there a way to spe cify which subkey GnuPG should use to sign/encrypt? For example this message was signed using the 1024-bit DSA key using the SHA1 digest algorithm. - ----------------------------------------- Download PGP Public Key for Nicky: https://keyserver2.pgp.com:443/vkd/DownloadKey.event?keyid=0xC0C5F557057AC4BC Key fingerprint = 79FD 0A0A A997 C52A 9133 86D9 C0C5 F557 057A C4BC -----BEGIN PGP SIGNATURE----- iD8DBQFDv5DPZ1InQcyJ6d4RAommAJ9PAwcJA2JEX1mfSQq4PMYU/ej2LACfVSAu VkOhaThFDVOBiOQgIfxsjMs= =yP63 -----END PGP SIGNATURE----- From JPClizbe at comcast.net Sat Jan 7 18:45:47 2006 From: JPClizbe at comcast.net (John Clizbe) Date: Sat Jan 7 18:46:04 2006 Subject: Selecting subkeys while using GnuPG In-Reply-To: References: Message-ID: <43BFFE4B.6020308@comcast.net> Nicky wrote: > I have two encryption keys and three signing keys: > > pub 4096R/057AC4BC created: 2005-12-08 expires: never usage: CS > sub 4096R/0DBBD3FD created: 2005-12-08 expires: never usage: SEA > sub 4096g/E3DD0205 created: 2005-12-29 expires: 2006-04-29 usage: E > sub 1024D/CC89E9DE created: 2005-12-30 expires: 2006-04-30 usage: S > > but while signing a message, GnuPG uses the DSA key as the default signing > key and the ELG-E key as the default encryption key. Is there a way to spe > cify which subkey GnuPG should use to sign/encrypt? Stick a "!" after the keyid you specify and GnuPG will use it verbatim. gpg -u 0xDecafBad! --sign ..... > > For example this message was signed using the 1024-bit DSA key using the > SHA1 digest algorithm. SHA-1 implies DSA which would mean a DSA key. What happen if you specify SHA-256 without explicitly selecting the subkey? -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 669 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060107/fead3f09/signature-0001.pgp From dshaw at jabberwocky.com Sat Jan 7 20:17:22 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Sat Jan 7 20:17:20 2006 Subject: Preferred keyserver In-Reply-To: <20060107132222.GB19184@mid.pc5.i.0x5.de> References: <20060107132222.GB19184@mid.pc5.i.0x5.de> Message-ID: <20060107191722.GA5067@jabberwocky.com> On Sat, Jan 07, 2006 at 02:22:22PM +0100, Nicolas Rachinsky wrote: > Hallo, > > nicolas@pc5 ~> gpg --refresh 887BAE72 A32C2932 > gpg: requesting key A32C2932 from http server www.rachinsky.de > gpg: key F66AFAF2: "Nicolas Rachinsky (SIGNING KEY - CERTIFICATION ONLY) " not changed > gpg: key A32C2932: "Nicolas Rachinsky (Communication Key) " not changed > gpg: Total number processed: 2 > gpg: unchanged: 2 > gpg: refreshing 1 key from hkp://random.sks.keyserver.penguin.de > gpg: requesting key 887BAE72 from hkp server random.sks.keyserver.penguin.de > gpg: key 887BAE72: "Nicolas Rachinsky " not changed > gpg: Total number processed: 1 > gpg: unchanged: 1 > > nicolas@pc5 ~> gpg --refresh 887BAE72 > gpg: requesting key 887BAE72 from http server www.rachinsky.de > gpg: key 887BAE72: "Nicolas Rachinsky " not changed > gpg: Total number processed: 1 > gpg: unchanged: 1 > > Why is gnupg fetching 887BAE72 one time from the preferred keyserver > and the other time from the default one? Bug. I've fixed it for 1.4.3. Thanks for the report! Index: keyserver.c =================================================================== --- keyserver.c (revision 3984) +++ keyserver.c (working copy) @@ -1794,7 +1794,7 @@ int i; /* Try to handle preferred keyserver keys first */ - for(i=0;i >SHA-1 implies DSA which would mean a DSA key. What happen if you specify SHA-256 >without explicitly selecting the subkey? When I select the SHA256 algo, gpg returns an error that DSA will use nothing more than a good 160 bit algo. Thanks for the help though. ----------------------------------------- Download PGP Public Key for Nicky: https://keyserver2.pgp.com:443/vkd/DownloadKey.event?keyid=0xC0C5F557057AC4BC Key fingerprint = 79FD 0A0A A997 C52A 9133 86D9 C0C5 F557 057A C4BC From alphasigmax at gmail.com Sun Jan 8 14:18:19 2006 From: alphasigmax at gmail.com (Alphax) Date: Sun Jan 8 14:19:18 2006 Subject: Selecting subkeys while using GnuPG In-Reply-To: References: Message-ID: <43C1111B.8000203@gmail.com> Nicky wrote: >> SHA-1 implies DSA which would mean a DSA key. What happen if you >> specify SHA-256 without explicitly selecting the subkey? > > > When I select the SHA256 algo, gpg returns an error that DSA will use > nothing more than a good 160 bit algo. Thanks for the help though. > Erm... I know(?) GPG is meant to use a subkey "where possible" (ie. if a signing subkey exists it will use it, if an encryption subkeys exists it will use it), but is it meant to exhibit the same behaviour as PGP in that it will use the newest subkey if not explicitly told not to? -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards http://tinyurl.com/cc9up | / \ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 556 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060108/68ff45b8/signature.pgp From kfitzner at excelcia.org Tue Jan 10 04:41:56 2006 From: kfitzner at excelcia.org (Kurt Fitzner) Date: Tue Jan 10 04:41:41 2006 Subject: updating a key's self-signature In-Reply-To: <20060104004301.GD10206@jabberwocky.com> References: <200601040032.k040WSXg091574@mailserver2.hushmail.com> <20060104004301.GD10206@jabberwocky.com> Message-ID: <43C32D04.9000801@excelcia.org> David Shaw wrote: > Anyway, do this: > > gpg --expert --cert-digest-algo (thehash) -u (thekeyid) --sign-key (thekeyid) Does this mean that personal-digest-preferences and/or a key's digest preferences doesn't dictate what digest algorithm is used for self-signatures? If this is the case, it seems to me to be a little dangerous. How does one tell what digest algo is used for one's self sigs? Kurt. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 372 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060109/f7d79450/signature.pgp From dshaw at jabberwocky.com Tue Jan 10 04:52:09 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Jan 10 04:51:49 2006 Subject: updating a key's self-signature In-Reply-To: <43C32D04.9000801@excelcia.org> References: <200601040032.k040WSXg091574@mailserver2.hushmail.com> <20060104004301.GD10206@jabberwocky.com> <43C32D04.9000801@excelcia.org> Message-ID: <20060110035209.GB862@jabberwocky.com> On Mon, Jan 09, 2006 at 08:41:56PM -0700, Kurt Fitzner wrote: > David Shaw wrote: > > Anyway, do this: > > > > gpg --expert --cert-digest-algo (thehash) -u (thekeyid) --sign-key (thekeyid) > > Does this mean that personal-digest-preferences and/or a key's digest > preferences doesn't dictate what digest algorithm is used for > self-signatures? Yes. Signing a document and signing a key are not the same thing, and must not be artificially glued together just because they are both signatures. > If this is the case, it seems to me to be a little dangerous. Why? > How does one tell what digest algo is used for one's self sigs? gpg --export (thekey) | gpg --list-packets David From kfitzner at excelcia.org Wed Jan 11 06:39:00 2006 From: kfitzner at excelcia.org (Kurt Fitzner) Date: Wed Jan 11 06:41:09 2006 Subject: Textmode for dummies (me) Message-ID: <43C499F4.2050808@excelcia.org> I received a request to add support for --textmode to GPGee and did so. I'm about to release a new version and am updating the help file, and I find that I don't have a clear understanding myself of exactly what --textmode does. I'm hoping someone can explain a few things. The man page for GnuPG states: -t, --textmode Treat input files as text and store them in the OpenPGP canonical text form with standard "CRLF" line endings. The only time this would seem to matter is with clearsigning, as that is the only time GnuPG writes an input file to its output as text. So, I did the following on a Linux box: $ gpg --clearsign --textmode test1.txt The output was stored as test1.txt.asc, but didn't have CRLF line endings. The line endings were still native Linux LF-only like the source file. So, if --textmode doesn't convert to CRLF during clearsigning, when does it convert? Also, I noticed when searching for information, some sample command lines given with --textmode and --detach-sign. What is the purpose of textmode for a detached signature? The man page further explains that --textmode sets a text flag in the message. Does a detached signature have this text flag? Is any sort of conversion done on the original file during verification of a detached signature? Thanks. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 372 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060110/b33784f7/signature.pgp From wk at gnupg.org Wed Jan 11 12:48:44 2006 From: wk at gnupg.org (Werner Koch) Date: Wed Jan 11 12:52:04 2006 Subject: Textmode for dummies (me) In-Reply-To: <43C499F4.2050808@excelcia.org> (Kurt Fitzner's message of "Tue, 10 Jan 2006 22:39:00 -0700") References: <43C499F4.2050808@excelcia.org> Message-ID: <87slrvnfxf.fsf@wheatstone.g10code.de> On Tue, 10 Jan 2006 22:39:00 -0700, Kurt Fitzner said: > the only time GnuPG writes an input file to its output as text. So, I > did the following on a Linux box: > $ gpg --clearsign --textmode test1.txt --clearsign automatically enables --textmode. The rationale for the plain textmode (binary or armored messages) is to allow the recipient to unpack the data with his native line encodings. To support this the line encodings are canonicalized (to CR,LF) when hashing the document. Thus the signature will can be verified even when the line encodings has been changed. > So, if --textmode doesn't convert to CRLF during clearsigning, when does > it convert? It does not convert the data you see but does it only internally during signature creation/verification. > Also, I noticed when searching for information, some sample command > lines given with --textmode and --detach-sign. What is the purpose of > textmode for a detached signature? The man page further explains Same as above. The signature is calculated over teh canonicalized document. > --textmode sets a text flag in the message. Does a detached signature > have this text flag? Is any sort of conversion done on the original Yes. > file during verification of a detached signature? No (only internally). Salam-Shalom, Werner From kfitzner at excelcia.org Wed Jan 11 13:01:49 2006 From: kfitzner at excelcia.org (Kurt Fitzner) Date: Wed Jan 11 13:01:32 2006 Subject: Bug in GnuPG In-Reply-To: <200601102309160240.003EDEAB@216.135.2.37> References: <000501c615d8$43b82a60$971387d8@net> <878xto2l3c.fsf@wheatstone.g10code.de> <200601101248340340.00194EBF@216.135.2.37> <87wth7yg10.fsf@wheatstone.g10code.de> <200601102309160240.003EDEAB@216.135.2.37> Message-ID: <43C4F3AD.1060501@excelcia.org> It seems to me that the loop nesting just needs to be reversed. It seems like the way GnuPG works is that it has a list of session keys, and a list of private keys. It then iterates through the list of session keys and tries to see if any private key matches. This makes it so that if the session key is anonymous, it has to ask for each private key passphrase in turn, and do this for each and every session key. If the logic were reversed, this would be avoided. Iterate through the private keys first, then test each private key to see if it will decrypt a session key. The passphrase is asked for once for each private key instead of for each session key times the number of private keys. ie: right now, it works this way for (int s = 0; s < NumSessionKeys; s++) { for (int k = 0; k < NumPrivateKeys; k++) { char *PassPhrase = GetPassphrase(PrivateKeyList[k]); if (DecryptSessionKey(SessionKeyList[s], PassPhrase)) /* decrypt message here */ } } Perhaps it would be better like this: for (int k = 0; k < NumPrivateKeys; k++) { char *PassPhrase = GetPassphrase(PrivateKeyList[k]); for (int s = 0; s < NumSessionKeys; s++) { if (DecryptSessionKey(SessionKeyList[s], PassPhrase)) /* decrypt message here */ } } That's a terrible simplification, but it seems to me like the logic works better this way. Kurt. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 305 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060111/03d3a066/signature-0001.pgp From gpg at tapani.tarvainen.info Wed Jan 11 14:31:07 2006 From: gpg at tapani.tarvainen.info (Tapani Tarvainen) Date: Wed Jan 11 17:18:57 2006 Subject: gpg-agent caching with smartcard Message-ID: <20060111133107.GD22656@tarzan.it.jyu.fi> I can't seem to make gpg-agent cache smartcard PIN at all, whether signing, decrypting or authenticating ssh. All of those work fine otherwise, but I have to enter the PIN every time. I did set "signature PIN" to "not forced" in the card. I am using subkeys, which may or may not be relevant, gpg version 1.4.2, gpg-agent 1.9.20 Searching I found only one reference to similar problem, with no solution: http://lists.gnupg.org/pipermail/gnupg-devel/2005-March/021888.html Is this a bug, or am I missing something? -- Tapani Tarvainen From wk at gnupg.org Wed Jan 11 17:34:36 2006 From: wk at gnupg.org (Werner Koch) Date: Wed Jan 11 17:36:49 2006 Subject: gpg-agent caching with smartcard In-Reply-To: <20060111133107.GD22656@tarzan.it.jyu.fi> (Tapani Tarvainen's message of "Wed, 11 Jan 2006 15:31:07 +0200") References: <20060111133107.GD22656@tarzan.it.jyu.fi> Message-ID: <87hd8an2oz.fsf@wheatstone.g10code.de> On Wed, 11 Jan 2006 15:31:07 +0200, Tapani Tarvainen said: > Is this a bug, or am I missing something? Yes, this is a bug. It will soon start to bite me more and more because I am now actually using a card productive many times a day ... Salam-Shalom, Werner From Nikolaus at rath.org Wed Jan 11 20:52:01 2006 From: Nikolaus at rath.org (Nikolaus Rath) Date: Wed Jan 11 22:48:47 2006 Subject: Random seed for symetric encryption Message-ID: <87bqyik0f2.fsf@nokile.rath.org> Hello! I'm using gpg to symetrically encrypt a lot of files. Unfortunately, gpg regularly complains about an empty random seed while processing. Now I wonder why gpg needs random data for symetric encryption. Should I care about the message or not? And how can I make it disappear? Thanks, --Nikolaus -- A: Weil es die Lesbarkeit des Textes verschlechtert. Q: Warum ist TOFU so schlimm? A: TOFU F: Was ist das groesste Aergerniss in eMail und Usenet? From sean at rima.ws Wed Jan 11 22:14:10 2006 From: sean at rima.ws (Sean Rima) Date: Wed Jan 11 22:48:55 2006 Subject: gemplus GEMPC430 reader (resent) Message-ID: <1163179547.20060111211410@rima.ws> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello gnupg-users, I may have the chance to inherit a Gemplus gemPC430 USB card reader to use with my PC. I am looking to get an gpg card from kernel concepts, but want to know if anyone has used this reader with gpg Sean - -- +---------------------------------------------------+ |VOIP= FreeWorldDial: 689482 VOIPBUSTER: thecivvie | |GPG Key http://thecivvie.fastmail.fm/thecivvie.asc | +---------------------------------------------------+ Strange things happen under the midnight sun when Men and Dogs go hunting for gold Cannot open file "\Jasper\MP3 p.txt" To get my public GPG key send me an email with the Subject of GET GPG KEY -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) Comment: Gossamer Spider Web of Trust: http://www.gswot.org iD8DBQFDxCnjDif86V/dzTsRApvYAJ9yaW1eRW8n4bfS40TOcfXeSxbtlwCbBv2h 1FA3R8OKyEk8zLIpoFtZGxg= =RqGX -----END PGP SIGNATURE----- From sean at rima.ws Tue Jan 10 22:40:48 2006 From: sean at rima.ws (Sean Rima) Date: Wed Jan 11 22:52:58 2006 Subject: gemplus GEMPC430 reader Message-ID: <1614023119.20060110214048@rima.ws> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello gnupg-users, I may have the chance to inherit a Gemplus gemPC430 USB card reader to use with my PC. I am looking to get an gpg card from kernel concepts, but want to know if anyone has used this reader with gpg Sean - -- +---------------------------------------------------+ |VOIP= FreeWorldDial: 689482 VOIPBUSTER: thecivvie | |GPG Key http://thecivvie.fastmail.fm/thecivvie.asc | +---------------------------------------------------+ Strange things happen under the midnight sun when Men and Dogs go hunting for gold Cannot open file "\Jasper\MP3 p.txt" To get my public GPG key send me an email with the Subject of GET GPG KEY -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) Comment: Gossamer Spider Web of Trust: http://www.gswot.org iD8DBQFDxCnjDif86V/dzTsRApvYAJ9yaW1eRW8n4bfS40TOcfXeSxbtlwCbBv2h 1FA3R8OKyEk8zLIpoFtZGxg= =RqGX -----END PGP SIGNATURE----- From cam at mathematica.scientia.net Thu Jan 12 01:48:09 2006 From: cam at mathematica.scientia.net (Christoph Anton Mitterer) Date: Thu Jan 12 01:47:47 2006 Subject: Random seed for symetric encryption In-Reply-To: <87bqyik0f2.fsf@nokile.rath.org> References: <87bqyik0f2.fsf@nokile.rath.org> Message-ID: <43C5A749.2010302@mathematica.scientia.net> Nikolaus Rath wrote: >Now I wonder why gpg needs random data for symetric encryption. Should >I care about the message or not? And how can I make it disappear? > > As far as I know, even for symmetric encryption gnupg uses a session key package, which is than encrypted via s2k-algorithms (your passphrase and salt and so). See section 5.3 of the standard (http://www.ietf.org/internet-drafts/draft-ietf-openpgp-rfc2440bis-15.txt). The reason for doing so is mainly that you can specify more than one recipents. The standard would also allow to directly use the s2k-generated key, but I don't know wheter or not gpg support this. Chris. From cam at mathematica.scientia.net Thu Jan 12 01:51:00 2006 From: cam at mathematica.scientia.net (Christoph Anton Mitterer) Date: Thu Jan 12 01:50:29 2006 Subject: gemplus GEMPC430 reader In-Reply-To: <1614023119.20060110214048@rima.ws> References: <1614023119.20060110214048@rima.ws> Message-ID: <43C5A7F4.6000702@mathematica.scientia.net> Sean Rima wrote: > I may have the chance to inherit a Gemplus gemPC430 USB card reader > to use with my PC. I am looking to get an gpg card from kernel > concepts, but want to know if anyone has used this reader with gpg I cannot tell you definitely if it works, but at least in Debian there are lib packages provided for the PC430 for pcscd. So it should work with gnupg, too. Chris. From gpg at tapani.tarvainen.info Thu Jan 12 04:45:45 2006 From: gpg at tapani.tarvainen.info (Tapani Tarvainen) Date: Thu Jan 12 04:45:48 2006 Subject: gpg-agent caching with smartcard In-Reply-To: <87hd8an2oz.fsf@wheatstone.g10code.de> References: <20060111133107.GD22656@tarzan.it.jyu.fi> <87hd8an2oz.fsf@wheatstone.g10code.de> Message-ID: <20060112034544.GA27455@tarzan.it.jyu.fi> On Wed, Jan 11, 2006 at 05:34:36PM +0100, Werner Koch (wk@gnupg.org) wrote: > Yes, this is a bug. > > It will soon start to bite me more and more because I am now actually > using a card productive many times a day ... Duh. It makes the card essentially unusable for the purpose I had in mind (replacing ssh-agent with gpg-agent using the card). :-( -- Tapani Tarvainen From huber+gpg at alum.wpi.edu Fri Jan 13 18:13:03 2006 From: huber+gpg at alum.wpi.edu (Josh) Date: Fri Jan 13 20:18:31 2006 Subject: BZIP2 algorithm In-Reply-To: <43BEF9A1.6090706@gmail.com> (lusfert@gmail.com's message of "Sat, 07 Jan 2006 02:13:37 +0300") References: <62399C46.36B44AEF.0307202B@netscape.net> <43BEF9A1.6090706@gmail.com> Message-ID: <874q48qcf4.fsf@callisto.paradoxical.net> lusfert writes: > Henry Hertz Hobbit wrote on 06.01.2006 16:34: >> http://www.bzip.org/ >> > Thanks, this helps. > I installed