From pasquires at gmail.com Wed Mar 1 11:46:43 2006
From: pasquires at gmail.com (Paul Squires)
Date: Wed Mar 1 13:30:50 2006
Subject: GPGOL regsvr problem
Message-ID:

Hi,

I sent this message previously, but there was no sign of a delivery.
Apologies if this is a duplicate...

I'm trying to install GPGOL for use with Outlook 2003 on Windows XP SP2.
I've followed the instructions and am attempting to register the
gpgol.dll file - getting the error message

LoadLibrary("gpgol.dll")failed GetLastError returns 0x0000007e

There's probably a few "non-standard" components here, but nothing I can
see that would cause a problem. I've downloaded the zip from the ftp
site and put the other DLLs in the system directory.

Any ideas?

TIA,
--
Paul Squires
pasquires@gmail.com | OpenPGP Key ID: 0x423003E0
MSN: pa_squires@hotmail.com | ICQ: 318471677

From gnupg-users at spodhuis.demon.nl Wed Mar 1 14:12:44 2006
From: gnupg-users at spodhuis.demon.nl (Phil Pennock)
Date: Wed Mar 1 14:12:03 2006
Subject: Ohhhh jeeee: ... this is a bug (getkey.c:2079:merge_selfsigs)
In-Reply-To: <200602281307.00624.sbt@megacceso.com>
References: <20060227093410.GA27800@domus.home.globnix.net> <20060228043933.GA20051@jabberwocky.com> <20060228101332.GA25308@domus.home.globnix.net> <200602281307.00624.sbt@megacceso.com>
Message-ID: <20060301131244.GA28479@domus.home.globnix.net>

On 2006-02-28 at 13:07 +0100, sbt@megacceso.com wrote:
> Ok, now it works, but can you send me any information that could be
> interesting? For example how you create the 0xC9541FB2,

It's a public key for someone else, imported with --recv-key, because
it's in a trust path I need.

I do have a rather large public key ring (69MB); at times when the trust
path tools have been broken, I wrote a gpg_fetchsigners wrapper which
imports the signers on a key; it's not very good for finding the keys
signed _by_ a key, but there is a degree of correlation and so it's been
adequate to let me get a decent population of trust paths to things I
need (signers of security notices, packages, etc). I'm tempted to dump
out my public keyring and only re-import those which are on my current
ownertrust list.

So yes, I've seen various broken signatures and hit the mpi bug.
--
I am keeping international relations on a peaceable footing.
You are biding your time before acting.
He is coddling tyrants.
 -- Roger BW on topic of verb conjugation

From walter.haidinger at gmx.at Wed Mar 1 17:16:37 2006
From: walter.haidinger at gmx.at (Walter Haidinger)
Date: Wed Mar 1 17:16:44 2006
Subject: Howto setup an OpenLDAP PGP keyserver
In-Reply-To: <5953.192.168.77.250.1140710468.squirrel@haidinger.dyndns.org>
References: <5953.192.168.77.250.1140710468.squirrel@haidinger.dyndns.org>
Message-ID: <4405C8E5.50007@gmx.at>

Walter Haidinger wrote:
> Used software: OpenLDAP 2.2.27, run under SuSE 10.0
> GnuPG 1.4.3rc1 (subversion revision 4020).
>
> If you don't want to wait until 1.4.3 is officially released,
> grab yourself a copy from svn:
>> svn co svn://cvs.gnupg.org/gnupg/trunk

Actually, upcoming 1.4.3 is only needed if you want to use --send-keys
to store the keys on the LDAP server.

For importing (--recv-keys) or searching, any 1.4.x release should work.

Verified this with GnuPG 1.4.1 (Cygwin port) used by Thunderbird's
Enigmail 0.94 extension: Opened Key Management -> Keyserver -> Search
for keys. Keys were found and imported from ldap://keys.your-server.com
just fine.

Regards, Walter

From sbt at megacceso.com Wed Mar 1 19:10:02 2006
From: sbt at megacceso.com (Sergi Blanch i Torné)
Date: Wed Mar 1 19:09:31 2006
Subject: Ohhhh jeeee: ... this is a bug (getkey.c:2079:merge_selfsigs)
In-Reply-To: <20060301131244.GA28479@domus.home.globnix.net>
References: <20060227093410.GA27800@domus.home.globnix.net> <200602281307.00624.sbt@megacceso.com> <20060301131244.GA28479@domus.home.globnix.net>
Message-ID: <200603011910.02349.sbt@megacceso.com>

Ok, in this case (David correct me if I am wrong) it looks like there was
something broken in the pubring that was fixed when you ran
'--update-trustdb' (over an unpatched binary).

Now you haven't any problem. All works fine? I, also, download this key in my
pubring without problems.

I remark: this ecc patch is _experimental_, use it carefully!

/Sergi.

On Wednesday 01 March 2006 14:12, Phil Pennock wrote:
> On 2006-02-28 at 13:07 +0100, sbt@megacceso.com wrote:
> > Ok, now it works, but can you send me any information that could be
> > interesting? For example how you create the 0xC9541FB2,
>
> It's a public key for someone else, imported with --recv-key, because
> it's in a trust path I need.
>
> I do have a rather large public key ring (69MB); at times when the trust
> path tools have been broken, I wrote a gpg_fetchsigners wrapper which
> imports the signers on a key; it's not very good for finding the keys
> signed _by_ a key, but there is a degree of correlation and so it's been
> adequate to let me get a decent population of trust paths to things I
> need (signers of security notices, packages, etc). I'm tempted to dump
> out my public keyring and only re-import those which are on my current
> ownertrust list.
>
> So yes, I've seen various broken signatures and hit the mpi bug.

From lporter at hdsmith.com Wed Mar 1 19:12:24 2006
From: lporter at hdsmith.com (lporter@hdsmith.com)
Date: Wed Mar 1 19:11:45 2006
Subject: Auto Reply to your message ...
Message-ID: <43C6973C0004ADA0@HDSPRIME.hdsmith.com>

----- The following text is an automated response to your message -----

Hello, I'm on vacation from Monday, February 27 through Friday, March 3.
I'll be returning on Monday, March 6. If you need IMMEDIATE URGENT help
email helpdesk@hdsmith.com. Please do not use helpdesk@hdsmith.com
unless it requires immediate action. I will check my email from time to
time.

Thanks - Lowell

From afb at paradise.net.nz Thu Mar 2 01:00:20 2006
From: afb at paradise.net.nz (Adam Bogacki)
Date: Thu Mar 2 02:48:07 2006
Subject: Global Deb/XP keys from Deb partition ?
Message-ID: <20060302000020.GA3737@paradise.net.nz>

Hi, having seen a reverse example at

http://lists.gnupg.org/pipermail/gnupg-users/2003-July/019421.html

I attempted

Tux:~# /usr/bin/gpg
gpg: Go ahead and type your message ...
gpg --armor --export mykey > mykey.asc

.. where it hung.

I had thought to move mykey.asc and myseckey.asc to an appropriate
WinXP location before doing

gpg --import mykey.asc myseckey.asc

in an XP window via 'cmd' having already done

/usr/bin/thunderbird -install-global-extension /home/adam/Thunderbird/enigmail-0.94.0-tb15-linux.xpi

What have I missed here ?

Adam Bogacki,
afb@paradise.net.nz

From alphasigmax at gmail.com Thu Mar 2 09:31:46 2006
From: alphasigmax at gmail.com (Alphax)
Date: Thu Mar 2 09:31:44 2006
Subject: Global Deb/XP keys from Deb partition ?
In-Reply-To: <20060302000020.GA3737@paradise.net.nz>
References: <20060302000020.GA3737@paradise.net.nz>
Message-ID: <4406AD72.1060309@gmail.com>

Adam Bogacki wrote:
> Hi, having seen a reverse example at
>
> http://lists.gnupg.org/pipermail/gnupg-users/2003-July/019421.html
>
> I attempted
>
> Tux:~# /usr/bin/gpg
> gpg: Go ahead and type your message ...
> gpg --armor --export mykey > mykey.asc
>
> .. where it hung.
>

Running gpg with no arguments assumes that you're either going to type
something to sign/encrypt (followed by ^D) or paste a signed/encrypted
blob which it will verify/decrypt. You need:

# gpg --armor --export mykey > mykey.asc

HTH,
--
Alphax                        |  /"\
Encrypted Email Preferred     |  \ /  ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613    |   X   Against HTML email & vCards
http://tinyurl.com/cc9up      |  / \

From JPClizbe at comcast.net Thu Mar 2 11:17:58 2006
From: JPClizbe at comcast.net (John Clizbe)
Date: Thu Mar 2 11:23:36 2006
Subject: eudora, windows xp, and gpg
In-Reply-To: <200602281846.k1SIkTS02644@f7.net>
References: <200602281846.k1SIkTS02644@f7.net>
Message-ID: <4406C656.4000103@comcast.net>

Karl Berry wrote:
> Greetings,
>
> A colleague is stuck using Windows (XP), and prefers Eudora (she has
> version 6.2.3.4, which I believe is the latest) to read mail. She only
> needs to decrypt occasional gpg/pgp-signed messages. Any advice on the
> easiest way to do this would be gratefully received.
>
> I found the Eudora plugin as part of the Windows Privacy Tools at
> http://winpt.sourceforge.net/en/, but the last release was apparently in
> 2003, which somewhat worries me with such a new version of Eudora. And
> the "tray" idea worries me. We don't need or want any UI or any screen
> real estate to be used; all that's needed is email decryption.
>
> I'd rather use GPG, but I also looked for PGP versions, and was rather
> dismayed at the array of products out there. Pretty much all of them
> claim to work with Eudora and XP, but it is hard to know which "really"
> work, without messing up anything else, etc. If anyone has any
> experiences on that front, I'd be grateful to hear those as well.

For only occasional use, the current window or clipboard functionality
found in WinPT[1] or GPGshell[2] should suffice. At that level of use,
PGP Freeware will also do the job.

I'm a bit biased, but many folks on Windows platforms are using GnuPG
with Thunderbird and the Enigmail extension. Enigmail is to be merged
into the Mozilla trunk source and will be enabled out-of-the box in
SeaMonkey 1.1. Who knows it might even make its way into Thunderbird 2.0.

Sorry I can't be of more specific help with Eudora, but I've only used
it on a Kyocera 7135 PDA/Phone.

Regards,
-John

[1] http://winpt.sourceforge.net/en/
[2] http://www.jumaros.de/rsoft/index.html

--
John P. Clizbe                      Inet:   John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A
  "what's the key to success?"        / "two words: good decisions."
  "what's the key to good decisions?" / "one word: experience."
  "how do i get experience?"          / "two words: bad decisions."

"Just how do the residents of Haiku, Hawai'i hold conversations?"

From r.post at sara.nl Thu Mar 2 12:29:22 2006
From: r.post at sara.nl (Remco Post)
Date: Thu Mar 2 13:47:56 2006
Subject: [GPGOL] wrapping
Message-ID: <4406D712.3040403@sara.nl>

Hi all,

I've read that there has been some discussion on outlook breaking pgp
signatures with gpgol because of line-wrapping. So I was thinking,
wouldn't it be possible to do the line-wrapping in the sign/encrypt
stage? Find out somehow what the setting for line-wrapping is and do the
line-wrapping in gpgol? Or, alternately, pick 76, the outlook default...

This way, there is no reason for outlook to mess with the message after
signing, and it is possible for non-outlook clients to correctly verify
the signature...

--
Kind regards,

Remco Post

SARA - Reken- en Netwerkdiensten http://www.sara.nl
High Performance Computing Tel. +31 20 592 3000 Fax. +31 20 668 3167
PGP Key fingerprint = 6367 DFE9 5CBC 0737 7D16 B3F6 048A 02BF DC93 94EC

"I really didn't foresee the Internet. But then, neither did the
computer industry. Not that that tells us very much of course - the
computer industry didn't even foresee that the century was going to
end." -- Douglas Adams

From gnupg-users at spodhuis.demon.nl Thu Mar 2 16:21:14 2006
From: gnupg-users at spodhuis.demon.nl (Phil Pennock)
Date: Thu Mar 2 16:20:37 2006
Subject: Ohhhh jeeee: ... this is a bug (getkey.c:2079:merge_selfsigs)
In-Reply-To: <200603011910.02349.sbt@megacceso.com>
References: <20060227093410.GA27800@domus.home.globnix.net> <200602281307.00624.sbt@megacceso.com> <20060301131244.GA28479@domus.home.globnix.net> <200603011910.02349.sbt@megacceso.com>
Message-ID: <20060302152114.GB6251@domus.home.globnix.net>

On 2006-03-01 at 19:10 +0100, Sergi Blanch i Torné wrote:
> Ok, in this case (David correct me if I am wrong) it looks like there was
> something broken in the pubring that was fixed when you ran
> '--update-trustdb' (over an unpatched binary).

Makes sense, although I'm curious as to what, and how it might have been
recoverable.

> Now you haven't any problem. All works fine? I, also, download this key in my
> pubring without problems.

Everything appears to, yes.

> I remark: this ecc patch is _experimental_, use it carefully!

Thanks. In this case, because there had been recent-ish core MPI
changes which David had provided one patch for, I assumed that this was
core gnupg and not anything touched by the Gentoo patches. Silly me,
Gentoo patches touch _everything_. ;^)

I thought that the ECC patch just provided elliptic-curve crypto, so for
keys using normal sigs, it wouldn't have any effect; I'm rather
surprised that a keyring problem could be caused by it.

Thanks,
-Phil

From sanktwo at attglobal.net Thu Mar 2 15:23:20 2006
From: sanktwo at attglobal.net (Two Sank)
Date: Thu Mar 2 16:47:56 2006
Subject: eudora, windows xp, and gpg
In-Reply-To: <200602281846.k1SIkTS02644@f7.net>
References: <200602281846.k1SIkTS02644@f7.net>
Message-ID: <7.0.1.0.2.20060302144251.0933fda8@attglobal.net>

Karl,

I have been using Winpt on W2000 in conjunction with Eudora without
problems. I have not heard of problems with Windows XP. You are right,
the sourceforge version is out of date. Timo Schulz seems to maintain it
separately for some reason. Try http://wald.intevation.org/projects/winpt/
The latest version there is dated 24 February 2006 which should be
recent enough for you.

However, Winpt no longer includes the Eudora plug in. The Eudora plugin
is quite old (Nov 2003) but seems to work fine for me. That you have to
get from http://eudoragpg.sourceforge.net/ver2.0/en/download/index.html
and unzip into the Eudora plugins directory. Of course GPG has to be
installed first to work.

The latest version of Eudora for Windows (as opposed to MAC) is 7.0.1
but don't worry Winpt seems to work with V 6.2 OK.

Winpt is a gui to manage GPG which it accesses through the command line.
You need GPG at or later than 1.4.2 I believe. If you don't wish to
import/export keys, sign keys etc etc then don't run Winpt and no real
estate will be taken. You can always run GPG from the cmd window ;-)

Running winpt shows a small key in the bottom right tray. Unless you put
Winpt in your startup folder, it will not appear. It is not necessary
to run Winpt to use the Eudora plugin, they are unrelated.

Any other questions?

From sbt at megacceso.com Thu Mar 2 17:37:52 2006
From: sbt at megacceso.com (Sergi Blanch i Torné)
Date: Thu Mar 2 17:37:21 2006
Subject: Ohhhh jeeee: ... this is a bug (getkey.c:2079:merge_selfsigs)
In-Reply-To: <20060302152114.GB6251@domus.home.globnix.net>
References: <20060227093410.GA27800@domus.home.globnix.net> <200603011910.02349.sbt@megacceso.com> <20060302152114.GB6251@domus.home.globnix.net>
Message-ID: <200603021737.53567.sbt@megacceso.com>

Right now, I don't know if the root problem came from the patch. As you say
this patch only adds mathematical and cryptographic functions to provide
elliptic curves over finite fields.

I usually run a patched binary. I trust it, but I always keep keyring
backups. There are _no known_ bugs, but it is relatively new code that
needs more hacking, and it will also receive improvements.

Thank you for using the patch, and never hesitate to ask.

/Sergi.

On Thursday 02 March 2006 16:21, Phil Pennock wrote:
> On 2006-03-01 at 19:10 +0100, Sergi Blanch i Torné wrote:
> > Ok, in this case (David correct me if I am wrong) it looks like there was
> > something broken in the pubring that was fixed when you ran
> > '--update-trustdb' (over an unpatched binary).
>
> Makes sense, although I'm curious as to what, and how it might have been
> recoverable.
>
> > Now you haven't any problem. All works fine? I, also, download this key
> > in my pubring without problems.
>
> Everything appears to, yes.
>
> > I remark: this ecc patch is _experimental_, use it carefully!
>
> Thanks. In this case, because there had been recent-ish core MPI
> changes which David had provided one patch for, I assumed that this was
> core gnupg and not anything touched by the Gentoo patches. Silly me,
> Gentoo patches touch _everything_. ;^)
>
> I thought that the ECC patch just provided elliptic-curve crypto, so for
> keys using normal sigs, it wouldn't have any effect; I'm rather
> surprised that a keyring problem could be caused by it.
>
> Thanks,
> -Phil

From openmacnews at gmail.com Thu Mar 2 21:11:56 2006
From: openmacnews at gmail.com (OpenMacNews)
Date: Thu Mar 2 23:48:11 2006
Subject: can't get perl's cpan to 'behave' when using gpg ...
Message-ID: <4407518C.5040708@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

hi all,

i've gnupg 1.4.2.1 built/installed from src on OSX 10.4.5.

when using perl's CPAN, gpg is used for module signature checking.

to that end, cpan's Config.pm includes:

  'gpg' => q[/usr/local/bin/gpg],

i've configured my gpg to use keyrings/perms of "userA". from shell, i
typically run as userA.

however, cpan is often run as a different user, with superuser perms.

when i run cpan as userB to install modules i get warning such as:

  gpg: WARNING: unsafe ownership on homedir `/Users/userA/gpg_homedir'
  gpg: WARNING: unsafe ownership on homedir `/Users/userA/gpg_homedir'
  Signature for /usr/ports/cpan_build/sources/authors/id/O/OL/OLAF/CHECKSUMS ok

before running cpan, i see:

  % ls -al /Users/userA/gpg_homedir
  total 408
  drwx------  12 userA wheel    408 Mar  2 12:00 .
  drwxr-xr-x  12 userA wheel    408 Nov 11 20:46 ..
  -rw-------   1 userA wheel   1437 Feb 24 21:11 gpg.conf
  -rw-------   1 userA wheel 123269 Feb 24 21:11 pubring.gpg
  -rw-------   1 userA wheel    600 Feb 24 21:11 random_seed
  -rw-------   1 userA wheel  14546 Feb 24 21:11 secring.gpg
  -rw-------   1 userA wheel   3650 Feb 24 21:11 trustdb.gpg

but AFTER running cpan as userB i see:

  % ls -al /Users/userA/gpg_homedir
  total 408
  drwx------  12 userA wheel    408 Mar  2 12:00 .
  drwxr-xr-x  12 userA wheel    408 Nov 11 20:46 ..
  -rw-------   1 userA wheel   1437 Feb 24 21:11 gpg.conf
  -rw-------   1 userB wheel 124965 Mar  2 11:37 pubring.gpg
  -rw-------   1 userB wheel    600 Mar  2 11:51 random_seed
  -rw-------   1 userA wheel  14546 Feb 24 21:11 secring.gpg
  -rw-------   1 userB wheel   3920 Mar  2 11:37 trustdb.gpg

note that CPAN is, apparently, changing user ownership on pubring,
random_seed and trustdb !?

how/where do i:

  (a) prevent cpan from making changes to my gpg files' ownership?
  (b) force cpan to exec gpg as userA -- my typical/intended user?

i've changed the Config.pm entry to:

  'gpg' => q[sudo -u userA /usr/local/bin/gpg],

alas, to no avail. same symptoms/warnings/etc.

suggestions are appreciated!

cheers,

richard

- --

/"\
\ /  ASCII Ribbon Campaign
 X   against HTML email, vCards
/ \  & micro$oft attachments

[GPG] OpenMacNews at gmail dot com
fingerprint: 50C9 1C46 2F8F DE42 2EDB D460 95F7 DDBD 3671 08C6
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.1 (Darwin)

iEYEAREDAAYFAkQHUYwACgkQlffdvTZxCMYcuwCfUZoXxIIwnimEpyTDgO/CQ5PF
fHIAoKct+QtwFrD8Ub5YOGYat8RdLrVb
=lAHG
-----END PGP SIGNATURE-----

From wagner at rince.de Thu Mar 2 15:38:45 2006
From: wagner at rince.de (Hanno 'Rince' Wagner)
Date: Fri Mar 3 10:27:31 2006
Subject: gnupg, news and Signature Verify
Message-ID: <20060302143845.GN31833@luggage.rince.de>

Hi,

I try to establish a way to sign my NewsPostings and - more
interesting - also to verify the messages posted by other people.
Since I am using new keys, the digest algorithm is SHA1 - which I
also use. But gpg seems to have a problem with the signed message (I
can not see why).

I have put the message on http://texte.rince.de/newssig.asc to verify
for everyone. When I do a "gpg --verify --verbose", I get the following:

-----
$ gpg --verbose --verify newssig.asc
gpg: armor header: Version: GnuPG-v1.4.1
gpg: original file name=''
gpg: Signature made Thu Mar 2 14:44:15 2006 CET using DSA key ID 0B707552
gpg: WARNING: signature digest conflict in message
gpg: Can't check signature: general error
-----

pgpdump says that the digest-algorithm is SHA1 and valid:

-----
$ pgpdump newssig.asc
[..]
        Pub alg - DSA Digital Signature Algorithm(pub 17)
        Hash alg - SHA1(hash 2)
[..]

Can anyone tell me why gpg sees a digest conflict in that message? I'd
understand if the signature would be bad or wrong, but apparently it can
not check whether the signature is valid.

Ciao, Hanno
--
| Hanno Wagner | Member of the HTML Writers Guild | Rince@IRC |
| Commercial use of my email addresses is not permitted! |
| 74 a3 53 cc 0b 19 - we did it! | Generation @ |
#"The Faxe is all gone and now I'm sitting here with a T-shirt and tie..."
# -- sven@joliet.deceiver.org (Sven Hoffmann) explains the tying
# of ties

From marcus.brinkmann at ruhr-uni-bochum.de Fri Mar 3 10:47:02 2006
From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann)
Date: Fri Mar 3 11:12:53 2006
Subject: [Announce] GPGME 1.1.2 released
Message-ID: <8764mvhnc9.wl%marcus.brinkmann@ruhr-uni-bochum.de>

Hi,

We are pleased to announce version 1.1.2 of GnuPG Made Easy, a library
designed to make access to GnuPG easier for applications. It may be
found in the file (about 860 KB/663 KB compressed)

ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.2.tar.gz
ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.2.tar.bz2

The following files are also available:

ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.2.tar.gz.sig
ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.2.tar.bz2.sig
ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.1-1.1.2.diff.gz

It should soon appear on the mirrors listed at:
http://www.gnupg.org/mirrors.html

Bug reports and requests for assistance should be sent to:
gnupg-devel@gnupg.org

The sha1sum checksums for this distribution are

d235499c72af6becb65846722575dfb535ed3938  gpgme-1.1.1-1.1.2.diff.gz
ebf8c278e967588acd7c416bd14bfe35615b7e81  gpgme-1.1.2.tar.bz2
f295e2af9a1e9de8267c45165e1172b80b412c42  gpgme-1.1.2.tar.bz2.sig
336d94e3bf2facedd06c52bd016bce647667c347  gpgme-1.1.2.tar.gz
367b51143bafde9bd5958ad521146a0d270e4ccd  gpgme-1.1.2.tar.gz.sig

Noteworthy changes in version 1.1.2 (2006-03-02)
------------------------------------------------

 * Fixed a bug in the W32 glib backend.

Noteworthy changes in version 1.1.1 (2006-02-22)
------------------------------------------------

 * Fixed a bug in that the fingerprints of subkeys are not available.

 * Clarified usage of the SECRET flag in key listings. It is now
   reset for stub keys.

 * Reading signature notations and policy URLs on key signatures is
   supported. They can be found in the new field notations of the
   gpgme_key_sig_t structure. This has to be enabled with the keylist
   mode flag GPGME_KEYLIST_MODE_SIG_NOTATIONS.

 * A new gpgme_free() function solves the problem of using different
   allocators in a single program. This function should now be used
   instead of calling free() to release the buffer returned by
   gpgme_data_release_and_get_mem. It is recommended that you always
   do this, but it is only necessary on certain platforms, so
   backwards compatibility is provided. In other words: If free()
   worked for you before, it will keep working.

 * New status codes GPGME_PKA_TRUST_GOOD and GPGME_PKA_TRUST_BAD.
   They are analyzed by the verify handlers and made available in the
   new PKA_TRUST and PKA_ADDRESS fields of the signature result
   structure.

 * Interface changes relative to the 1.1.0 release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
gpgme_key_sig_t                  EXTENDED: New field notations.
GPGME_KEYLIST_MODE_SIG_NOTATIONS NEW
gpgme_free                       NEW
GPGME_STATUS_PKA_TRUST_BAD       NEW
GPGME_STATUS_PKA_TRUST_GOOD      NEW
gpgme_signature_t                EXTENDED: New field pka_trust.
gpgme_signature_t                EXTENDED: New field pka_address.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Marcus Brinkmann
mb@g10code.de

_______________________________________________
Gnupg-announce mailing list
Gnupg-announce@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce

From og at pre-secure.de Fri Mar 3 16:04:52 2006
From: og at pre-secure.de (Olaf Gellert)
Date: Fri Mar 3 16:03:59 2006
Subject: Which Digest Algorithm to use?
Message-ID: <44085B14.3000006@pre-secure.de>

Hi,

I do have some old PGP-2 keys (that are pretty well
connected in the WebOfTrust). I understand that PGP2
keys use MD5 as default hash algorithm and they do
not contain any fields to store adapted preferences.
But I still can use "--digest-algorithm" to create
SHA1 or SHA256 signatures. But what are the implications
of this? I guess GPG will successfully validate these
signatures. PGP2 will certainly not. What about PGP 6,
7, 8, ...?

Which algorithm should be used instead of MD5? Right
now I would switch to SHA256 (because there were first
indications of weaknesses in SHA1 already)...

Does this make any sense anyway because the own
selfsignatures use MD5 which is weak. I could do
new self-sigs with another algorithm, correct?

What is the actual proposed way to go? Pointers to
documents regarding this are as welcome as any other
hints... :-)

Regards, Olaf

--
Dipl.Inform. Olaf Gellert               PRESECURE (R)
Senior Researcher,                      Consulting GmbH
Phone: (+49) 0700 / PRESECURE           og@pre-secure.de

A daily view on Internet Attacks
https://www.ecsirt.net/sensornet

From smilingmolecule at web.de Fri Mar 3 13:25:36 2006
From: smilingmolecule at web.de (smiling molecule)
Date: Fri Mar 3 16:17:54 2006
Subject: decription directly from texteditor
Message-ID: <715400532@web.de>

hello together,

i am searching for a texteditor which can directly save encrypted files
with gnupg or which can directly open and decrypt textfiles. is there
any plugin for example for scite or so which can do this? i dont want to
decrypt files first and then open them. i want to do this in one step.

thanks
best regards
robert

From dshaw at jabberwocky.com Fri Mar 3 16:23:24 2006
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri Mar 3 16:22:48 2006
Subject: gnupg, news and Signature Verify
In-Reply-To: <20060302143845.GN31833@luggage.rince.de>
References: <20060302143845.GN31833@luggage.rince.de>
Message-ID: <20060303152324.GA18690@jabberwocky.com>

On Thu, Mar 02, 2006 at 03:38:45PM +0100, Hanno 'Rince' Wagner wrote:
> Hi,
>
> I try to establish a way to sign my NewsPostings and - more
> interesting - also to verify the messages posted by other people.
> Since I am using new keys, the digest algorithm is SHA1 - which I
> also use. But gpg seems to have a problem with the signed message (I
> can not see why).

The file is mangled. Possibly it wasn't generated by GnuPG 1.4.1 as
the Version header seems to indicate as GnuPG doesn't generate this
header:

> gpg: armor header: Version: GnuPG-v1.4.1

The real problem is that it is missing the "Hash" header, which should
be the second line in the file, right after the BEGIN PGP SIGNED
MESSAGE line.

David

From dshaw at jabberwocky.com Fri Mar 3 16:50:44 2006
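The check described in the reply above, as an added example that is not part of the original thread and is not GnuPG's code: it compares the "Hash" armor header of a cleartext-signed message with the hash algorithm recorded in the signature packet, applying the RFC 4880 section 7 rule that a message with no Hash header is treated as MD5. The function names are hypothetical, and the sample message and its 18-byte signature packet are constructed (the packet carries dummy DSA values and does not verify).

```python
import base64
import re

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4).
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
ARMOR_HEADER = re.compile(r"^([A-Za-z]+): ?(.*)$")

# Constructed v4 signature packet: old-format tag 2, length 16, version 4,
# sig type 0x01 (text), pub alg 17 (DSA), hash alg 2 (SHA1), empty subpacket
# areas, zero hash prefix and two dummy one-bit MPIs. It cannot verify.
SAMPLE_PACKET = bytes([0x88, 0x10, 4, 0x01, 17, 2,
                       0, 0, 0, 0, 0, 0, 0, 1, 1, 0, 1, 1])


def split_clearsigned(text):
    """Return (declared_hash_names, signature_packet_bytes)."""
    lines = [l.rstrip() for l in text.replace("\r\n", "\n").split("\n")]
    try:
        start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
        sig_start = lines.index("-----BEGIN PGP SIGNATURE-----", start)
        sig_end = lines.index("-----END PGP SIGNATURE-----", sig_start)
    except ValueError:
        raise ValueError("not a complete cleartext-signed message") from None
    # Armor headers sit between the BEGIN line and the first empty line.
    declared = []
    for line in lines[start + 1:sig_start]:
        m = ARMOR_HEADER.match(line)
        if not m:
            break
        if m.group(1).lower() == "hash":
            declared += [h.strip().upper()
                         for h in m.group(2).split(",") if h.strip()]
    # Signature armor: drop headers, the empty line and the "=CRC24" line.
    armor = lines[sig_start + 1:sig_end]
    data = "".join(l for l in armor
                   if l and not l.startswith("=") and not ARMOR_HEADER.match(l))
    return declared, base64.b64decode(data)


def signature_hash_algo(packet):
    """Return the hash algorithm ID stored in a v3 or v4 signature packet."""
    first = packet[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                       # new-format header
        tag, length0 = first & 0x3F, packet[1]
        if length0 < 192:
            header = 2
        elif length0 < 224:
            header = 3
        elif length0 == 255:
            header = 6
        else:
            raise ValueError("partial body length not expected here")
    else:                                  # old-format header
        tag, length_type = (first >> 2) & 0x0F, first & 0x03
        if length_type == 3:
            raise ValueError("indeterminate length not supported")
        header = 1 + (1, 2, 4)[length_type]
    if tag != 2:
        raise ValueError("first packet is not a signature packet")
    body = packet[header:]
    if body[0] == 3:   # version, 5, type, time(4), key ID(8), pub alg, hash alg
        return body[16]
    if body[0] == 4:   # version, type, pub alg, hash alg
        return body[3]
    raise ValueError("unsupported signature version %d" % body[0])


def check_digest_header(text):
    """Compare the declared Hash header(s) with the signature's digest."""
    declared, packet = split_clearsigned(text)
    used = HASH_NAMES.get(signature_hash_algo(packet), "unknown")
    effective = declared or ["MD5"]        # no Hash header means MD5
    return {"declared": declared, "signature": used,
            "conflict": used not in effective}


def make_sample(hash_header=None):
    """Build a constructed clearsigned message, optionally with a Hash header."""
    head = ["-----BEGIN PGP SIGNED MESSAGE-----"]
    if hash_header:
        head.append("Hash: " + hash_header)
    return "\n".join(head + ["", "constructed test posting",
                             "-----BEGIN PGP SIGNATURE-----",
                             "Version: constructed-sample", "",
                             base64.b64encode(SAMPLE_PACKET).decode(),
                             "-----END PGP SIGNATURE-----", ""])


if __name__ == "__main__":
    for header in (None, "SHA1", "RIPEMD160"):
        print(header, check_digest_header(make_sample(header)))
```
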
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri Mar 3 16:50:32 2006
Subject: Which Digest Algorithm to use?
In-Reply-To: <44085B14.3000006@pre-secure.de>
References: <44085B14.3000006@pre-secure.de>
Message-ID: <20060303155044.GB18690@jabberwocky.com>

On Fri, Mar 03, 2006 at 04:04:52PM +0100, Olaf Gellert wrote:
> Hi,
>
> I do have some old PGP-2 keys (that are pretty well
> connected in the WebOfTrust). I understand that PGP2
> keys use MD5 as default hash algorithm and they do
> not contain any fields to store adapted preferences.
> But I still can use "--digest-algorithm" to create
> SHA1 or SHA256 signatures. But what are the implications
> of this? I guess GPG will successfully validate these
> signatures. PGP2 will certainly not. What about PGP 6,
> 7, 8, ...?

There is a misunderstanding here. PGP 2 keys don't use MD5 as a
default hash algorithm. They act just like any other key - they use
the prefs on the *recipient* keys, filtered through
personal-digest-prefs, and if all else fails, use SHA-1.

> Which algorithm should be used instead of MD5? Right
> now I would switch to SHA256 (because there were first
> indications of weaknesses in SHA1 already)...

There are "first indications" of weaknesses in all algorithms. If I
recall, SHA-1 even with all attacks against it, is still stronger than
MD5 was even before all the attacks against it.

> Does this make any sense anyway because the own
> selfsignatures use MD5 which is weak. I could do
> new self-sigs with another algorithm, correct?

Yes, but then you can't use the key in PGP 2 any longer.

> What is the actual proposed way to go?

I'd just make a v4 key and move on.

David

From marcus.brinkmann at ruhr-uni-bochum.de Fri Mar 3 15:51:43 2006
From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann)
Date: Fri Mar 3 16:53:52 2006
Subject: [Announce] GPA 0.7.2 released
Message-ID: <87u0affuo0.wl%marcus.brinkmann@ruhr-uni-bochum.de>

Hello,

We are pleased to announce the release of GPA 0.7.2.

GPA is a graphical frontend for the GNU Privacy Guard (GnuPG,
http://www.gnupg.org). GPA can be used to encrypt, decrypt, and sign
files, to verify signatures and to manage the private and public keys.

This is a development release. Please be careful when using it on
production keys.

You can find the release here:

http://wald.intevation.org/frs/download.php/141/gpa-0.7.2.tar.bz2
http://wald.intevation.org/frs/download.php/142/gpa-0.7.2.tar.bz2.sig

The SHA1 checksums for this release are:

f3c0c400cc5b01b69b36704fdbe26f26abc8531b  gpa-0.7.2.tar.bz2
c68868cf6aa383b6ad304d979be301d8620c0ec4  gpa-0.7.2.tar.bz2.sig

Noteworthy changes in version 0.7.2 (2006-03-03)
------------------------------------------------

 * The key generation wizard does not allow to set a comment anymore.
   This is an advanced feature available in the advanced GUI version
   of key generation.

 * Bug fixes for the Windows target, in particular
   internationalization and binary mode file handling.

Marcus Brinkmann
mb@g10code.de

_______________________________________________
Gnupg-announce mailing list
Gnupg-announce@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce

From marcus.brinkmann at ruhr-uni-bochum.de Fri Mar 3 15:47:58 2006
From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann)
Date: Fri Mar 3 16:58:03 2006
Subject: [Announce] libgpg-error 1.2 released
Message-ID: <87veuvfuu9.wl%marcus.brinkmann@ruhr-uni-bochum.de>

Hi,

We are pleased to announce version 1.2 of libgpg-error, a library for
common error values and messages in GnuPG components.

This is a shared library so it can be updated independently of each
individual component, while still allowing the use of new error values
in inter-process communication.

It may be found in the file (about 438 KB/328 KB compressed)

ftp://ftp.gnupg.org/gcrypt/libgpg-error/libgpg-error-1.2.tar.gz
ftp://ftp.gnupg.org/gcrypt/libgpg-error/libgpg-error-1.2.tar.bz2

The following files are also available:

ftp://ftp.gnupg.org/gcrypt/libgpg-error/libgpg-error-1.2.tar.gz.sig
ftp://ftp.gnupg.org/gcrypt/libgpg-error/libgpg-error-1.2.tar.bz2.sig
ftp://ftp.gnupg.org/gcrypt/libgpg-error/libgpg-error-1.1-1.2.diff.gz

It should soon appear on the mirrors listed at:
http://www.gnupg.org/mirrors.html

Bug reports and requests for assistance should be sent to:
gnupg-devel@gnupg.org

The sha1sum checksums for this distribution are

f9b757d1ebdf9dbdbaa6341fe10bc08d1c943ae6  libgpg-error-1.1-1.2.diff.gz
468657e5bccd534f350b1a0109e19d2a9cc5d027  libgpg-error-1.2.tar.bz2
77fa306f82cdab01b7efb41b2bfa68da0911dfb2  libgpg-error-1.2.tar.bz2.sig
54068686e109f28bb64c0d8e52bd79172cdf56ae  libgpg-error-1.2.tar.gz
c1a49600856c15865222647723aca1e71bbec2c2  libgpg-error-1.2.tar.gz.sig

Noteworthy changes in version 1.2 (2006-03-03)
----------------------------------------------

 * New function gpg_err_init, which binds the locale directory to the
   text domain. This function is a constructor on GCC targets, so it
   does not need to be called explicitly. The header file defines
   GPG_ERR_INITIALIZED in this case. This is experimental for now.

 * "./autogen.sh --build-w32" does now also build a DLL for W32.
   Translations are not yet provided for this platform.

 * New error codes GPG_ERR_UNKNOWN_EXTN and GPG_ERR_UNKNOWN_CRIT_EXTN.

 * New error code GPG_ERR_LOCKED.

 * New translations included for France, Romania, and Vietnamese.

 * Interface changes relative to the 1.1 release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
GPG_ERR_UNKNOWN_EXTN      NEW
GPG_ERR_UNKNOWN_CRIT_EXTN NEW
GPG_ERR_LOCKED            NEW
gpg_err_init              NEW
GPG_ERR_INITIALIZED       NEW
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Marcus Brinkmann
mb@g10code.de

_______________________________________________
Gnupg-announce mailing list
Gnupg-announce@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce

From yochanon at localnet.com Fri Mar 3 17:22:00 2006
From: yochanon at localnet.com (John B)
Date: Fri Mar 3 19:18:05 2006
Subject: decription directly from texteditor
In-Reply-To: <715400532@web.de>
References: <715400532@web.de>
Message-ID: <200603031022.01061.yochanon@localnet.com>

On Friday 03 March 2006 06:25, smiling molecule wrote:
> i am searching for a texteditor which can directly save encrypted files
> with gnupg or which can directly open and decrypt textfiles.

Kgpg has this editor built in. Just cut and paste the message into the
editor and decrypt it using your passphrase.

From cam at mathematica.scientia.net Fri Mar 3 19:29:30 2006
From: cam at mathematica.scientia.net (Christoph Anton Mitterer) Date: Fri Mar 3 19:28:50 2006 Subject: Which Digest Algorithm to use? In-Reply-To: <20060303155044.GB18690@jabberwocky.com> References: <44085B14.3000006@pre-secure.de> <20060303155044.GB18690@jabberwocky.com> Message-ID: <44088B0A.40302@mathematica.scientia.net> >>Does this makes any sense anyways because the own >>selfsignatures use MD5 which is weak. I could do >>new self-sigs with another algorithm, correct? >> >> >Yes, but then you can't use the key in PGP 2 any longer. > > Than he should also revoke his old selfsigs, correct? Chris. From dshaw at jabberwocky.com Fri Mar 3 19:35:41 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Mar 3 19:35:07 2006 Subject: Which Digest Algorithm to use? In-Reply-To: <44088B0A.40302@mathematica.scientia.net> References: <44085B14.3000006@pre-secure.de> <20060303155044.GB18690@jabberwocky.com> <44088B0A.40302@mathematica.scientia.net> Message-ID: <20060303183541.GC18690@jabberwocky.com> On Fri, Mar 03, 2006 at 07:29:30PM +0100, Christoph Anton Mitterer wrote: > > >>Does this makes any sense anyways because the own > >>selfsignatures use MD5 which is weak. I could do > >>new self-sigs with another algorithm, correct? > >> > >> > >Yes, but then you can't use the key in PGP 2 any longer. > > > > > Than he should also revoke his old selfsigs, correct? He can if he wants to. It doesn't actually make a difference either way since the new signature overrides the older one. David From unknown_kev_cat at hotmail.com Sat Mar 4 04:01:28 2006 
From: unknown_kev_cat at hotmail.com (Joe Smith)
Date: Sat Mar 4 04:01:44 2006
Subject: Using an official Austrian key on a smartcard with OpenPG
References: <200602192235.21285.reinhold@kainhofer.com><43F909CD.4040903@comcast.net> <200602200918.53150.reinhold@kainhofer.com>
Message-ID:

>> And since it works with Mozilla, I suspect your banking card is using a
>> X.509 certificate not a PGP key.
>
> Probably. However, I still need to sign mails with this smartcard, so is
> there
> still a way to use this card with the X.509 certificates with kmail /
> gnupg?
> For official documents I'll sooner or later need to sign with this card.

I'm pretty sure that what you want is gpg 1.9.

AFAICT, X.509 certs are usually used with S/MIME. There is nothing that prevents the use of OpenPGP encryption formatting, but few utilities will support that. Fortunately GPG 1.9 does (or will) support many types of cards other than the OpenPGP card when doing S/MIME encryption, so you may be in luck. Feel free to contact Werner as he is really in charge of this project, and is also quite involved in the smart card aspects.

> Cheers,
> Reinhold
>
> - --
> - ------------------------------------------------------------------
> Reinhold Kainhofer, Vienna, Austria
> email: reinhold@kainhofer.com, http://reinhold.kainhofer.com/
> * Financial and Actuarial Mathematics, TU Wien,
> http://www.fam.tuwien.ac.at
> * K Desktop Environment, http://www.kde.org/, KOrganizer maintainer
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (GNU/Linux)
>
> iD8DBQFD+XttTqjEwhXvPN0RAhZ/AKDHEA72XfmANWFJoqf2OHh0A6jPpgCglphv
> dJUQ3cVA9SqtSw9yc5zG6YY=
> =LlvB
> -----END PGP SIGNATURE-----

From alphasigmax at gmail.com Sat Mar 4 08:09:58 2006
From: alphasigmax at gmail.com (Alphax)
Date: Sat Mar 4 08:10:00 2006
Subject: decription directly from texteditor
In-Reply-To: <715400532@web.de>
References: <715400532@web.de>
Message-ID: <44093D46.3040801@gmail.com>

smiling molecule wrote:
> hallo together,
>
> i am searching for a texteditor which can directly save encrypted
> files with gnupg or which can directly open and decrypt textfiles.
>
> is there any plugin for example for scite or so which can do this?
>

Only if you can write a Lua extension for it :)

> i don't want to decrypt files first and then open them. i want to do
> this in one step.
>

If you're on W32 you can try GPGShell which has an "edit clipboard" function available from the tray. Otherwise KGPG etc.

--
Alphax                      |  /"\
Encrypted Email Preferred   |  \ /  ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |   X   Against HTML email & vCards
http://tinyurl.com/cc9up    |  / \

From cam at mathematica.scientia.net Sat Mar 4 15:27:54 2006
From: cam at mathematica.scientia.net (Christoph Anton Mitterer)
Date: Sat Mar 4 15:27:19 2006
Subject: Which Digest Algorithm to use?
In-Reply-To: <20060303183541.GC18690@jabberwocky.com>
References: <44085B14.3000006@pre-secure.de> <20060303155044.GB18690@jabberwocky.com> <44088B0A.40302@mathematica.scientia.net> <20060303183541.GC18690@jabberwocky.com>
Message-ID: <4409A3EA.1000809@mathematica.scientia.net>

David Shaw wrote:
>He can if he wants to. It doesn't actually make a difference either
>way since the new signature overrides the older one.
>
>

Is this only gpg behaviour or does the standard specify to only consider the most recent sig?

Chris.

From dshaw at jabberwocky.com Sat Mar 4 17:36:23 2006
From: dshaw at jabberwocky.com (David Shaw) Date: Sat Mar 4 17:35:53 2006 Subject: Which Digest Algorithm to use? In-Reply-To: <4409A3EA.1000809@mathematica.scientia.net> References: <44085B14.3000006@pre-secure.de> <20060303155044.GB18690@jabberwocky.com> <44088B0A.40302@mathematica.scientia.net> <20060303183541.GC18690@jabberwocky.com> <4409A3EA.1000809@mathematica.scientia.net> Message-ID: <20060304163623.GA19409@jabberwocky.com> On Sat, Mar 04, 2006 at 03:27:54PM +0100, Christoph Anton Mitterer wrote: > David Shaw wrote: > > >He can if he wants to. It doesn't actually make a difference either > >way since the new signature overrides the older one. > > > > > Is this only gpg behaviour or does the standard specify to only consider > the most recent sig? An implementation that encounters multiple self-signatures on the same object may resolve the ambiguity in any way it sees fit, but it is RECOMMENDED that priority be given to the most recent self-signature. There is no implementation that behaves otherwise. David From rjh at sixdemonbag.org Sun Mar 5 07:53:14 2006 
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sun Mar 5 09:18:31 2006 Subject: Questionnaire about GnuPG usage Message-ID: <440A8ADA.2090204@sixdemonbag.org> This semester I'm taking a course in Human-Computer Interactions, under Prof. Juan-Pablo Hourcade. The course is mostly about how to design humane interfaces--how to make GUIs that help you get work done, instead of getting in your way. A couple of people in the class are crypto freaks, and so we decided to see if we couldn't put together a high-quality user-friendly GUI for the GNU Privacy Guard--or, at the very least, some good ideas of what a user-friendly GUI would look like. Thus, I'm asking the list: if you're willing to take a questionnaire and give feedback on your needs and requirements for a GnuPG UI, please email me _off-list_. Your reports will be stripped of all identifying data and your answers will be compiled into aggregate results. The final report, in addition to being turned in for class credit, will be released under the Creative Commons Noncommercial Attribution Sharealike license, for the benefit of the entire GnuPG community. Thanks much! :) From maria.l.vandenberg at gmx.de Sun Mar 5 16:23:33 2006 
From: maria.l.vandenberg at gmx.de (Maria Lukas van den Berg)
Date: Sun Mar 5 18:18:12 2006
Subject: Keys without signatures
Message-ID: <20060305152333.GC4266@vandenberg.localhost>

Dear All,

I was wondering about the following application of keys without signatures on the public key (except the automatically generated self-sig).

Assume that I create a keypair A and sign my Usenet postings using A. I do not want to rely on any signatures on the public key of A. Instead I define my identity via the postings I make. This means that after I published postings P_1 to P_n, I want to be able to do a posting P and by a signature on P to prove that P was posted by the same person who also posted P_1 to P_n, i.e., me. (Unless my private key and passphrase got compromised.)

I am aware that no-one can practically generate a signature for some posting that will validate against the public key of A. This is the one component I need for my scheme.

However, there is a second requirement. No-one should be able to create a second keypair B

- which has the same key ID as A,
- where signatures made with A validate against the public key of B.

If such a key B existed, a reader not having the public key of A could be tricked into thinking a posting signed by B originates from the same person who also signed postings P_1 to P_n, because the signatures on *all* of those postings validate against the public key of B.

Am I on the right track so far in recognizing the possible weaknesses of my scheme?

If so, is it practically possible to create such a key B?

If so, what measures could be taken to enhance my scheme?

How about publishing with every posting P_1 to P_n the fingerprint of A? At least a watchful recipient would then realize that key B is not the right one for checking the signatures on postings P_1 to P_n. That's unless the attacker succeeds in creating a key B which also has the same fingerprint as A. Is this practically doable?

And, asking further, how can I make it as hard as possible to create a key with the same fingerprint as A? Is the length of the key an issue? Would it, e.g., be more secure to create a 4096 bit RSA key instead of a 1024 bit DSA key?

Thanks a lot for your answers and suggestions! If there is a mailing list where these topics would fit better, I'd also be interested to ask there.

Best regards, Luke.

From unknown_kev_cat at hotmail.com Sun Mar 5 21:37:50 2006
From: unknown_kev_cat at hotmail.com (Joe Smith)
Date: Sun Mar 5 21:37:26 2006
Subject: Keys without signatures
References: <20060305152333.GC4266@vandenberg.localhost>
Message-ID:

"Maria Lukas van den Berg" wrote in message news:20060305152333.GC4266@vandenberg.localhost...

The following post is based on my understanding. I think I'm correct, but it is possible I am wrong.

>Assume that I create a keypair A and sign my Usenet postings
>using A. I do not want to rely on any signatures on the
>public key of A. Instead I define my identity via the
>postings I make. This means that after I published postings
>P_1 to P_n, I want to be able to do a posting P and by a
>signature on P to prove that P was posted by the same person
>who also posted P_1 to P_n, i.e., me. (Unless my private key
>and passphrase got compromised.)

This is entirely reasonable. By doing that people can reasonably assume that unless the key is compromised, or that the private key is held by more than one person (a group key), the poster of all the messages is the same.

You are asking about how the web of trust relates to identity. The simple fact is that identity is far from clear. In the case where one simply wants to verify that two messages were created by the same entity, then the web of trust is not needed. In the case that one only needs to know that the holder of the key can read and send email of a particular email address then a bot that verifies email addresses and then signs the key is useful. The web of trust is most useful in the case where verifying that a particular individual who uses a given name in the real world is the holder of the key is what is important.

>I am aware that no-one can practically generate a signature
>for some posting that will validate against the public key
>of A. This is the one component I need for my scheme.
>
>However, there is a second requirement. No-one should be
>able to create a second keypair B
>
>- which has the same key ID as A,

Short key id's are not secure, there are many keys with duplicate short ids. Long ids are more secure, but it is still easier to duplicate that than duplicating the fingerprint, as long ids are only a partial fingerprint.

>- where signatures made with A validate against the public
> key of B.

First of all the OpenPGP signature format is designed to resist such an attack by doing things like including the key id.

Looking at just the underlying crypto: This is all but impossible. If just one signature needed to validate using this new key then it might be somewhat easier than the attack you mention as your first component. If *all* signatures are to validate then this really becomes as hard as making the key you describe as impractical as your first component.

>If such a key B existed, a reader not having the public key
>of A could be tricked into thinking a posting signed by B
>originates from the same person who also signed postings P_1
>to P_n, because the signatures on *all* of those postings
>validate against the public key of B.
>
>Am I on the right track so far in recognizing the possible
>weaknesses of my scheme?

I'm pretty sure this is not a weakness. If one was able to create such a key it would cause major problems. Even the web of trust would have problems because the key creator could use his/her real info in the UID and get his/her key into the web of trust. This would not be cheating the system any as that person really would control that new key.

>If so, is it practically possible to create such a key B?

I would say no.

>If so, what measures could be taken to enhance my scheme?

If I am correct this is irrelevant.

>How about publishing with every posting P_1 to P_n the
>fingerprint of A? At least a watchful recipient would then
>realize that key B is not the right one for checking the
>signatures on postings P_1 to P_n. That's unless the
>attacker succeeds in creating a key B which also has the
>same fingerprint as A. Is this practically doable?

Fingerprint duplication (ignoring the other constraints) is considered fairly difficult. It would however be much easier to duplicate a fingerprint using brute force than creating the key you described above. Nevertheless it is still fairly impractical. Combining this with the other features of key B described above really would pretty much require creating a key with identical cryptographic material to your key. If somebody could do that then it would be a real problem.

>Thanks a lot for your answers and suggestions!
>If there is a mailing list where these topics would fit
>better, I'd also be interested to ask there.

This question is reasonably on-topic here. The only better place I can think of is the newsgroup comp.sci.crypto

>Best regards, Luke.

From minnesotan at runbox.com Sun Mar 5 22:11:27 2006
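The relationship between the short key ID, the long key ID and the fingerprint raised in the exchange above, as an added example (not written by any poster and not GnuPG code): it derives all three from a version 4 public-key packet body as the OpenPGP specification defines them, and checks a key against a fingerprint published alongside a posting. The key material and the look-alike fingerprint are constructed sample values, not real keys, and all function names are this example's own.

```python
import hashlib
import hmac
import struct

# Identifier sizes in bits. Assuming the hash output is unpredictable, hitting
# one specific b-bit value by trial takes on the order of 2**b attempts.
IDENTIFIER_BITS = {"short key ID": 32, "long key ID": 64, "fingerprint": 160}

# Constructed sample key material (not a real key; n is not a product of primes).
SAMPLE_CREATED = 1141574613
SAMPLE_N = (1 << 1023) | 0xC0FFEE1
SAMPLE_E = 65537


def mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def v4_rsa_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 public-key packet for RSA (public-key algorithm 1)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def fingerprint(body: bytes) -> bytes:
    """V4 fingerprint: SHA-1 over 0x99, the 2-byte body length, and the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def long_key_id(fpr: bytes) -> bytes:
    """The long key ID is the low-order 64 bits of the fingerprint."""
    return fpr[-8:]


def short_key_id(fpr: bytes) -> bytes:
    """The short key ID is the low-order 32 bits of the fingerprint."""
    return fpr[-4:]


def format_fingerprint(fpr: bytes) -> str:
    """Render a fingerprint as groups of four hex digits, as in a signature block."""
    text = fpr.hex().upper()
    return " ".join(text[i:i + 4] for i in range(0, len(text), 4))


def parse_fingerprint(text: str) -> bytes:
    """Accept spaces, mixed case and an optional 0x prefix; require 40 hex digits."""
    compact = "".join(text.split())
    if compact[:2].lower() == "0x":
        compact = compact[2:]
    if len(compact) != 40:
        raise ValueError("a v4 fingerprint has exactly 40 hex digits")
    return bytes.fromhex(compact)


def matches_published_fingerprint(published: str, body: bytes) -> bool:
    """Reader-side check: compare the whole fingerprint, never a truncation."""
    return hmac.compare_digest(parse_fingerprint(published), fingerprint(body))


def matching_identifiers(fpr_a: bytes, fpr_b: bytes) -> list:
    """Names of the identifiers on which two fingerprints agree."""
    matches = []
    for name, bits in IDENTIFIER_BITS.items():
        width = bits // 8
        if fpr_a[-width:] == fpr_b[-width:]:
            matches.append(name)
    return matches


if __name__ == "__main__":
    body = v4_rsa_key_body(SAMPLE_CREATED, SAMPLE_N, SAMPLE_E)
    fpr = fingerprint(body)
    print("fingerprint :", format_fingerprint(fpr))
    print("long key ID :", long_key_id(fpr).hex().upper())
    print("short key ID:", short_key_id(fpr).hex().upper())
    for name, bits in IDENTIFIER_BITS.items():
        print(f"{name}: about 2**{bits} attempts to hit one chosen value")
    # Constructed look-alike: same low 64 bits, different high 96 bits.
    lookalike = bytes(12) + fpr[12:]
    print("agrees on   :", matching_identifiers(fpr, lookalike))
```

Because the creation time is part of the hashed packet body, the same key material with a different timestamp yields a different fingerprint and different key IDs.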
From: minnesotan at runbox.com (Randy Burns) Date: Sun Mar 5 22:11:33 2006 Subject: Keys without signatures In-Reply-To: <20060305152333.GC4266@vandenberg.localhost> Message-ID: <20060305211127.89400.qmail@web511.biz.mail.mud.yahoo.com> --- Maria Lukas van den Berg wrote: [snip] > However, there is a second requirement. No-one should be > able to create a second keypair B > > - which has the same key ID as A, > - where signatures made with A validate against the public > key of B. > > If such a key B existed, a reader not having the public key > of A could be tricked into thinking a posting signed by B > originates from the same person who also signed postings P_1 > to P_n, because the signatures on *all* of those postings > validate against the public key of B. > > Am I on the right track so far in recognizing the possible > weaknesses of my scheme? > > If so, is it practically possible to create such a key B? > > If so, what measures could be taken to enhance my scheme? > > How about publishing with every posting P_1 to P_n the > fingerprint of A? At least a watchful receipient would then > realize that key B is not the right one for checking the > signatures on postings P_1 to P_n. That's unless the > attacker succeeds in creating a key B which also has the > same fingerprint as A. Is this practically doable? > > And, asking further, how can I make it as hard as possible > to create a key with the same fingerprint as A? Is the > length of the key an issue? Would it, e.g., be more secure > to create a 4096 bit RSA key instead of a 1024 bit DSA key? > > Thanks a lot for your answers and suggestions! > If there is a mailing list where these topics would fit > better, I'd also be interested to ask there. > > Best regards, Luke. Here's one educated opinion on that, that I found: http://lwn.net/2000/0316/a/pgp1.html All the best, Randy From gpg-0 at ml.turing-complete.org Sun Mar 5 23:09:49 2006 
From: gpg-0 at ml.turing-complete.org (Nicolas Rachinsky)
Date: Mon Mar 6 00:01:54 2006
Subject: decrypt multiple files to stdout
Message-ID: <20060305220949.GA65146@mid.pc5.i.0x5.de>

Hallo,

how can I decrypt multiple files to stdout? I have two (or more) files, a.gpg and b.gpg, and want the equivalent of "gpg a.gpg; gpg b.gpg; cat a b" without the intermediate files.

"gpg --multifile --decrypt a.gpg b.gpg" does not work. The behaviour seems to differ from the manual.

| nicolas@pc5 ~/rd> gpg --multifile --decrypt a.gpg b.gpg
|
| You need a passphrase to unlock the secret key for
| user: "Nicolas Rachinsky "
| 2048-bit ELG-E key, ID 46D2F6CE, created 2005-10-25 (main key ID 887BAE72)
|
| gpg: encrypted with 2048-bit ELG-E key, ID 46D2F6CE, created 2005-10-25
| "Nicolas Rachinsky "
| File `a' exists. Overwrite? (y/N)

| --decrypt [file]
| Decrypt file (or stdin if no file is specified) and write it
| to stdout (or the file specified with --output). If the
| decrypted file is signed, the signature is also verified.
| This command differs from the default operation, as it never
| writes to the filename which is included in the file and it
| rejects files which don't begin with an encrypted message.

And if there is no 'a' and no 'b', they are created.

--output seems to be incompatible with --multifile.

Nicolas

--
http://www.rachinsky.de/nicolas

From og at pre-secure.de Mon Mar 6 14:32:53 2006
From: og at pre-secure.de (Olaf Gellert) Date: Mon Mar 6 14:32:03 2006 Subject: Which Digest Algorithm to use? In-Reply-To: <20060303155044.GB18690@jabberwocky.com> References: <44085B14.3000006@pre-secure.de> <20060303155044.GB18690@jabberwocky.com> Message-ID: <440C3A05.3010500@pre-secure.de> David Shaw wrote: >> I do have some old PGP-2 keys (that are pretty well >> connected in the WebOfTrust). I understand that PGP2 >> keys use MD5 as default hash algorithm and they do >> not contain any fields to store adapted preferences. >> But I still can use "--digest-algorithm" to create >> SHA1 or SHA256 signatures. But what are the implications >> of this? I guess GPG will successfully validate these >> signatures. PGP2 will certainly not. What about PGP 6, >> 7, 8, ...? > > There is a misunderstanding here. PGP 2 keys don't use MD5 as a > default hash algorithm. They act just like any other key - they use > the prefs on the *recipient* keys, filtered through > personal-digest-prefs, and if all else fails, use SHA-1. Well, it seems to be like this: When I sign a PGP-2 key (which has no preferences) with my own PGP2-key, MD5 is the default hash algorithm (which makes some sense because PGP2 will probably not be able to validate signatures based on other algorithms). When I sign a PGP2 key with a newer key (DSA), it would be SHA1 (even though the recipient will probably not be able to validate this with his PGP2 program). Correct? Olaf -- Dipl.Inform. Olaf Gellert PRESECURE (R) Senior Researcher, Consulting GmbH Phone: (+49) 0700 / PRESECURE og@pre-secure.de A daily view on Internet Attacks https://www.ecsirt.net/sensornet From dshaw at jabberwocky.com Tue Mar 7 00:54:49 2006 
From: dshaw at jabberwocky.com (David Shaw) Date: Tue Mar 7 00:54:22 2006 Subject: Which Digest Algorithm to use? In-Reply-To: <440C3A05.3010500@pre-secure.de> References: <44085B14.3000006@pre-secure.de> <20060303155044.GB18690@jabberwocky.com> <440C3A05.3010500@pre-secure.de> Message-ID: <20060306235449.GA6697@jabberwocky.com> On Mon, Mar 06, 2006 at 02:32:53PM +0100, Olaf Gellert wrote: > David Shaw wrote: > >> I do have some old PGP-2 keys (that are pretty well > >> connected in the WebOfTrust). I understand that PGP2 > >> keys use MD5 as default hash algorithm and they do > >> not contain any fields to store adapted preferences. > >> But I still can use "--digest-algorithm" to create > >> SHA1 or SHA256 signatures. But what are the implications > >> of this? I guess GPG will successfully validate these > >> signatures. PGP2 will certainly not. What about PGP 6, > >> 7, 8, ...? > > > > There is a misunderstanding here. PGP 2 keys don't use MD5 as a > > default hash algorithm. They act just like any other key - they use > > the prefs on the *recipient* keys, filtered through > > personal-digest-prefs, and if all else fails, use SHA-1. > > Well, it seems to be like this: > > When I sign a PGP-2 key (which has no preferences) > with my own PGP2-key, MD5 is the default hash algorithm > (which makes some sense because PGP2 will probably not > be able to validate signatures based on other algorithms). > > When I sign a PGP2 key with a newer key (DSA), it > would be SHA1 (even though the recipient will probably > not be able to validate this with his PGP2 program). > > Correct? I was talking about signing data, and you were talking about signing keys. Your understanding is correct. Unless some option is used to change things, the default behavior is to use SHA-1 except in the one specific case of signing a PGP 2.x key with another PGP 2.x key. This case uses MD5. This is done to avoid breaking the PGP 2.x key, as modern signatures will render it unusable in PGP 2.x. 
David From boldyrev+nospam at cgitftp.uiggm.nsc.ru Tue Mar 7 05:15:01 2006 From: boldyrev+nospam at cgitftp.uiggm.nsc.ru (Ivan Boldyrev) Date: Tue Mar 7 06:34:57 2006 Subject: decrypt multiple files to stdout References: <20060305220949.GA65146@mid.pc5.i.0x5.de> Message-ID: <5vdvd3-ifi.ln1@ibhome.cgitftp.uiggm.nsc.ru> On 9405 day of my life Nicolas Rachinsky wrote: > Hallo, > > how can I decrypt multiple files to stdout? I have two (or more) > files, a.gpg and b.gpg, and want the equivalent of "gpg a.gpg; gpg > b.gpg; cat a b" without the intermediate files. > > "gpg --multifile --decrypt a.gpg b.gpg" does not work. The behaviour > seems to differ from the manual. (gpg < a.gpg; gpg < b.gpg) | cat But you will be asked password twice. Use gpg-agent :) -- Ivan Boldyrev Life! Don't talk to me about life. From felix.klee at inka.de Tue Mar 7 21:31:01 2006 From: felix.klee at inka.de (Felix E. Klee) Date: Tue Mar 7 22:07:19 2006 Subject: gpg: OpenPGP card not available: Assuan server fault In-Reply-To: <87bqxbe5fc.fsf@wheatstone.g10code.de> References: <87ek28wdw8.wl%felix.klee@inka.de> <87bqxbe5fc.fsf@wheatstone.g10code.de> Message-ID: <87k6b6knei.wl%felix.klee@inka.de> At Mon, 13 Feb 2006 14:47:51 +0100, Werner Koch wrote: > > As I'm at it, a minor complaint: In order to get the gpg2 binary, I > > had to do: > > You shall not build gpg2. Configure does not enable this option for a > reason. Use gpg 1.4.2 (or the cvs version) for OpenPGP. This is > stated at several places. But I don't want to do OpenPGP: I want to do SSH with the OpenPGP card. I roughly followed the howto behind the following URL: http://cyphertext.de/ssh-openpgpcard-howto.txt This howto mentions the use of "gpg2". -- Felix E. Klee From jeremiah at devmodul.com Tue Mar 7 22:43:06 2006 
From: jeremiah at devmodul.com (Jeremiah Foster) Date: Wed Mar 8 01:18:08 2006 Subject: Problem removing a public key whose private key is gone Message-ID: <1141767786.7336.28.camel@localhost.localdomain> Hello, I overwrote the partition upon which my private key was stored. To confuse matters I generated a new secret / public key pair on the same machine and even imported my old public key, thinking, rather foolishly, that I might somehow be able to restore the destroyed secret key. How do I properly remove the old, unusable public key when I do not possess the secret key any longer and without destroying my entire gpg installation. Kind regards, Jeremiah From gnupg-users=gnupg.org at lists.palfrader.org Tue Mar 7 23:12:12 2006 From: gnupg-users=gnupg.org at lists.palfrader.org (Peter Palfrader) Date: Wed Mar 8 01:18:16 2006 Subject: add notation to self sig Message-ID: <20060307221212.GI25580@asteria.noreply.org> Hey, I wanted to add a notation to my self sig on my key by giving --cert-notation on the command line and then updating the cipher preferences (as a nice way to generate a new self sig): | gpg --cert-notation preferred-email-encoding@pgp.com=pgpmime --edit 94c09c7f | Command> setpref S9 S8 S7 S3 S2 H2 H8 Z2 Z3 Z1 mdc no-ks-modify [...] However, the resulting new self sig does not have the cert notation set. Can anybody tell me what the procedure is to issue a new self sig with cert notations? [Running svn head of gnupg14 as of now.] Cheers, Peter -- PGP signed and encrypted | .''`. ** Debian GNU/Linux ** messages preferred. | : :' : The universal | `. `' Operating System http://www.palfrader.org/ | `- http://www.debian.org/ From atom at smasher.org Wed Mar 8 01:35:22 2006 
From: atom at smasher.org (Atom Smasher) Date: Wed Mar 8 01:34:55 2006 Subject: Problem removing a public key whose private key is gone In-Reply-To: <1141767786.7336.28.camel@localhost.localdomain> References: <1141767786.7336.28.camel@localhost.localdomain> Message-ID: <20060308003529.69539.qmail@smasher.org> On Tue, 7 Mar 2006, Jeremiah Foster wrote: > I overwrote the partition upon which my private key was stored. To > confuse matters I generated a new secret / public key pair on the same > machine and even imported my old public key, thinking, rather foolishly, > that I might somehow be able to restore the destroyed secret key. > > How do I properly remove the old, unusable public key when I do not > possess the secret key any longer and without destroying my entire gpg > installation. ================ you can remove any public key from your keyring with: gpg --delete-key {key-id} if you have any doubts about doing it right, or if you're having a bad day, backup the keyring before trying to delete anything from it. if no one else has a copy of the key, you're done. if the key is in circulation among key-servers (and if you don't have a revocation certificate) you're beat. -- ...atom ________________________ http://atom.smasher.org/ 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "If Jesus Christ were to come today, people would not even crucify him. They would ask him to dinner, and hear what he had to say, and make fun of it." -- Thomas Carlyle From cam at mathematica.scientia.net Wed Mar 8 01:36:30 2006 
From: cam at mathematica.scientia.net (Christoph Anton Mitterer)
Date: Wed Mar 8 01:35:49 2006
Subject: Problem removing a public key whose private key is gone
In-Reply-To: <1141767786.7336.28.camel@localhost.localdomain>
References: <1141767786.7336.28.camel@localhost.localdomain>
Message-ID: <440E270E.50106@mathematica.scientia.net>

Jeremiah Foster wrote:
>How do I properly remove the old, unusable public key when I do not
>possess the secret key any longer and without destroying my entire gpg
>installation.
>
>

--delete-key name
    Remove key from the public keyring. In batch mode either --yes is required or the key must be specified by fingerprint. This is a safeguard against accidental deletion of multiple keys.

(where name is a valid name for your old key; note however, that this doesn't revoke your old key)

Chris.

From hhhobbit7 at netscape.net Wed Mar 8 10:59:51 2006
From: hhhobbit7 at netscape.net (Henry Hertz Hobbit)
Date: Wed Mar 8 10:59:58 2006
Subject: Gnupg make error
Message-ID: <7F7272D3.48A652F8.0307202B@netscape.net>

CHRISTINA MARJI wrote:
>
>Hi,
>
>I have downloaded gnupg 1.4.2.1 source code from
>gnupg.org. I get the following errors when I run the
>make utility:
>
>make[1]: Entering directory
>`/home/tina/gnupg-1.4.2.1/checks'
>../g10/gpg --homedir . --quiet --yes
>--no-permission-warning --import ./pubdemo.
>asc
>gpg: mpi larger than indicated length (124 bytes)
>gpg: read_block: read error: invalid packet
>gpg: no valid OpenPGP data found.
>gpg: import from `./pubdemo.asc' failed: invalid
>keyring
>make[1]: *** [prepared.stamp] Error 2
>make[1]: Leaving directory
>`/home/tina/gnupg-1.4.2.1/checks'
>make: *** [check-recursive] Error 1
>
>Can someone help me regarding this matter.
>
>Thank you
>Christina Michael

Since I had not built 1.4.2.1 (still using 1.4.2), and nobody else has responded in the digest (if somebody else responded, I apologize) I downloaded 1.4.2.1 and had no problems.
You can help by starting over (by that I mean start with a fresh set of files from the very beginning, including a new download if you feel that is necessary) and doing it the following way in some sort of SH type shell, bash, sh, ksh:

[hhhobbit@gandalf ~]$ bzip2 -dc gnupg-1.4.2.1.tar.bz2 | tar -xf -
[hhhobbit@gandalf ~]$ cd gnupg-1.4.2.1
[hhhobbit@gandalf gnupg-1.4.2.1]$ ./configure > LOG.config 2> ERR.config
[hhhobbit@gandalf gnupg-1.4.2.1]$ ls -l LOG.* ERR.*
-rw-r--r-- 1 hhhobbit hhhobbit 0 Mar 8 02:38 ERR.config
-rw-r--r-- 1 hhhobbit hhhobbit 13899 Mar 8 02:39 LOG.config
[hhhobbit@sirius gnupg-1.4.2.1]$ ls -l LOG.* ERR.*
-rw-r--r-- 1 hhhobbit hhhobbit 0 Mar 8 02:38 ERR.config
-rw-r--r-- 1 hhhobbit hhhobbit 108 Mar 8 02:40 ERR.make
-rw-r--r-- 1 hhhobbit hhhobbit 13899 Mar 8 02:39 LOG.config
-rw-r--r-- 1 hhhobbit hhhobbit 44623 Mar 8 02:41 LOG.make
[hhhobbit@sirius gnupg-1.4.2.1]$ cat ERR.make
ttyio.c: In function `tty_get_ttyname':
ttyio.c:103: warning: null argument where non-null required (arg 1)

You can see that I took the defaults and it worked just fine. I think one of your files somehow got altered. I don't know which one it is, or how or even when it got corrupted. BTW, I suggest ALWAYS doing your builds not just of GnuPG, but all software this way to let you know if before you even made it to make whether you were able to get a good configure. You also didn't specify if you gave configure any options. I will assume you didn't. You SHOULD end up with a ZERO size ERR.config file. If you don't, start there.

Henry Hertz Hobbit

From cam at mathematica.scientia.net Wed Mar 8 18:42:15 2006
From: cam at mathematica.scientia.net (Christoph Anton Mitterer)
Date: Wed Mar 8 18:41:48 2006
Subject: Problem removing a public key whose private key is gone
In-Reply-To: <1141837926.7336.31.camel@localhost.localdomain>
References: <1141767786.7336.28.camel@localhost.localdomain> <440E270E.50106@mathematica.scientia.net> <1141837926.7336.31.camel@localhost.localdomain>
Message-ID: <440F1777.2090007@mathematica.scientia.net>

Jeremiah Foster wrote:
>Hey Chris,
>
>Yeah I saw that from the man page and it did not help. Specifically
>because the names are identical and when you issue --delete-key name you
>get prompted to specify the secret key which does not exist in my case.
>So delete-key fails to work for my needs.
>
>Jeremiah
>
>

If you'd read the other parts of the manpage you'd see that name is not only limited to your name or the UID's email address but you can also specify one of the key IDs. You'll get the key IDs of your keys with gpg --list-keys. The key ID should be different for both of your keys, if not, you'll have to use the long key ID, but that is pretty unlikely. If even the long key IDs would be equal - that should be even posted to the list because it is a rarity - you'd have to use the fingerprint of the key as name (if even those would be equal,.. this would be nearly a sensation ;) ).

So take the key ID of your old unwanted key (something like 0x23459837) and make gpg --delete-key .

Regards, Chris.

From dshaw at jabberwocky.com Wed Mar 8 19:46:52 2006
From: dshaw at jabberwocky.com (David Shaw) Date: Wed Mar 8 19:46:21 2006 Subject: add notation to self sig In-Reply-To: <20060307221212.GI25580@asteria.noreply.org> References: <20060307221212.GI25580@asteria.noreply.org> Message-ID: <20060308184652.GA12996@jabberwocky.com> On Tue, Mar 07, 2006 at 11:12:12PM +0100, Peter Palfrader wrote: > Hey, > > I wanted to add a notation to my self sig on my key by giving > --cert-notation on the command line and then updating the cipher > preferences (as a nice way to generate a new self sig): > > | gpg --cert-notation preferred-email-encoding@pgp.com=pgpmime --edit 94c09c7f > | Command> setpref S9 S8 S7 S3 S2 H2 H8 Z2 Z3 Z1 mdc no-ks-modify > [...] > > However, the resulting new self sig does not have the cert notation set. > > Can anybody tell me what the procedure is to issue a new self sig with > cert notations? --edit-key the key, delsig the current selfsig, and "sign". Sign will do the right thing. That's pretty icky, though. I'll see if I can add a "notation" --edit-key command for 1.4.3. David From jeremiah at devmodul.com Wed Mar 8 20:13:20 2006 
From: jeremiah at devmodul.com (Jeremiah Foster) Date: Wed Mar 8 20:12:48 2006 Subject: [Fwd: Re: Problem removing a public key whose private key is gone] Message-ID: <1141845200.7336.72.camel@localhost.localdomain>

On Wed, 2006-03-08 at 18:42 +0100, Christoph Anton Mitterer wrote:

*snip*

> You'll get the key IDs of your keys with gpg --list-keys. The
> key ID should be different for both of your keys, if not, you'll have to
> use the long key ID, but that is pretty unlikely.
> If even the long key IDs would be equal - that should be even posted to
> the list because it is a rarity - you'd have to use the fingerprint of
> the key as name (if even those would be equal,.. this would be nearly a
> sensation ;) ).
>
> So take the key ID of your old unwanted key (something like 0x23459837)
> and make gpg --delete-key .

Excellent, I will try that, thanks Chris.

Jeremiah

From gnupg-users=gnupg.org at lists.palfrader.org Wed Mar 8 20:32:53 2006
From: gnupg-users=gnupg.org at lists.palfrader.org (Peter Palfrader) Date: Wed Mar 8 20:32:07 2006 Subject: add notation to self sig In-Reply-To: <20060308184652.GA12996@jabberwocky.com> References: <20060307221212.GI25580@asteria.noreply.org> <20060308184652.GA12996@jabberwocky.com> Message-ID: <20060308193253.GS25580@asteria.noreply.org>

On Wed, 08 Mar 2006, David Shaw wrote:

> On Tue, Mar 07, 2006 at 11:12:12PM +0100, Peter Palfrader wrote:
> > Hey,
> >
> > I wanted to add a notation to my self sig on my key by giving
> > --cert-notation on the command line and then updating the cipher
> > preferences (as a nice way to generate a new self sig):
> >
> > | gpg --cert-notation preferred-email-encoding@pgp.com=pgpmime --edit 94c09c7f
> > | Command> setpref S9 S8 S7 S3 S2 H2 H8 Z2 Z3 Z1 mdc no-ks-modify
> > [...]
> >
> > However, the resulting new self sig does not have the cert notation set.
> >
> > Can anybody tell me what the procedure is to issue a new self sig with
> > cert notations?
>
> --edit-key the key, delsig the current selfsig, and "sign". Sign will
> do the right thing.
>
> That's pretty icky, though. I'll see if I can add a "notation"
> --edit-key command for 1.4.3.

Thanks, that seems to work (as does --expert and sign).

Something related. Is --with-colons supposed to show me notation informations?

weasel@galaxy:~/gpg$ gpg --no-options --list-options show-notation --list-sigs
./pubring.gpg
-------------
pub 1024D/94C09C7F 1999-11-10
uid Peter Palfrader
sig 3 94C09C7F 2000-02-29 Peter Palfrader
sig 3 N 94C09C7F 2006-03-08 Peter Palfrader
Signature notation: preferred-email-encoding@pgp.com=pgpmime

weasel@galaxy:~/gpg$ gpg --no-options --list-options show-notation --with-colons --list-sigs
tru::1:1141845941:0:3:1:5
pub:-:1024:17:DE7AAF6E94C09C7F:1999-11-10:::-:Peter Palfrader::scaSCA:
sig:::17:DE7AAF6E94C09C7F:2000-02-29::::Peter Palfrader:13x:
sig:::17:DE7AAF6E94C09C7F:2006-03-08::::Peter Palfrader:13x:

Cheers, Peter
-- PGP signed and encrypted | .''`.
** Debian GNU/Linux ** messages preferred. | : :' : The universal | `. `' Operating System http://www.palfrader.org/ | `- http://www.debian.org/ From r.post at sara.nl Wed Mar 8 19:47:23 2006 From: r.post at sara.nl (Remco Post) Date: Wed Mar 8 20:54:55 2006 Subject: gpg-agent cache Message-ID: <440F26BB.8090706@sara.nl> Hi all, I just build gpg-agent from the 1.9.20 source-tree. Everything seems to work as expected for both signing and even ssh authentication apart from the passphrase cache. I've started gpg-agent with: /usr/local/bin/gpg-agent --use-standard-socket --pinentry-program /usr/bin/pinentry-gtk-2 --default-cache-ttl 1800 --default-cache-ttl-ssh 900 --enable-ssh-support --write-env-file $HOME/.gpg-agent-info --daemon --sh /usr/bin/fvwm2 and added the use-agent option to my config file. No problem (well ok enigmail is a bit of a pain), apart from the fact that caching doesn't seem to work. Each time I sign some mail or log in I'm prompted for my pin... What am I missing, and/or how can I maybe see why gpg-agent keeps on prompting for my pin? -- Met vriendelijke groeten, Remco Post SARA - Reken- en Netwerkdiensten http://www.sara.nl High Performance Computing Tel. +31 20 592 3000 Fax. +31 20 668 3167 PGP Key fingerprint = 6367 DFE9 5CBC 0737 7D16 B3F6 048A 02BF DC93 94EC "I really didn't foresee the Internet. But then, neither did the computer industry. Not that that tells us very much of course - the computer industry didn't even foresee that the century was going to end." -- Douglas Adams From r.post at sara.nl Wed Mar 8 22:46:07 2006 
From: r.post at sara.nl (Remco Post) Date: Wed Mar 8 22:46:00 2006 Subject: building gnupg-1.9.20 on macos Message-ID: <440F509F.9080104@sara.nl> Hi all, I've just successfully build gpg 1.9.20 on macos libksba requiters one small patch (the reverse patch is:) diff -ur libksba-0.9.12/gl/Makefile.in /Users/remco/src/libksba-0.9.12/gl/Makefile.in --- libksba-0.9.12/gl/Makefile.in 2006-03-08 21:46:25.000000000 +0100 +++ /Users/remco/src/libksba-0.9.12/gl/Makefile.in 2005-08-01 17:15:04.000000000 +0200 @@ -64,7 +64,7 @@ CONFIG_CLEAN_FILES = LTLIBRARIES = $(noinst_LTLIBRARIES) libgnu_la_DEPENDENCIES = @LTLIBOBJS@ @LTALLOCA@ -am_libgnu_la_OBJECTS = alloca.lo +am_libgnu_la_OBJECTS = libgnu_la_OBJECTS = $(am_libgnu_la_OBJECTS) DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir) depcomp = tools/Makefile.in on gnupg also requires one patch, gpg-connect-agent depends on pth but does not have $(PTH_LIBS) in the LDD_ADD statement: pipmac:~/src/gnupg-1.9.20/tools remco$ diff -u Makefile.in Makefile.in.remco --- Makefile.in 2005-12-20 10:49:35.000000000 +0100 +++ Makefile.in.remco 2006-03-08 22:38:15.000000000 +0100 
@@ -406,7 +406,7 @@ gpg_connect_agent_SOURCES = gpg-connect-agent.c no-libgcrypt.c gpg_connect_agent_LDADD = ../jnlib/libjnlib.a \ ../common/libcommon.a ../gl/libgnu.a \ - $(LIBASSUAN_LIBS) $(GPG_ERROR_LIBS) $(LIBINTL) + $(PTH_LIBS) $(LIBASSUAN_LIBS) $(GPG_ERROR_LIBS) $(LIBINTL) gpgkey2ssh_SOURCES = gpgkey2ssh.c gpgkey2ssh_CFLAGS = $(LIBGCRYPT_CFLAGS) $(GPG_ERROR_CFLAGS) now... I have no usefull output from ssh-add -l yet, but 'make check' is successfull... -- Met vriendelijke groeten, Remco Post SARA - Reken- en Netwerkdiensten http://www.sara.nl High Performance Computing Tel. +31 20 592 3000 Fax. +31 20 668 3167 PGP Key fingerprint = 6367 DFE9 5CBC 0737 7D16 B3F6 048A 02BF DC93 94EC "I really didn't foresee the Internet. But then, neither did the computer industry. Not that that tells us very much of course - the computer industry didn't even foresee that the century was going to end." -- Douglas Adams From shavital at mac.com Wed Mar 8 23:29:47 2006 
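Review bot: the libksba gl/Makefile.in hunk is posted in the reverse direction and against a generated file. The `-` line carries the fixed `am_libgnu_la_OBJECTS = alloca.lo` and the `+` line the original empty assignment, and the new-file path is the absolute /Users/remco/src/... tree, so it applies only with `patch -R` plus path stripping; please regenerate it as original to fixed with relative paths. Makefile.in is automake output, so the object list needs to be corrected in gl/Makefile.am or the next automake run drops the change, and it is worth checking why `@LTALLOCA@`, already listed in `libgnu_la_DEPENDENCIES`, does not bring alloca.lo into the object list.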
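Review bot: the `$(PTH_LIBS)` addition to `gpg_connect_agent_LDADD` is made in tools/Makefile.in, which is regenerated from tools/Makefile.am, so the change has to land in Makefile.am to survive. Please also say which object pulls in pth: if the reference comes from ../jnlib/libjnlib.a or ../common/libcommon.a rather than from gpg-connect-agent.c itself, other programs in this Makefile that link those archives (gpgkey2ssh follows directly below) may need the same addition.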
From: shavital at mac.com (Charly Avital) Date: Wed Mar 8 23:29:11 2006 Subject: building gnupg-1.9.20 on macos In-Reply-To: <440F509F.9080104@sara.nl> References: <440F509F.9080104@sara.nl> Message-ID: <440F5ADB.3060801@mac.com> Thanks for the information. I have never succeeded to build gpg 1.9.xx on MacOS, in spite of help and tips from WK, so I gave it up. If you are kind enough to keep posting your findings and tips, I shall be very grateful. Charly MacOS 10.4.5 - MacGPG 1.4.3rc1 Remco Post wrote the following on 3/8/06 4:46 PM: > Hi all, > [snip] From dshaw at jabberwocky.com Thu Mar 9 04:27:09 2006
From: dshaw at jabberwocky.com (David Shaw) Date: Thu Mar 9 04:26:37 2006 Subject: add notation to self sig In-Reply-To: <20060308193253.GS25580@asteria.noreply.org> References: <20060307221212.GI25580@asteria.noreply.org> <20060308184652.GA12996@jabberwocky.com> <20060308193253.GS25580@asteria.noreply.org> Message-ID: <20060309032709.GB20497@jabberwocky.com> On Wed, Mar 08, 2006 at 08:32:53PM +0100, Peter Palfrader wrote: > On Wed, 08 Mar 2006, David Shaw wrote: > > > On Tue, Mar 07, 2006 at 11:12:12PM +0100, Peter Palfrader wrote: > > > Hey, > > > > > > I wanted to add a notation to my self sig on my key by giving > > > --cert-notation on the command line and then updating the cipher > > > preferences (as a nice way to generate a new self sig): > > > > > > | gpg --cert-notation preferred-email-encoding@pgp.com=pgpmime --edit 94c09c7f > > > | Command> setpref S9 S8 S7 S3 S2 H2 H8 Z2 Z3 Z1 mdc no-ks-modify > > > [...] > > > > > > However, the resulting new self sig does not have the cert notation set. > > > > > > Can anybody tell me what the procedure is to issue a new self sig with > > > cert notations? > > > > --edit-key the key, delsig the current selfsig, and "sign". Sign will > > do the right thing. > > > > That's pretty icky, though. I'll see if I can add a "notation" > > --edit-key command for 1.4.3. > > Thanks, that seems to work (as does --expert and sign). If you're tracking SVN, try the latest. I've added a notation command under --edit-key. > Something related. Is --with-colons supposed to show me notation > informations? Yes, but only if you ask for it specifically. Try adding "show-sig-subpackets=20" to your --list-options. David From r.post at sara.nl Thu Mar 9 09:10:57 2006 
From: r.post at sara.nl (Remco Post) Date: Thu Mar 9 09:10:46 2006 Subject: building gnupg-1.9.20 on macos In-Reply-To: <440F5ADB.3060801@mac.com> References: <440F509F.9080104@sara.nl> <440F5ADB.3060801@mac.com> Message-ID: <440FE311.6080806@sara.nl>

Charly Avital wrote:
> Thanks for the information. I have never succeeded to build gpg 1.9.xx
> on MacOS, in spite of help and tips from WK, so I gave it up.
>
> If you are kind enough to keep posting your findings and tips, I shall
> be very grateful.
> Charly

Well, everything seems to work as expected but:

1- I had to build a wrapper script for gpg for use in enigmail to source the .gpg-agent-env file I had the agent write. For some reason, on Linux enigmail/thunderbird strips the required variables from gpg's environment, of course on MacOS those vars were never there. This is minor compared to the next thing. Still, not being able to statically configure the socket for gpg-agent is a nuisance.

2- pinentry. When I start the gpg-agent in a Terminal (from .bashrc/.bash_profile) I usually get a pinentry-curses prompt in that window, but not when enigmail starts gpg. Since there is no native gui pinentry (yet?) I'd love to be able to force gpg-agent to _always_ use one tty for pinentry, no matter what.

For now I've decided that the second issue is a 'show stopper' for implementing gpg-agent based login auth with MacOS. I have to choose between gpg-agent and decrypting/signing e-mail, and mail functionality won.

So I guess the next thing on the list for me is finding some way around the second issue.

ps. I've not tested gpgsm in any way on MacOS. I see it's there, I just haven't done anything with it (nor will I do so any time soon).

> MacOS 10.4.5 - MacGPG 1.4.3rc1
>
> Remco Post wrote the following on 3/8/06 4:46 PM:
>>> Hi all,
>>>
> [snip]

-- Met vriendelijke groeten, Remco Post SARA - Reken- en Netwerkdiensten http://www.sara.nl High Performance Computing Tel. +31 20 592 3000 Fax.
+31 20 668 3167 PGP Key fingerprint = 6367 DFE9 5CBC 0737 7D16 B3F6 048A 02BF DC93 94EC "I really didn't foresee the Internet. But then, neither did the computer industry. Not that that tells us very much of course - the computer industry didn't even foresee that the century was going to end." -- Douglas Adams From shavital at mac.com Thu Mar 9 10:10:22 2006 
From: shavital at mac.com (Charly Avital) Date: Thu Mar 9 10:09:46 2006 Subject: building gnupg-1.9.20 on macos In-Reply-To: <440FE311.6080806@sara.nl> References: <440F509F.9080104@sara.nl> <440F5ADB.3060801@mac.com> <440FE311.6080806@sara.nl> Message-ID: <440FF0FE.8010800@mac.com>

Thanks for your message. All these issues are well beyond my very basic grasp, so I'll just lay back and wait for you to come up with more solutions ;-)

Remco Post wrote the following on 3/9/06 3:10 AM:
[...]
>
> Well, everything seems to work as expected but:
>
> 1- I had to build a wrapper script for gpg for use in enigmail to source
> the .gpg-agent-env file I had the agent write. For some reason, on Linux
> enigmail/thunderbird strips the required variables from gpg's
> environment, of course on MacOS those vars were never there. This is
> minor compared to the next thing. Still, not being able to statically
> configure the socket for gpg-agent is a nuisance.
>
> 2- pinentry. When I start the gpg-agent in a Terminal (from
> .bashrc/.bash_profile) I usually get a pinentry-curses prompt in that
> window, but not when enigmail starts gpg. Since there is no native gui
> pinentry (yet?) I'd love to be able to force gpg-agent to _always_ use
> one tty for pinentry, no matter what.
>
> For now I've decided that the second issue is a 'show stopper' for
> implementing gpg-agent based login auth with MacOS. I have to choose
> between gpg-agent and decrypting/signing e-mail, and mail functionality won.
>
> So I guess the next thing on the list for me is finding some way around
> the second issue.
>
> ps. I've not tested gpgsm in any way on MacOS. I see it's there, I just
> haven't done anything with it (nor will I do so any time soon).

[snip]

From gnupg-users=gnupg.org at lists.palfrader.org Thu Mar 9 14:40:33 2006
From: gnupg-users=gnupg.org at lists.palfrader.org (Peter Palfrader) Date: Thu Mar 9 14:40:04 2006 Subject: add notation to self sig In-Reply-To: <20060309032709.GB20497@jabberwocky.com> References: <20060307221212.GI25580@asteria.noreply.org> <20060308184652.GA12996@jabberwocky.com> <20060308193253.GS25580@asteria.noreply.org> <20060309032709.GB20497@jabberwocky.com> Message-ID: <20060309134033.GX25580@asteria.noreply.org>

On Wed, 08 Mar 2006, David Shaw wrote:

> > Thanks, that seems to work (as does --expert and sign).
>
> If you're tracking SVN, try the latest. I've added a notation command
> under --edit-key.

Great, thanks. Adding notations and removing all of them works just fine.

According to the manual page, setting an empty value should remove a notation:

| notation Set a name=value notation for the specified user
| ID(s). See --cert-notation for more on how this
| works. Setting a value of "none" removes all nota-
| tions, and setting a name with no value removes
| that notation alone.

However,

| weasel@simona:~/tmp/gpg$ gpg --list-options show-notations --list-sigs
| pub 1024D/A12B80B9 2006-03-09 [expires: 2006-03-16]
| uid test1
| sig 3 A12B80B9 2006-03-09 test1
| sub 2048g/7FAFEDE3 2006-03-09 [expires: 2006-03-16]
| sig A12B80B9 2006-03-09 test1

| weasel@simona:~/tmp/gpg$ gpg --edit test1
[..]
| Command> notation foo@example.com=
| No notations on user ID "test1"
| Adding notation: foo@example.com=
[..]
[just doing 'notation foo@example.com' is not allowed.]

| weasel@simona:~/tmp/gpg$ gpg --list-options show-notations --list-sigs
| pub 1024D/A12B80B9 2006-03-09 [expires: 2006-03-16]
| uid test1
| sig 3 N A12B80B9 2006-03-09 test1
| Signature notation: foo@example.com=
| sub 2048g/7FAFEDE3 2006-03-09 [expires: 2006-03-16]
| sig A12B80B9 2006-03-09 test1

it seems that this part doesn't work.

Also, is issuing a notation again with the same key supposed to replace an existing notation, or should it - as it does now - add a second notation with the same key?
Cheers, Peter -- PGP signed and encrypted | .''`. ** Debian GNU/Linux ** messages preferred. | : :' : The universal | `. `' Operating System http://www.palfrader.org/ | `- http://www.debian.org/ From wk at gnupg.org Thu Mar 9 19:53:40 2006 From: wk at gnupg.org (Werner Koch) Date: Thu Mar 9 20:16:51 2006 Subject: [Announce] GnuPG does not detect injection of unsigned data Message-ID: <87d5gvh2kr.fsf@wheatstone.g10code.de> Skipped content of type multipart/signed From dshaw at jabberwocky.com Thu Mar 9 20:22:45 2006
From: dshaw at jabberwocky.com (David Shaw) Date: Thu Mar 9 20:22:17 2006 Subject: add notation to self sig In-Reply-To: <20060309134033.GX25580@asteria.noreply.org> References: <20060307221212.GI25580@asteria.noreply.org> <20060308184652.GA12996@jabberwocky.com> <20060308193253.GS25580@asteria.noreply.org> <20060309032709.GB20497@jabberwocky.com> <20060309134033.GX25580@asteria.noreply.org> Message-ID: <20060309192245.GA8999@jabberwocky.com>

On Thu, Mar 09, 2006 at 02:40:33PM +0100, Peter Palfrader wrote:

> | weasel@simona:~/tmp/gpg$ gpg --edit test1
> [..]
> | Command> notation foo@example.com=
> | No notations on user ID "test1"
> | Adding notation: foo@example.com=
> [..]
> [just doing 'notation foo@example.com' is not allowed.]
>
> | weasel@simona:~/tmp/gpg$ gpg --list-options show-notations --list-sigs
> | pub 1024D/A12B80B9 2006-03-09 [expires: 2006-03-16]
> | uid test1
> | sig 3 N A12B80B9 2006-03-09 test1
> | Signature notation: foo@example.com=
> | sub 2048g/7FAFEDE3 2006-03-09 [expires: 2006-03-16]
> | sig A12B80B9 2006-03-09 test1
>
> it seems that this part doesn't work.

That's actually a feature. I didn't explain it too well in the manual. Basically the problem is that zero-length notations are legal in OpenPGP. So if there was a foo@example.com notation on the sig already, then foo@example.com= would remove it. If there was no foo@example.com notation on the sig already, then foo@example.com= would be added as a zero-length notation.

Let's make it simpler: I just added the ability to delete notations directly by using a minus sign prefix like "-foo@example.com".

Given these notations:
foo@example.com=one
foo@example.com=two
foo@example.com=three

if you use "-foo@example.com=one" you'll delete that specific notation. If you use "-foo@example.com" you'll delete all three.

> Also, is issuing a notation again with the same key supposed to replace
> an existing notation, or should it - as it does now - add a second
> notation with the same key?
I went back and forth on this a few times, as I can see a good argument for either replacement or adding a second notation, but finally went with the current behavior as more flexible. It's easy enough to change if it doesn't work out well in the field. Note that this only applies to key matches. Adding a completely matching notation (both key and value) is skipped. David From gnupg-users=gnupg.org at lists.palfrader.org Thu Mar 9 22:52:53 2006 
From: gnupg-users=gnupg.org at lists.palfrader.org (Peter Palfrader) Date: Thu Mar 9 22:52:09 2006 Subject: add notation to self sig In-Reply-To: <20060309192245.GA8999@jabberwocky.com> References: <20060307221212.GI25580@asteria.noreply.org> <20060308184652.GA12996@jabberwocky.com> <20060308193253.GS25580@asteria.noreply.org> <20060309032709.GB20497@jabberwocky.com> <20060309134033.GX25580@asteria.noreply.org> <20060309192245.GA8999@jabberwocky.com> Message-ID: <20060309215252.GJ15833@asteria.noreply.org> On Thu, 09 Mar 2006, David Shaw wrote: > Let's make it simpler: I just added the ability to delete notations > directly by using a minus sign prefix like "-foo@example.com". > > Given these notations: > foo@example.com=one > foo@example.com=two > foo@example.com=three > > if you use "-foo@example.com=one" you'll delete that specific > notation. If you use "-foo@example.com" you'll delete all three. > > > Also, is issuing a notation again with the same key supposed to replace > > an existing notation, or should it - as it does now - add a second > > notation with the same key? > > I went back and forth on this a few times, as I can see a good > argument for either replacement or adding a second notation, but > finally went with the current behavior as more flexible. It's easy > enough to change if it doesn't work out well in the field. Note that > this only applies to key matches. Adding a completely matching > notation (both key and value) is skipped. Thanks, this looks very good now. I don't think the fact that one cannot add notation keys that start with a dash will be very relevant in practice. Cheers, Peter -- PGP signed and encrypted | .''`. ** Debian GNU/Linux ** messages preferred. | : :' : The universal | `. `' Operating System http://www.palfrader.org/ | `- http://www.debian.org/ From dshaw at jabberwocky.com Thu Mar 9 23:35:39 2006 
From: dshaw at jabberwocky.com (David Shaw) Date: Thu Mar 9 23:35:00 2006 Subject: add notation to self sig In-Reply-To: <20060309215252.GJ15833@asteria.noreply.org> References: <20060307221212.GI25580@asteria.noreply.org> <20060308184652.GA12996@jabberwocky.com> <20060308193253.GS25580@asteria.noreply.org> <20060309032709.GB20497@jabberwocky.com> <20060309134033.GX25580@asteria.noreply.org> <20060309192245.GA8999@jabberwocky.com> <20060309215252.GJ15833@asteria.noreply.org> Message-ID: <20060309223539.GA9241@jabberwocky.com> On Thu, Mar 09, 2006 at 10:52:53PM +0100, Peter Palfrader wrote: > On Thu, 09 Mar 2006, David Shaw wrote: > > > Let's make it simpler: I just added the ability to delete notations > > directly by using a minus sign prefix like "-foo@example.com". > > > > Given these notations: > > foo@example.com=one > > foo@example.com=two > > foo@example.com=three > > > > if you use "-foo@example.com=one" you'll delete that specific > > notation. If you use "-foo@example.com" you'll delete all three. > > > > > Also, is issuing a notation again with the same key supposed to replace > > > an existing notation, or should it - as it does now - add a second > > > notation with the same key? > > > > I went back and forth on this a few times, as I can see a good > > argument for either replacement or adding a second notation, but > > finally went with the current behavior as more flexible. It's easy > > enough to change if it doesn't work out well in the field. Note that > > this only applies to key matches. Adding a completely matching > > notation (both key and value) is skipped. > > Thanks, this looks very good now. I don't think the fact that one > cannot add notation keys that start with a dash will be very relevant > in practice. Yes. I figured that since nobody has complained yet about not being able to start a non-critical notation with a !, then - was safe. :) David From vedaal at hush.com Thu Mar 9 23:55:43 2006 
From: vedaal at hush.com (vedaal@hush.com) Date: Thu Mar 9 23:55:34 2006 Subject: [Announce] GnuPG does not detect injection of unsigned data Message-ID: <200603092255.k29Mtjvc027551@mailserver2.hushmail.com>

in the announcement of the fix for this condition on the gnupg announce list, it says the following:

=====[ begin quoted text ]=====

The only correct solution to this problem is to get rid of the feature to check concatenated signatures - this allows for strict checking of valid packet composition. This is what has been done in 1.4.2.2 and in the forthcoming 1.4.3rc2. These versions accept signatures only if they are composed of

O + D + S
S + D

=====[ end quoted text ]=====

am not sure of the difference between concatenated signatures and double-signed signatures

double signed signatures are still allowed in 1.4.2.2 and still verified

here is an example:

are double signed signatures not concatenated ?

Thanks,

vedaal

From dshaw at jabberwocky.com Fri Mar 10 00:20:26 2006
From: dshaw at jabberwocky.com (David Shaw) Date: Fri Mar 10 00:19:42 2006 Subject: [Announce] GnuPG does not detect injection of unsigned data In-Reply-To: <200603092255.k29Mtjvc027551@mailserver2.hushmail.com> References: <200603092255.k29Mtjvc027551@mailserver2.hushmail.com> Message-ID: <20060309232026.GB9241@jabberwocky.com>

On Thu, Mar 09, 2006 at 05:55:43PM -0500, vedaal@hush.com wrote:
> in the announcement of the fix for this condition
> on the gnupg announce list, it says the following:
>
> =====[ begin quoted text ]=====
>
> The only correct solution to this problem is to get rid of the
> feature
> to check concatenated signatures - this allows for strict checking
> of
> valid packet composition. This is what has been done in 1.4.2.2
> and
> in the forthcoming 1.4.3rc2. These versions accept signatures only
> if
> they are composed of
>
> O + D + S
> S + D
>
> =====[ end quoted text ]=====
>
> am not sure of the difference between concatenated signatures
> and double-signed signatures
>
> double signed signatures are still allowed in 1.4.2.2 and still
> verified

That is legal. Using the same notation as before, that is:

O + O + D + S + S

David

From dshaw at jabberwocky.com Fri Mar 10 01:36:05 2006
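The composition rule quoted from the announcement, together with David Shaw's O + O + D + S + S reply, as an added example (not GnuPG's code): a Python check that walks OpenPGP packet headers and accepts only those sequences, reading O as a one-pass signature packet (tag 4), D as literal data (tag 11) and S as a signature packet (tag 2). The sample packets are constructed with placeholder bodies, and requiring the O and S counts to match is an assumption of this example.

```python
"""Check the packet composition of an OpenPGP signed message (framing only)."""
import re

ONE_PASS, SIGNATURE, LITERAL = 4, 2, 11
LETTER = {ONE_PASS: "O", SIGNATURE: "S", LITERAL: "D"}


def _take(buf, pos, n):
    """Return n bytes at pos, or raise if the input is truncated."""
    if pos + n > len(buf):
        raise ValueError("truncated packet at offset %d" % pos)
    return buf[pos:pos + n]


def packet_tags(buf):
    """Walk the packet headers in buf and return the list of packet tags."""
    tags, pos = [], 0
    while pos < len(buf):
        first = buf[pos]
        pos += 1
        if not first & 0x80:
            raise ValueError("bit 7 clear: not an OpenPGP packet header")
        if first & 0x40:                       # new-format header
            tags.append(first & 0x3F)
            while True:
                o1 = _take(buf, pos, 1)[0]
                pos += 1
                partial = False
                if o1 < 192:                   # one-octet length
                    length = o1
                elif o1 < 224:                 # two-octet length
                    length = ((o1 - 192) << 8) + _take(buf, pos, 1)[0] + 192
                    pos += 1
                elif o1 == 255:                # five-octet length
                    length = int.from_bytes(_take(buf, pos, 4), "big")
                    pos += 4
                else:                          # partial body length chunk
                    length, partial = 1 << (o1 & 0x1F), True
                _take(buf, pos, length)        # bounds check on the body
                pos += length
                if not partial:
                    break
        else:                                  # old-format header
            tags.append((first >> 2) & 0x0F)
            ltype = first & 0x03
            if ltype == 3:                     # indeterminate: runs to EOF
                pos = len(buf)
                continue
            width = (1, 2, 4)[ltype]
            length = int.from_bytes(_take(buf, pos, width), "big")
            pos += width
            _take(buf, pos, length)
            pos += length
    return tags


def composition(buf):
    """Render the packet sequence in the announcement's O/D/S notation."""
    return "".join(LETTER.get(t, "?") for t in packet_tags(buf))


def is_accepted(buf):
    """True only for S+D, or n one-pass packets + D + n signatures."""
    seq = composition(buf)
    if seq == "SD":
        return True
    m = re.fullmatch(r"(O+)D(S+)", seq)
    # Assumption of this example: every one-pass packet needs its signature.
    return bool(m) and len(m.group(1)) == len(m.group(2))


def pkt(tag, body=b"\x00"):
    """Constructed new-format packet with a one-octet length (body < 192)."""
    return bytes([0xC0 | tag, len(body)]) + body


# Constructed samples: bodies are placeholders, only the framing is real.
O, S = pkt(ONE_PASS), pkt(SIGNATURE)
D = pkt(LITERAL, b"signed text")
X = pkt(LITERAL, b"injected text")
SAMPLES = {
    "one signer": O + D + S,
    "old style": S + D,
    "two signers": O + O + D + S + S,
    "data prepended": X + O + D + S,
    "data appended": O + D + S + X,
    "concatenated": O + D + S + O + D + S,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        verdict = "accept" if is_accepted(blob) else "reject"
        print("%-15s %-7s %s" % (name, composition(blob), verdict))
```

Compressed data packets (tag 8) show up as `?` and are rejected here; a real check has to inflate them first and validate the inner sequence.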
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri Mar 10 01:35:41 2006
Subject: [Announce] Second release candidate for 1.4.3 available
Message-ID: <20060310003605.GA9614@jabberwocky.com>

We are pleased to announce the availability of the second release
candidate for the forthcoming 1.4.3 version of GnuPG:

ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.3rc2.tar.bz2 (3.0M)
ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.3rc2.tar.bz2.sig

SHA-1 checksums for the above files are:

eb5b839555ff1957b5956aaf4c96505223a2f9d0  gnupg-1.4.3rc2.tar.bz2
2168b475f49100f5c41fa3830d90eb6d863220e7  gnupg-1.4.3rc2.tar.bz2.sig

Note that this is only a release candidate, and as such is not
intended for use on production systems. If you are inclined to help
test, however, we would appreciate you trying this new version and
reporting any problems.

Note that this release candidate contains fixes for both the "False
positive signature verification in GnuPG" and "GnuPG does not detect
injection of unsigned data" problems reported against 1.4.2.

Noteworthy changes since 1.4.2:

    * If available, cURL-based keyserver helpers are built that can
      retrieve keys using HKP or any protocol that cURL supports
      (HTTP, HTTPS, FTP, FTPS, etc). If cURL is not available, HKP
      and HTTP are still supported using a built-in cURL emulator. To
      force building the old pre-cURL keyserver helpers, use the
      configure option --enable-old-keyserver-helpers. Note that none
      of this affects finger or LDAP support, which are unchanged.
      Note also that a future version of GnuPG will remove the old
      keyserver helpers altogether.

    * Implemented Public Key Association (PKA) signature verification.
      This uses special DNS records and notation data to associate a
      mail address with an OpenPGP key to prove that mail coming from
      that address is legitimate without the need for a full trust
      path to the signing key.

    * When exporting subkeys, those specified with a key ID or
      fingerprint and the '!' suffix are now merged into one keyblock.

    * Added "gpg-zip", a program to create encrypted archives that can
      interoperate with PGP Zip.

    * Added support for signing subkey cross-certification "back
      signatures". Requiring cross-certification to be present is
      currently off by default, but will be changed to on by default
      in the future, once more keys use it. A new "cross-certify"
      command in the --edit-key menu can be used to update signing
      subkeys to have cross-certification.

    * The key cleaning options for --import-options and
      --export-options have been further polished. "import-clean" and
      "export-clean" replace the older
      import-clean-sigs/import-clean-uids and
      export-clean-sigs/export-clean-uids option pairs.

    * New "minimize" command in the --edit-key menu removes everything
      that can be removed from a key, rendering it as small as
      possible. There are corresponding "export-minimal" and
      "import-minimal" commands for --export-options and
      --import-options.

    * New --fetch-keys command to retrieve keys by specifying a URI.
      This allows direct key retrieval from a web page or other
      location that can be specified in a URI. Available protocols
      are HTTP and finger, plus anything that cURL supplies, if built
      with cURL support.

    * Files containing several signed messages are not allowed any
      longer as there is no clean way to report the status of such
      files back to the caller. To partly revert to the old behaviour
      the new option --allow-multisig-verification may be used.

    * The keyserver helpers can now handle keys in either ASCII armor
      or binary format.

    * New auto-key-locate option that takes an ordered list of methods
      to locate a key if it is not available at encryption time (-r or
      --recipient). Possible methods include "cert" (use DNS CERT as
      per RFC2538bis), "pka" (use DNS PKA), "ldap" (consult the LDAP
      server for the domain in question), "keyserver" (use the
      currently defined keyserver), as well as arbitrary keyserver
      URIs that will be contacted for the key.

    * Able to retrieve keys using DNS CERT records as per RFC-2538bis
      (currently in draft): http://www.josefsson.org/rfc2538bis

Happy Hacking,

David, Timo, Werner

From shavital at mac.com Fri Mar 10 03:23:39 2006
From: shavital at mac.com (Charly Avital)
Date: Fri Mar 10 03:23:10 2006
Subject: [Announce] Second release candidate for 1.4.3 available
In-Reply-To: <20060310003605.GA9614@jabberwocky.com>
References: <20060310003605.GA9614@jabberwocky.com>
Message-ID: <4410E32B.6030800@mac.com>

Hi,

compiled and installed over existing 1.4.3rc1, with idea.c,
Darwin 8.5.0 MacOS 10.4.5 PPC.

Running fine.

Thanks to David, Timo, Werner, and a fine week end.

Charly

David Shaw wrote the following on 3/9/06 7:36 PM:
> We are pleased to announce the availability of the second release
> candidate for the forthcoming 1.4.3 version of GnuPG:
>
> ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.3rc2.tar.bz2 (3.0M)
> ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.3rc2.tar.bz2.sig
>
> SHA-1 checksums for the above files are:
>
> eb5b839555ff1957b5956aaf4c96505223a2f9d0  gnupg-1.4.3rc2.tar.bz2
> 2168b475f49100f5c41fa3830d90eb6d863220e7  gnupg-1.4.3rc2.tar.bz2.sig
>
> Note that this is only a release candidate, and as such is not
> intended for use on production systems. If you are inclined to help
> test, however, we would appreciate you trying this new version and
> reporting any problems.
>
> Note that this release candidate contains fixes for both the "False
> positive signature verification in GnuPG" and "GnuPG does not detect
> injection of unsigned data" problems reported against 1.4.2.
>
> Noteworthy changes since 1.4.2:
>
>     * If available, cURL-based keyserver helpers are built that can
>       retrieve keys using HKP or any protocol that cURL supports
>       (HTTP, HTTPS, FTP, FTPS, etc). If cURL is not available, HKP
>       and HTTP are still supported using a built-in cURL emulator. To
>       force building the old pre-cURL keyserver helpers, use the
>       configure option --enable-old-keyserver-helpers. Note that none
>       of this affects finger or LDAP support, which are unchanged.
>       Note also that a future version of GnuPG will remove the old
>       keyserver helpers altogether.
>
>     * Implemented Public Key Association (PKA) signature verification.
>       This uses special DNS records and notation data to associate a
>       mail address with an OpenPGP key to prove that mail coming from
>       that address is legitimate without the need for a full trust
>       path to the signing key.
>
>     * When exporting subkeys, those specified with a key ID or
>       fingerprint and the '!' suffix are now merged into one keyblock.
>
>     * Added "gpg-zip", a program to create encrypted archives that can
>       interoperate with PGP Zip.
>
>     * Added support for signing subkey cross-certification "back
>       signatures". Requiring cross-certification to be present is
>       currently off by default, but will be changed to on by default
>       in the future, once more keys use it. A new "cross-certify"
>       command in the --edit-key menu can be used to update signing
>       subkeys to have cross-certification.
>
>     * The key cleaning options for --import-options and
>       --export-options have been further polished. "import-clean" and
>       "export-clean" replace the older
>       import-clean-sigs/import-clean-uids and
>       export-clean-sigs/export-clean-uids option pairs.
>
>     * New "minimize" command in the --edit-key menu removes everything
>       that can be removed from a key, rendering it as small as
>       possible. There are corresponding "export-minimal" and
>       "import-minimal" commands for --export-options and
>       --import-options.
>
>     * New --fetch-keys command to retrieve keys by specifying a URI.
>       This allows direct key retrieval from a web page or other
>       location that can be specified in a URI. Available protocols
>       are HTTP and finger, plus anything that cURL supplies, if built
>       with cURL support.
>
>     * Files containing several signed messages are not allowed any
>       longer as there is no clean way to report the status of such
>       files back to the caller. To partly revert to the old behaviour
>       the new option --allow-multisig-verification may be used.
>
>     * The keyserver helpers can now handle keys in either ASCII armor
>       or binary format.
>
>     * New auto-key-locate option that takes an ordered list of methods
>       to locate a key if it is not available at encryption time (-r or
>       --recipient). Possible methods include "cert" (use DNS CERT as
>       per RFC2538bis), "pka" (use DNS PKA), "ldap" (consult the LDAP
>       server for the domain in question), "keyserver" (use the
>       currently defined keyserver), as well as arbitrary keyserver
>       URIs that will be contacted for the key.
>
>     * Able to retrieve keys using DNS CERT records as per RFC-2538bis
>       (currently in draft): http://www.josefsson.org/rfc2538bis
>
> Happy Hacking,
>
> David, Timo, Werner

From qed at tiscali.it Fri Mar 10 14:37:39 2006
From: qed at tiscali.it (qed@tiscali.it)
Date: Fri Mar 10 16:17:58 2006
Subject: Uid management for IM
Message-ID: <15986196.1141997859260.JavaMail.root@ps22>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

I want to add my ICQ number to my pubkey.

What is the best solution?
1. create a new uid, without email address, named "ICQ myicqnumber"
2. modify an existing uid adding a comment with my icq number

I'm concerned about creating a uid without an associated email
address.

- --
Q.E.D.

OpenPGP public key available through keyservers, ID: 0x58D14EB3
Key fingerprint: 00B9 3E17 630F F2A7 FF96 DA6B AEE0 EC27 58D1 4EB3
Always check key fingerprints!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFEEOMcH+Dh0Dl5XacRA3MzAJ45k8DM8sSor3+IhiiS+tSLUd/gDgCfbhK1
OhpaN+BTs2f+/D8v4kk1yPo=
=c+41
-----END PGP SIGNATURE-----

From shavital at mac.com Fri Mar 10 17:13:49 2006
From: shavital at mac.com (Charly Avital)
Date: Fri Mar 10 17:13:18 2006
Subject: Uid management for IM
In-Reply-To: <15986196.1141997859260.JavaMail.root@ps22>
References: <15986196.1141997859260.JavaMail.root@ps22>
Message-ID: <4411A5BD.2030606@mac.com>

Option 2 is better, IMO.

I don't think you can create a new uid *without* an e-mail address,
unless you present it (when going through the generation's prompts) as
something that looks like an e-mail address, e.g.
ICQ12345@ICQ12345.notaneimailaddress, or whatever you like, but
consisting of two parts separated by the at-mark (shift-2). Just a thought.

Best wishes.
Charly

qed@tiscali.it wrote the following on 3/10/06 8:37 AM:
> I want to add my ICQ number to my pubkey.
>
> What is the best solution?
> 1.create a new uid, without email address, named "ICQ myicqnumber"
> 2.modify an existing uid adding a comment with my icq number
>
> I'm concerned about creating an uid without an associated email
> address.
>
> --
> Q.E.D.
>
> OpenPGP public key available through keyservers, ID: 0x58D14EB3
> Key fingerprint: 00B9 3E17 630F F2A7 FF96 DA6B AEE0 EC27 58D1 4EB3
> Always check key fingerprints!
>[...]

From jluehr at gmx.net Fri Mar 10 19:40:54 2006
From: jluehr at gmx.net (Jan Luehr)
Date: Fri Mar 10 21:18:02 2006
Subject: [Announce] GnuPG does not detect injection of unsigned data
In-Reply-To: <87d5gvh2kr.fsf@wheatstone.g10code.de>
References: <87d5gvh2kr.fsf@wheatstone.g10code.de>
Message-ID: <200603101940.55221.jluehr@gmx.net>

Hello,

On Thursday, 9 March 2006 19:53, Werner Koch wrote:
> Summary
> =======
>
> In the aftermath of the false positive signature verification bug
> (announced 2006-02-15) more thorough testing of the fix has been done
> and another vulnerability has been detected.
>
> This new problem affects the use of *gpg* for verification of
> signatures which are _not_ detached signatures. The problem also
> affects verification of signatures embedded in encrypted messages;
> i.e. standard use of gpg for mails.
>

well, this takes me to a difficult question: How much more are to come?
(Have you begun a code audit? How long will it take then?)
I haven't been following the gnupg development so far, but imho the recent
development of actions rater is rather disturbing - and these kind of bugs
tend to disqualify gnupg from mission critical use.
Please don't get me wrong, I really like gnupg and appreciate what you've done
so far, but the recent development worries me.

Keep smiling
yanosz

From johnmoore3rd at joimail.com Fri Mar 10 21:23:48 2006
From: johnmoore3rd at joimail.com (John W. Moore III)
Date: Fri Mar 10 21:23:11 2006
Subject: Uid management for IM
In-Reply-To: <4411A5BD.2030606@mac.com>
References: <15986196.1141997859260.JavaMail.root@ps22> <4411A5BD.2030606@mac.com>
Message-ID: <4411E054.7080105@joimail.com>

Charly Avital wrote:
> Option 2 is better, IMO.
>
> I don't think you can create a new uid *without* an e-mail address,
> unless you present it (when going through the generation's prompts) as
> something that looks like an e-mail address, e.g.
> ICQ12345@ICQ12345.notaneimailaddress, or whatever you like, but
> consisting of two parts separated by the at-mark (shift-2). Just a thought.

I don't see why one could not add a "Free form" UID consisting of one's
icq # (or any other identifier) and then if one chose, select it as the
_Primary_ UID on the Key.

JOHN ;)
Timestamp: Friday 10 Mar 2006, 15:22 --500 (Eastern Standard Time)

From gnupg at raphael.poss.name Fri Mar 10 17:19:49 2006
From: gnupg at raphael.poss.name (Raphaël Poss)
Date: Fri Mar 10 21:27:25 2006
Subject: Uid management for IM
In-Reply-To: <4411A5BD.2030606@mac.com>
References: <15986196.1141997859260.JavaMail.root@ps22> <4411A5BD.2030606@mac.com>
Message-ID: <4411A725.6060809@raphael.poss.name>

Charly Avital wrote:
> Option 2 is better, IMO.
>
> I don't think you can create a new uid *without* an e-mail address,
> unless you present it (when going through the generation's prompts) as
> something that looks like an e-mail address, e.g.
> ICQ12345@ICQ12345.notaneimailaddress, of whatever you like, but
> consisting of two parts separated by the at-mark (shift-2). Just a thought.

You can create a user id without an email address with --allow-freeform-uid

Just my 2c.

--
Raphaël

From shavital at mac.com Fri Mar 10 22:44:46 2006
From: shavital at mac.com (Charly Avital)
Date: Fri Mar 10 22:44:07 2006
Subject: Uid management for IM
In-Reply-To: <4411A725.6060809@raphael.poss.name>
References: <15986196.1141997859260.JavaMail.root@ps22> <4411A5BD.2030606@mac.com> <4411A725.6060809@raphael.poss.name>
Message-ID: <4411F34E.7060103@mac.com>

Not really 2¢. More like 2M.

Thanks, I didn't know about that option (from the man pages):
--------------------------------
--allow-freeform-uid
    Disable all checks on the form of the user ID while generating a
    new one. This option should only be used in very special
    environments as it does not ensure the de-facto standard format of
    user IDs.
--------------------------------

I should have known better: when in doubt, RTFM.

Thanks.
Charly

Raphaël Poss wrote the following on 3/10/06 11:19 AM:
[...]
>
> You can create a user id without an email address with --allow-freeform-uid
>
> Just my 2c.

From vladimir at doisan.com Sat Mar 11 02:48:00 2006
From: vladimir at doisan.com (Vladimir Doisan)
Date: Sat Mar 11 02:48:20 2006
Subject: file encryption and integrity check
In-Reply-To: <20060222132831.GA10374@jabberwocky.com>
References: <43F9F265.2070803@email.it> <43FB1F36.40308@gmail.com> <43FC108C.2070004@gmail.com> <20060222132831.GA10374@jabberwocky.com>
Message-ID: <43FCCA0C.5090305@doisan.com>

Yes, I did exactly the same for my encrypted backups, only I chose
Twofish due to speed advantage (TW256 - 16.2 mbps vs. AES256 - 12.6
mbps). With compression enabled - encryption speed was within 0.5 mbps
across all ciphers at around 12 mbps. I did switch over to public key
encryption last month.

Some benches (this is on single Xeon 2.8 EM64T, 1 Gig RAM with RAID5
running Gentoo in two separate 64 and 32 bit installs)

GnuPG 1.4.2 Benchmarks (symmetric encryption, no compress)

512 MB backup file
                 GnuPG-64           | GnuPG-32
---------------------------------------------------------------------------
twofish (256)    33.5s (15.3 mbps)  | 32.2s (15.9 mbps)
aes (128)        33.3s (15.4 mbps)  | 34.5s (14.8 mbps)
aes192           35.0s (14.6 mbps)  | 33.8s (15.1 mbps)
aes256           37.5s (13.7 mbps)  | 36.8s (13.9 mbps)
blowfish         52.3s (9.8 mbps)   | 52.7s (9.7 mbps)
CAST5            26.9s (19.0 mbps)  | 25.0s (20.5 mbps)
3DES             48.3s (10.6 mbps)  | 47.0s (10.9 mbps)

4.0 Gig backup file
                 GnuPG-64           | GnuPG-32
---------------------------------------------------------------------------
twofish (256)    253s (16.2 mbps)   | 257s (15.9 mbps)
aes (128)        310s (13.2 mbps)   | 278s (14.7 mbps)
aes192           318s (12.8 mbps)   | 288s (14.2 mbps)
aes256           325s (12.6 mbps)   | 311s (13.2 mbps)

OpenSSL 0.9.7-r2 Benchmarks (probably for another topic - it blows GnuPG
out of the water in terms of speed)

512MB backup file
                 OpenSSL-64         | OpenSSL-32
-----------------------------------------------------------------------------
aes (128)        14.0s (36.6 mbps)  | 17.9s (28.6 mbps)
aes192           15.1s (33.9 mbps)  | 19.2s (26.7 mbps)
aes256           16.8s (30.5 mbps)  | 18.0s (28.4 mbps)
blowfish         13.3s (38.5 mbps)  | 13.0s (39.4 mbps)
CAST5            20.5s (25.0 mbps)  | 16.8s (30.5 mbps)
3DES             39.5s (13.0 mbps)  | 32.2s (15.9 mbps)

4.0 Gig backup file
                 OpenSSL-64         | OpenSSL-32
---------------------------------------------------------------------------
aes (128)        164s (25.0 mbps)   | 163s (25.1 mbps)
aes192           166s (33.9 mbps)   | 168s (24.4 mbps)
aes256           173s (23.5 mbps)   | 179s (22.9 mbps)

David Shaw wrote:
> On Wed, Feb 22, 2006 at 05:49:40PM +1030, Alphax wrote:
>
>> Francesco Turco wrote:
>>
>>
>>> i have disabled compression because files i have to encrypt are already
>>> compressed, and compression takes much more time than encryption.
>>>
>>> do you think it is a good choice?
>>>
>>>
>> IIRC GnuPG will detect if data is compressed before it tries to compress
>> it; if so, it won't try to.
>>
>
> This is correct. Of course, it's possible that GnuPG doesn't
> recognize a particular kind of compression. If I recall, it looks for
> bzip, gzip, and zip.
>
> David

From vladimir at doisan.com Sat Mar 11 04:34:13 2006
From: vladimir at doisan.com (Vladimir Doisan)
Date: Sat Mar 11 04:34:24 2006
Subject: file encryption and integrity check
In-Reply-To: <43FB1F36.40308@gmail.com>
References: <43F9F265.2070803@email.it> <43FB1F36.40308@gmail.com>
Message-ID: <43FB71EF.6060100@doisan.com>

Yes, I did exactly the same for my encrypted backups, only I chose
Twofish due to speed advantage (TW256 - 16.2 mbps vs. AES256 - 12.6
mbps). With compression enabled - encryption speed was within 0.5 mbps
across all ciphers at around 12 mbps. I did switch over to public key
encryption last month.

Some benches (this is on single Xeon 2.8 EM64T, 1 Gig RAM with RAID5
running Gentoo in two separate 64 and 32 bit installs)

GnuPG 1.4.2 Benchmarks (symmetric encryption, no compress)

512 MB backup file
                 GnuPG-64           | GnuPG-32
---------------------------------------------------------------------------
twofish (256)    33.5s (15.3 mbps)  | 32.2s (15.9 mbps)
aes (128)        33.3s (15.4 mbps)  | 34.5s (14.8 mbps)
aes192           35.0s (14.6 mbps)  | 33.8s (15.1 mbps)
aes256           37.5s (13.7 mbps)  | 36.8s (13.9 mbps)
blowfish         52.3s (9.8 mbps)   | 52.7s (9.7 mbps)
CAST5            26.9s (19.0 mbps)  | 25.0s (20.5 mbps)
3DES             48.3s (10.6 mbps)  | 47.0s (10.9 mbps)

4.0 Gig backup file
                 GnuPG-64           | GnuPG-32
---------------------------------------------------------------------------
twofish (256)    253s (16.2 mbps)   | 257s (15.9 mbps)
aes (128)        310s (13.2 mbps)   | 278s (14.7 mbps)
aes192           318s (12.8 mbps)   | 288s (14.2 mbps)
aes256           325s (12.6 mbps)   | 311s (13.2 mbps)

OpenSSL 0.9.7-r2 Benchmarks (probably for another topic - it blows GnuPG
out of the water in terms of speed)

512MB backup file
                 OpenSSL-64         | OpenSSL-32
-----------------------------------------------------------------------------
aes (128)        14.0s (36.6 mbps)  | 17.9s (28.6 mbps)
aes192           15.1s (33.9 mbps)  | 19.2s (26.7 mbps)
aes256           16.8s (30.5 mbps)  | 18.0s (28.4 mbps)
blowfish         13.3s (38.5 mbps)  | 13.0s (39.4 mbps)
CAST5            20.5s (25.0 mbps)  | 16.8s (30.5 mbps)
3DES             39.5s (13.0 mbps)  | 32.2s (15.9 mbps)

4.0 Gig backup file
                 OpenSSL-64         | OpenSSL-32
---------------------------------------------------------------------------
aes (128)        164s (25.0 mbps)   | 163s (25.1 mbps)
aes192           166s (33.9 mbps)   | 168s (24.4 mbps)
aes256           173s (23.5 mbps)   | 179s (22.9 mbps)

From sgarlick at gmail.com Sat Mar 11 11:31:42 2006
From: sgarlick at gmail.com (Simon H. Garlick)
Date: Sat Mar 11 13:18:05 2006
Subject: file encryption and integrity check
In-Reply-To: <43FB71EF.6060100@doisan.com>
References: <43F9F265.2070803@email.it> <43FB1F36.40308@gmail.com> <43FB71EF.6060100@doisan.com>
Message-ID: <49aa5b1b0603110231hbc15cc5w2f55079636412448@mail.gmail.com>

On 2/22/06, Vladimir Doisan wrote:
> 512 MB backup file
>                  GnuPG-64           | GnuPG-32
> ---------------------------------------------------------------------------
> twofish (256)    33.5s (15.3 mbps)  | 32.2s (15.9 mbps)
> aes (128)        33.3s (15.4 mbps)  | 34.5s (14.8 mbps)
> aes192           35.0s (14.6 mbps)  | 33.8s (15.1 mbps)
> aes256           37.5s (13.7 mbps)  | 36.8s (13.9 mbps)
> blowfish         52.3s (9.8 mbps)   | 52.7s (9.7 mbps)
> CAST5            26.9s (19.0 mbps)  | 25.0s (20.5 mbps)
> 3DES             48.3s (10.6 mbps)  | 47.0s (10.9 mbps)

Whoa. Blowfish slower than 3DES?

shg

From jharris at widomaker.com Mon Mar 13 03:03:04 2006
From: jharris at widomaker.com (Jason Harris)
Date: Mon Mar 13 03:03:07 2006
Subject: new (2006-03-05) keyanalyze results (+sigcheck)
Message-ID: <20060313020304.GA2003@wilma.widomaker.com>

New keyanalyze results are available at:

  http://keyserver.kjsl.com/~jharris/ka/2006-03-05/

Signatures are now being checked using keyanalyze+sigcheck:

  http://dtype.org/~aaronl/

Earlier reports are also available, for comparison:

  http://keyserver.kjsl.com/~jharris/ka/

Even earlier monthly reports are at:

  http://dtype.org/keyanalyze/

SHA-1 hashes and sizes for all the "permanent" files:

--
Jason Harris           |  NIC:  JH329, PGP:  This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web:  http://keyserver.kjsl.com/~jharris/
          Got photons?   (TM), (C) 2004

From joerg at schmitz-linneweber.de Mon Mar 13 09:26:00 2006
From: joerg at schmitz-linneweber.de (Joerg Schmitz-Linneweber)
Date: Mon Mar 13 09:25:44 2006
Subject: gpg-agent cache
In-Reply-To: <440F26BB.8090706@sara.nl>
References: <440F26BB.8090706@sara.nl>
Message-ID: <200603130926.14803.joerg@schmitz-linneweber.de>

Hi Remco!

On Wednesday, 8 March 2006 19:47, Remco Post wrote:
> ...
> I've started gpg-agent with:
>
> /usr/local/bin/gpg-agent --use-standard-socket --pinentry-program
> /usr/bin/pinentry-gtk-2 --default-cache-ttl 1800 --default-cache-ttl-ssh
> 900 --enable-ssh-support --write-env-file $HOME/.gpg-agent-info --daemon
> --sh /usr/bin/fvwm2

From your mail it's not quite clear if you used the output from gpg-agent
(the environment vars)...

I would have guessed something like:
eval "$(gpg-agent --gpg-agent-options)"

And then start your gpg-agent-using-applications in the same shell afterwards.

HTH. Cheers, Jörg

--
gpg/pgp key # 0xd7fa4512
fingerprint 4e89 6967 9cb2 f548 a806  7e8b fcf4 2053 d7fa 4512

From r.post at sara.nl Mon Mar 13 10:17:31 2006
From: r.post at sara.nl (Remco Post)
Date: Mon Mar 13 10:17:27 2006
Subject: gpg-agent cache
In-Reply-To: <200603130926.14803.joerg@schmitz-linneweber.de>
References: <440F26BB.8090706@sara.nl> <200603130926.14803.joerg@schmitz-linneweber.de>
Message-ID: <441538AB.1020700@sara.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Joerg Schmitz-Linneweber wrote:
> Hi Remco!
>
> On Wednesday, 8 March 2006 19:47, Remco Post wrote:
>
>>...
>>I've started gpg-agent with:
>>
>>/usr/local/bin/gpg-agent --use-standard-socket --pinentry-program
>>/usr/bin/pinentry-gtk-2 --default-cache-ttl 1800 --default-cache-ttl-ssh
>>900 --enable-ssh-support --write-env-file $HOME/.gpg-agent-info --daemon
>>--sh /usr/bin/fvwm2
>
> From your mail it's not quite clear if you used the output from gpg-agent (the
> environment vars)...
>
> I would have guessed something like:
> eval "$(gpg-agent --gpg-agent-options)"
>
> And then start your gpg-agent-using-applications in the same shell afterwards.
>
> HTH. Cheers, Jörg
>

Ow,

Maybe I should have mentioned that I use gpg-agent to start my X
windowmanager (fvwm2) and run my applications from there. Of course,
gpg-agent does work, I am able to sign/decrypt and even login using
gpg-agent, no problem. But apparently, no caching is going on.

In the mean time I've moved most of gpg-agent options to gpg-agent.conf
with the same effect.

- --
Kind regards,

Remco Post

SARA - Reken- en Netwerkdiensten       http://www.sara.nl
High Performance Computing             Tel. +31 20 592 3000  Fax. +31 20 668 3167

"I really didn't foresee the Internet. But then, neither did the
computer industry. Not that that tells us very much of course - the
computer industry didn't even foresee that the century was going to
end." -- Douglas Adams
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iQCVAwUBRBU4oSrZkcVehrp5AQLHrwP/XQQ1HKaCedBA+f7JheAgL7ltcohxWZ1x
wlVkeBlc4TI3VA4jh1Xls0RXTvDTedGREGg/97WYAF1eVh6BquiZOfymiXH9XoQI
2CK4BSAh2VokuKZENzvZtUxL1lRI9miyxSms26BPokSsf9vhKH+pEmr7gGbAqYZI
K2sTOwdJG1s=
=xnpX
-----END PGP SIGNATURE-----

From jeremiah.foster at gmail.com Wed Mar 8 19:06:50 2006
From: jeremiah.foster at gmail.com (Jeremiah Foster)
Date: Mon Mar 13 10:42:58 2006
Subject: Problem removing a public key whose private key is gone
In-Reply-To: <440F1777.2090007@mathematica.scientia.net>
References: <1141767786.7336.28.camel@localhost.localdomain> <440E270E.50106@mathematica.scientia.net> <1141837926.7336.31.camel@localhost.localdomain> <440F1777.2090007@mathematica.scientia.net>
Message-ID: <1141841210.7336.51.camel@localhost.localdomain>

On Wed, 2006-03-08 at 18:42 +0100, Christoph Anton Mitterer wrote:
> Jeremiah Foster wrote:
>
> >Hey Chris,
> >
> >Yeah I saw that from the man page and it did not help. Specifically
> >because the names are identical and when you issue --delete-key name you
> >get prompted to specify the secret key which does not exist in my case.
> >So delete-key fails to work for my needs.
> >
> >Jeremiah
> >
> >
> If you'd read the other parts of the manpage you'd see that name is not
> only limited to your name or the UIDs email address but you can also
> specify one of the key IDs.
>
> You'll get the key IDs of your keys with gpg --list-keys. They (should)
> key ID should be different for both of your keys, if not, you'll have to
> use the long key ID, but that is pretty unlikely.
> If even the long key IDs would be equal - that should be even posted to
> the list because it is a rarity - you'd have to use the fingerprint of
> the key as name (if even those would be equal,.. this would be nearly a
> sensation ;) ).
>
> So take the key ID of your old unwanted key (something like 0x23459837)
> and make gpg --delete-key .

Excellent, I will try that, thanks Chris.

Jeremiah

From jeremiah.foster at gmail.com Wed Mar 8 18:15:27 2006
From: jeremiah.foster at gmail.com (Jeremiah Foster)
Date: Mon Mar 13 10:43:05 2006
Subject: Problem removing a public key whose private key is gone
In-Reply-To: <20060308003529.69539.qmail@smasher.org>
References: <1141767786.7336.28.camel@localhost.localdomain> <20060308003529.69539.qmail@smasher.org>
Message-ID: <1141838127.7336.35.camel@localhost.localdomain>

On Tue, 2006-03-07 at 19:35 -0500, Atom Smasher wrote:
> On Tue, 7 Mar 2006, Jeremiah Foster wrote:
>
> > I overwrote the partition upon which my private key was stored. To
> > confuse matters I generated a new secret / public key pair on the same
> > machine and even imported my old public key, thinking, rather foolishly,
> > that I might somehow be able to restore the destroyed secret key.
> >
> > How do I properly remove the old, unusable public key when I do not
> > possess the secret key any longer and without destroying my entire gpg
> > installation.
> ================
>
> you can remove any public key from your keyring with:
> gpg --delete-key {key-id}

This prompts for the secret key id, which I do not have.

> if you have any doubts about doing it right, or if you're having a bad
> day, backup the keyring before trying to delete anything from it.
>
> if no one else has a copy of the key, you're done. if the key is in
> circulation among key-servers (and if you don't have a revocation
> certificate) you're beat.

The key is on key servers and I do not have a revocation cert. Would you
elaborate on "beat"?

Jeremiah

From sehrgut at marketweighton.com Sun Mar 12 08:19:47 2006
From: sehrgut at marketweighton.com (Sehrgut)
Date: Mon Mar 13 10:43:08 2006
Subject: GPG and GroupWise
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Have any of you found an easy way to integrate GPG with Novell
GroupWise's Win client? There is an old project floating around which
worked with PGP and former versions of GW, but I can't find anything
recent. My institution uses GroupWoes for their email, and I have
quite a few co-workers who would use GPG if they could use it
relatively seamlessly, but are stuck on using the Win Novell client.

Any help would be appreciated, as I'm at a double disadvantage here:
I refuse to use any Novell client, and I'm a Mac/Linux guy anyway.

Thanks!
Keith
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (Darwin)
Comment: Sehr Gut

iD8DBQFEE8uiMMqs2HQmRBkRAsalAJ47z+YKq6npC+pzdb05Vs+HCZeSFgCg/B+0
6XuPMrR1/+HNihv99z5fkIo=
=Rug4
-----END PGP SIGNATURE-----

From linux at codehelp.co.uk Mon Mar 13 11:09:52 2006
From: linux at codehelp.co.uk (Neil Williams) Date: Mon Mar 13 11:11:57 2006 Subject: Problem removing a public key whose private key is gone In-Reply-To: <1141838127.7336.35.camel@localhost.localdomain> References: <1141767786.7336.28.camel@localhost.localdomain> <20060308003529.69539.qmail@smasher.org> <1141838127.7336.35.camel@localhost.localdomain> Message-ID: <200603131009.56619.linux@codehelp.co.uk> On Wednesday 08 March 2006 5:15 pm, Jeremiah Foster wrote: > > > > you can remove any public key from your keyring with: > > gpg --delete-key {key-id} > > This prompts for the secret key id, which I do not have. Same as the public key ID for that secret key. It's only the ID, not the key, that is needed. But seeing as you were too idle to create a revocation certificate before you thrust this useless key onto the keyservers, that's a moot point. > > if no one else has a copy of the key, you're done. if the key is in > > circulation among key-servers (and if you don't have a revocation > > certificate) you're beat. > > The key is on key servers and I do not have a revocation cert. Why not? You are advised to create a revocation certificate when you create the key! If you couldn't be bothered to even do that, you are beyond help. Nothing can be done to remove / revoke a key that has been sent to a keyserver unless you have EITHER the secret key OR the revocation certificate. > Would you > elaborate on "beat"? > > Jeremiah Sunk. Lost. Beaten. Hopeless situation. Impossible to resolve. Doh! Take your pick. There's no point in deleting a public key from your keyring if it's on a keyserver. You've just given the world another unusable key. Thanks. ALWAYS create a revocation certificate BEFORE you send your key to a keyserver!!!! No excuses. Just a test key? Keep it to yourself. Don't send to keyservers - ever. Usable key? Create a revocation certificate BEFORE you send to a keyserver. Keyservers are for the rest of us. 
If we don't need to know about your key, don't put it on a keyserver. It does not benefit you to send a key to a keyserver, it is for the benefit of others. Werner et al. : Maybe it's time that --send-key checks if the key to be sent has a secret key in the secret keyring and if it does, prompts the user about a revocation certificate BEFORE allowing the key to be sent? Even a simple prompt, default NO, would prevent the majority of these useless keys on keyservers. It's not that much hassle for those who have their certificate, depending on how often they add subkeys etc. -- Neil Williams ============= http://www.data-freedom.org/ http://www.nosoftwarepatents.com/ http://www.linux.codehelp.co.uk/ From linux at codehelp.co.uk Mon Mar 13 11:11:08 2006 
From: linux at codehelp.co.uk (Neil Williams) Date: Mon Mar 13 11:18:10 2006 Subject: Problem removing a public key whose private key is gone In-Reply-To: <1141841210.7336.51.camel@localhost.localdomain> References: <1141767786.7336.28.camel@localhost.localdomain> <440F1777.2090007@mathematica.scientia.net> <1141841210.7336.51.camel@localhost.localdomain> Message-ID: <200603131011.08924.linux@codehelp.co.uk> On Wednesday 08 March 2006 6:06 pm, Jeremiah Foster wrote: > > If even the long key IDs would be equal - that should be even posted to > > the list because it is a rarity - you'd have to use the fingerprint of > > the key as name (if even those would be equal,.. this would be nearly a > > sensation ;) ). > > > > So take the key ID of your old unwanted key (something like 0x23459837) > > and make gpg --delete-key . > > Excellent, I will try that, thanks Chris. > > Jeremiah Sadly, that doesn't help the rest of us as the key is already on keyservers. :-( -- Neil Williams ============= http://www.data-freedom.org/ http://www.nosoftwarepatents.com/ http://www.linux.codehelp.co.uk/ From atom at smasher.org Mon Mar 13 13:58:20 2006 
From: atom at smasher.org (Atom Smasher) Date: Mon Mar 13 13:58:12 2006 Subject: Problem removing a public key whose private key is gone In-Reply-To: <200603131009.56619.linux@codehelp.co.uk> References: <1141767786.7336.28.camel@localhost.localdomain> <20060308003529.69539.qmail@smasher.org> <1141838127.7336.35.camel@localhost.localdomain> <200603131009.56619.linux@codehelp.co.uk> Message-ID: <20060313125824.47723.qmail@smasher.org> On Mon, 13 Mar 2006, Neil Williams wrote: > Werner et al. : > Maybe it's time that --send-key checks if the key to be sent has a > secret key in the secret keyring and if it does, prompts the user about > a revocation certificate BEFORE allowing the key to be sent? ================== how many noobs upload new keys on the command-line? how many use "-a --export" and then copy-n-paste into a web interface? if more noobs opt for the former, your idea would spare the world of some useless keys. i suspect that more noobs opt for the latter, in which case the idea wouldn't help much. maybe there needs to be a sandbox keyserver where users can upload keys for practice, but it purges itself of keys >1 year old and doesn't sync with "real" keyservers. if such a keyserver existed, it should probably be the default keyserver in the preferences. -- ...atom ________________________ http://atom.smasher.org/ 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "It must be in our vital interest whether we ever send troops. The mission must be clear. Soldiers must understand why we're going. The force must be strong enough so that the mission can be accomplished. And the exit strategy needs to be well-defined." -- George "dubya" Bush 3rd Bush-Gore debate, 17 Oct 2000 From alphasigmax at gmail.com Mon Mar 13 11:02:30 2006 
From: alphasigmax at gmail.com (Alphax) Date: Mon Mar 13 13:58:27 2006 Subject: Problem removing a public key whose private key is gone In-Reply-To: <1141838127.7336.35.camel@localhost.localdomain> References: <1141767786.7336.28.camel@localhost.localdomain> <20060308003529.69539.qmail@smasher.org> <1141838127.7336.35.camel@localhost.localdomain> Message-ID: <44154336.60706@gmail.com> Jeremiah Foster wrote: > On Tue, 2006-03-07 at 19:35 -0500, Atom Smasher wrote: > >>On Tue, 7 Mar 2006, Jeremiah Foster wrote: >> > >>if you have any doubts about doing it right, or if you're having a bad >>day, backup the keyring before trying to delete anything from it. >> >>if no one else has a copy of the key, you're done. if the key is in >>circulation among key-servers (and if you don't have a revocation >>certificate) you're beat. > > > The key is on key servers and I do not have a revocation cert. Would you > elaborate on "beat"? > Sore out of luck. People will keep using the key which is on the key server, and you will be unable to do anything except reply "Sorry, I lost that secret key, can't decrypt, here is my new key". This is why it is *very* important to have both a backup of your secret keys & a revocation certificate. -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards http://tinyurl.com/cc9up | / \ From dshaw at jabberwocky.com Mon Mar 13 14:52:21 2006 
From: dshaw at jabberwocky.com (David Shaw) Date: Mon Mar 13 14:51:42 2006 Subject: Problem removing a public key whose private key is gone In-Reply-To: <20060313125824.47723.qmail@smasher.org> References: <1141767786.7336.28.camel@localhost.localdomain> <20060308003529.69539.qmail@smasher.org> <1141838127.7336.35.camel@localhost.localdomain> <200603131009.56619.linux@codehelp.co.uk> <20060313125824.47723.qmail@smasher.org> Message-ID: <20060313135221.GB26335@jabberwocky.com> On Mon, Mar 13, 2006 at 07:58:20AM -0500, Atom Smasher wrote: > On Mon, 13 Mar 2006, Neil Williams wrote: > > >Werner et al. : > >Maybe it's time that --send-key checks if the key to be sent has a > >secret key in the secret keyring and if it does, prompts the user about > >a revocation certificate BEFORE allowing the key to be sent? > ================== > > how many noobs upload new keys on the command-line? how many use "-a > --export" and then copy-n-paste into a web interface? > > if more noobs opt for the former, your idea would spare the world of some > useless keys. i suspect that more noobs opt for the latter, in which case > the idea wouldn't help much. > > maybe there needs to be a sandbox keyserver where users can upload keys > for practice, but it purges itself of keys >1 year old and doesn't sync > with "real" keyservers. if such a keyserver existed, it should probably be > the default keyserver in the preferences. Cough, cough. ldap://keyserver.pgp.com It purges keys that aren't confirmed via email and doesn't sync with any other keyserver. Still, even with a keyserver that doesn't sync, that doesn't stop other people from (accidentally or otherwise) downloading a key from ldap://keyserver.pgp.com and distributing it via other means. David From pgp_dev at sympatico.ca Mon Mar 13 17:48:35 2006 
From: pgp_dev at sympatico.ca (Michael Conahan) Date: Mon Mar 13 19:18:00 2006 Subject: Need to test with a PGP Universal Server user Message-ID: Hi folks, I need help to test the interoperability of my custom PGP app with other PGP apps. One example is that I like to test my app with a PGP Universal Server user. I'd be interested in testing with other 'not-for-free' PGP products too. Is anybody available for a quick test? If so, please let me know. Thanks, Michael From wk at gnupg.org Thu Mar 9 19:53:40 2006 From: wk at gnupg.org (Werner Koch) Date: Tue Mar 14 00:47:44 2006 Subject: [Announce] GnuPG does not detect injection of unsigned data Message-ID: <87d5gvh2kr.fsf@wheatstone.g10code.de> Skipped content of type multipart/signed-------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From michael at vorlon.ping.de Tue Mar 14 00:46:54 2006 From: michael at vorlon.ping.de (Michael Bienia) Date: Tue Mar 14 02:47:59 2006 Subject: OpenPGP card and signing Message-ID: <20060313234654.GA21493@vorlon.ping.de> Hello, does signing with the OpenPGP card only work with SHA1 as digest-algo? With SHA1 and RIPEMD160 gpg asks for the PIN but only SHA1 generates a working signature. Trying RIPEMD160 I get: | gpg: checking created signature failed: bad signature | gpg: signing failed: bad signature | gpg: signing failed: bad signature Michael From r.post at sara.nl Tue Mar 14 08:23:58 2006 
From: r.post at sara.nl (Remco Post) Date: Tue Mar 14 08:23:47 2006 Subject: OpenPGP card and signing In-Reply-To: <20060313234654.GA21493@vorlon.ping.de> References: <20060313234654.GA21493@vorlon.ping.de> Message-ID: <44166F8E.4020401@sara.nl> Michael Bienia wrote: > Hello, > > does signing with the OpenPGP card only work with SHA1 as digest-algo? > > With SHA1 and RIPEMD160 gpg asks for the PIN but only SHA1 generates a > working signature. Trying RIPEMD160 I get: > | gpg: checking created signature failed: bad signature > | gpg: signing failed: bad signature > | gpg: signing failed: bad signature > From marcus.brinkmann at ruhr-uni-bochum.de Tue Mar 14 14:00:34 2006 
From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann) Date: Tue Mar 14 14:20:31 2006 Subject: [Announce] libgpg-error 1.3 released Message-ID: <87hd616v0t.wl%marcus.brinkmann@ruhr-uni-bochum.de> Hi, We are pleased to announce version 1.3 of libgpg-error, a library for common error values and messages in GnuPG components. This is a shared library so it can be updated independently of each individual component, while still allowing the use of new error values in inter-process communication. It may be found in the file (about 561 KB/441 KB compressed) ftp://ftp.gnupg.org/gcrypt/libgpg-error/libgpg-error-1.3.tar.gz ftp://ftp.gnupg.org/gcrypt/libgpg-error/libgpg-error-1.3.tar.bz2 The following files are also available: ftp://ftp.gnupg.org/gcrypt/libgpg-error/libgpg-error-1.3.tar.gz.sig ftp://ftp.gnupg.org/gcrypt/libgpg-error/libgpg-error-1.3.tar.bz2.sig ftp://ftp.gnupg.org/gcrypt/libgpg-error/libgpg-error-1.2-1.3.diff.gz It should soon appear on the mirrors listed at: http://www.gnupg.org/mirrors.html Bug reports and requests for assistance should be sent to: gnupg-devel@gnupg.org The sha1sum checksums for this distribution are 8f354d70a54ec2d9f8d24b43237c08165ed19478 libgpg-error-1.2-1.3.diff.gz 10bd8d8503b674e114ecc6620324d5d1c8c918b7 libgpg-error-1.3.tar.bz2 2b46aed8b21703bcbbdc85b696b37b0d528046fb libgpg-error-1.3.tar.bz2.sig 6c7425b3634af05a0314287fff7ba13010c4c26a libgpg-error-1.3.tar.gz 4c3ab083706a21a30ffd2bd06989ecd3d9b6db17 libgpg-error-1.3.tar.gz.sig Noteworthy changes in version 1.3 (2006-03-14) ---------------------------------------------- * GNU gettext is included for systems that do not provide it. Marcus Brinkmann mb@g10code.de _______________________________________________ Gnupg-announce mailing list Gnupg-announce@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From dennis at discworld.ping.de Tue Mar 14 14:58:13 2006 
From: dennis at discworld.ping.de (Dennis Heitmann) Date: Tue Mar 14 16:26:31 2006 Subject: Change PIN on OpenPGP-Card with Cherry SmartTerminal ST-1044 Message-ID: <4416CBF5.8000009@discworld.ping.de> Hello, I just rendered my expensive OpenPGP Card useless. I tried to change the Admin PIN 3 times. I typed the right Admin PIN (12345678), but GnuPG maybe cannot communicate properly with the "Cherry SmartTerminal ST-1044" I thought the timer would not count, because there was an I/O-Error, but that is not right. $gpg --change-pin gpg: detected reader `Cherry SmartTerminal XX44 0' gpg: OpenPGP Karte Nr. D2760001240101010001000008530000 erkannt 1 - change PIN 2 - unblock PIN 3 - change Admin PIN Q - quit Ihre Auswahl? 1 PIN gpg: pcsc_transmit failed: invalid PC/SC error code (0x45d) gpg: apdu_send_simple(0) failed: card I/O error gpg: Prüfung des CHV2 fehlgeschlagen: Allgemeiner Fehler Error changing the PIN: Allgemeiner Fehler 1 - change PIN 2 - unblock PIN 3 - change Admin PIN Q - quit Ihre Auswahl? q $gpg --card-status gpg: detected reader `Cherry SmartTerminal XX44 0' Application ID ...: D2760001240101010001000008530000 Version ..........: 1.1 Manufacturer .....: PPC Card Systems Serial number ....: 00000853 Name of cardholder: Dennis Heitmann Language prefs ...: de Sex ..............: männlich URL of public key : [nicht gesetzt] Login data .......: [nicht gesetzt] Private DO 1 .....: [nicht gesetzt] Private DO 2 .....: [nicht gesetzt] Signature PIN ....: zwingend Max. PIN lengths .: 254 254 254 PIN retry counter : 3 2 0 Signature counter : 0 Signature key ....: [none] Encryption key....: [none] Authentication key: [none] General key info..: [none] From dennis at discworld.ping.de Tue Mar 14 15:18:01 2006 
From: dennis at discworld.ping.de (Dennis Heitmann) Date: Tue Mar 14 16:26:41 2006 Subject: Change PIN on OpenPGP-Card with Cherry SmartTerminal ST-1044 Message-ID: <4416D099.8070906@discworld.ping.de> Hello, I just rendered my expensive OpenPGP Card useless. I tried to change the Admin PIN 3 times. I typed the right Admin PIN (12345678), but GnuPG maybe cannot communicate properly with the "Cherry SmartTerminal ST-1044" I thought the timer would not count, because there was an I/O-Error, but that is not right. Is there any information why it does not work? Dennis $gpg --change-pin gpg: detected reader `Cherry SmartTerminal XX44 0' gpg: OpenPGP Karte Nr. D2760001240101010001000008530000 erkannt 1 - change PIN 2 - unblock PIN 3 - change Admin PIN Q - quit Ihre Auswahl? 1 PIN gpg: pcsc_transmit failed: invalid PC/SC error code (0x45d) gpg: apdu_send_simple(0) failed: card I/O error gpg: Prüfung des CHV2 fehlgeschlagen: Allgemeiner Fehler Error changing the PIN: Allgemeiner Fehler 1 - change PIN 2 - unblock PIN 3 - change Admin PIN Q - quit Ihre Auswahl? q $gpg --card-status gpg: detected reader `Cherry SmartTerminal XX44 0' Application ID ...: D2760001240101010001000008530000 Version ..........: 1.1 Manufacturer .....: PPC Card Systems Serial number ....: 00000853 Name of cardholder: Dennis Heitmann Language prefs ...: de Sex ..............: männlich URL of public key : [nicht gesetzt] Login data .......: [nicht gesetzt] Private DO 1 .....: [nicht gesetzt] Private DO 2 .....: [nicht gesetzt] Signature PIN ....: zwingend Max. PIN lengths .: 254 254 254 PIN retry counter : 3 2 0 Signature counter : 0 Signature key ....: [none] Encryption key....: [none] Authentication key: [none] General key info..: [none] From dennis at discworld.ping.de Tue Mar 14 19:49:56 2006 
From: dennis at discworld.ping.de (Dennis Heitmann) Date: Tue Mar 14 19:49:21 2006 Subject: Change PIN on OpenPGP-Card with Cherry SmartTerminal ST-1044 In-Reply-To: <4416D099.8070906@discworld.ping.de> References: <4416D099.8070906@discworld.ping.de> Message-ID: <44171054.7060309@discworld.ping.de> Sorry for posting 3 times, but the mailinglist-server response was so slow. Additional info: Cherry says that the reader is compatible with the Omnikey CardMan 3121. Dennis Dennis Heitmann wrote: > I just rendered my expensive OpenPGP Card useless. > I tried to change the Admin PIN 3 times. I typed the right Admin PIN > (12345678), but GnuPG maybe cannot communicate properly with the "Cherry > SmartTerminal ST-1044" > I thought the timer would not count, because there was an I/O-Error, but > that is not right. > Is there any information why it does not work? > [cut] From dennis at discworld.ping.de Tue Mar 14 20:07:21 2006 
From: dennis at discworld.ping.de (Dennis Heitmann) Date: Tue Mar 14 20:06:32 2006 Subject: Change PIN on OpenPGP-Card with Cherry SmartTerminal ST-1044 In-Reply-To: <44171054.7060309@discworld.ping.de> References: <4416D099.8070906@discworld.ping.de> <44171054.7060309@discworld.ping.de> Message-ID: <44171469.8040108@discworld.ping.de> The error message under linux: gpg: pcsc_transmit failed: not transacted (0x80100016) gpg: apdu_send_simple(0) failed: card I/O error gpg: Prüfung des CHV2 fehlgeschlagen: Allgemeiner Fehler Error changing the PIN: Allgemeiner Fehler From michael at vorlon.ping.de Tue Mar 14 23:42:52 2006 
From: michael at vorlon.ping.de (Michael Bienia) Date: Tue Mar 14 23:51:20 2006 Subject: OpenPGP card and signing In-Reply-To: <44166F8E.4020401@sara.nl> References: <20060313234654.GA21493@vorlon.ping.de> <44166F8E.4020401@sara.nl> Message-ID: <20060314224252.GA11976@vorlon.ping.de> On 2006-03-14 08:23:58 +0100, Remco Post wrote: > Michael Bienia wrote: > > Hello, > > > > does signing with the OpenPGP card only work with SHA1 as digest-algo? > > > > With SHA1 and RIPEMD160 gpg asks for the PIN but only SHA1 generates a > > working signature. Trying RIPEMD160 I get: > > | gpg: checking created signature failed: bad signature > > | gpg: signing failed: bad signature > > | gpg: signing failed: bad signature > > > > From the basiccard website I read that it only supports sha-1, so this > might be true. I noticed the same just recently. A friend who uses his OpenPGP card with enigmail under windows can successfully create a RIPEMD160 signature. I could also create one if I use gpg with pcscd. Can someone explain me, why it works if I use gpg with pcscd and not if I use gpg alone? Michael From r.post at sara.nl Wed Mar 15 00:29:00 2006 
From: r.post at sara.nl (Remco Post) Date: Wed Mar 15 00:28:44 2006 Subject: OpenPGP card and signing In-Reply-To: <20060314224252.GA11976@vorlon.ping.de> References: <20060313234654.GA21493@vorlon.ping.de> <44166F8E.4020401@sara.nl> <20060314224252.GA11976@vorlon.ping.de> Message-ID: <441751BC.40804@sara.nl> Michael Bienia wrote: > On 2006-03-14 08:23:58 +0100, Remco Post wrote: >> Michael Bienia wrote: >>> Hello, >>> >>> does signing with the OpenPGP card only work with SHA1 as digest-algo? >>> >>> With SHA1 and RIPEMD160 gpg asks for the PIN but only SHA1 generates a >>> working signature. Trying RIPEMD160 I get: >>> | gpg: checking created signature failed: bad signature >>> | gpg: signing failed: bad signature >>> | gpg: signing failed: bad signature >>> >> From the basiccard website I read that it only supports sha-1, so this >> might be true. I noticed the same just recently. > > A friend who uses his OpenPGP card with enigmail under windows can > successfully create a RIPEMD160 signature. > I could also create one if I use gpg with pcscd. > > Can someone explain me, why it works if I use gpg with pcscd and not if > I use gpg alone? > gpg alone means gpg with ccid I guess, this might indicate a difference in implementation between the ccid and the pcsc parts of the implementation, where the ccid part might not work as designed... > Michael > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -- Met vriendelijke groeten, Remco Post SARA - Reken- en Netwerkdiensten http://www.sara.nl High Performance Computing Tel. +31 20 592 3000 Fax. +31 20 668 3167 PGP Key fingerprint = 6367 DFE9 5CBC 0737 7D16 B3F6 048A 02BF DC93 94EC "I really didn't foresee the Internet. But then, neither did the computer industry. Not that that tells us very much of course - the computer industry didn't even foresee that the century was going to end." 
-- Douglas Adams From msimon at adartis.de Wed Mar 15 10:21:05 2006 From: msimon at adartis.de (msimon@adartis.de) Date: Wed Mar 15 11:56:18 2006 Subject: How to view non-default keyrings ? Message-ID: <1896.212.168.164.28.1142414465.squirrel@webmail.adartis.de> I've got my default Keyring and some separated keyrings, which I'd like to view. How can I list the keys in a non-default-keyring ? I don't want to import these keyrings as long as I don't know which keys are in there. From alphasigmax at gmail.com Wed Mar 15 13:14:10 2006 From: alphasigmax at gmail.com (Alphax) Date: Wed Mar 15 13:14:24 2006 Subject: How to view non-default keyrings ? In-Reply-To: <1896.212.168.164.28.1142414465.squirrel@webmail.adartis.de> References: <1896.212.168.164.28.1142414465.squirrel@webmail.adartis.de> Message-ID: <44180512.5090107@gmail.com> msimon@adartis.de wrote: > I've got my default Keyring and some > separated keyrings, which I'd like to view. > > How can I list the keys in a non-default-keyring ? > I don't want to import these keyrings as long as I don't know > which keys are in there. > > Use --keyring on the command line, or without the -- in your config file. A ~/ in will be expanded to $HOME, and if no path details are given it is assumed that the file is in $GNUPGHOME (usually ~/.gnupg/). -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards http://tinyurl.com/cc9up | / \ From pgp_dev at sympatico.ca Wed Mar 15 17:36:09 2006 
From: pgp_dev at sympatico.ca (Michael Conahan) Date: Wed Mar 15 17:36:38 2006 Subject: Need to test with a PGP Universal Server user In-Reply-To: Message-ID: Does anybody know how I can get my hands on a PGP Universal Server test harness? I would like to test my app with PGP Universal Server, and finding users to test with has been difficult. Any ideas? Michael >From: "Michael Conahan" >To: gnupg-users@gnupg.org >Subject: Need to test with a PGP Universal Server user >Date: Mon, 13 Mar 2006 16:48:35 +0000 > >Hi folks, > > I need help to test the interoperability of my custom PGP app with other >PGP apps. One example is that I like to test my app with a PGP Universal >Server user. I'd be interested in testing with other 'not-for-free' PGP >products too. Is anybody available for a quick test? If so, please let me >know. > > >Thanks, > >Michael > > > >_______________________________________________ >Gnupg-users mailing list >Gnupg-users@gnupg.org >http://lists.gnupg.org/mailman/listinfo/gnupg-users From daniel-gnupg-users at rio-grande.ping.de Wed Mar 15 18:10:28 2006 
From: daniel-gnupg-users at rio-grande.ping.de (Daniel Hess) Date: Wed Mar 15 19:56:35 2006 Subject: OpenPGP card and signing In-Reply-To: <20060314224252.GA11976@vorlon.ping.de> References: <20060313234654.GA21493@vorlon.ping.de> <44166F8E.4020401@sara.nl> <20060314224252.GA11976@vorlon.ping.de> Message-ID: <20060315171028.GA20211@rio-grande.ping.de> Hello, as my last mail did not get through, here is a new one (maybe the list-moderators could drop the old one). On Tue, Mar 14, 2006 at 11:42:52PM +0100, Michael Bienia wrote: > On 2006-03-14 08:23:58 +0100, Remco Post wrote: > > Michael Bienia wrote: > > > does signing with the OpenPGP card only work with SHA1 as digest-algo? > > > > > > With SHA1 and RIPEMD160 gpg asks for the PIN but only SHA1 generates a > > > working signature. Trying RIPEMD160 I get: > > > | gpg: checking created signature failed: bad signature > > > | gpg: signing failed: bad signature > > > | gpg: signing failed: bad signature > > > > > > > From the basiccard website I read that it only supports sha-1, so this > > might be true. I noticed the same just recently. The "OpenPGP Card 1.1" specification mentions that ripemd as digest (page 35). > A friend who uses his OpenPGP card with enigmail under windows can > successfully create a RIPEMD160 signature. > I could also create one if I use gpg with pcscd. I could do even without pcscd. > Can someone explain me, why it works if I use gpg with pcscd and not if > I use gpg alone? What Michael has not mentioned was, that he (as well as I) do use gpg-agent. Using the agent enables openssh to use the key for public-key auth. When using the --use-agent switch (with gpg), the agent will communicate to the openpgp card using scdaemon. To sign a message gpg will send a PKSIGN command along with the Data to sign (e.g. the fingerprint of a message). What is missing is the information about which digest (e.g. sha1 or ripemd160) has been used to create the fingerprint that should be signed by scdaemon. 
In scd/command.c PKSIGN gets mapped to the function cmd_pksig which sets sha1 as digest when calling app_sign. As this information gets part of the pgp block which contains the signed data a sha1 signature with the ripemd160 hash is created. This obviously ends in a bad signature. Altering the call to app_sign by replacing GCRY_MD_SHA1 with GCRY_MD_RMD160 enables gpg to create valid ripemd160 signatures, but also makes it impossible to create sha1 signatures. Maybe gpg and gpg-agent could get altered to pass the digest along with the call to PKSIGN? This would be a real improvement :) Hope that one of the gnupg developers can say something about this. TIA Daniel From stef at caunter.ca Thu Mar 16 07:10:25 2006 From: stef at caunter.ca (Stef Caunter) Date: Thu Mar 16 08:56:44 2006 Subject: batch mode lack of randomness FreeBSD Message-ID: I'm sure I have just missed this in the archives, but I cannot see mention of a way to get sufficient randomness when running gpg remotely in a shell account to batch generate key pairs, i.e. gpg --gen-key --batch tmp where tmp is populated according to doc/DETAILS example. Here is what I've done to help randomness. I'm just a user on this system so my options for IRQ mapping to acquire randomness are limited: I've started a child process that continually writes to a disk file during the --gen-key --batch job... I have populated ~/.gnupg/random_seed with 600 bytes from /dev/urandom I have asked the admin to add IRQs to rndcontrol. Is this just the way it is on FreeBSD (4.11-RELEASE)? There is plenty of randomness in /dev/urandom, and none in /dev/random... Stef http://caunter.ca/contact.html From msimon at adartis.de Thu Mar 16 09:35:47 2006 
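
The digest-label mismatch Daniel Hess describes above for PKSIGN (a RIPEMD160 hash signed as if it were SHA-1) can be reproduced in a short simulation. This is an added example, not code from GnuPG or from any poster: it assumes RSA with EMSA-PKCS1-v1_5 and the DigestInfo prefixes of RFC 4880, and the toy key, the function names (`scd_sign` stands in for the `app_sign` call) and the sample digests are constructed for the demonstration.

```python
import hashlib
import hmac

# DigestInfo prefixes from RFC 4880, section 5.2.2. SHA-1 and RIPEMD-160 both
# produce 20 bytes, so a wrong label cannot be noticed from the hash length.
DIGESTINFO_PREFIX = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "ripemd160": bytes.fromhex("3021300906052b2403020105000414"),
}

# Toy RSA key, constructed for this demo from two Mersenne primes. Insecure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes

# Constructed sample inputs. The RIPEMD-160 value is the published test
# vector for "abc", hard-coded because many OpenSSL builds disable RIPEMD-160.
RMD160_ABC = bytes.fromhex("8eb208f7e05d987a9b044a8e98c6b087f15a0bfc")
SHA1_ABC = hashlib.sha1(b"abc").digest()


def emsa_pkcs1_v15(algo, digest):
    """Build 00 01 FF..FF 00 || DigestInfo(algo) || digest, K bytes long."""
    if len(digest) != 20:
        raise ValueError("expected a 160-bit digest")
    t = DIGESTINFO_PREFIX[algo] + digest
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def scd_sign(digest, algo_assumed_by_signer):
    """Hypothetical stand-in for the signing side: it only receives the raw
    digest and wraps it with the prefix of the algorithm it assumes."""
    em = emsa_pkcs1_v15(algo_assumed_by_signer, digest)
    return pow(int.from_bytes(em, "big"), D, N).to_bytes(K, "big")


def verify(signature, digest, algo_in_signature_packet):
    """Verifier rebuilds the encoding from the algorithm named in the
    signature packet and compares it with the decrypted signature."""
    em = pow(int.from_bytes(signature, "big"), E, N).to_bytes(K, "big")
    expected = emsa_pkcs1_v15(algo_in_signature_packet, digest)
    return hmac.compare_digest(em, expected)


def embedded_label(signature):
    """Diagnostic: which DigestInfo prefix is really inside the signature?"""
    em = pow(int.from_bytes(signature, "big"), E, N).to_bytes(K, "big")
    body = em[em.index(b"\x00", 2) + 1:]
    for name, prefix in DIGESTINFO_PREFIX.items():
        if body.startswith(prefix):
            return name
    return None


def demo():
    """Return the outcomes of the cases discussed in the thread."""
    mislabelled = scd_sign(RMD160_ABC, "sha1")      # signer hard-codes SHA-1
    matched = scd_sign(RMD160_ABC, "ripemd160")     # digest algo passed along
    swapped = scd_sign(SHA1_ABC, "ripemd160")       # hard-code RMD160 instead
    return {
        "rmd160 hash, signer assumes sha1": verify(mislabelled, RMD160_ABC, "ripemd160"),
        "label found inside that signature": embedded_label(mislabelled),
        "rmd160 hash, signer told rmd160": verify(matched, RMD160_ABC, "ripemd160"),
        "sha1 hash, signer assumes rmd160": verify(swapped, SHA1_ABC, "sha1"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The last case mirrors the observation in the message that swapping the hard-coded constant only moves the failure to SHA-1; the signer has to be told which digest algorithm produced the hash.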
From: msimon at adartis.de (msimon@adartis.de) Date: Thu Mar 16 09:35:01 2006 Subject: How to view non-default keyrings ? In-Reply-To: <44180512.5090107@gmail.com> References: <1896.212.168.164.28.1142414465.squirrel@webmail.adartis.de> <44180512.5090107@gmail.com> Message-ID: <1322.212.168.164.28.1142498147.squirrel@webmail.adartis.de> Thanks Alphax, didn't realize this command-line option. > msimon@adartis.de wrote: >> I've got my default Keyring and some >> separated keyrings, which I'd like to view. >> >> How can I list the keys in a non-default-keyring ? >> I don't want to import these keyrings as long as I don't know >> which keys are in there. >> >> > > Use --keyring on the command line, or without the -- in your > config file. A ~/ in will be expanded to $HOME, and if no path > details are given it is assumed that the file is in $GNUPGHOME (usually > ~/.gnupg/). > > -- > Alphax | /"\ > Encrypted Email Preferred | \ / ASCII Ribbon Campaign > OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards > http://tinyurl.com/cc9up | / \ > From og at pre-secure.de Thu Mar 16 10:43:06 2006 
From: og at pre-secure.de (Olaf Gellert)
Date: Thu Mar 16 10:41:31 2006
Subject: How to tell the gpg agent to forget a passphrase
Message-ID: <4419332A.6080505@pre-secure.de>

Hi,

is there any documentation on the commands that the gpg agent understands?

I am using gpg agent with Mozilla/Enigmail. This works fine. One thing that I am missing is how to tell the agent to forget the stored passphrases.

I know that I can use gpg-connect-agent to send commands directly to the agent. The command "clear_passphrase" sounds exactly like what I am looking for, but what argument does it require? I did not find any documents on the commands that the agent understands. That would be very much appreciated!

By the way: What does "--enable-ssh-support" do? Sounds like acting as a replacement for the ssh-agent?

Cheers, Olaf

--
Dipl.Inform. Olaf Gellert PRESECURE (R)
Senior Researcher, Consulting GmbH
Phone: (+49) 0700 / PRESECURE og@pre-secure.de

A daily view on Internet Attacks
https://www.ecsirt.net/sensornet

From malte.gell at gmx.de Thu Mar 16 16:22:35 2006
From: malte.gell at gmx.de (Malte Gell)
Date: Thu Mar 16 16:22:31 2006
Subject: add notation to self sig
In-Reply-To: <20060307221212.GI25580@asteria.noreply.org>
References: <20060307221212.GI25580@asteria.noreply.org>
Message-ID: <200603161622.36020.malte.gell@gmx.de>

Hi,

On Tuesday 07 March 2006 23:12, Peter Palfrader wrote:
> I wanted to add a notation to my self sig on my key by giving
> --cert-notation on the command line and then updating the cipher
>
> gpg --cert-notation preferred-email-encoding@pgp.com=pgpmime

This notation looks interesting, does any MUA or even GnuPG directly honor it and automagically use PGP/MIME or is it more a comment for correspondents?

Thanks
Malte

From tmz at pobox.com Thu Mar 16 17:54:53 2006
From: tmz at pobox.com (Todd Zullinger)
Date: Thu Mar 16 18:42:06 2006
Subject: How to tell the gpg agent to forget a passphrase
In-Reply-To: <4419332A.6080505@pre-secure.de>
References: <4419332A.6080505@pre-secure.de>
Message-ID: <20060316165453.GA16524@psilocybe.teonanacatl.org>

Olaf Gellert wrote:
> Hi,
>
> is there any documentation on the commands that the
> gpg agent understands?

info gnupg has documentation on gpg-agent. I'm not sure if it has all that you're looking for, but it should be a good start.

> I am using gpg agent with Mozilla/Enigmail. This works
> fine. One thing that I am missing is how to tell the
> agent to forget the stored passphrases.

Send the agent a SIGHUP. That will clear all stored passphrases.

> By the way: What does "--enable-ssh-support" do? Sounds
> like acting as a replacement for the ssh-agent?

It is. The info page has an example for how to do this.

--
Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
======================================================================
Every time I close the door on reality, it comes in through the windows.

From schof at dakim.com Fri Mar 17 20:16:25 2006
From: schof at dakim.com (John Schofield)
Date: Fri Mar 17 21:26:24 2006
Subject: How to receive keys from a keyserver when you don't have a key ID, using command-line.
Message-ID: <0187DB28-ADE3-4A6F-86D5-E685F7931C13@dakim.com>

I'm setting up an experimental private keyserver network and trying to write scripts to interact with it from the command-line. (OS: Ubuntu Linux 5.10)

Let's say that my script is asked to encrypt to a unique user ID. (All user IDs will be unique; this is a closed system and I can control that.)

If the local machine has the key in its keyring, it can just enter the following:

gpg -se -r $RECIPIENTID -o $TARGETFILE -u $SIGNINGID $SOURCEFILE

However, if the $RECIPIENTID does not exist in the local keyring, gpg fails. Fine. I should be able to request the key from the keyserver. But in order to request the key from the keyserver, I need the Key ID (ie 0xEE3A668A) rather than a unique identifier (unique.id. 12345678@testsystems.dakim.com).

But if I don't have the key, how do I get the Key ID? Do I have to store that separately and pass it to the script? Am I missing something obvious here?

--------------------------------------------------
John Schofield
Director, Information Technology
Director, DCFS
Dakim, Inc.
2121 Cloverfield Blvd. Suite 205
Santa Monica, CA 90404
www.dakim.com
(310) 566-1355 (direct)
(310) 829-1865 (fax)
schof@dakim.com (e-mail)
dakimschof (AIM)

From dshaw at jabberwocky.com Fri Mar 17 22:18:28 2006
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri Mar 17 22:17:54 2006
Subject: How to receive keys from a keyserver when you don't have a key ID, using command-line.
In-Reply-To: <0187DB28-ADE3-4A6F-86D5-E685F7931C13@dakim.com>
References: <0187DB28-ADE3-4A6F-86D5-E685F7931C13@dakim.com>
Message-ID: <20060317211828.GD13241@jabberwocky.com>

On Fri, Mar 17, 2006 at 11:16:25AM -0800, John Schofield wrote:
> I'm setting up an experimental private keyserver network and trying
> to write scripts to interact with it from the command-line. (OS:
> Ubuntu Linux 5.10)
>
> Let's say that my script is asked to encrypt to a unique user ID.
> (All user IDs will be unique; this is a closed system and I can
> control that.)
>
> If the local machine has the key in its keyring, it can just enter
> the following:
> gpg -se -r $RECIPIENTID -o $TARGETFILE -u $SIGNINGID $SOURCEFILE
>
> However, if the $RECIPIENTID does not exist in the local keyring, gpg
> fails. Fine. I should be able to request the key from the keyserver.
> But in order to request the key from the keyserver, I need the Key ID
> (ie 0xEE3A668A) rather than a unique identifier (unique.id.
> 12345678@testsystems.dakim.com).

Upgrade to 1.4.3 when it comes out (or use the 1.4.3rc2, the latest release candidate). This version has a feature called auto-key-locate. Put:

auto-key-locate hkp://your.keyserver

in your gpg.conf. Then, when encrypting, if $RECIPIENTID is in the form of an email address (in your example it is), and that key is not on the local keyring, GPG will automatically fetch it from the keyserver.

David

From peter at palfrader.org Sat Mar 18 05:08:49 2006
From: peter at palfrader.org (Peter Palfrader)
Date: Sat Mar 18 05:27:59 2006
Subject: add notation to self sig
In-Reply-To: <200603161622.36020.malte.gell@gmx.de>
References: <20060307221212.GI25580@asteria.noreply.org> <200603161622.36020.malte.gell@gmx.de>
Message-ID: <20060318040849.GJ3805@asteria.noreply.org>

Malte Gell wrote on Thursday, 16 March 2006:
> On Tuesday 07 March 2006 23:12, Peter Palfrader wrote:
>
> > I wanted to add a notation to my self sig on my key by giving
> > --cert-notation on the command line and then updating the cipher
> >
> > gpg --cert-notation preferred-email-encoding@pgp.com=pgpmime
>
> This notation looks interesting, does any MUA or even GnuPG directly
> honor it and automagically use PGP/MIME or is it more a comment for
> correspondents?

The notation name came up on the IETF openpgp workinggroup's list a bit over a year ago[0]. I am not aware of anything in the Free Software world that uses it yet, but the PGP products by pgp.com do.

As far as I know (and that's all second hand, so don't blame me if it isn't correct), all versions PGP Universal, Satellite and Desktop 9.x should do it as long as they're not using MAPI. Oh, and PGP on the Blackberry doesn't either.

Peter

0 http://www.mhonarc.org/archive/html/ietf-openpgp/2005-01/msg00003.html

--
PGP signed and encrypted | .''`. ** Debian GNU/Linux **
messages preferred. | : :' : The universal
| `. `' Operating System
http://www.palfrader.org/ | `- http://www.debian.org/

From supraexpress at globaleyes.net Sun Mar 19 05:29:40 2006
From: supraexpress at globaleyes.net (User1001)
Date: Sun Mar 19 08:56:37 2006
Subject: decription directly from texteditor
References: <715400532@web.de> <200603031022.01061.yochanon__22195.2696018436$1141410199$gmane$org@localnet.com>
Message-ID:

Gnome2 text editor (gedit) gets a GnuPG plugin from Seahorse (GnuPG GUI interface application).

On Fri, 03 Mar 2006 10:22:00 -0600, John B wrote:
> On Friday 03 March 2006 06:25, smiling molecule wrote:
>> [quoted text muted]
> Kgpg has this editor built in. Just cut and paste the message into the
> editor and decrypt it using your passphrase.

From d.stoeckner at gmx.net Mon Mar 20 01:52:01 2006
From: d.stoeckner at gmx.net (Daniel Stöckner)
Date: Mon Mar 20 03:26:26 2006
Subject: URL returned error: 500 when sending key to server
Message-ID: <1142815922.16823.20.camel@lapp31000.local>

Hello,

I created a standard key-pair for my mail-address. When trying to send the key to one of the servers with:

gpg -v -v --keyserver subkeys.pgp.net --send-key

I get the following message:

gpg: sending key to hkp server subkeys.pgp.net
gpgkeys: HTTP post error 22: The requested URL returned error: 500

It is again and again reproducible.

Does that mean "Internal Server Error" as with http? I don't know what to do about this or even if I can do anything about this. I haven't found any solution here or with google. Any hint greatly appreciated! Thanks in advance!

-Daniel Stoeckner

From jharris at widomaker.com Mon Mar 20 03:43:41 2006
From: jharris at widomaker.com (Jason Harris)
Date: Mon Mar 20 04:12:40 2006
Subject: new (2006-03-19) keyanalyze results (+sigcheck)
Message-ID: <20060320024341.GA2229@wilma.widomaker.com>

New keyanalyze results are available at:

http://keyserver.kjsl.com/~jharris/ka/2006-03-19/

Signatures are now being checked using keyanalyze+sigcheck:

http://dtype.org/~aaronl/

Earlier reports are also available, for comparison:

http://keyserver.kjsl.com/~jharris/ka/

Even earlier monthly reports are at:

http://dtype.org/keyanalyze/

SHA-1 hashes and sizes for all the "permanent" files:

--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004

From jharris at widomaker.com Mon Mar 20 04:35:51 2006
From: jharris at widomaker.com (Jason Harris)
Date: Mon Mar 20 04:35:20 2006
Subject: URL returned error: 500 when sending key to server
In-Reply-To: <1142815922.16823.20.camel@lapp31000.local>
References: <1142815922.16823.20.camel@lapp31000.local>
Message-ID: <20060320033551.GA2604@wilma.widomaker.com>

On Mon, Mar 20, 2006 at 01:52:01AM +0100, Daniel Stöckner wrote:

> I created a standard key-pair for my mail-address. When trying to send
> the key to one of the servers with:
>
> gpg -v -v --keyserver subkeys.pgp.net --send-key
>
> I get the following message:
>
> gpg: sending key to hkp server subkeys.pgp.net
> gpgkeys: HTTP post error 22: The requested URL returned error: 500
>
> It is again and again reproducible.

195.113.19.83 (pks.gpg.cz) and 212.247.204.136 (party.nic.se) return this error for me, the other servers don't.

> Does that mean "Internal Server Error" as with http? I don't know what
> to do about this or even if I can do anything about this. I haven't
> found any solution here or with google. Any hint greatly appreciated!
> Thanks in advance!

Hopefully the admins of these servers will check their logs and reply.

--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004

From pchapin at sover.net Mon Mar 20 18:14:17 2006
From: pchapin at sover.net (Peter C. Chapin)
Date: Mon Mar 20 19:26:20 2006
Subject: Problem decrypting large file.
Message-ID:

Hello! I've googled a bit on this problem but I have not so far found anything helpful.

I am using gpg v1.4.2 on Windows (*not* the Cygwin version of gpg). I recently encrypted a rather large archive file... over 6 GBytes. However, when I tried to decrypt it using exactly the same gpg program, I get errors. Specifically the first 2.whatever GBytes decrypts fine and then I get:

gpg: [don't know]: invalid packet (ctb=0d)
File `backup.rar' exists. Overwrite? (y/N) y
gpg: [don't know]: invalid packet (ctb=07)
gpg: WARNING: message was not integrity protected
gpg: packet(6) with unknown version 205
gpg: fatal: cipher_decrypt: invalid mode 0
secmem usage: 1408/2208 bytes in 2/5 blocks of pool 2208/32768

In the screen capture above I selected "y" in response to the "Overwrite?" prompt. The additional lines were printed afterwards. After selecting "y" the output file was a small binary file with content that was meaningless to me. In other runs when I select "n" in response to "Overwrite" my output file is incomplete but otherwise fine. That is, the Rar program can extract the files without any problems but complains about an "unexpected end of file" when it finds the archive cut off.

I'm not sure what this error is telling me or if there is a way to force gpg to move past it and attempt to decrypt the rest of the file. I can live with a corrupt file or two, but I'd like to get at the other 4 GBytes or so of my archive (I'm trying to restore my system after a hard drive failure).

If gpg can't move past the error is it feasible to reach into the encrypted file and "manually" modify the packet type to get gpg through it? I'm prepared to write a program to do this and to study RFC-2440 to figure out what such a program would need to do. Obviously I'd rather not go through that trouble if it's not necessary. I understand it might not even be possible.
Any advice you folks can offer would be much appreciated. Thanks!

Peter

From alphasigmax at gmail.com Tue Mar 21 09:41:12 2006
From: alphasigmax at gmail.com (Alphax)
Date: Tue Mar 21 09:41:28 2006
Subject: Problem decrypting large file.
In-Reply-To:
References:
Message-ID: <441FBC28.9040303@gmail.com>

Peter C. Chapin wrote:
> Hello! I've googled a bit on this problem but I have not so far found
> anything helpful.
>

http://lists.gnupg.org/pipermail/gnupg-users/2005-September/026646.html

http://lists.gnupg.org/pipermail/gnupg-users/2005-October/027259.html

http://lists.gnupg.org/pipermail/gnupg-users/2006-February/028073.html

and their replies.

--
Alphax | /"\
Encrypted Email Preferred | \ / ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards
http://tinyurl.com/cc9up | / \

From pchapin at sover.net Tue Mar 21 12:32:44 2006
From: pchapin at sover.net (Peter C. Chapin)
Date: Tue Mar 21 13:46:06 2006
Subject: Problem decrypting large file.
In-Reply-To: <441FBC28.9040303@gmail.com>
References: <441FBC28.9040303@gmail.com>
Message-ID:

On Tue, 21 Mar 2006, Alphax wrote:

> http://lists.gnupg.org/pipermail/gnupg-users/2005-September/026646.html
>
> http://lists.gnupg.org/pipermail/gnupg-users/2005-October/027259.html
>
> http://lists.gnupg.org/pipermail/gnupg-users/2006-February/028073.html
>
> and their replies.

Thanks for the links; I found them interesting. Alas, none of those messages contain any suggestions for how one might recover data from the (corrupted?) encrypted file. That's my primary concern at the moment. Also the workaround described in the September posts was shown to possibly not work in the October posts and no resolution was discussed. Am I to conclude that gpg simply can't reliably encrypt multi-gigabyte files on Win32?

Peter

From wk at gnupg.org Tue Mar 21 13:45:09 2006
From: wk at gnupg.org (Werner Koch)
Date: Tue Mar 21 13:52:04 2006
Subject: Change PIN on OpenPGP-Card with Cherry SmartTerminal ST-1044
In-Reply-To: <44171469.8040108@discworld.ping.de> (Dennis Heitmann's message of "14 Mar 2006 20:07:21 +0100")
References: <4416D099.8070906@discworld.ping.de> <44171054.7060309@discworld.ping.de> <44171469.8040108@discworld.ping.de>
Message-ID: <87zmjk7yqy.fsf@wheatstone.g10code.de>

On 14 Mar 2006 20:07:21 +0100, Dennis Heitmann said:

> gpg: pcsc_transmit failed: not transacted (0x80100016)
> gpg: apdu_send_simple(0) failed: card I/O error

That is a catch all error of the underlying ifd-handler. I have never tried that board with the PCSC driver. It works fine when using the internal GnuPG driver.

I am sorry that you burned your card. In general it is always advisable to take some caution when using a new reader device. And you should always start with the regular PIN, this gives you more tries in case something went wrong.

Using gpg with the option "--debug 2048" will show details of the card communication.

Salam-Shalom,

Werner

From daniel.carrera at zmsl.com Tue Mar 21 12:13:20 2006
From: daniel.carrera at zmsl.com (Daniel Carrera)
Date: Tue Mar 21 13:56:17 2006
Subject: /dev/tty error
Message-ID: <441FDFD0.6080102@zmsl.com>

Hello,

I'm trying to use gpg on a remote server (the server has a copy of my public key, a file is encrypted there and my client downloads it by HTTP). I'm getting the following error:

gpg: cannot open /dev/tty: No such device or address

This is a Linux box (Red Hat I think). Do you know what this error means? What can I do to fix it?

Thank you for your help.

Cheers,
Daniel.
--
/\/`) http://opendocumentfellowship.org
/\/_/
/\/_/ A life? Sounds great!
\/_/ Do you know where I could download one?
/

From daniel.carrera at zmsl.com Tue Mar 21 13:13:16 2006
From: daniel.carrera at zmsl.com (Daniel Carrera)
Date: Tue Mar 21 13:56:37 2006
Subject: Help: /dev/tty error
Message-ID: <441FEDDC.8080707@zmsl.com>

Hello,

I'm trying to use gpg on a remote server (the server has a copy of my public key, a file is encrypted there and my client downloads it by HTTP). I'm getting the following error:

gpg: cannot open /dev/tty: No such device or address

This is a Linux box (Red Hat I think). Do you know what this error means? What can I do to fix it?

Thank you for your help.

Cheers,
Daniel.
--
/\/`) http://opendocumentfellowship.org
/\/_/
/\/_/ A life? Sounds great!
\/_/ Do you know where I could download one?
/

From wk at gnupg.org Tue Mar 21 14:10:52 2006
From: wk at gnupg.org (Werner Koch)
Date: Tue Mar 21 14:17:04 2006
Subject: [Announce] GnuPG does not detect injection of unsigned data
In-Reply-To: <200603101940.55221.jluehr@gmx.net> (Jan Luehr's message of "Fri, 10 Mar 2006 19:40:54 +0100")
References: <87d5gvh2kr.fsf@wheatstone.g10code.de> <200603101940.55221.jluehr@gmx.net>
Message-ID: <87veu87xk3.fsf@wheatstone.g10code.de>

On Fri, 10 Mar 2006 19:40:54 +0100, Jan Luehr said:

> well, this takes me to a difficult question:
> How much more are to come? (Have you begun a code audit? How long will it take
> then?)

Common wisdom tells that it is pretty ineffective for a developer to audit his own code. Despite that developers prefer writing new code, I would really like to put more time into quality assurance. First of all this means writing regression tests and more tests and still more tests. Then and only then we could start cleaning up the code to get rid of stuff required 8 years ago but which is by now mostly obsolete.

Without enough support contracts or other financial resources we can't really do that. David Wheeler's SLOCcount estimates the development effort for gnupg-1.4 at 30 person years. And that does not even take into account that GnuPG can't be estimated using the basic COCOMO; in reality it will be much higher. A code audit would be at least that expensive.

> I haven't been following the gnupg development so far, but imho the recent
> development of actions rater is rather disturbing - and these kind of bugs
> tend to disqualify gnupg from mission critical use.

Do you really believe it is different with other applications or even with the Linux, which is the most sensitive part of the OS? I do quick audits from time to time to figure out what application to use for a specific task: there is so much horrible flawed software in production use that I sometimes want to plug out the network cable immediately.
That is not to say that proprietary software is in any regard better; just to the contrary: all non free mass market software hampers from the problem that there is not enough quality checking. And well, who is going to do that?

Shalom-Salam,

Werner

p.s. Sorry for replying so late to some message; I accidentally unsubscribed from users and didn't notice.

From hhhobbit7 at netscape.net Tue Mar 21 14:45:47 2006
From: hhhobbit7 at netscape.net (Henry Hertz Hobbit)
Date: Tue Mar 21 14:45:39 2006
Subject: batch mode lack of randomness FreeBSD
Message-ID: <5F57E385.00AF3AC2.0307202B@netscape.net>

Stef Caunter wrote:

>I'm sure I have just missed this in the archives, but I cannot see
>mention of a way to get sufficient randomness when running gpg
>remotely in a shell account to batch generate key pairs, i.e.
>
>gpg --gen-key --batch tmp
>
>where tmp is populated according to doc/DETAILS example. Here is
>what I've done to help randomness. I'm just a user on this system
>so my options for IRQ mapping to acquire randomness are limited:
>
>I've started a child process that continually writes to a disk file
>during the --gen-key --batch job...
>
>I have populated ~/.gnupg/random_seed with 600 bytes from
>/dev/urandom
>
>I have asked the admin to add IRQs to rndcontrol.
>
>Is this just the way it is on FreeBSD (4.11-RELEASE)? There is
>plenty of randomness in /dev/urandom, and none in /dev/random...
>
>Stef
>http://caunter.ca/contact.html

Can you ask your admin to add the Entropy Gathering Daemon that is written in PERL?

http://www.gnupg.org/download/
(search for Entropy)

I can't speak as to the effectiveness or lack thereof of your method. I am tempted to say that it will probably work, but I may be wrong. The main point I worry about is when you generate your keys, not when encrypting stuff. Lucas, who is writing a book on encryption using both GnuPG and new style PGP uses FreeBSD and I believe he uses the EGD:

http://www.blackhelicopters.org/~mwlucas/reviewers.html

I have no idea how you can get to him because he has finally given up on email and your message may be considered to be trash. If I remember correctly, he did say in an email message that he was using the EGD (Entropy Gathering Daemon).

It sounds like you are on a multi-user system which is NOT a very good state of affairs.
If you have your own system, you can install any of the many good versions of Linux (make partitions with Partition Magic with an ext3 partitions for / & /home, another partition for SWAP yet another for a FAT32 partition to transfer files back and forth from Linux to MS Windows. Only the "/" partition needs to be a Primary partition. All the rest can be logicals.

Feel free to convert the PERL script to C if you don't think it runs fast enough. It is Gnu protected so that is permissible.

HHH

From gnupg at raphael.poss.name Tue Mar 21 14:58:40 2006
From: gnupg at raphael.poss.name (Raphaël Poss)
Date: Tue Mar 21 14:58:11 2006
Subject: batch mode lack of randomness FreeBSD
In-Reply-To:
References:
Message-ID: <44200690.9040802@raphael.poss.name>

Hi,

Stef Caunter wrote:

> I have populated ~/.gnupg/random_seed with 600 bytes from /dev/urandom

This is generally a very *bad* idea in terms of cryptography: /dev/urandom uses a pseudo-random generator with predictable results, (relatively) low random quality that is not suitable at all for generating secure key pairs. That is covered in the GnuPG documentation.

> I have asked the admin to add IRQs to rndcontrol.

This on the other hand is a pretty good idea.

> Is this just the way it is on FreeBSD (4.11-RELEASE)? There is plenty of
> randomness in /dev/urandom, and none in /dev/random...

It is always "the way it is" when you attempt to use the entropy pool on a remote system that you control through the network : there are simply not enough unpredictable physical events around the server to gather quickly more entropy. Also happens with linux, or other flavours of .

Mind that Henry Hertz Hobbit has a point here: you should not be generating keys that you intend to be secure using a remote shell access. Rationale for this is covered in the GnuPG documentation as well.

Regards,

--
Raphaël

From wk at gnupg.org Tue Mar 21 15:44:57 2006
From: wk at gnupg.org (Werner Koch)
Date: Tue Mar 21 15:47:00 2006
Subject: Problem decrypting large file.
In-Reply-To: (Peter C. Chapin's message of "Tue, 21 Mar 2006 06:32:44 -0500")
References: <441FBC28.9040303@gmail.com>
Message-ID: <87r74v97rq.fsf@wheatstone.g10code.de>

On Tue, 21 Mar 2006 06:32:44 -0500, Peter C Chapin said:

> the workaround described in the September posts was shown to possibly not
> work in the October posts and no resolution was discussed. Am I to
> conclude that gpg simply can't reliably encrypt multi-gigabyte files on

It definitely can. The safe way of doing so is by using i/o redirection; i.e.:

gpg -e plain.gpg

This way the size of PLAIN is irrelevant to gpg. The shell (cmd.exe) is responsible for opening the files the correct way.

Salam-Shalom,

Werner

From wk at gnupg.org Tue Mar 21 15:46:57 2006
From: wk at gnupg.org (Werner Koch)
Date: Tue Mar 21 15:51:56 2006
Subject: /dev/tty error
In-Reply-To: <441FDFD0.6080102@zmsl.com> (Daniel Carrera's message of "Tue, 21 Mar 2006 11:13:20 +0000")
References: <441FDFD0.6080102@zmsl.com>
Message-ID: <87mzfj97oe.fsf@wheatstone.g10code.de>

On Tue, 21 Mar 2006 11:13:20 +0000, Daniel Carrera said:

> This is a Linux box (Red Hat I think). Do you know what this error
> means? What can I do to fix it?

You need to give more information. Very likely you are running gpg without a TTY associated; there are enough mails with the same question as well as followups.

Hint: Use --batch and possibly --no-tty.

Shalom-Salam,

Werner

From wk at gnupg.org Tue Mar 21 15:52:19 2006
From: wk at gnupg.org (Werner Koch)
Date: Tue Mar 21 15:57:00 2006
Subject: batch mode lack of randomness FreeBSD
In-Reply-To: (Stef Caunter's message of "Thu, 16 Mar 2006 01:10:25 -0500 (EST)")
References:
Message-ID: <87fylb97fg.fsf@wheatstone.g10code.de>

On Thu, 16 Mar 2006 01:10:25 -0500 (EST), Stef Caunter said:

> I've started a child process that continually writes to a disk file during
> the --gen-key --batch job...

That won't help much. A better thing is

find /usr -type f | xargs cat >/dev/null

> Is this just the way it is on FreeBSD (4.11-RELEASE)? There is plenty of
> randomness in /dev/urandom, and none in /dev/random...

There is no randomness (well, entropy) in /dev/urandom at all if you read too much of it. Instead of blocking on low entropy as /dev/random does, /dev/urandom simply falls back into a pseudo random mode. Further, reading from /dev/urandom depletes the internal random pool and thus a read on /dev/random will block until you stop using /dev/urandom.

Salam-Shalom,

Werner

From pchapin at sover.net Tue Mar 21 16:27:22 2006
From: pchapin at sover.net (Peter C. Chapin)
Date: Tue Mar 21 16:27:37 2006
Subject: Problem decrypting large file.
In-Reply-To: <87r74v97rq.fsf@wheatstone.g10code.de>
References: <441FBC28.9040303@gmail.com> <87r74v97rq.fsf@wheatstone.g10code.de>
Message-ID:

On Tue, 21 Mar 2006, Werner Koch wrote:

> It definitely can. The safe way of doing so is by using i/o
> redirection; i.e.:
>
> gpg -e plain.gpg
>
> This way the size of PLAIN is irrelevant to gpg. The shell (cmd.exe)
> is responsible for opening the files the correct way.

Hmmm. The post here:

http://lists.gnupg.org/pipermail/gnupg-users/2005-October/027259.html

Describes a case where I/O redirection was used, and yet problems occurred anyway. Of course they might be different problems. I do not understand the error messages posted well enough to evaluate that possibility.

Peter

From daniel.carrera at zmsl.com Tue Mar 21 16:34:16 2006
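Added example, not part of any post in this archive: the `invalid packet (ctb=0d)` and `invalid packet (ctb=07)` messages quoted in the "Problem decrypting large file." thread concern the first octet of an OpenPGP packet header (RFC 2440, section 4.2), whose top bit must be set. The Python code below walks packet headers in a byte string and stops at the first octet that cannot start a packet; the function names and the sample bytes are constructed for illustration.

```python
"""Walk OpenPGP packet headers as laid out in RFC 2440, section 4.2."""

TAG_NAMES = {1: "public-key encrypted session key", 6: "public key",
             8: "compressed data", 9: "symmetrically encrypted data",
             11: "literal data"}


class InvalidPacket(ValueError):
    """Raised when the bytes at the current offset cannot be a packet header."""


def octets(buf, pos, n):
    """Return n octets starting at pos, or fail if the input ends first."""
    if pos + n > len(buf):
        raise InvalidPacket("input ends inside a packet at offset %d" % pos)
    return buf[pos:pos + n]


def new_length(buf, pos):
    """Decode one new-format length; return (body_len, length_octets, partial)."""
    first = octets(buf, pos, 1)[0]
    if first < 192:                            # one-octet length
        return first, 1, False
    if first < 224:                            # two-octet length
        second = octets(buf, pos + 1, 1)[0]
        return ((first - 192) << 8) + second + 192, 2, False
    if first == 255:                           # five-octet length, at most 2**32 - 1
        return int.from_bytes(octets(buf, pos + 1, 4), "big"), 5, False
    return 1 << (first & 0x1F), 1, True        # partial body length, more chunks follow


def walk(buf):
    """Return (packets, error).

    packets lists (offset, tag, body_len) for every header that parsed;
    error is None, or a message describing the first place parsing failed.
    """
    packets, pos = [], 0
    try:
        while pos < len(buf):
            start, ctb = pos, buf[pos]
            if not ctb & 0x80:                 # bit 7 must be set in every packet tag
                raise InvalidPacket("invalid packet (ctb=%02x) at offset %d" % (ctb, pos))
            pos += 1
            if ctb & 0x40:                     # new format: tag in bits 5-0
                tag, total, partial = ctb & 0x3F, 0, True
                while partial:                 # the body may arrive in several chunks
                    body_len, used, partial = new_length(buf, pos)
                    pos += used + body_len
                    total += body_len
            else:                              # old format: tag in bits 5-2
                tag, length_type = (ctb >> 2) & 0x0F, ctb & 0x03
                if length_type == 3:           # indeterminate: body runs to end of input
                    total = len(buf) - pos
                else:                          # 1-, 2- or 4-octet length
                    n = 1 << length_type
                    total = int.from_bytes(octets(buf, pos, n), "big")
                    pos += n
                pos += total
            if pos > len(buf):
                raise InvalidPacket("packet at offset %d is cut short" % start)
            packets.append((start, tag, total))
    except InvalidPacket as exc:
        return packets, str(exc)
    return packets, None


# Constructed sample: an old-format tag 1 packet with a 3-octet body, a new-format
# tag 9 packet sent as a 512-octet partial chunk plus a final 5-octet chunk, then
# two stray octets (0x0d, 0x07) that have bit 7 clear.
SAMPLE = (bytes([0x84, 0x03]) + b"\x00" * 3
          + bytes([0xC9, 0xE9]) + b"\xAA" * 512 + bytes([0x05]) + b"\xAA" * 5
          + bytes([0x0D, 0x07]))

if __name__ == "__main__":
    parsed, problem = walk(SAMPLE)
    for offset, tag, body_len in parsed:
        print("offset %d: tag %d (%s), %d body octets"
              % (offset, tag, TAG_NAMES.get(tag, "other"), body_len))
    print(problem)
```
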
From: daniel.carrera at zmsl.com (Daniel Carrera)
Date: Tue Mar 21 16:33:26 2006
Subject: /dev/tty error
In-Reply-To: <87mzfj97oe.fsf@wheatstone.g10code.de>
References: <441FDFD0.6080102@zmsl.com> <87mzfj97oe.fsf@wheatstone.g10code.de>
Message-ID: <44201CF8.60905@zmsl.com>

Werner Koch wrote:
>>This is a Linux box (Red Hat I think). Do you know what this error
>>means? What can I do to fix it?
>
> You need to give more information.

Yes, but I didn't know what else I should say.

> Very likely you are running gpg without a TTY associated;

I'm running it from a PHP script:

exec("gpg ...")

I guess that means I don't have a TTY. In any event, --batch helped. Thanks!

Cheers,
Daniel.
--
/\/`) http://opendocumentfellowship.org
/\/_/
/\/_/ A life? Sounds great!
\/_/ Do you know where I could download one?
/

From daniel.carrera at zmsl.com Tue Mar 21 16:55:02 2006
From: daniel.carrera at zmsl.com (Daniel Carrera)
Date: Tue Mar 21 16:54:22 2006
Subject: Error: "unusable public key"
Message-ID: <442021D6.4050108@zmsl.com>

Hello,

I'm having another problem, again not in the FAQ:

sql.gz: encryption failed: unusable public key

This happens when I try to encrypt a file with my public key.

This is what I'm trying to do: I want to backup a remote database regularly but I'd like to transmit it encrypted. So I want to run this command:

sqldump ... | gzip -c | gpg ... -o backup.gpg

And then send the file backup.gpg to the client. This should be more than enough for my needs.

So, I have gpg installed in the server. I imported my public key and I didn't see any errors. I went to the .gnupg directory and pubring.gpg is there and has a non-zero size. When I do a --list-keys on the server I see my public key there:

/path/to/.gnupg/pubring.gpg
--------------------------------------------------------
pub 1024D/42713DE9 2006-03-21 Daniel Carrera
sub 2048g/F2EB9C97 2006-03-21

I am trying to encrypt with the following command:

$ gpg -a --homedir /path/to/.gnupg -r daniel@theingots.org --batch -o sql.asc -e sql.gz

Note: The '-e sql.gz' is for testing. I'll replace this by a pipe later.

When I run this command from a PHP script I get this error:

gpg: F2EB9C97: There is no indication that this key really belongs to the owner
gpg: sql.gz: encryption failed: unusable public key

I don't care about the first line. I don't plan to have a secret key on the server. But that first line does show that it located the correct public key. I don't understand how the public key can be unusable if it can identify the key ID correctly. What are the chances of that?

Could it be that I don't have a secret key? Why would a secret key be required if I just want to encrypt?

Could it be because I'm running this from a PHP script? Why would that make the key unusable?
I'm sure I'm not the first person who has thought of putting gpg on a server and using only a public key for encryption. Help? Any suggestions would be most appreciated. Cheers, Daniel. -- /\/`) http://opendocumentfellowship.org /\/_/ /\/_/ A life? Sounds great! \/_/ Do you know where I could download one? / From jas at extundo.com Tue Mar 21 16:02:51 2006 
From: jas at extundo.com (Simon Josefsson) Date: Tue Mar 21 17:26:21 2006 Subject: How to sign with non-subkey? Message-ID: <87pskfzvqc.fsf@latte.josefsson.org> I recently created a signing sub-key (on a smartcard, if it matters) and gpg now use it by default. How do I sign messages using my non-subkey? I thought -u would do it, but it doesn't seem to work: jas@latte:~$ echo foo |gpg -a -s -v -u b565716f gpg: using subkey AABB1F7B instead of primary key B565716F gpg: writing to stdout gpg: using subkey AABB1F7B instead of primary key B565716F gpg: RSA/SHA1 signature from: "AABB1F7B Simon Josefsson " -----BEGIN PGP MESSAGE----- Version: GnuPG v1.4.2.2 (GNU/Linux) owGbwMvMwMS4XF34xKrd8tWMp7mSGFwURP6l5edzdZxiYWBkYjBhZQKJ6Io0MACB KAN/QXaibmJKSlFqcbFDel5pQbpeflF6VmKxQ2pFSWleSr5ecn4uAxenAMzQy+bM /4v/zBGfa+XAOvOGXqTUwQde0rPmL9P6KDS/8HLSjbKjN5fM+bfO0StszgfhZK0N R3X5lKuSzsUa1B5fWvKed/HOTZ9rbrUw8ZdwuT9d33bV/8xzcbFLe+y//76ttcg8 v3G1sbjG1kSh62GcnIEmgay1uU4C06ezaT7wbJ1222IN60yGD7w3DwAA =HgpN -----END PGP MESSAGE----- jas@latte:~$ The key details are: jas@latte:~$ gpg --edit-key b565716f gpg (GnuPG) 1.4.2.2; Copyright (C) 2005 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. Secret key is available. pub 1280R/B565716F created: 2002-05-05 expires: 2006-08-14 usage: CS trust: ultimate validity: ultimate sub 1280R/4D5D40AE created: 2002-05-05 expires: 2006-08-14 usage: E sub 1024R/09CC4670 created: 2006-03-18 expires: 2007-04-22 usage: A sub 1024R/AABB1F7B created: 2006-03-18 expires: 2007-04-22 usage: S sub 1024R/A14C401A created: 2006-03-18 expires: 2007-04-22 usage: E [ultimate] (1). Simon Josefsson [ultimate] (2) Simon Josefsson Command> jas@latte:~$ Thanks, Simon From mwlucas at blackhelicopters.org Tue Mar 21 14:59:39 2006 
From: mwlucas at blackhelicopters.org (Michael W. Lucas) Date: Tue Mar 21 17:26:33 2006 Subject: batch mode lack of randomness FreeBSD In-Reply-To: <5F57E385.00AF3AC2.0307202B@netscape.net> References: <5F57E385.00AF3AC2.0307202B@netscape.net> Message-ID: <20060321135939.GA16626@bewilderbeast.blackhelicopters.org> On Tue, Mar 21, 2006 at 08:45:47AM -0500, Henry Hertz Hobbit wrote: > Stef Caunter wrote: > >Is this just the way it is on FreeBSD (4.11-RELEASE)? There is > >plenty of randomness in /dev/urandom, and none in /dev/random... Definitely ask on freebsd-security@freebsd.org. > Can you ask your admin to add the Entropy Gathering Daemon that is > written in PERL? I believe you can install this and run it as a regular user, as well, but I might be wrong. > I can't speak as to the effectiveness or lack thereof of your method. > I am tempted to say that it will probably work, but I may be wrong. > The main point I worry about is when you generate your keys, not when > encrypting stuff. Lucas, who is writing a book on encryption using both > GnuPG and new style PGP uses FreeBSD and I believe he uses the EGD: > > http://www.blackhelicopters.org/~mwlucas/reviewers.html > Not on FreeBSD, but I've never had to generate large numbers of keys. > I have no idea how you can get to him because he has finally given > up on email and your message may be considered to be trash. I pay more attention to mailing lists than messages sent to me. Email is no longer a useful personal communications medium for me. :-( Good luck! ==ml -- Michael W. Lucas mwlucas@FreeBSD.org, mwlucas@BlackHelicopters.org http://www.BlackHelicopters.org/~mwlucas/ "The cloak of anonymity protects me from the nuisance of caring." -Non Sequitur From dshaw at jabberwocky.com Tue Mar 21 17:34:09 2006 
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue Mar 21 17:33:25 2006
Subject: How to sign with non-subkey?
In-Reply-To: <87pskfzvqc.fsf@latte.josefsson.org>
References: <87pskfzvqc.fsf@latte.josefsson.org>
Message-ID: <20060321163409.GA14972@jabberwocky.com>

On Tue, Mar 21, 2006 at 04:02:51PM +0100, Simon Josefsson wrote:
> I recently created a signing sub-key (on a smartcard, if it matters)
> and gpg now use it by default. How do I sign messages using my
> non-subkey? I thought -u would do it, but it doesn't seem to work:
>
> jas@latte:~$ echo foo |gpg -a -s -v -u b565716f
> gpg: using subkey AABB1F7B instead of primary key B565716F
> gpg: writing to stdout

Put a ! after the key ID to tell GPG that you want that exact key.

David

From wk at gnupg.org Tue Mar 21 20:17:34 2006
From: wk at gnupg.org (Werner Koch)
Date: Tue Mar 21 20:35:55 2006
Subject: [Announce] GPA 0.7.3 released
Message-ID: <87wten1ub5.fsf@wheatstone.g10code.de>

Skipped content of type multipart/signed

From alphasigmax at gmail.com Wed Mar 22 03:57:24 2006
From: alphasigmax at gmail.com (Alphax)
Date: Wed Mar 22 03:57:44 2006
Subject: Error: "unusable public key"
In-Reply-To: <442021D6.4050108@zmsl.com>
References: <442021D6.4050108@zmsl.com>
Message-ID: <4420BD14.8040303@gmail.com>

Daniel Carrera wrote:
> Hello,
>
> I'm having another problem, again not in the FAQ:
>
> sql.gz: encryption failed: unusable public key
>
> This happens when I try to encrypt a file with my public key.
>
> /path/to/.gnupg/pubring.gpg
> --------------------------------------------------------
> pub 1024D/42713DE9 2006-03-21 Daniel Carrera
> sub 2048g/F2EB9C97 2006-03-21
>
>
> I am trying to encrypt with the following command:
>
> $ gpg -a --homedir /path/to/.gnupg -r daniel@theingots.org --batch -o
> sql.asc -e sql.gz
>
> Note: The '-e sql.gz' is for testing. I'll replace this by a pipe later.
>
> When I run this command from a PHP script I get this error:
>
> gpg: F2EB9C97: There is no indication that this key really belongs to
> the owner
> gpg: sql.gz: encryption failed: unusable public key
>

You haven't specified that the key is trusted in the local trustdb. You'll need to either remote login and:

    $ gpg --edit 0x42713DE9
    Command> trust
    Please decide how far you trust this user to correctly verify other users' keys
    (by looking at passports, checking fingerprints from different sources, etc.)

      1 = I don't know or won't say
      2 = I do NOT trust
      3 = I trust marginally
      4 = I trust fully
      5 = I trust ultimately
      m = back to the main menu

    Your decision? 4

or add the option

    --trust-model always

to your gpg execution command, i.e.

    $ gpg -a --homedir /path/to/.gnupg --trust-model always -r daniel@theingots.org --batch -o sql.asc -e sql.gz

or add

    trust-model always

to your .gnupg/gpg.conf file.

HTH,
-- 
                Alphax               |   /"\
      Encrypted Email Preferred      |   \ /  ASCII Ribbon Campaign
     OpenPGP key ID: 0xF874C613      |    X   Against HTML email & vCards
     http://tinyurl.com/cc9up        |   / \

From erpo41 at hotpop.com Wed Mar 22 09:11:39 2006
From: erpo41 at hotpop.com (Eric)
Date: Wed Mar 22 09:27:51 2006
Subject: Network Neutrality
In-Reply-To: <441AD129.7020400@techsanctuary.com>
References: <441AD129.7020400@techsanctuary.com>
Message-ID: <1143015099.4315.31.camel@localhost.localdomain>

On Fri, 2006-03-17 at 07:09 -0800, Robert Wohleb wrote:
> This morning I was
> surprised to find my download and upload speed higher than normal. Hell,
> a 2.8GB download is supposed to complete in 12 hours. That hasn't
> happened for a while on Cox. Hopefully this isn't a fluke. I'll report
> back if this keeps up.

As far as I can tell, Cox stopped sniping bittorrent and gnutella connections with reset packets the day or the day after I told them that I'd expose their practices. Maybe they started again afterwards. Or maybe they only stopped corrupting my and my friends' traffic. If encrypting your connections gives a speed boost, then maybe some more investigating needs to be done.

> I'm sure it is also only a matter of time before
> Cox gets around this if this is really helping.

I doubt it. Provided that bittorrent end to end encryption means something akin to Diffie-Hellman key exchange at the start of each connection, there are two ways "around" this, that I can think of, both of which suck for Cox:

1. Content-based whitelisting, meaning you can't make any kind of connection in or out unless Cox can identify the type of traffic by its content. If Cox can't determine the content of the connection because it's encrypted and Cox has not broken the encryption, then Cox terminates the connection. This would mean lots of work for Cox, and lots of support calls from lots of unhappy customers ("My streaming video never works!" "I'm sorry, but we haven't programmed our systems to track all of your streaming video viewing yet. You'll have to wait.").

2. A man in the middle attack, meaning Cox decides to break the encryption, which is a mostly straightforward process in this case. This creates several interesting problems.

The first is that Cox would have to attempt such an attack on each unidentifiable connection ("Oh, that's not HTTP. Better mess with it."). The result would be that any connection using a protocol that Cox's system isn't set up to interpret and that is NOT using bittorrent end to end encryption (think multiplayer games, NFS, whatever) would almost certainly be corrupted. This is maybe worse for the end user than whitelisting.

The second is that provided Cox wants to keep its activities secret (as seems to be the case so far), it would have to throttle encrypted bittorrent connections instead of terminating them entirely. That would mean that a Cox computer would have to participate in each encrypted connection from start to finish. Let's be conservative and say that there are 5,000 bittorrent connections in and out of Humboldt County via Cox's network at any given time. Then Cox's servers would have to perform the encrypting and decrypting work normally parcelled out to 10,000 home PCs continuously.*

Eric

*P.S. There is a neat game to be played here. Suppose that Cox can purchase enough computing power to do the job (hardware+software+electricity+maintenance), and that the massive P2P throttling system pays for itself in bandwidth savings. Then suppose peer to peer developers start layering symmetric ciphers. Then the CPUs participating in the peer to peer network will be a little more loaded down, but Cox will need a much larger throttle farm to do the job. Will P2P users not be able to participate in the network because they don't have fast enough computers to do all the encryption? Or will Cox decide that the throttle farm costs more to operate than they are saving in bandwidth? Who will give up first?

From daniel.carrera at zmsl.com Wed Mar 22 10:23:27 2006
From: daniel.carrera at zmsl.com (Daniel Carrera)
Date: Wed Mar 22 10:22:36 2006
Subject: Error: "unusable public key"
In-Reply-To: <4420BD14.8040303@gmail.com>
References: <442021D6.4050108@zmsl.com> <4420BD14.8040303@gmail.com>
Message-ID: <4421178F.5080707@zmsl.com>

Alphax wrote:
> You haven't specified that the key is trusted in the local trustdb.

Thanks! That did it.

For some reason my gpg on the server didn't like the --trust-model option ("invalid option") either on the command line or in gpg.conf. But I updated the trustdb and that worked.

Cheers,
Daniel.
-- 
     /\/`)   http://opendocumentfellowship.org
    /\/_/
   /\/_/     A life? Sounds great!
   \/_/      Do you know where I could download one?
   /

From daniel.carrera at zmsl.com Wed Mar 22 10:49:34 2006
From: daniel.carrera at zmsl.com (Daniel Carrera)
Date: Wed Mar 22 10:49:51 2006
Subject: Force GPG to write a file?
Message-ID: <44211DAE.6020801@zmsl.com>

Hi all,

Last question :)

By default, gpg will refuse to write to a file (myfile.gpg) that already exists. Is there a way to change this behaviour?

I am running gpg on batch mode on a server to encrypt a database before downloading. So I need to temporarily store the encrypted file on the server. There are two ways to accomplish this:

1) Give Apache write permission to an entire directory, so it can add and delete files in that directory.

2) Give Apache write permission to just one file (myfile.gpg) and keep overwriting every time I download a new encrypted backup.

Right now I'm doing (1) but I guess that (2) would be better. But I can only do (2) if I can convince gpg to overwrite an existing file.

I looked at the man page and FAQs and I couldn't find this information.

Thank you for your help.

Cheers,
Daniel.
-- 
     /\/`)   http://opendocumentfellowship.org
    /\/_/
   /\/_/     A life? Sounds great!
   \/_/      Do you know where I could download one?
   /

From daniel.carrera at zmsl.com Wed Mar 22 11:24:16 2006
From: daniel.carrera at zmsl.com (Daniel Carrera) Date: Wed Mar 22 11:24:19 2006 Subject: Passphrase on the command line Message-ID: <442125D0.3090306@zmsl.com> Hello, This should be a simple question. What is the recommended way to decrypt a file from a script that runs on a cron job? This is what I have so far: cat passphrase | gpg -o MyData --passphrase-fd 0 -d MyData.asc Where 'passphrase' has the chmod permission 400. Is this the best option? Background: I want to setup a cron job to regularly download an encrypted backup of a database, decrypt it, and store it here (this computer then gets backed up onto tape drives). Thank you for your advice. Cheers, Daniel. -- /\/`) http://opendocumentfellowship.org /\/_/ /\/_/ A life? Sounds great! \/_/ Do you know where I could download one? / From peter at palfrader.org Wed Mar 22 14:29:07 2006 
From: peter at palfrader.org (Peter Palfrader)
Date: Wed Mar 22 14:28:24 2006
Subject: segfault in gnupg14 (was: How to sign with non-subkey?)
In-Reply-To: <87pskfzvqc.fsf@latte.josefsson.org>
References: <87pskfzvqc.fsf@latte.josefsson.org>
Message-ID: <20060322132907.GL1760@asteria.noreply.org>

On Tue, 21 Mar 2006, Simon Josefsson wrote:

> jas@latte:~$ echo foo |gpg -a -s -v -u b565716f
> gpg: using subkey AABB1F7B instead of primary key B565716F
> gpg: writing to stdout
> gpg: using subkey AABB1F7B instead of primary key B565716F
> gpg: RSA/SHA1 signature from: "AABB1F7B Simon Josefsson "
> -----BEGIN PGP MESSAGE-----
> Version: GnuPG v1.4.2.2 (GNU/Linux)
>
> owGbwMvMwMS4XF34xKrd8tWMp7mSGFwURP6l5edzdZxiYWBkYjBhZQKJ6Io0MACB
> KAN/QXaibmJKSlFqcbFDel5pQbpeflF6VmKxQ2pFSWleSr5ecn4uAxenAMzQy+bM
> /4v/zBGfa+XAOvOGXqTUwQde0rPmL9P6KDS/8HLSjbKjN5fM+bfO0StszgfhZK0N
> R3X5lKuSzsUa1B5fWvKed/HOTZ9rbrUw8ZdwuT9d33bV/8xzcbFLe+y//76ttcg8
> v3G1sbjG1kSh62GcnIEmgay1uU4C06ezaT7wbJ1222IN60yGD7w3DwAA
> =HgpN
> -----END PGP MESSAGE-----
> jas@latte:~$

While handling this block my gpg segfaulted.

| weasel@asteria:~$ gpg < blurb
| foo
| gpg: Signature made Tue Mar 21 16:00:14 2006 CET using RSA key ID AABB1F7B
|
| gpg: Segmentation fault caught ... exiting
| zsh: segmentation fault gpg < blurb

After enabling coredumps:

#0  0x08066b35 in is_valid_mailbox (name=0x20 ) at misc.c:1112
1112      return !( !name
(gdb) bt
#0  0x08066b35 in is_valid_mailbox (name=0x20 ) at misc.c:1112
#1  0x0806111c in get_pka_address (sig=0x8188cf0) at mainproc.c:1350
#2  0x08061198 in pka_uri_from_sig (sig=0x812f9c0) at mainproc.c:1377
#3  0x08062181 in check_sig_and_print (c=0x8133820, node=0x812faf8) at mainproc.c:1576
#4  0x080628cb in proc_tree (c=0x8133820, node=0x8131698) at mainproc.c:1965
#5  0x0805e84c in release_list (c=0x8133820) at mainproc.c:97
#6  0x08060ed1 in do_proc_packets (c=0x8133820, a=0x812d538) at mainproc.c:1323
#7  0x08060c8e in proc_packets (anchor=0x8188cf0, a=0x8188cf0) at mainproc.c:1135
#8  0x08054c22 in handle_compressed (procctx=0x8188cf0, cd=0x812d490, callback=0, passthru=0x8188cf0) at compress.c:326
#9  0x0805fcf8 in proc_compressed (c=0x8131638, pkt=0x812d480) at mainproc.c:756
#10 0x08060f28 in do_proc_packets (c=0x8131638, a=0x812d538) at mainproc.c:1281
#11 0x08060c8e in proc_packets (anchor=0x8188cf0, a=0x8188cf0) at mainproc.c:1135
#12 0x0804fc75 in main (argc=0, argv=0xbf9db188) at gpg.c:3736

full:

#0  0x08066b35 in is_valid_mailbox (name=0x20 ) at misc.c:1112
No locals.
#1  0x0806111c in get_pka_address (sig=0x8188cf0) at mainproc.c:1350
        pka = (pka_info_t *) 0x0
        nd = (struct notation *) 0x8188cf0
        notation = (struct notation *) 0x8188cf0
#2  0x08061198 in pka_uri_from_sig (sig=0x812f9c0) at mainproc.c:1377
No locals.
#3  0x08062181 in check_sig_and_print (c=0x8133820, node=0x812faf8) at mainproc.c:1576
        uri = 0x8188cf0 "\220\214\030\b@\212\030\b"
        sig = (PKT_signature *) 0x812f9c0
        astr = 0x810c42a "RSA"
        rc = 9
        is_expkey = 0
        is_revkey = 0
#4  0x080628cb in proc_tree (c=0x8133820, node=0x8131698) at mainproc.c:1965
        n1 = 0x812faf8
        rc = 135826672
#5  0x0805e84c in release_list (c=0x8133820) at mainproc.c:97
No locals.
#6  0x08060ed1 in do_proc_packets (c=0x8133820, a=0x812d538) at mainproc.c:1323
        pkt = (PACKET *) 0x8131790
        rc = 0
        any_data = 1
        newpkt = 0
[...]

Latest svn on ia32, debian sarge.

-- 
 PGP signed and encrypted  |  .''`.  ** Debian GNU/Linux **
    messages preferred.    | : :' :      The  universal
                           | `. `'      Operating System
 http://www.palfrader.org/ |   `-    http://www.debian.org/

From stef at caunter.ca Wed Mar 22 14:31:26 2006
From: stef at caunter.ca (Stef Caunter)
Date: Wed Mar 22 14:30:08 2006
Subject: Passphrase on the command line
In-Reply-To: <442125D0.3090306@zmsl.com>
References: <442125D0.3090306@zmsl.com>
Message-ID:

The documentation does not recommend this.

Since you appear to not want to store the ciphertext but the plaintext, an encrypted network transfer seems appropriate and less expensive. Write the backup to an ssh pipe instead of a temporary file.

Stef
http://caunter.ca/contact.html

On Wed, 22 Mar 2006, Daniel Carrera wrote:

> Hello,
>
> This should be a simple question. What is the recommended way to decrypt a
> file from a script that runs on a cron job? This is what I have so far:
>
> cat passphrase | gpg -o MyData --passphrase-fd 0 -d MyData.asc
>
> Where 'passphrase' has the chmod permission 400.
>
> Is this the best option?
>
> Background: I want to setup a cron job to regularly download an encrypted
> backup of a database, decrypt it, and store it here (this computer then gets
> backed up onto tape drives).

From daniel.carrera at zmsl.com Wed Mar 22 14:34:39 2006
From: daniel.carrera at zmsl.com (Daniel Carrera)
Date: Wed Mar 22 14:33:44 2006
Subject: Passphrase on the command line
In-Reply-To:
References: <442125D0.3090306@zmsl.com>
Message-ID: <4421526F.6090802@zmsl.com>

Stef Caunter wrote:
> The documentation does not recommend this.
>
> Since you appear to not want to store the ciphertext but the plaintext,
> an encrypted network transfer seems appropriate and less expensive.
> Write the backup to an ssh pipe instead of a temporary file.

Is there any documentation on how to do that?

Daniel.
-- 
     /\/`)   http://opendocumentfellowship.org
    /\/_/
   /\/_/     A life? Sounds great!
   \/_/      Do you know where I could download one?
   /

From gnupg at raphael.poss.name Wed Mar 22 14:46:42 2006
From: gnupg at raphael.poss.name (Raphaël Poss)
Date: Wed Mar 22 14:46:15 2006
Subject: Passphrase on the command line
In-Reply-To: <4421526F.6090802@zmsl.com>
References: <442125D0.3090306@zmsl.com> <4421526F.6090802@zmsl.com>
Message-ID: <44215542.8000301@raphael.poss.name>

> Is there any documentation on how to do that?

Say server A has the original data and server B has the backup. You can do from server A:

    backup_tool | ssh user@serverB dd of=/path/to/backup

or you can do from server B:

    ssh user@serverA backup_tool | dd of=/path/to/backup

Regards,

-- 
Raphaël

From anders at ostling.com Wed Mar 22 13:14:29 2006
From: anders at ostling.com (Anders Eriksson)
Date: Wed Mar 22 14:56:18 2006
Subject: [GPGOL] No keys found
Message-ID: <000001c64daa$2b483790$0300420a@ostling.sverige>

Hello!

I have just installed the latest WinPT and GPGOL on a Windows XP SP2, with Outlook 2003. The installation was successful and I have created my own set of keys and imported some friends public keys.

In WinPT I can sign and encrypt with my key and I can encrypt using my friends public keys.

BUT, in Outlook/GPGOL I create a new mail, select "Sign Message with GPG" and press Send. I now get a dialog, "Secret Key Dialog" which has a DropDown control that's EMPTY!

If I instead select "encrypt message with GPG" I get "Recipient Dialog", and my recipients are in the "Recipient which were not found" edit field.

So I'm guessing that GPGOL can't find my keys! I have checked preferences for GPG and GPGOL and they are all pointing to the directory where pubkeys.gpg and seckeys.gpg are.

Anyone that has a clue what the error is?

// Anders

From dshaw at jabberwocky.com Wed Mar 22 15:10:30 2006
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed Mar 22 15:09:49 2006
Subject: segfault in gnupg14 (was: How to sign with non-subkey?)
In-Reply-To: <20060322132907.GL1760@asteria.noreply.org> References: <87pskfzvqc.fsf@latte.josefsson.org> <20060322132907.GL1760@asteria.noreply.org> Message-ID: <20060322141030.GA17294@jabberwocky.com> On Wed, Mar 22, 2006 at 02:29:07PM +0100, Peter Palfrader wrote: > On Tue, 21 Mar 2006, Simon Josefsson wrote: > > > jas@latte:~$ echo foo |gpg -a -s -v -u b565716f > > gpg: using subkey AABB1F7B instead of primary key B565716F > > gpg: writing to stdout > > gpg: using subkey AABB1F7B instead of primary key B565716F > > gpg: RSA/SHA1 signature from: "AABB1F7B Simon Josefsson " > > -----BEGIN PGP MESSAGE----- > > Version: GnuPG v1.4.2.2 (GNU/Linux) > > > > owGbwMvMwMS4XF34xKrd8tWMp7mSGFwURP6l5edzdZxiYWBkYjBhZQKJ6Io0MACB > > KAN/QXaibmJKSlFqcbFDel5pQbpeflF6VmKxQ2pFSWleSr5ecn4uAxenAMzQy+bM > > /4v/zBGfa+XAOvOGXqTUwQde0rPmL9P6KDS/8HLSjbKjN5fM+bfO0StszgfhZK0N > > R3X5lKuSzsUa1B5fWvKed/HOTZ9rbrUw8ZdwuT9d33bV/8xzcbFLe+y//76ttcg8 > > v3G1sbjG1kSh62GcnIEmgay1uU4C06ezaT7wbJ1222IN60yGD7w3DwAA > > =HgpN > > -----END PGP MESSAGE----- > > jas@latte:~$ > > While handling this block my gpg segfaulted. > > | weasel@asteria:~$ gpg < blurb > | foo > | gpg: Signature made Tue Mar 21 16:00:14 2006 CET using RSA key ID AABB1F7B > | > | gpg: Segmentation fault caught ... exiting > | zsh: segmentation fault gpg < blurb Fixed, thanks! David From dshaw at jabberwocky.com Wed Mar 22 15:13:45 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Mar 22 15:12:59 2006 Subject: Force GPG to write a file? In-Reply-To: <44211DAE.6020801@zmsl.com> References: <44211DAE.6020801@zmsl.com> Message-ID: <20060322141345.GB17294@jabberwocky.com> On Wed, Mar 22, 2006 at 09:49:34AM +0000, Daniel Carrera wrote: > Hi all, > > Last question :) > By default, gpg will refuse to write to a file (myfile.gpg) that already > exists. Is there a way to change this behaviour? > > I am running gpg on batch mode on a server to encrypt a database before > downloading. 
So I need to temporarily store the encrypted file on the
> server. There are two ways to accomplish this:
>
> 1) Give Apache write permission to an entire directory, so it can add
> and delete files in that directory.
>
> 2) Give Apache write permission to just one file (myfile.gpg) and keep
> overwriting every time I download a new encrypted backup.
>
> Right now I'm doing (1) but I guess that (2) would be better. But I can
> only do (2) if I can convince gpg to overwrite an existing file.

--yes

David

From stef at caunter.ca Wed Mar 22 15:32:49 2006
From: stef at caunter.ca (Stef Caunter)
Date: Wed Mar 22 15:31:13 2006
Subject: Passphrase on the command line
In-Reply-To: <44215542.8000301@raphael.poss.name>
References: <442125D0.3090306@zmsl.com> <4421526F.6090802@zmsl.com> <44215542.8000301@raphael.poss.name>
Message-ID:

Here is my idiom; checking for success is vital. See openssh documentation for details on key-based shell access. Test for transparent access, if using gpg, test for undisturbed encryption with --batch.

You can pipe the dump (or tar) to gpg instead of gzip. File size will be reduced.

The dd command can also hit a tape, though this isn't always practical with nightly cron stuff.

    # $? here is the exit status of the last pipeline stage (ssh running dd)
    OK=`/sbin/dump -0 -f - / | gzip | /usr/bin/ssh x.x.x.x dd of=/path/ok.gz 2>/dev/null;echo $?`
    if [ "$OK" -ne 0 ]
    then
        echo "`date` `hostname` backup failed $OK" | mail you
        exit 1
    fi
    echo "`date` `hostname` backup $OK" | mail -s "`hostname` backup $OK" you

Stef Caunter
http://caunter.ca/contact.html

>
>> Is there any documentation on how to do that?
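Stef's idiom reads `$?` after the pipeline, which is the exit status of the last stage only (the ssh running dd), so a failed dump or gzip stage is reported as success. The following added example, which is not part of the original posts, records every stage's status in POSIX sh and replaces a local destination file only after a fully successful run (the overwrite case Daniel asked about); the function names, `BACKUP_TMP`, `FAILED_STAGE` and the stand-in stage commands are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Stage commands are passed as strings
# and run with "sh -c"; every function and variable name here is hypothetical.
# In the thread's terms the stages would be something like
#   '/sbin/dump -0 -f - /'   'gzip'   '/usr/bin/ssh x.x.x.x dd of=/path/ok.gz'

# What `a | b | c; echo $?` reports: the exit status of the LAST stage only.
last_stage_status() {
    sh -c "{ $1 ; } | { $2 ; } | { $3 ; }"
}

# Run producer | filter | sink and return the first non-zero status of ANY
# stage. FAILED_STAGE is set to 1, 2 or 3 (0 when every stage succeeded).
run_stages() {
    producer=$1 filter=$2 sink=$3
    FAILED_STAGE=0
    statdir=$(mktemp -d) || return 99

    # Each stage records its own status in a file, because the subshells of
    # a pipeline cannot hand variables back to the calling shell.
    { s=0; sh -c "$producer" || s=$?; echo "$s" > "$statdir/1"; } |
    { s=0; sh -c "$filter"   || s=$?; echo "$s" > "$statdir/2"; } |
    { s=0; sh -c "$sink"     || s=$?; echo "$s" > "$statdir/3"; }

    result=0
    for n in 1 2 3; do
        s=$(cat "$statdir/$n" 2>/dev/null || echo 98)   # 98: status missing
        if [ "$s" -ne 0 ] && [ "$result" -eq 0 ]; then
            result=$s
            FAILED_STAGE=$n
        fi
    done
    rm -rf "$statdir"
    return "$result"
}

# Write the pipeline output to DEST only when every stage succeeded, so a
# failed run never replaces the previous good backup with a truncated one.
safe_backup() {
    dest=$1
    BACKUP_TMP="$dest.part.$$"; export BACKUP_TMP
    status=0
    run_stages "$2" "$3" 'cat > "$BACKUP_TMP"' || status=$?
    if [ "$status" -eq 0 ]; then
        mv -f "$BACKUP_TMP" "$dest" || status=$?
    else
        rm -f "$BACKUP_TMP"
    fi
    return "$status"
}
```

With a remote sink as in the thread, the same rename-on-success step has to happen on the receiving host, since dd writes the destination file directly.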
From malayter at gmail.com Wed Mar 22 19:13:05 2006
From: malayter at gmail.com (Ryan Malayter)
Date: Wed Mar 22 19:12:53 2006
Subject: Network Neutrality
In-Reply-To: <1143015099.4315.31.camel@localhost.localdomain>
References: <441AD129.7020400@techsanctuary.com> <1143015099.4315.31.camel@localhost.localdomain>
Message-ID: <5d7f07420603221013k41279062kbc29df0969d4834e@mail.gmail.com>

On 3/22/06, Eric wrote:
> there are two ways "around" this, that I can think of, both
> of which suck for Cox:
>
> 1. Content-based whitelisting, meaning you can't make any kind of
> connection in or out unless Cox can identify the type of traffic by its
> content.
> ...
> 2. A man in the middle attack, meaning Cox decides to break the
> encryption, which is a mostly straightforward process in this case. This
> creates several interesting problems.
>

I think you're ignoring the fact that Cox can throttle your connection simply based on analysis of traffic volumes. They don't have to do any crypto at all, or inspect any packets deeply. Throttling rules would be set up that say "hey, here's one client getting data at high speed from a bunch of other folks simultaneously, and sending data quickly upstream to a bunch of people at the same time."

Such a rule would be fairly straightforward to implement by tracking a few simple counters per client. I imagine Packeteer and the other traffic-shaping vendors already have something along those lines available. Such traffic-pattern throttling wouldn't step on VPN or SSL connections, as they're typically from a single host to single host.

Basically, BitTorrent has a very unique traffic pattern that makes the encryption at best a temporary roadblock to traffic shapers. The vast majority of BT traffic is from copyright violators, so it's not like the impacted users will complain about the throttling in any official capacity. As for the impact on "legitimate" BT traffic like Linux distros... well, I'm sure Cox doesn't care one bit.
It's not like the Ubuntu project is going to sue Cox over BT traffic shaping.

-- 
RPM

From awolff at newbreed.com Wed Mar 22 17:23:32 2006
From: awolff at newbreed.com (Wolff, Alex)
Date: Wed Mar 22 22:56:29 2006
Subject: Error during MAKE
Message-ID: <862A39136A59664EB2DE1937B8B5BA961F5DC3E2@isgms001.newbreed.com>

I am getting the following error on MAKE for gpg1.4.2.2

    make[2]: *** No rule to make target `../cipher/libcipher.a', needed by `gpgsplit'. Stop.

This is a solaris9 box...was able to successfully install previously on another solaris9 box.

Anybody have a suggestion?

From vedaal at hush.com Thu Mar 23 00:58:31 2006
From: vedaal at hush.com (vedaal@hush.com)
Date: Thu Mar 23 00:57:58 2006
Subject: (no subject)
Message-ID: <200603222358.k2MNwVm7062446@mailserver3.hushmail.com>

was checking the key preferences in gnupg 1.4.2.2(MingW32)
with the SHOWPREF command,
and found all the algorithms listed except for twofish

the key accepts and decrypts messages done in twofish,
and works fine

have tested this for many of the keys and none of them display
twofish in the preferences

don't remember which version of gnupg did list twofish,
because i don't use showpref that often

is there anything new about new gnupg key-preferences that would
explain this ?

tia,

vedaal

From JPClizbe at comcast.net Thu Mar 23 01:26:35 2006
From: JPClizbe at comcast.net (John Clizbe)
Date: Thu Mar 23 01:26:43 2006
Subject: (no subject)
In-Reply-To: <200603222358.k2MNwVm7062446@mailserver3.hushmail.com>
References: <200603222358.k2MNwVm7062446@mailserver3.hushmail.com>
Message-ID: <4421EB3B.3090707@comcast.net>

vedaal@hush.com wrote:
> was checking the key preferences in gnupg 1.4.2.2(MingW32)
> with the SHOWPREF command,
> and found all the algorithms listed except for twofish
>
> the key accepts and decrypts messages done in twofish,
> and works fine
>
> have tested this for many of the keys and none of them display
> twofish in the preferences
>
> don't remember which version of gnupg did list twofish,
> because i don't use showpref that often
>
> is there anything new about new gnupg key-preferences that would
> explain this ?

It doesn't show up because it's not on the key's preference list. If you want a list of supported algorithms use --version

C:\WINDOWS>gpg --edit-key 0x7ee6202d showpref
Secret key is available.

pub  2048R/7EE6202D  created: 2004-10-20  expires: never  usage: SCE
                     trust: ultimate  validity: ultimate
[ultimate] (1). test key (test RSA S&E key)

[ultimate] (1). test key (test RSA S&E key)
     Cipher: AES256, AES192, AES, CAST5, 3DES, IDEA
     Digest: SHA1, RIPEMD160
     Compression: ZLIB, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify

Command> setpref aes256 aes192 aes cast5 3des twofish blowfish idea sha256 sha1 ripemd160 bzip2 zlib zip
Set preference list to:
     Cipher: AES256, AES192, AES, CAST5, 3DES, TWOFISH, BLOWFISH, IDEA
     Digest: SHA256, SHA1, RIPEMD160
     Compression: BZIP2, ZLIB, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify
Really update the preferences? (y/N) y

You need a passphrase to unlock the secret key for
user: "test key (test RSA S&E key) "
2048-bit RSA key, ID 7EE6202D, created 2004-10-20

pub  2048R/7EE6202D  created: 2004-10-20  expires: never  usage: SCE
                     trust: ultimate  validity: ultimate
[ultimate] (1). test key (test RSA S&E key)

Command> showpref
[ultimate] (1). test key (test RSA S&E key)
     Cipher: AES256, AES192, AES, CAST5, 3DES, TWOFISH, BLOWFISH, IDEA
     Digest: SHA256, SHA1, RIPEMD160
     Compression: BZIP2, ZLIB, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify

Command>quit

C:\WINDOWS>gpg --version
gpg (GnuPG) 1.4.3-cvs-curl-4079-2006-03-22
Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Home: C:/Documents and Settings//Application Data/GnuPG
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512
Compression: Uncompressed, ZIP, ZLIB, BZIP2

C:\WINDOWS>

-- 
John P. Clizbe                      Inet:   JPClizbe(a)comcast DOT nyet
Golden Bear Networks                PGP/GPG KeyID: 0x608D2A10
"Be who you are and say what you feel because those who mind don't matter
and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"

From sgarlick at gmail.com Thu Mar 23 01:31:30 2006
From: sgarlick at gmail.com (Simon H. Garlick)
Date: Thu Mar 23 01:31:02 2006
Subject: (no subject)
In-Reply-To: <200603222358.k2MNwVm7062446@mailserver3.hushmail.com>
References: <200603222358.k2MNwVm7062446@mailserver3.hushmail.com>
Message-ID: <49aa5b1b0603221631u591a576cvdb491c3a4e28cd52@mail.gmail.com>

On 3/23/06, vedaal@hush.com wrote:
> was checking the key preferences in gnupg 1.4.2.2(MingW32)
> with the SHOWPREF command,
> and found all the algorithms listed except for twofish
>
> the key accepts and decrypts messages done in twofish,
> and works fine
>
> have tested this for many of the keys and none of them display
> twofish in the preferences

C:\>gpg --edit c5dcca32
gpg (GnuPG) 1.4.2.2; Copyright (C) 2005 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Secret key is available.

pub  2048R/C5DCCA32  created: 2006-03-05  expires: never  usage: CS
                     trust: ultimate  validity: ultimate
sub  2048R/B9F25302  created: 2006-03-05  expires: never  usage: E
sub  2048R/16D982EE  created: 2006-03-05  expires: never  usage: S
[ultimate] (1). Simon H. Garlick

Command> showpref
pub  2048R/C5DCCA32  created: 2006-03-05  expires: never  usage: CS
                     trust: ultimate  validity: ultimate
[ultimate] (1). Simon H. Garlick
     Cipher: TWOFISH, AES256, 3DES
     Digest: SHA512, SHA384, SHA256, RIPEMD160, SHA1
     Compression: ZIP, ZLIB, BZIP2, Uncompressed
     Features: MDC, Keyserver no-modify

Command>

working OK here.

Simon

From unknown_kev_cat at hotmail.com Thu Mar 23 03:24:35 2006
From: unknown_kev_cat at hotmail.com (Joe Smith)
Date: Thu Mar 23 03:24:15 2006
Subject: Change PIN on OpenPGP-Card with Cherry SmartTerminal ST-1044
References: <4416D099.8070906@discworld.ping.de><44171054.7060309@discworld.ping.de><44171469.8040108@discworld.ping.de> <87zmjk7yqy.fsf@wheatstone.g10code.de>
Message-ID:

"Werner Koch" wrote in message news:87zmjk7yqy.fsf@wheatstone.g10code.de...
> On 14 Mar 2006 20:07:21 +0100, Dennis Heitmann said: > >> gpg: pcsc_transmit failed: not transacted (0x80100016) >> gpg: apdu_send_simple(0) failed: card I/O error > > That is a catch all error of the underlying ifd-handler. I have > never tried that board with the PCSC driver. It works fine when using > the internal GnuPG driver. > > I am sorry that you burned your card. In general it is always advisable > to take some caution when using a new reader device. And you should > always start with the regular PIN, this gives you more tries in case > something went wrong. Using gpg with the option "--debug 2048" will > show details of the card communication. > Could the next revision of the OpenPGP card spec (and the next version of the primary implementation) provide an [optional] command that resets the card to factory condition? (Wipes the key, and then resets the pin counts. Perhaps it would only work if PIN counter have reached maximum. [At which point the key on the card is for all intents and purposes dead anyway as it is no longer usable, so the user should be able to wipe the card clean. It would save a user's investment.]) From dc at pikkle.com Thu Mar 23 02:43:03 2006 From: dc at pikkle.com (D_C) Date: Thu Mar 23 04:56:58 2006 Subject: encrypted mail and gmail / remote Message-ID: hello group - apologies for the newbie questions. i am wondering if there are any webmail services that can decrypt email, if i somehow inform of my PGP key? also, i am travelling without knowing my pgp key. is this somehow centrally registered, in a way that i can download the key, and use a command line app to decrypt messages sent to me? i guess only the public key is available on the public key registries (if it works that way). thanks! /dc -- _______________________________________________ David "DC" Collier US 1-415-283-7742 dc@pikkle.com skype: callto://d3ntaku http://www.pikkle.com +81 (0)80 6521 9559 http://charajam.com
_______________________________________________ From eocsor at gmail.com Thu Mar 23 08:06:29 2006 From: eocsor at gmail.com (Roscoe) Date: Thu Mar 23 08:05:47 2006 Subject: encrypted mail and gmail / remote In-Reply-To: References: Message-ID: I noticed this plugin for squirrelmail if you wanted to do it on your own server: http://www.squirrelmail.org/plugin_view.php?id=153 Aside from that there are a few services around, like hushmail.com that'll do what you want. On 3/23/06, D_C wrote: > hello group - > > apologies for the newbie questions. > > i am wondering if there are any webmail services that can decrypt > email, if i somehow inform of my PGP key? > > also, i am travelling without knowing my pgp key. is this somehow > centrally registered, in a way that i can download the key, and use a > command line app to decrypt messages sent to me? i guess only the > public key is available on the public key registries (if it works that > way). > > thanks! > > /dc > > -- > _______________________________________________ > David "DC" Collier > US 1-415-283-7742 > dc@pikkle.com > skype: callto://d3ntaku > http://www.pikkle.com > +81 (0)80 6521 9559 > > http://charajam.com > _______________________________________________ > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From Heiko.Teichmeier at sw-meerane.de Thu Mar 23 07:11:07 2006 From: Heiko.Teichmeier at sw-meerane.de (Teichmeier, Heiko) Date: Thu Mar 23 09:26:23 2006 Subject: Public Keyserver with LDAP Message-ID: Can anyone tell me - exist a public GPG-Keyserver into the internet with LDAP-protocol as access-way? If this is true, then tell us the address(es), please. 
best regards Stadtwerke Meerane GmbH Heiko Teichmeier http://www.sw-meerane.de From alphasigmax at gmail.com Thu Mar 23 10:08:10 2006 From: alphasigmax at gmail.com (Alphax) Date: Thu Mar 23 10:08:18 2006 Subject: [GPGOL] No keys found In-Reply-To: <000001c64daa$2b483790$0300420a@ostling.sverige> References: <000001c64daa$2b483790$0300420a@ostling.sverige> Message-ID: <4422657A.4010000@gmail.com> Anders Eriksson wrote: > Hello! > > I have just installed the latest WinPT and GPGOL on a Windows XP SP2, with > Outlook 2003. Why are you using GPG 1.2.1? There have been several security bugs detected since then, including a few in the last month; you should upgrade to 1.4.2.2 ASAP. -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards http://tinyurl.com/cc9up | / \ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 558 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060323/ca215ba5/signature.pgp From anders at ostling.com Thu Mar 23 10:14:44 2006 From: anders at ostling.com (Anders Eriksson) Date: Thu Mar 23 10:13:49 2006 Subject: [GPGOL] No keys found In-Reply-To: <4422657A.4010000@gmail.com> Message-ID: <001101c64e5a$399224e0$0300420a@ostling.sverige> > Why are you using GPG 1.2.1? There have been several security > bugs detected since then, including a few in the last month; > you should upgrade to 1.4.2.2 ASAP. > I just did and now WinPT doesn't work! It claims that I have an old version of GPG. "Sorry your GnuPG version is not compatible. You need at least GPG 1.1.9x or better" One would think that 1.4.2.2 is better than 1.1.9x, but ... 
// Anders From og at pre-secure.de Thu Mar 23 10:33:06 2006 From: og at pre-secure.de (Olaf Gellert) Date: Thu Mar 23 10:31:18 2006 Subject: [Fwd:] Public Keyserver with LDAP In-Reply-To: References: Message-ID: <44226B52.5060402@pre-secure.de> This came in on gnupg-users mailinglist, I thought I should forward it to pgp-keyserver-folks, too. Teun, is there still an LDAP server at surfnet? Teichmeier, Heiko wrote: > Can anyone tell me - exist a public GPG-Keyserver into the internet with > LDAP-protocol as access-way? If this is true, then tell us the > address(es), please. > > best regards > Stadtwerke Meerane GmbH > > Heiko Teichmeier > http://www.sw-meerane.de -- Dipl.Inform. Olaf Gellert PRESECURE (R) Senior Researcher, Consulting GmbH Phone: (+49) 0700 / PRESECURE og@pre-secure.de A daily view on Internet Attacks https://www.ecsirt.net/sensornet From anders at ostling.com Thu Mar 23 11:19:24 2006 From: anders at ostling.com (Anders Eriksson) Date: Thu Mar 23 11:17:46 2006 Subject: [GPGOL] No keys found In-Reply-To: <442269BC.1030703@sara.nl> Message-ID: <000001c64e63$420e2570$0300420a@ostling.sverige> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > you'll need to download the latest beta for winpt from the > sourceforge page, it's much better. > Yess!!!! Now not only does WinPT work with the latest GnuPG, but it also made Gpgol work! Thank you very much! 
// Anders - -- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (MingW32) iD8DBQFEInYrdvHQMm1Eh2ARAmnPAJ9QVTjlFuUvJB/ZMp5Lf8/3XoZ3rwCcCaOu 2qti0s7mj9TM3eVTc2jmWhg= =XT5x -----END PGP SIGNATURE----- From alex at bofh.net.pl Thu Mar 23 11:38:23 2006 From: alex at bofh.net.pl (Janusz A. Urbanowicz) Date: Thu Mar 23 11:37:59 2006 Subject: encrypted mail and gmail / remote In-Reply-To: References: Message-ID: <20060323103823.GA3349@hell.pl> On Wed, Mar 22, 2006 at 05:43:03PM -0800, D_C wrote: > hello group - > > apologies for the newbie questions. 
> > i am wondering if there are any webmail services that can decrypt > email, if i somehow inform of my PGP key? > > also, i am travelling without knowing my pgp key. is this somehow > centrally registered, in a way that i can download the key, and use a > command line app to decrypt messages sent to me? i guess only the > public key is available on the public key registries (if it works that > way). From the description, hushmail.com is right tool for you. Alex From lusfert at gmail.com Thu Mar 23 11:12:33 2006 From: lusfert at gmail.com (lusfert) Date: Thu Mar 23 11:39:15 2006 Subject: [GPGOL] No keys found In-Reply-To: <001101c64e5a$399224e0$0300420a@ostling.sverige> References: <001101c64e5a$399224e0$0300420a@ostling.sverige> Message-ID: <44227491.2050303@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Anders Eriksson wrote on 23.03.2006 12:14: >> Why are you using GPG 1.2.1? There have been several security >> bugs detected since then, including a few in the last month; >> you should upgrade to 1.4.2.2 ASAP. >> > I just did and now WinPT doesn't work! It claims that I have an old version > of GPG. > > "Sorry your GnuPG version is not compatible. You need at least GPG 1.1.9x or > better" > > One would think that 1.4.2.2 is better than 1.1.9x, but ... > Download GnuPG from http://www.gnupg.org/download/ and WinPT from http://www.winpt.org/ or http://wald.intevation.org/frs/?group_id=14 At this time I can't download GnuPG w32 binary from the main site: ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.2.2.exe However, you may download from any mirror (http://www.gnupg.org/download/mirrors.html.en): ftp://ftp.surfnet.nl/pub/security/gnupg/binary/gnupg-w32cli-1.4.2.2.exe ftp://ftp.surfnet.nl/pub/security/gnupg/binary/gnupg-w32cli-1.4.2.2.exe.sig Always use latest stable versions, don't forget to check signatures. 
Now they are GnuPG - 1.4.2.2 WinPT - 0.11.9 After verifying signatures and installation both programs check their versions: WinPT -> Menu -> ? -> Info WinPT -> Menu -> ? -> Info -> About GPG... After updating GnuPG and WinPT check if problem still occurs. - -- Regards OpenPGP Key ID: 0x9E353B56500B8987 Encrypted e-mail preferred. -----BEGIN PGP SIGNATURE----- iEYEAREDAAYFAkQidI8ACgkQnjU7VlALiYdaMgCgiKmCCohS4wWNjDKIXsZ1ISSc rEwAn2t9QA6+egU66dj4Cfd7hcU0tNPd =JHvz -----END PGP SIGNATURE----- From lusfert at gmail.com Thu Mar 23 10:59:33 2006 From: lusfert at gmail.com (lusfert) Date: Thu Mar 23 11:57:43 2006 Subject: Public Keyserver with LDAP In-Reply-To: References: Message-ID: <44227185.5040703@gmail.com> Teichmeier, Heiko wrote on 23.03.2006 9:11: > Can anyone tell me - exist a public GPG-Keyserver into the internet with > LDAP-protocol as access-way? If this is true, then tell us the > address(es), please. > ldap://keyserver.pgp.com/ -- Regards OpenPGP Key ID: 0x9E353B56500B8987 Encrypted e-mail preferred. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 163 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060323/4566a4ef/signature.pgp From r.post at sara.nl Thu Mar 23 10:26:20 2006 From: r.post at sara.nl (Remco Post) Date: Thu Mar 23 22:23:49 2006 Subject: [GPGOL] No keys found In-Reply-To: <001101c64e5a$399224e0$0300420a@ostling.sverige> References: <001101c64e5a$399224e0$0300420a@ostling.sverige> Message-ID: <442269BC.1030703@sara.nl> Anders Eriksson wrote: >>Why are you using GPG 1.2.1? There have been several security >>bugs detected since then, including a few in the last month; >>you should upgrade to 1.4.2.2 ASAP. >> > > I just did and now WinPT doesn't work! It claims that I have an old version > of GPG. > > "Sorry your GnuPG version is not compatible. 
You need at least GPG 1.1.9x or > better" > > One would think that 1.4.2.2 is better than 1.1.9x, but ... > you'll need to download the latest beta for winpt from the sourceforge page, it's much better. > // Anders > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -- Met vriendelijke groeten, Remco Post SARA - Reken- en Netwerkdiensten http://www.sara.nl High Performance Computing Tel. +31 20 592 3000 Fax. +31 20 668 3167 "I really didn't foresee the Internet. But then, neither did the computer industry. Not that that tells us very much of course - the computer industry didn't even foresee that the century was going to end." -- Douglas Adams From twoaday at gmx.net Fri Mar 24 07:30:59 2006 From: twoaday at gmx.net (Timo Schulz) Date: Fri Mar 24 07:50:59 2006 Subject: [GPGOL] No keys found In-Reply-To: <442269BC.1030703@sara.nl> References: <001101c64e5a$399224e0$0300420a@ostling.sverige> <442269BC.1030703@sara.nl> Message-ID: <20060324063059.GA1267@daredevil.joesixpack.net> On Thu Mar 23 2006; 10:26, Remco Post wrote: > you'll need to download the latest beta for winpt from the > sourceforge page, it's much better. You probably meant gforge page because the sourceforge page is not up-to-date. In general the easiest way to download the latest version is http://www.winpt.org. Timo From gnupg-users at emailgoeshere.com Fri Mar 24 15:43:57 2006 From: gnupg-users at emailgoeshere.com (gnupg-users@emailgoeshere.com) Date: Fri Mar 24 16:56:25 2006 Subject: Trouble with gpgsm Message-ID: <442405AD.3080703@emailgoeshere.com> I have my own CA that I use for my mail/web/openldap/etc server. I generated a CA cert, and used this to sign a certificate for the server daemons. All has generally gone well, until I've wanted to use KAddressBook to grab addresses off of my LDAP server. 
It complains that verification of the certificate failed when it tries to connect with TLS or SSL. I have gpg 1.9 installed (using Gentoo; it's slotted alongside 1.4), and gpg-agent, watchgnupg, Kleopatra, etc. all work fine. However, while I've been able to import my CA certificate and private key and have verified it by adding the appropriate line to trustlist.txt, I cannot seem to import the server certificate that it signed. I continually get the following message: 5 - 2006-03-23 16:58:30 gpgsm[27069]: self-signed certificate has a BAD signature: Bad signature 5 - 2006-03-23 16:58:30 gpgsm[27069]: basic certificate checks failed - not imported OpenSSL will verify the certificate: jeff@scales ~ $ openssl verify -CAfile /etc/ssl/certs/My_CA.pem ./server.crt server.crt: OK And if I re-verify the CA certificate with gpgsm, through Kleopatra, logging level Basic (here's hoping I'm not giving out any information I didn't want to be giving out :-) ): 5 - 2006-03-23 17:21:45 gpg-agent[26852.0x80882b0] DBG: <- OPTION lc-messages=en_US.utf8 5 - 2006-03-23 17:21:45 gpg-agent[26852.0x80882b0] DBG: -> OK 5 - 2006-03-23 17:21:45 gpg-agent[26852.0x80882b0] DBG: <- HAVEKEY AEDB2E87FEF060315E94B85A187ADB8B147E5D95 5 - 2006-03-23 17:21:45 gpg-agent[26852.0x80882b0] DBG: -> OK 5 - 2006-03-23 17:21:45 gpg-agent[26852.0x80882b0] DBG: <- ISTRUSTED F4B09616C152F40095ECE57792CAEF68569207FD 5 - 2006-03-23 17:21:45 gpg-agent[26852.0x80882b0] DBG: -> OK 4 - 2006-03-23 17:21:45 gpgsm[27300]: no running dirmngr - starting one [client at fd 6 connected] 6 - 2006-03-23 17:21:45 dirmngr[27301]: permanently loaded certificates: 0 6 - 2006-03-23 17:21:45 dirmngr[27301]: runtime cached certificates: 0 6 - 2006-03-23 17:21:45 dirmngr[27301.0x8081538] DBG: -> OK Dirmngr 0.9.3 at your service 4 - 2006-03-23 17:21:45 gpgsm[27300]: DBG: connection to dirmngr established 6 - 2006-03-23 17:21:45 dirmngr[27301.0x8081538] DBG: <- ISVALID 368B186305A2CD33AE58546032 5 - 2006-03-23 17:21:45 
gpg-agent[26852.0x80882b0] DBG: <- OPTION lc-messages=en_US.utf8 5 - 2006-03-23 17:21:45 gpg-agent[26852.0x80882b0] DBG: -> OK 5 - 2006-03-23 17:21:45 gpg-agent[26852.0x80882b0] DBG: <- HAVEKEY AEDB2E87FEF060315E94B85A187ADB8B147E5D95 5 - 2006-03-23 17:21:45 gpg-agent[26852.0x80882b0] DBG: -> OK 5 - 2006-03-23 17:21:45 gpg-agent[26852.0x80882b0] DBG: <- ISTRUSTED F4B09616C152F40095ECE57792CAEF68569207FD 5 - 2006-03-23 17:21:45 gpg-agent[26852.0x80882b0] DBG: -> OK 4 - 2006-03-23 17:21:45 gpgsm[27300]: no running dirmngr - starting As you can see my CA certificate is trusted, and I've imported the secret key. I do not have a CRL imported, but I don't think that matters. Now, the relevant parts of the output, logging level guru, when I try to import the certificate signed by my CA: 4 - 2006-03-23 17:25:35 gpgsm[27314.0x8081a58] DBG: <- IMPORT 4 - 2006-03-23 17:25:35 gpgsm[27314.0x8081a58] DBG: -> OK 4 - 2006-03-23 17:25:35 gpgsm[27314.0x8081a58] DBG: <- OPTION ttyname=/dev/pts/2 4 - 2006-03-23 17:25:35 gpgsm[27314.0x8081a58] DBG: -> OK 4 - 2006-03-23 17:25:35 gpgsm[27314.0x8081a58] DBG: <- OPTION ttytype=xterm 4 - 2006-03-23 17:25:35 gpgsm[27314.0x8081a58] DBG: -> OK 4 - 2006-03-23 17:25:35 gpgsm[27314.0x8081a58] DBG: <- OPTION lc-ctype=en_US.utf8 4 - 2006-03-23 17:25:35 gpgsm[27314.0x8081a58] DBG: -> OK 4 - 2006-03-23 17:25:35 gpgsm[27314.0x8081a58] DBG: <- OPTION lc-messages=en_US.utf8 4 - 2006-03-23 17:25:35 gpgsm[27314.0x8081a58] DBG: -> OK 4 - 2006-03-23 17:25:35 gpgsm[27314.0x8081a58] DBG: <- INPUT FD=13 4 - 2006-03-23 17:25:35 gpgsm[27314.0x8081a58] DBG: -> OK 4 - 2006-03-23 17:25:35 gpgsm[27314.0x8081a58] DBG: <- IMPORT 4 - 2006-03-23 17:25:35 gpgsm[27314]: DBG: gcry_pk_verify: Bad signature 4 - 2006-03-23 17:25:35 gpgsm[27314]: self-signed certificate has a BAD signature: Bad signature 4 - 2006-03-23 17:25:35 gpgsm[27314]: DBG: BEGIN Certificate `self-signing ce I have no idea what's going on...I hope somebody can help! Thanks, Jeff From wk at gnupg.org Sat Mar 25 17:15:02 2006 From: wk at gnupg.org (Werner Koch) Date: Sat Mar 25 19:57:58 2006 Subject: Change PIN on OpenPGP-Card with Cherry SmartTerminal ST-1044 In-Reply-To: (Joe Smith's message of "Wed, 22 Mar 2006 21:24:35 -0500") References: <4416D099.8070906@discworld.ping.de> <44171054.7060309@discworld.ping.de> <44171469.8040108@discworld.ping.de> <87zmjk7yqy.fsf@wheatstone.g10code.de> Message-ID: <87lkuytsah.fsf@wheatstone.g10code.de> On Wed, 22 Mar 2006 21:24:35 -0500, Joe Smith said: > Could the next revision of the OpenPGP card spec (and the next version of > the primary implemetation) provide > an [optional] command that resets the card to factory condition? (Wipes the We are considering this for a revision of the specs. However this alone does not justify a new specs right now. Salam-Shalom, Werner From peter at digitalbrains.com Mon Mar 27 17:56:35 2006 From: peter at digitalbrains.com (Peter Lebbing) Date: Mon Mar 27 19:26:29 2006 Subject: SCM SPR 532 cardreader pinpad Message-ID: <44282753.16845.10AD004@peter.digitalbrains.com> Hello, I bought an OpenPGP card (from kernelconcepts.de) along with the SCM SPR 532 cardreader, based on the remark in the HOWTO "The pinpad may be used to securely enter the PIN without using the attached computer." In the HOWTO they refer to a patch that is no longer available; I couldn't find it anywhere, but I suspect it's not needed for recent versions anyway. Now, I won't document what I've all tried, since my question is pretty basic and doesn't need a lot of explanation. I found a message on the archive of this userlist: http://lists.gnupg.org/pipermail/gnupg-users/2005-June/026082.html Is this still true that the pinpad can not be used in GnuPG? 
If it can be used, I'd appreciate a general hint in the right direction, and if I can't figure it out then, I'll be back here with lots of detail :). I must say the way it's phrased in the HOWTO is strange. The SPR 532 is described with "pinpad may be used", and the Kobil KAAN Advanced with "The keyboard is not yet supported by GnuPG". I honestly don't see much difference in practical use when the supporting code in GnuPG is there but not "connected" to the rest of GnuPG in the former case. Greetings, Peter Lebbing. From malte.gell at gmx.de Mon Mar 27 19:52:26 2006 From: malte.gell at gmx.de (Malte Gell) Date: Mon Mar 27 19:52:19 2006 Subject: Trouble with gpgsm In-Reply-To: <442405AD.3080703@emailgoeshere.com> References: <442405AD.3080703@emailgoeshere.com> Message-ID: <200603271952.31290.malte.gell@gmx.de> On Friday 24 March 2006 15:43, gnupg-users@emailgoeshere.com wrote: Hi, > I > cannot seem to import the server certificate that it signed. I > continually get the following message: > > 5 - 2006-03-23 16:58:30 gpgsm[27069]: self-signed certificate has a > BAD signature: Bad signature > 5 - 2006-03-23 16:58:30 gpgsm[27069]: basic certificate checks > failed - not imported > > OpenSSL will verify the certificate: > > jeff@scales ~ $ openssl verify -CAfile /etc/ssl/certs/My_CA.pem > ./server.crt server.crt: OK It is My_CA.pem that you can't import into the GnuPG system, right? What happens if you try the following: openssl pkcs12 -in My_CA.pem -export -out My_CA.p12 -nocerts -nodes This should result in My_CA.p12 and next gpgsm --call-protect-tool --p12-import --store My_CA.p12 Does this work? Does gpgsm --list-secret-keys list it now? _If_ this worked you can grab the public part from My_CA.pem with an editor, since it is a text file. I took this from a mini-howto that describes how to use GnuPG with X.509 certificates that some email providers offer. 
hth Malte From wk at gnupg.org Mon Mar 27 21:15:02 2006 From: wk at gnupg.org (Werner Koch) Date: Mon Mar 27 21:16:57 2006 Subject: SCM SPR 532 cardreader pinpad In-Reply-To: <44282753.16845.10AD004@peter.digitalbrains.com> (Peter Lebbing's message of "Mon, 27 Mar 2006 17:56:35 +0200") References: <44282753.16845.10AD004@peter.digitalbrains.com> Message-ID: <87u09jd7ih.fsf@wheatstone.g10code.de> On Mon, 27 Mar 2006 17:56:35 +0200, Peter Lebbing said: > I must say the way it's phrased in the HOWTO is strange. The SPR 532 is > described with "pinpad may be used", and the Kobil KAAN Advanced with That should indicate that I have code to support it. > "The keyboard is not yet supported by GnuPG". I honestly don't see and that that I have not tested it yet. To summarize: There is some code in gnupg but it is not yet ready for general use. The parts which are not yet stable enough is the code to dismiss the pinentry after the PIN has been entered on the reader's pin pad. Shalom-Salam, Werner From dh at ping.de Wed Mar 15 12:04:47 2006 From: dh at ping.de (Daniel Hess) Date: Tue Mar 28 10:42:15 2006 Subject: OpenPGP card and signing In-Reply-To: <20060314224252.GA11976@vorlon.ping.de> References: <20060313234654.GA21493@vorlon.ping.de> <44166F8E.4020401@sara.nl> <20060314224252.GA11976@vorlon.ping.de> Message-ID: <20060315110447.GA8506@rio-grande.ping.de> On Tue, Mar 14, 2006 at 11:42:52PM +0100, Michael Bienia wrote: > > Michael Bienia wrote: > > > does signing with the OpenPGP card only work with SHA1 as digest-algo? > > > > > > With SHA1 and RIPEMD160 gpg asks for the PIN but only SHA1 generates a > > > working signature. Trying RIPEMD160 I get: > > > | gpg: checking created signature failed: bad signature > > > | gpg: signing failed: bad signature > > > | gpg: signing failed: bad signature > > A friend who uses his OpenPGP card with enigmail under windows can > successfully create a RIPEMD160 signature. > I could also create one if I use gpg with pcscd. 
> > Can someone explain me, why it works if I use gpg with pcscd and not if > I use gpg alone? I have the same problem as Michael. Just while playing with gnupg i've notived, that the problem only occur when gnupg-agent is involved. Using gnupg without the agent creates a valid ripemd160 signiture. Maybe this helps. - Daniel From sebi- at gmx.li Fri Mar 17 14:46:28 2006 From: sebi- at gmx.li (Sebastian) Date: Tue Mar 28 10:42:39 2006 Subject: Is there any GnuPG version which works with Windows Mobile 5.0? Message-ID: <002101c649c9$312f5ec0$fda8a8c0@domsa.local> From karlsen-masur at dfn-cert.de Mon Mar 20 09:52:31 2006 From: karlsen-masur at dfn-cert.de (Reimer Karlsen-Masur, DFN-CERT) Date: Tue Mar 28 10:42:51 2006 Subject: URL returned error: 500 when sending key to server In-Reply-To: <20060320033551.GA2604@wilma.widomaker.com> References: <1142815922.16823.20.camel@lapp31000.local> <20060320033551.GA2604@wilma.widomaker.com> Message-ID: <441E6D4F.7090306@dfn-cert.de> Hi, one of our users run into the same error message... Apparently this could be linked to how some versions of GPG are linked against libcurl. See http://lists.gnu.org/archive/html/sks-devel/2005-08/msg00024.html for a discussion. In our case (pgpkeys.pca.dfn.de) an update to the latest version of SKS fixed the problem. Jason Harris wrote: > On Mon, Mar 20, 2006 at 01:52:01AM +0100, Daniel St?ckner wrote: > >> I created a standard key-pair for my mail-address. When trying to send >> the key to one of the servers with: >> >> gpg -v -v --keyserver subkeys.pgp.net --send-key >> >> I get the following message: >> >> gpg: sending key to hkp server subkeys.pgp.net >> gpgkeys: HTTP post error 22: The requested URL returned error: 500 >> >> It is again and again reproducible. > > 195.113.19.83 (pks.gpg.cz) and 212.247.204.136 (party.nic.se) return this > error for me, the other servers don't. > >> Does that mean "Internal Server Error" as with http? 
I don't know what >> to do about this or even if I can do anything about this. I haven't >> found any solution here or with google. Any hint greatly appreciated! >> Thanks in advance! > > Hopefully the admins of these servers will check their logs and reply. -- Beste Gruesse / Kind Regards Reimer Karlsen-Masur -- Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), DFN-CERT Services GmbH https://www.dfn-cert.de, +49 40 808077-615 / +49 40 808077-555 (Hotline) PGP RSA/2048, 1A9E4B95, A6 9E 4F AF F6 C7 2C B8 DA 72 F4 5E B4 A4 F0 66 -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 7125 bytes Desc: S/MIME Cryptographic Signature Url : /pipermail/attachments/20060320/30319fa1/smime-0001.bin From teun.nijssen at uvt.nl Thu Mar 23 12:33:13 2006 From: teun.nijssen at uvt.nl (Teun Nijssen) Date: Tue Mar 28 10:43:01 2006 Subject: [Fwd:] Public Keyserver with LDAP In-Reply-To: <44226B52.5060402@pre-secure.de> References: <44226B52.5060402@pre-secure.de> Message-ID: <44228779.7020002@uvt.nl> Hi, Olaf Gellert wrote: > This came in on gnupg-users mailinglist, I thought > I should forward it to pgp-keyserver-folks, too. > > Teun, is there still an LDAP server at surfnet? No. When SURFnet moved the cname pgp.surfnet.nl from the very old horowitz.surfnet.nl to the overpowered minsky.surfnet.nl, the ldap server was stopped. SURFnet now only runs an SKS server. On August 29th 2005 I almost became lyric about it: LDAP server: 2005 Jul Aug Sep Oct Nov Dec ADD key ok 2146 6053 Good old horowitz, ADD double 1495 547 a SPARC machine from the era of 150 Mhz processors, Search/get ok 1870413 748012 but with incredibly solid Srch timelim 6848 4312 reliability, was finally Srch sizelim 698 514 shutdown on 29 august 2005. Srch not fnd 607223 354194 Its first boot was in 1996. 
MODify ok 705 10807 But minsky lives; IPsources 23122 14231 go minsky, go, and do as well as good old horowitz certd down 1h 1h fine machine..... SUN/net down 0 0 Actually, minsky is a good box. Apart from spending 99.3% of its time on GIMPS (currently Iteration 19000000 / 35046623) it reports: SKS server: 2006 Jan Feb Mar Apr May Jun Get requests 641819 560337 Index reqs 6512 7721 Vindex reqs 385799 403711 Stats reqs 262 339 Add requests 2389 2145 DB lookups 1034177 970254 Mails recvd 123218 98208 Error hand req 126176 122417 IPsourcesWWW 17488 19244 Recon as server 34383 28126 Recon as client 38386 34026 Server/net down 0h 0h cheers, teun -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 256 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060323/63fb358e/signature.pgp From jeff at emailgoeshere.com Thu Mar 23 23:27:49 2006 From: jeff at emailgoeshere.com (Jeff Mitchell) Date: Tue Mar 28 10:43:05 2006 Subject: Trouble with gpgsm Message-ID: <442320E5.7080107@emailgoeshere.com> I have my own CA that I use for my mail/web/openldap/etc server. I generated a CA cert, and used this to sign a certificate for the server daemons. All has generally gone well, until I've wanted to use KAddressBook to grab addresses off of my LDAP server. It complains that verification of the certificate failed when it tries to connect with TLS or SSL. I have gpg 1.9 installed (using Gentoo; it's slotted alongside 1.4), and gpg-agent, watchgnupg, Kleopatra, etc. all work fine. However, while I've been able to import my CA certificate and private key and have verified it by adding the appropriate line to trustlist.txt, I cannot seem to import the server certificate that it signed. 
I continually get the following message:

5 - 2006-03-23 16:58:30 gpgsm[27069]: self-signed certificate has a BAD signature: Bad signature
5 - 2006-03-23 16:58:30 gpgsm[27069]: basic certificate checks failed - not imported

OpenSSL will verify the certificate:

jeff@scales ~ $ openssl verify -CAfile /etc/ssl/certs/My_CA.pem ./server.crt
server.crt: OK

And if I re-verify the CA certificate with gpgsm, through Kleopatra, logging level Basic (here's hoping I'm not giving out any information I didn't want to be giving out :-) ):

5 - 2006-03-23 17:21:45 gpg-agent[26852.0x80882b0] DBG: <- OPTION lc-messages=en_US.utf8
5 - 2006-03-23 17:21:45 gpg-agent[26852.0x80882b0] DBG: -> OK
5 - 2006-03-23 17:21:45 gpg-agent[26852.0x80882b0] DBG: <- HAVEKEY AEDB2E87FEF060315E94B85A187ADB8B147E5D95
5 - 2006-03-23 17:21:45 gpg-agent[26852.0x80882b0] DBG: -> OK
5 - 2006-03-23 17:21:45 gpg-agent[26852.0x80882b0] DBG: <- ISTRUSTED F4B09616C152F40095ECE57792CAEF68569207FD
5 - 2006-03-23 17:21:45 gpg-agent[26852.0x80882b0] DBG: -> OK
4 - 2006-03-23 17:21:45 gpgsm[27300]: no running dirmngr - starting one
[client at fd 6 connected]
6 - 2006-03-23 17:21:45 dirmngr[27301]: permanently loaded certificates: 0
6 - 2006-03-23 17:21:45 dirmngr[27301]: runtime cached certificates: 0
6 - 2006-03-23 17:21:45 dirmngr[27301.0x8081538] DBG: -> OK Dirmngr 0.9.3 at your service
4 - 2006-03-23 17:21:45 gpgsm[27300]: DBG: connection to dirmngr established
6 - 2006-03-23 17:21:45 dirmngr[27301.0x8081538] DBG: <- ISVALID 368B186305A2CD33AE58546032
5 - 2006-03-23 17:21:45 gpg-agent[26852.0x80882b0] DBG: <- OPTION lc-messages=en_US.utf8
5 - 2006-03-23 17:21:45 gpg-agent[26852.0x80882b0] DBG: -> OK
5 - 2006-03-23 17:21:45 gpg-agent[26852.0x80882b0] DBG: <- HAVEKEY AEDB2E87FEF060315E94B85A187ADB8B147E5D95
5 - 2006-03-23 17:21:45 gpg-agent[26852.0x80882b0] DBG: -> OK
5 - 2006-03-23 17:21:45 gpg-agent[26852.0x80882b0] DBG: <- ISTRUSTED F4B09616C152F40095ECE57792CAEF68569207FD
5 - 2006-03-23 17:21:45 gpg-agent[26852.0x80882b0] DBG: -> OK
4 - 2006-03-23 17:21:45 gpgsm[27300]: no running dirmngr - starting

As you can see my CA certificate is trusted, and I've imported the secret key. I do not have a CRL imported, but I don't think that matters.

Now, the relevant parts of the output, logging level guru, when I try to import the certificate signed by my CA:

4 - 2006-03-23 17:25:35 gpgsm[27314.0x8081a58] DBG: <- IMPORT
4 - 2006-03-23 17:25:35 gpgsm[27314.0x8081a58] DBG: -> OK
4 - 2006-03-23 17:25:35 gpgsm[27314.0x8081a58] DBG: <- OPTION ttyname=/dev/pts/2
4 - 2006-03-23 17:25:35 gpgsm[27314.0x8081a58] DBG: -> OK
4 - 2006-03-23 17:25:35 gpgsm[27314.0x8081a58] DBG: <- OPTION ttytype=xterm
4 - 2006-03-23 17:25:35 gpgsm[27314.0x8081a58] DBG: -> OK
4 - 2006-03-23 17:25:35 gpgsm[27314.0x8081a58] DBG: <- OPTION lc-ctype=en_US.utf8
4 - 2006-03-23 17:25:35 gpgsm[27314.0x8081a58] DBG: -> OK
4 - 2006-03-23 17:25:35 gpgsm[27314.0x8081a58] DBG: <- OPTION lc-messages=en_US.utf8
4 - 2006-03-23 17:25:35 gpgsm[27314.0x8081a58] DBG: -> OK
4 - 2006-03-23 17:25:35 gpgsm[27314.0x8081a58] DBG: <- INPUT FD=13
4 - 2006-03-23 17:25:35 gpgsm[27314.0x8081a58] DBG: -> OK
4 - 2006-03-23 17:25:35 gpgsm[27314.0x8081a58] DBG: <- IMPORT
4 - 2006-03-23 17:25:35 gpgsm[27314]: DBG: gcry_pk_verify: Bad signature
4 - 2006-03-23 17:25:35 gpgsm[27314]: self-signed certificate has a BAD signature: Bad signature
4 - 2006-03-23 17:25:35 gpgsm[27314]: DBG: BEGIN Certificate `self-signing ce

I have no idea what's going on...I hope somebody can help!

Thanks,
Jeff

From rjh at sixdemonbag.org Sun Mar 26 15:18:54 2006
From: rjh at sixdemonbag.org (Robert J.
Hansen)
Date: Tue Mar 28 10:43:10 2006
Subject: Linculti 0.1
Message-ID: <442694BE.7050007@sixdemonbag.org>

Feedback from people has so far been generally positive, although karmically negative: just after getting a good grade back on our problem assessment and UI proposal, the laptop with our assessment and proposal on it suffered a hard drive failure. We still have all of the results/feedback/final conclusions; it's just that we only have them in hardcopy now. We're going to be shooting for an April 20 release for those--we have to re-type them.

However: we have Occulti working on Linux, OS X and Windows. On Linux and OS X it looks kind of slick (especially on Fedora Core 5), even. Since large parts of the GUI are done, we're releasing what we have so far so that people can stay abreast of our progress. First will come the Linux build, since that's the one we've debugged the most. OS X and Windows builds will be coming in days to come.

Please note that this version is barely functional. This is a preview of the Occulti UI; it's not a preview of Occulti functionality. Lots of stuff simply doesn't work yet. Updating keys from keyservers works (but only from the File menu)--but basically nothing else that modifies your keys does.

Anyway. Enough said. Download it for yourself at:

http://sixdemonbag.org/linculti-0.1.tar.bz2

Of course, you shouldn't trust software that comes without a signature--so grab the detached signature at:

http://sixdemonbag.org/linculti-0.1.tar.bz2.asc

As a word of warning: Linculti expects to find gpg in one of the usual places: /usr/local/bin, /opt/local/bin, /usr/bin or /opt/bin, checking in that order. If it's not there, expect it to malfunction, maybe even badly. It also expects you to already have a keyring: if you don't, expect it to malfunction, maybe even badly.

We welcome all feedback! If you have thoughts on the UI design of it, please send it on to me. Thanks a lot!

--
Rob, writing for the Occulti dev team (Jacob, Tristan, and Rob)

From r8 at socal.rr.com Thu Mar 16 15:29:51 2006
From: r8 at socal.rr.com (Roger Fischer)
Date: Tue Mar 28 10:43:14 2006
Subject: [gpgol] gpgol not working with Outlook 2002]
Message-ID: <4419765F.5040306@socal.rr.com>

I downloaded gpgol-0.9.3 and tried it on my system

Windows XP Professional, Version 2002, Service Pack 2
Outlook 2002 SP3
Version: GnuPG v1.4.2.2 (MingW32)

I've got two problems.

1) keymanager button does not work. ("winpt.exe --keymanager" worked with the gdata plugin)

2) gpgol is prompting for passphrase and then decrypting messages properly, but is not displaying the result in the window. I thought it was not working at all, but I enabled the debug log, and as you can see from the excerpt below, it correctly decrypted the message (window text is now ` ... ') but it never displayed the decrypted message.

Are there any updates coming out? I saw newer sources on the ftp site, but no binaries.

Thanks

---------------------
2604/gpgmsg.cpp:decrypt: message has 0 attachments with 0 signed and 0 encrypted
2604/passphrase_callback_box: enter (uh=`62A427562B04DCE3 My Name ',pi=`62A427562B04DCE3 41B298ED82067C7D 16 0')
2604/passphrase_callback_box: using keyid 0x41B298ED82067C7D
2604/passphrase_callback_box: getting passphrase for 0x41B298ED82067C7D from cache: miss
2604/passphrase_callback_box: sending passphrase ...
2604/passphrase_callback_box: leave
2604/passcache.c:passcache_put: ignoring attempt to add empty entry `41B298ED82067C7D'
2604/decrypt isHtml=0
2604/msgcache_get: cache miss for key: 01C64882BD8D8BD51DF953384A1D85E00283D639DAD4
2604/msgcache_put: new cache key: 01C64882BD8D8BD51DF953384A1D85E00283D639DAD4
2604/found class RichEdit20W
2604/display.cpp:update_display: window handle 0006047C
2604/display.cpp:update_display: window text is now ` Testing out gpgol. Good luck! '
2604/writing attestation `Verification started at: 3/15/2006 2:50:49 PM Verification result for: [unnamed part] Good signature from: My Name aka: My Name created: 3/15/2006 2:50:09 PM This signature is valid signature state is "green" '
2604/gpgmsg.cpp:decrypt: leave (rc=0)
2604/ul_release UlRelease(014FCA70) had 2 references
2604/ul_release UlRelease(00E564A8) had 1 references
2604/olflange.cpp:DoCommand: commandID=61536 (0xf060)
2604/olflange.cpp:find_outlook_property: looking for `Close'
2604/olflange.cpp:find_outlook_property: got IDispatch=012CCE00 dispid=61475
2604/olflange.cpp:DoCommand: invoking Close succeeded
2604/olflange.cpp:~CGPGExchExt: cleaning up CGPGExchExt object; context=0x7 (ReadNoteMessage)
2604/olflange.cpp:DoCommand: commandID=136 (0x88)
2604/olflange.cpp:ExchEntryPoint: creating new CGPGExchExt object
2604/olflange.cpp:Install: context=0xc (PropertySheets) flags=0x0

From RStorm at krohne.de Tue Mar 28 11:26:32 2006
From: RStorm at krohne.de (Storm Ralf)
Date: Tue Mar 28 12:56:28 2006
Subject: [gpgol] gpgol not working with Outlook 2002]
Message-ID:

> I've got two problems.
> 1) keymanager button does not work.
> ("winpt.exe --keymanager" worked with the gdata plugin)

This worked for me. Did you configure with the correct path?

> 2) gpgol is prompting for passphrase and then decrypting messages
> properly, but is not displaying the result in the window.
> I thought it was not working at all, but I enabled the debug log,
> and as you can see from the excerpt below, it correctly decrypted
> the message (window text is now ` ... ') but it never displayed
> the decrypted message.

I can confirm that. No message display, but log seems ok. I also tried (unsuccessfully) saving and reopening the mail (the CTRL-S trick), which allegedly helped for a similar sounding problem with an old GData plugin version. For me, this prevents usage of the nice looking gpg4win package ...
System is the same, albeit DE version: XP SP4, OL 2002 SP3, GnuPG 1.4.3-cvs

I encountered it some time before and then joined this list. I was astonished that nobody seems to have reported this before. Then again, I read somewhere that GPGol only supports OL 2003 ...

best regards
Ralf

From JPClizbe at comcast.net Tue Mar 28 20:24:10 2006
From: JPClizbe at comcast.net (John Clizbe)
Date: Tue Mar 28 20:28:55 2006
Subject: Is there any GnuPG version which works with Windows Mobile 5.0?
In-Reply-To: <002101c649c9$312f5ec0$fda8a8c0@domsa.local>
References: <002101c649c9$312f5ec0$fda8a8c0@domsa.local>
Message-ID: <44297F4A.2000108@comcast.net>

Sebastian wrote:
>
> Is there any GnuPG version which works with Windows Mobile 5.0?

No one I know who is building GnuPG for Windows systems is targeting WinCE.

Vendors of CE hardware are claiming great compliance with desktop software.

That said, have you tried the Windows installer? If so, what were your results?

--
John P. Clizbe                   Inet: JPClizbe(a)comcast DOT nyet
Golden Bear Networks             PGP/GPG KeyID: 0x608D2A10
"Be who you are and say what you feel because those who mind don't matter
and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"

From wk at gnupg.org Tue Mar 28 20:49:05 2006
From: wk at gnupg.org (Werner Koch)
Date: Tue Mar 28 20:51:47 2006
Subject: [gpgol] gpgol not working with Outlook 2002]
In-Reply-To: <4419765F.5040306@socal.rr.com> (Roger Fischer's message of "Thu, 16 Mar 2006 06:29:51 -0800")
References: <4419765F.5040306@socal.rr.com>
Message-ID: <871wwmbe1q.fsf@wheatstone.g10code.de>

On Thu, 16 Mar 2006 06:29:51 -0800, Roger Fischer said:

> I downloaded gpgol-0.9.3 and tried it on my system

Way too old. You should use the one included in the gpg4win installer: http://www.gpg4win.org. There will very soon be a new release which features PGP/MIME signature verification.

If you have access to a Debian GNU/Linux box (or another POSIX system) you may build the latest version of GPGol yourself from the sources as available at ftp://ftp.g10code.com/g10code/gpgol/ . That is not an easy task and thus a safer way is to build the gpg4win installer as described on its webpage.

There are probably a lot of problems with OL2002 - even OL2003SP1 has severe problems.

Shalom-Salam,

Werner

From r.post at sara.nl Tue Mar 28 20:58:33 2006
From: r.post at sara.nl (Remco Post)
Date: Tue Mar 28 20:57:58 2006
Subject: Is there any GnuPG version which works with Windows Mobile 5.0?
In-Reply-To: <44297F4A.2000108@comcast.net>
References: <002101c649c9$312f5ec0$fda8a8c0@domsa.local> <44297F4A.2000108@comcast.net>
Message-ID: <44298759.1050904@sara.nl>

John Clizbe wrote:
> Sebastian wrote:
>> Is there any GnuPG version which works with Windows Mobile 5.0?
>
> No one I know who is building GnuPG for Windows systems is targeting WinCE.
>
> Vendors of CE hardware are claiming great compliance with desktop software.
>
> That said, have you tried the Windows installer? If so, what were your results?
>

since the xscale cpu found in most wm 5.0 devices is in no way compatible with an ia32 (eg pentium) cpu, this is nonsense. There is some effort on gnupg on wince/wm, but it is nowhere near production ready... more like alpha software. Google is your friend....

--
Kind regards,

Remco Post

SARA - Reken- en Netwerkdiensten    http://www.sara.nl
High Performance Computing          Tel. +31 20 592 3000    Fax. +31 20 668 3167
PGP Key fingerprint = 6367 DFE9 5CBC 0737 7D16 B3F6 048A 02BF DC93 94EC

"I really didn't foresee the Internet. But then, neither did the computer industry. Not that that tells us very much of course - the computer industry didn't even foresee that the century was going to end." -- Douglas Adams

From johnmoore3rd at joimail.com Tue Mar 28 21:09:36 2006
From: johnmoore3rd at joimail.com (John W. Moore III)
Date: Tue Mar 28 21:08:49 2006
Subject: Is there any GnuPG version which works with Windows Mobile 5.0?
In-Reply-To: <44298759.1050904@sara.nl>
References: <002101c649c9$312f5ec0$fda8a8c0@domsa.local> <44297F4A.2000108@comcast.net> <44298759.1050904@sara.nl>
Message-ID: <442989F0.1070103@joimail.com>

Remco Post wrote:

> since the xscale cpu found in most wm 5.0 devices is in no way
> compatible with an ia32 (eg pentium) cpu, this is nonsense. There is
> some effort on gnupg on wince/wm, but it is nowhere near production
> ready... more like alpha software. Google is your friend....

My 'gut feeling' is that there will be no significant progress toward integration of GnuPG into PDA's & Smart Phones until there is a Model offered with a Linux O/S. Last I heard, Palm was seriously talking about this. Since then they appear to have jumped into bed with Redmond. (M$)

JOHN :(
Timestamp: Tuesday 28 Mar 2006, 14:09 --500 (Eastern Standard Time)

From h-bar at skenbe.net Tue Mar 28 22:01:25 2006
From: h-bar at skenbe.net (Henrik O A Barkman)
Date: Tue Mar 28 23:26:17 2006
Subject: Key updating and preferred keyservers
Message-ID: <44299615.9080605@skenbe.net>

Is there a way to run refresh-keys WITHOUT honoring preferred keyserver records?

Every now and then I need to update an entire keyring from one specific keyserver, and since some of the keys involved has preferred keyserver records it usually turns into running refresh-keys followed by locating the un-updated key ID's in the scrollback, and then run recv-keys for those keys.

Something like "gpg --keyserver company.keyserver --refresh-keys --no-preferred-keyserver" would make this procedure much easier.

-- $\hbar$ -- http://skenbe.net/h-bar/ -- OpenPGP key ID 0x60D02095

From gpg-0 at ml.turing-complete.org Tue Mar 28 23:37:16 2006
From: gpg-0 at ml.turing-complete.org (Nicolas Rachinsky)
Date: Tue Mar 28 23:36:31 2006
Subject: Key updating and preferred keyservers
In-Reply-To: <44299615.9080605@skenbe.net>
References: <44299615.9080605@skenbe.net>
Message-ID: <20060328213716.GA37045@mid.pc5.i.0x5.de>

* Henrik O A Barkman [2006-03-28 22:01 +0200]:
> Is there a way to run refresh-keys WITHOUT honoring preferred keyserver
> records?

man gpg:

--keyserver-options parameters
[...]
    honor-keyserver-url
        When using --refresh-keys, if the key in question has a preferred keyserver set, then use that preferred keyserver to refresh the key from. Defaults to yes.

HTH,
Nicolas

--
http://www.rachinsky.de/nicolas

From dshaw at jabberwocky.com Tue Mar 28 23:46:02 2006
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue Mar 28 23:45:33 2006
Subject: Key updating and preferred keyservers
In-Reply-To: <44299615.9080605@skenbe.net>
References: <44299615.9080605@skenbe.net>
Message-ID: <20060328214602.GB28776@jabberwocky.com>

On Tue, Mar 28, 2006 at 10:01:25PM +0200, Henrik O A Barkman wrote:
>
> Is there a way to run refresh-keys WITHOUT honoring preferred keyserver
> records?
>
> Every now and then I need to update an entire keyring from one specific
> keyserver, and since some of the keys involved has preferred keyserver
> records it usually turns into running refresh-keys followed by locating
> the un-updated key ID's in the scrollback, and then run recv-keys for
> those keys.
>
> Something like "gpg --keyserver company.keyserver --refresh-keys
> --no-preferred-keyserver" would make this procedure much easier.

gpg --keyserver-options no-honor-keyserver-url --refresh-keys

Of course, the owners of those keys did presumably set a preferred keyserver URL because they wanted you getting their keys from the preferred keyserver...

David

From johnmoore3rd at joimail.com Tue Mar 28 23:47:12 2006
From: johnmoore3rd at joimail.com (John W. Moore III)
Date: Tue Mar 28 23:57:52 2006
Subject: Key updating and preferred keyservers
In-Reply-To: <44299615.9080605@skenbe.net>
References: <44299615.9080605@skenbe.net>
Message-ID: <4429AEE0.1000101@joimail.com>

Henrik O A Barkman wrote:

> Something like "gpg --keyserver company.keyserver --refresh-keys
> --no-preferred-keyserver" would make this procedure much easier.

From the Manual:

    honor-keyserver-url
        When using --refresh-keys, if the key in question has a preferred keyserver set, then use that preferred keyserver to refresh the key from. Defaults to yes.

So, under (within the line 'Keyserver-options' in gpg.conf) try adding:

no-honor-keyserver-url

This should disable the preferred Keyserver and refresh from your chosen one.

JOHN ;)
Timestamp: Tuesday 28 Mar 2006, 16:45 --500 (Eastern Standard Time)

From johnmoore3rd at joimail.com Wed Mar 29 00:02:13 2006
From: johnmoore3rd at joimail.com (John W. Moore III)
Date: Wed Mar 29 00:01:30 2006
Subject: no-honor-keyserver-url
Message-ID: <4429B265.4040309@joimail.com>

David makes a very good point! The possibility strongly exists that an individual has requested a /specific/ Keyserver for refreshing or downloading their Key because they have control of their Key that way. They may *not* wish that their Key be exposed to the 'gossip Servers' and would be irritated.

JOHN :-\
Timestamp: Tuesday 28 Mar 2006, 17:02 --500 (Eastern Standard Time)

From jimmy at kaplowitz.org Wed Mar 29 01:58:22 2006
From: jimmy at kaplowitz.org (Jimmy Kaplowitz)
Date: Wed Mar 29 02:56:30 2006
Subject: Remote use of keys on smartcard via gnupg-agent?
Message-ID: <20060328235822.GA25698@mail.kaplowitz.org>

Hi,

I know that gnupg-agent can allow remote use of OpenPGP keys on a locally-connected smartcard machine to authenticate an ssh connection from one remote machine to another. Access to the OpenPGP keys is forwarded over the first ssh connection to the GPG agent as necessary, without actually transferring the keys over the wire. (Please correct me if I misunderstand this.)

What I'd like to do is forward access to those keys from the local machine to a remote machine, but instead of using them to authenticate ssh, I'd like to use them to sign or decrypt messages on the remote machine, with a remote copy of gpg talking to the forwarded gpg-agent just as it would talk to a non-forwarded copy on that machine. Is there a way to do this, or can it be added?

I currently access my email via mutt over SSH, and therefore my private key is currently stored on that remote server.
I am fully aware how bad of an idea this is, and so if what I ask above is possible, I plan to move my private key to a secure offline location, put subkeys on a smartcard that I take with me, and forward access to them over SSH to the remote email server for routine use. Hopefully I'm not the only one who wants this. Thanks. - Jimmy Kaplowitz jimmy@kaplowitz.org From gnupg at raphael.poss.name Wed Mar 29 10:20:04 2006 From: gnupg at raphael.poss.name (=?ISO-8859-1?Q?Rapha=EBl_Poss?=) Date: Wed Mar 29 10:19:49 2006 Subject: Is there any GnuPG version which works with Windows Mobile 5.0? In-Reply-To: <442989F0.1070103@joimail.com> References: <002101c649c9$312f5ec0$fda8a8c0@domsa.local> <44297F4A.2000108@comcast.net> <44298759.1050904@sara.nl> <442989F0.1070103@joimail.com> Message-ID: <442A4334.4050402@raphael.poss.name> John W. Moore III wrote: > My 'gut feeling' is that there will be no significant progress toward > integration of GnuPG into PDA's & Smart Phones until there is a Model > offered with a Linux O/S. Last I heard, Palm was seriously talking > about this. Since then they appear to have jumped into bed with > Redmond. (M$) Actually you already have a number of PDAs in Europe and Japan with Linux-embedded and either Opie (Qt) or GPE (Gtk) for the user environment, but I do not know of any development effort to make a GUI for gnupg on these (although the command-line version does already work). Greets, -- Raphael -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 190 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060329/213907fa/signature-0001.pgp From alex at bofh.net.pl Wed Mar 29 11:18:20 2006 From: alex at bofh.net.pl (Janusz A. Urbanowicz) Date: Wed Mar 29 11:18:17 2006 Subject: Is there any GnuPG version which works with Windows Mobile 5.0? 
In-Reply-To: <442989F0.1070103@joimail.com>
References: <002101c649c9$312f5ec0$fda8a8c0@domsa.local>
  <44297F4A.2000108@comcast.net> <44298759.1050904@sara.nl>
  <442989F0.1070103@joimail.com>
Message-ID: <20060329091820.GK3349@hell.pl>

On Tue, Mar 28, 2006 at 02:09:36PM -0500, John W. Moore III wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Remco Post wrote:
>
> > since the xscale cpu found in most wm 5.0 devices is in no way
> > compatible with an ia32 (eg pentium) cpu, this is nonsense. There is
> > some effort on gnupg on wince/wm, but it is nowhere near production
> > ready... more like alpha software. Google is your friend....
>
> My 'gut feeling' is that there will be no significant progress toward
> integration of GnuPG into PDA's & Smart Phones until there is a Model
> offered with a Linux O/S. Last I heard, Palm was seriously talking
> about this. Since then they appear to have jumped into bed with
> Redmond. (M$)

If you need OpenPGP for mobile, Mobile PGP is excellent.

From gnupg at raphael.poss.name Wed Mar 29 11:26:08 2006
From: gnupg at raphael.poss.name (Raphaël Poss)
Date: Wed Mar 29 11:25:31 2006
Subject: Remote use of keys on smartcard via gnupg-agent?
In-Reply-To: <20060328235822.GA25698@mail.kaplowitz.org>
References: <20060328235822.GA25698@mail.kaplowitz.org>
Message-ID: <442A52B0.7030607@raphael.poss.name>

Hi Jimmy,

Jimmy Kaplowitz wrote:
> I currently access my email via mutt over SSH, and therefore my private
> key is currently stored on that remote server. I am fully aware how bad
> of an idea this is, and so if what I ask above is possible, I plan to
> move my private key to a secure offline location, put subkeys on a
> smartcard that I take with me, and forward access to them over SSH to
> the remote email server for routine use. Hopefully I'm not the only one
> who wants this.

People who are serious about security would probably like to have the
crypto done by the smartcard itself, or at least the computer they are
sitting in front of. Therefore a better setup would be to have the
encrypted data transmitted from your distant ssh host to your local host
for decryption, and decrypted data sent back to your ssh host for use
(or just viewed locally).

If you are just using mutt in your remote ssh shell, you could configure
manually something along these lines:

1. connect to your remote ssh host using remote port forwarding, with
-R4242:localhost:4242

2. on your local host, run something like this in an interactive shell:

while true; do nc -l 4242 | gpg ; done

3. configure your remote mutt to send the encrypted data to port 4242 on
the same host, so that it gets forwarded back via your ssh connection.

This way your local gpg will get its input from the remote mutt. I did
not test this, but you get the idea.

--
Raphael

From jimmy at kaplowitz.org Wed Mar 29 11:45:46 2006
From: jimmy at kaplowitz.org (Jimmy Kaplowitz)
Date: Wed Mar 29 11:45:02 2006
Subject: Remote use of keys on smartcard via gnupg-agent?
In-Reply-To: <442A52B0.7030607@raphael.poss.name>
References: <20060328235822.GA25698@mail.kaplowitz.org>
  <442A52B0.7030607@raphael.poss.name>
Message-ID: <20060329094546.GE29775@mail.kaplowitz.org>

Hi Raphaël,

On Wed, Mar 29, 2006 at 11:26:08AM +0200, Raphaël Poss wrote:
> People who are serious about security would probably like to have the
> crypto done by the smartcard itself, or at least the computer they are
> sitting in front of.
> Therefore a better setup would be to have the
> encrypted data transmitted from your distant ssh host to your local host
> for decryption, and decrypted data sent back to your ssh host for use
> (or just viewed locally).

Isn't that basically what gpg-agent does already for ssh authentication?
If I sit at machine A with a smartcard plugged in, connect to machine B
with an authentication key from the smartcard, and then try to connect
from machine B to machine C, that same authentication key on the
smartcard will be available despite it not being stored on either
machine B or machine C. The request will be tunneled by gpg-agent over
ssh, and the password prompt and cryptographic interaction with the key
will happen locally on machine A.

Am I misunderstanding how that works? If not, I'm just asking for the
same ability to forward access to keys over ssh but use them remotely
(such as on machine B or C) for any GPG signing and decryption, as well
as ssh authentication. If I understand this right, the crypto happens on
the smartcard in any case.

> 1. connect to your remote ssh host using remote port forwarding, with
> -R4242:localhost:4242
[...]
> while true; do nc -l 4242 | gpg ; done
[...]
> 3. configure your remote mutt to send the encrypted data to port 4242 on
> the same host, so that it gets forwarded back via your ssh connection.

Sometimes I use gpg remotely on the command line, and even within mutt,
there are many different commands it might want to issue to gpg. There
are also other programs I might want to start using, like a console
password manager, that would also want to access the gpg key. This seems
like a very clumsy way to do what gpg-agent already does very well on
the local machine for signing/decrypting/authenticating and on remote
machines for authenticating. I just want to equalize its capabilities on
remote machines with those on local machines, while keeping the
private-key crypto local to the smartcard as it already is with
gpg-agent.

Still, thanks for giving a first stab at a solution. Hopefully we'll be
able to figure out something, whether or not involving code changes.

- Jimmy Kaplowitz
jimmy@kaplowitz.org

From h-bar at skenbe.net Wed Mar 29 18:24:11 2006
From: h-bar at skenbe.net (Henrik O A Barkman)
Date: Wed Mar 29 18:23:53 2006
Subject: Key updating and preferred keyservers
In-Reply-To: <20060328214602.GB28776@jabberwocky.com>
References: <44299615.9080605@skenbe.net>
  <20060328214602.GB28776@jabberwocky.com>
Message-ID: <442AB4AB.5040406@skenbe.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>> Something like "gpg --keyserver company.keyserver --refresh-keys
>> --no-preferred-keyserver" would make this procedure much easier.
>
> gpg --keyserver-options no-honor-keyserver-url --refresh-keys

Thanks.

> Of course, the owners of those keys did presumably set a preferred
> keyserver URL because they wanted you getting their keys from the
> preferred keyserver...

Yes, I am aware of the possible conflict of interest between what the
sender/author of any kind of data would want the receiver to do with the
data and what the receiver would like to do with the data. Still, I need
to keep one keyring updated from one non-public keyserver.

- --
$\hbar$ -- http://skenbe.net/h-bar/ -- OpenPGP key ID 0x60D02095
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3rc2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEKrSrQbA0YmDQIJURAr5XAJ4lU4IdDIGjJDDcrA7k14bE5g0EMQCeJ0Nc
ntNRLI/qvh1BnZ1T0QXn2r8=
=cQ56
-----END PGP SIGNATURE-----

From pmvfunds at yahoo.com Wed Mar 29 23:03:35 2006
From: pmvfunds at yahoo.com (phil)
Date: Wed Mar 29 23:03:17 2006
Subject: is clearsigned text also vulnerable to recent injection of unsigned data problem ?
Message-ID: <20060329210335.47121.qmail@web38409.mail.mud.yahoo.com>

Hi,

A quick question regarding the recently discovered
vulnerability to the injection of unsigned data :

From dshaw at jabberwocky.com Thu Mar 30 00:08:12 2006
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Mar 30 00:07:36 2006
Subject: is clearsigned text also vulnerable to recent injection of unsigned data problem ?
In-Reply-To: <20060329210335.47121.qmail@web38409.mail.mud.yahoo.com>
References: <20060329210335.47121.qmail@web38409.mail.mud.yahoo.com>
Message-ID: <20060329220812.GE1001@jabberwocky.com>

On Wed, Mar 29, 2006 at 01:03:35PM -0800, phil wrote:
> Hi,
>
> A quick question regarding the recently discovered
> vulnerability to the injection of unsigned data :
>
> From the description, it wasn't completely clear to me
> whether this vulnerability also applied to
> verification of clearsigned text. Does it?

It doesn't. Here's the story:

* It doesn't apply to signed software tarballs (detached signatures)

* It doesn't apply to PGP/MIME signed email messages (which are
  detached signatures under the hood)

* It doesn't apply to clearsigned messages

* It might apply to sign+encrypted PGP/MIME messages and sign+encrypted
  messages in general (though note your attacker in this case may be
  the person who encrypted the message...)

* It might apply to unencrypted-but-binary-signed messages (essentially
  signed+encrypted without the encryption - generally not used much).

David

From saschainlondon at gmx.net Thu Mar 30 01:18:40 2006
From: saschainlondon at gmx.net (saschainlondon@gmx.net)
Date: Thu Mar 30 02:56:15 2006
Subject: Retrieving public key from smartcard
Message-ID: <26233.1143674320@www094.gmx.net>

Hi everyone,

I am using one of these g10code/PPC OpenPGP cards. Works (nearly)
perfectly at home (where I created my keypair). Now I would like to use
the card with another PC. Unfortunately I have only my OpenPGP card and
no copy of my public key.
How is it possible to retrieve the public key
from the card and set up GnuPG to work with
this card that is already set up (I do not
want to create a new key pair!)

Any help appreciated! Thanks very much!

Sascha

From wk at gnupg.org Thu Mar 30 12:39:51 2006
From: wk at gnupg.org (Werner Koch)
Date: Thu Mar 30 12:42:02 2006
Subject: Retrieving public key from smartcard
In-Reply-To: <26233.1143674320@www094.gmx.net> (saschainlondon@gmx.net's
  message of "Thu, 30 Mar 2006 01:18:40 +0200 (MEST)")
References: <26233.1143674320@www094.gmx.net>
Message-ID: <878xqs6wso.fsf@wheatstone.g10code.de>

On Thu, 30 Mar 2006 01:18:40 +0200 (MEST), saschainlondon said:

> How is it possible to retrieve the public key
> from the card and set up GnuPG to work with
> this card that is already set up (I do not
> want to create a new key pair!)

The public key is not on the card due to space issue. You should get
it from a keyserver or another location. The URL data object on the
card is very handy for that. Enter the URL used to get your public
key and then run gpg --card-edit and enter the command "fetch".

Salam-Shalom,

Werner

From saschainlondon at gmx.net Fri Mar 31 00:45:10 2006
From: saschainlondon at gmx.net (saschainlondon@gmx.net)
Date: Fri Mar 31 00:44:52 2006
Subject: Retrieving public key from smartcard
References: <878xqs6wso.fsf@wheatstone.g10code.de>
Message-ID: <10388.1143758710@www064.gmx.net>

Thanks for that quick response!

> The public key is not on the card due to space issue. You should get
> it from a keyserver or another location. The URL data object on the
> card is very handy for that. Enter the URL used to get your public
> key and then run gpg --card-edit and enter the command "fetch".

I didn't send my public key to a keyserver right after creation.
Fortunately, a friend of mine had a copy of my public key.

Isn't it possible to create the public key again with the card?
(Assume I didn't send the public key to anywhere/anyone and have only my
smartcard!)

If it isn't possible a short note should be added to the documentation to
remind everyone to backup the public key immediately after creation.

Kind regards

From wk at gnupg.org Fri Mar 31 10:12:47 2006
From: wk at gnupg.org (Werner Koch)
Date: Fri Mar 31 10:17:07 2006
Subject: Retrieving public key from smartcard
In-Reply-To: <10388.1143758710@www064.gmx.net> (saschainlondon@gmx.net's
  message of "Fri, 31 Mar 2006 00:45:10 +0200 (MEST)")
References: <878xqs6wso.fsf@wheatstone.g10code.de>
  <10388.1143758710@www064.gmx.net>
Message-ID: <874q1f58xs.fsf@wheatstone.g10code.de>

On Fri, 31 Mar 2006 00:45:10 +0200 (MEST), saschainlondon said:

> Isn't it possible to create the public key again with the card?
> (Assume I didn't send the public key to anywhere/anyone and have only my
> smartcard!)

No. For example my key is a bit larger than 64k and that is far too
much to save on a smartcard. It is named public key for a reason; it
should be on some public or semi-public space - without that it is
useless.

> If it isn't possible a short note should be added to the documentation to
> remind everyone to backup the public key immediately after creation.

It is not about a backup. However we should clarify that the card
only holds the secret key and that it is not possible to re-generate
the public key (with user ids etc.) from it.

Salam-Shalom,

Werner

From r.post at sara.nl Thu Mar 30 12:14:56 2006
From: r.post at sara.nl (Remco Post)
Date: Fri Mar 31 17:21:43 2006
Subject: gpg-agent
Message-ID: <442BAFA0.6070702@sara.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,

well, I've been using gpg-agent (gpg v 1.9.20) on both macos and linux
for some time now with my openpgp smartcard. Everything seems to be
fairly stable, though I once did experience a crash of gpg-agent on
linux.
I do have some questions:

the GPG_AGENT_INFO environment variable contains a process id. I use
gpg-agent with a default-socket location. After the crash and subsequent
restart everything continued to work, is the pid part of the GPG_INFO
var ignored? And in that case, could I just set it to an arbitrary value
in the wrapper-script I build for enigmail? (not that I really care).
Will that part be removed in a future release?

Though I have some cache-ttl set for both gpg and ssh use, this doesn't
seem to work for use with an openpgp smartcard. Colleagues do tell me
that caching does work with on disk keys. Is this some misfeature/bug or
just work in progress?

Does anybody have a build of gnupg 1.9.20 for windows(XP) ? I'd like to
test gpg-agent with putty. I do have a windows workstation available at
work, but no build environment...

- --
Kind regards,

Remco Post

SARA - Reken- en Netwerkdiensten http://www.sara.nl
High Performance Computing Tel. +31 20 592 3000 Fax. +31 20 668 3167
PGP Key fingerprint: 6367 DFE9 5CBC 0737 7D16 B3F6 048A 02BF DC93 94EC

"I really didn't foresee the Internet. But then, neither did the
computer industry. Not that that tells us very much of course - the
computer industry didn't even foresee that the century was going to
end." -- Douglas Adams
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iQCVAwUBRCuvmCrZkcVehrp5AQJoLAQAjU9nSCHfkUiYA9mRb2aLjgsWfLsCouW2
ONrIjX86mQPiCWLjo7UVVmMrlwu9qzhHD6l+WGC1HmtMv0s5ixbALXd7Iqo04psB
syr7Eb63CtN3Nnv8L9ctG4AXHE2t9FTJAek4wZvow2CWQTNlCgI53kAYKA9KHjfZ
/amBoUPz6Go=
=3IMH
-----END PGP SIGNATURE-----

From pg at futureware.at Wed Mar 29 23:58:19 2006
From: pg at futureware.at (Philipp Gühring)
Date: Mon Apr 3 10:18:09 2006
Subject: renewing of expired signatures
Message-ID: <200603292358.22537.pg@futureware.at>

Hi,

GnuPG has problems renewing expired signatures on keys, when the old
signature (that already expired) is still on the key.
The old expired signature is still on the key, and a new signature isn't
done when trying to renew it. The workaround is to manually remove the
old signature before creating a new signature.

Is this a bug or an intended feature?

Best regards,
Philipp Gühring
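
Added example, not part of any message in this archive and not GnuPG code: David Shaw's reply earlier in this archive lists which kinds of signed data the unsigned-data injection problem does and does not apply to, and this Python sketch sorts an input into those cases by reading its OpenPGP packet headers. The function names and sample bytes are constructed for illustration; input is assumed to be binary or clearsigned (other armored files need gpg --dearmor first).

```python
import zlib

CLEARSIGN = b"-----BEGIN PGP SIGNED MESSAGE-----"

def tags(data):
    """Return OpenPGP packet tags in order, descending into compressed packets."""
    out, i = [], 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not a binary OpenPGP packet header")
        if hdr & 0x40:                          # new-format header
            tag, first = hdr & 0x3F, data[i]
            if first < 192:
                length, i = first, i + 1
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
            elif first == 255:
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial body lengths are not handled here")
        else:                                   # old-format header
            tag, n = (hdr >> 2) & 0x0F, (1, 2, 4, 0)[hdr & 0x03]
            # n == 0: indeterminate length, the body runs to the end of the input
            length, i = (int.from_bytes(data[i:i + n], "big") if n else len(data) - i), i + n
        if i + length > len(data):
            raise ValueError("truncated packet")
        body, i = data[i:i + length], i + length
        if tag == 8 and body[:1] in (b"\x01", b"\x02"):  # 1 = ZIP (raw deflate), 2 = ZLIB
            wbits = -15 if body[0] == 1 else 15
            out += tags(zlib.decompressobj(wbits).decompress(body[1:], 1 << 20))  # 1 MiB cap
        else:
            out.append(tag)
    return out

def classify(data):
    """Place a message in one of the cases from David Shaw's list."""
    if data.lstrip().startswith(CLEARSIGN):
        return "clearsigned: does not apply"
    try:
        seen = set(tags(data))
    except (IndexError, zlib.error):
        raise ValueError("malformed OpenPGP data") from None
    if seen == {2}:                             # signature packets only
        return "detached signature: does not apply"
    if seen & {1, 3, 9, 18}:                    # session-key or encrypted-data packets
        return "encrypted, possibly sign+encrypted: might apply"
    if 11 in seen and seen & {2, 4}:            # literal data next to a signature
        return "binary-signed, unencrypted: might apply"
    return "undetermined: no signature packet visible"

# Constructed samples: packet headers are well-formed, bodies are placeholder bytes.
SAMPLES = {
    "release.tar.gz.sig": b"\xc2\x01\x00",
    "notice.txt.asc": CLEARSIGN + b"\nHash: SHA1\n\nhello\n",
    "report.gpg": b"\xa3\x02" + zlib.compress(b"\xc4\x01\x00\xcb\x01\x00\xc2\x01\x00"),
    "mail.pgp": b"\x85\x00\x01\x00\xd2\x01\x00",
}
```

An encrypted container cannot be inspected without the key, so the sketch can only report that such a message may also be signed.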