From cpollock at earthlink.net Mon Jan 1 01:01:10 2007
From: cpollock at earthlink.net (Chris)
Date: Sun, 31 Dec 2006 18:01:10 -0600
Subject: upgrade errors?
Message-ID: <200612311801.22752.cpollock@earthlink.net>

I've just upgraded to version 2.0.1 on my MDK10.1 system. After a few problems here and there, lib upgrades, I have it installed and gpg-agent is running. When I started

$ gpg-agent --daemon

this came up:

gpg-agent[18666]: Secure memory is not locked into core

What does this mean?

-- 
Chris
http://learn.to/quote

From arno. at no-log.org Mon Jan 1 01:30:49 2007
From: arno. at no-log.org (arno.)
Date: Mon, 1 Jan 2007 01:30:49 +0100
Subject: gpg-agent: hide my passphrase length
Message-ID: <20070101003049.GA17887@localhost.localdomain>

Hi,

I just discovered gpg-agent and it's useful to type my passphrase less often. Without gpg-agent, when gpg prompts me for a passphrase, it does not display the number of characters I type. But when I enter my passphrase in gpg-agent, a star is displayed for every letter I type (I use pinentry-curses as a backend). So, I feel less secure. It may not be so important, but I don't like it when people can see the length of my passwords.

I looked for a way to change that behaviour, but found none. Do you know of a solution?

thanks a lot

arno

From bob at rsmits.ca Mon Jan 1 01:54:59 2007
From: bob at rsmits.ca (Robert Smits)
Date: Sun, 31 Dec 2006 16:54:59 -0800
Subject: Making Progress, Still having Bad Signatures.
In-Reply-To: <4596630A.3080501@schokokeks.org>
References: <200612291533.51604.bob@rsmits.ca> <4596630A.3080501@schokokeks.org>
Message-ID: <200612311654.59778.bob@rsmits.ca>

On Saturday 30 December 2006 05:00, Michael Kallas wrote:
> Hi,
>
> > Here is the discovery. When I look at mail in the sent box in kmail, the
> > signatures are marked as good signatures, but the sig id has changed.
> >
> > The key signature has an id of 0x3E6E37DA when I look in the KGpg key
> > management window. When I look at the sent message it's marked with the
> > following key: 0xECE5238D3E6E37DA.
>
> This is exactly the same key, it's just the short or long id.
> If you want to check keys, short ids are not enough as there can be
> doubles. Long ids are practically unique.
>
> Best wishes
> Michael

Thanks, Michael, I didn't know they had long and short IDs.

-- 
Bob Smits bob at rsmits.ca

From olaf.gellert at intrusion-lab.net Mon Jan 1 14:48:09 2007
From: olaf.gellert at intrusion-lab.net (Olaf Gellert)
Date: Mon, 01 Jan 2007 14:48:09 +0100
Subject: Still Bad Signatures - KGPG seems broken
In-Reply-To: <200612311121.12703.bob@rsmits.ca>
References: <200612311121.12703.bob@rsmits.ca>
Message-ID: <45991119.10406@intrusion-lab.net>

Robert Smits wrote:
> Since I can send a message from the Windows Partition through my ISP and I can
> receive it on either my Linux partition or my Windows partition with a good
> signature I come to the conclusion that the ISP isn't doing anything bad to
> the email, but that it has something to do with what happens to it when I
> send it.

Well, can't tell for your special case. But there have always been issues with encoding (7 bit / 8 bit), so it might be that your email's encoding differs when you send it from Windows or Linux (and this may cause some mailer on the way to change the encoding (and destroy your clear-signed messages) or not).
> I wonder if anyone else with a similar setup (Suse 10.1/Kmail/Kontact/Kgpg)
> can try sending themselves a signed email and see if this problem is systemic
> or mine alone.

Does this problem only occur when you send to mailing lists? Or does it also occur when you send signed emails to normal recipients? That would give a strong indication on where the error actually happens...

Cheers,

Olaf

-- 
Dipl.Inform. Olaf Gellert          INTRUSION-LAB.NET
Senior Researcher,                 www.intrusion-lab.net
PKI - and IDS - Services           olaf.gellert at intrusion-lab.net

From bob at rsmits.ca Mon Jan 1 18:53:20 2007
From: bob at rsmits.ca (Robert Smits)
Date: Mon, 1 Jan 2007 09:53:20 -0800
Subject: Still Bad Signatures - KGPG seems broken
In-Reply-To: <45991119.10406@intrusion-lab.net>
References: <200612311121.12703.bob@rsmits.ca> <45991119.10406@intrusion-lab.net>
Message-ID: <200701010953.20372.bob@rsmits.ca>

On Monday 01 January 2007 05:48, Olaf Gellert wrote:
> Robert Smits wrote:
> > Since I can send a message from the Windows Partition through my ISP and
> > I can receive it on either my Linux partition or my Windows partition
> > with a good signature I come to the conclusion that the ISP isn't doing
> > anything bad to the email, but that it has something to do with what
> > happens to it when I send it.
>
> Well, can't tell for your special case. But there have
> always been issues with encoding (7 bit / 8 bit) so it
> might be that your emails encoding differs when you send
> it from windows or linux (and this may cause some mailer
> on the way to change the encoding (and destroy your clear-
> signed messages) or not).
>

Well, it didn't use to be this way. It seems to have broken in the last few months.

> > I wonder if anyone else with a similar setup (Suse
> > 10.1/Kmail/Kontact/Kgpg) can try sending themselves a signed email and
> > see if this problem is systemic or mine alone.
>
> Does this problem only occur when you send to mailing
> lists?
> Or does it also occur when you send signed emails
> to normal recipients? That would give a strong indication
> on where the error actually happens...

No, it only seems to happen to me. That is, if I send a message to someone else it's normal and the sig is good. But if I send a message to myself, or to a mailing list and I then receive it myself, the sig is marked bad. I can receive signed messages from other people just fine, however.

Thanks, Bob

-- 
Bob Smits bob at rsmits.ca

From benjamin at py-soft.co.uk Tue Jan 2 01:32:48 2007
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Tue, 02 Jan 2007 00:32:48 +0000
Subject: gpg-agent: hide my passphrase length
In-Reply-To: <20070101003049.GA17887@localhost.localdomain>
References: <20070101003049.GA17887@localhost.localdomain>
Message-ID: <4599A830.2000409@py-soft.co.uk>

arno. wrote:
> Do you know of a solution?

Yes. Download the source and patch it so it does what you want.

Ben

From jrowan at cox.net Tue Jan 2 11:31:45 2007
From: jrowan at cox.net (John Rowan)
Date: Tue, 2 Jan 2007 04:31:45 -0600
Subject: Import PGP Secret Keys
Message-ID:

I need to import public and private keys created by PGP 8.0. GnuPG allows me to import the PGP keys, but it imports all of them as public keys. I tried to run > gpg --import --allow-secret-key-import " ", but it still imported the PGP private key as a public key in GnuPG. Am I missing something here? Ultimately, I need to be able to read files encrypted by PGP without having to generate new keys to do so. I must use the existing keys. At some point, I will need to also encrypt files using these same keys.

Thanks in advance for the help.
John

From dshaw at jabberwocky.com Tue Jan 2 14:55:46 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 2 Jan 2007 08:55:46 -0500
Subject: Import PGP Secret Keys
In-Reply-To:
References:
Message-ID: <20070102135546.GA8345@jabberwocky.com>

On Tue, Jan 02, 2007 at 04:31:45AM -0600, John Rowan wrote:
> I need to import public and private keys created by PGP 8.0. GnuPG allows
> me to import the PGP keys, but it imports all of them as public keys. I
> tried to run > gpg --import --allow-secret-key-import " ", but it
> still imported the PGP private key as a public key in GnuPG. Am I missing
> something here?

It is difficult to answer this, because this is an "impossible" occurrence. Public and private keys are not the same, and a private key somehow ending up in the public keyring in GPG would cause it to panic and terminate the process. There are many places where this assertion is enforced.

Please check that what you think is happening is really happening. Is the file you are importing really a private key? (gpg --list-packets on the file can help answer this question).

Also, note that if you import a secret key (in either PGP or GPG) without the corresponding public key, the program will create a public key from the information in the secret key, as a secret key alone is not useful. The end result is both a secret and a public key are imported.

David

From shavital at mac.com Tue Jan 2 15:16:03 2007
From: shavital at mac.com (Charly Avital)
Date: Tue, 02 Jan 2007 09:16:03 -0500
Subject: Import PGP Secret Keys
In-Reply-To:
References:
Message-ID: <459A6923.5060908@mac.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

John Rowan wrote the following on 1/2/07 5:31 AM:
> I need to import public and private keys created by PGP 8.0. GnuPG allows
> me to import the PGP keys, but it imports all of them as public keys. I
> tried to run > gpg --import --allow-secret-key-import " ", but it
> still imported the PGP private key as a public key in GnuPG.
> Am I missing
> something here? Ultimately, I need to be able to read files encrypted by
> PGP without having to generate new keys to do so. I must use the existing
> keys. At some point, I will need to also encrypt files using these same
> keys. Thanks in advance for the help.
>
> John

You might want to try a different order: gpg --allow-secret-key-import --import [filename].

This will not help if, when exporting your PGP key(s) from PGP, you did not mark the button or square or whatever appears after you use the Export option, 'Include Private Key(s)'.

But I don't know what gpg version you are running. In man gpg under 1.4.6:

--allow-secret-key-import
    This is an obsolete option and is not used anywhere.

I am running MacOS X 10.4.8, PGP Desktop 9.5.2, and gpg 1.4.6. When I use the "Export" option from the File menu command, I am presented with a sheet (panel) that shows an unmarked small square button 'Include Private Key(s)'. If I mark the button, save the exported file, and use:

gpg --import [filename]

gpg will import the secret key.

Charly
KeyOnCard at:

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (Darwin)
Comment: GnuPG for Privacy
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQCVAwUBRZpo8iRJoUyU/RYhAQIAiQP+KJSgETZqLbruj1ZMnyeCki5lns99TvQN
IeBATyR8xhyT44Vjn2W8y5hsB41dYtUt1Oz+AcjPEpdzhFCZhgeIc5o4xTQxmqEV
3EiHypq3/M+XrSMdDU39YzkkAozn1vLBLcj+JNAhKu6H6F886osRnxLnuuJive5o
FfnUdQnbgMg=
=m15m
-----END PGP SIGNATURE-----

From dougb at dougbarton.us Tue Jan 2 19:11:24 2007
From: dougb at dougbarton.us (Doug Barton)
Date: Tue, 02 Jan 2007 10:11:24 -0800
Subject: Still Bad Signatures - KGPG seems broken
In-Reply-To: <200701010953.20372.bob@rsmits.ca>
References: <200612311121.12703.bob@rsmits.ca> <45991119.10406@intrusion-lab.net> <200701010953.20372.bob@rsmits.ca>
Message-ID: <459AA04C.1000909@dougbarton.us>

Robert Smits wrote:
> No, it only seems to happen to me. That is, If I send a message to someone
> else it's normal and the sig is good.
> But if I send a message to myself, or
> to a mailing list and I then receive it myself, the sig is marked bad.

This is starting to sound like something you might want to bring up with the kmail folks.

Doug

-- 
If you're never wrong, you're not trying hard enough

From jmoore3rd at bellsouth.net Tue Jan 2 22:38:45 2007
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Tue, 02 Jan 2007 16:38:45 -0500
Subject: Import PGP Secret Keys
In-Reply-To:
References:
Message-ID: <459AD0E5.2000308@bellsouth.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

John Rowan wrote:
> I need to import public and private keys created by PGP 8.0. GnuPG allows
> me to import the PGP keys, but it imports all of them as public keys. I
> tried to run > gpg --import --allow-secret-key-import " ", but it
> still imported the PGP private key as a public key in GnuPG. Am I missing
> something here? Ultimately, I need to be able to read files encrypted by
> PGP without having to generate new keys to do so. I must use the existing
> keys. At some point, I will need to also encrypt files using these same
> keys. Thanks in advance for the help.

OK, John; perhaps I'm missing something, BUT, which version of 'GnuPG' are You using? Are You 'Exporting' both the Secret & Public Key to the GnuPG Keyring? You appear to be using Outlook XP and unless you're using the appropriate version of GnuPG that could be the issue. Personally; I require more information about the Installation and parameters being used to offer advice.

Now; under the Heading of "Not What I Want to Hear"; might I suggest You switch from Outlook v. 9 to Thunderbird w/Enigmail? Would this change screw up an Enterprise environment?
JOHN :-\
Timestamp: Tuesday 02 Jan 2007, 16:37 --500 (Eastern Standard Time)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7-svn4392: (MingW32)
Comment: Public Key at: http://tinyurl.com/8cpho
Comment: Gossamer Spider Web of Trust: http://www.gswot.org
Comment: My Homepage: http://tinyurl.com/yzhbhx

iQEcBAEBCgAGBQJFmtDjAAoJEBCGy9eAtCsPf/4H/js+utCVRzNs/05HtQ2I5uTS
Y6JCSsZAdoHMNPNtTeXoFcCxNny42OrJcXmHbaUkSMazcIB/KPxClVe4FCzez+9u
IZ2DvM1VFuPvda9pSuElbDx+voKO1fy2O9YW1+vyMpDQlj3mhtvAwUUJ7G28+miO
bNmgQNSZXigQDyXgbp/6KASpXPQfctw+AsJAnQ0+Cypv8Pto2m3nYBde8At+5DAw
AQn5IF9aw+mISEhAmu9m6Xr54p3K/g7GLImyih5Gyrg7Yd2ZF35xYOmwOKv/sj91
n30foPb3aIoyTVHL3pFJaibWMw0XWoV0R2NoJR+av8Q1nxT6qQxPQiYIPvnLdx0=
=MsK6
-----END PGP SIGNATURE-----

From mailbox at ullrich.martini.name Tue Jan 2 20:03:56 2007
From: mailbox at ullrich.martini.name (Ullrich Martini)
Date: Tue, 02 Jan 2007 20:03:56 +0100
Subject: signatures using S-Trust smart card
Message-ID: <1167764636.4372.54.camel@luna>

Hello,

I am trying to perform a digital signature with a S-Trust (card issuer behind some German banks, "Sparkassen") signature card. This is a qualified signature card according to German signature law. Technically, it's a SECCOS card from Giesecke & Devrient. The file system complies with the German ZKA specification, which is an evolved version of the "DIN signature card", which finally should be supported by gpgsm through dinsig.c

I have successfully installed the card reader so that I can issue gpgsm --learn-card to read the public certificate from the card. I also have started gpg-agent as described in the man page. In order to get the certificate accepted I had to retrieve the S-Trust certificates from their website and get an intermediate certificate, which is not published on the website, from their email support.
So far so good:

ullrich at luna:~$ gpgsm --dump-chain 3D21BC85EDA74D98F1AC5A71F426771A150F47BD
/home/ullrich/.gnupg/pubring.kbx
--------------------------------
       Serial number: 01D3241394E9BB63609D0A7A934B1E18
              Issuer: CN=S-TRUST Authentication and Encryption Root CA 2005:PN,O=Deutscher Sparkassen Verlag GmbH,L=Stuttgart,ST=Baden-Wuerttemberg (BW),C=DE
             Subject: 2.5.4.5=#44535630303030303030353632,C=DE,2.5.4.4=#4D617274696E69,2.5.4.42=#556C6C7269636820486F727374204865696E72696368,CN=Dr. Ullrich Martini
                 aka:
            sha1_fpr: 3D:21:BC:85:ED:A7:4D:98:F1:AC:5A:71:F4:26:77:1A:15:0F:47:BD
             md5_fpr: 5C:AA:EE:84:5B:56:53:A4:ED:AD:86:E6:DC:E9:AE:CE
              certid: 2D57C12DE9119FE2AA2F6EF348AEE1DC2626F214.01D3241394E9BB63609D0A7A934B1E18
             keygrip: 864314699D78AB3F134A009BDD3FF4F7F2F86779
           notBefore: 2006-07-08 00:00:00
            notAfter: 2010-12-30 23:59:59
            hashAlgo: 1.2.840.113549.1.1.5 (sha1WithRSAEncryption)
             keyType: 1728 bit RSA
           subjKeyId: 8816E965BDC22D3CF403B9A6ABE096FA538CB2A5
           authKeyId: [none]
        authKeyId.ki: 0FCA1E5C79E0A2F329B6D285B30B4AB565EC6B52
            keyUsage: digitalSignature keyEncipherment dataEncipherment
         extKeyUsage: clientAuth (suggested)
                      emailProtection (suggested)
                      ipsecUser (suggested)
                      1.3.6.1.4.1.311.20.2.2 (suggested)
            policies: 1.3.6.1.4.1.19300.10.2
         chainLength: not a CA
               crlDP: http://onsitecrl-str.s-trust.de/DeutscherSparkassenVerlagGmbHDebitCard/LatestCRL.crl
                      ldap://directory-str.s-trust.de/CN=S-TRUST%20Authentication%20and%20Encryption%20Root%20CA%202005%3APN,O=Deutscher%20Sparkassen%20Verlag%20GmbH,L=Stuttgart,ST=Baden-Wuerttemberg%20(BW),C=DE?certificateRevocationList;binary
                      issuer: none
            authInfo: 1.3.6.1.5.5.7.48.1 (ocsp)
                      http://ocsp-str.s-trust.de
            subjInfo: [none]
                extn: 1.3.6.1.5.5.7.1.1 (authorityInfoAccess)  [42 octets]
Certified by
       Serial number: 371918E653547C1AB5B8CB595ADB35B7
              Issuer: CN=S-TRUST Authentication and Encryption Root CA 2005:PN,O=Deutscher Sparkassen Verlag GmbH,L=Stuttgart,ST=Baden-Wuerttemberg (BW),C=DE
             Subject: CN=S-TRUST Authentication and Encryption Root CA
2005:PN,O=Deutscher Sparkassen Verlag GmbH,L=Stuttgart,ST=Baden-Wuerttemberg (BW),C=DE
            sha1_fpr: BE:B5:A9:95:74:6B:9E:DF:73:8B:56:E6:DF:43:7A:77:BE:10:6B:81
             md5_fpr: 04:4B:FD:C9:6C:DA:2A:32:85:7C:59:84:61:46:8A:64
              certid: 2D57C12DE9119FE2AA2F6EF348AEE1DC2626F214.371918E653547C1AB5B8CB595ADB35B7
             keygrip: F0608EFE3BF31FA253B87E1B1702BAA8EAE4E654
           notBefore: 2005-06-22 00:00:00
            notAfter: 2030-06-21 23:59:59
            hashAlgo: 1.2.840.113549.1.1.5 (sha1WithRSAEncryption)
             keyType: 2048 bit RSA
           subjKeyId: 0FCA1E5C79E0A2F329B6D285B30B4AB565EC6B52
           authKeyId: [none]
        authKeyId.ki: 0FCA1E5C79E0A2F329B6D285B30B4AB565EC6B52
            keyUsage: certSign crlSign
         extKeyUsage: [none]
            policies: [none]
         chainLength: 0
               crlDP: [none]
            authInfo: [none]
            subjInfo: [none]

looks good. I configured this key as local-user in gpgsm.conf. However, then:

ullrich at luna:~$ gpgsm -s test.txt > test.sig
gpgsm: can't sign using `3D21BC85EDA74D98F1AC5A71F426771A150F47BD': Kein geheimer Schlüssel

(the German error message means "no secret key")

Now I'm at a loss. Of course, there is no secret key, because it is still on the card. Looks to me as if gpgsm is missing the fact that this key must be used through the card reader. I checked that the card is still connected.

What is wrong here?

many thanks in advance,

Ullrich

P.S.1: my system info: Debian testing, versions are:

gpgsm 2.0.0-5.2
gnupg-agent 2.0.0-5.2
pcscd 1.3.2-3

The card reader is a Reiner SCT cyberJack e-com class 3 reader.

P.S.2: I work for the smart card vendor Giesecke & Devrient and would be willing to contribute with respect to APDUs and smart card file systems. However, it looks to me as if the problem in question here is not located on the APDU level but somewhere around gnupg-agent itself or my faulty usage of gpgsm.

P.S.3: Does gpgsm know about class 3 readers? There are two certificates on my card, one is to be used with PINs from the PC keyboard ("CSA password") and the other is to be used with PINs entered on the card reader.
Only the latter one is acceptable for qualified signatures. It seems to me that the certificate in question is of the first kind (judged from looking at the certificate chains).

From james.platt at yale.edu Tue Jan 2 23:09:59 2007
From: james.platt at yale.edu (James Platt)
Date: Tue, 02 Jan 2007 17:09:59 -0500
Subject: Connecticut DSS Requirements for Electronic Signatures
Message-ID:

I'm writing some documentation for a particular application I support that uses GPG as a back end for signing documents. This particular implementation is subject to regulation from the Connecticut Department of Social Services (link to the regulations below). While I am confident that my application meets the requirements (especially given the variety of other systems where the vendors have signed off on compliance with this regulation) I want to be sure that my documentation is technically correct for my own satisfaction, if nothing else. I wonder if readers of this list could comment on how they would interpret the application of these rules to the use of GPG.

In particular, what would you say is the "unique code?" Is it just the user's private key or is it the private key plus other information stored with it? As I understand it, the main input in generating a key pair is the output of a random number generator. Does information about the user such as their name and email address actually get incorporated into the key in any way or is that information just stored along with it?

I would rather not say that the GPG password is part of the unique code because the regulations speak of the unique code as being something which is assigned to the user by the provider (me). That could then be interpreted as meaning that I would have to assign every user a new password every 60 days (requirement 7b). It makes a lot more sense to me to have the users pick their own passwords but maybe I'm taking that part too literally.
http://www.ctmedicalprogram.com/bulletin/pb05_50.pdf

James Platt
C&IS Support Specialist
Dermatology, Yale Cancer Center
Yale University School of Medicine, New Haven, CT

From cpollock at earthlink.net Wed Jan 3 02:55:56 2007
From: cpollock at earthlink.net (Chris)
Date: Tue, 2 Jan 2007 19:55:56 -0600
Subject: Still Bad Signatures - KGPG seems broken
In-Reply-To: <459AA04C.1000909@dougbarton.us>
References: <200612311121.12703.bob@rsmits.ca> <200701010953.20372.bob@rsmits.ca> <459AA04C.1000909@dougbarton.us>
Message-ID: <200701021955.56769.cpollock@earthlink.net>

On Tuesday 02 January 2007 12:11 pm, Doug Barton wrote:
> Robert Smits wrote:
> > No, it only seems to happen to me. That is, If I send a message to
> > someone else it's normal and the sig is good. But if I send a message to
> > myself, or to a mailing list and I then receive it myself, the sig is
> > marked bad.
>
> This is starting to sound like something you might want to bring up
> with the kmail folks.

Robert, I've missed some of this thread but maybe I can partially help. I too see my sigs as bad when sending to one particular mailing list, the Mandriva Newbie List. I've been told it has to do with the software they use, sympa. My sigs only show as bad if I use OpenPGP/MIME; if I use Inline OpenPGP they show up as good. I still see bad signatures in my sent mail folder, mostly on LARTs I've sent out. I'm not sure what causes it, some say it has to do with Kmail. I've not yet gotten around to setting up another mailer though.

-- 
Chris
KeyID 0x
http://learn.to/quote

From sgarlick at gmail.com Wed Jan 3 01:33:26 2007
From: sgarlick at gmail.com (Simon H.
Garlick)
Date: Wed, 3 Jan 2007 11:03:26 +1030
Subject: Import PGP Secret Keys
In-Reply-To:
References:
Message-ID: <49aa5b1b0701021633y2ca7ba61kc683d77aca30e4f6@mail.gmail.com>

On 1/2/07, John Rowan wrote:
> I need to import public and private keys created by PGP 8.0. GnuPG allows
> me to import the PGP keys, but it imports all of them as public keys. I
> tried to run > gpg --import --allow-secret-key-import " ", but it
> still imported the PGP private key as a public key in GnuPG. Am I missing
> something here? Ultimately, I need to be able to read files encrypted by
> PGP without having to generate new keys to do so. I must use the existing
> keys. At some point, I will need to also encrypt files using these same
> keys. Thanks in advance for the help.
>
> John

First things first -- are you sure you're exporting the private keys from PGP 8 correctly? I ask because it's something obvious that I've forgotten to do more than once.

shg

From dshaw at jabberwocky.com Wed Jan 3 04:52:58 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 2 Jan 2007 22:52:58 -0500
Subject: Connecticut DSS Requirements for Electronic Signatures
In-Reply-To:
References:
Message-ID: <20070103035258.GA13200@jabberwocky.com>

On Tue, Jan 02, 2007 at 05:09:59PM -0500, James Platt wrote:
> I'm writing some documentation for a particular application I support
> that uses GPG as a back end for signing documents. This particular
> implementation is subject to regulation from the Connecticut
> Department of Social Services (link to the regulations below). While
> I am confident that my application meets the requirements (especially
> given the variety of other systems where the vendors have signed off
> on compliance with this regulation) I want to be sure that my
> documentation is technically correct for my own satisfaction, if
> nothing else. I wonder if readers of this list could comment on how
> they would interpret the application of these rules to the use of GPG.
I'll preface this by noting that while I have done work similar to this in "fitting" GPG to set regulations, and could reasonably be called an authority on OpenPGP/GPG, obviously I'm not an authority from the Connecticut DSS, or even the Massachusetts one.

> In particular, what would you say is the "unique code?" Is it just
> the user's private key or is it the private key plus other
> information stored with it?

The "unique code" is the user's private key, plus the passphrase.

> As I understand it, the main input in generating a key pair is the
> output of a random number generator.

Not exactly true, but true enough. The exact details depend on which signing algorithm you're using.

> Does information about the user such as their name and email address
> actually get incorporated into the key in any way or is that
> information just stored along with it?

The name and email address are just stored along with it. They are treated as part of the key for convenience, but are not a factor in the actual crypto math.

> I would rather not say that the GPG password is part of the unique
> code because the regulations speak of the unique code as being
> something which is assigned to the user by the provider (me). That
> could then be interpreted as meaning that I would have to assign
> every user a new password every 60 days (requirement 7b). It makes
> a lot more sense to me to have the users pick their own passwords
> but maybe I'm taking that part too literally.

I'd say the "unique code" includes the passphrase. It would be hard to argue otherwise as even the example given in the document shows the passphrase being included (requirement 1).

That said, I don't see 7b as requiring you to issue each user a new passphrase every 60 days. It is sufficient for you to "ensure passphrases are revised periodically", which would allow for users to change them. The catch here is that there is no facility in OpenPGP for forcing a periodic passphrase change.
Since it can't be forced, you may have to trust your users to do this properly.

David

From vince at totalsense.com Wed Jan 3 05:28:20 2007
From: vince at totalsense.com (Vince Callaway)
Date: Tue, 02 Jan 2007 20:28:20 -0800
Subject: Connecticut DSS Requirements for Electronic Signatures
In-Reply-To:
References:
Message-ID: <1167798500.4681.67.camel@vince-laptop>

I'm currently reading through the doc. These people are clueless. It's been proved over and over that changing passwords often is bad. The reason you ask? People write them down. Just like the people that put a post-it on the back of a debit card with the PIN.

I was on the task force that wrote the rules for Washington State's Digital Signature Law. One of the reasons the act passed was to keep every little podunk agency from coming up with their own rules and make digital signatures useless.

After I read the whole doc I'll give you my opinion.

From jrowan at cox.net Wed Jan 3 07:04:38 2007
From: jrowan at cox.net (John Rowan)
Date: Wed, 3 Jan 2007 00:04:38 -0600
Subject: Import PGP Secret Keys
Message-ID:

Thanks for the help guys. I verified with my client and they did not export the key correctly from PGP. All is well now.

From bob at rsmits.ca Wed Jan 3 09:07:24 2007
From: bob at rsmits.ca (Robert Smits)
Date: Wed, 3 Jan 2007 00:07:24 -0800
Subject: Still Bad Signatures - KGPG seems broken
In-Reply-To: <200701021955.56769.cpollock@earthlink.net>
References: <200612311121.12703.bob@rsmits.ca> <459AA04C.1000909@dougbarton.us> <200701021955.56769.cpollock@earthlink.net>
Message-ID: <200701030007.38475.bob@rsmits.ca>

On Tuesday 02 January 2007 17:55, Chris wrote:
> On Tuesday 02 January 2007 12:11 pm, Doug Barton wrote:
> > Robert Smits wrote:
> > > No, it only seems to happen to me. That is, If I send a message to
> > > someone else it's normal and the sig is good. But if I send a message
> > > to myself, or to a mailing list and I then receive it myself, the sig
> > > is marked bad.
> >
> > This is starting to sound like something you might want to bring up
> > with the kmail folks.
>
> Robert, I've missed some of this thread but maybe I can partially help. I
> too see my sigs as bad when sending to one particular mailing list, the
> Mandriva Newbie List. I've been told it has to do with the software they
> use, sympa. My sigs only show as bad if I use OpenPGP/MIME, if I use Inline
> OpenPGP they show up as good. I still see bad signatures in my sent mail
> folder mostly on LARTs I've sent out. I'm not sure what causes it, some say
> it has to do with Kmail. I've not yet gotten around to setting up another
> mailer though.

It's not just one mailing list, Chris, it's all the lists I subscribe to, and most of them appear to run mailman. It also happens when I send mail to myself.

I've submitted it as a bug to the kde group.

Bob.

-- 
Bob Smits bob at rsmits.ca

From wk at gnupg.org Wed Jan 3 09:22:15 2007
From: wk at gnupg.org (Werner Koch)
Date: Wed, 03 Jan 2007 09:22:15 +0100
Subject: Connecticut DSS Requirements for Electronic Signatures
In-Reply-To: <1167798500.4681.67.camel@vince-laptop> (Vince Callaway's message of "Tue\, 02 Jan 2007 20\:28\:20 -0800")
References: <1167798500.4681.67.camel@vince-laptop>
Message-ID: <87mz50pljc.fsf@wheatstone.g10code.de>

On Wed, 3 Jan 2007 05:28, vince at totalsense.com said:

> It's been proved over and over that changing passwords often is bad. The
> reason you ask? People write them down. Just like the people that put a
> post-it on the back of a debit card with the PIN.

With passphrases used to protect private keys there is another argument against the requirement to change a passphrase: The passphrase is designed as a fail-stop measure in case the private key ever leaks out.
Now, if the private key has actually leaked, changing the passphrase won't help because breaking the old passphrase would reveal the same private key. Even worse, if an attacker has access to (say) regular backups of the protected private key, a scheduled passphrase change will make it easier for him to break that protection. The chance that a dictionary attack succeeds gets better if there are more attack targets ultimately revealing the very same private key.

Shalom-Salam,

Werner

From wk at gnupg.org Wed Jan 3 09:51:50 2007
From: wk at gnupg.org (Werner Koch)
Date: Wed, 03 Jan 2007 09:51:50 +0100
Subject: signatures using S-Trust smart card
In-Reply-To: <1167764636.4372.54.camel@luna> (Ullrich Martini's message of "Tue\, 02 Jan 2007 20\:03\:56 +0100")
References: <1167764636.4372.54.camel@luna>
Message-ID: <87irfopk61.fsf@wheatstone.g10code.de>

On Tue, 2 Jan 2007 20:03, mailbox at ullrich.martini.name said:

> I am trying to perform a digital signature with a S-Trust (card issuer
> behind some german banks, "Sparkassen") signature card. This is a

Well, S-Trust, one of the qualified CAs who managed to work around the digital signature law and still be able to create legally binding digital signatures. Argh.

> the german ZKA specification which is an evolved version of the "DIN
> signature card", which finally should be supported by gpgsm through
> dinsig.c

Basically it works. But: Quite some time ago I received a test card and tried to make it work. The problem at that time was that there was no way to get the root certificate for this test card. I had some mail exchange with S-Trust and they sent me an NDA to sign. This NDA had terms which would have prohibited me from doing any work on qualified signatures for any other issuer. Obviously I didn't sign it. This was before S-Trust went into production. I still hesitate to do any development with real cards as there is the chance that I might accidentally sign a document.
All other CAs issue test cards under reasonable terms - only S-Trust does
not. Thus I see no way to support/test them.

> Now I'm at a loss. Of course, there is no secret key, because it is still
> on the card. Looks to me as if gpgsm is missing the fact that this key
> must be used through the card reader.

Add

  debug 2048
  debug 1024

to ~/.gnupg/scdaemon.conf and

  debug 1024

to ~/.gnupg/gpg-agent.conf as well as an appropriate log file[1] and
restart gpg-agent[2]

> I work for the smart card vendor Giesecke & Devrient and would be
> willing to contribute with respect to APDUs and smart card file systems.
> However, it looks to me as if the problem in question here is not
> located on APDU level but somewhere around gnupg-agent itself or my
> faulty usage of gpgsm.

Possible. You may contact me privately for debugging purposes.

> Does gpgsm know about class 3 readers? There are two certificates on my

2.0.1 has support for SPR532 and KAAN Advanced. It is currently limited to
the OpenPGP card. Adding support for other card applications is not too
hard, however the specs are not always that clear and there is the risk of
burning a card. I also have a Cherry keyboard with reader here, but there
is a problem with it as the Cherry echoes asterisks to the USB keyboard
device and I need to find a way to disable this. Adding support for the
Rainer should be easy, however such a device is not in my collection of
readers.

Salam-Shalom,

   Werner

[1] For logging it is best to add

  log-file socket:///home/foo/.gnupg/S.log

to scdaemon.conf and gpg-agent.conf. Then use

  watchgnupg --force ~/.gnupg/S.log | tee mylog

in another xterm to watch the debug output.

[2] To avoid restarting, I use

  gpg-agent --daemon /bin/sh

to get a shell with the gpg-agent environment set up properly. You may then
use gpgsm in this shell. Prefixing the above line with GNUPGHOME=/wherever
is also useful if you want to use a certain debug environment (e.g. other
config files).
Make sure that no other scdaemon is running as scdaemon needs exclusive
access to the reader.

Using

  gpg-connect-agent --hex --verbose

is useful for direct interaction with the agent/scdaemon.

From gct3 at blueyonder.co.uk Wed Jan 3 10:15:35 2007
From: gct3 at blueyonder.co.uk (Graham)
Date: Wed, 3 Jan 2007 09:15:35 +0000
Subject: [gnupg-users] Re: Still Bad Signatures - KGPG seems broken
In-Reply-To: <200701030007.38475.bob@rsmits.ca>
References: <200612311121.12703.bob@rsmits.ca> <459AA04C.1000909@dougbarton.us> <200701021955.56769.cpollock@earthlink.net> <200701030007.38475.bob@rsmits.ca>
Message-ID: <20070103091535.66a03dd8@rocker>

On Wed, 3 Jan 2007 00:07:24 -0800
Robert Smits wrote:

[snipped]

> I've submitted it as a bug to the kde group.
>
> Bob.

I get the following message using Claws-Mail:

  Key 0x33ACF71B not available to verify this signature.

Do you have it on a keyserver or webpage that I could get it from?

--
Graham

From mailbox at ullrich.martini.name Thu Jan 4 11:43:30 2007
From: mailbox at ullrich.martini.name (Ullrich Martini)
Date: Thu, 04 Jan 2007 11:43:30 +0100
Subject: signatures using S-Trust smart card
In-Reply-To: <87irfopk61.fsf@wheatstone.g10code.de>
References: <1167764636.4372.54.camel@luna> <87irfopk61.fsf@wheatstone.g10code.de>
Message-ID: <1167907410.4366.18.camel@luna>

> > the German ZKA specification which is an evolved version of the "DIN
> > signature card", which finally should be supported by gpgsm through
> > dinsig.c
>
> Basically it works. But: Quite some time ago I received a test card
> and tried to make it work. The problem at that time was that there
> was no way to get the root certificate for this test card. I had some
> mail exchange with S-Trust and they sent me an NDA to sign.
> This NDA had terms which would have inhibited me from doing any work on
> qualified signatures for any other issuer. Obviously I didn't sign it.
> This was before S-Trust went into production.

I got the root certificate from their web site and an intermediate
certificate by email. It seems that they changed their policy there.
However, one has to sign a pretty strange agreement to get the ZKA spec.

> I still hesitate to do any development with real cards as there is the
> chance that I might accidentally sign a document.

I would be willing to take this risk. Furthermore, it seems that the key in
question is the non-qualified one so it's not a legal signature anyway.

> All other CAs issue test cards under reasonable terms - only S-Trust
> does not. Thus I see no way to support/test them.
>
> > Now I'm at a loss. Of course, there is no secret key, because it is still
> > on the card. Looks to me as if gpgsm is missing the fact that this key
> > must be used through the card reader.
>
> Add
>
>   debug 2048
>   debug 1024
>
> to ~/.gnupg/scdaemon.conf and
>
>   debug 1024
>
> to ~/.gnupg/gpg-agent.conf as well as an appropriate log file[1] and
> restart gpg-agent[2]

This is what happens there:

  [client at fd 7 connected]
  7 - 2007-01-04 10:58:57 gpg-agent[4575.0] DBG: -> OK Pleased to meet you
  7 - 2007-01-04 10:58:57 gpg-agent[4575.0] DBG: <- RESET
  7 - 2007-01-04 10:58:57 gpg-agent[4575.0] DBG: -> OK
  7 - 2007-01-04 10:58:57 gpg-agent[4575.0] DBG: <- OPTION display=:0.0
  7 - 2007-01-04 10:58:57 gpg-agent[4575.0] DBG: -> OK
  7 - 2007-01-04 10:58:57 gpg-agent[4575.0] DBG: <- OPTION ttyname=/dev/pts/0
  7 - 2007-01-04 10:58:57 gpg-agent[4575.0] DBG: -> OK
  7 - 2007-01-04 10:58:57 gpg-agent[4575.0] DBG: <- OPTION ttytype=xterm
  7 - 2007-01-04 10:58:57 gpg-agent[4575.0] DBG: -> OK
  7 - 2007-01-04 10:58:57 gpg-agent[4575.0] DBG: <- OPTION lc-ctype=de_DE@euro
  7 - 2007-01-04 10:58:57 gpg-agent[4575.0] DBG: -> OK
  7 - 2007-01-04 10:58:57 gpg-agent[4575.0] DBG: <- OPTION lc-messages=de_DE@euro
  7 - 2007-01-04 10:58:57 gpg-agent[4575.0] DBG: -> OK
  7 - 2007-01-04 10:58:57 gpg-agent[4575.0] DBG: <- HAVEKEY 864314699D78AB3F134A009BDD3FF4F7F2F86779
  7 - 2007-01-04 10:58:57 gpg-agent[4575.0] DBG: -> ERR 67108881 Kein geheimer Schlüssel
  7 - 2007-01-04 10:58:57 gpg-agent[4575.0] DBG: <- [EOF]
  [client at fd 7 disconnected]

The correct fingerprint of the key to be used is

  3D:21:BC:85:ED:A7:4D:98:F1:AC:5A:71:F4:26:77:1A:15:0F:47:BD

I do not know how the value 864314... is calculated. It seems that there is
no communication with scdaemon.

best regards,

Ullrich

From kara.ml at arcor.de Thu Jan 4 11:59:12 2007
From: kara.ml at arcor.de (Kai Raven)
Date: Thu, 04 Jan 2007 11:59:12 +0100
Subject: Error with keyring
Message-ID: <459CDE00.4080909@arcor.de>

Hi,

today I got error messages I've never seen before:

  gpg: packet(1) with unknown version 8
  gpg: keyring_get_keyblock: read error: invalid packet
  gpg: keydb_get_keyblock failed: invalid keyring

and haven't found anything about them on the web. Key operations aren't
possible any longer (complete --list-keys, delete a key, encrypt with
Enigmail and Thunderbird...)

GnuPG version: 1.4.6 under Windows XP

Is the whole keyring corrupted or can I do something? Because I have backups
of my keys, it's not a problem to use new keyrings ;)

--
Ciao
Kai

Homepage: http://hp.kairaven.de/
Weblog: http://blog.kairaven.de/

From srydzews at gmail.com Thu Jan 4 21:39:31 2007
From: srydzews at gmail.com (Stan Rydzewski)
Date: Thu, 4 Jan 2007 15:39:31 -0500
Subject: Rephrasing the question
Message-ID:

Hello. I am part of a team creating a communications process by which
hospitals would submit files periodically to a government organization in
the United States.
We were contemplating using GPG as part of this process. A few days ago,
one of the hospitals involved stated "The VA requires that all encryption
MUST be FIPS140-2 compliant. Do you know if this program is?"

Well not only do I not know, I'm not entirely sure how to tell.

I asked about this yesterday, but somewhat sketchily. Allow me to elaborate
a bit.

On the one hand it appears to me that GPG implements algorithms listed here:

  http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf

as regards encryption, hashing, and authentication. But on the other hand
GPG itself does not seem to be listed here:

  http://csrc.nist.gov/cryptval/140-1/1401val2003.htm#329

I'm not sure whether it even makes sense to think that it /could/ be on
that list.

I know this is all very basic stuff but I'm looking for a little guidance
here. In searching the archives (yes, got that part) I can find only a few
oblique references to FIPS.

--Stan Rydzewski

From rjh at sixdemonbag.org Thu Jan 4 21:51:16 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 04 Jan 2007 15:51:16 -0500
Subject: Rephrasing the question
In-Reply-To:
References:
Message-ID: <459D68C4.7070703@sixdemonbag.org>

This may not be a useful answer, but it will be an accurate one. :(

> "The VA requires that all encryption MUST be FIPS140-2 compliant. Do
> you know if this program is?"

This question cannot be answered. What does it mean to be 'compliant'?

The speaker might be asking whether it implements algorithms specified in
FIPS 140-2 (in which case, yes, it does implement many of them). The
speaker might be asking whether GnuPG has passed a formal NIST-approved
certification process, in which case to my knowledge it hasn't.

Once you can figure out from the speaker precisely what they mean by 'FIPS
140-2 compliant', then we can give you a concrete response. But for right
now, I'm afraid I'm drawing a blank. Maybe someone else can cast some more
light on it.
From mk at fsfe.org Fri Jan 5 11:06:58 2007
From: mk at fsfe.org (Matthias Kirschner)
Date: Fri, 5 Jan 2007 11:06:58 +0100
Subject: Donations (was: Re: Christmas is upon us again.)
In-Reply-To: <4575ED80.4040905@sixdemonbag.org>
References: <4575ED80.4040905@sixdemonbag.org>
Message-ID: <20070105100657.GI2591@mbwg.de>

Dear Robert,

long time since you wrote this, but I did not have time to reply earlier.

* Robert J. Hansen [2006-12-05 16:06:56 -0600]:

[...]

> This year, I'm grateful that we have a Free Software implementation of
> the OpenPGP protocol. I'm also grateful that the development process is
> fairly open and I'm grateful that, by and large, the people in the
> community are friendly.
>
> This year, I'm giving $10 to the Free Software Foundation
> (http://www.fsf.org) in the name of the GNU Privacy Guard, as my way of
> telling the developers "thanks".

First of all, I would like to thank you for your e-mail. I think it is very
important that we pay money for Free Software. (There is a good article in
German on http://www.linux-magazin.de/Artikel/ausgabe/2002/06/geld/geld.html
about this topic.)

But considering your motivation ("grateful [... to] have a Free Software
implementation of the OpenPGP protocol.") you donated your money to the
"wrong" address. IMHO you should have donated to GnuPG directly, give it to
Werner as one of the main developers or to g10code (http://www.g10code.de/).

IMO you should have another motivation to donate to the FSFs. The Free
Software Foundations are working to secure the legal, political and social
future of Free Software. That is important for all Free Software projects
and companies. So if this work is important for you, you should support the
FSFs. There are different options for this:

In the US:
- if you want to have the focus on the US you should donate to the FSF in
  Boston (https://www.fsf.org/associate/support_freedom?)
- or become an associated member (also on
  https://www.fsf.org/associate/support_freedom?).
In Europe:
- if you want to have a European focus you should donate to FSFE
  (http://www.fsfeurope.org/help/donate.html)
- or become a Fellow of FSFE (http://www.fsfe.org/en/about)

In Latin America:
- if you want to focus on Latin America you should donate to FSFLA
  (http://www.fsfla.org/)

In India:
- and the same for India (http://fsf.org.in/).

With best wishes,
Matze

--
Join the Fellowship and protect your freedom! (http://www.fsfe.org)

From wk at gnupg.org Fri Jan 5 12:26:37 2007
From: wk at gnupg.org (Werner Koch)
Date: Fri, 05 Jan 2007 12:26:37 +0100
Subject: Rephrasing the question
In-Reply-To: <459D68C4.7070703@sixdemonbag.org> (Robert J. Hansen's message of "Thu\, 04 Jan 2007 15\:51\:16 -0500")
References: <459D68C4.7070703@sixdemonbag.org>
Message-ID: <878xghpvde.fsf@wheatstone.g10code.de>

On Thu, 4 Jan 2007 21:51, rjh at sixdemonbag.org said:

> in FIPS 140-2 (in which case, yes, it does implement many of them). The
> speaker might be asking whether GnuPG has passed a formal NIST-approved
> certification process, in which case to my knowledge it hasn't.

To my knowledge, no FIPS140-2 (or CC) evaluation for GnuPG has been done.
Though I know a little bit of CC evaluation, I don't know the rules for
such an evaluation to Security Level 1 of FIPS140-2. In general such
evaluations are pretty expensive as a lot of woodware has to be produced.

Shalom-Salam,

   Werner

From rjh at sixdemonbag.org Fri Jan 5 14:17:26 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 05 Jan 2007 08:17:26 -0500
Subject: Donations
In-Reply-To: <20070105100657.GI2591@mbwg.de>
References: <4575ED80.4040905@sixdemonbag.org> <20070105100657.GI2591@mbwg.de>
Message-ID: <459E4FE6.1090608@sixdemonbag.org>

Matthias Kirschner wrote:
> But considering your motivation ("grateful [... to] have a Free Software
> implementation of the OpenPGP protocol.") you donated your money to the
> "wrong" address. IMHO you should have donated to GnuPG directly, give it
> to Werner as one of the main developers or to g10code

I think you should rethink your advocacy. Telling someone who's just made a
charitable donation "... well, you really should've sent it somewhere
else!" is churlish and rude.

However, that said:

Christmas is a time for donating to charities, not businesses. Making
charitable contributions to g10 Code makes about as much sense to me as
donating to DaimlerChrysler. The FSF, on the other hand, is a charitable
organization and it makes as much sense to donate to them as it does to,
say, Oxfam or the World Wildlife Fund.

I suspect essentially everyone in the GnuPG community understands my
position, and feels that contributing to the FSF is an excellent way to
show my gratitude for the work of the GnuPG developers and maintainers.

If I'm wrong, I invite people to say so, so that I may be corrected. If I'm
right, I invite people to say so, so that you may be corrected.
From jmoore3rd at bellsouth.net Fri Jan 5 14:29:46 2007
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Fri, 05 Jan 2007 08:29:46 -0500
Subject: Donations
In-Reply-To: <459E4FE6.1090608@sixdemonbag.org>
References: <4575ED80.4040905@sixdemonbag.org> <20070105100657.GI2591@mbwg.de> <459E4FE6.1090608@sixdemonbag.org>
Message-ID: <459E52CA.5060602@bellsouth.net>

Robert J. Hansen wrote:

> If I'm wrong, I invite people to say so, so that I may be corrected. If
> I'm right, I invite people to say so, so that you may be corrected.

I believe I understood your motivation in advocating Donations to FSF
clearly. Having a Friend at FSFE I can assure You (& everyone) that it is
appreciated.

That said; as a shareholder I would be very pleased if You also sent a
sizable donation to Daimler-Chrysler.
:-D

JOHN ;)
Timestamp: Friday 05 Jan 2007, 08:29 --500 (Eastern Standard Time)

From wk at gnupg.org Fri Jan 5 14:58:26 2007
From: wk at gnupg.org (Werner Koch)
Date: Fri, 05 Jan 2007 14:58:26 +0100
Subject: Donations
In-Reply-To: <20070105100657.GI2591@mbwg.de> (Matthias Kirschner's message of "Fri\, 5 Jan 2007 11\:06\:58 +0100")
References: <4575ED80.4040905@sixdemonbag.org> <20070105100657.GI2591@mbwg.de>
Message-ID: <871wm9o9rx.fsf@wheatstone.g10code.de>

On Fri, 5 Jan 2007 11:06, mk at fsfe.org said:

> But considering your motivation ("grateful [... to] have a Free Software
> implementation of the OpenPGP protocol.") you donated your money to the
> "wrong" address. IMHO you should have donated to GnuPG directly, give it

The problem donating it to the GnuPG project is that there is no way we
can use the money. How should we divide it up and by what rules? Shall we
start to measure contributions by the number of source code lines or
questions answered on the various lists? I see no way for that.

Regarding my company, we prefer to get commercial requests for support,
enhancements or other services instead of Christmas donations.
Shalom-Salam,

   Werner

From blueness at gmx.net Fri Jan 5 18:38:42 2007
From: blueness at gmx.net (Mica Mijatovic)
Date: Fri, 5 Jan 2007 18:38:42 +0100
Subject: Donations
In-Reply-To: <871wm9o9rx.fsf@wheatstone.g10code.de>
References: <4575ED80.4040905@sixdemonbag.org> <20070105100657.GI2591@mbwg.de> <871wm9o9rx.fsf@wheatstone.g10code.de>
Message-ID: <48781126.20070105183842@gmx.net>

Was Fri, 05 Jan 2007, at 14:58:26 +0100, when Werner Koch wrote:

> On Fri, 5 Jan 2007 11:06, mk at fsfe.org said:
>> But considering your motivation ("grateful [... to] have a Free Software
>> implementation of the OpenPGP protocol.") you donated your money to the
>> "wrong" address. IMHO you should have donated to GnuPG directly, give it

> The problem donating it to the GnuPG project is that there is no way
> we can use the money. How should we divide it up and by what rules?
> Shall we start to measure contributions by the number of source code
> lines or questions answered on the various lists? I see no way for
> that.

People who don't know what to do with (donated) money? Appoint me your
treasurer and with a small provision the problem is solved. (:

--
Mica
~~~
For personal mail please use my address as it is *exactly* given in my
"From" field, otherwise it will not reach me.
~~~
GPG keys/docs/software at:
http://blueness.port5.com/pgpkeys/
http://tronogi.tripod.com/pgp/pgpkeys/

Yes, this kid is a bit slow, but with respect to what the party it was, I
am happy that he doesn't bark.
(Hammer von Troll)

From blueness at gmx.net Fri Jan 5 18:50:42 2007
From: blueness at gmx.net (Mica Mijatovic)
Date: Fri, 5 Jan 2007 18:50:42 +0100
Subject: Donations, FSF as a charitable organization and merry minds of whizdom
In-Reply-To: <459E4FE6.1090608@sixdemonbag.org>
References: <4575ED80.4040905@sixdemonbag.org> <20070105100657.GI2591@mbwg.de> <459E4FE6.1090608@sixdemonbag.org>
Message-ID: <15010414889.20070105185042@gmx.net>

Was Fri, 05 Jan 2007, at 08:17:26 -0500, when Robert J. Hansen wrote:

> Matthias Kirschner wrote:
>> But considering your motivation ("grateful [... to] have a Free
>> Software implementation of the OpenPGP protocol.") you donated your
>> money to the "wrong" address. IMHO you should have donated to GnuPG
>> directly, give it to Werner as one of the main developers or to
>> g10code

> I think you should rethink your advocacy. Telling someone who's just
> made a charitable donation "... well, you really should've sent it
> somewhere else!" is churlish and rude.

Hmmm... Axis of Rudeness. "Correct me but it is rude and churlish."[1]

> However, that said:

> Christmas is a time for donating to charities, not businesses. Making
> charitable contributions to g10 Code makes about as much sense to me
> as donating to DaimlerChrysler. The FSF, on the other hand, is a
> charitable organization and it makes as much sense to donate to them
> as it does to, say, Oxfam or the World Wildlife Fund.

The FSF is a charitable organization??[2] If I had kicked my bucket
yesterday I wouldn't know that today. (I just wonder what Stallman would
say on this...)
Now that made my evening and at the same time explained the Salvation Army
melodies, vocabulary and arrangement in announcing the ten bucks donation
at the time of Catholic Christmas. (-:

> I suspect essentially everyone in the GnuPG community understands my
> position, and feels that contributing to the FSF is an excellent way
> to show my gratitude for the work of the GnuPG developers and
> maintainers.

> If I'm wrong, I invite people to say so, so that I may be corrected. If
> I'm right, I invite people to say so, so that you may be corrected.

I don't know if they allow contributions lesser than or equal to ten bucks
to be...err...revoked.

Anyway, to the Orthodox Christians here, if any, merry the nearing
Christmas, and to the husbands, if any, Merry Wives of Theirs. With or
without a ten bucks. (:

____________________
[1] "Disarm yourself so I can attack you safely."
[2] I like it when a dry technical work is interluded by some slapstick
sketch.

--
Mica
~~~
For personal mail please use my address as it is *exactly* given in my
"From" field, otherwise it will not reach me.
~~~
GPG keys/docs/software at:
http://blueness.port5.com/pgpkeys/
http://tronogi.tripod.com/pgp/pgpkeys/

Life, then, is NOT a fool's vision into which you are obliged to immerse
yourself, living by the rules of someone else's self-induced nightmare and
cerebral defect.
(Hammer von Troll)

From linux at thorstenhau.de Fri Jan 5 21:15:00 2007
From: linux at thorstenhau.de (Thorsten Haude)
Date: Fri, 5 Jan 2007 21:15:00 +0100 (MET)
Subject: Donations
In-Reply-To: <871wm9o9rx.fsf@wheatstone.g10code.de>
References: <4575ED80.4040905@sixdemonbag.org> <20070105100657.GI2591@mbwg.de> <871wm9o9rx.fsf@wheatstone.g10code.de>
Message-ID: <20070105201144.GS2204@eumel.yoo.local>

Hi,

* Werner Koch wrote (2007-01-05 14:58):
>Shall we start to measure contributions by the number of source code
>lines [...]?

That;
would;
be;
a;
really;
good;
idea!;

Thorsten

--
War is God's Way to teach geography to Americans.

From highspeednodrag at comcast.net Sun Jan 7 05:21:20 2007
From: highspeednodrag at comcast.net (highspeednodrag)
Date: Sat, 06 Jan 2007 20:21:20 -0800
Subject: About FIPS
Message-ID: <45A07540.2020505@comcast.net>

Hi all,
I think there was a question earlier about FIPS.

"Does the program have a FIPS-140-2 validation?" was the question I
believe.

If the software/system is not on this list...
http://csrc.nist.gov/cryptval/140-1/1401val.htm
...then it's not FIPS validated. That's it. So... you can't use GPG in any
Federal market is the way I interpret this. At least in situations where
FIPS validation is required.

Any other perspectives on this? I would _like_ to see GPG on the FIPS
approval list.
hs

From robert.wyatt at mail.utexas.edu Sun Jan 7 16:52:55 2007
From: robert.wyatt at mail.utexas.edu (Robert T Wyatt)
Date: Sun, 07 Jan 2007 09:52:55 -0600
Subject: About FIPS
In-Reply-To: <45A07540.2020505@comcast.net>
References: <45A07540.2020505@comcast.net>
Message-ID: <45A11757.7000705@mail.utexas.edu>

highspeednodrag wrote:
> Hi all,
> I think there was a question earlier about FIPS.
>
>
> "Does the program have a FIPS-140-2 validation?" was the question I
> believe.
>
> If the software/system is not on this list...
> http://csrc.nist.gov/cryptval/140-1/1401val.htm
> ...then it's not FIPS validated. That's it. So... you can't use
> GPG in any Federal market is the way I interpret this. At least in
> situations where FIPS validation is required.
>
> Any other perspectives on this? I would _like_ to see GPG on the FIPS
> approval list.
>
> hs

I wonder why the enigmail plugin for SeaMonkey asks for my FIPS password
every time I open it then?

From benjamin at py-soft.co.uk Mon Jan 8 14:18:41 2007
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Mon, 08 Jan 2007 13:18:41 +0000
Subject: About FIPS
In-Reply-To: <45A07540.2020505@comcast.net>
References: <45A07540.2020505@comcast.net>
Message-ID: <45A244B1.1080905@py-soft.co.uk>

highspeednodrag wrote:
> Any other perspectives on this? I would _like_ to see GPG on the FIPS
> approval list.

I think it's unlikely due to the cost... Unless, I guess, you're willing to
fund it!
Ben

From jeandavid8 at verizon.net Mon Jan 8 14:47:48 2007
From: jeandavid8 at verizon.net (Jean-David Beyer)
Date: Mon, 08 Jan 2007 08:47:48 -0500
Subject: Donations
In-Reply-To: <20070105201144.GS2204@eumel.yoo.local>
References: <4575ED80.4040905@sixdemonbag.org> <20070105100657.GI2591@mbwg.de> <871wm9o9rx.fsf@wheatstone.g10code.de> <20070105201144.GS2204@eumel.yoo.local>
Message-ID: <45A24B84.9080409@verizon.net>

Thorsten Haude wrote:
> Hi,
>
> * Werner Koch wrote (2007-01-05 14:58):
>> Shall we start to measure contributions by the number of source code
>> lines [...]?
>
> That;
> would;
> be;
> a;
> really;
> good;
> idea!;
>
I can see you are making a point, one with which I agree.

People will conform with whatever measuring system is in place. If you get
paid in lines of code, they will generate a lot of lines of code, even if a
better program can be written with fewer. If they get paid inversely by
memory requirements, they will write small programs. If they get paid by
fast programs, they will probably write fast ones. It would be more
difficult to pay people by reliability of programs, clearness and
simplicity of documentation, etc., but those might be worthwhile criteria.

All of which reminds me I forgot to send my contribution to FSF last year.

--
  .~.  Jean-David Beyer          Registered Linux User 85642.
  /V\  PGP-Key: 9A2FC99A         Registered Machine  241939.
 /( )\ Shrewsbury, New Jersey    http://counter.li.org
 ^^-^^ 08:40:01 up 79 days, 11:13, 3 users, load average: 4.21, 4.13, 4.04

From jharris at widomaker.com Mon Jan 8 22:44:13 2007
From: jharris at widomaker.com (Jason Harris)
Date: Mon, 8 Jan 2007 16:44:13 -0500
Subject: new (2007-01-07) keyanalyze results (+sigcheck)
Message-ID: <20070108214410.GA3033@wilma.widomaker.com>

New keyanalyze results are available at:

  http://keyserver.kjsl.com/~jharris/ka/2007-01-07/

Signatures are now being checked using keyanalyze+sigcheck:

  http://dtype.org/~aaronl/

Earlier reports are also available, for comparison:

  http://keyserver.kjsl.com/~jharris/ka/

Even earlier monthly reports are at:

  http://dtype.org/keyanalyze/

SHA-1 hashes and sizes for all the "permanent" files:

--
Jason Harris           |  NIC:  JH329, PGP:  This _is_ PGP-signed, isn't it?
jharris at widomaker.com _|_ web:  http://keyserver.kjsl.com/~jharris/
          Got photons?   (TM), (C) 2004

From spsebastian at gmail.com Tue Jan 9 03:22:41 2007
From: spsebastian at gmail.com (piukeman)
Date: Mon, 8 Jan 2007 18:22:41 -0800 (PST)
Subject: New in GPG KEY Problem
Message-ID: <8230903.post@talk.nabble.com>

I have a little problem. My question is: can I recover a private key, or
delete it from the server? I have the PASSPHRASE and I still have the email
account and I have the public key too. The problem is I formatted my HD and
I lost the KEYRING; I did not back up the keyrings, so now I am in this
problem. What can I do? What's more, I sent the key to a server, so I am
available online, but I cannot sign with that key. Again, what can I do......

I will appreciate a bit of help.

Thanks a lot

Piukeman

From rjh at sixdemonbag.org Tue Jan 9 17:29:37 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 09 Jan 2007 11:29:37 -0500
Subject: New in GPG KEY Problem
In-Reply-To: <8230903.post@talk.nabble.com>
References: <8230903.post@talk.nabble.com>
Message-ID: <45A3C2F1.90002@sixdemonbag.org>

piukeman wrote:
> My question is can I recover a private key, or delete it from the server.

If you lose your private key, there is no way to recover it.

If you already created a revocation certificate or appointed a designated
revoker, then you can revoke the key which is on the server. Otherwise,
you're out of luck.

From lenny at aps.org Wed Jan 10 04:45:06 2007
From: lenny at aps.org (Lenny Marks)
Date: Tue, 9 Jan 2007 22:45:06 -0500
Subject: --lock-never key corruption with encryption only?
Message-ID: <806D3E79-38BB-46E4-8A45-7F0898596E17@aps.org>

I'm attempting to use gpg to encrypt account information entered via a web
application which will then be emailed to an external site (a single
destination). Just to verify my understanding (and please correct me if I'm
wrong), in a normal usage scenario, I would use the public key of my email
recipient to encrypt the messages. To ensure that the public key being used
hasn't been compromised, I would sign it using my private key. This way if
someone was to alter the public key, gpg would detect that the signatures
don't match during the encryption process and complain.

Now to complicate things, my webapp isn't dedicated to me. It's an Apache
server that runs as www:www or something like that. So I can't access the
webserver user directly. I was thinking that I would use my own account to
sign the key and use the --homedir option to point at my .gnupg directory.
I wanted to make that directory group owned by the webserver group (www)
and make it group read-only. I was concerned about giving group write
access because anyone/process in the webserver group would be able to
compromise the keys.

> gpg --homedir=/Users/lenny/.gnupg --output test.pgp --encrypt --recipient myrecipient at somewhere.com $HOME/x.txt
gpg: WARNING: unsafe ownership on homedir `/Users/lenny/.gnupg'
gpg: failed to create temporary file `/Users/lenny/.gnupg/.#lk0x5008f0.lennylt.20080': Permission denied
gpg: fatal: can't create lock for `/Users/lenny/.gnupg/trustdb.gpg'
secmem usage: 1408/1408 bytes in 2/2 blocks of pool 1408/32768

Now I've been able to get it to work by using the following:

> gpg --homedir=/Users/lenny/.gnupg --output test.pgp --encrypt --no-random-seed-file --lock-never --recipient myrecipient at somewhere.com $HOME/x.txt

--no-random-seed-file as far as I can tell only impacts performance
(encryption performance?) which I can live with. It won't work without the
--lock-never, but I was concerned about using that.
The documentation states:

Disable locking entirely. This option should be used only in very special environments, where it can be assured that only one process is accessing those files. A bootable floppy with a stand-alone encryption system will probably use this. Improper usage of this option may lead to data and key corruption.

It seems that all I need is to read the keys, so do I still need to be concerned about key corruption even if multiple processes may be accessing the files?

Thanks,
-lenny

Lenny Marks
Senior Software Engineer
American Physical Society
lenny at aps.org

From gouellette at sirioslp.com Wed Jan 10 19:53:10 2007
From: gouellette at sirioslp.com (* Ouellette, George)
Date: Wed, 10 Jan 2007 13:53:10 -0500
Subject: wildcard use in GnuPG
Message-ID: <46C0E954EB12DF48A7BABA1A5F1C40320AA652@scmmail.sirioslp.com>

All,

I am trying to use a wildcard, but the option doesn't seem to be allowed. I want to decrypt a whole folder of files daily, but the file names will change daily. I want to just do something like:

gpg -d -o c:\ftpdropfolder\*.pgp c:\savefolder\

I have tried with and without quotation marks, but it seems GnuPG doesn't support wildcards. Thoughts on solutions? I am trying to automate, so unattended decryption is what I am after. I saw batch decrypt, but it requires individual file names. I am using GnuPG v1.4.6

George

From gouellette at sirioslp.com Wed Jan 10 19:53:31 2007
From: gouellette at sirioslp.com (* Ouellette, George)
Date: Wed, 10 Jan 2007 13:53:31 -0500
Subject: wildcard use in GnuPG
Message-ID: <46C0E954EB12DF48A7BABA1A5F1C40320AA653@scmmail.sirioslp.com>

All,

I am trying to use a wildcard, but the option doesn't seem to be allowed. I want to decrypt a whole folder of files daily, but the file names will change daily. I want to just do something like:

gpg -d -o c:\ftpdropfolder\*.pgp c:\savefolder\

I have tried with and without quotation marks, but it seems GnuPG doesn't support wildcards. Thoughts on solutions?
I am trying to automate, so unattended decryption is what I am after. I saw batch decrypt, but it requires individual file names. I am using GnuPG v1.4.6

George

From eleuteri at myrealbox.com Thu Jan 11 00:41:28 2007
From: eleuteri at myrealbox.com (David Picón Álvarez)
Date: Thu, 11 Jan 2007 00:41:28 +0100
Subject: wildcard use in GnuPG
References: <46C0E954EB12DF48A7BABA1A5F1C40320AA653@scmmail.sirioslp.com>
Message-ID: <004b01c73510$d9721630$0602a8c0@enterprise>

> I am trying to use a wildcard, but the option doesn't seem to be
> allowed. I want to decrypt a whole folder of files daily, but the file
> names will change daily. I want to just do something like:

gpg is used to a real shell, which expands wildcards. Fortunately you can partly correct this problem at least.

> gpg -d -o c:\ftpdropfolder\*.pgp c:\savefolder\

Try something like:

for %i in (*.pgp) do gpg --decrypt "%i"

then perfect the syntax you need.

HTH,
--David.

From capsthorne at yahoo.co.uk Fri Jan 12 12:15:53 2007
From: capsthorne at yahoo.co.uk (Geoff)
Date: Fri, 12 Jan 2007 11:15:53 +0000
Subject: Newbie - compiling gnupg-1.4.6 and GpgSM
Message-ID: <20070112111553.b6157315.capsthorne@yahoo.co.uk>

Hello,

I am trying to update, extend (and actually begin to use), the gpg on this rather old Slackware box (9.1).

gnupg-2.0.1 needs some libraries. That is fine, but one of them is libpthread. (I have /lib/libpthread-0.10.so, but no pth-config and I can't persuade .configure to find / use my 0.10.) As I understand it, libpthread is part of libc, and I do not feel competent to disturb my installed libc by upgrading libpthread.

So, I fall back on gnupg-1.4.6, which compiles and installs nicely.

Then I try to install gpgme-1.0.3. It wants GpgSM version min. 1.9.6. As I understand it (I have googled and searched the archive of this list), GpgSM is now part of gnupg-2.0.1, which I can't have for the reason given above.
I have tried to find sources for GpgSM by following the links in old posts on this list to Project Ägypten - but if the sources for GpgSM were ever available there, I can't find them now.

Is there somewhere I can find GpgSM sources for my gnupg-1.4.6 / gpgme-1.0.3 please?

Any other advice?

Thanks,

Geoff

From capsthorne at yahoo.co.uk Fri Jan 12 15:46:00 2007
From: capsthorne at yahoo.co.uk (Geoff)
Date: Fri, 12 Jan 2007 14:46:00 +0000
Subject: Newbie - compiling gnupg-1.4.6 and GpgSM
In-Reply-To: <45A7958D.3070602@riseup.net>
References: <20070112111553.b6157315.capsthorne@yahoo.co.uk> <45A7958D.3070602@riseup.net>
Message-ID: <20070112144600.dcb5ce3c.capsthorne@yahoo.co.uk>

On Fri, 12 Jan 2007 12:05:01 -0200 Luis wrote:

> AFAIK you can just compile and install GNU Pth, no need
> to update Slackware's glibc.

Hi Luis,

Thank you for your quick and helpful response. After I wrote to the list I experimented by compiling libpthread and installing into a safe place in my home directory. I put pth-config temporarily into /bin and I was able to compile gnupg-2.0. I have not installed it yet though. I will do that later this evening. I thought that it would probably be safe to run gnupg-2.0.1 against that "safe" libpthread, but it is obviously better and simpler if I can install it system-wide as you seem to have done.

> Actually, I have created SlackBuilds for GnuPG 2.x and
> all its dependencies, including libpth. I only tested
> these scripts under Slackware 11.0, but you could give
> them a try under Slackware 9.1.
>
> You can find them at:
>
> http://slack.sarava.org/slackbuilds/dev/libs/libpth/
> http://slack.sarava.org/slackbuilds/dev/libs/libgpg-error/
> http://slack.sarava.org/slackbuilds/dev/libs/libassuan/
> http://slack.sarava.org/slackbuilds/dev/libs/libgcrypt/
> http://slack.sarava.org/slackbuilds/dev/libs/libksba/
> http://slack.sarava.org/slackbuilds/app/crypt/gnupg2/
>
> Create and install the packages following the order above
> and you shouldn't have any problems regarding
> dependencies. Also, these scripts should take care of
> downloading the sources (and their signatures), if
> necessary.

Thank you very much for that. As I have said, I have built everything now anyway, and so I probably won't need the builds you have helpfully contributed, but if my own builds don't work, I will certainly try them. I will let you know how I get on.

Regards,

Geoff

From luis at riseup.net Fri Jan 12 15:05:01 2007
From: luis at riseup.net (Luis)
Date: Fri, 12 Jan 2007 12:05:01 -0200
Subject: Newbie - compiling gnupg-1.4.6 and GpgSM
In-Reply-To: <20070112111553.b6157315.capsthorne@yahoo.co.uk>
References: <20070112111553.b6157315.capsthorne@yahoo.co.uk>
Message-ID: <45A7958D.3070602@riseup.net>

Hi Geoff,

Quoting Geoff:
> Hello,
>
> I am trying to update, extend (and actually begin to use),
> the gpg on this rather old Slackware box (9.1).
>
> gnupg-2.0.1 needs some libraries. That is fine, but one of
> them is libpthread. (I have /lib/libpthread-0.10.so, but no
> pth-config and I can't persuade .configure to find / use
> my 0.10.) As I understand it, libpthread is part of libc,
> and I do not feel competent to disturb my installed libc by
> upgrading libpthread.
>

AFAIK you can just compile and install GNU Pth, no need to update Slackware's glibc.
Actually, I have created SlackBuilds for GnuPG 2.x and all its dependencies, including libpth. I only tested these scripts under Slackware 11.0, but you could give them a try under Slackware 9.1.

You can find them at:

http://slack.sarava.org/slackbuilds/dev/libs/libpth/
http://slack.sarava.org/slackbuilds/dev/libs/libgpg-error/
http://slack.sarava.org/slackbuilds/dev/libs/libassuan/
http://slack.sarava.org/slackbuilds/dev/libs/libgcrypt/
http://slack.sarava.org/slackbuilds/dev/libs/libksba/
http://slack.sarava.org/slackbuilds/app/crypt/gnupg2/

Create and install the packages following the order above and you shouldn't have any problems regarding dependencies. Also, these scripts should take care of downloading the sources (and their signatures), if necessary.

Let me know if/how it works out.

Bye.

> So, I fall back on gnupg-1.4.6, which compiles and installs
> nicely.
>
> Then I try to install gpgme-1.0.3. It wants GpgSM version
> min. 1.9.6. As I understand it (I have googled and searched
> the archive of this list), GpgSM is now part of
> gnupg-2.0.1, which I can't have for the reason given above.
>
> I have tried to find sources for GpgSM by following the
> links in old posts on this list to Project Ägypten - but if
> the sources for GpgSM were ever available there, I can't
> find them now.
>
> Is there somewhere I can find GpgSM sources for my
> gnupg-1.4.6 / gpgme-1.0.3 please?
>
> Any other advice?
>
> Thanks,
>
> Geoff

--
Luis
OpenPGP key: 0xA53D8214 | keyserver.noreply.org
From wk at gnupg.org Sun Jan 14 13:34:15 2007
From: wk at gnupg.org (Werner Koch)
Date: Sun, 14 Jan 2007 13:34:15 +0100
Subject: Newbie - compiling gnupg-1.4.6 and GpgSM
In-Reply-To: <20070112111553.b6157315.capsthorne@yahoo.co.uk> (capsthorne@yahoo.co.uk's message of "Fri\, 12 Jan 2007 11\:15\:53 +0000")
References: <20070112111553.b6157315.capsthorne@yahoo.co.uk>
Message-ID: <8764b9lrco.fsf@wheatstone.g10code.de>

On Fri, 12 Jan 2007 12:15, capsthorne at yahoo.co.uk said:

> gnupg-2.0.1 needs some libraries. That is fine, but one of
> them is libpthread. (I have /lib/libpthread-0.10.so, but no

No, GnuPG does not require libpthread. However some distros seem to distribute a libpthread which is actually the pthread emulation of Pth. GnuPG is based on the native Pth API and it is not possible to use pthread instead. Even worse, recent Pth versions made soft syscall mapping the default and this conflicts with GnuPG as it assumes the old API.

The SVN version does now explicitly request no mapping which solves the problem.

> links in old posts on this list to Project Ägypten - but if
> the sources for GpgSM were ever available there, I can't
> find them now.

ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.9.x

Salam-Shalom,

Werner

From capsthorne at yahoo.co.uk Sun Jan 14 15:30:48 2007
From: capsthorne at yahoo.co.uk (Geoff)
Date: Sun, 14 Jan 2007 14:30:48 +0000
Subject: Newbie - compiling gnupg-1.4.6 and GpgSM
In-Reply-To: <8764b9lrco.fsf@wheatstone.g10code.de>
References: <20070112111553.b6157315.capsthorne@yahoo.co.uk> <8764b9lrco.fsf@wheatstone.g10code.de>
Message-ID: <20070114143048.3b33818a.capsthorne@yahoo.co.uk>

On Sun, 14 Jan 2007 13:34:15 +0100 Werner Koch wrote:

> On Fri, 12 Jan 2007 12:15, capsthorne at yahoo.co.uk said:
>
> > gnupg-2.0.1 needs some libraries.
> > That is fine, but one
> > of them is libpthread. (I
> > have /lib/libpthread-0.10.so, but no
>
> No, GnuPG does not require libpthread. However some
> distros seem to distribute a libpthread which is actually
> the pthread emulation of Pth. GnuPG is based on the
> native Pth API and it is not possible to use pthread
> instead. Even worse, recent Pth versions made soft
> syscall mapping the default and this conflicts with GnuPG
> as it assumes the old API.
>
> The SVN version does now explicitly request no mapping
> which solves the problem.

Thank you Werner. I was, of course, confused - not for the first time :). I had assumed that anything involving "pth" and threads must be libpthread. I did not appreciate that there was a difference until I looked at the sonames of the gnu-pth libraries I had compiled and realised that they differed from the libpthread ones.

Everything appears to be working. The only problem I have had is that I installed Florian Sievers' gnu-crypt, whose configure script identified my gpgme as unthreaded, even though gpgme had found pth and seemed to produce all the necessary libraries. He tells me that he is going to use the unthreaded gpgme by default in future.

Whilst I am talking to a developer: (a) The link to gpgme at http://www.gnupg.org/(en)/download/index.html appears to be outdated. It points to version 1.0.3. (b) It would also be nice if there was a link to pinentry on the download page. It is not listed on freshmeat and I had to hunt around to find it.

> > links in old posts on this list to Project Ägypten -
> > but if the sources for GpgSM were ever available there,
> > I can't find them now.
>
> ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.9.x

I thought GpgSM might be in there, but I was worried about the security advisory on the gnupg homepage and decided that I would only install packages from 1.4.6 or 2.0.1.

Thanks again for responding .. I live and learn.
Regards,

Geoff

From caccolangrifata at gmail.com Mon Jan 15 14:53:43 2007
From: caccolangrifata at gmail.com (Emanuele)
Date: Mon, 15 Jan 2007 14:53:43 +0100
Subject: can't connect to .gnome2/seahorse-sJsP3M/S.gpg-agent
Message-ID: <1168869223.5166.13.camel@clown>

What is it? When I encrypt a message (for me to test) and then decrypt it, gpg tells me

can't connect to .gnome2/seahorse-sJsP3M/S.gpg-agent

but the message is decrypted. What's happened?

From sven at radde.name Tue Jan 9 17:52:19 2007
From: sven at radde.name (Sven Radde)
Date: Tue, 09 Jan 2007 17:52:19 +0100
Subject: New in GPG KEY Problem
In-Reply-To: <8230903.post@talk.nabble.com>
References: <8230903.post@talk.nabble.com>
Message-ID: <45A3C843.6090406@radde.name>

Hi!

If you have *completely lost* the private key, you are screwed. Only the public key is stored on keyservers and obviously, one cannot recover the private key from that. Without access to the private key, you cannot even designate the public key on the keyserver as invalid (everyone could make such a request).

I assume that you did not create a revocation certificate (or at least, that you formatted it along with the private key).

The passphrase does not help you at all, as it is only used to encrypt the file containing the private key on your local harddisk. Without the file, the passphrase is useless.

Take it as a lesson to make backups of important things from now on ;-/ GnuPG keyrings are very small and can easily go on USB drives, floppy disks, your mobile phone or whatever. You could even *print* them on paper.

By the way, it would be cool to have GnuPG generate a special text output format for the purpose of hardcopy-archiving. It could include additional redundancy / parity information that makes recovering from typing / OCR errors easier.
The ASCII output apparently already has some CRC information embedded, but I am not sure whether that is able to give more information beyond "incorrect data". Something like line-checksums to get "error in line xy" would be nice.

I realize that this is a rare use-case, though, so don't take this request too seriously ;-)

cu, Sven

From info at webinfo.de Tue Jan 16 14:58:52 2007
From: info at webinfo.de (Björn Mayer)
Date: Tue, 16 Jan 2007 14:58:52 +0100 (MET)
Subject: signing and verifying data without the need of files
Message-ID:

Hi,

I would like to sign text without first having to create a file where I have to write the text into.
--> Is it possible to hand the text directly from the standard input?

As well I would like to obtain the signature without having to open the created ".asc" file.
--> Is it possible to redirect the file output to the standard output?

Of course, the same questions do occur concerning verification!

Currently, I'm writing a Java API for a project of mine and would like to speed up the performance by avoiding slow file operations...

Best regards,
Björn

From jmoore3rd at bellsouth.net Tue Jan 16 16:49:35 2007
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Tue, 16 Jan 2007 10:49:35 -0500
Subject: signing and verifying data without the need of files
In-Reply-To:
References:
Message-ID: <45ACF40F.7040202@bellsouth.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Björn Mayer wrote:
> I would like to sign text without first having to create a file where I
> have to write the text into.
> --> is it possible to hand the text directly from the standard input?
>
> As well I would like to obtain the signature without having to open the
> created ".asc" file.
> --> is it possible to redirect the file output to the standard output?
>
> Of course, the same questions do occur concerning verification!
> Currently, I'm writing a Java API for a project of mine and would like to
> speed up the performance
> by avoiding slow file operations...

You may wish to look into GPGee. The nifty little utility will add appropriate entries to your Rt. Click Context Menu.

JOHN ;)
Timestamp: Tuesday 16 Jan 2007, 10:49 --500 (Eastern Standard Time)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7-svn4402: (MingW32)
Comment: Public Key at: http://tinyurl.com/8cpho
Comment: Gossamer Spider Web of Trust: http://www.gswot.org
Comment: My Homepage: http://tinyurl.com/yzhbhx

iQEcBAEBCgAGBQJFrPQKAAoJEBCGy9eAtCsPvlEH/AjMiaZ3OXOHkqwut7iOYCt5
UlE6eYxfw7aTXQzH9xM5bNu22hlNTl18d3wwicWVy/0/o8s6hpDR5wnAVVN0yYgu
IP+Y0XDXjkW74Q8joe3es+QumH0ieyXxIFvysxJCkM2YqG/EHgDKrZbN4ek/toaP
oqZrHw6Zdz6NpiwePl6b9QjLEzVUk4NjWwhM2DhFE9DANWvixVuOtZbt0zunTvpV
DHltqpjNJ7rzciWYSnZbdI0N4zbAafayvv7aPkAQ//rX+tBeUja61xzN8tbsyXTb
25uitx5wEana4Q3BzaqEBUKMKV89SBEZ1eyKcpD6x9qAil4UScYNNvl3cTdKRqQ=
=r4TO
-----END PGP SIGNATURE-----

From info at webinfo.de Tue Jan 16 17:01:08 2007
From: info at webinfo.de (Björn Mayer)
Date: Tue, 16 Jan 2007 17:01:08 +0100 (MET)
Subject: signing and verifying data without the need of files
In-Reply-To: <45ACF40F.7040202@bellsouth.net>
References: <45ACF40F.7040202@bellsouth.net>
Message-ID:

Hi John,

thanks for your reply!! The problem is that this tool is written in C and is using the GPGME library. I want to write a method for my JavaGPG class and thus would like to know how this can be done just by using a shell. The reason is that my Java API simulates shell commands and retrieves the results via redirecting the standard output into particular file descriptors. From here, I can access the results in Java.
But anyway, thanks for your reply; indeed it is a pretty nifty utility ;-)

Björn

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Björn Mayer wrote:
>
>> I would like to sign text without first having to create a file where
>> I
>> have to write the text into.
>> --> is it possible to hand the text directly from the standard input?
>>
>> As well I would like to obtain the signature without having to open
>> the
>> created ".asc" file.
>> --> is it possible to redirect the file output to the standard output?
>>
>> Of course, the same questions do occur concerning verification!
>> Currently, I'm writing a Java API for a project of mine and would
>> like to
>> speed up the performance
>> by avoiding slow file operations...
>
> You may wish to look into GPGee. The nifty little utility will add
> appropriate entries to your Rt. Click Context Menu.
>
> JOHN ;)
> Timestamp: Tuesday 16 Jan 2007, 10:49 --500 (Eastern Standard Time)
From info at webinfo.de Tue Jan 16 19:03:56 2007
From: info at webinfo.de (Björn Mayer)
Date: Tue, 16 Jan 2007 19:03:56 +0100 (MET)
Subject: signing and verifying data without the need of files
In-Reply-To: <45AD088D.4040602@radde.name>
References: <45ACF40F.7040202@bellsouth.net> <45AD088D.4040602@radde.name>
Message-ID:

Hi Sven,

damn it, I actually didn't know that a Java library accessing GnuPG does exist! Thanks a lot for this hint!

I continued trying to make it work with the --clearsign and --textmode command, but I seem to be too stupid! Do you already have some experience? The command generating a signature for the string "hello" would be more than great!!!

Cu,
Björn

> Hi Björn!
>
> Björn Mayer wrote:
>> want to write a method for my JavaGPG class
>
> If you don't know it yet, you may want to have a look at
> www.bouncycastle.org. This could save you a lot of your programming time.
>
> Regarding your question, cleartext-signatures are probably what you
> want. These can be fed completely via standard I/O.
> I am not aware that this would be possible with detached signatures.
>
> cu, Sven

From wk at gnupg.org Tue Jan 16 19:58:19 2007
From: wk at gnupg.org (Werner Koch)
Date: Tue, 16 Jan 2007 19:58:19 +0100
Subject: signing and verifying data without the need of files
In-Reply-To: (Björn Mayer's message of "Tue\, 16 Jan 2007 17\:01\:08 +0100 \(MET\)")
References: <45ACF40F.7040202@bellsouth.net>
Message-ID: <87vej6ajec.fsf@wheatstone.g10code.de>

On Tue, 16 Jan 2007 17:01, info at webinfo.de said:

> thanks for your reply!! The problem is, that this tool is written in C and
> is using the GPGME library.
> I want to write a method for my JavaGPG class

A Java binding for GPGME exists: ftp://ftp.gnupg.org/gcrypt/alpha/gnupgjava/

Salam-Shalom,

Werner

From SeidlS at schneider.com Thu Jan 18 17:59:06 2007
From: SeidlS at schneider.com (SeidlS at schneider.com)
Date: Thu, 18 Jan 2007 10:59:06 -0600
Subject: Upgrade from 1.0.4 to 1.4.6
Message-ID:

Can anyone help with an upgrade from 1.0.4 to 1.4.6 on AIX? We have installed the new version, but are running into issues with the keys on the existing key rings. We are getting errors where gpg questions whether the keys actually belong to the person named in the user ID. We have run the --rebuild-keydb-caches, but are still getting that error. Can anyone provide some input on what we need to do to fix this issue?

CBCibmdev04:/export/home/itjobs$ home/itjobs/.gnupg -ear XXXXXXXXX < testfile *
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: XXXXXXXXX: There is no assurance this key belongs to the named user

pub  1024g/XXXXXXXXX 2003-02-06 EDI (EDI Test Key)
 Primary key fingerprint: AAF9 C611 633D FAA0 845A C03F C1D0 10E8 79CD 3074
      Subkey fingerprint: 54E4 614C 5CE1 CF8F 45D1 6250 7428 0BD7 7EF1 B88A

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N)

Thanks
Scott Seidl
Electronic Communication Services
seidls at schneider.com
Tel) 920-592-2163

From rjh at sixdemonbag.org Thu Jan 18 18:41:10 2007
From: rjh at sixdemonbag.org (Robert J.
Hansen)
Date: Thu, 18 Jan 2007 11:41:10 -0600
Subject: Upgrade from 1.0.4 to 1.4.6
In-Reply-To:
References:
Message-ID: <45AFB136.2070108@sixdemonbag.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

SeidlS at schneider.com wrote:
> existing key rings. We are getting errors where gpg questions whether
> the keys actually belong to the person named in the user ID. We have run
> the --rebuild-keydb-caches, but are still getting that error. Can anyone
> provide some input on what we need to do to fix this issue?

If you want to do a brute-force-and-ignorance approach, you can add

"trust-model always"

... to the end of ~/.gnupg/gpg.conf. Please do this only if you have confidence in all the keys on your keyring.

Also, if memory serves GnuPG changed the way it handled options between 1.0.4 and 1.4.6. Configuration options are now stored in ~/.gnupg/gpg.conf, not wherever they were stored before. It might be worth checking to see if your gpg.conf file exists, and if so, what's in it.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEcBAEBCAAGBQJFr7E1AAoJELcA9IL+r4EJ3Z0H/3Y7YbF9vDbr9qW2ozEmfpvJ
Df+29LebpIWSQUQbJT2ymY95P+iifs6r4lLITRfQ/7Zg5cVadBpt4dxT8bZdF+ff
ayd/jGxpFHV0SV02gwDUCyVk4LS7wSFeTNzfjT6WTba9Zap/+5GZR7te0yzlvPmg
MCms166hzmlahIkGRK/7v+IkSViOHSDB43HEDDrlnTtMy5IVH4FrXyhscVNBmRy5
rCPNFnyZvY5kbFKlj+Irk7xMB88Adoyghd5UbRTCzYQoH93R2eK6hGhHrvyYJvPH
m+/TuPt6bh3OUwlthZgmEhx++08ppW0GAEURvbwzmatplXuqI15pRCwoBsx4yD0=
=ptkz
-----END PGP SIGNATURE-----

From martin at linux-ip.net Thu Jan 18 18:44:42 2007
From: martin at linux-ip.net (Martin A. Brown)
Date: Thu, 18 Jan 2007 11:44:42 -0600
Subject: Upgrade from 1.0.4 to 1.4.6
In-Reply-To:
References:
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings Scott,

: Can anyone help with an upgrade from 1.0.4 to 1.4.6 on AIX. We
: have installed the new version, but are running into issue with
: the keys on the existing key rings.
: We are getting errors where
: gpg questions whether the keys actually belong to the person
: named in the user ID. We have run the --rebuild-keydb-caches,
: but are still getting that error. Can anyone provide some input
: on what we need to do to fix this issue?

It has been several years since I performed the update from the 1.0.4 series to the 1.2.X series (or was it 1.0.6?), but I recall encountering a problem very similar to yours when moving keys from the 1.0.4 series. I believe that you'll want to make sure you have trusted the key ultimately.

shell$ gpg --edit-key "$KEYID"
Command> trust
Command> 5     # -- for ultimate trust of the identified key
Command> y     # yes, you want to ultimately trust this key
shell$ gpg --update-trustdb   # -- not strictly required

Then try using the key again.

Good luck,

- -Martin

- --
Martin A. Brown
http://linux-ip.net/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: pgf-0.72 (http://linux-ip.net/sw/pine-gpg-filter/)

iD8DBQFFr7IOHEoZD1iZ+YcRAmVsAJ4viY2bvRIfyH5MMNo+iHwGM1FUNgCfbwT8
PJwLX/vIBrejji820OYL6M0=
=6dz+
-----END PGP SIGNATURE-----

From dshaw at jabberwocky.com Thu Jan 18 19:01:42 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 18 Jan 2007 13:01:42 -0500
Subject: Upgrade from 1.0.4 to 1.4.6
In-Reply-To:
References:
Message-ID: <20070118180142.GA28550@jabberwocky.com>

On Thu, Jan 18, 2007 at 10:59:06AM -0600, SeidlS at schneider.com wrote:
>
> Can anyone help with an upgrade from 1.0.4 to 1.4.6 on AIX. We have
> installed the new version, but are running into issue with the keys on the
> existing key rings. We are getting errors where gpg questions whether
> the keys actually belong to the person named in the user ID. We have run
> the --rebuild-keydb-caches, but are still getting that error. Can anyone
> provide some input on what we need to do to fix this issue?

GPG needs you to tell it which keys are ultimately trusted (i.e. your own keys).
Do "gpg --edit (thekey)", enter "trust", and set the trust to "ultimate". Repeat for each of your keys.

There is a script ("convert-from-106") that comes in the tools directory of the GPG distribution that automates all this. Just run that and it will do all the work for you.

David

From calestyo at scientia.net Fri Jan 19 13:10:25 2007
From: calestyo at scientia.net (Christoph Anton Mitterer)
Date: Fri, 19 Jan 2007 13:10:25 +0100
Subject: signatures using S-Trust smart card
In-Reply-To: <1167907410.4366.18.camel@luna>
References: <1167764636.4372.54.camel@luna> <87irfopk61.fsf@wheatstone.g10code.de> <1167907410.4366.18.camel@luna>
Message-ID: <45B0B531.7030406@scientia.net>

Hi.

Have there been any advancements in using these cards? (I'm currently considering buying one.)

Ullrich Martini wrote:
> I got the root certificate from their web site and an intermediate
> certificate by email. It seems that they changed their policy there.
> However, one has to sign a pretty strange agreement to get the ZKA spec.

What kind of agreement was that?

> it seems that the key
> in question is the non-qualified one so it's not a legal signature
> anyway.

Do you mean that these are not "real" certificates according to SigG?

Best wishes,
Chris.
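For the "Upgrade from 1.0.4 to 1.4.6" thread above, this added example (not GnuPG project code, and not the convert-from-106 script David mentions) does the same job as Martin's interactive --edit-key / trust / 5 session without a terminal: it writes ownertrust records in the format that `gpg --export-ownertrust` emits and `gpg --import-ownertrust` reads (one `FINGERPRINT:LEVEL:` line each, level 6 meaning ultimate) and pipes them into gpg. Unlike Robert's `trust-model always`, which switches the validity check off for every key on the ring, this marks only the keys you name. The fingerprint is the primary key fingerprint from Scott's gpg output; the gpg path, the homedir and the injectable `run` hook are assumptions made for this example.

```python
"""Non-interactive ownertrust assignment for a migrated GnuPG keyring.

Added example, not GnuPG project code. It feeds `gpg --import-ownertrust`
records on stdin; the record format is the one `gpg --export-ownertrust`
prints. The gpg path and `run` hook are assumptions of this example.
"""
import re
import subprocess
from typing import Callable, Iterable, List, Optional, Tuple

# Trust values as written by --export-ownertrust / read by --import-ownertrust.
OWNERTRUST = {"undefined": 2, "never": 3, "marginal": 4, "full": 5, "ultimate": 6}


def normalize_fingerprint(fpr: str) -> str:
    """Remove spaces and an optional 0x prefix and insist on a 40-hex-digit v4 fingerprint.

    Using the full fingerprint rather than a short key ID avoids the short-ID
    collision problem discussed earlier in this archive.
    """
    compact = fpr.replace(" ", "").upper()
    if compact.startswith("0X"):
        compact = compact[2:]
    if not re.fullmatch(r"[0-9A-F]{40}", compact):
        raise ValueError(f"not a 40-hex-digit v4 fingerprint: {fpr!r}")
    return compact


def ownertrust_record(fpr: str, level: str) -> str:
    """One ownertrust line, e.g. 'AAF9...3074:6:' for ultimate trust."""
    return f"{normalize_fingerprint(fpr)}:{OWNERTRUST[level]}:"


def ownertrust_file(entries: Iterable[Tuple[str, str]]) -> str:
    """Whole ownertrust input for (fingerprint, level) pairs, newline-terminated."""
    return "".join(ownertrust_record(fpr, level) + "\n" for fpr, level in entries)


def import_ownertrust(entries: Iterable[Tuple[str, str]], gpg: str = "gpg",
                      homedir: Optional[str] = None,
                      run: Callable = subprocess.run) -> int:
    """Pipe the records into `gpg --import-ownertrust` and return gpg's exit status.

    `run` defaults to subprocess.run and is injectable so the command line can
    be checked without a gpg binary present.
    """
    cmd: List[str] = [gpg, "--batch"]
    if homedir:
        cmd += ["--homedir", homedir]
    cmd += ["--import-ownertrust"]
    result = run(cmd, input=ownertrust_file(entries).encode("ascii"), check=False)
    return result.returncode


if __name__ == "__main__":
    # Primary key fingerprint quoted from Scott's gpg output above.
    scott_fpr = "AAF9 C611 633D FAA0 845A C03F C1D0 10E8 79CD 3074"
    print(ownertrust_file([(scott_fpr, "ultimate")]), end="")
    # import_ownertrust([(scott_fpr, "ultimate")]) would apply it to the default homedir.
```

Run `gpg --check-trustdb` afterwards (or let gpg do it on its next use) and the "There is no assurance this key belongs to the named user" prompt disappears for keys signed by, or identical to, the ones you marked, while remaining for everything else.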
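For the "signing and verifying data without the need of files" thread earlier in this archive, here is an added example (neither GnuPG nor JavaGPG code) of the approach Sven and Werner point to: when gpg reads the text from standard input, it writes the clear-signed result to standard output, so a wrapper that captures a child process's output never touches a file. The block also parses the clearsign armor back into the signed text and the signature block, undoing the dash-escaping of RFC 4880 section 7, which is what Björn's Java side has to do with the captured output. The gpg path, the injectable `run` hook and the sample message are assumptions of this example.

```python
"""Clear-sign and verify text via gpg's stdin/stdout, and parse the result.

Added example; not GnuPG or JavaGPG code. `gpg --clearsign` with no file
argument reads the text from stdin and writes the armored result to stdout;
`gpg --verify` with no file argument reads the signed message from stdin.
The gpg path and the `run` hook are assumptions of this example.
"""
import subprocess
from typing import Callable, List, Tuple

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def clearsign_cmd(gpg: str = "gpg") -> List[str]:
    """gpg invocation that signs stdin and emits the clearsign armor on stdout."""
    return [gpg, "--batch", "--armor", "--clearsign"]


def verify_cmd(gpg: str = "gpg") -> List[str]:
    """gpg invocation that verifies a clear-signed message read from stdin."""
    return [gpg, "--batch", "--verify"]


def clearsign_text(text: str, gpg: str = "gpg", run: Callable = subprocess.run) -> str:
    """Return the clear-signed form of `text`; raises CalledProcessError if gpg fails."""
    result = run(clearsign_cmd(gpg), input=text.encode("utf-8"),
                 capture_output=True, check=True)
    return result.stdout.decode("utf-8")


def verify_clearsigned(message: str, gpg: str = "gpg", run: Callable = subprocess.run) -> bool:
    """True only when gpg exits 0, i.e. reports a good signature for the message."""
    result = run(verify_cmd(gpg), input=message.encode("utf-8"),
                 capture_output=True, check=False)
    return result.returncode == 0


def split_clearsigned(message: str) -> Tuple[str, str]:
    """Recover (signed_text, signature_armor) from a clear-signed message.

    Layout per RFC 4880 section 7: the BEGIN PGP SIGNED MESSAGE line, one or
    more "Hash:" headers, a blank line, the text, then the signature armor.
    Text lines that began with a dash were dash-escaped with the prefix "- "
    when signed; that prefix is stripped again here.
    """
    lines = message.splitlines()
    try:
        start = lines.index(BEGIN_SIGNED)
        sig_start = lines.index(BEGIN_SIG, start)
        sig_end = lines.index(END_SIG, sig_start)
    except ValueError as exc:
        raise ValueError("not a clear-signed message") from exc
    # Skip the header lines up to and including the first blank line.
    body_start = start + 1
    while body_start < sig_start and lines[body_start] != "":
        body_start += 1
    body_start += 1
    text_lines = [ln[2:] if ln.startswith("- ") else ln for ln in lines[body_start:sig_start]]
    signature = "\n".join(lines[sig_start:sig_end + 1]) + "\n"
    return "\n".join(text_lines) + "\n", signature


if __name__ == "__main__":
    # Needs a gpg with a default secret key; signs the string Björn asked about.
    signed = clearsign_text("hello\n")
    print(signed)
    print("verified:", verify_clearsigned(signed))
    text, sig = split_clearsigned(signed)
    print("recovered text:", repr(text))
```

The verification result must come from gpg's exit status (or its --status-fd output), never from the presence of a signature block: `split_clearsigned` only separates the parts, it does not check the signature.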
From newsgroups at thomas-huehn.de Fri Jan 19 17:42:13 2007
From: newsgroups at thomas-huehn.de (Thomas Hühn)
Date: Fri, 19 Jan 2007 17:42:13 +0100
Subject: signatures using S-Trust smart card
References: <1167764636.4372.54.camel@luna> <87irfopk61.fsf@wheatstone.g10code.de> <1167907410.4366.18.camel@luna> <45B0B531.7030406__44711.3304086544$1169224483$gmane$org@scientia.net>
Message-ID: <87ac0fvuhm.fsf@mid.thomas-huehn.de>

Christoph Anton Mitterer writes:

>> it seems that the key
>> in question is the non-qualified one so it's not a legal signature
>> anyway.
>>
> Do you mean that these are not "real" certificates according to SigG?

The S-Trust card contains two certificates: one for "qualifizierte Signaturen" and one for "fortgeschrittene Signaturen". I suppose that's what he is talking about.

Thomas

From wk at gnupg.org Fri Jan 19 19:03:51 2007
From: wk at gnupg.org (Werner Koch)
Date: Fri, 19 Jan 2007 19:03:51 +0100
Subject: signatures using S-Trust smart card
In-Reply-To: <45B0B531.7030406@scientia.net> (Christoph Anton Mitterer's message of "Fri\, 19 Jan 2007 13\:10\:25 +0100")
References: <1167764636.4372.54.camel@luna> <87irfopk61.fsf@wheatstone.g10code.de> <1167907410.4366.18.camel@luna> <45B0B531.7030406@scientia.net>
Message-ID: <87d55a7v20.fsf@wheatstone.g10code.de>

On Fri, 19 Jan 2007 13:10, calestyo at scientia.net said:

> Have there been any advancements in using these cards? (I'm currently
> consider to buy one.)

Sorry, I had yet no time to look into it. It is still on my short list.
Shalom-Salam,

Werner

From kara.ml at arcor.de Sat Jan 20 12:38:04 2007
From: kara.ml at arcor.de (Kai Raven)
Date: Sat, 20 Jan 2007 12:38:04 +0100
Subject: sig-keyserver-url
Message-ID: <45B1FF1C.8060209@arcor.de>

Hi,

can I use all types of strings for the sig-keyserver-url option:

sig-keyserver-url x-hkp://minsky.surfnet.nl:11371
sig-keyserver-url http://minsky.surfnet.nl:11371/pks/lookup?op=get&search=0x%S
sig-keyserver-url http://hp.kairaven.de/files/kraven.asc

or only one of them?

--
Ciao
Kai

Homepage: http://hp.kairaven.de/
Weblog: http://blog.kairaven.de/

From rizwaan at gmail.com Sat Jan 20 14:39:16 2007
From: rizwaan at gmail.com (Rizwan Khan)
Date: Sat, 20 Jan 2007 18:39:16 +0500
Subject: C/C++ program to protect file
Message-ID: <3e92d58b0701200539n3d9206f8wf29a2c2f95255b12@mail.gmail.com>

Hello

I need a C/C++ program that should be able to enable a password on any readable text file, and when the user tries to open that file it should first ask for the password and then open that file. I would appreciate it if someone could give me this kind of program; I badly need this.

Thanks
--
Muhammad Rizwan Khan

From dshaw at jabberwocky.com Sat Jan 20 17:03:22 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat, 20 Jan 2007 11:03:22 -0500
Subject: sig-keyserver-url
In-Reply-To: <45B1FF1C.8060209@arcor.de>
References: <45B1FF1C.8060209@arcor.de>
Message-ID: <20070120160321.GB2297@jabberwocky.com>

On Sat, Jan 20, 2007 at 12:38:04PM +0100, Kai Raven wrote:
> Hi,
>
> can I use all types of strings for the sig-keyserver-url option:
>
> sig-keyserver-url x-hkp://minsky.surfnet.nl:11371

This will work fine, as will "hkp://minsky.surfnet.nl".

> sig-keyserver-url http://hp.kairaven.de/files/kraven.asc

This will work fine as well.

> sig-keyserver-url http://minsky.surfnet.nl:11371/pks/lookup?op=get&search=0x%S

This one wouldn't. 0x%S isn't a key ID, but if you put a key ID there, it'll work fine too.
Basically it works this way when you have automatic key retrieval turned on: if the sig-keyserver-url is a keyserver (i.e. not a full HTTP path), then GPG will do the right thing and try to fetch the key in question (i.e. the one that issued the signature). If it's a full HTTP path, GPG will retrieve it directly.

David

From kara.ml at arcor.de Sat Jan 20 18:14:47 2007
From: kara.ml at arcor.de (Kai Raven)
Date: Sat, 20 Jan 2007 18:14:47 +0100
Subject: sig-keyserver-url
In-Reply-To: <20070120160321.GB2297@jabberwocky.com>
References: <45B1FF1C.8060209@arcor.de> <20070120160321.GB2297@jabberwocky.com>
Message-ID: <45B24E07.8070407@arcor.de>

Hi David,

thanks for your information - all questions cleared :)

-- 
Ciao
Kai

Homepage: http://hp.kairaven.de/
Weblog: http://blog.kairaven.de/

From ml at mareichelt.de Sat Jan 20 18:20:44 2007
From: ml at mareichelt.de (markus reichelt)
Date: Sat, 20 Jan 2007 18:20:44 +0100
Subject: C/C++ program to protect file
In-Reply-To: <3e92d58b0701200539n3d9206f8wf29a2c2f95255b12@mail.gmail.com>
References: <3e92d58b0701200539n3d9206f8wf29a2c2f95255b12@mail.gmail.com>
Message-ID: <20070120172044.GC31028@tatooine.rebelbase.local>

* Rizwan Khan wrote:

> I need a C/C++ program that should be able to enable a password on
> any readable text file, and when the user tries to open that file it
> should first ask for the password and then open that file. I would
> appreciate it if someone could give me this kind of program; I badly
> need this.

wild guess: http://www.lassekolb.info/bfacs.htm

-- 
left blank, right bald
From alon.barlev at gmail.com Sun Jan 21 21:40:40 2007
From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Sun, 21 Jan 2007 22:40:40 +0200
Subject: [HELP NEEDED] GnuPG-1.4 IDEA migration to GnuPG-2.0
Message-ID: <9e0cf0bf0701211240k7f6becc8i7b727499acc11448@mail.gmail.com>

Hello,

Can anyone help some of our (Gentoo) users solve a migration issue they have?
http://bugs.gentoo.org/show_bug.cgi?id=159870

The users used the IDEA algorithm in GnuPG-1.4, and are unable to use their keys in GnuPG-2.0. libgcrypt was patched to enable the IDEA algorithm.

Any help will be appreciated.

Best Regards,
Alon Bar-Lev.

From schneecrash+gnupg-users at gmail.com Sun Jan 21 23:14:18 2007
From: schneecrash+gnupg-users at gmail.com (snowcrash+gnupg-users)
Date: Sun, 21 Jan 2007 14:14:18 -0800
Subject: installed pinentry not found by gpg-agent/gpg2
Message-ID: <70f41ba20701211414t46513a69h8f7ae0c54fcd2016@mail.gmail.com>

i've built/installed,

    % glibtool --version
    ltmain.sh (GNU libtool 1.2361 2007/01/21 16:15:36) 2.1a
    % pinentry --version
    pinentry-qt (pinentry) 0.7.3-cvs
    % gpg --version
    gpg (GnuPG) 2.0.2-svn4407

on osx 10.4.8.

testing as follows,

    % touch temp.txt
    % ls
    temp.txt
    % gpg -r snowcrash at mydomain.com -e temp.txt
    % ls
    temp.txt temp.txt.gpg
    % gpg -o blah.txt -d temp.txt.gpg

    You need a passphrase to unlock the secret key for
    user: "Snowcrash (Snowcrash) "
    1024-bit ELG key, ID 034BEA3D, created 2003-08-16 (main key ID A2C3EBC6)

    gpg: problem with the agent: No pinentry
    gpg: Invalid passphrase; please try again ...

    You need a passphrase to unlock the secret key for
    user: "Snowcrash (Snowcrash) "
    1024-bit ELG key, ID 034BEA3D, created 2003-08-16 (main key ID A2C3EBC6)

    gpg: problem with the agent: No pinentry
    gpg: Invalid passphrase; please try again ...
    You need a passphrase to unlock the secret key for
    user: "Snowcrash (Snowcrash) "
    1024-bit ELG key, ID 034BEA3D, created 2003-08-16 (main key ID A2C3EBC6)

    gpg: problem with the agent: No pinentry
    gpg: encrypted with 1024-bit ELG key, ID 034BEA3D, created 2003-08-16
          "Snowcrash (Snowcrash) "
    gpg: public key decryption failed: Bad passphrase
    gpg: decryption failed: No secret key
    %

i'm not sure what to do about the "no pinentry", as it's 'there',

    % ls -al `which pinentry`
    lrwxr-xr-x 1 root admin 11 2007-01-21 11:29 /usr/local/bin/pinentry -> pinentry-qt
    % ls -al `which pinentry-qt`
    -rwxr-xr-x 1 root admin 2245584 2007-01-21 11:29 /usr/local/bin/pinentry-qt

in a standard path location.

suggestions?

thanks.

From jharris at widomaker.com Mon Jan 22 01:43:10 2007
From: jharris at widomaker.com (Jason Harris)
Date: Sun, 21 Jan 2007 19:43:10 -0500
Subject: new (2007-01-21) keyanalyze results (+sigcheck)
Message-ID: <20070122004310.GA29862@wilma.widomaker.com>

New keyanalyze results are available at:

  http://keyserver.kjsl.com/~jharris/ka/2007-01-21/

Signatures are now being checked using keyanalyze+sigcheck:

  http://dtype.org/~aaronl/

Earlier reports are also available, for comparison:

  http://keyserver.kjsl.com/~jharris/ka/

Even earlier monthly reports are at:

  http://dtype.org/keyanalyze/

SHA-1 hashes and sizes for all the "permanent" files:

25cfaaf3d123c576dbef0ff396cf310a615fee72 14377734 preprocess.keys
a84a8159d5e90b233974e766f65ada041beb4fb7 8431416 othersets.txt
35843748b06e84a72f096108806c8de5785df403 3465688 msd-sorted.txt
ee7513d6673185c48dd654a1e8e683b1f7c8788f 1450 index.html
318a4add2d7ea0cb87294a88f719dad2701b3455 2278 keyring_stats
cf89c12f33d6d90fcc04c9c4d62f609a9864e964 1362433 msd-sorted.txt.bz2
5c1b5ad1f270bf2a1404b5738d77293f7d7872b4 26 other.txt
0b3d5364ae7322b7baa48727ebb98730dba5ba26 1829329 othersets.txt.bz2
a4a6e181d858a76aa5f70104fab9c86a7da4f662 5837219 preprocess.keys.bz2
8fe856c19fb52d19f069ef5d3ac8e738a66eecdc 14632 status.txt
ef6388d942e5a4bd550270b995226b23e5cb15e8 194634 top1000table.html
c61d92b8f7f8361555d4c578270d37743cccf110 29764 top1000table.html.gz
811ff47a9cc566756426eac42d85d52668f8d851 9781 top50table.html
4e88e0c17120106099cd5845c58fc17b33018d7b 2549 D3/D39DA0E3

-- 
Jason Harris           |  NIC:  JH329, PGP:  This _is_ PGP-signed, isn't it?
jharris at widomaker.com _|_ web:  http://keyserver.kjsl.com/~jharris/
          Got photons?   (TM), (C) 2004

From wk at gnupg.org Mon Jan 22 08:16:38 2007
From: wk at gnupg.org (Werner Koch)
Date: Mon, 22 Jan 2007 08:16:38 +0100
Subject: installed pinentry not found by gpg-agent/gpg2
In-Reply-To: <70f41ba20701211414t46513a69h8f7ae0c54fcd2016@mail.gmail.com> (schneecrash+gnupg-users@gmail.com's message of "Sun, 21 Jan 2007 14:14:18 -0800")
References: <70f41ba20701211414t46513a69h8f7ae0c54fcd2016@mail.gmail.com>
Message-ID: <87hcuj350p.fsf@wheatstone.g10code.de>

On Sun, 21 Jan 2007 23:14, schneecrash+gnupg-users at gmail.com said:

> gpg: problem with the agent: No pinentry

Make sure that there is a symlink from pinentry-qt to /usr/bin/pinentry or put a

    pinentry-program /usr/bin/pinentry-qt

into ~/.gnupg/gpg-agent.conf and give gpg-agent a HUP.

Shalom-Salam,

   Werner

From schneecrash+gnupg-users at gmail.com Mon Jan 22 08:58:27 2007
From: schneecrash+gnupg-users at gmail.com (snowcrash+gnupg-users)
Date: Sun, 21 Jan 2007 23:58:27 -0800
Subject: installed pinentry not found by gpg-agent/gpg2
In-Reply-To: <87hcuj350p.fsf@wheatstone.g10code.de>
References: <70f41ba20701211414t46513a69h8f7ae0c54fcd2016@mail.gmail.com> <87hcuj350p.fsf@wheatstone.g10code.de>
Message-ID: <70f41ba20701212358y403de9dt83c96cae7fb35671@mail.gmail.com>

hi,

does it really need to be in /usr/bin?
as above, i've installed it purposefully in

    % ls -al `which pinentry-qt`
    -rwxr-xr-x 1 root admin 2245584 2007-01-21 11:29 /usr/local/bin/pinentry-qt

and, the symlink to it already exists,

    % ls -al `which pinentry`
    lrwxr-xr-x 1 root admin 11 2007-01-21 11:29 /usr/local/bin/pinentry -> pinentry-qt

and, i already have,

    % grep pinentry gpg-agent.conf
    pinentry-program /usr/local/bin/pinentry-qt

thanks.

From mikmorg at mdmsolutions.org Sat Jan 20 21:57:26 2007
From: mikmorg at mdmsolutions.org (Mikmorg)
Date: Sat, 20 Jan 2007 12:57:26 -0800 (PST)
Subject: Symmetric encypher with private key decypher
Message-ID: <8469208.post@talk.nabble.com>

I am looking for a way to use symmetric encryption on a day-to-day basis, using a key-file of some sort to decipher the file. I have decided that using my asymmetric private key in the following way was the best for this, using the following method:

    dd if=/dev/urandom bs=1024 count=1 | gpg -c --passphrase-fd=0 -e -r mikmorg "$1"

Is there a better way to do the above? By better, I mean standard / portable. This is just an idea I threw together, and hope it's the best. If anyone has any ideas for me, I would love to hear them.

Also, gpg wouldn't cut out part of the stdin key from dd (expecting text-only), if it encountered a \r, \n, or \0 character, would it? If that's true, I definitely need to find another method.

Thanks,
Mike Morgan
From patrick at mozilla-enigmail.org Mon Jan 22 10:46:16 2007
From: patrick at mozilla-enigmail.org (Patrick Brunschwig)
Date: Mon, 22 Jan 2007 10:46:16 +0100
Subject: installed pinentry not found by gpg-agent/gpg2
In-Reply-To: <70f41ba20701212358y403de9dt83c96cae7fb35671__18380.8062844493$1169452913$gmane$org@mail.gmail.com>
References: <70f41ba20701211414t46513a69h8f7ae0c54fcd2016@mail.gmail.com> <87hcuj350p.fsf@wheatstone.g10code.de> <70f41ba20701212358y403de9dt83c96cae7fb35671__18380.8062844493$1169452913$gmane$org@mail.gmail.com>
Message-ID: 

snowcrash+gnupg-users wrote:

> hi,
>
> does it really need to be in /usr/bin?
>
> as above, i've installed it purposefully in
>
> % ls -al `which pinentry-qt`
> -rwxr-xr-x 1 root admin 2245584 2007-01-21 11:29 /usr/local/bin/pinentry-qt
>
> and, the symlink to it already exists,
>
> % ls -al `which pinentry`
> lrwxr-xr-x 1 root admin 11 2007-01-21 11:29 /usr/local/bin/pinentry
> -> pinentry-qt
>
> and, i already have,
>
> % grep pinentry gpg-agent.conf
> pinentry-program /usr/local/bin/pinentry-qt

Does pinentry-qt work at all?
Try to start pinentry-qt from the command line, and if it starts, type the following lines at the prompt:

    SETDESC This is a test
    GETPIN

-Patrick

From dshaw at jabberwocky.com Mon Jan 22 13:50:16 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 22 Jan 2007 07:50:16 -0500
Subject: Symmetric encypher with private key decypher
In-Reply-To: <8469208.post@talk.nabble.com>
References: <8469208.post@talk.nabble.com>
Message-ID: <20070122125016.GE2297@jabberwocky.com>

On Sat, Jan 20, 2007 at 12:57:26PM -0800, Mikmorg wrote:

> I am looking for a way to use symmetric encryption on a day-to-day basis,
> using a key-file of some sort to decipher the file. I have decided that
> using my asymmetric private key in the following way was the best for this,
> using the following method:
>
> dd if=/dev/urandom bs=1024 count=1 | gpg -c --passphrase-fd=0 -e -r mikmorg
> "$1"
>
> Is there a better way to do the above? By better, I mean standard /
> portable. This is just an idea I threw together, and hope it's the best. If
> anyone has any ideas for me, I would love to hear them.

Given the above syntax, how would you decrypt? That is, how are you saving a local copy of the key for later?

> Also, gpg wouldn't cut out part of the stdin key from dd (expecting
> text-only), if it encountered a \r, \n, or \0 character, would it? If that's
> true, I definitely need to find another method.

It'll stop after \n.
You can pipe your random key through something that will escape the \n character if you like.

David

From schneecrash+gnupg-users at gmail.com Mon Jan 22 15:38:49 2007
From: schneecrash+gnupg-users at gmail.com (snowcrash+gnupg-users)
Date: Mon, 22 Jan 2007 06:38:49 -0800
Subject: installed pinentry not found by gpg-agent/gpg2
In-Reply-To: 
References: <70f41ba20701211414t46513a69h8f7ae0c54fcd2016@mail.gmail.com> <87hcuj350p.fsf@wheatstone.g10code.de> <70f41ba20701212358y403de9dt83c96cae7fb35671__18380.8062844493$1169452913$gmane$org@mail.gmail.com>
Message-ID: <70f41ba20701220638u75ea4094xecbce17f178c9ad7@mail.gmail.com>

hi,

> Does pinentry-qt work at all? Try to start pinentry-qt from the command
> line, and if it starts, type the following lines at the prompt:
>
> SETDESC This is a test
> GETPIN

here's what i see,

    % pinentry-qt
    OK Your orders please
    SETDESC This is a test
    GETPIN
    OK

From alphasigmax at gmail.com Tue Jan 23 05:25:27 2007
From: alphasigmax at gmail.com (Alphax)
Date: Tue, 23 Jan 2007 14:55:27 +1030
Subject: Symmetric encypher with private key decypher
In-Reply-To: <8469208.post@talk.nabble.com>
References: <8469208.post@talk.nabble.com>
Message-ID: <45B58E37.3010702@gmail.com>

Mikmorg wrote:

> I am looking for a way to use symmetric encryption on a day-to-day basis,
> using a key-file of some sort to decipher the file. I have decided that
> using my asymmetric private key in the following way was the best for this,
> using the following method:
>

I think I sort of get what you are trying to do here:

    random key -> encrypt data w/ random key
        |
        V
    encrypt key w/ public key

... which is actually what GPG does with bog-standard public key encryption! Or do you want something else?

-- 
Alphax
Death to all fanatics! Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g
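Two points from the symmetric-key thread above are easy to verify offline: David's remark that --passphrase-fd reads stop at the first \n (so a raw 1 KiB /dev/urandom key is almost always truncated), and his question of how the key is kept for decrypting later. The Python below is an added example, not GnuPG code or anything posted by the participants. It models the line-oriented read, computes how likely truncation is, and shows the newline-free alternative: hex-encoded CSPRNG bytes written to a 0600 key file. `gpg_symmetric_argv` only builds a command line and assumes gpg is on PATH when you run it; nothing here calls gpg. (As Alphax notes, plain public-key encryption already does the random-session-key step for you, so this is for the case where a symmetric key file is wanted on purpose.)

```python
"""Why raw random bytes make a bad --passphrase-fd input, and a
newline-free key file that survives the read intact. Added example."""
import os
import secrets
import tempfile
from typing import Dict, List


def passphrase_from_fd_bytes(data: bytes) -> bytes:
    """Model of the text-line read behind --passphrase-fd, as described in
    the thread: everything from the first newline onward is dropped."""
    nl = data.find(b"\n")
    return data if nl < 0 else data[:nl]


def raw_key_is_truncated(data: bytes) -> bool:
    """True when the line-oriented read would not see all of `data`."""
    return passphrase_from_fd_bytes(data) != data


def truncation_probability(n_bytes: int) -> float:
    """Chance that n uniformly random bytes contain at least one 0x0A.
    For dd's 1024 bytes this is about 0.982."""
    return 1.0 - (255 / 256) ** n_bytes


def make_key_material(n_bytes: int = 32) -> bytes:
    """Hex-encode CSPRNG bytes: printable ASCII with no newline, so the
    text reader sees all of it. 32 random bytes -> 64 hex chars (256 bits)."""
    return secrets.token_hex(n_bytes).encode("ascii")


def write_keyfile(path: str, n_bytes: int = 32) -> bytes:
    """Persist the key so the file can be decrypted later; the file is
    created 0600 and O_EXCL so an existing key is never overwritten."""
    key = make_key_material(n_bytes)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(key + b"\n")   # newline ends the line; it is not part of the passphrase
    return key


def gpg_symmetric_argv(target: str) -> List[str]:
    """argv for symmetric encryption with the passphrase read from stdin;
    run it with stdin redirected from the key file (assumes gpg on PATH)."""
    return ["gpg", "--batch", "--passphrase-fd", "0", "--symmetric", target]


def demo_keyfile() -> Dict[str, object]:
    """Write a key file in a fresh temp dir, read it back through the
    line-oriented model and report what survived plus the file mode."""
    path = os.path.join(tempfile.mkdtemp(), "sym.key")  # constructed location
    key = write_keyfile(path)
    with open(path, "rb") as f:
        seen = passphrase_from_fd_bytes(f.read())
    return {"key": key, "seen": seen, "mode": os.stat(path).st_mode & 0o777}
```

The key file is the secret; it needs the same handling as a private key (owner-only permissions, backed up somewhere encrypted), which is the part the original one-liner left out.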
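Patrick's SETDESC / GETPIN test above is the raw Assuan dialogue gpg-agent has with a pinentry, and snowcrash's transcript shows the reply shapes (a greeting "OK Your orders please", then OK per command, with the PIN coming back on a D line). The Python below is an added example, not pinentry or GnuPG code: it escapes and unescapes Assuan data lines (Assuan percent-encodes '%', CR and LF), parses one command's reply, and drives a real pinentry through the same three-line test. `pinentry_getpin` assumes a pinentry binary is available and is not exercised by the offline parser checks; the sample reply lines are constructed.

```python
"""Speak Assuan to a pinentry: send SETDESC / GETPIN, parse OK / ERR / D / S
lines. Added example; `pinentry_getpin` assumes a pinentry binary on PATH."""
import subprocess
from typing import Dict, List, Optional


def assuan_escape(data: bytes) -> bytes:
    """Percent-escape the three bytes Assuan does not allow raw in a line."""
    out = bytearray()
    for b in data:
        if b in (0x25, 0x0D, 0x0A):            # '%', CR, LF
            out += b"%%%02X" % b
        else:
            out.append(b)
    return bytes(out)


def assuan_unescape(data: bytes) -> bytes:
    """Undo assuan_escape (used on the D lines that carry the PIN)."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] == 0x25 and i + 2 < len(data):
            out.append(int(data[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def parse_reply(lines: List[bytes]) -> Dict[str, object]:
    """Consume the server lines for one command up to its terminating OK/ERR.
    Data from D lines is concatenated; S lines are collected as status."""
    reply: Dict[str, object] = {"ok": False, "data": b"", "status": [], "error": None}
    for raw in lines:
        line = raw.rstrip(b"\r\n")
        if line == b"OK" or line.startswith(b"OK "):
            reply["ok"] = True
            break
        if line.startswith(b"ERR "):
            reply["error"] = line[4:].decode("utf-8", "replace")
            break
        if line.startswith(b"D "):
            reply["data"] = reply["data"] + assuan_unescape(line[2:])
        elif line.startswith(b"S "):
            reply["status"].append(line[2:].decode("utf-8", "replace"))
        # '#' comment lines and anything unrecognised are ignored
    return reply


def _read_reply(stdout) -> Dict[str, object]:
    """Read lines from the pinentry until an OK or ERR closes the reply."""
    lines: List[bytes] = []
    while True:
        line = stdout.readline()
        if not line:
            break                               # pinentry exited
        lines.append(line)
        if line.startswith(b"OK") or line.startswith(b"ERR"):
            break
    return parse_reply(lines)


def pinentry_getpin(pinentry: str = "pinentry",
                    desc: bytes = b"This is a test") -> Optional[bytes]:
    """Run the SETDESC/GETPIN dialogue against a real pinentry (assumed on
    PATH). Returns the entered PIN, or None on cancel/error."""
    proc = subprocess.Popen([pinentry], stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    try:
        if not _read_reply(proc.stdout)["ok"]:   # greeting: "OK Your orders please"
            return None
        proc.stdin.write(b"SETDESC " + assuan_escape(desc) + b"\n")
        proc.stdin.flush()
        if not _read_reply(proc.stdout)["ok"]:
            return None
        proc.stdin.write(b"GETPIN\n")
        proc.stdin.flush()
        reply = _read_reply(proc.stdout)
        proc.stdin.write(b"BYE\n")
        proc.stdin.flush()
        return reply["data"] if reply["ok"] else None
    finally:
        proc.stdin.close()
        proc.wait()
```

The bytes on the D line are the user's passphrase in the clear, which is why gpg-agent keeps them in locked memory and why a script like this should never log the reply; in the transcript later in the thread, "D (my_pass_phrase)" is exactly that line.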
From rjh at sixdemonbag.org Tue Jan 23 06:55:44 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 23 Jan 2007 00:55:44 -0500
Subject: Symmetric encypher with private key decypher
In-Reply-To: <45B58E37.3010702@gmail.com>
References: <8469208.post@talk.nabble.com> <45B58E37.3010702@gmail.com>
Message-ID: <45B5A360.4090306@sixdemonbag.org>

Alphax wrote:

> ... which is actually what GPG does with bog-standard public key
> encryption! Or do you want something else?

While I agree with you, I've always wondered: what is the appropriate ISO standard for bogs, and where can I find an ISO-certified supplier of them?

From schneecrash+gnupg-users at gmail.com Tue Jan 23 19:03:19 2007
From: schneecrash+gnupg-users at gmail.com (snowcrash+gnupg-users)
Date: Tue, 23 Jan 2007 10:03:19 -0800
Subject: pinentry-qt (svn/r153) crashes on exec @ "assuan_register_command"; v0.7.2 execs no error.
Message-ID: <70f41ba20701231003g7d4dec4aj2b54f23fd1eca2f6@mail.gmail.com>

i'm building pinentry (v0.7.2 *&* svn/r153) on OSX.
on the way to gpg2, i've built as prereqs,

    libassuan svn/r234
    libksba svn/r266
    libgpg-error v1.5
    libgcrypt v1.2.3
    pth v2.0.7

building each as,

    ./configure \
        --with-prefix=/usr/local \
        --enable-shared --enable-static \
        --disable-rpath \
        --disable-pinentry-gtk --disable-glibtest --disable-gtktest \
        --disable-pinentry-curses --disable-ncurses --disable-fallback-curses \
        --enable-pinentry-qt --enable-mt \
        --disable-embedded \
        --with-qt-dir=/usr/local/qt3 \
        --with-qt-includes=/usr/local/qt3/include \
        --with-qt-libraries=/usr/local/qt3/lib

'make', & 'make install' seem to go smoothly for both versions, resulting in executables that report,

    # v0.7.2
    % /usr/local/bin/pinentry-qt --version
    pinentry-qt (pinentry) 0.7.2

    # svn/r153
    % /usr/local/bin/pinentry-qt --version
    pinentry-qt (pinentry) 0.7.3-cvs

, respectively.

on exec/test of v0.7.2,

    % /usr/local/bin/pinentry-qt
    OK Your orders please
    SETDESC This is a test
    GETPIN
    OK

correctly pops up a PIN-Entry dialog

BUT, on exec/test of svn/r153,

    % /usr/local/bin/pinentry-qt

returns, in this case, @ console, "BUS ERROR" and the app crashes.

reported in SYSLOG, the corresponding CRASHLOG is,

    % cat /Library/Logs/CrashReporter/pinentry-qt.crash.log

and shown below.

any fix?

thanks.

------------------------------------------------------------------
**********

Host Name:      server
Date/Time:      2007-01-23 00:12:10.999 -0800
OS Version:     10.4.8 (Build 8L127)
Report Version: 4

Command: pinentry-qt
Path:    /usr/local/bin/pinentry-qt
Parent:  tcsh [5401]

Version: ??? (???)
PID: 3553 Thread: 0 Exception: EXC_BAD_ACCESS (0x0001) Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000100 Thread 0 Crashed: 0 pinentry-qt 0x000123c8 assuan_register_command + 40 (assuan-handler.c:247) 1 pinentry-qt 0x00011390 pinentry_loop + 208 (pinentry.c:663) 2 pinentry-qt 0x0000dc74 main + 516 (main.cpp:181) 3 pinentry-qt 0x0000236c _start + 760 4 pinentry-qt 0x00002070 start + 48 Thread 0 crashed with PPC Thread State 64: srr0: 0x00000000000123c8 srr1: 0x000000000200d030 vrsave: 0x0000000000000000 cr: 0x42004422 xer: 0x0000000000000004 lr: 0x00000000000123b0 ctr: 0x0000000000000018 r0: 0x0000000000011390 r1: 0x00000000bfffc8a0 r2: 0x000000000001c070 r3: 0x00000000007ef004 r4: 0x0000000000000100 r5: 0x0000000000016b1c r6: 0x0000000000010e60 r7: 0x0000000000000000 r8: 0x0000000000000000 r9: 0x0000000000000001 r10: 0x0000000000000018 r11: 0x00000000bfffcc04 r12: 0x0000000090002968 r13: 0x0000000000000000 r14: 0x0000000000000000 r15: 0x0000000000000000 r16: 0x0000000000000000 r17: 0x0000000000000000 r18: 0x0000000000000000 r19: 0x0000000000000000 r20: 0x0000000000000000 r21: 0x0000000000000000 r22: 0x0000000000016138 r23: 0x000000000001da84 r24: 0x0000000000000000 r25: 0x00000000bfffcaac r26: 0x0000000000000001 r27: 0x0000000000000100 r28: 0x0000000000000001 r29: 0x0000000000016b1c r30: 0x00000000007ef004 r31: 0x00000000000123b0 Binary Images Description: 0x1000 - 0x1bfff pinentry-qt /usr/local/bin/pinentry-qt 0x22f000 - 0x25efff libncurses.5.6.dylib /usr/local/lib/libncurses.5.6.dylib 0x27a000 - 0x282fff libintl.8.dylib /usr/local/lib/libintl.8.dylib 0x29a000 - 0x2acfff libz.1.dylib /usr/local/lib/libz.1.dylib 0x2b0000 - 0x2eafff libssl.0.9.8.dylib /usr/local/ssl/lib/libssl.0.9.8.dylib 0x405000 - 0x4f9fff libiconv.2.dylib /usr/local/lib/libiconv.2.dylib 0x548000 - 0x566fff libpng12.0.dylib /usr/local/lib/libpng12.0.dylib 0x5c4000 - 0x5f3fff libmysqlclient_r.15.dylib /usr/local/mysql/lib/mysql/libmysqlclient_r.15.dylib 0x62e000 - 0x652fff libreadline.5.2.dylib 
/usr/local/lib/libreadline.5.2.dylib 0x6a1000 - 0x6a6fff libSM.6.dylib /usr/X11R6/lib/libSM.6.dylib 0x6aa000 - 0x6b9fff libICE.6.dylib /usr/X11R6/lib/libICE.6.dylib 0x6c1000 - 0x6cdfff libXext.6.dylib /usr/X11R6/lib/libXext.6.dylib 0x6d3000 - 0x79cfff libX11.6.dylib /usr/X11R6/lib/libX11.6.dylib 0x1008000 - 0x110afff libcrypto.0.9.8.dylib /usr/local/ssl/lib/libcrypto.0.9.8.dylib 0x1177000 - 0x1195fff libpng.3.dylib /usr/local/lib/libpng.3.dylib 0x8fe00000 - 0x8fe51fff dyld 45.3 /usr/lib/dyld 0x90000000 - 0x901bcfff libSystem.B.dylib /usr/lib/libSystem.B.dylib 0x90214000 - 0x90219fff libmathCommon.A.dylib /usr/lib/system/libmathCommon.A.dylib 0x9021b000 - 0x90268fff com.apple.CoreText 1.0.2 (???) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreText.framework/Versions/A/CoreText 0x90293000 - 0x90344fff ATS /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATS.framework/Versions/A/ATS 0x90373000 - 0x9072dfff com.apple.CoreGraphics 1.258.38 (???) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics 0x907ba000 - 0x90893fff com.apple.CoreFoundation 6.4.6 (368.27) /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation 0x908dc000 - 0x908dcfff com.apple.CoreServices 10.4 (???) /System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices 0x908de000 - 0x909e0fff libicucore.A.dylib /usr/lib/libicucore.A.dylib 0x90a3a000 - 0x90abefff libobjc.A.dylib /usr/lib/libobjc.A.dylib 0x90ae8000 - 0x90b58fff com.apple.framework.IOKit 1.4 (???) 
/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit 0x90b6e000 - 0x90b80fff libauto.dylib /usr/lib/libauto.dylib 0x90b87000 - 0x90e5efff com.apple.CoreServices.CarbonCore 681.7 /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/CarbonCore.framework/Versions/A/CarbonCore 0x90ec4000 - 0x90f44fff com.apple.CoreServices.OSServices 4.1 /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/OSServices.framework/Versions/A/OSServices 0x90f8e000 - 0x90fcffff com.apple.CFNetwork 129.19 /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/CFNetwork.framework/Versions/A/CFNetwork 0x90fe4000 - 0x90ffcfff com.apple.WebServices 1.1.2 (1.1.0) /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/WebServicesCore.framework/Versions/A/WebServicesCore 0x9100c000 - 0x9108dfff com.apple.SearchKit 1.0.5 /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/SearchKit.framework/Versions/A/SearchKit 0x910d3000 - 0x910fcfff com.apple.Metadata 10.4.4 (121.36) /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Metadata 0x9110d000 - 0x9111bfff libz.1.dylib /usr/lib/libz.1.dylib 0x9111e000 - 0x912d9fff com.apple.security 4.6 (29770) /System/Library/Frameworks/Security.framework/Versions/A/Security 0x913d8000 - 0x913e1fff com.apple.DiskArbitration 2.1 /System/Library/Frameworks/DiskArbitration.framework/Versions/A/DiskArbitration 0x913e8000 - 0x91410fff com.apple.SystemConfiguration 1.8.3 /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration 0x91423000 - 0x9142efff libgcc_s.1.dylib /usr/lib/libgcc_s.1.dylib 0x91433000 - 0x9143bfff libbsm.dylib /usr/lib/libbsm.dylib 0x9143f000 - 0x914bafff com.apple.audio.CoreAudio 3.0.4 /System/Library/Frameworks/CoreAudio.framework/Versions/A/CoreAudio 0x914f7000 - 0x914f7fff com.apple.ApplicationServices 10.4 (???) 
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices 0x914f9000 - 0x91531fff com.apple.AE 1.5 (297) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/AE.framework/Versions/A/AE 0x9154c000 - 0x91619fff com.apple.ColorSync 4.4.4 /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ColorSync.framework/Versions/A/ColorSync 0x9166e000 - 0x916fffff com.apple.print.framework.PrintCore 4.6 (177.13) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/PrintCore.framework/Versions/A/PrintCore 0x91746000 - 0x917fdfff com.apple.QD 3.10.21 (???) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/QD.framework/Versions/A/QD 0x9183a000 - 0x91898fff com.apple.HIServices 1.5.3 (???) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/HIServices.framework/Versions/A/HIServices 0x918c7000 - 0x918e8fff com.apple.LangAnalysis 1.6.1 /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/LangAnalysis.framework/Versions/A/LangAnalysis 0x918fc000 - 0x91921fff com.apple.FindByContent 1.5 /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/FindByContent.framework/Versions/A/FindByContent 0x91934000 - 0x91976fff com.apple.LaunchServices 181 /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/LaunchServices 0x91992000 - 0x919a6fff com.apple.speech.synthesis.framework 3.3 /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/SpeechSynthesis.framework/Versions/A/SpeechSynthesis 0x919b4000 - 0x919f6fff com.apple.ImageIO.framework 1.5.0 /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/ImageIO 0x91a0c000 - 0x91ad3fff libcrypto.0.9.7.dylib /usr/lib/libcrypto.0.9.7.dylib 0x91b21000 - 0x91b36fff libcups.2.dylib /usr/lib/libcups.2.dylib 
0x91b3b000 - 0x91b59fff libJPEG.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libJPEG.dylib 0x91b5f000 - 0x91bcefff libJP2.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libJP2.dylib 0x91be5000 - 0x91be9fff libGIF.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libGIF.dylib 0x91beb000 - 0x91c4afff libRaw.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libRaw.dylib 0x91c4f000 - 0x91c8cfff libTIFF.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libTIFF.dylib 0x91c93000 - 0x91cacfff libPng.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libPng.dylib 0x91cb1000 - 0x91cb4fff libRadiance.dylib /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libRadiance.dylib 0x91cb6000 - 0x91cb6fff com.apple.Accelerate 1.2.2 (Accelerate 1.2.2) /System/Library/Frameworks/Accelerate.framework/Versions/A/Accelerate 0x91cb8000 - 0x91d9dfff com.apple.vImage 2.4 /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vImage.framework/Versions/A/vImage 0x91da5000 - 0x91dc4fff com.apple.Accelerate.vecLib 3.2.2 (vecLib 3.2.2) /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/vecLib 0x91e30000 - 0x91e9efff libvMisc.dylib /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libvMisc.dylib 0x91ea9000 - 0x91f3efff libvDSP.dylib /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libvDSP.dylib 0x91f58000 - 0x924e0fff libBLAS.dylib 
/System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libBLAS.dylib 0x92513000 - 0x9283efff libLAPACK.dylib /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libLAPACK.dylib 0x9286e000 - 0x928f6fff com.apple.DesktopServices 1.3.5 /System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/DesktopServicesPriv 0x92937000 - 0x92b62fff com.apple.Foundation 6.4.6 (567.27) /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation 0x92c80000 - 0x92d5efff libxml2.2.dylib /usr/lib/libxml2.2.dylib 0x92d7e000 - 0x92e6cfff libiconv.2.dylib /usr/lib/libiconv.2.dylib 0x92e7e000 - 0x92e9cfff libGL.dylib /System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/libGL.dylib 0x92ea7000 - 0x92f01fff libGLU.dylib /System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/libGLU.dylib 0x92f1f000 - 0x92f1ffff com.apple.Carbon 10.4 (???) /System/Library/Frameworks/Carbon.framework/Versions/A/Carbon 0x92f21000 - 0x92f35fff com.apple.ImageCapture 3.0 /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/ImageCapture.framework/Versions/A/ImageCapture 0x92f4d000 - 0x92f5dfff com.apple.speech.recognition.framework 3.4 /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/SpeechRecognition.framework/Versions/A/SpeechRecognition 0x92f69000 - 0x92f7efff com.apple.securityhi 2.0 (203) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/SecurityHI.framework/Versions/A/SecurityHI 0x92f90000 - 0x93017fff com.apple.ink.framework 101.2 (69) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/Ink.framework/Versions/A/Ink 0x9302b000 - 0x93036fff com.apple.help 1.0.3 (32) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/Help.framework/Versions/A/Help 0x93040000 - 0x9306dfff com.apple.openscripting 1.2.5 (???) 
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/OpenScripting.framework/Versions/A/OpenScripting 0x93087000 - 0x93096fff com.apple.print.framework.Print 5.2 (192.4) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/Print.framework/Versions/A/Print 0x930a2000 - 0x93108fff com.apple.htmlrendering 1.1.2 /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HTMLRendering.framework/Versions/A/HTMLRendering 0x93139000 - 0x93188fff com.apple.NavigationServices 3.4.4 (3.4.3) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/NavigationServices.framework/Versions/A/NavigationServices 0x931b6000 - 0x931d3fff com.apple.audio.SoundManager 3.9 /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/CarbonSound.framework/Versions/A/CarbonSound 0x931e5000 - 0x931f2fff com.apple.CommonPanels 1.2.2 (73) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/CommonPanels.framework/Versions/A/CommonPanels 0x931fb000 - 0x93508fff com.apple.HIToolbox 1.4.8 (???) 
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox
0x93657000 - 0x93663fff com.apple.opengl 1.4.7 /System/Library/Frameworks/OpenGL.framework/Versions/A/OpenGL
0x94167000 - 0x9422afff com.apple.audio.toolbox.AudioToolbox 1.4.3 /System/Library/Frameworks/AudioToolbox.framework/Versions/A/AudioToolbox
0x9427c000 - 0x9427cfff com.apple.audio.units.AudioUnit 1.4 /System/Library/Frameworks/AudioUnit.framework/Versions/A/AudioUnit
0x94775000 - 0x94a44fff com.apple.QuickTime 7.1.3 /System/Library/Frameworks/QuickTime.framework/Versions/A/QuickTime
0x94b07000 - 0x94b78fff libstdc++.6.dylib /usr/lib/libstdc++.6.dylib
0x94beb000 - 0x94c0bfff libmx.A.dylib /usr/lib/libmx.A.dylib
0x97cd5000 - 0x97ce2fff com.apple.agl 2.5.6 (AGL-2.5.6) /System/Library/Frameworks/AGL.framework/Versions/A/AGL
0xb2000000 - 0xb2535fff libqt-mt.3.dylib /usr/local/lib/libqt-mt.3.dylib

From shavital at mac.com Tue Jan 23 23:18:58 2007
From: shavital at mac.com (Charly Avital)
Date: Wed, 24 Jan 2007 00:18:58 +0200
Subject: pinentry-qt (svn/r153) crashes on exec @ "assuan_register_command"; v0.7.2 execs no error.
In-Reply-To: <70f41ba20701231003g7d4dec4aj2b54f23fd1eca2f6@mail.gmail.com>
References: <70f41ba20701231003g7d4dec4aj2b54f23fd1eca2f6@mail.gmail.com>
Message-ID: <45B689D2.3010004@mac.com>

snowcrash+gnupg-users wrote the following on 1/23/07 8:03 PM:

> i'm building pinentry (v0.7.2 *&* svn/r153) on OSX.
>
> on the way to gpg2, i've built as prereqs,
>
> libassuan svn/r234
> libksba svn/r266
> libgpg-error v1.5
> libgcrypt v1.2.3
> pth v2.0.7

[snip]

Could this help?

Charly

From schneecrash+gnupg-users at gmail.com Tue Jan 23 23:50:11 2007
From: schneecrash+gnupg-users at gmail.com (snowcrash+gnupg-users)
Date: Tue, 23 Jan 2007 14:50:11 -0800
Subject: pinentry-qt (svn/r153) crashes on exec @ "assuan_register_command"; v0.7.2 execs no error.
In-Reply-To: <45B689D2.3010004@mac.com>
References: <70f41ba20701231003g7d4dec4aj2b54f23fd1eca2f6@mail.gmail.com> <45B689D2.3010004@mac.com>
Message-ID: <70f41ba20701231450n21bc3d0vcaa6c7d25bc1d3d0@mail.gmail.com>

> Could this help?
>

heh, not really. that's where i _started_ -- been all through those pages.

afaict, nothing addresses the 'assuan' problem i'm apparently seeing in the svn src-build, but not in the v0.7.2 build, which is ok (mostly ...)

atm, i've rebuilt pinentry v072, config'd as,

    Pinentry v0.7.2 has been configured as follows:

    Curses Pinentry: yes
    GTK+ Pinentry: no
    GTK+-2 Pinentry: no
    Qt Pinentry: yes
    W32 Pinentry: no

    Fallback to Curses: yes

    Default Pinentry: pinentry-qt

so that,

    % ls -al /usr/local/bin/pinentry*
    lrwxr-xr-x 1 root admin 11 Jan 23 14:19 /usr/local/bin/pinentry -> pinentry-qt
    -rwxr-xr-x 1 root admin 124972 Jan 23 14:19 /usr/local/bin/pinentry-curses
    -rwxr-xr-x 1 root admin 2262216 Jan 23 14:19 /usr/local/bin/pinentry-qt

in TESTING, i see:

(1) CASE: pinentry-curses

    /bin/sh -c '/usr/local/bin/pinentry-curses --lc-ctype=UTF-8'
    OK Your orders please
    SETDESC This is a test
    GETPIN
    lqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqk
    x This is a test                                 x
    x                                                x
    x PIN: *************___________________________  x
    x                                                x
    x                                                x
    mqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj
    D (my_pass_phrase)
    OK

which is OK (i think ...)

BUT,

(2) CASE: pinentry-qt

    /bin/sh -c '/usr/local/bin/pinentry-qt --lc-ctype=UTF-8'
    OK Your orders please
    SETDESC This is a test
    GETPIN

pops up a Desktop dialog,

    http://img168.imageshack.us/img168/8328/pinentryqt018qj.jpg

which, unfortunately, cannot grab focus for the field entry. you'll note in the posted image that the form field has a cursor _in_ it, but is 'grayed out'. clicking on it does no good. can't enter a thing ...
:-/

From vedaal at hush.com Wed Jan 24 00:27:24 2007
From: vedaal at hush.com (vedaal at hush.com)
Date: Tue, 23 Jan 2007 18:27:24 -0500
Subject: passphrase for symmetric encryption // ?maximum length
Message-ID: <20070123232725.99177DA81F@mailserver7.hushmail.com>

truecrypt shows an advisory that the maximum length for a passphrase is 64 characters

was curious as to if there is a maximum in gnupg?

(have tried 65, and it worked fine, tried the same passphrase with only the first 64 characters, and it did not work, i.e. the longer passphrase isn't simply just truncated at 64)

is there a maximum beyond which gnupg will just 'refuse' the passphrase, or is there an effective maximum, where longer passphrases make no difference?

tia,

vedaal

From rjh at sixdemonbag.org Wed Jan 24 03:25:39 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 23 Jan 2007 20:25:39 -0600
Subject: passphrase for symmetric encryption // ?maximum length
In-Reply-To: <20070123232725.99177DA81F@mailserver7.hushmail.com>
References: <20070123232725.99177DA81F@mailserver7.hushmail.com>
Message-ID: <45B6C3A3.20809@sixdemonbag.org>

vedaal at hush.com wrote:
> or is there an effective maximum, where longer passphrases make no
> difference?

The effective maximum is when you reach 128 bits of Shannon entropy. Using conversational English, that means about 80 characters of text. (I'm using Shannon's estimate of 1.5 bits per English glyph.) Other languages will have different rates of entropy, and it's fairly easy to use creative punctuation, misspellings, etc., to jack up the per-glyph numbers.
From wk at gnupg.org Wed Jan 24 10:43:51 2007
From: wk at gnupg.org (Werner Koch)
Date: Wed, 24 Jan 2007 10:43:51 +0100
Subject: passphrase for symmetric encryption // ?maximum length
In-Reply-To: <20070123232725.99177DA81F@mailserver7.hushmail.com> (vedaal@hush.com's message of "Tue\, 23 Jan 2007 18\:27\:24 -0500")
References: <20070123232725.99177DA81F@mailserver7.hushmail.com>
Message-ID: <87mz48bvzc.fsf@wheatstone.g10code.de>

On Wed, 24 Jan 2007 00:27, vedaal at hush.com said:

> is there a maximum beyond which gnupg will just 'refuse' the
> passphrase,

There should be no such limit. The exception is that you may run out of memory. The passphrase is held in secure memory and during computations 2 or 3 copies need to be stored there. 1000 characters should be no problem but it makes no sense.

> or is there an effective maximum, where longer passphrases make no
> difference?

See Robert's answer. Depending on the chosen cipher you may need more than 128 bits, though.

Salam-Shalom,

Werner

From marcus.brinkmann at ruhr-uni-bochum.de Wed Jan 24 15:47:11 2007
From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann)
Date: Wed, 24 Jan 2007 15:47:11 +0100
Subject: [snowcrash+gnupg-users] pinentry-qt (svn/r153) crashes on exec @ "assuan_register_command"; v0.7.2 execs no error.
In-Reply-To: <87irewbvu7.fsf@wheatstone.g10code.de> <70f41ba20701231003g7d4dec4aj2b54f23fd1eca2f6@mail.gmail.com>
References: <87irewbvu7.fsf@wheatstone.g10code.de>
Message-ID: <8764aw7a8g.wl%marcus.brinkmann@ruhr-uni-bochum.de>

Hi,

thanks for the report. At first glance, the data in the report doesn't add up to much, unfortunately. The source code hardly changed between 0.7.2 and r153, and not at all in the general area of the crash.

Do the other pinentries crash as well? (pinentry-curses has the fewest dependencies).

If you send me both executables, I will try to make my luck with the assembler, although PowerPC is not really my platform.
But I need the binaries to make at least some sense out of the register state. As of yet I can't even make a good guess to what the problem is, sorry.

Thanks,
Marcus

From thomas.breton at iscio.com Tue Jan 23 23:02:24 2007
From: thomas.breton at iscio.com (Thomas BRETON)
Date: Tue, 23 Jan 2007 23:02:24 +0100
Subject: gpgkey2ssh
Message-ID: <45B685F0.6000404@iscio.com>

Hello,

I can't find any documentation on this command. How can I use it? I suppose that it's to use my gpg key for ssh, but how?

Thanks for any help

Tom

From vogel.b at gmail.com Wed Jan 24 17:23:50 2007
From: vogel.b at gmail.com (Bazzz)
Date: Wed, 24 Jan 2007 08:23:50 -0800 (PST)
Subject: working with bare gpg - how to close the text-block
Message-ID: <8563819.post@talk.nabble.com>

Since I like to know how things work, I also tried working with gpg from the command line. Much is described on the Net and that works.

But what I can not find is this: In a commandline box in Windows XP I call gpg by just typing "gpg" and nothing extra. This replies with "gpg: Go ahead and type your message ... " And there it stops. I can keep on typing .. but can't close the text entry and make gpg continue. Guess that should work .. but not here.

Anyone know which key combination is needed to go further?

Running gpg4win on winXP SP2

Thanks,
Bas
From schneecrash+gnupg-users at gmail.com Wed Jan 24 17:49:31 2007
From: schneecrash+gnupg-users at gmail.com (snowcrash+gnupg-users)
Date: Wed, 24 Jan 2007 08:49:31 -0800
Subject: [snowcrash+gnupg-users] pinentry-qt (svn/r153) crashes on exec @ "assuan_register_command"; v0.7.2 execs no error.
In-Reply-To: <8764aw7a8g.wl%marcus.brinkmann@ruhr-uni-bochum.de>
References: <87irewbvu7.fsf@wheatstone.g10code.de> <70f41ba20701231003g7d4dec4aj2b54f23fd1eca2f6@mail.gmail.com> <8764aw7a8g.wl%marcus.brinkmann@ruhr-uni-bochum.de>
Message-ID: <70f41ba20701240849h5069b23cxec2afb202a99dcd0@mail.gmail.com>

hi marcus,

On 1/24/07, Marcus Brinkmann wrote:
> thanks for the report.

hi,

well, for the life of me, i do NOT know what's changed (i've been building/rebuilding a lot!), but, atm, both

    pinentry-qt-svn
    pinentry-qt-v072

seem to launch correctly, and w/o BusError. i've tried to backtrack my (mis)trials, but simply can't get it to misbehave again. how i love 'gremlins'! :-/

anyway, outstanding issues that remain:

(1) the qt pinentry dialog that pops up still fails to grab mouse/keyboard focus correctly. i can't enter a pin into the dialog, and the cancel/ok buttons are nonfunctional.

the google-trail leads me to,

    http://lists.trolltech.com/qt-interest/2006-05/thread00383-0.html

    When compiled with the X11 version of qt under MacOS it behaves
    correctly, but when compiled under qt-mac it has the problems
    described at ...

and,

    http://lists.trolltech.com/qt-interest/2003-03/thread00690-0.html

    This is a FAQ. Native Mac apps must have an application bundle in
    order to get a GUI event thread. There are some notes about this in
    the documentation and the Qt examples build bundles on Mac.

which seem to indicate this is a known issue. the apparent fix/workaround is to build pinentry-qt into a 'bundle'. the referenced bundling howto is at,

    http://doc.trolltech.com/qq/qq09-mac-deployment.html

but, after first attempt i've still got the same issues ...
investigating further

(2) pinentry's --prefix=DIR is NOT respected.

i.e., no matter _what_ the setting, 'make install' installs in /usr/local

(3) pinentry's 'bundled' assuan src is _old_.

it would be nice to be able to cleanly link pinentry-svn against an external/local build of libassuan. atm, though, it's a rather messy (and so far, unsuccessful ...) process.

honestly, not sure it will make a difference, other than to consistency of environment ...

(4) pinentry-svn build/install complains about a missing 'doc/version.texi', which does not seem to be in the src tree.

    cp pinentry-0.7.2/doc/version.texi pinentry-svn/doc/version.texi

fixes the problem.

please let me know if there's anything i can do on my end to help.

thanks!

From vogel.b at gmail.com Wed Jan 24 17:52:49 2007
From: vogel.b at gmail.com (Bazzz)
Date: Wed, 24 Jan 2007 08:52:49 -0800 (PST)
Subject: working with bare gpg - how to close the text-block
In-Reply-To: <8563819.post@talk.nabble.com>
References: <8563819.post@talk.nabble.com>
Message-ID: <8565635.post@talk.nabble.com>

Ctrl-Z followed by Enter results in

    gpg: no valid OpenPGP data found.
    gpg: processing message failed: eof

From vogel.b at gmail.com Wed Jan 24 18:02:33 2007
From: vogel.b at gmail.com (Bazzz)
Date: Wed, 24 Jan 2007 09:02:33 -0800 (PST)
Subject: working with bare gpg - how to close the text-block
In-Reply-To: <8563819.post@talk.nabble.com>
References: <8563819.post@talk.nabble.com>
Message-ID: <8567479.post@talk.nabble.com>

gpg -e results in a lot of unreadable signs - like a cloud. No option. Maybe it's not meant to be used this way.
From dshaw at jabberwocky.com Wed Jan 24 18:07:54 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed, 24 Jan 2007 12:07:54 -0500
Subject: working with bare gpg - how to close the text-block
In-Reply-To: <8563819.post@talk.nabble.com>
References: <8563819.post@talk.nabble.com>
Message-ID: <20070124170754.GA8235@jabberwocky.com>

On Wed, Jan 24, 2007 at 08:23:50AM -0800, Bazzz wrote:
>
> Since I like to know how things work, I also tried working with gpg from the
> command line. Much is described on the Net and that works.
>
> But what I can not find is this:
> In a commandline box in Windows XP I call the gpg by just typing "gpg" and
> nothing extra
> This replies by "gpg: Go ahead and type your message ... "
> And there it stops. I can keep on typing .. but can't close the
> text-entering and make the gpg continue.
> Guess that should work .. but not here.
> Anyone know which key combination is needed to go further?

To go further and accomplish what goal? What are you trying to do?

David

From schneecrash+gnupg-users at gmail.com Wed Jan 24 18:48:27 2007
From: schneecrash+gnupg-users at gmail.com (snowcrash+gnupg-users)
Date: Wed, 24 Jan 2007 09:48:27 -0800
Subject: [snowcrash+gnupg-users] pinentry-qt (svn/r153) crashes on exec @ "assuan_register_command"; v0.7.2 execs no error.
In-Reply-To: <70f41ba20701240849h5069b23cxec2afb202a99dcd0@mail.gmail.com>
References: <87irewbvu7.fsf@wheatstone.g10code.de> <70f41ba20701231003g7d4dec4aj2b54f23fd1eca2f6@mail.gmail.com> <8764aw7a8g.wl%marcus.brinkmann@ruhr-uni-bochum.de> <70f41ba20701240849h5069b23cxec2afb202a99dcd0@mail.gmail.com>
Message-ID: <70f41ba20701240948v53826238h36f5a82449a6bb15@mail.gmail.com>

fyi, i found/reproduced the problem with the BusError. it's an artifact of my (failed) attempt(s) to link in _my_ external/local libassuan.
namely, if i

    setenv LDFLAGS "-L/usr/local/lib -lassuan -lncurses -lintl -liconv -F/System/Library/Frameworks -framework Carbon -framework QuickTime -lpng -lz -framework OpenGL -framework AGL"

rather than,

    setenv LDFLAGS "-L/usr/local/lib -lncurses -lintl -liconv -F/System/Library/Frameworks -framework Carbon -framework QuickTime -lpng -lz -framework OpenGL -framework AGL"

then the built executable will report 'BusError' on exec, and crash with,

    Thread 0 Crashed:
    0   pinentry-qt   0x000123c8 assuan_register_command + 40 (assuan-handler.c:247)
    1   pinentry-qt   0x00011390 pinentry_loop + 208 (pinentry.c:663)
    2   pinentry-qt   0x0000dc74 main + 516 (main.cpp:181)
    3   pinentry-qt   0x0000236c _start + 760
    4   pinentry-qt   0x00002070 start + 48

without the '-lassuan' in LDFLAGS, no BusError.

moving on ...

now, having followed the Trolltech instructions for building/deploying a Qt .app on OSX, if @ shell, i,

    % /usr/local/bin/pinentry-qt.app/Contents/MacOS/pinentry-qt
    OK Your orders please
    SETDESC This is a test
    OK
    GETPIN

this correctly pops up the Qt dialog, but without focus, as previously mentioned.

however, if i now either,

    % open /usr/local/bin/pinentry-qt.app

at shell, or double-click on the App in Finder, nothing happens -- no launch of any dialog. :-/

but in Console, i see:

    pinentry-qt: invalid option -- p
    pinentry-qt: invalid option -- s
    pinentry-qt: invalid option -- n
    pinentry-qt: invalid option -- _
    pinentry-qt: invalid option -- 0
    pinentry-qt: invalid option -- _
    pinentry-qt: invalid option -- 3
    pinentry-qt: invalid option -- 1
    pinentry-qt: invalid option -- 9
    pinentry-qt: invalid option -- 8
    pinentry-qt: invalid option -- 1
    pinentry-qt: invalid option -- 5
    pinentry-qt: invalid option -- 6
    pinentry-qt: invalid option -- 9
    OK Your orders please

no idea abt _this_ yet.

suggestions?

thanks.

From rjh at sixdemonbag.org Wed Jan 24 18:12:06 2007
From: rjh at sixdemonbag.org (Robert J.
Hansen)
Date: Wed, 24 Jan 2007 11:12:06 -0600
Subject: working with bare gpg - how to close the text-block
In-Reply-To: <8565635.post@talk.nabble.com>
References: <8563819.post@talk.nabble.com> <8565635.post@talk.nabble.com>
Message-ID: <45B79366.5000603@sixdemonbag.org>

Bazzz wrote:
> Ctrl-Z followed by Enter results in
>
> gpg: no valid OpenPGP data found.
> gpg: processing message failed: eof

Yep. This is exactly what should happen. If you want to manually enter an entire GnuPG message and then hit Ctrl-Z, you'll discover it works fine.

Note that due to normal human error rates, you almost certainly don't want to do this. But if you have a bad case of OCD, then go for it.

From rjh at sixdemonbag.org Wed Jan 24 17:35:27 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 24 Jan 2007 10:35:27 -0600
Subject: working with bare gpg - how to close the text-block
In-Reply-To: <8563819.post@talk.nabble.com>
References: <8563819.post@talk.nabble.com>
Message-ID: <45B78ACF.2050904@sixdemonbag.org>

Bazzz wrote:
> Anyone know which key combination is needed to go further?

Ctrl-Z is the standard Windows end-of-file symbol, if memory serves.

From marcus.brinkmann at ruhr-uni-bochum.de Wed Jan 24 20:38:50 2007
From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann)
Date: Wed, 24 Jan 2007 20:38:50 +0100
Subject: [snowcrash+gnupg-users] pinentry-qt (svn/r153) crashes on exec @ "assuan_register_command"; v0.7.2 execs no error.
In-Reply-To: <70f41ba20701240849h5069b23cxec2afb202a99dcd0@mail.gmail.com>
References: <87irewbvu7.fsf@wheatstone.g10code.de> <70f41ba20701231003g7d4dec4aj2b54f23fd1eca2f6@mail.gmail.com> <8764aw7a8g.wl%marcus.brinkmann@ruhr-uni-bochum.de> <70f41ba20701240849h5069b23cxec2afb202a99dcd0@mail.gmail.com>
Message-ID: <874pqg6wqd.wl%marcus.brinkmann@ruhr-uni-bochum.de>

At Wed, 24 Jan 2007 08:49:31 -0800,
snowcrash+gnupg-users wrote:
> (1) the qt pinentry dialog that pops up still fails to grab
> mouse/keyboard focus correctly.
> i can't enter a pin into the dialog,
> and the cancel/ok buttons are nonfunctional.
[...]
> which seem to indicate this is a known issue.
[...]
> but, after first attempt i've still got the same issues ...
> investigating further

Thanks for researching this, please keep us posted if you find something.

> (2) pinentry's --prefix=DIR is NOT respected.
>
> i.e., no matter _what_ the setting, 'make install' installs in /usr/local

Works fine here:

    ./configure --prefix=/home/marcus/pinentry
    make install

Note that if you want to change the prefix at installation time, you should use DESTDIR:

    make install DESTDIR=`pwd`/build-a-binary-package

> (3) pinentry's 'bundled' assuan src is _old_.
>
> it would be nice to be able to cleanly link pinentry-svn against an
> external/local build of libassuan. atm, though, it's a rather messy
> (and so far, unsuccessful ...) process.
>
> honestly, not sure it will make a difference, other than to
> consistency of environment ...

Right, we should update it eventually.

> (4) pinentry-svn build/install complains about a missing
> 'doc/version.texi', which does not seem to be in the src tree.
>
> cp pinentry-0.7.2/doc/version.texi pinentry-svn/doc/version.texi
>
> fixes the problem.

To build from the repository, you have to use the "--enable-maintainer-mode" option to configure.

Thanks,
Marcus

From gunnar.schwant at volkswagen.de Wed Jan 24 15:55:50 2007
From: gunnar.schwant at volkswagen.de (Schwant, Gunnar, Dr. (K-GOT-1/1))
Date: Wed, 24 Jan 2007 15:55:50 +0100
Subject: Insecure Memory Warning on HP-UX 11
Message-ID:

Hi!

We installed GnuPG 1.4.2.2 on HP-UX 11 as released by HP:

    http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXIEXP1111
    http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXIEXP1123

Unfortunately, GnuPG displays a warning about insecure memory:

---
gpg: Warning: using insecure memory!
---

We tried to fix this by following the advice of the GnuPG FAQ

    http://www.gnupg.org/(en)/documentation/faqs.html#q6.1

and set setuid(root) permissions on the gpg binary. However, after we did this the problem even got worse. GnuPG now refuses to work at all. I get the following error message:

---
gpg: Ohhhh jeeee: ... this is a bug (g10.c:1768:main)
secmem usage: 0/0 bytes in 0/0 blocks of pool 0/32768
Abort
---

I have searched the web to find out what this error message is about and got the impression that there appears to be a problem with dropping the suid(root) privs. GnuPG drops root privileges as soon as locked memory is allocated. After dropping the suid(root) privs, the effective and the real user id should be identical. GnuPG performs an extra check to verify this. As this check fails the program displays the above error message and aborts.

(See
    http://lists.gnupg.org/pipermail/gnupg-devel/2005-February/021824.html ,
    http://lists.gnupg.org/pipermail/gnupg-devel/2005-February/021826.html ,
    http://lists.gnupg.org/pipermail/gnupg-devel/2005-February/021827.html ,
    http://lists.gnupg.org/pipermail/gnupg-devel/2005-February/021828.html .)

What do you think: Is this a problem which has to be addressed to HP or to the developers of GnuPG?

Any help or advice is very appreciated.

Many thanks and best regards,

Gunnar.

From schneecrash+gnupg-users at gmail.com Wed Jan 24 22:03:08 2007
From: schneecrash+gnupg-users at gmail.com (snowcrash+gnupg-users)
Date: Wed, 24 Jan 2007 13:03:08 -0800
Subject: [snowcrash+gnupg-users] pinentry-qt (svn/r153) crashes on exec @ "assuan_register_command"; v0.7.2 execs no error.
In-Reply-To: <874pqg6wqd.wl%marcus.brinkmann@ruhr-uni-bochum.de>
References: <87irewbvu7.fsf@wheatstone.g10code.de> <70f41ba20701231003g7d4dec4aj2b54f23fd1eca2f6@mail.gmail.com> <8764aw7a8g.wl%marcus.brinkmann@ruhr-uni-bochum.de> <70f41ba20701240849h5069b23cxec2afb202a99dcd0@mail.gmail.com> <874pqg6wqd.wl%marcus.brinkmann@ruhr-uni-bochum.de>
Message-ID: <70f41ba20701241303u7953fa92h6faa8bffa7f5dca@mail.gmail.com>

hi,

> Thanks for researching this, please keep us posted if you find
> something.

there's already more in a subsequent post ... step-by-step, i suppose :-)

> Works fine here:
>
> ./configure --prefix=/home/marcus/pinentry
> make install

hrm. something's wrong here, then ... will dig some more.

> you should use DESTDIR:
> make install DESTDIR=`pwd`/build-a-binary-package

of course. thanks.

> > (3) pinentry's 'bundled' assuan src is _old_.
> Right, we should update it eventually.

ok.

> > (4) pinentry-svn build/install complains about a missing
> > 'doc/version.texi', which does not seem to be in the src tree.
> To build from the repository, you have to use the
> "--enable-maintainer-mode" option to configure.

aha. yes. that fixes it.

thanks!

From schneecrash+gnupg-users at gmail.com Thu Jan 25 01:12:06 2007
From: schneecrash+gnupg-users at gmail.com (snowcrash+gnupg-users)
Date: Wed, 24 Jan 2007 16:12:06 -0800
Subject: [snowcrash+gnupg-users] pinentry-qt (svn/r153) crashes on exec @ "assuan_register_command"; v0.7.2 execs no error.
In-Reply-To: <70f41ba20701240948v53826238h36f5a82449a6bb15@mail.gmail.com>
References: <87irewbvu7.fsf@wheatstone.g10code.de> <70f41ba20701231003g7d4dec4aj2b54f23fd1eca2f6@mail.gmail.com> <8764aw7a8g.wl%marcus.brinkmann@ruhr-uni-bochum.de> <70f41ba20701240849h5069b23cxec2afb202a99dcd0@mail.gmail.com> <70f41ba20701240948v53826238h36f5a82449a6bb15@mail.gmail.com>
Message-ID: <70f41ba20701241612t5b005082qc9ba7e70f1a2ca63@mail.gmail.com>

> but in Console, i see:
>
> pinentry-qt: invalid option -- p
> pinentry-qt: invalid option -- s
> pinentry-qt: invalid option -- n
> pinentry-qt: invalid option -- _
> pinentry-qt: invalid option -- 0
> pinentry-qt: invalid option -- _
> pinentry-qt: invalid option -- 3
> pinentry-qt: invalid option -- 1
> pinentry-qt: invalid option -- 9
> pinentry-qt: invalid option -- 8
> pinentry-qt: invalid option -- 1
> pinentry-qt: invalid option -- 5
> pinentry-qt: invalid option -- 6
> pinentry-qt: invalid option -- 9
> OK Your orders please
>
> no idea abt _this_ yet.

well, this seems to be a result of the OSX Finder passing the PSN (process serial number); in the case above, e.g., "-psn_0_31981569"

cref: http://www.kernelthread.com/mac/osx/arch_sys.html

to work around THAT, instead of building an OSX bundle with the 'actual' pinentry-qt cp'd into it, i.e.,

    cp -f /usr/local/bin/pinentry-qt pinentry-qt.app/Contents/MacOS/pinentry-qt

create, instead,

    pinentry-osx.app/Contents/MacOS/pinentry-osx

where "pinentry-osx" is a launcher script, e.g.,

    ------------------
    #!/bin/sh
    /bin/sh -c '/usr/local/bin/pinentry-qt \
      --no-global-grab \
      --lc-ctype=UTF-8'
    ------------------

this launcher simply ignores the Finder-passed PSN, and directly launches the 'orig' autofoo-built pinentry-qt.

now, on double-click of the pinentry-osx.app, no more 'odd' error (as above). but, still 'nothin' happens -- i.e., there's no dialog launched. just in Console.log, now,

    > OK Your orders please

and, nothing more.

progress? hmm ...
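The transcripts in this thread (OK Your orders please, SETDESC, GETPIN, a D line carrying the passphrase, then OK) are the Assuan protocol that gpg-agent speaks to pinentry over a pipe. The C program below is an added illustration written for this archive, not pinentry or libassuan code: it classifies reply lines by their leading keyword, undoes the %XX escaping Assuan requires inside D lines (a literal '%', CR or LF must travel as %25, %0D or %0A), and consumes one GETPIN reply to completion, including the ERR a cancelled dialog returns. The function names and the sample reply lines in main() are constructed for the example; the one real detail relied on is the gpg-error layout of the numeric ERR code (originating component in bits 24 to 30, error code in the low 16 bits).

```c
/* assuan_reply.c: decode the server lines a pinentry sends back over Assuan.
 * Added illustration, not libassuan; function names are assumptions.
 * Build: cc -o assuan_reply assuan_reply.c */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum assuan_kind { ASSUAN_OK, ASSUAN_ERR, ASSUAN_DATA, ASSUAN_STATUS,
                   ASSUAN_INQUIRE, ASSUAN_COMMENT, ASSUAN_UNKNOWN };

/* The first word of a reply line says what it is. */
enum assuan_kind assuan_classify(const char *line)
{
    if (line[0] == '#') return ASSUAN_COMMENT;
    if (!strncmp(line, "OK", 2) && (line[2] == '\0' || line[2] == ' ')) return ASSUAN_OK;
    if (!strncmp(line, "ERR ", 4)) return ASSUAN_ERR;
    if (!strncmp(line, "D ", 2)) return ASSUAN_DATA;
    if (!strncmp(line, "S ", 2)) return ASSUAN_STATUS;
    if (!strncmp(line, "INQUIRE ", 8)) return ASSUAN_INQUIRE;
    return ASSUAN_UNKNOWN;   /* e.g. a client command echoed into the stream */
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Undo %XX escapes. Returns the decoded length, or -1 on a malformed or
 * truncated escape or when the output buffer is too small. */
int assuan_percent_decode(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    while (*in) {
        int c = (unsigned char)*in++;
        if (c == '%') {
            int hi = hexval((unsigned char)in[0]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[1]);
            if (hi < 0 || lo < 0) return -1;
            c = hi * 16 + lo;
            in += 2;
        }
        if (n + 1 >= outlen) return -1;   /* keep room for the terminator */
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (int)n;
}

/* gpg-error packs the originating component in bits 24..30 and the
 * error code in the low 16 bits of the number after ERR. */
unsigned long assuan_err_code(unsigned long err)   { return err & 0xFFFFUL; }
unsigned long assuan_err_source(unsigned long err) { return (err >> 24) & 0x7FUL; }

/* Consume the reply to one GETPIN. Returns 1 with the PIN in *pin on OK,
 * 0 on ERR (numeric code in *err), -1 on a malformed or truncated reply. */
int assuan_getpin_reply(const char *const *lines, size_t nlines,
                        char *pin, size_t pinlen, unsigned long *err)
{
    size_t used = 0;
    pin[0] = '\0';
    *err = 0;
    for (size_t i = 0; i < nlines; i++) {
        const char *line = lines[i];
        switch (assuan_classify(line)) {
        case ASSUAN_DATA: {
            char chunk[256];
            int n = assuan_percent_decode(line + 2, chunk, sizeof chunk);
            if (n < 0 || used + (size_t)n + 1 > pinlen) return -1;
            memcpy(pin + used, chunk, (size_t)n);
            used += (size_t)n;
            pin[used] = '\0';
            break;
        }
        case ASSUAN_OK:  return 1;
        case ASSUAN_ERR: *err = strtoul(line + 4, NULL, 10); return 0;
        case ASSUAN_STATUS:
        case ASSUAN_COMMENT: break;   /* informational, keep reading */
        default: return -1;           /* not a reply line at all */
        }
    }
    return -1;   /* stream ended before OK or ERR */
}

int main(void)
{
    /* Constructed replies: a passphrase containing '%' and a newline, which
     * pinentry must escape, and a cancelled dialog. */
    const char *accepted[]  = { "D my%25pass%0Aphrase", "OK" };
    const char *cancelled[] = { "ERR 83886179 Operation cancelled <Pinentry>" };
    char pin[128];
    unsigned long err;

    if (assuan_getpin_reply(accepted, 2, pin, sizeof pin, &err) == 1)
        printf("got %zu bytes of PIN\n", strlen(pin));
    memset(pin, 0, sizeof pin);   /* wipe: the PIN should not outlive its use */

    if (assuan_getpin_reply(cancelled, 1, pin, sizeof pin, &err) == 0)
        printf("cancelled: code %lu from source %lu\n",
               assuan_err_code(err), assuan_err_source(err));
    return 0;
}
```

A client that treats every line as data, or that stops at the first OK without checking for a preceding ERR, is the usual source of "works in curses, hangs in Qt" confusion when a dialog never gets focus: the agent is still waiting for the terminating OK or ERR that the dialog never produces.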
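Gunnar's HP-UX message earlier in this archive describes the sequence behind both of the messages he saw: lock the secure-memory pool while the binary may still be setuid root, drop that privilege at once, then verify that the real and effective uid agree and abort if they do not. The C program below is an added illustration of that sequence, not GnuPG's secmem code; the names secmem_init, secmem_term and secmem_privs_dropped, the pool struct and the status values are assumptions made for the example. Run as an ordinary user it reports a locked pool, or the insecure-memory warning when the kernel refuses mlock; run setuid root on a system where the privilege drop silently fails, the final check is what refuses to continue, which is the condition behind the "this is a bug" abort quoted above.

```c
/* secmem.c: lock, drop privileges, verify. Added illustration, not GnuPG's
 * own code; all names are assumptions. Build: cc -o secmem secmem.c */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

enum secmem_status {
    SECMEM_LOCKED = 0,           /* pool is mlock()ed: cannot be paged to swap */
    SECMEM_INSECURE = 1,         /* mlock failed: "Warning: using insecure memory!" */
    SECMEM_PRIV_DROP_FAILED = 2  /* still privileged after the drop: refuse to run */
};

struct secmem_pool {
    unsigned char *raw;    /* malloc'd block, freed on termination */
    unsigned char *base;   /* page-aligned start of the pool */
    size_t size;           /* pool size in bytes, whole pages */
    int locked;
};

/* Wipe, unlock and release. The volatile write loop keeps the compiler from
 * discarding the wipe as a dead store. */
void secmem_term(struct secmem_pool *pool)
{
    if (!pool->raw) return;
    volatile unsigned char *p = pool->base;
    for (size_t i = 0; i < pool->size; i++) p[i] = 0;
    if (pool->locked) munlock(pool->base, pool->size);
    free(pool->raw);
    memset(pool, 0, sizeof *pool);
}

/* 1 when real and effective uid agree, i.e. no setuid privilege remains. */
int secmem_privs_dropped(void)
{
    return getuid() == geteuid();
}

int secmem_init(struct secmem_pool *pool, size_t size)
{
    memset(pool, 0, sizeof *pool);
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) page = 4096;
    size = (size + (size_t)page - 1) / (size_t)page * (size_t)page;

    /* Over-allocate by one page so the pool can start on a page boundary. */
    pool->raw = malloc(size + (size_t)page);
    if (!pool->raw) return -1;
    uintptr_t aligned = ((uintptr_t)pool->raw + (uintptr_t)page - 1)
                        & ~((uintptr_t)page - 1);
    pool->base = (unsigned char *)aligned;
    pool->size = size;
    memset(pool->base, 0, size);

    /* Step 1: lock while we may still hold setuid-root privilege. */
    pool->locked = (mlock(pool->base, size) == 0);

    /* Step 2: give up root right away; nothing after this point needs it. */
    uid_t real = getuid();
    if (geteuid() != real)
        (void)setuid(real);   /* if this fails, the check below catches it */

    /* Step 3: refuse to run if the drop did not take effect. */
    if (!secmem_privs_dropped()) {
        secmem_term(pool);
        return SECMEM_PRIV_DROP_FAILED;
    }
    return pool->locked ? SECMEM_LOCKED : SECMEM_INSECURE;
}

int main(void)
{
    struct secmem_pool pool;
    int st = secmem_init(&pool, 32768);   /* 32768: the pool size gpg printed above */
    if (st == SECMEM_PRIV_DROP_FAILED) {
        fprintf(stderr, "still setuid after the drop; refusing to run\n");
        return 1;
    }
    if (st == SECMEM_INSECURE)
        fprintf(stderr, "Warning: using insecure memory!\n");
    /* Constructed sample; in real use the passphrase arrives from pinentry. */
    const char *sample = "constructed sample passphrase";
    strncpy((char *)pool.base, sample, pool.size - 1);
    printf("pool: %zu bytes, locked=%d, uid=%ld euid=%ld\n",
           pool.size, pool.locked, (long)getuid(), (long)geteuid());
    secmem_term(&pool);
    return 0;
}
```

The check in step 3 is deliberately separate from the drop in step 2: a setuid() that returns success but leaves the effective uid unchanged (a packaging or platform fault rather than a GnuPG one) is exactly the case a defensive program must detect, and aborting is safer than continuing to handle key material with privilege it never meant to keep.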
From brunij at earthlink.net Thu Jan 25 01:34:32 2007
From: brunij at earthlink.net (Joseph Oreste Bruni)
Date: Wed, 24 Jan 2007 17:34:32 -0700
Subject: Insecure Memory Warning on HP-UX 11
In-Reply-To:
References:
Message-ID: <965B84F9-66E3-4698-B2FD-4D0B48C9C7A0@earthlink.net>

This is probably an HP packaging problem. I've built GPG on HP-UX 11.11 and it works fine with the setuid-root bit enabled. The only problems I've encountered with older versions of GPG were with regards to libiconv and gettext not being present.

Joe

On Jan 24, 2007, at 7:55 AM, Schwant, Gunnar, Dr. (K-GOT-1/1) wrote:

> Hi!
>
> We installed GnuPG 1.4.2.2 on HP-UX 11 as released by HP:
>
> http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXIEXP1111
> http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXIEXP1123
>
> Unfortunately, GnuPG displays a warning about insecure memory:
>
> ---
> gpg: Warning: using insecure memory!
> ---
>
> We tried to fix this by following the advice of the GnuPG FAQ
>
> http://www.gnupg.org/(en)/documentation/faqs.html#q6.1
>
> and set setuid(root) permissions on the gpg binary. However, after
> we did this the problem even got worse. GnuPG now refuses to work at
> all. I get the following error message:
>
> ---
> gpg: Ohhhh jeeee: ... this is a bug (g10.c:1768:main)
> secmem usage: 0/0 bytes in 0/0 blocks of pool 0/32768
> Abort
> ---
>
> I have searched the web to find out what this error message is
> about and got the impression that there appears to be a problem with
> dropping the suid(root) privs.
> GnuPG drops root privileges as soon as locked memory is allocated.
> After dropping the suid(root) privs, the effective and the real
> user id should be identical. GnuPG performs an extra check to verify
> this. As this check fails the program displays the above error
> message and aborts.
>
> (See
> http://lists.gnupg.org/pipermail/gnupg-devel/2005-February/021824.html ,
> http://lists.gnupg.org/pipermail/gnupg-devel/2005-February/021826.html ,
> http://lists.gnupg.org/pipermail/gnupg-devel/2005-February/021827.html ,
> http://lists.gnupg.org/pipermail/gnupg-devel/2005-February/021828.html .)
>
> What do you think: Is this a problem which has to be addressed to HP
> or to the developers of GnuPG?
>
> Any help or advice is very appreciated.
>
> Many thanks and best regards,
>
> Gunnar.

From wk at gnupg.org Thu Jan 25 10:58:34 2007
From: wk at gnupg.org (Werner Koch)
Date: Thu, 25 Jan 2007 10:58:34 +0100
Subject: [snowcrash+gnupg-users] pinentry-qt (svn/r153) crashes on exec @ "assuan_register_command"; v0.7.2 execs no error.
In-Reply-To: <874pqg6wqd.wl%marcus.brinkmann@ruhr-uni-bochum.de> (Marcus Brinkmann's message of "Wed\, 24 Jan 2007 20\:38\:50 +0100")
References: <87irewbvu7.fsf@wheatstone.g10code.de> <70f41ba20701231003g7d4dec4aj2b54f23fd1eca2f6@mail.gmail.com> <8764aw7a8g.wl%marcus.brinkmann@ruhr-uni-bochum.de> <70f41ba20701240849h5069b23cxec2afb202a99dcd0@mail.gmail.com> <874pqg6wqd.wl%marcus.brinkmann@ruhr-uni-bochum.de>
Message-ID: <874pqf77hx.fsf@wheatstone.g10code.de>

On Wed, 24 Jan 2007 20:38, marcus.brinkmann at ruhr-uni-bochum.de said:

> Note that if you want to change the prefix at installation time, you
> should use DESTDIR:
>
> make install DESTDIR=`pwd`/build-a-binary-package

FWIW: DESTDIR should only be used if it is not the final destination of the files.
If they are to be installed at a different place and symlinks are used to link them to the correct place (e.g. using stow(1)) it is better to use

    make install prefix=/foo/bla/root

GnuPG related packages feature a target stowinstall to make use of stow easier:

    make stowinstall

installs the package at /usr/local/stow/gnupg or dirmngr, libksba, etc. stow needs to be called by hand of course.

Salam-Shalom,

Werner

From wk at gnupg.org Thu Jan 25 11:08:56 2007
From: wk at gnupg.org (Werner Koch)
Date: Thu, 25 Jan 2007 11:08:56 +0100
Subject: Insecure Memory Warning on HP-UX 11
In-Reply-To: (Gunnar Schwant's message of "Wed\, 24 Jan 2007 15\:55\:50 +0100")
References:
Message-ID: <87zm875sg7.fsf@wheatstone.g10code.de>

On Wed, 24 Jan 2007 15:55, gunnar.schwant at volkswagen.de said:

> What do you think: Is this a problem which has to be addressed to HP or to
> the developers of GnuPG?

Given that other folks are able to install it from source, there seems to be a problem in the package HP distributes. You might want to check the source code of the package to see whether HP changed anything compared to the vanilla GnuPG version.

The assertion failure is to make sure that the program does not run with setuid privileges after it has mlocked some memory. Depending on how you use gpg you might not need the extra protection against passwords possibly appearing in the swap partition. In this case don't suid(root) gpg but use the option --no-secmem-warning.
Shalom-Salam,

Werner

From vedaal at hush.com Thu Jan 25 17:06:58 2007
From: vedaal at hush.com (vedaal at hush.com)
Date: Thu, 25 Jan 2007 11:06:58 -0500
Subject: working with bare gpg - how to close the text-block
Message-ID: <20070125160658.A3B322284D@mailserver9.hushmail.com>

>Message: 1
>Date: Wed, 24 Jan 2007 12:07:54 -0500
>From: David Shaw
>Subject: Re: working with bare gpg - how to close the text-block

>On Wed, Jan 24, 2007 at 08:23:50AM -0800, Bazzz wrote:
>> In a commandline box in Windows XP I call the gpg by just typing
>"gpg" and
>> nothing extra
>> This replies by "gpg: Go ahead and type your message ... "
>> And there it stops. I can keep on typing .. but can't close the
>> text-entering and make the gpg continue.
>> Guess that should work .. but not here.
>> Anyone know which key combination is needed to go further?
>
>To go further and accomplish what goal?

i think what he meant to ask, is:

"after typing gpg, and realizing that i didn't intend to type in a message, how do i get back to the gnupg prompt, without generating an error message?"

ctrl-c

vedaal

From hans.ekbrand at gmail.com Thu Jan 25 15:41:48 2007
From: hans.ekbrand at gmail.com (Hans Ekbrand)
Date: Thu, 25 Jan 2007 15:41:48 +0100
Subject: trust owner => trust his key?
Message-ID: <20070125144148.GJ18374@sqlserver>

Hi gnupg-user!

I am new to the list. I have used gnupg for quite some time, mostly for signing.

I use debian and have installed the package "debian-keyring" which holds the public keys for the debian developers.

I have added a directive to .gnupg/gpg.conf to reflect this:

    keyring /usr/share/keyrings/debian-keyring.gpg

Now I trust that these keys are valid (belong to the right persons), since debian seems to have a good process for establishing that.
I don't want to sign these keys myself, since I haven't checked the validity of them. I believe in the validity of them, but I would not want to vouch for it.

I thought that if I put "Full" owner trust to some of the developers that would make all the keys valid (provided that enough of the developers had signed each other's keys). (Based on a large number of emails I have read from debian-developers, I do trust some of them).

Putting "Full" owner trust in one person didn't imply that his key was valid, which came as a surprise to me.

To sum up, I have two questions:

a) Why does "Full" owner trust of a person not imply that that person's key is valid? (If he can correctly validate correspondence between other persons and keys why not trust him to do that on his own key too?)

b) What should I do for gpg to recognise the keys in debian-keyring as valid (should I sign them myself)?

--
Hans Ekbrand (http://sociologi.cjb.net)
A. Because it breaks the logical sequence of discussion
Q. Why is top posting bad?

From sven at radde.name Wed Jan 24 17:55:25 2007
From: sven at radde.name (Sven Radde)
Date: Wed, 24 Jan 2007 17:55:25 +0100
Subject: working with bare gpg - how to close the text-block
In-Reply-To: <8563819.post@talk.nabble.com>
References: <8563819.post@talk.nabble.com>
Message-ID: <45B78F7D.5070702@radde.name>

Hi!

Bazzz wrote:
> This replies by "gpg: Go ahead and type your message ... "
> And there it stops. I can keep on typing .. but can't close the
> text-entering and make the gpg continue.

You need to send the "End of File" character manually. Try "CTRL-Z" "ENTER".
But note that when invoking solely "gpg" it expects data to decrypt/verify and there is not much point in typing that manually (but you could use the clipboard to copy&paste an encrypted message there).

You could, however, start with "gpg -e" to encrypt a message manually.

cu, Sven

From dshaw at jabberwocky.com Thu Jan 25 17:49:37 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 25 Jan 2007 11:49:37 -0500
Subject: trust owner => trust his key?
In-Reply-To: <20070125144148.GJ18374@sqlserver>
References: <20070125144148.GJ18374@sqlserver>
Message-ID: <20070125164937.GA15545@jabberwocky.com>

On Thu, Jan 25, 2007 at 03:41:48PM +0100, Hans Ekbrand wrote:
> Hi gnupg-user!
>
> I am new to the list. I have used gnupg for quite some time, mostly
> for signing.
>
> I use debian and have installed the package "debian-keyring" which holds the
> public keys for the debian developers.
>
> I have added a directive to .gnupg/gpg.conf to reflect this:
>
> keyring /usr/share/keyrings/debian-keyring.gpg
>
> Now I trust that these keys are valid (belong to the right persons),
> since debian seems to have a good process for establishing that.
>
> I don't want to sign these keys myself, since I haven't checked the
> validity of them. I believe in the validity of them, but I would not want to
> vouch for it.
>
> I thought that if I put "Full" owner trust to some of the developers
> that would make all the keys valid (provided that enough of the
> developers had signed each other's keys). (Based on a large number of
> emails I have read from debian-developers, I do trust some of them).
>
> Putting "Full" owner trust in one person didn't imply that his key
> was valid, which came as a surprise to me.
>
> To sum up, I have two questions:
>
> a) Why does "Full" owner trust of a person not imply that that
> person's key is valid? (If he can correctly validate correspondence
> between other persons and keys why not trust him to do that on his
> own key too?)
Owner trust doesn't mean "I trust this person" or "I trust that this key belongs to the person it seems to". It actually means "I trust this key to sign other keys".

If you want to make a key valid, you need to either sign it yourself (you can use 'lsign' if you want to make a local signature that is for your own use, or 'sign' if you want to make the signature publicly for anyone to use). Once a key is valid, then its owner trust is taken into account when making keys that it signed also valid.

> b) What should I do for gpg to recognise the keys in debian-keyring as
> valid (should I sign them myself)?

You were on the right track before. Just instead of giving full owner trust to some of the developers, lsign their keys also.

David

From j.lysdal at gmail.com Thu Jan 25 17:54:32 2007
From: j.lysdal at gmail.com (Jørgen Lysdal)
Date: Thu, 25 Jan 2007 17:54:32 +0100
Subject: openpgp card problem
In-Reply-To: <87zm875sg7.fsf@wheatstone.g10code.de>
References: <87zm875sg7.fsf@wheatstone.g10code.de>
Message-ID: <45B8E0C8.8030208@gmail.com>

For the last 2 hours I have been playing with my new openpgp card and reader, trying to figure out how stuff works. So there are a few questions.

Can I restore my public key with only the card?

Do I need to backup my "secret key" from my local keyring or can I restore it from my card?

In case I'm asked to type the admin pin, and I don't type anything, but just press enter, will it result in 1 wrong attempt? (I'm worried that my broken enter button will send 3 keystrokes, as it sometimes does)

Suppose I type the admin pin wrong 2 times, and the third time it is correct, will the "wrong pin" counter reset?

- JCL

From j.lysdal at gmail.com Thu Jan 25 18:02:01 2007
From: j.lysdal at gmail.com (Jørgen Lysdal)
Date: Thu, 25 Jan 2007 18:02:01 +0100
Subject: trust owner => trust his key?
In-Reply-To: <20070125144148.GJ18374@sqlserver>
References: <20070125144148.GJ18374@sqlserver>
Message-ID: <45B8E289.6040600@gmail.com>

Hans Ekbrand wrote:
>
> a) Why does not "Full" owner trust of a person imply that that
> person's key is valid? (If he can correctly validate correspondence
> between other persons and keys, why not trust him to do that on his
> own key too?)

It will have no effect to set the trust value on a key that does not have a signature from an ultimately trusted key (your key). You can sign the uids on their keys with a local signature; such a signature will not be uploaded to keyservers or exported with the key.

>
> b) What should I do for gpg to recognise the keys in debian-keyring as
> valid (should I sign them myself)?

Do a local sig, or if I remember correctly, there is an "always trust" option.

From jeroen at unfix.org Thu Jan 25 17:42:09 2007
From: jeroen at unfix.org (Jeroen Massar)
Date: Thu, 25 Jan 2007 16:42:09 +0000
Subject: trust owner => trust his key?
In-Reply-To: <20070125144148.GJ18374@sqlserver>
References: <20070125144148.GJ18374@sqlserver>
Message-ID: <45B8DDE1.1080002@spaghetti.zurich.ibm.com>

Hans Ekbrand wrote:
[..]
> I don't want to sign these keys myself, since I haven't checked the
> validity of them. I believe in the validity of them, but I would not want to
> vouch for it.

There is a very simple way to solve all of this: get enough signatures so that your key is in the strong set. This will automatically approve of most (if not all) of the Debian keys as they are also in the strong set.

To check how 'strong' your key is, and to figure out how to get your key a bit stronger so that it belongs in the strong set, check the following URLs and contact folks who are near you. Dropping in at events always has a very good effect on these as there are always some people with a very strong key, and in effect you only need one of those to be fully trusted.
http://www.biglumber.com - Key Signing Party central
http://pgp.cs.uu.nl - Calculate trust paths.

Greets,
Jeroen

From henry.bremridge at xobie.com Thu Jan 25 21:04:20 2007
From: henry.bremridge at xobie.com (Henry Bremridge)
Date: Thu, 25 Jan 2007 20:04:20 +0000
Subject: openpgp card problem
In-Reply-To: <45B8E0C8.8030208@gmail.com>
References: <87zm875sg7.fsf@wheatstone.g10code.de> <45B8E0C8.8030208@gmail.com>
Message-ID: <200701252006.l0PK62vj009359@rs26.luxsci.com>

As a newbie who has just started using his card, and in the expectation that I will be corrected where I am wrong:

On Thu, Jan 25, 2007 at 05:54:32PM +0100, Jørgen Lysdal wrote:
> For the last 2 hours I have been playing with my new openpgp card and
> reader, trying to figure out how stuff works. So there are a few questions.
>
> Can I restore my public key with only the card?

Your public key is public, so why would you need to restore it?

>
> Do I need to backup my "secret key" from my local keyring or can I
> restore it from my card?

See http://www.fsfe.org/en/card/howto/subkey_howto

--
Henry
Thu Jan 25 20:03:15 GMT 2007
From wk at gnupg.org Thu Jan 25 22:44:06 2007
From: wk at gnupg.org (Werner Koch)
Date: Thu, 25 Jan 2007 22:44:06 +0100
Subject: openpgp card problem
In-Reply-To: <45B8E0C8.8030208@gmail.com> (Jørgen Lysdal's message of "Thu, 25 Jan 2007 17:54:32 +0100")
References: <87zm875sg7.fsf@wheatstone.g10code.de> <45B8E0C8.8030208@gmail.com>
Message-ID: <87bqkmok7t.fsf@wheatstone.g10code.de>

On Thu, 25 Jan 2007 17:54, j.lysdal at gmail.com said:

> Can I restore my public key with only the card?

You will be able to create a key which can be used to decrypt stuff. However, it is not possible to exactly re-create the public key because the signatures (including the self-signatures) are not stored on the card. So either send it to a keyserver or keep a local copy somewhere. It is a good idea to put the key on some webpage and then let the URL field (--edit-key) point to it.

> Do I need to backup my "secret key" from my local keyring or can I
> restore it from my card?

It is just a stub which tells gpg the number of the card so that gpg can ask you to insert the corresponding card. If no key is available, gpg will create that stub automagically from the card.

> In case I'm asked to type the admin pin, and I don't type anything, but
> just press enter, will it result in 1 wrong attempt?

No. There is a basic check done to assure that the PIN is at least 6 or 8 (for the Admin-PIN) characters long. This check is done before the PIN is sent to the card and thus it does not count as a wrong attempt.

> Suppose I type the admin pin wrong 2 times, and the third time it is
> correct, will the "wrong pin" counter reset?

Yes.
But you better wait a few minutes to think about your PIN ;-)

Shalom-Salam,

Werner

From j.lysdal at gmail.com Thu Jan 25 23:14:27 2007
From: j.lysdal at gmail.com (Jørgen Lysdal)
Date: Thu, 25 Jan 2007 23:14:27 +0100
Subject: openpgp card problem
In-Reply-To: <87bqkmok7t.fsf@wheatstone.g10code.de>
References: <87zm875sg7.fsf@wheatstone.g10code.de> <45B8E0C8.8030208@gmail.com> <87bqkmok7t.fsf@wheatstone.g10code.de>
Message-ID: <45B92BC3.6090400@gmail.com>

Werner Koch wrote:
> It is just a stub which tells gpg the number of the card so that gpg
> can ask you to insert the corresponding card. If no key is available,
> gpg will create that stub automagically from the card.

So, if I have my public key, and the stub is missing, all I have to do is load the card with --card-edit? And I'm back to normal?

One thing that confuses me is the "list" output from the card:

pub 1024R/B4EEB7CA 2007-01-25 Jorgen Christiansen Lysdal

sec> 1024R/B4EEB7CA created: 2007-01-25 expires: 2009-01-24
                    card-no: 0001 00000A7A
ssb> 1024R/ED5EFA17 created: 2007-01-25 expires: never
                    card-no: 0001 00000A7A

It stores the public part of my masterkey but not the subkey?

From wk at gnupg.org Fri Jan 26 12:21:02 2007
From: wk at gnupg.org (Werner Koch)
Date: Fri, 26 Jan 2007 12:21:02 +0100
Subject: openpgp card problem
In-Reply-To: <45B92BC3.6090400@gmail.com> (Jørgen Lysdal's message of "Thu, 25 Jan 2007 23:14:27 +0100")
References: <87zm875sg7.fsf@wheatstone.g10code.de> <45B8E0C8.8030208@gmail.com> <87bqkmok7t.fsf@wheatstone.g10code.de> <45B92BC3.6090400@gmail.com>
Message-ID: <871wlinie9.fsf@wheatstone.g10code.de>

On Thu, 25 Jan 2007 23:14, j.lysdal at gmail.com said:

> So, if I have my public key, and the stub is missing, all I have to do
> is load the card with --card-edit? And I'm back to normal?

Yes. --card-status should also be sufficient for this. However --edit-card has the fetch command which retrieves the public key using the stored URL.
Some people reported that this feature does not work for them; however I have not yet been able to duplicate the problem.

> pub 1024R/B4EEB7CA 2007-01-25 Jorgen Christiansen Lysdal
>
> sec> 1024R/B4EEB7CA created: 2007-01-25 expires: 2009-01-24
> card-no: 0001 00000A7A
> ssb> 1024R/ED5EFA17 created: 2007-01-25 expires: never
> card-no: 0001 00000A7A
>
>
> It stores the public part of my masterkey but not the subkey?

You mean that you see pub and then sec and ssb? That seems to be a bug. We use the sec listing function internally because this also displays the number of the card, which is useful if the subkeys are stored on different cards. If that disturbs you, please open a bug at bugs.gnupg.org.

Salam-Shalom,

Werner

From benjamin at py-soft.co.uk Sun Jan 28 13:44:10 2007
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Sun, 28 Jan 2007 12:44:10 +0000
Subject: pinentry-qt (svn/r153) crashes on exec @ "assuan_register_command"; v0.7.2 execs no error.
In-Reply-To: <70f41ba20701231450n21bc3d0vcaa6c7d25bc1d3d0@mail.gmail.com>
References: <70f41ba20701231003g7d4dec4aj2b54f23fd1eca2f6@mail.gmail.com> <45B689D2.3010004@mac.com> <70f41ba20701231450n21bc3d0vcaa6c7d25bc1d3d0@mail.gmail.com>
Message-ID: <45BC9A9A.3020402@py-soft.co.uk>

snowcrash+gnupg-users wrote:
> atm, i've rebuilt pinentry v072, config'd as,

On the Mac, I recommend using my -mac version of pinentry, which is based upon v0.7.2. However, gpg2 will probably need patching so that it behaves properly - see http://www.py-soft.co.uk/~benjamin/download/mac-gpg/patch-query.diff

Let me know how you get on - I intend to package gpg2 for the Mac when I get time.

Take care,

Ben

From benjamin at py-soft.co.uk Sun Jan 28 13:50:24 2007
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Sun, 28 Jan 2007 12:50:24 +0000
Subject: [snowcrash+gnupg-users] pinentry-qt (svn/r153) crashes on exec @ "assuan_register_command"; v0.7.2 execs no error.
In-Reply-To: <70f41ba20701240849h5069b23cxec2afb202a99dcd0@mail.gmail.com>
References: <87irewbvu7.fsf@wheatstone.g10code.de> <70f41ba20701231003g7d4dec4aj2b54f23fd1eca2f6@mail.gmail.com> <8764aw7a8g.wl%marcus.brinkmann@ruhr-uni-bochum.de> <70f41ba20701240849h5069b23cxec2afb202a99dcd0@mail.gmail.com>
Message-ID: <45BC9C10.5070706@py-soft.co.uk>

snowcrash+gnupg-users wrote:
> which seems to indicate this is a known issue. the apparent
> fix/workaround is to build pinentry-qt into a 'bundle'. the
> referenced bundling howto is at,
>
> http://doc.trolltech.com/qq/qq09-mac-deployment.html

Unless they've updated that, it was close to useless. You can download the bundle information I compiled for pinentry-qt on the Mac at http://www.py-soft.co.uk/~benjamin/download/index.php?path=mac-gpg%2Fpinentry-qt.app/

Alternatively, try my native pinentry-mac program! Trust me, it's a much better solution.

Ben

From benjamin at py-soft.co.uk Sun Jan 28 13:59:30 2007
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Sun, 28 Jan 2007 12:59:30 +0000
Subject: [snowcrash+gnupg-users] pinentry-qt (svn/r153) crashes on exec @ "assuan_register_command"; v0.7.2 execs no error.
In-Reply-To: <45BC9C10.5070706@py-soft.co.uk>
References: <87irewbvu7.fsf@wheatstone.g10code.de> <70f41ba20701231003g7d4dec4aj2b54f23fd1eca2f6@mail.gmail.com> <8764aw7a8g.wl%marcus.brinkmann@ruhr-uni-bochum.de> <70f41ba20701240849h5069b23cxec2afb202a99dcd0@mail.gmail.com> <45BC9C10.5070706@py-soft.co.uk>
Message-ID: <45BC9E32.3020900@py-soft.co.uk>

Benjamin Donnachie wrote:
> You can download the bundle information I compiled for pinentry-qt on
> the Mac at
> http://www.py-soft.co.uk/~benjamin/download/index.php?path=mac-gpg%2Fpinentry-qt.app/

It's been a while since I put this together... I just noticed that if you dig down into the bundle, there's a precompiled version of pinentry-qt for Tiger, but only for PPCs.
Ben

From benjamin at py-soft.co.uk Sun Jan 28 14:16:15 2007
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Sun, 28 Jan 2007 13:16:15 +0000
Subject: [HELP NEEDED] GnuPG-1.4 IDEA migration to GnuPG-2.0
In-Reply-To: <9e0cf0bf0701211240k7f6becc8i7b727499acc11448@mail.gmail.com>
References: <9e0cf0bf0701211240k7f6becc8i7b727499acc11448@mail.gmail.com>
Message-ID: <45BCA21F.30505@py-soft.co.uk>

Alon Bar-Lev wrote:
> The users used IDEA algorithm in GnuPG-1.4, and are unable to use
> their keys in GnuPG-2.0.

Do they /absolutely/ need to use GPG v2? If not, it's probably going to be easier if they go back to using v1.4.x...

Ben

From schneecrash+gnupg-users at gmail.com Sun Jan 28 17:31:32 2007
From: schneecrash+gnupg-users at gmail.com (snowcrash+gnupg-users)
Date: Sun, 28 Jan 2007 08:31:32 -0800
Subject: explain nrsign & lsign?
Message-ID: <70f41ba20701280831u272a7b93q483f299fe3c0a7ae@mail.gmail.com>

hi,

i've a 'master', high-strength signing key, "A".

i'm using it to tsign another key, "B".

i note i can also nrsign(non-revocable)/lsign(non-exportable) "B" with "A".

can someone please clearly explain the consequences of doing so?

e.g., if i lsign "B" with "A", *which* key, then is made non-exportable? "A" or "B"?

i've googled for clarity, but other than the man page -- which doesn't go into much depth -- have yet to find cases/examples.

thanks!

From dshaw at jabberwocky.com Sun Jan 28 18:19:22 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun, 28 Jan 2007 12:19:22 -0500
Subject: explain nrsign & lsign?
In-Reply-To: <70f41ba20701280831u272a7b93q483f299fe3c0a7ae@mail.gmail.com>
References: <70f41ba20701280831u272a7b93q483f299fe3c0a7ae@mail.gmail.com>
Message-ID: <20070128171922.GC3166@jabberwocky.com>

On Sun, Jan 28, 2007 at 08:31:32AM -0800, snowcrash+gnupg-users wrote:
> hi,
>
> i've a 'master', high-strength signing key, "A".
>
> i'm using it to tsign another key, "B".
>
> i note i can also nrsign(non-revocable)/lsign(non-exportable) "B" with "A".
>
> can someone please clearly explain the consequences of doing so?
>
> e.g., if i lsign "B" with "A", *which* key, then is made
> non-exportable? "A" or "B"?

Neither key is made non-exportable. A local signature just means the *signature* is local. So if you lsigned B with A, then exported B (or sent it to a keyserver), the local signature from A would not go along with it. GPG automatically strips off any local signatures on the way out.

nrsign, for a non-revocable signature, means pretty much what it seems: a signature that cannot be later revoked. If A nrsigns B, then A can't change his mind later and issue a revocation.

David

From alon.barlev at gmail.com Sun Jan 28 18:22:48 2007
From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Sun, 28 Jan 2007 19:22:48 +0200
Subject: [HELP NEEDED] GnuPG-1.4 IDEA migration to GnuPG-2.0
In-Reply-To: <45BCA21F.30505@py-soft.co.uk>
References: <9e0cf0bf0701211240k7f6becc8i7b727499acc11448@mail.gmail.com> <45BCA21F.30505@py-soft.co.uk>
Message-ID: <9e0cf0bf0701280922m54596b21x10f0258a2ec6ed7d@mail.gmail.com>

On 1/28/07, Benjamin Donnachie wrote:
> Do they /absolutely/ need to use GPG v2? If not, it's probably going to
> be easier if they go back to using v1.4.x...

This is the easy way out :)
gpg2 should be backward compatible... I would like to make it work too... :)

Best Regards,
Alon Bar-Lev.

From JPClizbe at tx.rr.com Sun Jan 28 18:27:40 2007
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Sun, 28 Jan 2007 11:27:40 -0600
Subject: explain nrsign & lsign?
In-Reply-To: <70f41ba20701280831u272a7b93q483f299fe3c0a7ae@mail.gmail.com>
References: <70f41ba20701280831u272a7b93q483f299fe3c0a7ae@mail.gmail.com>
Message-ID: <45BCDD0C.2000200@tx.rr.com>

snowcrash+gnupg-users wrote:
> hi,
>
> i've a 'master', high-strength signing key, "A".
>
> i'm using it to tsign another key, "B".
>
> i note i can also nrsign(non-revocable)/lsign(non-exportable) "B" with "A".
>
> can someone please clearly explain the consequences of doing so?
>
> e.g., if i lsign "B" with "A", *which* key, then is made
> non-exportable? "A" or "B"?
>

Neither. The *key* is still exportable. It is the signature that is local and not exported.

You use a local signature when you wish to sign a UID for your own use but do not wish others to depend on your signature.

-- 
John P. Clizbe                      Inet: John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A
"what's the key to success?" / "two words: good decisions."
"what's the key to good decisions?" / "one word: experience."
"how do i get experience?" / "two words: bad decisions."

"Just how do the residents of Haiku, Hawai'i hold conversations?"

From schneecrash+gnupg-users at gmail.com Sun Jan 28 18:38:28 2007
From: schneecrash+gnupg-users at gmail.com (snowcrash+gnupg-users)
Date: Sun, 28 Jan 2007 09:38:28 -0800
Subject: explain nrsign & lsign?
In-Reply-To: <45BCDD0C.2000200@tx.rr.com>
References: <70f41ba20701280831u272a7b93q483f299fe3c0a7ae@mail.gmail.com> <45BCDD0C.2000200@tx.rr.com>
Message-ID: <70f41ba20701280938n7513185fs93aa2dabbb2e37ca@mail.gmail.com>

hi,

> > e.g., if i lsign "B" with "A", *which* key, then is made
> > non-exportable? "A" or "B"?
> Neither. The *key* is still exportable. It is the signature that is local and not exported.

aha. a not-so-subtle distinction :-/ thanks!

> You use a local signature when you wish to sign a UID for your own
> use but do not wish others to depend on your signature.

so, just to be clear ...

if my purpose is to impart additional 'confidence' in "B" to _others_, by signing it with "A", then i would *NOT* want to 'lsign', but rather just sign/tsign, *and* publish the pubkey for "A".

correct?

thanks again!
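The two rules this thread turns on (David Shaw's "owner trust is only consulted once a key is itself valid", and the lsign answers above: the signature, not the key, is local and is stripped on export) as an added example, not code from the thread or from GnuPG. It is a small Python model of gpg's classic trust calculation; the key ids ME, DEV1, DEV2 and DEV3, the Key and Certification classes and the helper names are all constructed for the example, with ME standing in for Hans's ultimately trusted key and the DEV keys for a few debian-keyring developers who signed each other.

```python
"""Toy model of GnuPG's classic web-of-trust validity calculation.

Added example (not GnuPG's code). Keys, key ids and signatures below are
constructed; the rules mirror what the thread describes:

  * a key is valid if it is ultimately trusted, or if it carries enough
    certifications from keys that are themselves already valid;
  * a key's owner trust is only consulted once that key is valid;
  * 'lsign' makes a local (non-exportable) certification, and export
    strips such certifications.

Defaults follow gpg's classic model: 1 fully trusted or 3 marginally
trusted signers, and at most 5 hops (--max-cert-depth).
"""
from dataclasses import dataclass, field

UNKNOWN, MARGINAL, FULL, ULTIMATE = "unknown", "marginal", "full", "ultimate"


@dataclass
class Certification:
    signer: str              # key id of the certifying key
    exportable: bool = True  # False for an 'lsign' (local) certification


@dataclass
class Key:
    keyid: str
    ownertrust: str = UNKNOWN
    certs: list = field(default_factory=list)  # certifications on this key's UID


def compute_valid(keyring, completes_needed=1, marginals_needed=3, max_depth=5):
    """Return the set of key ids that gpg would consider valid."""
    valid = {k for k, key in keyring.items() if key.ownertrust == ULTIMATE}
    # Each round lets validity travel one more hop; gpg bounds the number
    # of hops with --max-cert-depth (default 5).
    for _ in range(max_depth):
        newly = set()
        for keyid, key in keyring.items():
            if keyid in valid:
                continue
            full = marginal = 0
            for cert in key.certs:
                # The signer's owner trust counts only if the signer is valid.
                if cert.signer not in valid:
                    continue
                trust = keyring[cert.signer].ownertrust
                if trust in (FULL, ULTIMATE):
                    full += 1
                elif trust == MARGINAL:
                    marginal += 1
            if full >= completes_needed or marginal >= marginals_needed:
                newly.add(keyid)
        if not newly:
            break
        valid |= newly
    return valid


def sign(keyring, signer, target):
    """Model 'gpg --edit-key <target> sign': an exportable certification."""
    keyring[target].certs.append(Certification(signer))


def lsign(keyring, signer, target):
    """Model 'gpg --edit-key <target> lsign': a local certification."""
    keyring[target].certs.append(Certification(signer, exportable=False))


def export(keyring, keyid):
    """Model 'gpg --export': local certifications are stripped on the way out."""
    return [c.signer for c in keyring[keyid].certs if c.exportable]


def debian_scenario():
    """Constructed keyring: my key plus three developer keys that signed each other."""
    me = Key("ME", ownertrust=ULTIMATE)
    dev1 = Key("DEV1", ownertrust=FULL)  # full owner trust, but no signature I trust
    dev2 = Key("DEV2", ownertrust=FULL)
    dev3 = Key("DEV3")                   # no owner trust set, signed by DEV1 only
    keyring = {k.keyid: k for k in (me, dev1, dev2, dev3)}
    sign(keyring, "DEV1", "DEV2")
    sign(keyring, "DEV2", "DEV1")
    sign(keyring, "DEV1", "DEV3")
    return keyring


def valid_with_ownertrust_only():
    """Hans's first attempt: full owner trust on DEV1/DEV2, nothing signed by ME."""
    return compute_valid(debian_scenario())


def valid_after_lsign():
    """David's advice: lsign DEV1; its full owner trust then validates the rest.

    Returns (valid key ids, signers that survive an export of DEV1)."""
    keyring = debian_scenario()
    lsign(keyring, "ME", "DEV1")
    return compute_valid(keyring), export(keyring, "DEV1")


if __name__ == "__main__":
    print("owner trust alone:", sorted(valid_with_ownertrust_only()))
    valid, exported = valid_after_lsign()
    print("after lsign DEV1: ", sorted(valid))
    print("signers left on DEV1 after export:", exported)
```

With owner trust alone only ME is valid, because DEV1 and DEV2 vouch for each other but neither is valid yet, so their owner trust is never consulted; one local signature on DEV1 makes all four keys valid, and the ME certification does not leave the keyring on export.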
From jmoore3rd at bellsouth.net Sun Jan 28 20:06:43 2007
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Sun, 28 Jan 2007 14:06:43 -0500
Subject: explain nrsign & lsign?
In-Reply-To: <70f41ba20701280938n7513185fs93aa2dabbb2e37ca@mail.gmail.com>
References: <70f41ba20701280831u272a7b93q483f299fe3c0a7ae@mail.gmail.com> <45BCDD0C.2000200@tx.rr.com> <70f41ba20701280938n7513185fs93aa2dabbb2e37ca@mail.gmail.com>
Message-ID: <45BCF443.3080400@bellsouth.net>

snowcrash+gnupg-users wrote:
> if my purpose is to impart additional 'confidence' in "B" to _others_,
> by signing it with "A", then i would *NOT* want to 'lsign', but rather
> just sign/tsign, *and* publish the pubkey for "A".
>
> correct?

YES, this would do it; however, proper etiquette would be to *not* send B's Key to the Servers, but rather to return it 'Signed' to B and let B make any 'publication' decisions/actions. There are folks who are _very_ picky about their Keys being in General Circulation!

JOHN :-\
Timestamp: Sunday 28 Jan 2007, 14:06 --500 (Eastern Standard Time)

From schneecrash+gnupg-users at gmail.com Sun Jan 28 20:17:07 2007
From: schneecrash+gnupg-users at gmail.com (snowcrash+gnupg-users)
Date: Sun, 28 Jan 2007 11:17:07 -0800
Subject: explain nrsign & lsign?
In-Reply-To: <20070128171922.GC3166@jabberwocky.com>
References: <70f41ba20701280831u272a7b93q483f299fe3c0a7ae@mail.gmail.com> <20070128171922.GC3166@jabberwocky.com>
Message-ID: <70f41ba20701281117n7701d28wd873078843240fae@mail.gmail.com>

> > e.g., if i lsign "B" with "A", *which* key, then is made
> > non-exportable? "A" or "B"?
>
> Neither key is made non-exportable. A local signature just means the *signature* is local.

nice & clear. thanks.

> So if you lsigned B with A, then exported B (or
> sent it to a keyserver), the local signature from A would not go along with it. GPG automatically strips off any local signatures on the way
> out.

now _that_ had not clicked 'til now. thanks.

> nrsign, for a non-revocable signature, means pretty much what it
> seems: a signature that cannot be later revoked. If A nrsigns B, then
> A can't change his mind later and issue a revocation.

got it. thanks.

From schneecrash+gnupg-users at gmail.com Sun Jan 28 20:20:18 2007
From: schneecrash+gnupg-users at gmail.com (snowcrash+gnupg-users)
Date: Sun, 28 Jan 2007 11:20:18 -0800
Subject: explain nrsign & lsign?
In-Reply-To: <45BCF443.3080400@bellsouth.net>
References: <70f41ba20701280831u272a7b93q483f299fe3c0a7ae@mail.gmail.com> <45BCDD0C.2000200@tx.rr.com> <70f41ba20701280938n7513185fs93aa2dabbb2e37ca@mail.gmail.com> <45BCF443.3080400@bellsouth.net>
Message-ID: <70f41ba20701281120v4cae9f5blc8cb8ed4a90266e6@mail.gmail.com>

> YES, this would do it;

ok. thanks.

> however, proper etiquette would be to *not* send
> B's Key to the Servers, but rather to return it 'Signed' to B and let
> B make any 'publication' decisions/actions.

understood.

> There are folks who are
> _very_ picky about their Keys being in General Circulation!

that said, is there any reason NOT to (or, any advantage to ...):

*l*sign "B" with "A", and, therefore, NOT distribute "A" to the keyservers &/or via export -- and, instead, reference the "A" trust-ing-pubkey @ a web page?

thanks.
From benjamin at py-soft.co.uk Sun Jan 28 20:33:15 2007
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Sun, 28 Jan 2007 19:33:15 +0000
Subject: [HELP NEEDED] GnuPG-1.4 IDEA migration to GnuPG-2.0
In-Reply-To: <9e0cf0bf0701280922m54596b21x10f0258a2ec6ed7d@mail.gmail.com>
References: <9e0cf0bf0701211240k7f6becc8i7b727499acc11448@mail.gmail.com> <45BCA21F.30505@py-soft.co.uk> <9e0cf0bf0701280922m54596b21x10f0258a2ec6ed7d@mail.gmail.com>
Message-ID: <45BCFA7B.30206@py-soft.co.uk>

Alon Bar-Lev wrote:
>> Do they /absolutely/ need to use GPG v2? If not, it's probably going to
>> be easier if they go back to using v1.4.x...
> This is the easy way out :)

It's the one the gnupg team recommend!

> gpg2 should be backward compatible... I would like to make it work
> too... :)

I understand that IDEA isn't OpenPGP compatible and, besides, the 1.4.x branch will continue to be maintained and developed.

Perhaps someone from the devel team would like to comment?

Ben

From jmoore3rd at bellsouth.net Sun Jan 28 20:49:47 2007
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Sun, 28 Jan 2007 14:49:47 -0500
Subject: explain nrsign & lsign?
In-Reply-To: <70f41ba20701281120v4cae9f5blc8cb8ed4a90266e6@mail.gmail.com>
References: <70f41ba20701280831u272a7b93q483f299fe3c0a7ae@mail.gmail.com> <45BCDD0C.2000200@tx.rr.com> <70f41ba20701280938n7513185fs93aa2dabbb2e37ca@mail.gmail.com> <45BCF443.3080400@bellsouth.net> <70f41ba20701281120v4cae9f5blc8cb8ed4a90266e6@mail.gmail.com>
Message-ID: <45BCFE5B.5050808@bellsouth.net>

snowcrash+gnupg-users wrote:
> that said, is there any reason NOT to (or, any advantage to ...):
>
> *l*sign "B" with "A", and, therefore, NOT distribute "A" to the
> keyservers &/or via export -- and, instead, reference the "A"
> trust-ing-pubkey @ a web page?

There is somewhat constant debate over the best method.
Many believe that Email addresses are 'harvested' from the Servers by bots intent on increasing the Spammers' database. Many others argue that they haven't been affected by /increased/ Spam, and not publishing to the Servers negates the ability to Verify a Sig from a Key not currently existing on the recipient's Keyring. When the Key is on the Servers the 'automatic' Key Retrieval options in GnuPG & PGP handle this situation quite nicely.

I use both methods.

JOHN :-\
Timestamp: Sunday 28 Jan 2007, 14:49 --500 (Eastern Standard Time)

From dshaw at jabberwocky.com Sun Jan 28 21:00:08 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun, 28 Jan 2007 15:00:08 -0500
Subject: explain nrsign & lsign?
In-Reply-To: <70f41ba20701281120v4cae9f5blc8cb8ed4a90266e6@mail.gmail.com>
References: <70f41ba20701280831u272a7b93q483f299fe3c0a7ae@mail.gmail.com> <45BCDD0C.2000200@tx.rr.com> <70f41ba20701280938n7513185fs93aa2dabbb2e37ca@mail.gmail.com> <45BCF443.3080400@bellsouth.net> <70f41ba20701281120v4cae9f5blc8cb8ed4a90266e6@mail.gmail.com>
Message-ID: <20070128200008.GD3166@jabberwocky.com>

On Sun, Jan 28, 2007 at 11:20:18AM -0800, snowcrash+gnupg-users wrote:
> > YES, this would do it;
>
> ok. thanks.
>
> > however, proper etiquette would be to *not* send
> > B's Key to the Servers, but rather to return it 'Signed' to B and let
> > B make any 'publication' decisions/actions.
>
> understood.
>
> > There are folks who are
> > _very_ picky about their Keys being in General Circulation!
>
> that said, is there any reason NOT to (or, any advantage to ...):
>
> *l*sign "B" with "A", and, therefore, NOT distribute "A" to the
> keyservers &/or via export -- and, instead, reference the "A"
> trust-ing-pubkey @ a web page?

No, there is no point in doing this as the main point of signing a key is so that GnuPG (or PGP) can use the signature in its trust calculations to decide if a given key is valid or not. If you post your signature values on a web page somewhere (presumably in a human language), GnuPG can't read it and understand it, and so that information is not usable.

David

From schneecrash+gnupg-users at gmail.com Sun Jan 28 21:15:01 2007
From: schneecrash+gnupg-users at gmail.com (snowcrash+gnupg-users)
Date: Sun, 28 Jan 2007 12:15:01 -0800
Subject: explain nrsign & lsign?
In-Reply-To: <20070128200008.GD3166@jabberwocky.com>
References: <70f41ba20701280831u272a7b93q483f299fe3c0a7ae@mail.gmail.com> <45BCDD0C.2000200@tx.rr.com> <70f41ba20701280938n7513185fs93aa2dabbb2e37ca@mail.gmail.com> <45BCF443.3080400@bellsouth.net> <70f41ba20701281120v4cae9f5blc8cb8ed4a90266e6@mail.gmail.com> <20070128200008.GD3166@jabberwocky.com>
Message-ID: <70f41ba20701281215i4081be59x36e537b4d67b2501@mail.gmail.com>

> There is somewhat constant debate over the best method. ...

> the main point of signing a key is so that GnuPG (or PGP) can
> use the signature in its trust calculations ...

good info. thanks.

last (yeah, sure ...) question, then.

does gpg, &/or do the keyservers, require *valid* email addresses for keys?

i.e., if my "A" trust-signing key will *never* be used to sign an email, can its assigned/defined address be, e.g.,

trust_sig at mydomain.local

?
will *it*, and sigs/keys for 'real' addresses signed *by* it, be retrievable as such from the keyservers manually and via 'automatic' Key Retrieval options?

thanks!

From wk at gnupg.org Sun Jan 28 21:22:04 2007
From: wk at gnupg.org (Werner Koch)
Date: Sun, 28 Jan 2007 21:22:04 +0100
Subject: [HELP NEEDED] GnuPG-1.4 IDEA migration to GnuPG-2.0
In-Reply-To: <9e0cf0bf0701280922m54596b21x10f0258a2ec6ed7d@mail.gmail.com> (Alon Bar-Lev's message of "Sun, 28 Jan 2007 19:22:48 +0200")
References: <9e0cf0bf0701211240k7f6becc8i7b727499acc11448@mail.gmail.com> <45BCA21F.30505@py-soft.co.uk> <9e0cf0bf0701280922m54596b21x10f0258a2ec6ed7d@mail.gmail.com>
Message-ID: <87odoikikz.fsf@wheatstone.g10code.de>

On Sun, 28 Jan 2007 18:22, alon.barlev at gmail.com said:

> This is the easy way out :)
> gpg2 should be backward compatible... I would like to make it work too... :)

IDEA is not even supported by 1.4 - it is kind of a coincidence that there is a way to plug in the IDEA module ;-) Thus there will be no support for IDEA in gpg2 - well, maybe in 2010, but I really doubt that at that time anyone will still ask for a 64 bit block cipher.

Shalom-Salam,

Werner

From dshaw at jabberwocky.com Sun Jan 28 21:33:50 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun, 28 Jan 2007 15:33:50 -0500
Subject: [HELP NEEDED] GnuPG-1.4 IDEA migration to GnuPG-2.0
In-Reply-To: <45BCFA7B.30206@py-soft.co.uk>
References: <9e0cf0bf0701211240k7f6becc8i7b727499acc11448@mail.gmail.com> <45BCA21F.30505@py-soft.co.uk> <9e0cf0bf0701280922m54596b21x10f0258a2ec6ed7d@mail.gmail.com> <45BCFA7B.30206@py-soft.co.uk>
Message-ID: <20070128203350.GE3166@jabberwocky.com>

On Sun, Jan 28, 2007 at 07:33:15PM +0000, Benjamin Donnachie wrote:
> Alon Bar-Lev wrote:
> >> Do they /absolutely/ need to use GPG v2? If not, it's probably going to
> >> be easier if they go back to using v1.4.x...
> > This is the easy way out :)
>
> It's the one the gnupg team recommend!
>
> > gpg2 should be backward compatible...
> > I would like to make it work
> > too... :)
>
> I understand that IDEA isn't OpenPGP compatible and, besides, the 1.4.x
> branch will continue to be maintained and developed.

It's not true that IDEA isn't OpenPGP compatible. IDEA is cipher #1 in OpenPGP, and the new RFC does not change that. It is absolutely part of (though an optional part of) OpenPGP.

The problem with IDEA is that it is patented, and will be patented for at least 3 more years (the exact end date depends on which country you're in). Without going into endless detail, patented algorithms and the GPL license are not really compatible with each other.

Even so, ask if you really need IDEA or not. Unless you have a serious need for PGP 2.x compatibility, IDEA doesn't buy you much.

David

From jmoore3rd at bellsouth.net Sun Jan 28 21:35:46 2007
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Sun, 28 Jan 2007 15:35:46 -0500
Subject: explain nrsign & lsign?
In-Reply-To: <70f41ba20701281215i4081be59x36e537b4d67b2501@mail.gmail.com>
References: <70f41ba20701280831u272a7b93q483f299fe3c0a7ae@mail.gmail.com> <45BCDD0C.2000200@tx.rr.com> <70f41ba20701280938n7513185fs93aa2dabbb2e37ca@mail.gmail.com> <45BCF443.3080400@bellsouth.net> <70f41ba20701281120v4cae9f5blc8cb8ed4a90266e6@mail.gmail.com> <20070128200008.GD3166@jabberwocky.com> <70f41ba20701281215i4081be59x36e537b4d67b2501@mail.gmail.com>
Message-ID: <45BD0922.4090804@bellsouth.net>

snowcrash+gnupg-users wrote:
> does gpg, &/or do the keyservers, require *valid* email addresses for keys?

NO.

>
> i.e., if my "A" trust-signing key will *never* be used to sign an
> email, can its assigned/defined address be, e.g.,
>
> trust_sig at mydomain.local
>
> ?
>
> will *it*, and sigs/keys for 'real' addresses signed *by* it, be
> retrievable as such from the keyservers manually and via 'automatic'
> Key Retrieval options?

Sure! The UID listed is not as Important as the Key ID.
Of course, if someone ever wanted to Search via email address (the hard way) they may not find it but this will not be an issue in "Real Life" (IMO). JOHN ;) Timestamp: Sunday 28 Jan 2007, 15:35 --500 (Eastern Standard Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7-svn4405: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: http://www.gswot.org Comment: My Homepage: http://tinyurl.com/yzhbhx iQEcBAEBCgAGBQJFvQkgAAoJEBCGy9eAtCsPfagH/0mU9RGfHuleiFQWubYI0Pon thrE2Vev3//2y8OwHlSbYhrkVDdLP0aNxXpS883yYWObahaOzVjdy7ulX0cBtv+q 81DSJIHsQNm1Fxu/GUswhkq3CuD5OYaqnHcAASIDDJycdaSgKYtDUfFL0zRkJD7z UbE0z7N7R6KkIU3ujWJkRIiNIq2diL4ilgrhYSCfRTAKHv64o0F5uqcymTaWISTV Q6XrsXJI3RY+UFln575OxyIRGSrreSRseTWvEjkcBoGUMXMZPXOHArTO60kSBTsc quzYxMNPEuqivKdWDAteS3+uZypqbcilcTJZ1vD8g5+yAc0euQgieIFa6JS3gdM= =4jhO -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Sun Jan 28 21:37:36 2007 From: dshaw at jabberwocky.com (David Shaw) Date: Sun, 28 Jan 2007 15:37:36 -0500 Subject: explain nrsign & lsign? In-Reply-To: <70f41ba20701281215i4081be59x36e537b4d67b2501@mail.gmail.com> References: <70f41ba20701280831u272a7b93q483f299fe3c0a7ae@mail.gmail.com> <45BCDD0C.2000200@tx.rr.com> <70f41ba20701280938n7513185fs93aa2dabbb2e37ca@mail.gmail.com> <45BCF443.3080400@bellsouth.net> <70f41ba20701281120v4cae9f5blc8cb8ed4a90266e6@mail.gmail.com> <20070128200008.GD3166@jabberwocky.com> <70f41ba20701281215i4081be59x36e537b4d67b2501@mail.gmail.com> Message-ID: <20070128203736.GF3166@jabberwocky.com> On Sun, Jan 28, 2007 at 12:15:01PM -0800, snowcrash+gnupg-users wrote: > > There is somewhat constant debate over the best method. ... > > > the main point of signing a key is so that GnuPG (or PGP) can > > use the signature in its trust calculations ... > > good info. thanks. > > last (yeah, sure ...) question, then. > > does gpg, &/or do the keyservers, require *valid* email addresses for keys? 
>
> i.e., if my "A" trust-signing key will *never* be used to sign an
> email, can its assigned/defined address be, e.g.,
>
> trust_sig at mydomain.local

GPG doesn't care what the email address is. Most keyservers don't care
either (with the notable exception of ldap://keyserver.pgp.com which
sends a confirmation mail to the address on the key).

> will *it*, and sigs/keys for 'real' addresses signed *by* it, be
> retrievable as such from the keyservers manually and via 'automatic'
> Key Retrieval options?

Signatures made by such a key live on other keys, so if those other keys
are retrievable, then the signatures come with.

Can you explain what you're trying to do? In general, there are good
reasons for email addresses being real email addresses, and keys being
real keys, and so on. There is a good amount of software here that is
designed to help you. If you insist on throwing nails in the gears, the
software can't do its job.

David

From schneecrash+gnupg-users at gmail.com Sun Jan 28 22:16:22 2007
From: schneecrash+gnupg-users at gmail.com (snowcrash+gnupg-users)
Date: Sun, 28 Jan 2007 13:16:22 -0800
Subject: explain nrsign & lsign?
In-Reply-To: <20070128203736.GF3166@jabberwocky.com>
References: <70f41ba20701280831u272a7b93q483f299fe3c0a7ae@mail.gmail.com> <45BCDD0C.2000200@tx.rr.com> <70f41ba20701280938n7513185fs93aa2dabbb2e37ca@mail.gmail.com> <45BCF443.3080400@bellsouth.net> <70f41ba20701281120v4cae9f5blc8cb8ed4a90266e6@mail.gmail.com> <20070128200008.GD3166@jabberwocky.com> <70f41ba20701281215i4081be59x36e537b4d67b2501@mail.gmail.com> <20070128203736.GF3166@jabberwocky.com>
Message-ID: <70f41ba20701281316s2e4f88d8n31b56f2ff3acdb3b@mail.gmail.com>

john, david,

thanks for the clarifications.

> Can you explain what you're trying to do?

that never hurts, does it.

i want to have a 'master' trust key that, e.g., is owned/controlled by
my company,

-- with strongest-possible, highest-performance encryption (RSA?
yes, i know this is a religious debate ...)
-- never used for anything other than tsigning other keys -- limited in distribution as much as possible to minimize risk, while still allowing trust to be found/followed for the keys it signs. i'm thinking here, onlyUID="trust_sig at mydomain.local" <-- NOT a real address then, i want to create key "packages" for each employee that consist of -- a 'weaker' DSA email-signing-only key -- a strong ElGamal encrypt-only key -- a strong RSA encrypt-only key -- a 'real' primaryUID="emplayee_name at mydomain.com" -- a trust signature from/by the company -- ability for the employee to add add'l UID's > If you insist on throwing nails in the gears, the software can't do its job. i'm trying rather hard -- by asking all these apparently silly questions -- _not_ to bork the gears, actually. it's not like the docs are terribly enlightening ;-) From sk at intertivity.com Sun Jan 28 21:36:46 2007 From: sk at intertivity.com (Sascha Kiefer) Date: Mon, 29 Jan 2007 00:36:46 +0400 Subject: explain nrsign & lsign? In-Reply-To: <70f41ba20701281215i4081be59x36e537b4d67b2501@mail.gmail.com> References: <70f41ba20701280831u272a7b93q483f299fe3c0a7ae@mail.gmail.com><45BCDD0C.2000200@tx.rr.com><70f41ba20701280938n7513185fs93aa2dabbb2e37ca@mail.gmail.com><45BCF443.3080400@bellsouth.net><70f41ba20701281120v4cae9f5blc8cb8ed4a90266e6@mail.gmail.com><20070128200008.GD3166@jabberwocky.com> <70f41ba20701281215i4081be59x36e537b4d67b2501@mail.gmail.com> Message-ID: <001e01c7431c$08bfc7c0$7401a8c0@sknb> well, you do not have to apply any email address at all, so you can apply an invalid one as well. > -----Original Message----- > From: gnupg-users-bounces at gnupg.org > [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of > snowcrash+gnupg-users > Sent: Montag, 29. Januar 2007 00:15 > To: gnupg-users at gnupg.org > Subject: Re: explain nrsign & lsign? > > > There is somewhat constant debate over the best method. ... 
> > > the main point of signing a key is so that GnuPG (or PGP) > can use the > > signature in its trust calculations ... > > good info. thanks. > > last (yeah, sure ...) question, then. > > does gpg, &/or do the keyservers, require *valid* email > addresses for keys? > > i.e., if my "A" trust-signing key will *never* be used to > sign an email, can its assigned/defined address be, e.g., > > trust_sig at mydomain.local > > ? > > will *it*, and sigs/keys for 'real' addresses signed *by* it, > be retrievable as such from the keyservers manually and via > 'automatic' > Key Retrieval options? > > thanks! > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From dshaw at jabberwocky.com Mon Jan 29 00:06:29 2007 From: dshaw at jabberwocky.com (David Shaw) Date: Sun, 28 Jan 2007 18:06:29 -0500 Subject: explain nrsign & lsign? In-Reply-To: <70f41ba20701281316s2e4f88d8n31b56f2ff3acdb3b@mail.gmail.com> References: <70f41ba20701280831u272a7b93q483f299fe3c0a7ae@mail.gmail.com> <45BCDD0C.2000200@tx.rr.com> <70f41ba20701280938n7513185fs93aa2dabbb2e37ca@mail.gmail.com> <45BCF443.3080400@bellsouth.net> <70f41ba20701281120v4cae9f5blc8cb8ed4a90266e6@mail.gmail.com> <20070128200008.GD3166@jabberwocky.com> <70f41ba20701281215i4081be59x36e537b4d67b2501@mail.gmail.com> <20070128203736.GF3166@jabberwocky.com> <70f41ba20701281316s2e4f88d8n31b56f2ff3acdb3b@mail.gmail.com> Message-ID: <20070128230629.GG3166@jabberwocky.com> On Sun, Jan 28, 2007 at 01:16:22PM -0800, snowcrash+gnupg-users wrote: > john, david, > > thanks for the clarifications. > > > Can you explain what you're trying to do? > > that never hurts, does it. > > i want to have a 'master' trust key that, e.g., is owned/controlled by > my company, > > -- with strongest-possible, highest-performance encryption (RSA? > yes, i know this is a religious debate ...) Pick any that GnuPG supports. They're all strong. 
> -- never used for anything other than tsigning other keys Ok > -- limited in distribution as much as possible to minimize risk, > while still allowing trust to be found/followed for the keys it signs. You limit the distribution of the secret key. You distribute the public key widely as that is what allows trust to be followed. There is no harm in distributing the public key, and no benefit in restricting it. > i'm thinking here, onlyUID="trust_sig at mydomain.local" <-- NOT a real address Why not a real address? What benefit does that give you? > then, i want to create key "packages" for each employee that consist of > > -- a 'weaker' DSA email-signing-only key > -- a strong ElGamal encrypt-only key > -- a strong RSA encrypt-only key > -- a 'real' primaryUID="emplayee_name at mydomain.com" > -- a trust signature from/by the company > -- ability for the employee to add add'l UID's Why two different encrypt-only keys? David From rjh at sixdemonbag.org Mon Jan 29 01:37:20 2007 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sun, 28 Jan 2007 18:37:20 -0600 Subject: explain nrsign & lsign? In-Reply-To: <45BCFE5B.5050808@bellsouth.net> References: <70f41ba20701280831u272a7b93q483f299fe3c0a7ae@mail.gmail.com> <45BCDD0C.2000200@tx.rr.com> <70f41ba20701280938n7513185fs93aa2dabbb2e37ca@mail.gmail.com> <45BCF443.3080400@bellsouth.net> <70f41ba20701281120v4cae9f5blc8cb8ed4a90266e6@mail.gmail.com> <45BCFE5B.5050808@bellsouth.net> Message-ID: <98614BAB-88FF-42D2-81A6-CA160AB3AD98@sixdemonbag.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > There is somewhat constant debate over the best method. Many believe > that Email addresses are 'harvested' from the Servers by bots > intent on > increasing the Spammers database. For whatever it's worth, I consider this one to be very strongly indicated. Consider the address kc0sje @ myemaildomain. It's not exactly one that would be picked at random. 
The only published way to find that address is to enter my ham radio station ID in at the American Radio Relay League's web page and find "kc0sje @ myemaildomain" as my contact info--and it seems unlikely spammers would harvest from the ARRL. That email address was up on the ARRL's page for a few months before I added it to one of my keys. In under a week, I started getting spams to that email address. There are two obvious ways I can see spammers picking it up. Either (1) they've got a copy of all American amateur radio station IDs and are polling the ARRL's information, one record at a time, to compile them, or (2) they're harvesting addresses off keyservers. Of the two, #2 seems far, far more likely. > Many others argue that they haven't been affected by /increased/ > Spam and > not publishing to the Servers negates the ability to Verify a Sig > from a > Key not currently existing on the recipients Keyring. I agree to this one, too. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (Darwin) iQEcBAEBCAAGBQJFvUHBAAoJELcA9IL+r4EJGu0H/28pD4TwNQ8Sq2V5FJUyUN7c K1zRh2HsUtD7rcXq5+sVFLnQJuhJSpxvOZWGMAedfTcBOb3vD/HEEJ2bq9l9sAfz Hmu8z55fEbRyOuEC0YEaZWOKMgWHy0QmzCE+3A6MWeDDiwcLAXbROjKrl4zoWSeo pbIa3OlyWXR3uNV0V55nSCuLK2/7aRX6ZVpKYawB8jhA50USfav7kxFKgWVUZGUH sc8JPw5vpvRQ4VzMLh3GPBcHp8d8UVWe+dUHHjZ9ew2EqD+VX829r70uU/O3sk8i b8b/XDUayggnsgN9P0bF7YRRK/sfl7/sLZcAtoS5UCiQeN3Qj0ROm2kD+XLFxTQ= =FxU/ -----END PGP SIGNATURE----- From JPClizbe at tx.rr.com Mon Jan 29 05:45:52 2007 From: JPClizbe at tx.rr.com (John Clizbe) Date: Sun, 28 Jan 2007 22:45:52 -0600 Subject: explain nrsign & lsign? In-Reply-To: <45BCFE5B.5050808@bellsouth.net> References: <70f41ba20701280831u272a7b93q483f299fe3c0a7ae@mail.gmail.com> <45BCDD0C.2000200@tx.rr.com> <70f41ba20701280938n7513185fs93aa2dabbb2e37ca@mail.gmail.com> <45BCF443.3080400@bellsouth.net> <70f41ba20701281120v4cae9f5blc8cb8ed4a90266e6@mail.gmail.com> <45BCFE5B.5050808@bellsouth.net> Message-ID: <45BD7C00.1080801@tx.rr.com> John W. 
Moore III wrote:
> > There is somewhat constant debate over the best method.

Yes, but it seems like it's always the same folks bringing it up when it
surfaces; much like a couple other perennial subjects over on PGP-Basics.

> Many believe that Email addresses are 'harvested' from the Servers by bots
> intent on increasing the Spammers database. Many others argue that they
> haven't been affected by /increased/ Spam and not publishing to the Servers
> negates the ability to Verify a Sig from a Key not currently existing on the
> recipients Keyring.

I don't know why you present these as two opposing camps. Both are valid.

The thing is degree. Yes, keys are likely harvested. But I will suggest
you'll get /much more/ SPAM from sending a message to this list than you
will from publishing an email address on a key and sending it to a
keyserver.

I created two special purpose keys in early Sept 2004, each with a
different address, and sent them to the keyservers. The addresses are not
used anywhere for email. Since then one account has received 139 SPAM
messages, the other 121 - *total*. That's an average of one SPAM message
per account about every 6.5 days, roughly one per week.

Those volumes represent about one or two days worth on a couple other
accounts.

So, yes - harvesting occurs. But its impact is being portrayed way out of
proportion to its actual effect. I'd have to conclude that the benefits
of having good addresses searchable on the keyservers far outweighs the
negligible volume of SPAM that can be traced to actual harvesting.

--
John P. Clizbe                      Inet: John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A
"what's the key to success?"        / "two words: good decisions."
"what's the key to good decisions?" /  "one word: experience."
"how do i get experience?"          / "two words: bad decisions."

"Just how do the residents of Haiku, Hawai'i hold conversations?"
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 663 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20070128/f283f712/attachment.pgp

From bgat at billgatliff.com Mon Jan 29 05:33:51 2007
From: bgat at billgatliff.com (Bill Gatliff)
Date: Sun, 28 Jan 2007 22:33:51 -0600
Subject: Future time: --ignore-time-conflict and --ignore-valid-from not working (gpg-1.4.6)
Message-ID: <45BD792F.5020008@billgatliff.com>

Guys:

I have a key that will be imported into a system with no real-time
clock. On that machine, the system time gets set to the Epoch at
startup, thus the key always looks as though it was created "1169836499
seconds in the future". Is there a way to tell gpg on the target system
to ignore the future time concerns with the key? I keep getting this:

# gpg --verify --quiet --ignore-time-conflict --ignore-valid-from --batch --no-tty foo.gpg > foo
gpg: Signature made Sun Jan 28 05:07:57 2007 UTC using DSA key ID A7E0150C
gpg: key A7E0150C was created 1169836499 seconds in the future (time warp or clock problem)
gpg: key A7E0150C was created 1169836499 seconds in the future (time warp or clock problem)
[pause until keypress]
gpg: key A7E0150C was created 1169836496 seconds in the future (time warp or clock problem)
gpg: key A7E0150C was created 1169836496 seconds in the future (time warp or clock problem)
gpg: key A7E0150C was created 1169836496 seconds in the future (time warp or clock problem)
gpg: Good signature from "Bill Gatliff "
#

Here's the output from --list-keys:

# gpg --list-keys
//.gnupg/pubring.gpg
--------------------
gpg: key A7E0150C was created 1169836242 seconds in the future (time warp or clock problem)
gpg: key A7E0150C was created 1169836242 seconds in the future (time warp or clock problem)
pub   1024D/A7E0150C 2007-01-26
uid                  Bill Gatliff
sub   2048g/951A8B6F 2007-01-26

A lot of Googling and reading the manpage seems to suggest that the two
--ignore- parameters should get me what I'm after, but it doesn't seem to be the case. In particular, I don't want to have to press a key when the warnings are emitted, because this will be an unattended operation. What am I missing? Thanks! b.g. -- Bill Gatliff bgat at billgatliff.com From rjh at sixdemonbag.org Mon Jan 29 07:18:18 2007 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 29 Jan 2007 00:18:18 -0600 Subject: explain nrsign & lsign? In-Reply-To: <45BD7C00.1080801@tx.rr.com> References: <70f41ba20701280831u272a7b93q483f299fe3c0a7ae@mail.gmail.com> <45BCDD0C.2000200@tx.rr.com> <70f41ba20701280938n7513185fs93aa2dabbb2e37ca@mail.gmail.com> <45BCF443.3080400@bellsouth.net> <70f41ba20701281120v4cae9f5blc8cb8ed4a90266e6@mail.gmail.com> <45BCFE5B.5050808@bellsouth.net> <45BD7C00.1080801@tx.rr.com> Message-ID: <47C60DC7-A696-4D68-B5B1-F38E979610F1@sixdemonbag.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > The thing is degree. Yes, keys are likely harvested. But I will > suggest you'll > get /much more/ SPAM from sending a message to this list than you > will from > publishing an email address on a key and sending it to a keyserver. While I agree that in general keyserver harvesting is not a huge problem for the community, we should be wary about thinking it will not become a huge problem for the community. Prudence suggests we consider both alternatives. > Those volumes represent about one or two days worth on a couple > other accounts. This may only mean that there's only one spam syndicate who's harvesting keyservers, whereas the countless numbers of other spammers haven't caught on yet. This could just as easily mean that other spammers have considered the option and decided it's a bad idea for whatever reason, and only one syndicate isn't getting the memo. Hard to say. > So, yes - harvesting occurs. But its impact is being portrayed way > out of > proportion to its actual effect. 
I'd have to conclude that the > benefits of > having good addresses searchable on the keyservers far outweighs > the negligible > volume of SPAM that can be traced to actual harvesting. The following is anecdotal experience, so it should be taken with a grain of salt. Still, it's worth considering. I spent some time without an email address listed on my key to test out for myself whether it would present a usability issue. Turns out it didn't; putting OpenPGP kluges in my email headers told my recipients my key ID, which made it possible for them to grab my key despite there being no email address associated with it. Ultimately, I decided that since I was already drowning in spam on all of my accounts anyway, the added trouble was insignificant, even if the added benefit was insignificant. I put an email address on my key and decided I wasn't going to worry about it any more, since I didn't see it mattered too much either way. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (Darwin) iQEcBAEBCAAGBQJFvZGqAAoJELcA9IL+r4EJ4wMH/jrMuFsrgDamP+D6LMWHe6iG 2okOO0sk2P2+61RQElCN93YB/Fy2EHquVvs2JbhU6/CuHFrvo7pyrx2WlFCIuNUt L61kTheA09rSpJ2ipRPRKYAlbE2HaXaAXMzO+U65X0zmUSAm+5z8ALdOdLBqa+ey 58ZUciD/yZAejO4oFdALe+C74gkPQXCWFepB9mD+KBh74D1y0UpOnSAAPUicHsOz ThkyZ2yeX1NzSMnXdAMmrlV651zEOC01IkL3f7AFCElZxM0Ha+gGtmijSWN4njBP bwNzVm8AGjJ0POltcR8vPIr2DvPZs9KKPSZ2893CkZlxKFyY8YizPJnoKXq7s/o= =AFUS -----END PGP SIGNATURE----- From wk at gnupg.org Mon Jan 29 08:34:31 2007 From: wk at gnupg.org (Werner Koch) Date: Mon, 29 Jan 2007 08:34:31 +0100 Subject: Future time: --ignore-time-conflict and --ignore-valid-from not working (gpg-1.4.6) In-Reply-To: <45BD792F.5020008@billgatliff.com> (Bill Gatliff's message of "Sun\, 28 Jan 2007 22\:33\:51 -0600") References: <45BD792F.5020008@billgatliff.com> Message-ID: <87fy9ujng8.fsf@wheatstone.g10code.de> On Mon, 29 Jan 2007 05:33, bgat at billgatliff.com said: > I have a key that will be imported into a system with no real-time > clock. 
On that machine, the system time gets set to the Epoch at
> startup, thus the key always looks as though it was created "1169836499

Without a real time clock you should be more concerned about true
random numbers than _warnings_ like:

> gpg: Signature made Sun Jan 28 05:07:57 2007 UTC using DSA key ID A7E0150C
> gpg: key A7E0150C was created 1169836499 seconds in the future (time

I assume here that such a platform has also other constraints than just
the RTC. Having good and unpredictable random numbers is crucial to the
security of the key. Creating DSA signatures also requires a good RNG
as well as some other subsystems.

> A lot of Googling and reading the manpage seems to suggest that the two
> --ignore- parameters should get me what I'm after, but it doesn't seem
> to be the case. In particular, I don't want to have to press a key when
> the warnings are emitted, because this will be an unattended operation.

A warning is just a warning and does not ask you to press a key.

Salam-Shalom,

Werner

From bgat at billgatliff.com Mon Jan 29 14:31:32 2007
From: bgat at billgatliff.com (Bill Gatliff)
Date: Mon, 29 Jan 2007 07:31:32 -0600
Subject: Future time: --ignore-time-conflict and --ignore-valid-from not working (gpg-1.4.6)
In-Reply-To: <87fy9ujng8.fsf@wheatstone.g10code.de>
References: <45BD792F.5020008@billgatliff.com> <87fy9ujng8.fsf@wheatstone.g10code.de>
Message-ID: <45BDF734.1000900@billgatliff.com>

Werner Koch wrote:

>On Mon, 29 Jan 2007 05:33, bgat at billgatliff.com said:
>
>>I have a key that will be imported into a system with no real-time
>>clock. On that machine, the system time gets set to the Epoch at
>>startup, thus the key always looks as though it was created "1169836499
>>
>
>Without a real time clock you should be more concerned about true
>random numbers than _warnings_ like:
>

Agreed. The key was generated on a machine that does have a clock. The
signature is done on a machine with a clock.
The machine without the clock just has to verify. >>A lot of Googling and reading the manpage seems to suggest that the two >>--ignore- parameters should get me what I'm after, but it doesn't seem >>to be the case. In particular, I don't want to have to press a key when >>the warnings are emitted, because this will be an unattended operation. >> >> > >A warning is just a warning and does not aks you to press a key. > > Ok. Then I _really_ don't understand why it pauses and waits for a keypress... b.g. -- Bill Gatliff bgat at billgatliff.com From dshaw at jabberwocky.com Mon Jan 29 16:22:18 2007 From: dshaw at jabberwocky.com (David Shaw) Date: Mon, 29 Jan 2007 10:22:18 -0500 Subject: explain nrsign & lsign? In-Reply-To: <47C60DC7-A696-4D68-B5B1-F38E979610F1@sixdemonbag.org> References: <70f41ba20701280831u272a7b93q483f299fe3c0a7ae@mail.gmail.com> <45BCDD0C.2000200@tx.rr.com> <70f41ba20701280938n7513185fs93aa2dabbb2e37ca@mail.gmail.com> <45BCF443.3080400@bellsouth.net> <70f41ba20701281120v4cae9f5blc8cb8ed4a90266e6@mail.gmail.com> <45BCFE5B.5050808@bellsouth.net> <45BD7C00.1080801@tx.rr.com> <47C60DC7-A696-4D68-B5B1-F38E979610F1@sixdemonbag.org> Message-ID: <20070129152218.GN3166@jabberwocky.com> On Mon, Jan 29, 2007 at 12:18:18AM -0600, Robert J. Hansen wrote: > > The thing is degree. Yes, keys are likely harvested. But I will > > suggest you'll > > get /much more/ SPAM from sending a message to this list than you > > will from > > publishing an email address on a key and sending it to a keyserver. > > While I agree that in general keyserver harvesting is not a huge > problem for the community, we should be wary about thinking it will > not become a huge problem for the community. Prudence suggests we > consider both alternatives. > > > Those volumes represent about one or two days worth on a couple > > other accounts. 
> > This may only mean that there's only one spam syndicate who's > harvesting keyservers, whereas the countless numbers of other > spammers haven't caught on yet. This could just as easily mean that > other spammers have considered the option and decided it's a bad idea > for whatever reason, and only one syndicate isn't getting the memo. > Hard to say. This is very true. The economics of spam have changed radically over the past few years. At one point, the keyservers could be considered "uninteresting" to the average spammer: lots of invalid addresses mixed in with the good addresses, the annoyance factor of pulling addresses from a keyserver that only returns a small fraction of the entire keyring per search, etc. Nowadays, many spammers aren't using their own bandwidth or CPU. So why *not* hit the keyservers? It costs them essentially nothing. > Ultimately, I decided that since I was already drowning in spam on > all of my accounts anyway, the added trouble was insignificant, even > if the added benefit was insignificant. I put an email address on my > key and decided I wasn't going to worry about it any more, since I > didn't see it mattered too much either way. This was my conclusion as well. David From wk at gnupg.org Mon Jan 29 17:20:20 2007 From: wk at gnupg.org (Werner Koch) Date: Mon, 29 Jan 2007 17:20:20 +0100 Subject: explain nrsign & lsign? 
In-Reply-To: <20070129152218.GN3166@jabberwocky.com> (David Shaw's message of "Mon\, 29 Jan 2007 10\:22\:18 -0500")
References: <70f41ba20701280831u272a7b93q483f299fe3c0a7ae@mail.gmail.com> <45BCDD0C.2000200@tx.rr.com> <70f41ba20701280938n7513185fs93aa2dabbb2e37ca@mail.gmail.com> <45BCF443.3080400@bellsouth.net> <70f41ba20701281120v4cae9f5blc8cb8ed4a90266e6@mail.gmail.com> <45BCFE5B.5050808@bellsouth.net> <45BD7C00.1080801@tx.rr.com> <47C60DC7-A696-4D68-B5B1-F38E979610F1@sixdemonbag.org> <20070129152218.GN3166@jabberwocky.com>
Message-ID: <873b5t4xff.fsf@wheatstone.g10code.de>

On Mon, 29 Jan 2007 16:22, dshaw at jabberwocky.com said:

> etc. Nowadays, many spammers aren't using their own bandwidth or CPU.
> So why *not* hit the keyservers? It costs them essentially nothing.

OTOH, addresses taken from the addressbook as available on the host
(== zombie Windows PC) are much more effective than harvesting the web
or keyservers. These local addresses are more certain to actually be
used and even better: the recipient of the spam knows the sender.

Salam-Shalom,

Werner

From wk at gnupg.org Mon Jan 29 18:17:31 2007
From: wk at gnupg.org (Werner Koch)
Date: Mon, 29 Jan 2007 18:17:31 +0100
Subject: pinentry-qt (svn/r153) crashes on exec @ "assuan_register_command"; v0.7.2 execs no error.
In-Reply-To: <45BC9A9A.3020402@py-soft.co.uk> (Benjamin Donnachie's message of "Sun\, 28 Jan 2007 12\:44\:10 +0000")
References: <70f41ba20701231003g7d4dec4aj2b54f23fd1eca2f6@mail.gmail.com> <45B689D2.3010004@mac.com> <70f41ba20701231450n21bc3d0vcaa6c7d25bc1d3d0@mail.gmail.com> <45BC9A9A.3020402@py-soft.co.uk>
Message-ID: <87tzy93g7o.fsf@wheatstone.g10code.de>

On Sun, 28 Jan 2007 13:44, benjamin at py-soft.co.uk said:

> based upon v0.7.2. However, gpg2 will probably need patching so that it
> behaves properly - see
> http://www.py-soft.co.uk/~benjamin/download/mac-gpg/patch-query.diff

I don't like this. If you really need to be called by sh, pinentry
should re-exec itself.
What is the reason that you need to be called by sh? I presume sh sets
some extra environment variables from a global configuration file.

What about integrating the ObjC version into the pinentry package
proper?

Salam-Shalom,

Werner

From j.lysdal at gmail.com Mon Jan 29 20:16:41 2007
From: j.lysdal at gmail.com (Jørgen Lysdal)
Date: Mon, 29 Jan 2007 20:16:41 +0100
Subject: Bug?
Message-ID: <45BE4819.6070107@gmail.com>

GnuPG 1.4.6 (from gnupg.org) on winxp pro sp2
----------------------------

"gpg --edit-key PGP Global Directory Verification Key"

Gives me this:

"gpg (GnuPG) 1.4.6; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

pub  2048R/CA57AD7C  created: 2004-12-06  expires: never       usage: SC
                     trust: full          validity: full
[ full ] (1). PGP Global Directory Verification Key
[ full ] (2)  [jpeg image of size 3400]

Invalid command (try "help")
Invalid command (try "help")
Invalid command (try "help")

pub  2048R/CA57AD7C  created: 2004-12-06  expires: never       usage: SC
                     trust: full          validity: full
[ full ] (1). PGP Global Directory Verification Key
[ full ] (2)  [jpeg image of size 3400]"

Invalid command??

My option file:

"personal-cipher-preferences twofish aes256 cast5 blowfish aes192 aes
personal-digest-preferences sha256 sha384 sha512 sha1 ripemd160 sha224
s2k-cipher-algo twofish
enable-dsa2"

I don't get the weird stuff when I specify the key by its id..

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 368 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20070129/fc01ad43/attachment.pgp

From rjh at sixdemonbag.org Mon Jan 29 20:53:44 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 29 Jan 2007 13:53:44 -0600
Subject: Bug?
In-Reply-To: <45BE4819.6070107@gmail.com>
References: <45BE4819.6070107@gmail.com>
Message-ID: <62D96E01-0BD7-46AD-ACE9-F0B9E1EF954E@sixdemonbag.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> "gpg --edit-key PGP Global Directory Verification Key"
>
> Gives me this:

[output snipped]

This is not a bug. This is the expected behavior. GnuPG is
interpreting your command line as "select the first key that matches
the string PGP, enter the edit-key menu, and then execute the commands
Global, Directory, Verification and Key".

Try:

gpg --edit-key "PGP Global Directory Verification Key"

... and see if that fixes things for you.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (Darwin)

iQEcBAEBCAAGBQJFvlDIAAoJELcA9IL+r4EJg00H/22x2H7g5DgCNIcwpnCGtpv6
0z/uPtnTSoYayF4Qjd8DTpHFrB5M66CTw5Ndg0Nc+ZFV59Pb9KIyT+rbSv6shGHO
9fwQ2QuMjT9e8EeacfPnjP92UBsFzA8XOiJPBku2nYGUsmd0+Soe2qW9kCZdE5G7
cIY+r/Dpz2FHU0Ez5cHoW3idLpqGAyF4Lo68SbEgWBgPm0OT/hqmGUdeX6pFo5PQ
1Wmcsed1lTFWv41dSPT5tlRHyiPsmKkPFYqtzXFE+8dtkcYnEV7nPeZTdtHyqW6V
MvoNxo+/hO5nM5nHL/htGR86BiaGP3ichHUwqWGsKjn81RXhS4ESZcLRVKWsvvY=
=jcjc
-----END PGP SIGNATURE-----

From benjamin at py-soft.co.uk Mon Jan 29 22:13:52 2007
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Mon, 29 Jan 2007 21:13:52 +0000
Subject: pinentry-qt (svn/r153) crashes on exec @ "assuan_register_command"; v0.7.2 execs no error.
In-Reply-To: <87tzy93g7o.fsf@wheatstone.g10code.de>
References: <70f41ba20701231003g7d4dec4aj2b54f23fd1eca2f6@mail.gmail.com> <45B689D2.3010004@mac.com> <70f41ba20701231450n21bc3d0vcaa6c7d25bc1d3d0@mail.gmail.com> <45BC9A9A.3020402@py-soft.co.uk> <87tzy93g7o.fsf@wheatstone.g10code.de>
Message-ID: <45BE6390.4080404@py-soft.co.uk>

Werner Koch wrote:
> I don't like this. If you really need to be called by sh, pinentry
> should re-exec itself.
>
> What is the reason that you need to be called by sh? I presume sh sets
> some extra environment variables from a global configuration file.
Otherwise the application bundle isn't read correctly and pinentry
cannot grab the keyboard focus etc. Yes it's a hack, but I submitted it
to you months ago for comment.

> What about integrating the ObjC version into the pinentry package
> proper?

I gave up when I didn't hear back from you.

Ben

From wk at gnupg.org Tue Jan 30 08:42:45 2007
From: wk at gnupg.org (Werner Koch)
Date: Tue, 30 Jan 2007 08:42:45 +0100
Subject: pinentry-qt (svn/r153) crashes on exec @ "assuan_register_command"; v0.7.2 execs no error.
In-Reply-To: <45BE6390.4080404@py-soft.co.uk> (Benjamin Donnachie's message of "Mon\, 29 Jan 2007 21\:13\:52 +0000")
References: <70f41ba20701231003g7d4dec4aj2b54f23fd1eca2f6@mail.gmail.com> <45B689D2.3010004@mac.com> <70f41ba20701231450n21bc3d0vcaa6c7d25bc1d3d0@mail.gmail.com> <45BC9A9A.3020402@py-soft.co.uk> <87tzy93g7o.fsf@wheatstone.g10code.de> <45BE6390.4080404@py-soft.co.uk>
Message-ID: <87d54x0xl6.fsf@wheatstone.g10code.de>

On Mon, 29 Jan 2007 22:13, benjamin at py-soft.co.uk said:

>> What is the reason that you need to be called by sh? I presume sh sets
>> some extra environment variables from a global configuration file.
>
> Otherwise the application bundle isn't read correctly and pinentry
> cannot grab the keyboard focus etc. Yes it's a hack, but I submitted it
> to you months ago for comment.

Well, that does not answer my actual question. I need to know the
mechanism used to locate the application bundle. Letting the shell
decide what pinentry to use is not a good idea - we need to be more
specific. In affecting using system() instead of fork/exec is in
general a bad idea for security reasons. exec-ing sh with pinentry as
argument is similar to using the system() call.

As I suggested: If you really, really want to do that you should let
pinentry re-exec itself. This way we don't need to change the GnuPG
code.

>> What about integrating the ObjC version into the pinentry package
>> proper?
>
> I gave up when I didn't hear back from you.
Sorry about that but I can't read or follow up on all mails. Just keep on asking.

Shalom-Salam,

   Werner

From benjamin at py-soft.co.uk Tue Jan 30 13:39:33 2007
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Tue, 30 Jan 2007 12:39:33 +0000
Subject: pinentry-qt (svn/r153) crashes on exec @ "assuan_register_command"; v0.7.2 execs no error.
In-Reply-To: <87d54x0xl6.fsf@wheatstone.g10code.de>
References: <70f41ba20701231003g7d4dec4aj2b54f23fd1eca2f6@mail.gmail.com> <45B689D2.3010004@mac.com> <70f41ba20701231450n21bc3d0vcaa6c7d25bc1d3d0@mail.gmail.com> <45BC9A9A.3020402@py-soft.co.uk> <87tzy93g7o.fsf@wheatstone.g10code.de> <45BE6390.4080404@py-soft.co.uk> <87d54x0xl6.fsf@wheatstone.g10code.de>
Message-ID: <45BF3C85.40305@py-soft.co.uk>

Werner Koch wrote:
> Well, that does not answer my actual question. I need to know the
> mechanism used to locate the application bundle.

I'm not an expert with Mac OS and my understanding is that GUI applications require an information bundle. The likes of sh have been modified to ensure that the bundle is correctly processed and the GUI information passed to the OS. Without the bundle information, the application starts beneath all other applications and cannot grab key focus. (Search the cocoa-dev and qt-dev archives for my observations on this.)

> Letting the shell decide what pinentry to use is not a good idea -
> we need to be more specific. In effect, using system() instead
> of fork/exec is in general a bad idea for security reasons.
> exec-ing sh with pinentry as argument is similar to using the
> system() call.

The standard C calls that I tried, and some Mac OS specific ones, did not read the application bundle information correctly. Using sh was a hack; a hack that worked for me and that no-one else (apart from less than a handful of people) was interested in using.

> As I suggested: If you really, really want to do that you should let
> pinentry re-exec itself. This way we don't need to change the GnuPG
> code.
I like the idea of having pinentry handle the necessary "magic" to get things working... I shall reinvestigate the NSTask class - it may be the answer I'm looking for. (It's been over six months since I last looked at it.)

> Sorry about that but I can't read or follow up on all mails. Just
> keep on asking.

I approached the macgpg team too, but at the time gpg2 was alpha-ware and no-one seemed that interested in getting it all working on the Mac. I'll see what I can do... but it's a low priority at the moment.

Take care,

Ben

From DuerbuschT at stlouiscity.com Tue Jan 30 22:07:43 2007
From: DuerbuschT at stlouiscity.com (Tom Duerbusch)
Date: Tue, 30 Jan 2007 15:07:43 -0600
Subject: GPG 2.0.1 No passphrase
Message-ID: <45BF5F3F020000800000236F@NSS-25.stlouiscity.com>

I downloaded and compiled the GPG 2.0.1 release (SLES 9, 64 bit for zSeries).

When I do the:

gpg2 --gen-key
1 DSA and Elgamal
2048 bits
7 days
y yes this is correct
My Name
My at email.address
My comment
o ok this is correct

But then, it doesn't ask me for a passphrase. It seems to go directly into calculating the key. As in, it asks me the question, but doesn't wait for the answer:

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

gpg-agent[3973]: directory `/home/boat1/.gnupg/private-keys-v1.d' created
gpg: DBG: connection to agent established
gpg-agent[3973]: can't connect server: `ERR 67109133 can't exec `/usr/local/bin/pinentry': No such file or directory'
gpg-agent[3973]: can't connect to the PIN entry module: IPC connect call failed
gpg-agent[3973]: command get_passphrase failed: No pinentry
gpg: problem with the agent: No pinentry
You don't want a passphrase - this is probably a *bad* idea!
I will do it anyway. You can change your passphrase at any time, using this program with the option "--edit-key".

We need to generate a lot of random bytes.
It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy.

Is this an error in the code or am I just not seeing the option that needs to be on the command line? gpg (1.4) does wait for the passphrase.

Thanks

Tom Duerbusch
THD Consulting

From info at webinfo.de Wed Jan 31 02:42:48 2007
From: info at webinfo.de (Björn Mayer)
Date: Wed, 31 Jan 2007 02:42:48 +0100 (MET)
Subject: payload in GenericMessage

Hi,

I was just asking myself the following question: An ACLMessage is sent within a GenericMessage. Also, an envelope as well as a payload are stored within this GenericMessage. Suppose the ACLMessage contains sensitive data - can this data (even if partially) be reconstructed simply with the help of the payload or the envelope, too? What kind of information is stored within this payload? I'm just considering security issues and thus would like to know if it would be enough to encrypt only the ACLMessage but not the payload...

I'm thankful for every single hint,

Bjorn

From wk at gnupg.org Wed Jan 31 08:45:54 2007
From: wk at gnupg.org (Werner Koch)
Date: Wed, 31 Jan 2007 08:45:54 +0100
Subject: GPG 2.0.1 No passphrase
In-Reply-To: <45BF5F3F020000800000236F@NSS-25.stlouiscity.com> (Tom Duerbusch's message of "Tue, 30 Jan 2007 15:07:43 -0600")
References: <45BF5F3F020000800000236F@NSS-25.stlouiscity.com>
Message-ID: <87wt33oczx.fsf@wheatstone.g10code.de>

On Tue, 30 Jan 2007 22:07, DuerbuschT at stlouiscity.com said:

> Is this an error in the code or am I just not seeing the option that

Yes, this is a bug.
Salam-Shalom,

   Werner

From rocket at heddway.com Wed Jan 31 15:24:12 2007
From: rocket at heddway.com (jason heddings)
Date: Wed, 31 Jan 2007 07:24:12 -0700
Subject: GnuPG Newbie
Message-ID: <000001c74543$7b64fdd0$6700a8c0@enterprise>

I've been searching the lists and Google, but have not found the answer to my question... I apologize if it is well-known.

I have a simple little app that wraps the libgcrypt functions to provide keygen, encrypt, & decrypt functionality. I'm able to save my keys and use files with base64-encoded S-expressions and things seem to be working well...

Now, on to my question: What I'd like to do is save the key as a base64-encoded version of the bits. The trouble I'm having is that I can't seem to figure out how to extract the raw bits of the key from the gcry_sexp_t. I can use the dump & print funcs to see the MPI values, but I just can't seem to get at what I'm going for here. Is it reasonable to simply base64-encode the entire S-expression and use that for key exchange?

Any help here would be greatly appreciated... Although I'm familiar with the key creation & encryption algorithms, I'm a bit of a newbie to public & private key representations.

--jah

From jbruni at mac.com Wed Jan 31 16:42:42 2007
From: jbruni at mac.com (Joseph Oreste Bruni)
Date: Wed, 31 Jan 2007 08:42:42 -0700
Subject: import secret subkey
Message-ID: <6487F228-D594-4D68-9228-F2E4029F8128@mac.com>

Hello all,

Back in June of 2005, someone asked if it were possible to import a secret subkey. The reply was that that feature would not be ready with 1.4.2. With 1.4.6, has this feature been made available yet? I've tried and it doesn't seem to work, so I was wondering if I just missed an option or something.
Joe

http://marc.theaimsgroup.com/?l=gnupg-users&m=111935024705156&w=2

From jmarugan at alumnos.upm.es Tue Jan 30 10:52:26 2007
From: jmarugan at alumnos.upm.es (Juan Marugán)
Date: Tue, 30 Jan 2007 10:52:26 +0100
Subject: New command line language parameter
Message-ID: <200701300956.l0U9u38R019043@edison.ccupm.upm.es>

Hello.

I use gpg a lot every day, it's a great tool. I'm going to explain my situation, so perhaps you can help me. I'm quite sure there are a lot of people in the same case.

I'm Spanish and I like to use Spanish versions of the applications that I use every day when they're available. On my computer under Windows XP I have the 1.4.6 GPG version with the "Lang" key in the registry, under "HKEY_CURRENT_USER\Software\GNU\GnuPG", pointing to the Spanish language file and everything works great in Spanish, but if I copy my GnuPG installation folder to a pendrive or USB HD in order to run it from a computer other than mine (my laptop, a friend's computer, cyber-cafe, etc.), everything still works great, but on the target computer the gpg registry key is not present, or what is worse, is pointing to a different folder because another version of GPG is installed, and the whole program turns to English again or some other language depending on the installed version and its compatibility with mine.
My request for the next version of GnuPG is that it would be great if a command line parameter could override that language registry key configuration, as the "HomeDir" key can be overridden with the --homedir parameter. In that case, people will be able to call the program or create for example a .bat file so they can run the pgp.exe program in the desired home folder and desired language on any computer with or without the registry keys.

For example (sign_verify.bat):

---Beginning of .bat file ---------------------------------
@echo off
cls
echo Verifying...
%1\gpg.exe --homedir %2 --langfile %1\gnupg.nls\es.mo --verify %3
---End of .bat file ---------------------------------------

Where:

--langfile can be the name of the new parameter
%1 is the .bat parameter with the installation folder of GnuPG
%2 is the .bat parameter with the ring's path
%3 is the .bat parameter with the file going to be verified

The call could be something like:

sign_verify c:\gnupg h:\docs\gnupg\rings c:\mail.txt

With this new parameter you have another advantage, which is the possibility of running several different versions of GnuPG on the same machine. Now all of them look for the language files in the same folder pointed to by the registry. With this new parameter you could run any future version isolated in order to test or whatever you need.

Until this can be done, does anyone know how to force the language settings without using the registry?

Thanks in advance to everybody

From wk at gnupg.org Wed Jan 31 18:50:43 2007
From: wk at gnupg.org (Werner Koch)
Date: Wed, 31 Jan 2007 18:50:43 +0100
Subject: import secret subkey
In-Reply-To: <6487F228-D594-4D68-9228-F2E4029F8128@mac.com> (Joseph Oreste Bruni's message of "Wed, 31 Jan 2007 08:42:42 -0700")
References: <6487F228-D594-4D68-9228-F2E4029F8128@mac.com>
Message-ID: <873b5rm6fg.fsf@wheatstone.g10code.de>

On Wed, 31 Jan 2007 16:42, jbruni at mac.com said:

> With 1.4.6, has this feature been made available yet?
> I've tried and
> it doesn't seem to work so I was wondering if I just missed an option
> or something.

I don't think so. You might want to put an entry into the BTS.

> http://marc.theaimsgroup.com/?l=gnupg-users&m=111935024705156&w=2

[BTW, it would be nice to give the message-id and not just a URL. If you are offline you will then be able to read the message from the local mail folders without a lot of searching.]

Shalom-Salam,

   Werner

From jbruni at mac.com Wed Jan 31 21:35:06 2007
From: jbruni at mac.com (Joseph Oreste Bruni)
Date: Wed, 31 Jan 2007 12:35:06 -0800
Subject: import secret subkey
In-Reply-To: <873b5rm6fg.fsf@wheatstone.g10code.de>
References: <6487F228-D594-4D68-9228-F2E4029F8128@mac.com> <873b5rm6fg.fsf@wheatstone.g10code.de>
Message-ID: <50F28279-0110-1000-ACA4-0BDCA3513656-Webmail-10019@mac.com>

It appears that an entry already exists for this issue as "issue 318". It was closed as "resolved" with the message: "Won't be changed, GnuPG 2 will eventually use an entirely different scheme to manage secret keys."

Should I create a new issue or can you just re-open the existing issue?

Joe

On Wednesday, January 31, 2007, at 11:15AM, "Werner Koch" wrote:

>On Wed, 31 Jan 2007 16:42, jbruni at mac.com said:
>
>> With 1.4.6, has this feature been made available yet? I've tried and
>> it doesn't seem to work so I was wondering if I just missed an option
>> or something.
>
>I don't think so. You might want to put an entry into the BTS.
>
>> http://marc.theaimsgroup.com/?l=gnupg-users&m=111935024705156&w=2
>
>[BTW, it would be nice to give the message-id and not just a URL.
> If you are offline you will then be able to read the message from the
> local mail folders without a lot of searching.]
>
>Shalom-Salam,
>
>   Werner

From wk at gnupg.org Wed Jan 31 22:09:20 2007
From: wk at gnupg.org (Werner Koch)
Date: Wed, 31 Jan 2007 22:09:20 +0100
Subject: import secret subkey
In-Reply-To: <50F28279-0110-1000-ACA4-0BDCA3513656-Webmail-10019@mac.com> (Joseph Oreste Bruni's message of "Wed, 31 Jan 2007 12:35:06 -0800")
References: <6487F228-D594-4D68-9228-F2E4029F8128@mac.com> <873b5rm6fg.fsf@wheatstone.g10code.de> <50F28279-0110-1000-ACA4-0BDCA3513656-Webmail-10019@mac.com>
Message-ID: <87zm7y7vjz.fsf@wheatstone.g10code.de>

On Wed, 31 Jan 2007 21:35, jbruni at mac.com said:

> Should I create a new issue or can you just re-open the existing issue?

Please reopen it and briefly explain why it is useful.

BTW, 2.0.2 has just been released. However, we need to release a new libgcrypt to fix a bug on PPC Macs.

Salam-Shalom,

   Werner

From dshaw at jabberwocky.com Wed Jan 31 22:19:33 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed, 31 Jan 2007 16:19:33 -0500
Subject: explain nrsign & lsign?
In-Reply-To: <873b5t4xff.fsf@wheatstone.g10code.de>
References: <70f41ba20701280831u272a7b93q483f299fe3c0a7ae@mail.gmail.com> <45BCDD0C.2000200@tx.rr.com> <70f41ba20701280938n7513185fs93aa2dabbb2e37ca@mail.gmail.com> <45BCF443.3080400@bellsouth.net> <70f41ba20701281120v4cae9f5blc8cb8ed4a90266e6@mail.gmail.com> <45BCFE5B.5050808@bellsouth.net> <45BD7C00.1080801@tx.rr.com> <47C60DC7-A696-4D68-B5B1-F38E979610F1@sixdemonbag.org> <20070129152218.GN3166@jabberwocky.com> <873b5t4xff.fsf@wheatstone.g10code.de>
Message-ID: <20070131211933.GD27765@jabberwocky.com>

On Mon, Jan 29, 2007 at 05:20:20PM +0100, Werner Koch wrote:
> On Mon, 29 Jan 2007 16:22, dshaw at jabberwocky.com said:
>
> > etc. Nowadays, many spammers aren't using their own bandwidth or CPU.
> > So why *not* hit the keyservers? It costs them essentially nothing.
>
> OTOH, addresses taken from the addressbook as available on the host
> (== zombie Windows PC) are much more effective than harvesting the web
> or keyservers. These local addresses are more certain to actually be
> used and even better: the recipient of the spam knows the sender.

Indeed. It is also possible that the keyservers aren't being targeted specifically as keyservers, but rather that people have links to keyserver searches out there, and the spammers are just using a crawler that happens to follow that link. Some keyservers don't obfuscate their search results.

David
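As an added illustration of Werner Koch's point in the pinentry thread above (that exec-ing sh with pinentry as its argument is equivalent to system(), and that a direct fork/exec with an explicit path is what gpg-agent should do), here is a small C program contrasting the two launch styles. It is example code written for this archive, not GnuPG or pinentry code, and it assumes /bin/echo exists so the child's argument handling can be observed.

```c
/* Added example (not GnuPG or pinentry code): launching a helper through the
 * shell versus launching it directly with an explicit path and argv. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* fork/exec `path` with `argv`, no shell involved; capture the child's stdout
 * into buf (NUL-terminated). Returns the exit status, or -1 on failure. */
int run_direct(const char *path, char *const argv[], char *buf, size_t buflen)
{
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Child: stdout -> pipe, then replace the image. argv reaches the
         * program verbatim: no word splitting, globbing or $-expansion. */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        char *const envp[] = { "PATH=/usr/bin:/bin", NULL }; /* minimal env */
        execve(path, argv, envp);
        _exit(127); /* only reached if exec failed */
    }
    close(fds[1]);
    size_t n = 0;
    ssize_t r;
    while (n + 1 < buflen && (r = read(fds[0], buf + n, buflen - 1 - n)) > 0)
        n += (size_t)r;
    buf[n] = '\0';
    close(fds[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* The same command handed to the shell: popen() runs "sh -c cmdline", so the
 * shell parses variables, ';', globs and PATH before the helper ever runs.
 * This is the system()-style launch the thread warns against. */
int run_via_shell(const char *cmdline, char *buf, size_t buflen)
{
    FILE *p = popen(cmdline, "r");
    if (!p) return -1;
    size_t n = fread(buf, 1, buflen - 1, p);
    buf[n] = '\0';
    int status = pclose(p);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char out[256];
    char *const argv[] = { "echo", "$HOME; echo extra", NULL };
    run_direct("/bin/echo", argv, out, sizeof out);
    printf("direct: %s", out); /* literal "$HOME; echo extra" */
    run_via_shell("echo $HOME; echo extra", out, sizeof out);
    printf("shell : %s", out); /* $HOME expanded, second command executed */
    return 0;
}
```

The direct launch passes the odd-looking argument through untouched, while the shell launch expands $HOME and runs the trailing command; the same difference applies when the "argument" is the path to a pinentry binary.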