bzip2-1.0.3.tar.gz and after this command "./configure" > found bzlib.h without additional options. Now after compiling "gpg > --version" displays: Rather than installing from source, the correct thing to do here would be to install the bzip2 library "dev" package: # apt-get install libbz2-dev You can use dpkg to verify that it contains the files you want/need: $ dpkg -L libbz2-dev /. /usr /usr/lib /usr/lib/libbz2.a /usr/include /usr/include/bzlib.h /usr/share /usr/share/doc /usr/lib/libbz2.so /usr/share/doc/libbz2-dev In the future, if you're looking for a development package, and you don't know what to install, I'd recommed using the apt-file utility. (install with "apt-get install apt-file") First, make sure the file lists are up-to-date: # apt-file update [snip output] Next, search by filename pattern: # apt-file search bzlib.h libbz2-dev: usr/include/bzlib.h Similarly, you can use "apt-cache" to search package names and descriptions: Make sure the package lists are up-to-date: # apt-get update [snip output] Search based on name/description: $ apt-cache search bz2 development libbz2-dev - high-quality block-sorting file compressor library - development Hope that helps in the future, Josh -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 188 bytes Desc: not available Url : /pipermail/attachments/20060113/9c1793b8/attachment.pgp From kfitzner at excelcia.org Fri Jan 13 18:35:13 2006 From: kfitzner at excelcia.org (Kurt Fitzner) Date: Fri Jan 13 21:51:14 2006 Subject: [Announce] GPGee version 1.3.0 Released Message-ID: <43C7E4D1.4070400@excelcia.org> Skipped content of type multipart/signed-------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From nixclusive0 at gmail.com Fri Jan 13 20:57:43 2006 From: nixclusive0 at gmail.com (Nicky) Date: Fri Jan 13 21:53:14 2006 Subject: What is MDC? Message-ID: <43C80637.6030409@gmail.com> When I edit my key: Command> showpref pub 4096R/057AC4BC created: 2005-12-08 expires: never usage: CS trust: ultimate validity: ultimate [ultimate] (1). Nicky Cipher: TWOFISH, AES256, AES192, AES, BLOWFISH, CAST5, 3DES, IDEA Digest: SHA512, SHA384, SHA256, RIPEMD160, SHA1, MD5 Compression: BZIP2, ZLIB, ZIP, Uncompressed Features: MDC, Keyserver no-modify Preferred keyserver: http://keyserver.pgp.com/ [ultimate] (2) [jpeg image of size 28144] Cipher: TWOFISH, AES256, AES192, AES, BLOWFISH, CAST5, 3DES, IDEA Digest: SHA512, SHA384, SHA256, RIPEMD160, SHA1, MD5 Compression: BZIP2, ZLIB, ZIP, Uncompressed Features: MDC, Keyserver no-modify there is something called MDC in the features list. What is it and how do I benefit from it? I found some info here but didn't knew what to do with it: http://www.google.com/search?q=define:MDC -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 155 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060114/f0d89e52/signature.pgp From pkern at debian.org Fri Jan 13 22:11:39 2006 From: pkern at debian.org (Philipp Kern) Date: Fri Jan 13 22:11:43 2006 Subject: What is MDC? In-Reply-To: <43C80637.6030409@gmail.com> References: <43C80637.6030409@gmail.com> Message-ID: <43C8178B.708@debian.org> Nicky wrote: > there is something called MDC in the features list. What is it and how > do I benefit from it? I found some info here but didn't knew what to do > with it: See http://lwn.net/Articles/7688/. Kind regards, Philipp Kern -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060113/bb0c295e/signature.pgp From cam at mathematica.scientia.net Fri Jan 13 22:57:42 2006 From: cam at mathematica.scientia.net (Christoph Anton Mitterer) Date: Fri Jan 13 22:57:15 2006 Subject: What is MDC? In-Reply-To: <43C80637.6030409@gmail.com> References: <43C80637.6030409@gmail.com> Message-ID: <43C82256.4000606@mathematica.scientia.net> You may also look at section 5.14 in the standard (http://www.ietf.org/internet-drafts/draft-ietf-openpgp-rfc2440bis-15.txt). From nidhog at gmail.com Sun Jan 15 02:20:47 2006 From: nidhog at gmail.com (nidhog) Date: Sun Jan 15 04:18:44 2006 Subject: Fwd: hard-copy backups In-Reply-To: References: <20060105052104.53970.qmail@smasher.org> <20060105150555.GI21530@syjon.fantastyka.net> <20060105190720.35059.qmail@smasher.org> <20060106112557.GJ21530@syjon.fantastyka.net> <20060106130444.GE16547@vanheusden.com> <43BFCEA0.1000900@excelcia.org> Message-ID: Going back to basics, IMHO, the best way to keep a backup of your secret key is by splitting it first and giving parts of it to a number of different persons/entities whom you trust to keep it safely. Another requirement is to make sure those entities don't know each other at all... you can do the same with the passphrase... or you can tattoo it on top of your head... but if you have a long one... ouch. :) -- /nh From kfitzner at excelcia.org Sun Jan 15 13:34:57 2006 From: kfitzner at excelcia.org (Kurt Fitzner) Date: Sun Jan 15 13:34:42 2006 Subject: Secret key not found - is this normal? Message-ID: <43CA4171.6080902@excelcia.org> I have found that on the gpg command line, I can't specify a key to sign with by using a user id unless that user id is the primary. For example, my primary user id is kfitzner@excelcia.org, and one of my secondary ones is kfitzner@shaw.ca. This works: $ gpg -u kfitzner@excelcia.org --detach-sign while this doesn't: $ gpg -u kfitzner@shaw.ca --detach-sign gpg: skipped "kfitzner@shaw.ca": secret key not available gpg: signing failed: secret key not available I can list the key this way, though: $ gpg --list-key kfitzner@shaw.ca I never noticed this behavior before. Is this normal/intended, or have my too-frequent edits of my key done something bad? Kurt. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 305 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060115/78303442/signature.pgp From wk at gnupg.org Sun Jan 15 18:10:59 2006 From: wk at gnupg.org (Werner Koch) Date: Sun Jan 15 18:17:04 2006 Subject: Secret key not found - is this normal? In-Reply-To: <43CA4171.6080902@excelcia.org> (Kurt Fitzner's message of "Sun, 15 Jan 2006 05:34:57 -0700") References: <43CA4171.6080902@excelcia.org> Message-ID: <874q45s9gc.fsf@wheatstone.g10code.de> On Sun, 15 Jan 2006 05:34:57 -0700, Kurt Fitzner said: > I have found that on the gpg command line, I can't specify a key to sign > with by using a user id unless that user id is the primary. That is a problem with syncronizing secret and public key. The secret key should contains all the inforation of the public one plus the secret stuff. However it is hard to keep them in sync and so sometimes we don't get it right or even don't try to do. The effect is that whenever gpg searches for a key in the secring.gpg it won't find a key if the specification is for a example a user ID missing on the secret key. Please use a key ID or fingerprint, they are always valid. The actual solution is to never search by looking at the secring but to seacrh the pubring and then to check whether a candidate key has secret counterpart. This is the solution used for gpgsm and it works quite well. The required changes are pretty large, so I don't think it makes sense to add it to gpg 1.4 now. Salam-Shalom, Werner From jharris at widomaker.com Sun Jan 15 21:26:04 2006 From: jharris at widomaker.com (Jason Harris) Date: Sun Jan 15 22:01:28 2006 Subject: new (2006-01-08) keyanalyze results (+sigcheck) Message-ID: <20060115202603.GA463@wilma.widomaker.com> New keyanalyze results are available at: http://keyserver.kjsl.com/~jharris/ka/2006-01-08/ Signatures are now being checked using keyanalyze+sigcheck: http://dtype.org/~aaronl/ Earlier reports are also available, for comparison: http://keyserver.kjsl.com/~jharris/ka/ Even earlier monthly reports are at: http://dtype.org/keyanalyze/ SHA-1 hashes and sizes for all the "permanent" files: 5bb5d8a407e06b5a6b6e0ce501a45bf59134cc1a 13201218 preprocess.keys 39ce26b91187732004474f5a9fc821b2772c4f40 7989999 othersets.txt 8db103fd8007c9e2b07d07495509457d6b191032 3265292 msd-sorted.txt a751f9d5477744a4f5e5ce6ebad6a60908e317ee 1372 index.html be184646b736dd40e6eca5c76ce71153364156bb 2291 keyring_stats 07ed524e7f7b3a5e7ab7d1c8bb80641d2ff633a7 1278076 msd-sorted.txt.bz2 29b525da814cf19d8ddd1b3ae67835fd5807457c 26 other.txt 9fef3fa32a80b6f772502b28ae88409e8562a7ad 1722601 othersets.txt.bz2 d91508dbac9382994fdf69031317476ae0d73c0b 5342573 preprocess.keys.bz2 dbb2b34d7385fa93c2454e73a33ba955e7294bd9 13336 status.txt 78315a010646c70e3f6a75bfd8aacce7a6493b74 210078 top1000table.html e506bb7f276b3ee43632998b19084211b9d2951e 30083 top1000table.html.gz a28e7f0cd5362b007604f00a1bdd3fca8005b99c 10780 top50table.html b1610820aa1e16cabf4b6e4f2e6c07aeb871f8b2 2514 D3/D39DA0E3 -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 313 bytes Desc: not available Url : /pipermail/attachments/20060115/90d70885/attachment.pgp From Nikolaus at rath.org Mon Jan 16 11:47:31 2006 From: Nikolaus at rath.org (Nikolaus Rath) Date: Mon Jan 16 11:46:53 2006 Subject: Random seed for symetric encryption In-Reply-To: <43CB7529.8040303@securemecca.net> (Henry Hertz Hobbit's message of "Mon, 16 Jan 2006 03:27:53 -0700") References: <43CB7529.8040303@securemecca.net> Message-ID: <87bqyc30vw.fsf@nokile.rath.org> Henry Hertz Hobbit writes: >> >Now I wonder why GPG needs random data for symmetric >> >encryption. Should I care about the message or not? >> >And how can I make it disappear? > > The SHORT answer is, yes it does need random data for just doing > symmetric encryption. Yes, you should care about the message. > To make the message disapper create a public / private key with > a passphrase that will NEVER be the same passphrase that is used > for the encryption of your files. If you never use it (don't > send email messages that are signed or encrypted) make it > something you are guaranteed to forget and never use again > (repeatable random key strokes? - you need to type it twice). I do have a public/private keypair which is regularly used. An the random seed file actually exists. The warning is not always displayed but only from time to time, just as if gpg ran out of randomness. So I dare say that creating another keypair will not make it disappear, will it? Thanks, --Nikolaus -- In Linux werden mehr Sicherheitsl?cken gefunden. In Windows sind mehr Sicherheitsl?cken drin. -- Lutz Donnerhacke From nicolas-g.blanc at laposte.net Fri Jan 6 23:41:13 2006 From: nicolas-g.blanc at laposte.net (Blanc Nicolas) Date: Mon Jan 16 13:13:36 2006 Subject: Passphrase problem Message-ID: <200601062341.13632.nicolas-g.blanc@laposte.net> Hi, I am using GnuPG since about 2 years and I never had any problem with it. But recently, I update my KDE to KDE 3.5 and then I got a problem using my keys. Of course, I don't know if there is a link with what I've done, but since then, I can't decrypt any encrypted file. My secret keys are available and when I want to decrypt, it just says that my passphrase is wrong. But, I am SURE about my passphrase ! I have done the update of KDE on my computer and my laptop, and with both I can't use my keys anymore to decrypt (I can still encrypt with). And, if I create a new key and I encrypt with it, I've got no problem decrypting the file. And I really don't know why... Maybe a problem with KDE ? the keyboard mapping ? Or a problem with charset ? Thanks for your response. Nicolas From liljencrantz at gmail.com Fri Jan 13 15:34:08 2006 From: liljencrantz at gmail.com (Axel Liljencrantz) Date: Mon Jan 16 13:13:50 2006 Subject: Providing shell-completions for gpg, minor scripting issues Message-ID: <7dad0d770601130634j319dff52v192b050230015c1c@mail.gmail.com> Hello, I'm currently writing a set of gpg-specific completions for the fish shell (http://roo.no-ip.org/fish). These completions already feature all the switches for gpg, and a description of each switch, usually the first sentence of the manpage description. While doing this, I've run across an issue with scripting. Fish allows you to tab-complete sub-arguments to switches, so you can for instance write fish> gpg --verify-options=show-photos,show-us and the line will complete to fish> gpg --verify-options=show-photos,show-user-notations I'd like to do this for the various switches that accept a crypto algorithm, unfortunatly I have some problems with getting a good listing of the algorithms supported by the users GPG implementation. Running 'gpg --version' prints them, but it does so in format that I'm not very happy with: gpg (GnuPG) 1.4.1 Copyright (C) 2005 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. Home: ~/.gnupg St?dda algoritmer: ?ppen nyckel: RSA, RSA-E, RSA-S, ELG-E, DSA Chiffer: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH Kontrollsumma: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512 Komprimering: Okomprimerad, ZIP, ZLIB, BZIP2 As you can see, the format is locale dependant. I'm also worried that changed phrasing, further algorithm subdivision, etc. will mean that my parsing rules will break. To get a locale independant format, I have to invoke GPG with a LC_ALL set to C. This doen't seem very optimal to me. Is there some other way of getting this information that I've missed? If not, could perhaps the --with-colons switch be made to act on --version as well, to get an more robust format? -- Axel From alphasigmax at gmail.com Mon Jan 16 14:43:04 2006 From: alphasigmax at gmail.com (Alphax) Date: Mon Jan 16 14:43:45 2006 Subject: Providing shell-completions for gpg, minor scripting issues In-Reply-To: <7dad0d770601130634j319dff52v192b050230015c1c@mail.gmail.com> References: <7dad0d770601130634j319dff52v192b050230015c1c@mail.gmail.com> Message-ID: <43CBA2E8.3040306@gmail.com> Axel Liljencrantz wrote: > Hello, > > I'm currently writing a set of gpg-specific completions for the fish > shell (http://roo.no-ip.org/fish). These completions already feature > all the switches for gpg, and a description of each switch, usually > the first sentence of the manpage description. > > While doing this, I've run across an issue with scripting. Fish allows > you to tab-complete sub-arguments to switches, so you can for instance > write > > fish> gpg --verify-options=show-photos,show-us > > and the line will complete to > > fish> gpg --verify-options=show-photos,show-user-notations > > I'd like to do this for the various switches that accept a crypto > algorithm, unfortunatly I have some problems with getting a good > listing of the algorithms supported by the users GPG implementation. > Running 'gpg --version' prints them, but it does so in format that I'm > not very happy with: > > gpg (GnuPG) 1.4.1 > Copyright (C) 2005 Free Software Foundation, Inc. > This program comes with ABSOLUTELY NO WARRANTY. > This is free software, and you are welcome to redistribute it > under certain conditions. See the file COPYING for details. > > Home: ~/.gnupg > St?dda algoritmer: > ?ppen nyckel: RSA, RSA-E, RSA-S, ELG-E, DSA > Chiffer: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH > Kontrollsumma: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512 > Komprimering: Okomprimerad, ZIP, ZLIB, BZIP2 > > As you can see, the format is locale dependant. I'm also worried that > changed phrasing, further algorithm subdivision, etc. will mean that > my parsing rules will break. To get a locale independant format, I > have to invoke GPG with a LC_ALL set to C. This doen't seem very > optimal to me. Is there some other way of getting this information > that I've missed? If not, could perhaps the --with-colons switch be > made to act on --version as well, to get an more robust format? > gpg --verbose --version gpg (GnuPG) 1.4.1 Copyright (C) 2005 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. Home: ~/.gnupg Supported algorithms: Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA Cipher: 3DES (S2), CAST5 (S3), BLOWFISH (S4), AES (S7), AES192 (S8), AES256 (S9), TWOFISH (S10) Hash: MD5 (H1), SHA1 (H2), RIPEMD160 (H3), SHA256 (H8), SHA384 (H9), SHA512 (H10) Compression: Uncompressed (Z0), ZIP (Z1), ZLIB (Z2) HTH, -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards http://tinyurl.com/cc9up | / \ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 556 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060117/499b4d5a/signature.pgp From dshaw at jabberwocky.com Mon Jan 16 14:58:34 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Jan 16 14:58:07 2006 Subject: Providing shell-completions for gpg, minor scripting issues In-Reply-To: <7dad0d770601130634j319dff52v192b050230015c1c@mail.gmail.com> References: <7dad0d770601130634j319dff52v192b050230015c1c@mail.gmail.com> Message-ID: <20060116135834.GA13482@jabberwocky.com> On Fri, Jan 13, 2006 at 03:34:08PM +0100, Axel Liljencrantz wrote: > Home: ~/.gnupg > St?dda algoritmer: > ?ppen nyckel: RSA, RSA-E, RSA-S, ELG-E, DSA > Chiffer: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH > Kontrollsumma: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512 > Komprimering: Okomprimerad, ZIP, ZLIB, BZIP2 > > As you can see, the format is locale dependant. I'm also worried that > changed phrasing, further algorithm subdivision, etc. will mean that > my parsing rules will break. To get a locale independant format, I > have to invoke GPG with a LC_ALL set to C. This doen't seem very > optimal to me. Is there some other way of getting this information > that I've missed? If not, could perhaps the --with-colons switch be > made to act on --version as well, to get an more robust format? gpg --with-colons --list-config Note the "pubkey", "cipher", "digest", and "compress" fields. David From websites at surfeu.at Mon Jan 16 16:19:47 2006 From: websites at surfeu.at (websites@surfeu.at) Date: Mon Jan 16 18:18:44 2006 Subject: only decrypting signed files? Message-ID: <1137424787.43cbb993d585d@webmail.tiscali-business.at> Is it possible to tell gpg to only decrypt signed files? the problem: i get files which are encrypted and signed with gpg --sign --encrypt is there a way to decrypt the files and get an error message if the file is not signed? bernhard From hhhobbit7 at netscape.net Mon Jan 16 23:25:48 2006 From: hhhobbit7 at netscape.net (Henry Hertz Hobbit) Date: Tue Jan 17 00:01:01 2006 Subject: Random seed for symetric encryption Message-ID: <19D178EC.402BEE66.0307202B@netscape.net> Nikolaus Rath writes: >Henry Hertz Hobbit writes: >>> >Now I wonder why GPG needs random data for symmetric >>> >encryption. Should I care about the message or not? >>> >And how can I make it disappear? >> >> The SHORT answer is, yes it does need random data for just doing >> symmetric encryption. Yes, you should care about the message. >> To make the message disapper create a public / private key with >> a passphrase that will NEVER be the same passphrase that is used >> for the encryption of your files. If you never use it (don't >> send email messages that are signed or encrypted) make it >> something you are guaranteed to forget and never use again >> (repeatable random key strokes? - you need to type it twice). > >I do have a public/private keypair which is regularly used. And the >random seed file actually exists. The warning is not always displayed >but only from time to time, just as if gpg ran out of randomness. So I >dare say that creating another keypair will not make it disappear, >will it? Oooooh! Now I understand more, and so does everybody else. To have us better help you, it would help if we knew the following (but first, generating another key will NOT make the message disappear): [1] OS & version [2] Whether this has happened all the time or just started. By that I mean did you have a period of time when it never did this after your first set up GPG. [3] The version of GPG you are using and if you have upgraded it at any time. [4] If you are having problems when you send email messages, since it is also using symmetric encryption underneath the hood so to speak. [5] When you encrypt files, if you are doing a lot of them at one time with little or no pause between each file. [6] The exact message again (I lost it) that GPG gives you when the random fails. The reason I say 1 and 5 is because I am curious if you are using a version of Unix that doesn't have a good pseudo random number generator and are instead using the Entropy Gathering Daemon (EGD) or some other randomizer. I can't see how it would happen, but since EGD was written in PERL, it may be overwhelmed if the system is severely loaded. More to the point if you are using Sun Solaris, IBM AIX, HPUX, or some of the other old style versions of Unix, you SHOULD be using something like EGD. If you never have problems sending email, or more to the point RECEIVING encrypted email, it makes the problem even more baffling. Usually, you would expect something like corrupted keys, etc. That doesn't sound like what is going on here. The only other thing I can think of is running out of file descriptors or something, because every time you use GPG, the random_seed file gets changed. Ditto if your system is overloaded and the CPU is maxed. HHH __________________________________________________________________ Switch to Netscape Internet Service. As low as $9.95 a month -- Sign up today at http://isp.netscape.com/register Netscape. Just the Net You Need. New! Netscape Toolbar for Internet Explorer Search from anywhere on the Web and block those annoying pop-ups. Download now at http://channels.netscape.com/ns/search/install.jsp From kfitzner at excelcia.org Tue Jan 17 09:32:54 2006 From: kfitzner at excelcia.org (Kurt Fitzner) Date: Tue Jan 17 09:32:37 2006 Subject: Does a secret key need to be signed? Message-ID: <43CCABB6.7070804@excelcia.org> I recently exported my key pair from GnuPG and imported it into PGP in order to get the user ids balanced between my public and secret keys. When I pulled the key pair back into GnuPG, I noticed that my secret key is now much smaller. I did a --list-packets and found that the secret key is missing self-signatures. My question is, does a secret key actually need to be signed? Kurt. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 305 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060117/476d0eb6/signature.pgp From Nikolaus at rath.org Tue Jan 17 10:06:18 2006 From: Nikolaus at rath.org (Nikolaus Rath) Date: Tue Jan 17 10:06:16 2006 Subject: Random seed for symetric encryption In-Reply-To: <19D178EC.402BEE66.0307202B@netscape.net> (Henry Hertz Hobbit's message of "Mon, 16 Jan 2006 17:25:48 -0500") References: <19D178EC.402BEE66.0307202B@netscape.net> Message-ID: <8764ojb4vp.fsf@nokile.rath.org> hhhobbit7@netscape.net (Henry Hertz Hobbit) writes: >>>> >Now I wonder why GPG needs random data for symmetric >>>> >encryption. Should I care about the message or not? >>>> >And how can I make it disappear? >>> >>> The SHORT answer is, yes it does need random data for just doing >>> symmetric encryption. Yes, you should care about the message. >>> To make the message disapper create a public / private key with >>> a passphrase that will NEVER be the same passphrase that is used >>> for the encryption of your files. If you never use it (don't >>> send email messages that are signed or encrypted) make it >>> something you are guaranteed to forget and never use again >>> (repeatable random key strokes? - you need to type it twice). >> >>I do have a public/private keypair which is regularly used. And the >>random seed file actually exists. The warning is not always displayed >>but only from time to time, just as if gpg ran out of randomness. So I >>dare say that creating another keypair will not make it disappear, >>will it? > > Oooooh! Now I understand more, and so does everybody else. > To have us better help you, it would help if we knew the > following (but first, generating another key will NOT make > the message disappear): > > [1] OS & version [0] nokile:~/Work$ uname -a Linux nokile 2.6.12-10-686 #1 Thu Dec 22 11:55:07 UTC 2005 i686 GNU/Linux (Ubuntu Breezy) > [2] Whether this has happened all the time or just started. > By that I mean did you have a period of time when it never > did this after your first set up GPG. Can't tell. It started as soon as I started encrypting lots of files with symmetric encryption (means: about 1 week ago). When I used public key encryption before this never happened. > [3] The version of GPG you are using and if you have upgraded > it at any time. [0] nokile:~/Work$ gpg --version gpg (GnuPG) 1.4.1 Copyright (C) 2005 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. Home: ~/.gnupg Supported algorithms: Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512 Compression: Uncompressed, ZIP, ZLIB, BZIP2 I did only the regular distribution updates. > [4] If you are having problems when you send email messages, > since it is also using symmetric encryption underneath the > hood so to speak. Hmm. No, never saw the message there. On the other hand, maybe my MUA is just hiding it. I'm using Gnus with PGG. > [5] When you encrypt files, if you are doing a lot of them at > one time with little or no pause between each file. Yes, exactly. About 2 GB in 14000 files. > [6] The exact message again (I lost it) that GPG gives you > when the random fails. I don't have the exact message here at the moment, but I'm pretty sure that it literally complained about an "empty random seed". --Nikolaus -- In Linux werden mehr Sicherheitsl?cken gefunden. In Windows sind mehr Sicherheitsl?cken drin. -- Lutz Donnerhacke From liljencrantz at gmail.com Mon Jan 16 14:54:14 2006 From: liljencrantz at gmail.com (Axel Liljencrantz) Date: Tue Jan 17 10:47:39 2006 Subject: Providing shell-completions for gpg, minor scripting issues In-Reply-To: <43CBA2E8.3040306@gmail.com> References: <7dad0d770601130634j319dff52v192b050230015c1c@mail.gmail.com> <43CBA2E8.3040306@gmail.com> Message-ID: <7dad0d770601160554k5ff7873bh743cd233b9e24d43@mail.gmail.com> On 1/16/06, Alphax wrote: > Axel Liljencrantz wrote: > > Hello, > > > > I'm currently writing a set of gpg-specific completions for the fish > > shell (http://roo.no-ip.org/fish). These completions already feature > > all the switches for gpg, and a description of each switch, usually > > the first sentence of the manpage description. > > > > While doing this, I've run across an issue with scripting. Fish allows > > you to tab-complete sub-arguments to switches, so you can for instance > > write > > > > fish> gpg --verify-options=show-photos,show-us > > > > and the line will complete to > > > > fish> gpg --verify-options=show-photos,show-user-notations > > > > I'd like to do this for the various switches that accept a crypto > > algorithm, unfortunatly I have some problems with getting a good > > listing of the algorithms supported by the users GPG implementation. > > Running 'gpg --version' prints them, but it does so in format that I'm > > not very happy with: > > > > gpg (GnuPG) 1.4.1 > > Copyright (C) 2005 Free Software Foundation, Inc. > > This program comes with ABSOLUTELY NO WARRANTY. > > This is free software, and you are welcome to redistribute it > > under certain conditions. See the file COPYING for details. > > > > Home: ~/.gnupg > > St?dda algoritmer: > > ?ppen nyckel: RSA, RSA-E, RSA-S, ELG-E, DSA > > Chiffer: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH > > Kontrollsumma: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512 > > Komprimering: Okomprimerad, ZIP, ZLIB, BZIP2 > > > > As you can see, the format is locale dependant. I'm also worried that > > changed phrasing, further algorithm subdivision, etc. will mean that > > my parsing rules will break. To get a locale independant format, I > > have to invoke GPG with a LC_ALL set to C. This doen't seem very > > optimal to me. Is there some other way of getting this information > > that I've missed? If not, could perhaps the --with-colons switch be > > made to act on --version as well, to get an more robust format? > > > > gpg --verbose --version The only change in the output format when using verbose is that some algorithms have what I assume to be an alternative name in parenthesis, and that the listings of algorithms are now linebreaked. The output is still locale dependant, it is still designed to be human-readable rather than machine readable, and the multiline output makes it slighly harder to parse, so this doesn't really help me. > > gpg (GnuPG) 1.4.1 > Copyright (C) 2005 Free Software Foundation, Inc. > This program comes with ABSOLUTELY NO WARRANTY. > This is free software, and you are welcome to redistribute it > under certain conditions. See the file COPYING for details. > > Home: ~/.gnupg > Supported algorithms: > Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA > Cipher: 3DES (S2), CAST5 (S3), BLOWFISH (S4), AES (S7), AES192 (S8), > AES256 (S9), TWOFISH (S10) > Hash: MD5 (H1), SHA1 (H2), RIPEMD160 (H3), SHA256 (H8), SHA384 (H9), > SHA512 (H10) > Compression: Uncompressed (Z0), ZIP (Z1), ZLIB (Z2) > > HTH, > -- > Alphax | /"\ > Encrypted Email Preferred | \ / ASCII Ribbon Campaign > OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards > http://tinyurl.com/cc9up | / \ > -- Axel From wk at gnupg.org Tue Jan 17 11:43:36 2006 From: wk at gnupg.org (Werner Koch) Date: Tue Jan 17 11:46:56 2006 Subject: Random seed for symetric encryption In-Reply-To: <8764ojb4vp.fsf@nokile.rath.org> (Nikolaus Rath's message of "Tue, 17 Jan 2006 10:06:18 +0100") References: <19D178EC.402BEE66.0307202B@netscape.net> <8764ojb4vp.fsf@nokile.rath.org> Message-ID: <877j8z5e3r.fsf@wheatstone.g10code.de> On Tue, 17 Jan 2006 10:06:18 +0100, Nikolaus Rath said: > Yes, exactly. About 2 GB in 14000 files. You are running several concurrent gpg processes? >> [6] The exact message again (I lost it) that GPG gives you >> when the random fails. > I don't have the exact message here at the moment, but I'm pretty sure > that it literally complained about an "empty random seed". Yes, that may indeed happen. gpg does not take a file lock while reading or writing the seed file; thus races may happen. This is usually not a severe problem as gpg will detect it and fill up the entropy pool from /dev/random in this case. The solution is to take a file lock; I don't want to do this always but I see your problem and may be a new option can be used to lock reandom-seed access. Shalom-Salam, Werner From cam at mathematica.scientia.net Tue Jan 17 16:51:49 2006 From: cam at mathematica.scientia.net (Christoph Anton Mitterer) Date: Tue Jan 17 16:51:22 2006 Subject: Does a secret key need to be signed? In-Reply-To: <43CCABB6.7070804@excelcia.org> References: <43CCABB6.7070804@excelcia.org> Message-ID: <43CD1295.3040401@mathematica.scientia.net> Kurt Fitzner wrote: >My question is, does a secret key actually need to be signed? > > Correct me if I'm wrong, but _secret_ keys are never selfsigned, at least not under normal circumstances... Perhaps it is allowed to sign it with a 0x1F but I'd have to look this up in the standard,... It wouldn't even make sense,... Chris. From dshaw at jabberwocky.com Tue Jan 17 17:14:47 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Jan 17 17:14:27 2006 Subject: Does a secret key need to be signed? In-Reply-To: <43CCABB6.7070804@excelcia.org> References: <43CCABB6.7070804@excelcia.org> Message-ID: <20060117161447.GB32706@jabberwocky.com> On Tue, Jan 17, 2006 at 01:32:54AM -0700, Kurt Fitzner wrote: > I recently exported my key pair from GnuPG and imported it into PGP in > order to get the user ids balanced between my public and secret keys. > When I pulled the key pair back into GnuPG, I noticed that my secret key > is now much smaller. I did a --list-packets and found that the secret > key is missing self-signatures. > > My question is, does a secret key actually need to be signed? No, a secret key does not need to be selfsigned. The self-signatures from the public key are the ones that matter. When self-signing, GnuPG does put the selfsigs on both the secret and public key as a convenience: when importing a secret key, GPG can then create a public key from the secret key automatically. David From Nikolaus at rath.org Wed Jan 18 10:13:57 2006 From: Nikolaus at rath.org (Nikolaus Rath) Date: Wed Jan 18 10:13:19 2006 Subject: Random seed for symetric encryption In-Reply-To: <877j8z5e3r.fsf@wheatstone.g10code.de> (Werner Koch's message of "Tue, 17 Jan 2006 11:43:36 +0100") References: <19D178EC.402BEE66.0307202B@netscape.net> <8764ojb4vp.fsf@nokile.rath.org> <877j8z5e3r.fsf@wheatstone.g10code.de> Message-ID: <87k6cxlwyy.fsf@nokile.rath.org> Werner Koch writes: > On Tue, 17 Jan 2006 10:06:18 +0100, Nikolaus Rath said: > >> Yes, exactly. About 2 GB in 14000 files. > > You are running several concurrent gpg processes? Hmm. Actually, yes. I didn't notice that until now, but they are up to 4 concurrent processes. >>> [6] The exact message again (I lost it) that GPG gives you >>> when the random fails. > >> I don't have the exact message here at the moment, but I'm pretty sure >> that it literally complained about an "empty random seed". > > Yes, that may indeed happen. gpg does not take a file lock while > reading or writing the seed file; thus races may happen. This is > usually not a severe problem as gpg will detect it and fill up the > entropy pool from /dev/random in this case. > > The solution is to take a file lock; I don't want to do this always > but I see your problem and may be a new option can be used to lock > reandom-seed access. Ok, thanks a lot. Regards, --Nikolaus -- In Linux werden mehr Sicherheitsl?cken gefunden. In Windows sind mehr Sicherheitsl?cken drin. -- Lutz Donnerhacke From wk at gnupg.org Wed Jan 18 11:09:59 2006 From: wk at gnupg.org (Werner Koch) Date: Wed Jan 18 11:12:01 2006 Subject: only decrypting signed files? In-Reply-To: <1137424787.43cbb993d585d@webmail.tiscali-business.at> (websites@surfeu.at's message of "Mon, 16 Jan 2006 16:19:47 +0100") References: <1137424787.43cbb993d585d@webmail.tiscali-business.at> Message-ID: <87fynl26fc.fsf@wheatstone.g10code.de> On Mon, 16 Jan 2006 16:19:47 +0100, websites said: > Is it possible to tell gpg to only decrypt signed files? --skip-verify > the problem: > i get files which are encrypted and signed with gpg --sign --encrypt > is there a way to decrypt the files and get an error message if the file is > not signed? You need to parse the status messages (see --status-fd and doc/DETAILS). Or you may use the gpgme library which makes this much easier. Shalom-Salam, Werner From wk at gnupg.org Wed Jan 18 11:13:31 2006 From: wk at gnupg.org (Werner Koch) Date: Wed Jan 18 11:16:51 2006 Subject: Passphrase problem In-Reply-To: <200601062341.13632.nicolas-g.blanc@laposte.net> (Blanc Nicolas's message of "Fri, 6 Jan 2006 23:41:13 +0100") References: <200601062341.13632.nicolas-g.blanc@laposte.net> Message-ID: <87bqy9269g.fsf@wheatstone.g10code.de> On Fri, 6 Jan 2006 23:41:13 +0100, Blanc Nicolas said: > And I really don't know why... Maybe a problem with KDE ? the keyboard > mapping ? Or a problem with charset ? gpg does not care about the charset for passphrases and thus if you have non-ascii in your passpharse and switch the charset of your terminal this will lead to problems. Workaround is to use the old terminal setting and change the passpharse using only ascii. You may the later change it again using the new charset. Not sure how this maps to KDE. Salam-Shalom, Werner From alex at milivojevic.org Wed Jan 18 16:24:03 2006 From: alex at milivojevic.org (Aleksandar Milivojevic) Date: Wed Jan 18 17:23:52 2006 Subject: Compiling for sparcv8 and above Message-ID: <20060118092403.q592b4hrwg8cg4ws@www.milivojevic.org> There's a small typo in mpi/config.links that prevents usage of optimized assembler code for v8 and later sparc processors (assembler code for v7 gets selected). The config.links expects strings "sparc8" or "sparc9", while main configure accepts sparcv8 and sparcv9 (it bails out with error if passed --build=sparc8-sun-solaris2.9 (or sparc9)). There's some other "dead" CPU strings in config.links that are rejected by main configure (such as ultrasparc). The attached patch fixes this. However, it also exposes another bug. When links are setup to use sparc32v8 assembler routines, compilation fails with following error: gcc -g -O2 -Wall -Wno-pointer-sign -o mpicalc mpicalc.o ../cipher/libcipher.a ../mpi/libmpi.a ../util/libutil.a /opt/pbl/lib/libintl.so -lc -Wl,-rpath -Wl,/opt/pbl/lib ../mpi/libmpi.a(mpih-div.o): In function `mpihelp_mod_1': ../../mpi/mpih-div.c:186: undefined reference to `__udiv_qrnnd' ../../mpi/mpih-div.c:124: undefined reference to `__udiv_qrnnd' ../../mpi/mpih-div.c:87: undefined reference to `__udiv_qrnnd' ../mpi/libmpi.a(mpih-div.o): In function `mpihelp_divrem': ../../mpi/mpih-div.c:354: undefined reference to `__udiv_qrnnd' ../../mpi/mpih-div.c:238: undefined reference to `__udiv_qrnnd' ../mpi/libmpi.a(mpih-div.o):../../mpi/mpih-div.c:242: more undefined references to `__udiv_qrnnd' follow collect2: ld returned 1 exit status ---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program. -------------- next part -------------- A non-text attachment was scrubbed... Name: config.links.patch Type: text/x-patch Size: 763 bytes Desc: not available Url : /pipermail/attachments/20060118/c6410dd4/config.links.bin From blacq at slingshot.co.nz Thu Jan 19 04:14:59 2006 From: blacq at slingshot.co.nz (Paul Blacquiere) Date: Thu Jan 19 05:18:22 2006 Subject: Cross compile Error Message-ID: <20060119161459.8tx3kissook4kk4c@webmail.slingshot.co.nz> Hi FYI, Attempting to cross compile libgcrypt results in an error in build cipher in the test directory, Hacking the Makefile and adding -lpgp-error and -Lwhere_ever_you_have_it, fixed it for me. Not sure if this is a core issue, or something I did when building my pgp-error library. Cheers PaulB. From carsten.pfeiffer at first.fraunhofer.de Thu Jan 19 13:38:17 2006 From: carsten.pfeiffer at first.fraunhofer.de (Carsten Pfeiffer) Date: Thu Jan 19 15:18:15 2006 Subject: gpgsm: bad signature (which actually is not bad) Message-ID: <200601191338.18219.carsten.pfeiffer@first.fraunhofer.de> Hi, I'm having a problem importing an X.509 certificate in PEM format with gpgsm (1.9.19 -- unfortunately there is no Debian package for 1.9.20, yet). gpgsm reports a bad signature, albeit other applications, e.g. Mozilla Thunderbird are able to import and use it just fine. Any idea what might go wrong? Here's the verbose log I get: ? 4 - 2006-01-18 20:51:53 gpgsm[17943.0x8082e98] DBG: -> Home: ~/.gnupg ? 4 - 2006-01-18 20:51:53 gpgsm[17943.0x8082e98] DBG: -> Config: /home/gis/.gnupg/gpgsm.conf ? 4 - 2006-01-18 20:51:53 gpgsm[17943.0x8082e98] DBG: -> AgentInfo: /tmp/gpg-2bH7v8/S.gpg-agent:4733:1 ? 4 - 2006-01-18 20:51:53 gpgsm[17943.0x8082e98] DBG: -> DirmngrInfo: [not set] ? 4 - 2006-01-18 20:51:53 gpgsm[17943.0x8082e98] DBG: -> GNU Privacy Guard's S/M server 1.9.19 ready ? 4 - 2006-01-18 20:51:53 gpgsm[17943.0x8082e98] DBG: <- OPTION display=:0 ? 4 - 2006-01-18 20:51:53 gpgsm[17943.0x8082e98] DBG: -> OK ? 4 - 2006-01-18 20:51:53 gpgsm[17943.0x8082e98] DBG: <- OPTION lc-ctype=de_DE@euro ? 4 - 2006-01-18 20:51:53 gpgsm[17943.0x8082e98] DBG: -> OK ? 4 - 2006-01-18 20:51:53 gpgsm[17943.0x8082e98] DBG: <- OPTION lc-messages=de_DE@euro ? 4 - 2006-01-18 20:51:53 gpgsm[17943.0x8082e98] DBG: -> OK ? 4 - 2006-01-18 20:51:53 gpgsm[17943.0x8082e98] DBG: <- INPUT FD=13 ? 4 - 2006-01-18 20:51:53 gpgsm[17943.0x8082e98] DBG: -> OK ? 4 - 2006-01-18 20:51:53 gpgsm[17943.0x8082e98] DBG: <- IMPORT ? 4 - 2006-01-18 20:51:53 gpgsm[17943]: DBG: signature value: 28 37 3A 73 69 67 2D 76 61 6C 28 33 3A 72 73 61 28 31 3A 73 32 35 36 3A 36 D5 0F DC 43 33 69 95 07 12 C2 75 04 19 B9 38 81 EA 30 54 A2 03 56 51 10 41 5A 0A 37 6D A1 E0 08 C7 30 AE 5E 75 83 F5 C1 E1 F2 A0 B9 27 78 61 DC 6F DC 12 55 D2 AA 10 D1 AC EA FB 94 22 7D B2 B0 08 B1 B9 B7 AC 5E CE 4F D0 74 93 9C FE 96 0A 1E 9A 85 AF BA 53 21 FC 8B 57 1D CF 4F 97 FE 9A C9 A1 CD 8A A9 F0 E5 46 86 DA 17 63 38 36 CC 0D 95 8B 08 FC E5 97 67 86 C2 E5 DD 8A AE 91 8C C3 53 B9 FB 92 96 35 3F FE 88 FC 55 23 47 F1 0B 37 5A 9E D8 D9 97 3A 89 D9 19 60 E5 79 58 2F 6A 9D F1 E7 AF 85 2A AC 05 27 01 54 E4 7F C4 DC 60 BB 62 E6 48 16 06 D8 B9 FB BA 60 8D E4 EF 01 27 3B 58 22 66 28 C8 CD C0 EA 12 7F 09 71 6D 6B 40 8F EB 28 85 94 47 19 60 21 AF E0 D7 D5 29 1B 5E 15 F9 CF 53 7A 4E BA E9 9D 1B EF D9 56 3B DB A3 4D 70 7B F3 AB 72 D0 23 7E 13 A0 43 1C 31 38 7A 28 29 29 29 ? 4 - 2006-01-18 20:51:53 gpgsm[17943]: DBG: encoded hash: 00 01 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 00 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14 2C 4A 36 0F 60 5D 38 21 6F 3D 82 13 39 B4 3F 5F 7B C4 A4 E7 ? 4 - 2006-01-18 20:51:53 gpgsm[17943]: DBG: gcry_pk_verify: Falsche Unterschrift ? 4 - 2006-01-18 20:51:53 gpgsm[17943]: self-signed certificate has a BAD signature: Falsche Unterschrift ? 4 - 2006-01-18 20:51:53 gpgsm[17943]: DBG: BEGIN Certificate `self-signing cert': ? 4 - 2006-01-18 20:51:53 gpgsm[17943]: DBG: ? ? ?serial: 01 ? 4 - 2006-01-18 20:51:54 gpgsm[17943]: DBG: ? notBefore: 2004-03-04 09:22:06 ? 4 - 2006-01-18 20:51:54 gpgsm[17943]: DBG: ? ?notAfter: 2006-12-31 23:00:00 ? 4 - 2006-01-18 20:51:54 gpgsm[17943]: DBG: ? ? ?issuer: CN=Fraunhofer-Gesellschaft Root-CA v2,O=Fraunhofer,C=DE ? 4 - 2006-01-18 20:51:54 gpgsm[17943]: DBG: ? ? subject: CN=Fraunhofer-Gesellschaft Root-CA v2,O=Fraunhofer,C=DE ? 4 - 2006-01-18 20:51:54 gpgsm[17943]: DBG: ? hash algo: 1.2.840.113549.1.1.5 ? 4 - 2006-01-18 20:51:54 gpgsm[17943]: DBG: ? SHA1 Fingerprint: 43:50:27:11:E1:13:C6:E5:04:E3:26:A9:A6:9D:F8:A4:3E:73:57:64 ? 4 - 2006-01-18 20:51:54 gpgsm[17943]: DBG: END Certificate ? 4 - 2006-01-18 20:51:54 gpgsm[17943]: basic certificate checks failed - not imported ? 4 - 2006-01-18 20:51:54 gpgsm[17943.0x8082e98] DBG: -> S IMPORT_PROBLEM 1 43502711E113C6E504E326A9A69DF8A43E735764 ? 4 - 2006-01-18 20:51:54 gpgsm[17943]: total number processed: 1 ? 4 - 2006-01-18 20:51:54 gpgsm[17943]: ? ? ? ? ? not imported: 1 Thanks and best wishes, Carsten Pfeiffer -- Fraunhofer Institute Computer Architecture and Software Technology, FIRST Kekul?stra?e 7, 12489 Berlin Tel.: +49 (0)30 6392-1900, Fax: +49 (0)30 6392-1805 -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 2045 bytes Desc: not available Url : /pipermail/attachments/20060119/3439c60b/smime.bin From blacq at slingshot.co.nz Wed Jan 18 02:24:24 2006 From: blacq at slingshot.co.nz (Paul Blacquiere) Date: Fri Jan 20 01:53:45 2006 Subject: libgcrypt cross compilation error Message-ID: <20060118142424.1z0go00wckocgs0g@webmail.slingshot.co.nz> Hi, I am attempting to build libgcrypt for use on an embedded Linux Arm board. I am using uclibc, and toolchain built with builtroot. I evoke configure with the --build=arm-linux option, and all seems to run OK, inspecting the console output from configure, it does not detect the cross compiler. A run of make confirms this. So I have tried various permutation of using --build, --host & --target, with the best success using --host=arm-linux, which detects the correct toolchain, and will run make till it fails on an error in rndlinux.c through a FD_ZERO macro, included though select.h, however what is strange is that the included directory on the arm-linux-gcc command line param is -I/usr/include, which would suggest inclusion of i386 stuff. If anybody has some comments or thoughts please let me know Thanks PaulB. From david.t.kerns at us.hsbc.com Fri Jan 20 04:39:14 2006 From: david.t.kerns at us.hsbc.com (david.t.kerns@us.hsbc.com) Date: Fri Jan 20 06:18:19 2006 Subject: mpi larger than indicated length Message-ID: I'm doing some inter platform/product testing.. I was running GnuPG 1.4.1 and pks0.9.4 keyserver on Solaris 5.8 I sent my publickey to my counter part running PsypherOPS on the mainframe He encrypted a file and sent it to me. When I tried to decrypt it I got the following error message: $ gpg -d IFO.SECURE.PGP gpg: mpi too large (51692 bits) gpg: Ohhhh jeeee: mpi crosses packet border secmem usage: 0/0 bytes in 0/0 blocks of pool 0/32768 Abort So I Googled the error message and found several articles about upgrading to pks0.9.5 to rid the error (I was a bit skeptical since I had sent him my public key and not used the keyserver for the exchange) but I figured I'd try it. I found pks0.9.6 on sourceforge and built and installed it. While that was building I Googled more and found an article that said GnuPG 1.4.2 had a better error message for mpi problems So I build and installed GnuPG1.4.2 (woot! I'm current, for the moment) Now I'm getting the following error message: $ gpg -d -vvv IFO.SECURE.PGP gpg: using character set `iso-8859-1' gpg: armor: BEGIN PGP MESSAGE gpg: armor header: Version: PsypherOPS 4.30.00 - www.primefactors.com :pubkey enc packet: version 3, algo 16, keyid 9E1BA0486180F04C data: [2047 bits] data: [2045 bits] gpg: public key is 6180F04C gpg: using subkey 6180F04C instead of primary key CDCF6506 gpg: public key encrypted data: good DEK :pubkey enc packet: version 3, algo 16, keyid D2DDC51A2F833978 data: [1024 bits] gpg: mpi larger than indicated length (0 bytes) data: [MPI_NULL] Can anyone shed some light on this? Do I need to regenerate my key and send my counter part the new public key? Or have I run into a compatibility issue with PsypherOPS? other data: $ gpg --list-public-keys .../.gnupg/pubring.gpg ------------------------------------- pub 1024D/CDCF6506 2005-11-18 uid dkerns@xxxxxx sub 2048g/6180F04C 2005-11-18 Thanks ----------------------------------------- ******************************************************************* **** This E-mail is confidential. It may also be legally privileged. If you are not the addressee you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return E-mail. Internet communications cannot be guaranteed to be timely, secure, error or virus-free. The sender does not accept liability for any errors or omissions. ******************************************************************* **** From blacq at slingshot.co.nz Wed Jan 18 19:11:40 2006 From: blacq at slingshot.co.nz (Paul Blacquiere) Date: Fri Jan 20 11:20:07 2006 Subject: libgcrypt cross compilation error Message-ID: <20060119071140.3goc044cok8cocwo@webmail.slingshot.co.nz> Hi, I am attempting to build libgcrypt for use on an embedded Linux Arm board. I am using uclibc, and toolchain built with builtroot. I evoke configure with the --build=arm-linux option, and all seems to run OK, inspecting the console output from configure, it does not detect the cross compiler. A run of make confirms this. So I have tried various permutation of using --build, --host & --target, with the best success using --host=arm-linux, which detects the correct toolchain, and will run make till it fails on an error in rndlinux.c through a FD_ZERO macro, included though select.h, however what is strange is that the included directory on the arm-linux-gcc command line param is -I/usr/include, which would suggest inclusion of i386 stuff. If anybody has some comments or thoughts please let me know Thanks PaulB. From nixclusive0 at gmail.com Fri Jan 20 17:35:26 2006 From: nixclusive0 at gmail.com (Nicky) Date: Fri Jan 20 19:11:20 2006 Subject: Using other compression algos with GnuPG Message-ID: <43D1114E.80207@gmail.com> The current version of GnuPG I have supports only three compression algorithms viz: ZIP, ZLIB and BZIP2 Is there a way to direct GnuPG to use some other algorithm besides these? for example RAR (http://rarlabs.com/)... -- Nix. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 155 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060120/5ac9d3b0/signature.pgp From dshaw at jabberwocky.com Fri Jan 20 19:56:17 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Jan 20 19:55:49 2006 Subject: Using other compression algos with GnuPG In-Reply-To: <43D1114E.80207@gmail.com> References: <43D1114E.80207@gmail.com> Message-ID: <20060120185617.GA1929@jabberwocky.com> On Fri, Jan 20, 2006 at 10:05:26PM +0530, Nicky wrote: > The current version of GnuPG I have supports only three compression > algorithms viz: ZIP, ZLIB and BZIP2 > Is there a way to direct GnuPG to use some other algorithm besides > these? for example RAR (http://rarlabs.com/)... No. GPG supports all of the compression algorithms that are defined by the OpenPGP standard. RAR isn't one of them. It's always possible for someone to add a nonstandard algorithm, but if you really want a particular algorithm, it's healthier to get the OpenPGP working group to add it officially. David From ryan at malayter.com Fri Jan 20 23:49:11 2006 From: ryan at malayter.com (Ryan Malayter) Date: Sat Jan 21 00:53:21 2006 Subject: Using other compression algos with GnuPG In-Reply-To: <20060120185617.GA1929@jabberwocky.com> References: <43D1114E.80207@gmail.com> <20060120185617.GA1929@jabberwocky.com> Message-ID: <5d7f07420601201449j71c3133el4dfc9b2375f7f5c9@mail.gmail.com> On 1/20/06, David Shaw wrote: > It's always possible for someone to add a nonstandard algorithm, but > if you really want a particular algorithm, it's healthier to get the > OpenPGP working group to add it officially. The RAR compression algorithm proprietary and closed source, so it is not likely to make it into any standards. RARlabs has refused for years to allow anyone else to make RAR encoders (although they exist in violation of the RARlabs license). See http://en.wikipedia.org/wiki/RAR A much better choice would be the LZMA algorithm from 7zip, which is open-source and unpatented. It compresses with similar efficiency and speed to RAR. In any case, though, such slow-but-compact algorithms are really only useful for archival purposes. While I have used PGP for some archiving, this is not the most common usage of PGP, and probably not an OpenPGP design goal. There are much faster file encryption tools than PGP out there. We actually use 7zip to compress and encrypt backups for offsite storage, as its AES implementation is so much more efficient than GnuPG's. -- RPM ========================= All problems can be solved by diplomacy, but violence and treachery are equally effective, and more fun. -Anonymous From eocsor at gmail.com Sat Jan 21 08:23:23 2006 From: eocsor at gmail.com (Roscoe) Date: Sat Jan 21 09:23:06 2006 Subject: Using other compression algos with GnuPG In-Reply-To: <5d7f07420601201449j71c3133el4dfc9b2375f7f5c9@mail.gmail.com> References: <43D1114E.80207@gmail.com> <20060120185617.GA1929@jabberwocky.com> <5d7f07420601201449j71c3133el4dfc9b2375f7f5c9@mail.gmail.com> Message-ID: LZMA seems to be notably[1] faster/better than BZIP2, which has made it into the standard so I wouldn't immediately rule out its suitability for OpenPGP. That said I don't much think it should be included. It could *replace* BZIP2 but replacing BZIP2 with LZMA would break backwards compatibility a bit, and adding it resulting in having both BZIP2 and LZMA seems a bit redundant when we've been getting along fine with just BZIP2. Back to on-topic-ness... I'd just use whatever compression scheme you want and pipe it into |gpg --compress-algo none. One tool one job :). [1] http://tukaani.org/lzma/benchmarks On 1/21/06, Ryan Malayter wrote: > On 1/20/06, David Shaw wrote: > > It's always possible for someone to add a nonstandard algorithm, but > > if you really want a particular algorithm, it's healthier to get the > > OpenPGP working group to add it officially. > > The RAR compression algorithm proprietary and closed source, so it is > not likely to make it into any standards. RARlabs has refused for > years to allow anyone else to make RAR encoders (although they exist > in violation of the RARlabs license). > > See http://en.wikipedia.org/wiki/RAR > > A much better choice would be the LZMA algorithm from 7zip, which is > open-source and unpatented. It compresses with similar efficiency and > speed to RAR. > > In any case, though, such slow-but-compact algorithms are really only > useful for archival purposes. While I have used PGP for some > archiving, this is not the most common usage of PGP, and probably not > an OpenPGP design goal. > > There are much faster file encryption tools than PGP out there. We > actually use 7zip to compress and encrypt backups for offsite storage, > as its AES implementation is so much more efficient than GnuPG's. > > > -- > RPM > ========================= > All problems can be solved by diplomacy, but violence and treachery > are equally effective, and more fun. > -Anonymous > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From alphasigmax at gmail.com Sat Jan 21 14:00:15 2006 From: alphasigmax at gmail.com (Alphax) Date: Sat Jan 21 14:00:59 2006 Subject: Using other compression algos with GnuPG In-Reply-To: References: <43D1114E.80207@gmail.com> <20060120185617.GA1929@jabberwocky.com> <5d7f07420601201449j71c3133el4dfc9b2375f7f5c9@mail.gmail.com> Message-ID: <43D2305F.9030800@gmail.com> Roscoe wrote: > On 1/21/06, Ryan Malayter wrote: > >>The RAR compression algorithm proprietary and closed source, so it is >>not likely to make it into any standards. RARlabs has refused for >>years to allow anyone else to make RAR encoders (although they exist >>in violation of the RARlabs license). >> >>See http://en.wikipedia.org/wiki/RAR >> >>A much better choice would be the LZMA algorithm from 7zip, which is >>open-source and unpatented. It compresses with similar efficiency and >>speed to RAR. >> >>In any case, though, such slow-but-compact algorithms are really only >>useful for archival purposes. While I have used PGP for some >>archiving, this is not the most common usage of PGP, and probably not >>an OpenPGP design goal. >> >>There are much faster file encryption tools than PGP out there. We >>actually use 7zip to compress and encrypt backups for offsite storage, >>as its AES implementation is so much more efficient than GnuPG's. >> > > LZMA seems to be notably[1] faster/better than BZIP2, which has made > it into the standard so I wouldn't immediately rule out its > suitability for OpenPGP. > How well was LZMA known when BZIP2 made it in? Why was BZIP2 included when ZIP and ZLIB were already available? Does this preclude LZMA? I don't mind adding functionality so long as it is widely supported and will "just work" :) > That said I don't much think it should be included. It could *replace* > BZIP2 but replacing BZIP2 with LZMA would break backwards > compatibility a bit, and adding it resulting in having both BZIP2 and > LZMA seems a bit redundant when we've been getting along fine with > just BZIP2. > Don't forget that ZIP and ZLIB are also there... I regularly use a machine which has GPG 1.4.1 without BZIP2. Interestingingly enough bzip2 exists on the system... > > Back to on-topic-ness... > I'd just use whatever compression scheme you want and pipe it into > |gpg --compress-algo none. > One tool one job :). > Yes, this has the added "advantage" that your recipient has to be able to deal with whatever non-standard compression you choose. YMMV. -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards http://tinyurl.com/cc9up | / \ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 556 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060121/8bd4c286/signature.pgp From dshaw at jabberwocky.com Sat Jan 21 14:53:51 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Sat Jan 21 14:53:27 2006 Subject: Using other compression algos with GnuPG In-Reply-To: <5d7f07420601201449j71c3133el4dfc9b2375f7f5c9@mail.gmail.com> References: <43D1114E.80207@gmail.com> <20060120185617.GA1929@jabberwocky.com> <5d7f07420601201449j71c3133el4dfc9b2375f7f5c9@mail.gmail.com> Message-ID: <20060121135351.GA3459@jabberwocky.com> On Fri, Jan 20, 2006 at 04:49:11PM -0600, Ryan Malayter wrote: > On 1/20/06, David Shaw wrote: > > It's always possible for someone to add a nonstandard algorithm, but > > if you really want a particular algorithm, it's healthier to get the > > OpenPGP working group to add it officially. > > The RAR compression algorithm proprietary and closed source, so it is > not likely to make it into any standards. RARlabs has refused for > years to allow anyone else to make RAR encoders (although they exist > in violation of the RARlabs license). > > See http://en.wikipedia.org/wiki/RAR > > A much better choice would be the LZMA algorithm from 7zip, which is > open-source and unpatented. It compresses with similar efficiency and > speed to RAR. > > In any case, though, such slow-but-compact algorithms are really only > useful for archival purposes. While I have used PGP for some > archiving, this is not the most common usage of PGP, and probably not > an OpenPGP design goal. In fact, BZIP2 was added pretty much for archival purposes: http://www.imc.org/ietf-openpgp/mail-archive/msg04624.html I wouldn't be against LZMA if it was significantly better than BZIP2. David From dshaw at jabberwocky.com Sat Jan 21 15:19:29 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Sat Jan 21 15:19:05 2006 Subject: Using other compression algos with GnuPG In-Reply-To: <43D2305F.9030800@gmail.com> References: <43D1114E.80207@gmail.com> <20060120185617.GA1929@jabberwocky.com> <5d7f07420601201449j71c3133el4dfc9b2375f7f5c9@mail.gmail.com> <43D2305F.9030800@gmail.com> Message-ID: <20060121141929.GB3459@jabberwocky.com> On Sat, Jan 21, 2006 at 11:30:15PM +1030, Alphax wrote: > > LZMA seems to be notably[1] faster/better than BZIP2, which has made > > it into the standard so I wouldn't immediately rule out its > > suitability for OpenPGP. > > > > How well was LZMA known when BZIP2 made it in? Why was BZIP2 included > when ZIP and ZLIB were already available? Does this preclude LZMA? I > don't mind adding functionality so long as it is widely supported and > will "just work" :) I don't recall that LZMA was considered. BZIP2 was added pretty much for the reason you'd expect: better compression. It does not preclude LZMA. It doesn't preclude any new compression algorithm. Compression algorithms are different than ciphers and hashes, where it is prudent to carefully scrutinize each new algorithm. Compression algorithms don't really impact security, so the barrier for inclusion is significantly lower than for ciphers and hashes. David From kfitzner at excelcia.org Sat Jan 21 17:22:36 2006 From: kfitzner at excelcia.org (Kurt Fitzner) Date: Sat Jan 21 17:22:19 2006 Subject: Using other compression algos with GnuPG In-Reply-To: <20060121135351.GA3459@jabberwocky.com> References: <43D1114E.80207@gmail.com> <20060120185617.GA1929@jabberwocky.com> <5d7f07420601201449j71c3133el4dfc9b2375f7f5c9@mail.gmail.com> <20060121135351.GA3459@jabberwocky.com> Message-ID: <43D25FCC.1050102@excelcia.org> David Shaw wrote: > In fact, BZIP2 was added pretty much for archival purposes: > http://www.imc.org/ietf-openpgp/mail-archive/msg04624.html > > I wouldn't be against LZMA if it was significantly better than BZIP2. My understanding of the reason behind compression in OpenPGP is that it was less to give you a smaller output file than it was to reduce obvious redundancy in the message so as to improve resistance to cryptanalysis. Is it cryptographically useful to have LZMA over zlib or bzip2? Wouldn't a better approach be to add detection of compressed data to GnuPG? This way it can turn off compression if it sees precompressed data. If you are looking for better compression, you can then pipe your data through your compressor-du-jour first, and then run it through GnuPG. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 305 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060121/5fb951c0/signature.pgp From dshaw at jabberwocky.com Sat Jan 21 17:34:49 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Sat Jan 21 17:34:22 2006 Subject: Using other compression algos with GnuPG In-Reply-To: <43D25FCC.1050102@excelcia.org> References: <43D1114E.80207@gmail.com> <20060120185617.GA1929@jabberwocky.com> <5d7f07420601201449j71c3133el4dfc9b2375f7f5c9@mail.gmail.com> <20060121135351.GA3459@jabberwocky.com> <43D25FCC.1050102@excelcia.org> Message-ID: <20060121163449.GA3725@jabberwocky.com> On Sat, Jan 21, 2006 at 09:22:36AM -0700, Kurt Fitzner wrote: > David Shaw wrote: > > > In fact, BZIP2 was added pretty much for archival purposes: > > http://www.imc.org/ietf-openpgp/mail-archive/msg04624.html > > > > I wouldn't be against LZMA if it was significantly better than BZIP2. > > My understanding of the reason behind compression in OpenPGP is that it > was less to give you a smaller output file than it was to reduce obvious > redundancy in the message so as to improve resistance to cryptanalysis. No. The removing obvious redundancy is a nice side benefit, but compression is not intended to be secure in any way. If the cipher isn't enough to make you safe without compression, you're not going to be really safe no matter what you do with compression. > Is it cryptographically useful to have LZMA over zlib or bzip2? No. But similarly, it is not really cryptographically useful to have bzip2 over zlib. Or zlib over zip. > Wouldn't a better approach be to add detection of compressed data to > GnuPG? This way it can turn off compression if it sees precompressed > data. If you are looking for better compression, you can then pipe your > data through your compressor-du-jour first, and then run it through GnuPG. GnuPG in fact does this. David From johanw at vulcan.xs4all.nl Sat Jan 21 12:04:26 2006 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Sun Jan 22 21:40:38 2006 Subject: Using other compression algos with GnuPG In-Reply-To: <5d7f07420601201449j71c3133el4dfc9b2375f7f5c9@mail.gmail.com> Message-ID: <200601211104.k0LB4Q4A003134@vulcan.xs4all.nl> Ryan Malayter wrote: >In any case, though, such slow-but-compact algorithms are really only >useful for archival purposes. If speed isn't an issue, why would anyone prefer rar over bzip2? Bzip2 compresses much better than rar anyway, although it's slow. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From bob.henson at galen.org.uk Sun Jan 22 21:35:52 2006 From: bob.henson at galen.org.uk (Bob Henson) Date: Sun Jan 22 23:18:09 2006 Subject: GPGOL breaks Enigmail Message-ID: <43D3ECA8.8020407@galen.org.uk> I decided to try GPGOL for the few occasions that I use Outlook. Unfortunately, since installing it, Enigmail's Key Management shows an empty screen and I cannot use GnuPG via Enigmail at all. How do I get out of this, please? In desperation I removed all the programs and registry entries that I could find relating to GPGOL, but it hasn't helped. Regards, Bob From ryan at malayter.com Sun Jan 22 23:54:39 2006 From: ryan at malayter.com (Ryan Malayter) Date: Sun Jan 22 23:54:07 2006 Subject: Using other compression algos with GnuPG In-Reply-To: <200601211104.k0LB4Q4A003134@vulcan.xs4all.nl> References: <5d7f07420601201449j71c3133el4dfc9b2375f7f5c9@mail.gmail.com> <200601211104.k0LB4Q4A003134@vulcan.xs4all.nl> Message-ID: <5d7f07420601221454l58612631sda2f228a0ae76bbb@mail.gmail.com> On 1/21/06, Johan Wevers wrote: > If speed isn't an issue, why would anyone prefer rar over bzip2? Bzip2 > compresses much better than rar anyway, although it's slow. Bzip2 does not compress better than RAR or LZMA, at least with my test corpus. See http://www.malayter.com/compressiontest.html 7-zip (using LZMA) produced the smalles files in this test, followed by RAR. bzip produced files 30% larger than 7-zip. -- RPM ========================= All problems can be solved by diplomacy, but violence and treachery are equally effective, and more fun. -Anonymous From patrick at mozilla-enigmail.org Mon Jan 23 09:25:18 2006 From: patrick at mozilla-enigmail.org (Patrick Brunschwig) Date: Mon Jan 23 10:04:47 2006 Subject: GPGOL breaks Enigmail In-Reply-To: <43D3ECA8.8020407__19725.8474342108$1137972032$gmane$org@galen.org.uk> References: <43D3ECA8.8020407__19725.8474342108$1137972032$gmane$org@galen.org.uk> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Bob Henson wrote: > I decided to try GPGOL for the few occasions that I use Outlook. > Unfortunately, since installing it, Enigmail's Key Management shows an empty > screen and I cannot use GnuPG via Enigmail at all. How do I get out of this, > please? In desperation I removed all the programs and registry entries that > I could find relating to GPGOL, but it hasn't helped. Does GPGOL install gpg, or does it modify the path to the GnuPG home directory? - -Patrick -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEVAwUBQ9SS6XcOpHodsOiwAQJJ+Qf/Sg5XHEzUcD03+2Rgt2KULA6qlQY4N3M5 XgrhwtFoq7ZMvdpytIUXbtwPGIIjsqJEZlzNIImb0O12UMD51voQSQQxdZ8NCH9n xygQuohBMRMhlWYkGJ/YT4fhTgk7Y8BzO32Xx4+f14m6YeXHHyXJIBwB1p51fgJX TkIgmZINU+9GOK5z45Y57qk07SePm36kd0x+Blwa61WonEvNLfwTK29qfQNkFR+n 4AOlS/wjVIOeW3FjoF7FRwp2C80krgSCOvR6PuHanI6d5hG/rg+6X5dFncy2tk+i CbbFhupfM4S9EIX3YqZBIV1AsXL2NexwFZ7wQyd0miPsPUk4EDiGXA== =CQon -----END PGP SIGNATURE----- From nunodonato at gmail.com Wed Jan 18 22:44:26 2006 From: nunodonato at gmail.com (Nuno Donato) Date: Mon Jan 23 12:59:56 2006 Subject: problems with gnupg-pgp Message-ID: <3bae2af20601181344v72e44bc8x298a5e056180f88c@mail.gmail.com> hello i've recently installed gnupg to be able to communicate with some persons who are using PGP (i like free alternatives :) before installing i certified that both systems were compatible. i sucessfully created my private and public keys and we exchanged them. after that, i send a couple of test emails to another person using GPG, and we were able to encrypt and decrypt the message. however, i can not do the same with the PGP guys. when i try to decrypt the message i get an error saying something it is not a valid file... i checked some docs and faqs, and found out that to have compatibility the PGP version must be 5.x or higher.. they are using 8, so that is not a problem. what can i do to solve this? or to find out whats wrong..? thank you very much nuno donato From linux at codehelp.co.uk Mon Jan 23 12:38:22 2006 From: linux at codehelp.co.uk (Neil Williams) Date: Mon Jan 23 14:18:16 2006 Subject: GPGOL breaks Enigmail In-Reply-To: <43D3ECA8.8020407@galen.org.uk> References: <43D3ECA8.8020407@galen.org.uk> Message-ID: <200601231138.28376.linux@codehelp.co.uk> On Sunday 22 January 2006 8:35 pm, Bob Henson wrote: > I decided to try GPGOL for the few occasions that I use Outlook. > Unfortunately, since installing it, Enigmail's Key Management shows an > empty screen and I cannot use GnuPG via Enigmail at all. How do I get out > of this, please? In desperation I removed all the programs and registry > entries that I could find relating to GPGOL, but it hasn't helped. Check that your own keys are still set to ultimate trust, then run $ gpg --update-trustdb (It should find and re-import the old trust settings once your own key(s) is/are ultimately trusted again). I had this problem once or twice with Kgpg - the key management GUI front-end for KDE - when I upgraded to KDE 3.5. It shouldn't happen but .... -- Neil Williams ============= http://www.data-freedom.org/ http://www.nosoftwarepatents.com/ http://www.linux.codehelp.co.uk/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20060123/fabf4d78/attachment.pgp From wk at gnupg.org Mon Jan 23 16:01:33 2006 From: wk at gnupg.org (Werner Koch) Date: Mon Jan 23 16:06:52 2006 Subject: GPGOL breaks Enigmail In-Reply-To: (Patrick Brunschwig's message of "Mon, 23 Jan 2006 09:25:18 +0100") References: <43D3ECA8.8020407__19725.8474342108$1137972032$gmane$org@galen.org.uk> Message-ID: <87zmlnng36.fsf@wheatstone.g10code.de> On Mon, 23 Jan 2006 09:25:18 +0100, Patrick Brunschwig said: > Does GPGOL install gpg, or does it modify the path to the GnuPG home > directory? Yes, it installs gpg into the same location as the new installer of gpg does. The HOMEDIR is the user specific directory. c:\Program files\gnu\gnupg\gpg --version should show the homedir. Salam-Shalom, Werner From wk at gnupg.org Mon Jan 23 16:07:25 2006 From: wk at gnupg.org (Werner Koch) Date: Mon Jan 23 16:11:49 2006 Subject: Using other compression algos with GnuPG In-Reply-To: <5d7f07420601221454l58612631sda2f228a0ae76bbb@mail.gmail.com> (Ryan Malayter's message of "Sun, 22 Jan 2006 16:54:39 -0600") References: <5d7f07420601201449j71c3133el4dfc9b2375f7f5c9@mail.gmail.com> <200601211104.k0LB4Q4A003134@vulcan.xs4all.nl> <5d7f07420601221454l58612631sda2f228a0ae76bbb@mail.gmail.com> Message-ID: <87vewbnfte.fsf@wheatstone.g10code.de> Hi! just a short note: The reason why we have compresion algorithms in OpenPGP are mainly out of tradition. On a Unix system the use of specialized tools is the way to go; e.g. gpg for encryption and bzip2 for compressing. If you want to compress your data with a different algorithm you may run foocompressor data.txt | gpg -e >data.foo.gpg Shalom-Salam, Werner From lusfert at gmail.com Mon Jan 23 17:04:58 2006 From: lusfert at gmail.com (lusfert) Date: Mon Jan 23 18:04:55 2006 Subject: GPGOL breaks Enigmail In-Reply-To: <87zmlnng36.fsf@wheatstone.g10code.de> References: <43D3ECA8.8020407__19725.8474342108$1137972032$gmane$org@galen.org.uk> <87zmlnng36.fsf@wheatstone.g10code.de> Message-ID: <43D4FEAA.5020401@gmail.com> Werner Koch wrote on 23.01.2006 18:01: > On Mon, 23 Jan 2006 09:25:18 +0100, Patrick Brunschwig said: > >> Does GPGOL install gpg, or does it modify the path to the GnuPG home >> directory? > > Yes, it installs gpg into the same location as the new installer of > gpg does. The HOMEDIR is the user specific directory. > > c:\Program files\gnu\gnupg\gpg --version > > should show the homedir. > Above command should be used with quotation marks: "c:\Program files\gnu\gnupg\gpg" --version -- Regards My current OpenPGP key ID: 0x500B8987 Key fingerprint: E883 045D 36FB 8CA3 8D69 9C79 9E35 3B56 500B 8987 Encrypted e-mail preferred. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 155 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060123/c4fb9116/signature.pgp From patrick at mozilla-enigmail.org Mon Jan 23 18:11:56 2006 From: patrick at mozilla-enigmail.org (Patrick Brunschwig) Date: Mon Jan 23 18:12:17 2006 Subject: GPGOL breaks Enigmail In-Reply-To: <87zmlnng36.fsf@wheatstone.g10code.de> References: <43D3ECA8.8020407__19725.8474342108$1137972032$gmane$org@galen.org.uk> <87zmlnng36.fsf@wheatstone.g10code.de> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Werner Koch wrote: > On Mon, 23 Jan 2006 09:25:18 +0100, Patrick Brunschwig said: > >> Does GPGOL install gpg, or does it modify the path to the GnuPG home >> directory? > > Yes, it installs gpg into the same location as the new installer of > gpg does. The HOMEDIR is the user specific directory. > > c:\Program files\gnu\gnupg\gpg --version > > should show the homedir. So, possibly the HOMEDIR could have changed, which would result in an "empty" keyring. Bob, if your keyring is originally stored in C:\Gnupg, then you should move it to the directory that "c:\Program files\gnu\gnupg\gpg --version" will tell you. - -Patrick -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEVAwUBQ9UOWncOpHodsOiwAQIYbAf/eDJiDbAo0KhWEx+fuAworh3ozMFsUo2W tB34y2yzasAWCIPNzVSrtRMlPsO+juL5smKNJqIntx/rSRsmL6iQkmDcfvO/1YPJ L/ymklS3NpqEWBkEI9WPkAirCSNbmLyQZeIJ9wn0FovEAY9bWbwrkZihHZuBaYwS L1CIu2MLSfuxK47J7nIZLOOr3VxTu8xJVZnmzzwHElz1qr6+iUqGiTPvNKdXSPYm hEacCZmCdMohcHii5YiYZnL8vtCz/+h9ERVHqpvu9B1STw3SOaeI5RMsedAtYAaB ADdk/inOKYO9uYesNfc2sZqihI2ZWX4yeqk7a4ldUsZRqOfHL1PT3A== =xUdM -----END PGP SIGNATURE----- From johanw at vulcan.xs4all.nl Mon Jan 23 13:30:10 2006 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Mon Jan 23 19:06:00 2006 Subject: problems with gnupg-pgp In-Reply-To: <3bae2af20601181344v72e44bc8x298a5e056180f88c@mail.gmail.com> Message-ID: <200601231230.k0NCUAig003599@vulcan.xs4all.nl> Nuno Donato wrote: As I already wrote in alt.security.pgp: >using GPG, and we were able to encrypt and decrypt the message. >however, i can not do the same with the PGP guys. when i try to >decrypt the message i get an error saying something it is not a valid >file... Standard question: did you install the IDEA extension for GnuPG? If not, make sure that PGP doesn't encrypt the file with the IDEA algorithm, or, better, install the IDEA extension (a dll if you're running windows, a C source file to the source and a recompile on another system). They can be found on my site: http://www.xs4all.nl/~johanw/idea.c.gz http://www.xs4all.nl/~johanw/idea.c.gz.sig http://www.xs4all.nl/~johanw/ideadll.zip http://www.xs4all.nl/~johanw/ideadll.zip.sig (Signatures are from Werner Koch, the author of GnuPG). -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From lusfert at gmail.com Mon Jan 23 19:18:13 2006 From: lusfert at gmail.com (lusfert) Date: Mon Jan 23 19:19:32 2006 Subject: problems with gnupg-pgp In-Reply-To: <3bae2af20601181344v72e44bc8x298a5e056180f88c@mail.gmail.com> References: <3bae2af20601181344v72e44bc8x298a5e056180f88c@mail.gmail.com> Message-ID: <43D51DE5.6060503@gmail.com> Nuno Donato wrote on 19.01.2006 0:44: > hello > > i've recently installed gnupg to be able to communicate with some > persons who are using PGP (i like free alternatives :) > before installing i certified that both systems were compatible. > i sucessfully created my private and public keys and we exchanged > them. after that, i send a couple of test emails to another person > using GPG, and we were able to encrypt and decrypt the message. > however, i can not do the same with the PGP guys. when i try to > decrypt the message i get an error saying something it is not a valid > file... What *exactly* was written in an error message? Try to use options "--verbose", alternatively you may temporary add option "verbose" without "--" in gpg.conf. -- Regards My current OpenPGP key ID: 0x500B8987 Key fingerprint: E883 045D 36FB 8CA3 8D69 9C79 9E35 3B56 500B 8987 Encrypted e-mail preferred. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 155 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060123/4d2d2b80/signature-0001.pgp From jeandavid8 at verizon.net Mon Jan 23 19:03:32 2006 From: jeandavid8 at verizon.net (Jean-David Beyer) Date: Mon Jan 23 20:48:13 2006 Subject: Trouble with enigmail and Thunderbird 1.5 Message-ID: <43D51A74.8010501@verizon.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I have recently switched ISP, but I also upgraded Thunderbird at the same time. Now when I get a gpg signed e-mail, I supposedly can check the pen? and it will offer to download the key, giving me a choice of keyservers. I generally pick random.sks.keyserver.penguin.de But now, when I do that, it just buzzes around and never downloads the key. I looked at my firewall, and it is not blocking it. I tried it manually with gpg --keyserver keyserver.kjsl.com --recv-key 0xF621EDAD for example, and it worked fine. Is this a known problem? Or should I find a Thunderbird newsgroup to ask? And if so, which one? - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jersey http://counter.li.org ^^-^^ 12:55:00 up 3 days, 4:21, 5 users, load average: 4.16, 4.19, 4.17 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFD1Rp0Ptu2XpovyZoRAmLcAJsGQUuAQcG4p7/gOITq4zHpifYtHgCfaQXi ohrBBohLGujQKXu1TlKrD0M= =Ilk3 -----END PGP SIGNATURE----- From bob.henson at galen.org.uk Mon Jan 23 20:43:11 2006 From: bob.henson at galen.org.uk (Bob Henson) Date: Mon Jan 23 21:23:12 2006 Subject: GPGOL breaks Enigmail In-Reply-To: References: <43D3ECA8.8020407__19725.8474342108$1137972032$gmane$org@galen.org.uk> <87zmlnng36.fsf@wheatstone.g10code.de> Message-ID: <43D531CF.9040101@galen.org.uk> Patrick Brunschwig wrote > Werner Koch wrote: >>> On Mon, 23 Jan 2006 09:25:18 +0100, Patrick Brunschwig said: >>> >>>> Does GPGOL install gpg, or does it modify the path to the GnuPG home >>>> directory? >>> >>> Yes, it installs gpg into the same location as the new installer of >>> gpg does. The HOMEDIR is the user specific directory. >>> >>> c:\Program files\gnu\gnupg\gpg --version >>> >>> should show the homedir. > > So, possibly the HOMEDIR could have changed, which would result in an > "empty" keyring. > > Bob, if your keyring is originally stored in C:\Gnupg, then you should > move it to the directory that "c:\Program files\gnu\gnupg\gpg --version" > will tell you. > > -Patrick That's exactly what had happened. GnuPG was looking for the keyring in its own directory, c:\program files\gnu\gnupg, rather than under the user specific directory where the keyring lives normally. I'm not used to using it from the command line, but I saw that in the gpg directory there were 0 byte keyrings so I deleted them, then ran the --list-keys command and it recreated them. Assuming, therefore, that it had "lost" the directory, I read back in the install notes and found the appropriate registry key and reset it to point GnuPG back at my keyrings and voila! - all was well. Anyway, thanks to everyone for the help. Now the only problem is to get rid of the bits of GPGOL left in Outlook - every time I run it I get an error message telling me it can't find the GPGOL .dll file - hardly surprising because I deleted it. It looks as though there are a few registry entries I haven't found and deleted yet. Still, now everything is working again that's the least of my worries. Regards, Bob -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060123/14510af0/signature.pgp From johnmoore3rd at joimail.com Mon Jan 23 21:04:03 2006 From: johnmoore3rd at joimail.com (John W. Moore III) Date: Mon Jan 23 21:42:31 2006 Subject: For Jean-David Bryer Message-ID: <43D536B3.9000209@joimail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 You're using GnuPG 1.2.1, so the immediate suggestion would be to upgrade to 1.4.2. A *lot* has changes since 1.2.1. JOHN :) Timestamp: Monday 23 Jan 2006, 15:02 --500 (Eastern Standard Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3-cvs-3989: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: http://www.gswot.org Comment: Homepage: http://tinyurl.com/9ubue Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCAAGBQJD1TaxAAoJEBCGy9eAtCsPt7cIAJAeTyAcpJuEW5RtlthOvJm8 UiTcE59CH5u8jR5lqXm/fcbHv1faFzWnFwWwjkesrwfNef/V7Bp3QbHFBybwhZq2 QGh9hHgKMo3YSeOXH9GeCf/TzEMBkJUDeKxalKhewaIoVH08ePbTlCQ3RpOpyPeX G+q0VrQ+veZ37u04hMcfxLW9cIJKVtPoHGqUr/tSB4DFRvF8Y2Ew7+CRivjY/Mxf F69daNaxWAclEcM9/3Od1E0+i4UNRyN6L7oB18g6PzyqdRcesOxleFW5mfpKDyDq XuqZ0gXUDv+xiXYG6Qjxre303ygNm5zS91BCQ5kEJBHIfhz74S3J5nvcCXG3kVk= =GNa7 -----END PGP SIGNATURE----- From lusfert at gmail.com Mon Jan 23 21:47:48 2006 From: lusfert at gmail.com (lusfert) Date: Mon Jan 23 21:49:06 2006 Subject: Trouble with enigmail and Thunderbird 1.5 In-Reply-To: <43D51A74.8010501@verizon.net> References: <43D51A74.8010501@verizon.net> Message-ID: <43D540F4.8090208@gmail.com> Jean-David Beyer wrote on 23.01.2006 21:03: > I have recently switched ISP, but I also upgraded Thunderbird at the same time. > As I can see in armor header you are using _very old_ GnuPG version. 1.2.1 has a serious vulnerability, please update GnuPG immediately. For details read this announcement: http://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000160.html Also from 1.2.1 to 1.4.2 (latest stable version) there were many features added including support for various key servers. > Now when I get a gpg signed e-mail, I supposedly can check the pen? and it > will offer to download the key, giving me a choice of keyservers. I > generally pick random.sks.keyserver.penguin.de > > But now, when I do that, it just buzzes around and never downloads the key. > I looked at my firewall, and it is not blocking it. I tried it manually with > > gpg --keyserver keyserver.kjsl.com --recv-key 0xF621EDAD > > for example, and it worked fine. > Both key servers works fine for me. > Is this a known problem? Or should I find a Thunderbird newsgroup to ask? > And if so, which one? > At first, update GnuPG (see above why), then try again and if it won't be successful let us know. -- Regards My current OpenPGP key ID: 0x500B8987 Key fingerprint: E883 045D 36FB 8CA3 8D69 9C79 9E35 3B56 500B 8987 Encrypted e-mail preferred. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 155 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060123/daafbe90/signature.pgp From bob.henson at galen.org.uk Mon Jan 23 20:48:24 2006 From: bob.henson at galen.org.uk (Bob Henson) Date: Mon Jan 23 21:57:04 2006 Subject: GPGOL breaks Enigmail In-Reply-To: <200601231138.28376.linux@codehelp.co.uk> References: <43D3ECA8.8020407@galen.org.uk> <200601231138.28376.linux@codehelp.co.uk> Message-ID: <43D53308.3070705@galen.org.uk> Neil Williams wrote > On Sunday 22 January 2006 8:35 pm, Bob Henson wrote: >> I decided to try GPGOL for the few occasions that I use Outlook. >> Unfortunately, since installing it, Enigmail's Key Management shows an >> empty screen and I cannot use GnuPG via Enigmail at all. How do I get out >> of this, please? In desperation I removed all the programs and registry >> entries that I could find relating to GPGOL, but it hasn't helped. > > Check that your own keys are still set to ultimate trust, then run > $ gpg --update-trustdb > (It should find and re-import the old trust settings once your own key(s) > is/are ultimately trusted again). > > I had this problem once or twice with Kgpg - the key management GUI front-end > for KDE - when I upgraded to KDE 3.5. It shouldn't happen but .... Luckily, the key-ring was only "lost" not damaged and all the trust levels etc appear unchanged - does it still need running? I don't suppose it will do any harm to run it anyway, just to make sure all is back as it was? Regards, Bob -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060123/1bf80e4a/signature.pgp From bob.henson at galen.org.uk Mon Jan 23 21:13:05 2006 From: bob.henson at galen.org.uk (Bob Henson) Date: Mon Jan 23 22:04:54 2006 Subject: Trouble with enigmail and Thunderbird 1.5 In-Reply-To: <43D51A74.8010501@verizon.net> References: <43D51A74.8010501@verizon.net> Message-ID: <43D538D1.1080906@galen.org.uk> Jean-David Beyer wrote > I have recently switched ISP, but I also upgraded Thunderbird at the same time. > > Now when I get a gpg signed e-mail, I supposedly can check the pen? and it > will offer to download the key, giving me a choice of keyservers. I > generally pick random.sks.keyserver.penguin.de > > But now, when I do that, it just buzzes around and never downloads the key. > I looked at my firewall, and it is not blocking it. I tried it manually with > > gpg --keyserver keyserver.kjsl.com --recv-key 0xF621EDAD > > for example, and it worked fine. > > Is this a known problem? Or should I find a Thunderbird newsgroup to ask? > And if so, which one? > I use Thunderbird 1.5/GnuPG/Enigmail and haven't had any major problems ( I just downloaded your key quite quickly from random.sks.keyserver.penguin.de a minute or two ago) but I have noticed that server to be intermittently slow during the last few days - I recall one one occasion changing server to get a key quickly. I put it down to the server being busy or under repair or whatever. I haven't seen any mention of problems in the Thunderbird support newsgroup or forums, so it may just be a coincidence that the server had problems just as you switched to TB. On the other hand, encryption doesn't get discussed much in the forums. Sorry that's not very positive. Regards, Bob -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060123/14de7812/signature.pgp From blueness at gmx.net Mon Jan 23 22:15:58 2006 From: blueness at gmx.net (Mica Mijatovic) Date: Mon Jan 23 23:17:58 2006 Subject: failure notice In-Reply-To: <871wzqu4h8.fsf@wheatstone.g10code.de> References: <1106152097.20051224144923@gmx.net> <871wzqu4h8.fsf@wheatstone.g10code.de> Message-ID: <1302693236.20060123221558@gmx.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Was Mon, 02 Jan 2006, at 14:46:59 +0100, when Werner wrote: > On Sat, 24 Dec 2005 14:49:23 +0100, Mica Mijatovic said: >> : >> 217.69.77.222_failed_after_I_sent_the_message./Remote_host_said:_550_Administrative_prohibition/ > The sending host is on one of the blacklists or the message has been > rejected due to other reasons. Without more information I can't tell > the problem. Thanks for the response, Werner, anyway. To my knowledge I wouldn't have more informations, except perhaps the fact I suppose was the reason that my mailer in the reply routine takes over the name of the sender of the message I reply to, and puts after his name the address of the list in the TO field. Vedaal though does not use his name in address field but only naked/nude address, so my mailer took over his address, placed it on the place for the name, and added address of the list after. It made actually a form thus which is not "standard", namely "address
" and it was probably the syntax which confused the server. I didn't notice this immediately, but later, after I did and had corrected it myself and sent to the list again, my reply ahpilly arrived. So I suppose it was the only reason. - -- Mica PGP keys nestled at: http://blueness.port5.com/pgpkeys/ ~~~ For personal mail please use my address as it is *exactly* given in my "From|Reply To" field(s). ~~~ Famous last words: Don't unplug it, it will just take a moment to fix. -----BEGIN PGP SIGNATURE----- iQEVAwUBQ9VHjbSpHvHEUtv8AQOccggAk9f59fPTGEAam2yEw7Gu83P1HKQcsijj Ndz+yiveiC5vnbuVtU6DzeBVTuHznuxTF9MoqaMfoiTYpFopFnro+/7lADQlNjKL rOvdNv/94mdyGupeDY0jrH2NiJDiFWsFJzcXgFH3I1XJkFvx01NyfjjgNhAgq6tP Y6uQj7fC1dK7Jf0Qky76v3rzb3RwrwV9iavRydEigzAfHX3+DngWEhj+B9mpsyQa jiAZJViXI4uI6dsex8wAtPI0jj/2KU7lwvDl3hU5uGTOJqhSD226gvlu+7s+zQSN Fri7yThaiLvepAhMmtgHzoXa/H3vk3mKobBzBinx8t6GqQnGYdVLXg== =k0mw -----END PGP SIGNATURE----- From JPClizbe at comcast.net Mon Jan 23 23:26:26 2006 From: JPClizbe at comcast.net (John Clizbe) Date: Tue Jan 24 00:01:15 2006 Subject: Trouble with enigmail and Thunderbird 1.5 In-Reply-To: <43D51A74.8010501@verizon.net> References: <43D51A74.8010501@verizon.net> Message-ID: <43D55812.40402@comcast.net> Jean-David Beyer wrote: > I have recently switched ISP, but I also upgraded Thunderbird at the same time. > > Now when I get a gpg signed e-mail, I supposedly can check the pen? and it > will offer to download the key, giving me a choice of keyservers. I > generally pick random.sks.keyserver.penguin.de > > But now, when I do that, it just buzzes around and never downloads the key. > I looked at my firewall, and it is not blocking it. I tried it manually with > > gpg --keyserver keyserver.kjsl.com --recv-key 0xF621EDAD > > for example, and it worked fine. > > Is this a known problem? Or should I find a Thunderbird newsgroup to ask? > And if so, which one? It's a known problem. You are using Enigmail 0.94.0 with GnuPG 1.2.1. Enigmail versions >= 0.90.0 *require* GnuPG 1.4.x for full functionality. Please upgrade to GnuPG 1.4.2. As far as a Thunderbird newsgroup, may I suggest instead the Enigmail mailing list/newsgroup: enigmail@mozdev.org or news:public.mozdev.enigmail. The Enigmail list is well versed with common problems experienced with using Thunderbird and SeaMonkey with GnuPG. -- John P. Clizbe Inet: John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A "what's the key to success?" / "two words: good decisions." "what's the key to good decisions?" / "one word: experience." "how do i get experience?" / "two words: bad decisions." "Just how do the residents of Haiku, Hawai'i hold conversations?" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 669 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060123/ad89a144/signature-0001.pgp From engage at n0sq.us Tue Jan 24 01:25:58 2006 From: engage at n0sq.us (engage) Date: Tue Jan 24 02:27:03 2006 Subject: problems with gnupg-pgp In-Reply-To: <3bae2af20601181344v72e44bc8x298a5e056180f88c@mail.gmail.com> References: <3bae2af20601181344v72e44bc8x298a5e056180f88c@mail.gmail.com> Message-ID: <200601231725.58621.engage@n0sq.us> On Wednesday 18 January 2006 02:44 pm, Nuno Donato wrote: >hello > >i've recently installed gnupg to be able to communicate with some >persons who are using PGP (i like free alternatives :) >before installing i certified that both systems were compatible. >i sucessfully created my private and public keys and we exchanged >them. after that, i send a couple of test emails to another person >using GPG, and we were able to encrypt and decrypt the message. >however, i can not do the same with the PGP guys. when i try to >decrypt the message i get an error saying something it is not a valid >file... > >i checked some docs and faqs, and found out that to have compatibility >the PGP version must be 5.x or higher.. they are using 8, so that is >not a problem. >what can i do to solve this? or to find out whats wrong..? > >thank you very much >nuno donato > It's probably an IDEA issue. IDEA is not included with the standard issue of gnupg. You can get the IDEA from gnupg.org. From vedaal at hush.com Tue Jan 24 21:33:03 2006 From: vedaal at hush.com (vedaal@hush.com) Date: Tue Jan 24 22:25:16 2006 Subject: gnupg commandline // ? option to view passphrase while typing Message-ID: <200601242033.k0OKX4lw085797@mailserver3.hushmail.com> is there a gnupg option to view the passphrase while it is being entered? (in pgp 2.x there was one, 'ShowPass = on') if not, can it be considered as a future feature? as passphrases become longer, it would be helpful ;-) and, alone at the privacy of one's own system, it shouldn't be any more of a security risk ... TIA, vedaal Concerned about your privacy? Instantly send FREE secure email, no account required http://www.hushmail.com/send?l=480 Get the best prices on SSL certificates from Hushmail https://www.hushssl.com?l=485 From nidhog at gmail.com Wed Jan 25 01:57:42 2006 From: nidhog at gmail.com (nidhog) Date: Wed Jan 25 01:57:13 2006 Subject: gnupg commandline // ? option to view passphrase while typing In-Reply-To: References: <200601242033.k0OKX4lw085797@mailserver3.hushmail.com> Message-ID: On 1/25/06, vedaal@hush.com wrote: > is there a gnupg option to view the passphrase while it is being > entered? > (in pgp 2.x there was one, 'ShowPass = on') > > if not, > can it be considered as a future feature? > > as passphrases become longer, it would be helpful ;-) > and, alone at the privacy of one's own system, > it shouldn't be any more of a security risk ... echo -n "my very long and quite secure passphrase" | gpg -e \ --passphrase-fd 0 > > -- > /nh > -- /nh From wk at gnupg.org Wed Jan 25 10:29:21 2006 From: wk at gnupg.org (Werner Koch) Date: Wed Jan 25 10:32:01 2006 Subject: GPGOL breaks Enigmail In-Reply-To: <43D531CF.9040101@galen.org.uk> (Bob Henson's message of "Mon, 23 Jan 2006 19:43:11 +0000") References: <43D3ECA8.8020407__19725.8474342108$1137972032$gmane$org@galen.org.uk> <87zmlnng36.fsf@wheatstone.g10code.de> <43D531CF.9040101@galen.org.uk> Message-ID: <873bjc8xla.fsf@wheatstone.g10code.de> On Mon, 23 Jan 2006 19:43:11 +0000, Bob Henson said: > Anyway, thanks to everyone for the help. Now the only problem is to get rid > of the bits of GPGOL left in Outlook - every time I run it I get an error > message telling me it can't find the GPGOL .dll file - hardly surprising You need to unregister it. Type regsvr32 /u gpgol.dll Obviously you need to have gpgol.dll available. Outlook also offers an option to disable non-working plugins; you may use this as a workaround. > haven't found and deleted yet. Still, now everything is working again that's > the least of my worries. In fact you need to add a special registry entry to cause Outlook scanning for new or deleted plugins. regsrv32 /u does this for you (actually it calls a function in gpgol.dll to do this). Salam-Shalom, Werner From wk at gnupg.org Wed Jan 25 10:34:38 2006 From: wk at gnupg.org (Werner Koch) Date: Wed Jan 25 10:36:47 2006 Subject: gnupg commandline // ? option to view passphrase while typing In-Reply-To: <200601242033.k0OKX4lw085797@mailserver3.hushmail.com> (vedaal@hush.com's message of "Tue, 24 Jan 2006 15:33:03 -0500") References: <200601242033.k0OKX4lw085797@mailserver3.hushmail.com> Message-ID: <87y8147is1.fsf@wheatstone.g10code.de> On Tue, 24 Jan 2006 15:33:03 -0500, said: > if not, > can it be considered as a future feature? I don't think that this option makes much sense. GUI frondends usually have a way to show the typing and nidhog gave an example on how to do this - also this will leave the passphrase in the shell's history; using just cat instead of echo is safer. Shalom-Salam, Werner From bob.henson at galen.org.uk Wed Jan 25 15:04:44 2006 From: bob.henson at galen.org.uk (Bob Henson) Date: Wed Jan 25 15:04:59 2006 Subject: GPGOL breaks Enigmail In-Reply-To: <873bjc8xla.fsf@wheatstone.g10code.de> References: <43D3ECA8.8020407__19725.8474342108$1137972032$gmane$org@galen.org.uk> <87zmlnng36.fsf@wheatstone.g10code.de> <43D531CF.9040101@galen.org.uk> <873bjc8xla.fsf@wheatstone.g10code.de> Message-ID: <43D7857C.9030909@galen.org.uk> Werner Koch wrote > On Mon, 23 Jan 2006 19:43:11 +0000, Bob Henson said: > >> Anyway, thanks to everyone for the help. Now the only problem is to get rid >> of the bits of GPGOL left in Outlook - every time I run it I get an error >> message telling me it can't find the GPGOL .dll file - hardly surprising > > You need to unregister it. Type > > regsvr32 /u gpgol.dll > > Obviously you need to have gpgol.dll available. Outlook also offers > an option to disable non-working plugins; you may use this as a > workaround. I found and applied the work-around. Now I'll try the unregister. Thanks very much, again, for your help. Regards, Bob -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060125/268587f8/signature.pgp From udjinrg at forenet.by Wed Jan 25 11:46:53 2006 From: udjinrg at forenet.by (Maxim Britov) Date: Wed Jan 25 15:48:23 2006 Subject: There new XMPP (aka Jabber) room GnuPG-ru Message-ID: <20060125124653.6783e7c8@maxim-l.office.modum.by> I created new chat room on jabber.ru: room: gnupg-ru server: conference.jabber.ru There is gnupg@conference.jabber.ru also. For use it, you should have XMPP / Jabber account and client with conference support. Clients is: tkabber, psi, gaim, iChat and many others. Public servers is: jabber.org, jabber.ru, gtalk.google.com and many others. -- Maxim Britov GnuPG KeyID 0x4580A6D66F3DB1FB xmpp:maxim@modum.by icq 198171258 Fingerprint: 4059 B5C5 8985 5A47 8F5A 8623 4580 A6D6 6F3D B1FB GnuPG-ru Team (http://lists.gnupg.org/mailman/listinfo/gnupg-ru) From kim at haverblad.se Wed Jan 25 16:14:16 2006 From: kim at haverblad.se (Kim Haverblad) Date: Wed Jan 25 16:14:48 2006 Subject: Problem using GemSage 16k Smartcards Message-ID: <43D795C8.1070700@haverblad.se> Have tried to get GemSafe 16k cards to work together with OpenPGP / GnuPG (using Windows XP SP2 / Thunderbird 1.5 / gnupt-2.6.2.1_gpg1.4.1-wpt0.9.92-gpgrelay0.959-int) and it won't work at all. Currently I'm using the OpenPGP card from g10code.de and it works fine. But when trying to create keys on GemSafe via OpenPGP plugin for Thunderbird I get following error: gpg: detected reader 'Gemplus GemPC400 0' gpg: pcsc_connect failed: sharing violation (0x8010000b) gpg: card reader not available gpg: OpenPGP card bot available: general error Does the card work; well yes since I then tried with the same card to create keypair using PGP Desktop and that works fine. So kind of stuck here. Also tried to use the g10code.de card together with PGP Desktop and that card isn't accepted since PGP has hard coded what cards they support. /Kim From gct3 at blueyonder.co.uk Mon Jan 23 23:28:15 2006 From: gct3 at blueyonder.co.uk (Graham) Date: Wed Jan 25 18:02:53 2006 Subject: Trouble with enigmail and Thunderbird 1.5 In-Reply-To: <43D51A74.8010501@verizon.net> References: <43D51A74.8010501@verizon.net> Message-ID: <200601232228.39612.gct3@blueyonder.co.uk> On Monday 23 Jan 2006 18:03, Jean-David Beyer wrote: > Is this a known problem? Or should I find a Thunderbird newsgroup to > ask? And if so, which one? [snipped] The official Enigmail list can be joined at http://mozdev.org/mailman/listinfo/enigmail But there is also an unofficial Thunderbird forum which you can join at http://groups.yahoo.com/group/Mozilla_Thunderbird/ This yahoogroup was set up by Nick Andriash, who also set up the PGP-Basics yahoogroup, so it could be of use. But these are both UNOFFICIAL yahoogroups -- Graham -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 243 bytes Desc: not available Url : /pipermail/attachments/20060123/52115dd9/attachment.pgp From ivalladt at punkass.com Wed Jan 25 18:21:07 2006 From: ivalladt at punkass.com (Ismael Valladolid Torres) Date: Wed Jan 25 22:18:10 2006 Subject: There new XMPP (aka Jabber) room GnuPG-ru In-Reply-To: <20060125124653.6783e7c8@maxim-l.office.modum.by> References: <20060125124653.6783e7c8@maxim-l.office.modum.by> Message-ID: <20060125172107.GD2228@spma33> Maxim Britov escribe: > For use it, you should have XMPP / Jabber account and client with > conference support. Clients is: tkabber, psi, gaim, iChat and many > others. I suggest Gajim which is truly ellegant and available for Linux and Windows. Cordially, Ismael -- Dropping science like when Galileo dropped his orange -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 190 bytes Desc: not available Url : /pipermail/attachments/20060125/efe8a80f/attachment.pgp From johanw at vulcan.xs4all.nl Wed Jan 25 23:33:41 2006 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Wed Jan 25 23:31:29 2006 Subject: Problem upgrading WinPT Message-ID: <200601252233.k0PMXfA0002905@vulcan.xs4all.nl> Hello, I just upgraded WinPT from 0.9.90 to 0.11.6. I just deleted all files (except the keyserver config) from the old WinPT dir and copied the new files there. However, now WinPT crashes at startup. This happens both at win2000 and winXP. Did I do anything wrong with this update method? I'd prefer not to use the installer since I prefer to install GnuPG by hand (I'm using GnuPG 1.4.2 on both machines). -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From twoaday at gmx.net Thu Jan 26 07:13:42 2006 From: twoaday at gmx.net (Timo Schulz) Date: Thu Jan 26 08:15:12 2006 Subject: Problem upgrading WinPT In-Reply-To: <200601252233.k0PMXfA0002905@vulcan.xs4all.nl> References: <200601252233.k0PMXfA0002905@vulcan.xs4all.nl> Message-ID: <20060126061342.GB1186@daredevil.joesixpack.net> On Wed Jan 25 2006; 23:33, Johan Wevers wrote: > (except the keyserver config) from the old WinPT dir and copied the new > files there. However, now WinPT crashes at startup. This happens both at I got some reports about this problem but I was never able to reproduce it. On most machines it works and currently I've no clue what the problem is. > win2000 and winXP. Did I do anything wrong with this update method? I'd No. If you deleted all existing (older versions) of PTD.dll, libgpgme-11.dll and replace WinPT.exe and all DLL's in the WinPT folder it should work. I tested it myself without any problems. Maybe you can check out the latest CVS snapshot, it contains some fixes: http://www.stud.uni-hannover.de/~twoaday/winpt-cvs-exe.zip (the file just contains the WinPT.exe and PTD.dll, so you need an existing WinPT installation) From udjinrg at forenet.by Thu Jan 26 08:59:10 2006 From: udjinrg at forenet.by (Maxim Britov) Date: Thu Jan 26 08:59:12 2006 Subject: There new XMPP (aka Jabber) room GnuPG-ru In-Reply-To: <20060125172107.GD2228@spma33> References: <20060125124653.6783e7c8@maxim-l.office.modum.by> <20060125172107.GD2228@spma33> Message-ID: <20060126095910.55cdab63@maxim-l.office.modum.by> On Wed, 25 Jan 2006 18:21:07 +0100 Ismael Valladolid Torres wrote: > Maxim Britov escribe: > > For use it, you should have XMPP / Jabber account and client with > > conference support. Clients is: tkabber, psi, gaim, iChat and many > > others. > > I suggest Gajim which is truly ellegant and available for Linux and > Windows. I not used gajim yet. I prefer tkabber and psi at the moment. Tkabber can sign messages with gnupg. PSI/Tkabber can encrypt messages with gnupg. -- Maxim Britov GnuPG KeyID 0x4580A6D66F3DB1FB xmpp:maxim@modum.by icq 198171258 Fingerprint: 4059 B5C5 8985 5A47 8F5A 8623 4580 A6D6 6F3D B1FB GnuPG-ru Team (http://lists.gnupg.org/mailman/listinfo/gnupg-ru) From alphasigmax at gmail.com Thu Jan 26 13:06:16 2006 From: alphasigmax at gmail.com (Alphax) Date: Thu Jan 26 13:06:57 2006 Subject: There new XMPP (aka Jabber) room GnuPG-ru In-Reply-To: <20060126095910.55cdab63@maxim-l.office.modum.by> References: <20060125124653.6783e7c8@maxim-l.office.modum.by> <20060125172107.GD2228@spma33> <20060126095910.55cdab63@maxim-l.office.modum.by> Message-ID: <43D8BB38.1070905@gmail.com> Maxim Britov wrote: > On Wed, 25 Jan 2006 18:21:07 +0100 > Ismael Valladolid Torres wrote: > > >>Maxim Britov escribe: >> >>>For use it, you should have XMPP / Jabber account and client with >>>conference support. Clients is: tkabber, psi, gaim, iChat and many >>>others. >> >>I suggest Gajim which is truly ellegant and available for Linux and >>Windows. > > > I not used gajim yet. I prefer tkabber and psi at the moment. > Tkabber can sign messages with gnupg. > PSI/Tkabber can encrypt messages with gnupg. > > PSI also has "signed presence". -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards http://tinyurl.com/cc9up | / \ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 556 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060126/4285b2e9/signature.pgp From udjinrg at forenet.by Thu Jan 26 13:49:40 2006 From: udjinrg at forenet.by (Maxim Britov) Date: Thu Jan 26 13:49:38 2006 Subject: There new XMPP (aka Jabber) room GnuPG-ru In-Reply-To: <43D8BB38.1070905@gmail.com> References: <20060125124653.6783e7c8@maxim-l.office.modum.by> <20060125172107.GD2228@spma33> <20060126095910.55cdab63@maxim-l.office.modum.by> <43D8BB38.1070905@gmail.com> Message-ID: <20060126144940.06adc91c@maxim-l.office.modum.by> On Thu, 26 Jan 2006 22:36:16 +1030 Alphax wrote: > Maxim Britov wrote: > > On Wed, 25 Jan 2006 18:21:07 +0100 > > Ismael Valladolid Torres wrote: > > > >>Maxim Britov escribe: > >> > >>>For use it, you should have XMPP / Jabber account and client with > >>>conference support. Clients is: tkabber, psi, gaim, iChat and many > >>>others. > >> > >>I suggest Gajim which is truly ellegant and available for Linux and > >>Windows. > > I not used gajim yet. I prefer tkabber and psi at the moment. > > Tkabber can sign messages with gnupg. > > PSI/Tkabber can encrypt messages with gnupg. > > PSI also has "signed presence". Yes, but psi doesn't support sign messages. Tkabber does. -- Maxim Britov GnuPG KeyID 0x4580A6D66F3DB1FB xmpp:maxim@modum.by icq 198171258 Fingerprint: 4059 B5C5 8985 5A47 8F5A 8623 4580 A6D6 6F3D B1FB GnuPG-ru Team (http://lists.gnupg.org/mailman/listinfo/gnupg-ru) From johnmoore3rd at joimail.com Thu Jan 26 14:38:15 2006 From: johnmoore3rd at joimail.com (John W. Moore III) Date: Thu Jan 26 14:37:50 2006 Subject: Reply Message-ID: <43D8D0C7.2060101@joimail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Maxim Britov wrote: > > Yes, but psi doesn't support sign messages. Tkabber does. Time for You to check out Psi 0.10 My Friend. JOHN :) Timestamp: Thursday 26 Jan 2006, 08:36 --500 (Eastern Standard Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3-cvs-3991: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: http://www.gswot.org Comment: Homepage: http://tinyurl.com/9ubue Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCAAGBQJD2NDFAAoJEBCGy9eAtCsPew4H/AvngNmFUAbbzAHrhxSI4UrL u4p04ovJBl8Vw0ci1/XgTkSSIXGG1F1YgX5N+WnMnG33iRmaQvCrHGwgo5Qc+igC yrPIQFONwQVbLXhrRJcbh2CJmg9whT/qfP2qbPy/fe+vltPi5ZJgGCXFJ1iiiNt6 0P2uhs9nSJl/d30uhS62JDyqFDDsD8eJAO15OIfBAzZLEU8mO7Kr5wDnj2TNutCK /UoFsgIsfJyfuxwwYmBCD/0t9tpR4nwdmDdONoYnJwcl5FvAjA2szcgXEoy8Brj4 XaABMQRydEWqxVrd1Wc6FO/ssKOvD+PxzleblxaGOwWcGRcgsEDtFyeHEC9on3A= =EuUT -----END PGP SIGNATURE----- From udjinrg at forenet.by Thu Jan 26 15:06:03 2006 From: udjinrg at forenet.by (Maxim Britov) Date: Thu Jan 26 15:06:08 2006 Subject: Reply In-Reply-To: <43D8D0C7.2060101@joimail.com> References: <43D8D0C7.2060101@joimail.com> Message-ID: <20060126160603.10474ad8@maxim-l.office.modum.by> On Thu, 26 Jan 2006 08:38:15 -0500 John W. Moore III wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > Maxim Britov wrote: > > > > Yes, but psi doesn't support sign messages. Tkabber does. > > Time for You to check out Psi 0.10 My Friend. PSI sign presence only at the moment. afaik Discussion from psi@conference.jabber.ru sent to you. -- Maxim Britov GnuPG KeyID 0x4580A6D66F3DB1FB xmpp:maxim@modum.by icq 198171258 Fingerprint: 4059 B5C5 8985 5A47 8F5A 8623 4580 A6D6 6F3D B1FB GnuPG-ru Team (http://lists.gnupg.org/mailman/listinfo/gnupg-ru) From ivalladt at punkass.com Thu Jan 26 10:49:50 2006 From: ivalladt at punkass.com (Ismael Valladolid Torres) Date: Thu Jan 26 15:48:18 2006 Subject: There new XMPP (aka Jabber) room GnuPG-ru In-Reply-To: <20060126095910.55cdab63@maxim-l.office.modum.by> References: <20060125124653.6783e7c8@maxim-l.office.modum.by> <20060125172107.GD2228@spma33> <20060126095910.55cdab63@maxim-l.office.modum.by> Message-ID: <20060126094950.GB556@spma33> Maxim Britov escribe: > On Wed, 25 Jan 2006 18:21:07 +0100 > Ismael Valladolid Torres wrote: > > > Maxim Britov escribe: > > > For use it, you should have XMPP / Jabber account and client with > > > conference support. Clients is: tkabber, psi, gaim, iChat and many > > > others. > > > > I suggest Gajim which is truly ellegant and available for Linux and > > Windows. > > I not used gajim yet. I prefer tkabber and psi at the moment. > Tkabber can sign messages with gnupg. > PSI/Tkabber can encrypt messages with gnupg. > > Gajim supports OpenPGP. I've not tried it, though. Cordially, Ismael -- Tout fourmille de commentaries, d'auteurs il en est grande cherté http://lamediahostia.blogspot.com/ http://www.flickr.com/photos/ivalladt/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 190 bytes Desc: not available Url : /pipermail/attachments/20060126/821ee455/attachment.pgp From wk at gnupg.org Thu Jan 26 17:27:04 2006 From: wk at gnupg.org (Werner Koch) Date: Thu Jan 26 17:31:52 2006 Subject: gpgsm: bad signature (which actually is not bad) In-Reply-To: <200601191338.18219.carsten.pfeiffer@first.fraunhofer.de> (Carsten Pfeiffer's message of "Thu, 19 Jan 2006 13:38:17 +0100") References: <200601191338.18219.carsten.pfeiffer@first.fraunhofer.de> Message-ID: <8764o70xbb.fsf@wheatstone.g10code.de> On Thu, 19 Jan 2006 13:38:17 +0100, Carsten Pfeiffer said: > I'm having a problem importing an X.509 certificate in PEM format with gpgsm > (1.9.19 -- unfortunately there is no Debian package for 1.9.20, yet). May you send me this certificate by PM so that I can have a look at it? Salam-Shalom, Werner From johanw at vulcan.xs4all.nl Thu Jan 26 17:57:34 2006 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Thu Jan 26 18:04:25 2006 Subject: Problem upgrading WinPT In-Reply-To: <20060126061342.GB1186@daredevil.joesixpack.net> Message-ID: <200601261657.k0QGvYln004717@vulcan.xs4all.nl> Timo Schulz wrote: >No. If you deleted all existing (older versions) of PTD.dll, libgpgme-11.dll >and replace WinPT.exe and all DLL's in the WinPT folder it should work. OK, so no registering of dll's is required. The only file I kept was keyserver.conf, containing a single line: http://subkeys.pgp.net >Maybe you can check out the latest CVS snapshot, it contains some fixes: >http://www.stud.uni-hannover.de/~twoaday/winpt-cvs-exe.zip I'll test it ASAP. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From vedaal at hush.com Thu Jan 26 20:24:17 2006 From: vedaal at hush.com (vedaal@hush.com) Date: Thu Jan 26 20:24:31 2006 Subject: Problem upgrading WinPT Message-ID: <200601261924.k0QJOM3V066207@mailserver2.hushmail.com> Timo Schulz twoaday at gmx.net wrote on Thu Jan 26 07:13:42 CET 2006 : >> (except the keyserver config) from the old WinPT dir and copied the new >> files there. However, now WinPT crashes at startup. >I got some reports about this problem but I was never able to >reproduce it. >On most machines it works and currently I've no clue what the problem >is. i think i might have found the problem, and also, why only some of us, Johan, myself, and only a very few others, are having it, and why it is hard for most others to reproduce it ... _v3 rsa keys_ ! while these are accepted by gnupg (am currently using 1.4.2 and 1.4.3 cvs mingw32), they refuse to be imported by winpt 0.11.6 or the winpt-cvs, have tried a new install on a new machine, never having winpt or gnupg and imported keys one by one into winpt when the first v3 key was imported, 0.11.6 said it didn't have a self-signature, (it did, but it was a v3 md5 one) and then after that, 0.11.6 crashes upon startup on my other machine, with existing gnupg keyrings, with v3 keys in them, winpt-cvs crashes upon loading the pubring.gpg on start-up would like to ask others here to confirm if this is so, (with respect to those who prefer not to have idea loaded, have prepared a v3 twofish keypair for testing, that does not require 'idea') -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.3-cvs (MingW32) Comment: v3 key-twofish // photo has old key in hyperspace ;-) mQCNAzvpqngAAAEEAMdzrhUz+sZHrU1soIuhgN1abgkaJa+MInPfS14VxvWi8lfT qUPzQD/g1d1zqWOv1p+pkGcYzv/iCexHpU9HYzR2t9xQtbWarsoAppHy8ZzUHzMA xS+qiHdq+R8tOhARzVrjc+XR4ERUz17ok+BE7bW+CNPURJZIlKrPna4qLD4XAAUR tB50ZnJzYXRlc3QgPHRmcnNhdGVzdEBrZXkudGVzdD6JAJUDBRA76ap4qs+drios PhcBA8gEBACQP8hwrZ0fBFAWglfizvUYUM0YYrPo5mX4dinbkT01IGnAIhN5m8z3 D9holNuuVvPSknkEldRtWrfwAFE32QykuEfnrI+C8gqVbMccaSiIKaOYP3zYPmWV +5FGXmorWqujmfzxiM8pHgDVTvbWV1AZl8uYJU3p9U/78Uk7uG8kfQ== =fxtV -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP PRIVATE KEY BLOCK----- Version: GnuPG v1.4.3-cvs (MingW32) Comment: passphrase: tfrsatest@key.test lQHoAzvpqngAAAEEAMdzrhUz+sZHrU1soIuhgN1abgkaJa+MInPfS14VxvWi8lfT qUPzQD/g1d1zqWOv1p+pkGcYzv/iCexHpU9HYzR2t9xQtbWarsoAppHy8ZzUHzMA xS+qiHdq+R8tOhARzVrjc+XR4ERUz17ok+BE7bW+CNPURJZIlKrPna4qLD4XAAUR CrY6FwIQXMh3je8FQVLuybUD/ujkFoKrFupR7490gasSOfWZDFYaO+JCW6R7JNSl Vfj6sTCKwMalGrPsAx4aDPEZtiJxtsAAgrf2+y6BC3F/dkiuMA+H3Zcci7ozLdAK lYHHPbgPTBb+gzLsje0Qfbi/nhNDRlpDJBtdQW3rjenoO7Z59g2veUzhedRmXuvv TB31AgDDLoTJZniynJWlPQxL9IYNnuBzDs2U+FN9NS1z0keW69NyoTlOaYx/MD6H NrDlZMnKVQ1kWNa6ByJ0eL7zYMB2AgDsuoIqVGxBvUFbkVXlih0oaf74kFPkExg3 CLkNqAuoxb6XwNrR9p7ABtXqAG7aGrMw4je9+6BfH8hh/QEGjYJ2Af1k0Dujo4P0 p02Cb0SmzxLVSiEAn68DNhht5GfKpjBSvv5kZoVOQ+E6ixCwWH/HipXCsVEieQdc 9tPoBOzDLWGko260HnRmcnNhdGVzdCA8dGZyc2F0ZXN0QGtleS50ZXN0Pg== =aKox -----END PGP PRIVATE KEY BLOCK----- the key works fine in gnupg, and used to work fine in earlier winpt versions (on my system) Thanks in Advance for testing/clarifying vedaal Concerned about your privacy? Instantly send FREE secure email, no account required http://www.hushmail.com/send?l=480 Get the best prices on SSL certificates from Hushmail https://www.hushssl.com?l=485 From vedaal at hush.com Thu Jan 26 21:54:34 2006 From: vedaal at hush.com (vedaal@hush.com) Date: Thu Jan 26 21:54:03 2006 Subject: Problem upgrading WinPT // spam protection changed the passphrase Message-ID: <200601262054.k0QKsZGk080987@mailserver2.hushmail.com> vedaal at hush.com vedaal at hush.com wrote Thu Jan 26 20:24:17 CET 2006 : the spam protection changed the passphrase > -----BEGIN PGP PRIVATE KEY BLOCK----- >Version: GnuPG v1.4.3-cvs (MingW32) >Comment: passphrase: tfrsatest at key.test ^^^^^^ the correct passphrase has the @ immediately following tfrsatest and key.test immediately following the @ no spaces anywhere in the passphrase (my early test keys were all done with the passphrase exactly the same name as the key, so when prompted for the passphrase, it could be copied just by loking at the name of the key that gnupg lists, have since modified it to leave out the @ and address) sorry ;-) vedaal Concerned about your privacy? Instantly send FREE secure email, no account required http://www.hushmail.com/send?l=480 Get the best prices on SSL certificates from Hushmail https://www.hushssl.com?l=485 From twoaday at gmx.net Fri Jan 27 00:46:41 2006 From: twoaday at gmx.net (Timo Schulz) Date: Fri Jan 27 00:44:44 2006 Subject: Problem upgrading WinPT In-Reply-To: <200601261924.k0QJOM3V066207@mailserver2.hushmail.com> References: <200601261924.k0QJOM3V066207@mailserver2.hushmail.com> Message-ID: <20060126234641.GA1257@daredevil.joesixpack.net> On Thu Jan 26 2006; 14:24, vedaal@hush.com wrote: > why only some of us, Johan, myself, and only a very few others, are > having it, and why it is hard for most others to reproduce it ... > > _v3 rsa keys_ ! Excellent work. > on my other machine, with existing gnupg keyrings, > with v3 keys in them, > winpt-cvs crashes upon loading the pubring.gpg on start-up Thanks for the test data, I will definitely check this out tomorrow and hopefully I can fix the crashes and release 0.11.7 which works again on these machines. Timo From johanw at vulcan.xs4all.nl Fri Jan 27 01:10:03 2006 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Fri Jan 27 01:07:24 2006 Subject: Problem upgrading WinPT In-Reply-To: <20060126061342.GB1186@daredevil.joesixpack.net> Message-ID: <200601270010.k0R0A3MK000684@vulcan.xs4all.nl> Timo Schulz wrote: >Maybe you can check out the latest CVS snapshot, it contains some fixes: >http://www.stud.uni-hannover.de/~twoaday/winpt-cvs-exe.zip >(the file just contains the WinPT.exe and PTD.dll, so you need an existing > WinPT installation) Still gives the same error: a NULL pointer assignment: The instruction at "0x00441dfd" referenced memory at "0x00000000". The memory could not be read. Click on OK to terminate the program. Click on CANCEL to debug the program. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From daniel at kingsofcode.net Thu Jan 26 23:42:06 2006 From: daniel at kingsofcode.net (=?ISO-8859-1?Q?Daniel_L=F6fquist?=) Date: Fri Jan 27 01:18:07 2006 Subject: Problem with revoking my old key Message-ID: <43D9503E.6030903@kingsofcode.net> Hello everybody, This is my first post on this mailinglist so please bear with me ;-) I've had a gnupg-keypair for about 4 years and the public key is published on several keyservers. Recently however my key has been compromised so yesterday I decided to make a new one. First I made a revocation certificate for the old key using "gpg --revoke-gen --output revoke_old_key.asc daniel@kingsofcode.net". The revocation certificate looks like this: -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.2 (GNU/Linux) Comment: A revocation certificate should follow iGcEIBECACcFAkPYlycgHQNVbnNhdGlzZmFjdG9yeSBudW1iZXIgb2YgYml0cy4A CgkQYFyEwpQ49PDniwCeKoortWgSt0+G1323SDwQztF3CkYAn0Gy2bNPXwKuSMyp MQwoa/N8cu2O =Vzao -----END PGP PUBLIC KEY BLOCK----- Now I've been trying to upload the revocation certificate to the various keyservers but none of them wants to accept it. For example, when I try uploading it to wwwkey.pgp.net I get this as a response: Add failed: Malformed Key --- unexpected packet type and/or order of packets Am I doing something wrong or why is my key not being accepted by the keyservers? //Daniel -- Excuse me, I believe you have my stapler...? Support cryptography for personal privacy: http://www.gnupg.org Download my OpenPGP public key at: http://www.kingsofcode.net/dl/pubkey.asc From dshaw at jabberwocky.com Fri Jan 27 01:44:28 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Jan 27 01:44:05 2006 Subject: Problem with revoking my old key In-Reply-To: <43D9503E.6030903@kingsofcode.net> References: <43D9503E.6030903@kingsofcode.net> Message-ID: <20060127004428.GA32473@jabberwocky.com> On Thu, Jan 26, 2006 at 11:42:06PM +0100, Daniel L?fquist wrote: > Hello everybody, > This is my first post on this mailinglist so please bear with me ;-) > I've had a gnupg-keypair for about 4 years and the public key is published on > several keyservers. Recently however my key has been compromised so yesterday I > decided to make a new one. First I made a revocation certificate for the old key > using "gpg --revoke-gen --output revoke_old_key.asc daniel@kingsofcode.net". > The revocation certificate looks like this: Do this: gpg --import revoke_old_key.asc So the key on your keyring is revoked. Now upload the key to the keyserver: gpg --keyserver wwwkeys.pgp.net --send-key daniel@kingsofcode.net David From jeandavid8 at verizon.net Fri Jan 27 03:52:01 2006 From: jeandavid8 at verizon.net (Jean-David Beyer) Date: Fri Jan 27 04:51:35 2006 Subject: Problem with revoking my old key In-Reply-To: <43D9503E.6030903@kingsofcode.net> References: <43D9503E.6030903@kingsofcode.net> Message-ID: <43D98AD1.4080907@verizon.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Daniel L?fquist wrote: > Hello everybody, > This is my first post on this mailinglist so please bear with me ;-) > I've had a gnupg-keypair for about 4 years and the public key is published on > several keyservers. Recently however my key has been compromised so yesterday I > decided to make a new one. First I made a revocation certificate for the old key > using "gpg --revoke-gen --output revoke_old_key.asc daniel@kingsofcode.net". > The revocation certificate looks like this: > > -----BEGIN PGP PUBLIC KEY BLOCK----- > Version: GnuPG v1.4.2 (GNU/Linux) > Comment: A revocation certificate should follow > > iGcEIBECACcFAkPYlycgHQNVbnNhdGlzZmFjdG9yeSBudW1iZXIgb2YgYml0cy4A > CgkQYFyEwpQ49PDniwCeKoortWgSt0+G1323SDwQztF3CkYAn0Gy2bNPXwKuSMyp > MQwoa/N8cu2O > =Vzao > -----END PGP PUBLIC KEY BLOCK----- > > Now I've been trying to upload the revocation certificate to the various > keyservers but none of them wants to accept it. For example, when I try > uploading it to wwwkey.pgp.net I get this as a response: > > Add failed: Malformed Key --- unexpected packet type and/or order of packets > > Am I doing something wrong or why is my key not being accepted by the keyservers? > > > //Daniel > > I get the same message when I try to import your key. So if it is not you, it is both Thunderbird 1.5 and the keyserver. I would not expect both to be buggy in the same way. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jersey http://counter.li.org ^^-^^ 21:50:00 up 6 days, 13:17, 5 users, load average: 4.22, 4.41, 4.58 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFD2YrQPtu2XpovyZoRAtt9AKDJzYJva9KX/HW9MLRW/4QM4nzpVwCgiFIR LDWbGg7zA1Qol3eyXECxX3M= =B8Pg -----END PGP SIGNATURE----- From shavital at mac.com Fri Jan 27 07:12:08 2006 From: shavital at mac.com (Charly Avital) Date: Fri Jan 27 08:48:18 2006 Subject: Problem with revoking my old key In-Reply-To: <43D98AD1.4080907@verizon.net> References: <43D9503E.6030903@kingsofcode.net> <43D98AD1.4080907@verizon.net> Message-ID: <43D9B9B8.9020803@mac.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Running Thunderbird version 1.5 (20051201) + enigmail 0.94.0, Macintosh OSX 10.4.4, GnuPG 1.4.2. When I received Daniel's message, TB+Enigmail indicated, in a colored strip over the message's text "click the Decrypt icon to import key" (I don't remember the exact words). When I clicked that icon, a message was displayed "...cannot import revocation certificate key 9438F4F0...". Again, I don't remember the exact words, but that was the gist of the message. I then searched for Daniel's keys with CLI: $ gpg -search-keys daniel@kingsofcode.net (I don't have to specify the keyserver in CLI, this is done in GPGPreferences, a feature of MacGPG, which is the GnuPG for the Mac Project) This produced two keys: one created 2002-10-20 one created 2006-01-25 Both keys were valid, none contained any trace of revocation. I then went back to Daniel's original message, clicked again the Decrypt icon, and GnuPG[via TB+enigmail] displayed a long message the gist of which was the successful import of the revocation certificate, and detailing other data e.g. trust levels, etc. Went to $ gpg --edit-key 9438F4F0 with the following output: - ----- This key was revoked on 2006-01-26 by DSA key 9438F4F0 Daniel L?fquist pub 1024D/9438F4F0 created: 2002-10-20 revoked: 2006-01-26 usage: CSA trust: unknown validity: revoked This key was revoked on 2006-01-26 by DSA key 9438F4F0 Daniel L?fquist sub 1024g/DDF10144 created: 2002-10-20 revoked: 2006-01-26 usage: E [ revoked] (1). Daniel L?fquist - ----- I don't know whether Daniel has already followed David Shaw's suggestion: import the revocation certificate into Daniel's keyring, and they upload the resulting public key keyblock to a keyserver, which is the standard way to use a revocation certificate. I am sure that when I downloaded Daniel's keys from a keyserver (wwwkeys.pgp.net) the key was not revoked. I have *not* of course uploaded the revoked public key keyblock to a keyserver. That's Daniel's privilege. Therefore it seems that by importing the revocation certificate as it appeared in Daniel's email, *when the corresponding key was present in my keyring* gpg actually revoked the key. If this is what happened, that means that when one has obtained the revocation certificate, it is possible to revoke the corresponding key in one's own keyserver, without the intervention of the certificate's issuer, and I believe that is detailed in GnuPG documentation. This is why revocation certificates must be carefully saved and protected in the issuer's system, until such time the user him/herself needs to apply the certificate. Wouldn't it be "better" if the actual application of the revocation certificate would be conditioned to the use of the key's passphrase, thus limiting the revocation certificate's application to the key's owner only? Just 2? Charly Jean-David Beyer wrote the following on 1/26/06 9:52 PM: > Daniel L?fquist wrote: [...] >>> Now I've been trying to upload the revocation certificate to the various >>> keyservers but none of them wants to accept it. For example, when I try >>> uploading it to wwwkey.pgp.net I get this as a response: >>> >>> Add failed: Malformed Key --- unexpected packet type and/or order of packets >>> >>> Am I doing something wrong or why is my key not being accepted by the keyservers? >>> >>> >>> //Daniel >>> >>> > I get the same message when I try to import your key. So if it is not you, > it is both Thunderbird 1.5 and the keyserver. I would not expect both to be > buggy in the same way. > > -- > .~. Jean-David Beyer Registered Linux User 85642. > /V\ PGP-Key: 9A2FC99A Registered Machine 241939. > /( )\ Shrewsbury, New Jersey http://counter.li.org > ^^-^^ 21:50:00 up 6 days, 13:17, 5 users, load average: 4.22, 4.41, 4.58 _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (Darwin) Comment: GnuPG for Privacy Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQIVAwUBQ9m5sm69XHxycyfPAQh91BAAlLA6u2GJmJBpgxPq0f+Sw8PRQR0Oig9P m1jyL9oXCr88kdozc6YuJN/ORcw4mUBpzpK5uUJayAVppjVTT0yZ2TtabNryL1FG B3AVHRi4IpZ69RqpYPHPwsrtWzgrniPppMKUjTHUWXkdoDNuVcdaIFNEVmY+7Ddg KTmp+F1Z0s0L+Et8QKR1OIjcthXp06E9//8mItAKcxBFKiYKU8FH40SjAVmt65ff AHZzdraz9NB3SqVR0h0lRWfry+dLCU2FUTrqE7eUjlmVNlfUi1kEwuKHd8juKfxC tv3DacjSxUhiinpqScEOcilk7IkN/EK43Si0AOHIF9sx/SwT/hnTOkWl1g8lMnpr fLT5MUY6ekjCAi4OKrdGPHG8Fw3O1T5kGVI/hPL96xWbCZL5QtZvPMS1u5oG23oB 0VAVHeUxShKkiMxJtJIlj5lzhIKrLgNtmgqF+CsU739jxunxHoUx2uXuyv12JTKg DwQMbIMETS9WoDoY/PTFs3iFKqzlTDDcC9A6uEqcWM+0/IZJSWVm/vp4ELwp0pkX iIZanHbFGeVAtOsvzMNpVWrhikYFb2ZVRC6YJjqW+fO5vWpyFkgIvv5xpJCI0beE VeiPB5ZeyQUgEWExe46jfeHoKNsTSNkG0TZhbtt1BMltFeJd44quLZyrZUXgCR5R BU9gr4vHPaw= =JPDx -----END PGP SIGNATURE----- From twoaday at gmx.net Fri Jan 27 10:09:05 2006 From: twoaday at gmx.net (Timo Schulz) Date: Fri Jan 27 10:10:03 2006 Subject: Problem upgrading WinPT In-Reply-To: <200601270010.k0R0A3MK000684@vulcan.xs4all.nl> References: <20060126061342.GB1186@daredevil.joesixpack.net> <200601270010.k0R0A3MK000684@vulcan.xs4all.nl> Message-ID: <20060127090905.GA1211@daredevil.joesixpack.net> On Fri Jan 27 2006; 01:10, Johan Wevers wrote: > Still gives the same error: a NULL pointer assignment: > > The instruction at "0x00441dfd" referenced memory at "0x00000000". The > memory could not be read. I fixed this in the CVS. A new release should be available within some hours. Timo From sven at radde.name Fri Jan 27 09:24:51 2006 From: sven at radde.name (Sven Radde) Date: Fri Jan 27 13:49:49 2006 Subject: Problem with revoking my old key In-Reply-To: <43D9B9B8.9020803@mac.com> Message-ID: <000401c6231b$24d732d0$5784e784@IFIS.unipassau.de> Hello! > -----Original Message----- > If this is what happened, that means that when one has obtained the > revocation certificate, it is possible to revoke the corresponding key > in one's own keyserver, without the intervention of the certificate's > issuer, and I believe that is detailed in GnuPG documentation. This is > why revocation certificates must be carefully saved and > protected in the > issuer's system, until such time the user him/herself needs > to apply the > certificate. Exactly. One should not send out one's revocation certificate to the world, as anybody can revoke the key with it (and then upload it to the keyservers). In this actual case it doesn't matter, as the key is to be revoked anyway. > Wouldn't it be "better" if the actual application of the revocation > certificate would be conditioned to the use of the key's passphrase, > thus limiting the revocation certificate's application to the key's > owner only? IMHO not. One of the purposes of a revocation-certificate is to give you the chance to make the key unusable if you have *forgotten* your passphrase. btw, the GnuPG documentation explicitly details the process how to revoke a key: http://www.gnupg.org/(en)/documentation/faqs.html#q4.17 cu, Paeniteo From david.t.kerns at us.hsbc.com Sat Jan 28 00:27:40 2006 From: david.t.kerns at us.hsbc.com (david.t.kerns@us.hsbc.com) Date: Sat Jan 28 01:27:31 2006 Subject: mpi larger than indicated length Message-ID: No advise from anyone on this? __________________ I'm doing some inter platform/product testing.. I was running GnuPG 1.4.1 and pks0.9.4 keyserver on Solaris 5.8 I sent my publickey to my counter part running PsypherOPS on the mainframe He encrypted a file and sent it to me. When I tried to decrypt it I got the following error message: $ gpg -d IFO.SECURE.PGP gpg: mpi too large (51692 bits) gpg: Ohhhh jeeee: mpi crosses packet border secmem usage: 0/0 bytes in 0/0 blocks of pool 0/32768 Abort So I Googled the error message and found several articles about upgrading to pks0.9.5 to rid the error (I was a bit skeptical since I had sent him my public key and not used the keyserver for the exchange) but I figured I'd try it. I found pks0.9.6 on sourceforge and built and installed it. While that was building I Googled more and found an article that said GnuPG 1.4.2 had a better error message for mpi problems So I build and installed GnuPG1.4.2 (woot! I'm current, for the moment) Now I'm getting the following error message: $ gpg -d -vvv IFO.SECURE.PGP gpg: using character set `iso-8859-1' gpg: armor: BEGIN PGP MESSAGE gpg: armor header: Version: PsypherOPS 4.30.00 - www.primefactors.com :pubkey enc packet: version 3, algo 16, keyid 9E1BA0486180F04C data: [2047 bits] data: [2045 bits] gpg: public key is 6180F04C gpg: using subkey 6180F04C instead of primary key CDCF6506 gpg: public key encrypted data: good DEK :pubkey enc packet: version 3, algo 16, keyid D2DDC51A2F833978 data: [1024 bits] gpg: mpi larger than indicated length (0 bytes) data: [MPI_NULL] Can anyone shed some light on this? Do I need to regenerate my key and send my counter part the new public key? Or have I run into a compatibility issue with PsypherOPS? other data: $ gpg --list-public-keys .../.gnupg/pubring.gpg ------------------------------------- pub 1024D/CDCF6506 2005-11-18 uid dkerns@xxxxxx sub 2048g/6180F04C 2005-11-18 Thanks ----------------------------------------- ******************************************************************* **** This E-mail is confidential. It may also be legally privileged. If you are not the addressee you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return E-mail. Internet communications cannot be guaranteed to be timely, secure, error or virus-free. The sender does not accept liability for any errors or omissions. ******************************************************************* **** From dshaw at jabberwocky.com Sat Jan 28 05:11:01 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Sat Jan 28 05:10:45 2006 Subject: mpi larger than indicated length In-Reply-To: References: Message-ID: <20060128041101.GA4693@jabberwocky.com> On Fri, Jan 27, 2006 at 05:27:40PM -0600, david.t.kerns@us.hsbc.com wrote: > $ gpg -d -vvv IFO.SECURE.PGP > gpg: using character set `iso-8859-1' > gpg: armor: BEGIN PGP MESSAGE > gpg: armor header: Version: PsypherOPS 4.30.00 - www.primefactors.com > :pubkey enc packet: version 3, algo 16, keyid 9E1BA0486180F04C > data: [2047 bits] > data: [2045 bits] > gpg: public key is 6180F04C > gpg: using subkey 6180F04C instead of primary key CDCF6506 > gpg: public key encrypted data: good DEK > :pubkey enc packet: version 3, algo 16, keyid D2DDC51A2F833978 > data: [1024 bits] > gpg: mpi larger than indicated length (0 bytes) > data: [MPI_NULL] > > Can anyone shed some light on this? > Do I need to regenerate my key and send my counter part the new public key? > Or have I run into a compatibility issue with PsypherOPS? As you noted, this is unlikely to be related to pks. It looks like some interaction between GnuPG and PsypherOPS. The message was encrypted to two keys, 9E1BA0486180F04C (you) and D2DDC51A2F833978 (someone else). The encrypted session key for the second key (the one who isn't you) appears malformed. Specifically, the error says that the pubkey enc packet contained two MPIs, the first of which seems to be 1024 bits (too small), and the second of which is missing altogether. Anyway, that's breaking the decryption. David From gct3 at blueyonder.co.uk Mon Jan 30 09:22:33 2006 From: gct3 at blueyonder.co.uk (Graham) Date: Mon Jan 30 09:21:12 2006 Subject: Problems Deleting Key and Adding Key to Keyring Message-ID: <200601300822.33547.gct3@blueyonder.co.uk> I have Gpg 1.4.2 installed by default on my Mepis system. When I tried to delete a key from my keyring both from the command line and through Kgpg I got this error: gpg --delete-keys 0xCB1AA7B0 pub 1024D/CB1AA7B0 2003-11-18 Robert Blayzor (INOC) Delete this key from the keyring? (y/N) y gpg: /home/graham/.gnupg/pubring.gpg: copy to `/home/graham/.gnupg/pubring.gpg.tmp' failed: file read error gpg: deleting keyblock failed: file read error gpg: 0xCB1AA7B0: delete key failed: file read error When I tried to import a key I got a similar file read error. I tried renaming my .gnupg file as .gnupg_old, rerunning gpg --help so a new .gnupg file would be set up and copying my keyrings, gpg.conf file, and gpg.trust file. Still no luck. I've checked permissions and they seem OK with all access except by owner being forbidden. I've tried adding a .gnupg/pubring/pubring.gpg.temp folder and file without success. Anybody know what I should do to get this to work? -- Graham From johanw at vulcan.xs4all.nl Mon Jan 30 11:51:35 2006 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Mon Jan 30 11:50:33 2006 Subject: Problem upgrading WinPT In-Reply-To: <20060127090905.GA1211@daredevil.joesixpack.net> Message-ID: <200601301051.k0UApZZi002561@vulcan.xs4all.nl> Timo Schulz wrote: >I fixed this in the CVS. A new release should be available within >some hours. OK, 0.11.7 starts fine. Was the problem indeed related to v3 keys? They can't be that uncommon. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From twoaday at gmx.net Mon Jan 30 12:40:04 2006 From: twoaday at gmx.net (Timo Schulz) Date: Mon Jan 30 12:52:08 2006 Subject: Problem upgrading WinPT In-Reply-To: <200601301051.k0UApZZi002561@vulcan.xs4all.nl> References: <20060127090905.GA1211@daredevil.joesixpack.net> <200601301051.k0UApZZi002561@vulcan.xs4all.nl> Message-ID: <20060130114004.GA1185@daredevil.joesixpack.net> On Mon Jan 30 2006; 11:51, Johan Wevers wrote: > >I fixed this in the CVS. A new release should be available within > >some hours. > > OK, 0.11.7 starts fine. Was the problem indeed related to v3 keys? Yes. > They can't be that uncommon. I tested it with several keys without any problems. The problem was related to some keys only. Now it is fixed and should work with all v3 keys. Timo From veronatif at free.fr Sun Jan 29 21:43:13 2006 From: veronatif at free.fr (Alain Bench) Date: Mon Jan 30 16:18:19 2006 Subject: uncleanable expired sig Message-ID: <20060129204313.GA15202@free.fr> Hello, I have on my key 0xC1C46015 as fetched on subkeys.pgp.net several temporary signatures from PGP Global Directory Verification Key. Those signatures seem all verified, but are expired. With GnuPG 1.4.2 I do --edit and "clean sigs", and they are gone. Except one of those expired sigs done on 2005-09-04 stays uncleanable? | $ gpg --check-sigs C1C46015 | pub 1024D/C1C46015 2003-11-29 | uid Alain Bench | sig!3 C1C46015 2006-01-26 Alain Bench | uid Alain Bench | sig!3 C1C46015 2005-01-01 Alain Bench [snip some permanent sigs] | sig! X CA57AD7C 2005-09-04 PGP Global Directory Verification Key | sub 1024g/BFD57A5F 2003-11-29 | sig! C1C46015 2003-11-29 Alain Bench Bye! Alain. -- When you want to reply to a mailing list, please avoid doing so from a digest. This often builds incorrect references and breaks threads. From dshaw at jabberwocky.com Mon Jan 30 16:50:30 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Jan 30 16:50:03 2006 Subject: uncleanable expired sig In-Reply-To: <20060129204313.GA15202@free.fr> References: <20060129204313.GA15202@free.fr> Message-ID: <20060130155030.GA7193@jabberwocky.com> On Sun, Jan 29, 2006 at 09:43:13PM +0100, Alain Bench wrote: > Hello, > > I have on my key 0xC1C46015 as fetched on subkeys.pgp.net several > temporary signatures from PGP Global Directory Verification Key. Those > signatures seem all verified, but are expired. With GnuPG 1.4.2 I do > --edit and "clean sigs", and they are gone. Except one of those expired > sigs done on 2005-09-04 stays uncleanable? > > | $ gpg --check-sigs C1C46015 > | pub 1024D/C1C46015 2003-11-29 > | uid Alain Bench > | sig!3 C1C46015 2006-01-26 Alain Bench > | uid Alain Bench > | sig!3 C1C46015 2005-01-01 Alain Bench > [snip some permanent sigs] > | sig! X CA57AD7C 2005-09-04 PGP Global Directory Verification Key > | sub 1024g/BFD57A5F 2003-11-29 > | sig! C1C46015 2003-11-29 Alain Bench Yes. That's the last signature you have from the GD. The older ones don't carry a meaning (the were replaced by the newer ones), but this last one must stay as it does carry meaning - that as of 2005-09-04, the GD had expired a signature for you. David From gct3 at blueyonder.co.uk Mon Jan 30 17:48:44 2006 From: gct3 at blueyonder.co.uk (Graham) Date: Mon Jan 30 17:47:57 2006 Subject: Problems Deleting Key and Adding Key to Keyring In-Reply-To: <200601300822.33547.gct3@blueyonder.co.uk> References: <200601300822.33547.gct3@blueyonder.co.uk> Message-ID: <200601301649.20720.gct3@blueyonder.co.uk> On Monday 30 Jan 2006 08:22, Graham wrote: > I have Gpg 1.4.2 installed by default on my Mepis system. When I > tried to delete a key from my keyring both from the command line and > through Kgpg I got this error: > > gpg --delete-keys 0xCB1AA7B0 > > pub 1024D/CB1AA7B0 2003-11-18 Robert Blayzor (INOC) > > > Delete this key from the keyring? (y/N) y > gpg: /home/graham/.gnupg/pubring.gpg: copy to > `/home/graham/.gnupg/pubring.gpg.tmp' failed: file read error > gpg: deleting keyblock failed: file read error > gpg: 0xCB1AA7B0: delete key failed: file read error [snipped] I don't know why it did it, but solved the problem by naming pubring.gpg and secring.gpg with a suffix "old" (eg pubring.gpg.old), then doing an import on each file. It asked me for my passphrase on each of my (old) keypairs but imported them fine. I can now import and export keys to my hearts content! As I said, I don't know what was wrong with the old keyrings, but its the simple things we tend to overlook.... HTH anyone with the same problem! -- Graham -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 243 bytes Desc: not available Url : /pipermail/attachments/20060130/f4fa769f/attachment.pgp