From p at sabuleti.net Sun Mar 1 22:30:31 2009
From: p at sabuleti.net (peter)
Date: Sun, 01 Mar 2009 21:30:31 +0000
Subject: future proof file encryption
In-Reply-To: <877i3aiyni.fsf@wheatstone.g10code.de>
References: <49A67BDD.90107@sabuleti.net> <009201c99811$67580ee0$36082ca0$@com> <8763ixl110.fsf@wheatstone.g10code.de> <20090226163251.GD29319@IUPUI.Edu> <49A7C8A0.5070300@sabuleti.net> <49A7E23E.8040507@sixdemonbag.org> <49A7F0DB.9030300@sven-radde.de> <49A805B0.5060407@sixdemonbag.org> <49A81414.40509@sixdemonbag.org> <877i3aiyni.fsf@wheatstone.g10code.de>
Message-ID: <49AAFE77.2040505@sabuleti.net>

I've been amazed by the variety of thoughtful comments since I posted. I've read all those - and a bit more besides. I'm ashamed at my ignorance when I contacted the list last Thursday. I comfort myself with the thought that it's only from ignorance that you can ever feel complete knowledge could be in your grasp. The more you learn, the more it recedes.

I'm distrustful of the reliability of anything that has moving parts and paranoid of the Internet (but I suspect some level of paranoia is a prerequisite for hanging out here). Despite that I've become completely reliant on computers. I've also got two children - three and five who absorb my time like sponges. As their childhood slips by I try and capture the odd moment as naturally as I can (I'm no fan of the cheesy grin).

The images are raw format from a Nikon. Much as my instincts are for simple, low tech solutions, they're the digital equivalent of negatives. Printing them out isn't really a solution. For the moment, I have no time to work on them. How they look when they come out of the camera is what I use. One day I hope to revisit them - I'm sure I can extract more value from this afternoon's dingy shot of B. peering out of the porthole in the side of a flying boat. The long term safety of these negatives is important to me.

My distrust of the reliability of things with moving parts means I run two computers. I can work from either. They're almost mirrors (except one is Suse the other Fedora, one KDE, the other Gnome - [you need a bit of variety to spice things up]). I rsync from one to the other at the end of the day. If I make a mistake on one, then rsync will do its duty and replicate the mistake. The copy on S3 protects me from my own stupidity (and fire, theft...)

My paranoia of the Internet makes me want to encrypt these copies (once something's out there, you can never get it back). For the moment I prefer the notion that I don't have to store the key anywhere - just a passphrase in my head - hence the use of symmetric keys.

Anyway thanks for your patience and your ideas. When you hear from me again, I hope to be better informed!

From wk at gnupg.org Mon Mar 2 09:41:57 2009
From: wk at gnupg.org (Werner Koch)
Date: Mon, 02 Mar 2009 09:41:57 +0100
Subject: text pinentry
In-Reply-To: <1235843033.49a977d981665@webmail.sparq.org> (quick@sparq.org's message of "Sat, 28 Feb 2009 11:43:53 -0600")
References: <1235843033.49a977d981665@webmail.sparq.org>
Message-ID: <87zlg4gvu2.fsf@wheatstone.g10code.de>

On Sat, 28 Feb 2009 18:43, quick at sparq.org said:

> Is there any way to get the direct inline text method of passphrase query/
> response for GnuPG 2.x like there was in GnuPG 1.4.9. In other words, no popup
> dialog boxes and no curses?

gpg2 allows that only for symmetric encryption. The reason is that eventually all public-key crypto involving the private key will be moved to gpg-agent.

However, you can control gpg-agent from your application. There is gpg-preset-passphrase and if you need more control, you may want to write your own pinentry. The environment variable PINENTRY_USER_DATA is passed from gpg2 down to the pinentry and provides a way to convey control information to a newly written pinentry.

Salam-Shalom,

   Werner

--
Thoughts are free.
Exceptions are regulated by a federal law.

From wk at gnupg.org Mon Mar 2 12:36:48 2009
From: wk at gnupg.org (Werner Koch)
Date: Mon, 02 Mar 2009 12:36:48 +0100
Subject: gpg-agent does not know --homedir, --batch and --lc-type options
In-Reply-To: <20090219170141.GE16630@localhost> (Petr Uzel's message of "Thu, 19 Feb 2009 18:01:41 +0100")
References: <20090219170141.GE16630@localhost>
Message-ID: <87vdqsgnqn.fsf@wheatstone.g10code.de>

On Thu, 19 Feb 2009 18:01, petr.uzel at suse.cz said:

> --homedir
> --batch

Ooops. The code is there but the names are not in the option tables.

> --lc-type

Spelling error in the manual. It should be --lc-ctype.

Fixed in SVN rev 4937.

Thanks,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From mwood at IUPUI.Edu Mon Mar 2 15:19:13 2009
From: mwood at IUPUI.Edu (Mark H. Wood)
Date: Mon, 2 Mar 2009 09:19:13 -0500
Subject: future proof file encryption
In-Reply-To: <49A89571.2070105@sixdemonbag.org>
References: <8763ixl110.fsf@wheatstone.g10code.de> <20090226163251.GD29319@IUPUI.Edu> <49A7C8A0.5070300@sabuleti.net> <49A7E23E.8040507@sixdemonbag.org> <49A7F0DB.9030300@sven-radde.de> <49A86895.9030508@comcast.net> <49A86FB5.8000100@sixdemonbag.org> <61679285041107454815460995173835335060-Webmail@me.com> <7090B60F-6548-4AC2-871B-2F07F6C394FE@jabberwocky.com> <49A89571.2070105@sixdemonbag.org>
Message-ID: <20090302141913.GB16868@IUPUI.Edu>

On Fri, Feb 27, 2009 at 08:37:53PM -0500, Robert J. Hansen wrote:
> For long-term photographic storage, make a print from photographic film
> on archival-quality print stock. Also, I'm given to understand that
> black and white photographs survive the aging process much better than
> color.

Silver chemistry is (or, at least, it used to be) much more resistant to decay than color dyes.
You still have to be sure that the print has been archivally processed (mainly to wash out all traces of hypo, which otherwise will continue doing the job it has in the process and eat away at the silver grains). You still need to keep it away from atmospheric contaminants when not in use. You can plate the grains using a bath of gold chloride to protect them a little longer. You can use vesicular film rather than silver, if you can still find it, for even longer storage. (Huh, *silver* chemistry is getting harder to find.)

Used to be that color photos which had to be preserved for a long time were stored as separation sets: three silver images were made to capture the three primary colors from the image, to be reassembled later and reconstitute the color image using the ordinary dye process. Dunno if it's still done. I'd put my trust in a well-maintained redundant set of digital scans, these days.

Most photos won't really need all this fancy treatment; you enjoy 'em while they last, and keep making new ones. The problem is, often we don't understand which ones *should* have special preservation, until it's too late.

--
Mark H. Wood, Lead System Programmer   mwood at IUPUI.Edu
Mama don't take my Kodachrome away!

From dshaw at jabberwocky.com Mon Mar 2 17:29:32 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 2 Mar 2009 11:29:32 -0500
Subject: future proof file encryption
In-Reply-To: <20090302141913.GB16868@IUPUI.Edu>
References: <8763ixl110.fsf@wheatstone.g10code.de> <20090226163251.GD29319@IUPUI.Edu> <49A7C8A0.5070300@sabuleti.net> <49A7E23E.8040507@sixdemonbag.org> <49A7F0DB.9030300@sven-radde.de> <49A86895.9030508@comcast.net> <49A86FB5.8000100@sixdemonbag.org> <61679285041107454815460995173835335060-Webmail@me.com> <7090B60F-6548-4AC2-871B-2F07F6C394FE@jabberwocky.com> <49A89571.2070105@sixdemonbag.org> <20090302141913.GB16868@IUPUI.Edu>
Message-ID:

On Mar 2, 2009, at 9:19 AM, Mark H. Wood wrote:

> On Fri, Feb 27, 2009 at 08:37:53PM -0500, Robert J. Hansen wrote:
>> For long-term photographic storage, make a print from photographic
>> film
>> on archival-quality print stock. Also, I'm given to understand that
>> black and white photographs survive the aging process much better
>> than
>> color.
>
> Silver chemistry is (or, at least, it used to be) much more resistant
> to decay than color dyes. You still have to be sure that the print
> has been archivally processed (mainly to wash out all traces of hypo,
> which otherwise will continue doing the job it has in the process and
> eat away at the silver grains). You still need to keep it away from
> atmospheric contaminants when not in use. You can plate the grains
> using a bath of gold chloride to protect them a little longer. You
> can use vesicular film rather than silver, if you can still find it,
> for even longer storage. (Huh, *silver* chemistry is getting harder
> to find.)
>
> Used to be that color photos which had to be preserved for a long time
> were stored as separation sets: three silver images were made to
> capture the three primary colors from the image, to be reassembled
> later and reconstitute the color image using the ordinary dye
> process. Dunno if it's still done.

I thought it was more or less dead, but then a new company popped up to do silver YCM separations *generated from a digital scan*. (Speaking about movies here - obviously anyone can generate separations for stills with Photoshop or the like). It's less crazy than it seems on the face of it. The separations have longer life than a backup tape, and you don't need to remaster separations every few years. I still think I'd regard such a thing much as I regard the paper key backups from paperkey: the backup of last resort.

> I'd put my trust in a
> well-maintained redundant set of digital scans, these days.

Me too. I think most people do, these days. The only issue here is that every few years, the scanning technology improves to the point where re-scanning the original (chemical) image becomes worthwhile. So you do need to keep the original around.

> Most photos won't really need all this fancy treatment; you enjoy 'em
> while they last, and keep making new ones. The problem is, often we
> don't understand which ones *should* have special preservation, until
> it's too late.

Indeed. There is an interesting debate over whether digital photos are too easy to erase. Every now and then, the "unimportant" photo turns out to be needed. For example: http://digitaljournalist.org/issue9807/editorial.htm

David

From eh1474 at att.com Mon Mar 2 22:02:43 2009
From: eh1474 at att.com (HORNBOSTEL, LIBBY A (ATTSI))
Date: Mon, 2 Mar 2009 16:02:43 -0500
Subject: GPG Shell works but GnuPG commands fail - UPDATE
Message-ID: <17C7468560D4B341BC8C89114FE479E4C8CC73@misout7msgusr83.ITServices.sbc.com>

Many hours of tinkering has given me a solution.

Although I haven't found an explanation for why the GPA product throws a fatal error, I have conquered getting the GnuPG commands to work. I found that the order of the commands and options are significant, and that I needed to surround the directory within "quotes".

'gpg --output C:\DATA\CD.icf --passphrase my_pass --decrypt "C:\DATA\CD.txt"

Libby H

From jmoore3rd at bellsouth.net Mon Mar 2 22:14:15 2009
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Mon, 02 Mar 2009 16:14:15 -0500
Subject: GPG Shell works but GnuPG commands fail - UPDATE
In-Reply-To: <17C7468560D4B341BC8C89114FE479E4C8CC73@misout7msgusr83.ITServices.sbc.com>
References: <17C7468560D4B341BC8C89114FE479E4C8CC73@misout7msgusr83.ITServices.sbc.com>
Message-ID: <49AC4C27.1010902@bellsouth.net>

HORNBOSTEL, LIBBY A (ATTSI) wrote:
> Many hours of tinkering has given me a solution.
>
> Although I haven't found an explanation for why the GPA product throws a
> fatal error

You are using Windows and GPA incompatibility with M$ O/S's is known.

JOHN ;)
Timestamp: Monday 02 Mar 2009, 16:13 --500 (Eastern Standard Time)

From John at Mozilla-Enigmail.org Mon Mar 2 23:02:52 2009
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Mon, 02 Mar 2009 16:02:52 -0600
Subject: GPG Shell works but GnuPG commands fail - UPDATE
In-Reply-To: <17C7468560D4B341BC8C89114FE479E4C8CC73@misout7msgusr83.ITServices.sbc.com>
References: <17C7468560D4B341BC8C89114FE479E4C8CC73@misout7msgusr83.ITServices.sbc.com>
Message-ID: <49AC578C.10609@Mozilla-Enigmail.org>

HORNBOSTEL, LIBBY A (ATTSI) wrote:
> Many hours of tinkering has given me a solution.
>
> Although I haven't found an explanation for why the GPA product throws a
> fatal error, I have conquered getting the GnuPG commands to work. I
> found that the order of the commands and options are significant, and
> that I needed to surround the directory within "quotes".
>
> 'gpg --output C:\DATA\CD.icf --passphrase my_pass --decrypt
> "C:\DATA\CD.txt"

Instead of quoting the file name, gpg on windows understands forward slashes as directory separators and will "Do the Right Thing(TM)"

    gpg --output C:/DATA/CD.icf --passphrase my_pass --decrypt C:/DATA/CD.txt

Example:

    F:\>gpg --verify F:/MyDown~1/curl.haxx.se/download/curl-7.19.0.zip.asc
    gpg: Signature made 09/01/08 09:50:07 using DSA key ID 279D5C91
    gpg: requesting key 279D5C91 from hkp server 192.168.0.4
    gpg: key 279D5C91: public key "Daniel Stenberg (Haxx) " imported
    gpg: Total number processed: 1
    gpg:               imported: 1
    gpg: please do a --check-trustdb
    gpg: Good signature from "Daniel Stenberg (Haxx) "
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 914C 533D F9B2 ADA2 204F  586D 78E1 1C6B 279D 5C91

If any of the names contain spaces you'll need to use either quotes around the entire name or short names, eg DOCUME~1 for 'Documents and Settings' (DIR/X will give the short names).

--
John P. Clizbe                      Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or
     mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"

From wk at gnupg.org Tue Mar 3 12:45:08 2009
From: wk at gnupg.org (Werner Koch)
Date: Tue, 03 Mar 2009 12:45:08 +0100
Subject: [Announce] GnuPG 2.0.11 released
Message-ID: <87sklug797.fsf@wheatstone.g10code.de>

Hello!

We are pleased to announce the availability of a new stable GnuPG-2 release: Version 2.0.11.

The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication and data storage.
It can be used to encrypt data, create digital signatures, help authenticating using Secure Shell and to provide a framework for public key cryptography. It includes an advanced key management facility and is compliant with the OpenPGP and S/MIME standards.

GnuPG-2 has a different architecture than GnuPG-1 (e.g. 1.4.9) in that it splits up functionality into several modules. However, both versions may be installed alongside without any conflict. In fact, the gpg version from GnuPG-1 is able to make use of the gpg-agent as included in GnuPG-2 and allows for seamless passphrase caching. The advantage of GnuPG-1 is its smaller size and the lack of dependency on other modules at run and build time. We will keep maintaining GnuPG-1 versions because they are very useful for small systems and for server based applications requiring only OpenPGP support.

GnuPG is distributed under the terms of the GNU General Public License (GPL version 3). GnuPG-2 works best on GNU/Linux or *BSD systems.

What's New in 2.0.11
====================

 * Fixed a problem in SCDAEMON which caused unexpected card resets.

 * SCDAEMON is now aware of the Geldkarte.

 * The SCDAEMON option --allow-admin is now used by default.

 * GPGCONF now restarts SCdaemon if necessary.

 * The default cipher algorithm in GPGSM is now again 3DES. This is due to interoperability problems with Outlook 2003 which still can't cope with AES.

Getting the Software
====================

Please follow the instructions found at http://www.gnupg.org/download/ or read on:

GnuPG 2.0.11 may be downloaded from one of the GnuPG mirror sites or direct from ftp://ftp.gnupg.org/gcrypt/gnupg/ . The list of mirrors can be found at http://www.gnupg.org/mirrors.html . Note, that GnuPG is not available at ftp.gnu.org.

On the FTP server and its mirrors you should find the following files in the gnupg/ directory:

  gnupg-2.0.11.tar.bz2 (3763k)
  gnupg-2.0.11.tar.bz2.sig

      GnuPG source compressed using BZIP2 and OpenPGP signature.

  gnupg-2.0.10-2.0.11.diff.bz2 (29k)

      A patch file to upgrade a 2.0.10 GnuPG source tree. This patch does not include updates of the language files.

Note, that we don't distribute gzip compressed tarballs for GnuPG-2.

Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways:

 * If you already have a trusted version of GnuPG installed, you can simply check the supplied signature. For example to check the signature of the file gnupg-2.0.11.tar.bz2 you would use this command:

     gpg --verify gnupg-2.0.11.tar.bz2.sig

   This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. Note, that you can retrieve the signing key using the command

     finger wk ,at' g10code.com

   or using a keyserver like

     gpg --recv-key 1CE0C630

   The distribution key 1CE0C630 is signed by the well known key 5B0358A2. If you get a key expired message, you should retrieve a fresh copy as the expiration date might have been prolonged.

   NEVER USE A GNUPG VERSION YOU JUST DOWNLOADED TO CHECK THE INTEGRITY OF THE SOURCE - USE AN EXISTING GNUPG INSTALLATION!

 * If you are not able to use an old version of GnuPG, you have to verify the SHA-1 checksum. Assuming you downloaded the file gnupg-2.0.11.tar.bz2, you would run the sha1sum command like this:

     sha1sum gnupg-2.0.11.tar.bz2

   and check that the output matches the first line from the following list:

9f71a342c5be686b0dcef082078af693802a558f  gnupg-2.0.11.tar.bz2
5cf75b4405ba9ed908b85ef3b614ef06f3a6ab10  gnupg-2.0.10-2.0.11.diff.bz2

Internationalization
====================

GnuPG comes with support for 27 languages.
Due to a lot of new and changed strings many translations are not entirely complete. Jedi, Maxim Britov, Jaime Suárez and Nilgün Belma Bugüner have been kind enough to go over their translations and thus the Chinese, German, Russian, Spanish, and Turkish translations are pretty much complete.

Documentation
=============

We are currently working on an installation guide to explain in more detail how to configure the new features. As of now the chapters on gpg-agent and gpgsm include brief information on how to set up the whole thing. Please watch the GnuPG website for updates of the documentation. In the meantime you may search the GnuPG mailing list archives or ask on the gnupg-users mailing lists for advice on how to solve problems. Many of the new features are around for several years and thus enough public knowledge is already available. KDE's KMail is the most prominent user of GnuPG-2. In fact it has been developed along with the KMail folks. Mutt users might want to use the configure option "--enable-gpgme" and "set use_crypt_gpgme" in ~/.muttrc to make use of GnuPG-2 to enable S/MIME in addition to a reworked OpenPGP support.

The manual is also available online in HTML format at http://www.gnupg.org/documentation/manuals/gnupg/ and in Portable Document Format at http://www.gnupg.org/documentation/manuals/gnupg.pdf .

Support
=======

Improving GnuPG is costly, but you can help! We are looking for organizations that find GnuPG useful and wish to contribute back. You can contribute by reporting bugs, improve the software, order extensions or support or more general by donating money to the Free Software movement (e.g. http://www.fsfeurope.org/help/donate.en.html).

Commercial support contracts for GnuPG are available, and they help finance continued maintenance. g10 Code GmbH, a Duesseldorf based company owned and headed by GnuPG's principal author, is currently funding GnuPG development. We are always looking for interesting development projects.

The GnuPG service directory is available at:

  http://www.gnupg.org/service.html

Thanks
======

We have to thank all the people who helped with this release, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word or answering questions on the mailing lists.

Happy Hacking,

  The GnuPG Team

--
Thoughts are free. Exceptions are regulated by a federal law.

_______________________________________________
Gnupg-announce mailing list
Gnupg-announce at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce

From wk at gnupg.org Tue Mar 3 17:04:42 2009
From: wk at gnupg.org (Werner Koch)
Date: Tue, 03 Mar 2009 17:04:42 +0100
Subject: man page typo
In-Reply-To: <0EC3CC8A-B51D-4969-A5B9-464E5FF62EE0@me.com> (Joseph Oreste Bruni's message of "Tue, 03 Feb 2009 12:21:36 -0700")
References: <0EC3CC8A-B51D-4969-A5B9-464E5FF62EE0@me.com>
Message-ID: <878wnmfv8l.fsf@wheatstone.g10code.de>

On Tue, 3 Feb 2009 20:21, jbruni at me.com said:

> I think the "merge-only" applies to "--import-options," not "--
> keyserver-options."

Fixed in SVN. Unfortunately I forgot to browse through my mail folders before releasing 2.0.11.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
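
The sha1sum check from the "Checking the Integrity" section of the 2.0.11 announcement above, written out as a small script. This is an added example, not part of the original messages or of GnuPG; the function names expected_sha1 and check_release are made up for the illustration, and the two digests are the ones the announcement lists.

```sh
#!/bin/sh
# Added example, not part of the GnuPG announcement or of GnuPG itself.
# It applies the announcement's sha1sum check to a "digest  filename" list.

# The two lines published in the 2.0.11 announcement. Take them from the
# announcement itself, never from the server the tarball came from.
RELEASE_SHA1_LIST='9f71a342c5be686b0dcef082078af693802a558f  gnupg-2.0.11.tar.bz2
5cf75b4405ba9ed908b85ef3b614ef06f3a6ab10  gnupg-2.0.10-2.0.11.diff.bz2'

# expected_sha1 LIST NAME   (hypothetical helper)
# Print the digest LIST gives for NAME, lower-cased. Status 1 if NAME is
# not listed or its entry is not 40 hex digits.
expected_sha1() {
    printf '%s\n' "$1" | awk -v name="$2" '
        {
            entry = $2
            sub(/^\*/, "", entry)      # sha1sum writes binary mode as "*name"
            digest = tolower($1)
            if (entry == name && digest ~ /^[0-9a-f]+$/ && length(digest) == 40) {
                print digest
                found = 1
                exit
            }
        }
        END { exit !found }'
}

# check_release FILE [LIST]   (hypothetical helper)
# Status: 0 digest matches, 1 digest differs, 2 file missing or not listed.
check_release() {
    cr_file=$1
    cr_list=${2:-$RELEASE_SHA1_LIST}
    if [ ! -f "$cr_file" ]; then
        echo "missing file: $cr_file" >&2
        return 2
    fi
    # Look the file up by its base name, as the published list does.
    if ! cr_want=$(expected_sha1 "$cr_list" "${cr_file##*/}"); then
        echo "no usable list entry for: $cr_file" >&2
        return 2
    fi
    # sha1sum prints "<digest>  <name>"; only the digest is compared.
    cr_got=$(sha1sum < "$cr_file" | awk '{ print tolower($1) }')
    if [ "$cr_got" = "$cr_want" ]; then
        echo "OK: $cr_file"
        return 0
    fi
    echo "MISMATCH: $cr_file (listed $cr_want, computed $cr_got)" >&2
    return 1
}

# Stand-alone use: sh check_release.sh ./gnupg-2.0.11.tar.bz2
if [ "$#" -gt 0 ]; then
    check_release "$1"
    exit $?
fi
```

A file that is not in the list is reported separately from a digest mismatch, so a renamed download is not mistaken for a verified one.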

From wk at gnupg.org Tue Mar 3 17:06:51 2009
From: wk at gnupg.org (Werner Koch)
Date: Tue, 03 Mar 2009 17:06:51 +0100
Subject: GnuPG asks for other card
In-Reply-To: <496F60BC.5010805@fsfe.org> (Patrick Kox's message of "Thu, 15 Jan 2009 17:13:48 +0100")
References: <496F60BC.5010805@fsfe.org>
Message-ID: <874oyafv50.fsf@wheatstone.g10code.de>

On Thu, 15 Jan 2009 17:13, patrick_kox at fsfe.org said:

> Everything seems to work, but when I want to sign or decrypt something
> GPG first asks for the 1st card (the FSFE one) and then after pressing
> "c" for about 3 times I can use the OpenPGP card.

I don't know which version of gpg you are using. In any case there was a bug in the SCdaemon of 2.0.10 which might be the reason for that. Thus, please test with 2.0.11 and get back to us if you still have problems.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Tue Mar 3 17:11:47 2009
From: wk at gnupg.org (Werner Koch)
Date: Tue, 03 Mar 2009 17:11:47 +0100
Subject: Copy subkeys to primary key
In-Reply-To: <498D56F8.8090603@ushills.co.uk> (Ian Hill's message of "Sat, 07 Feb 2009 09:40:08 +0000")
References: <498D56F8.8090603@ushills.co.uk>
Message-ID: <87zlg2egcc.fsf@wheatstone.g10code.de>

On Sat, 7 Feb 2009 10:40, ian at ushills.co.uk said:

> How can I combine them so I have one secret key with both the ELG and
> RSA subkeys under the primary key.

That is possible but requires some manual work. You need to use gpgsplit to break the keys into its parts and combine them later. Then, you need to create a new key binding signature. It is probably easier to create new subkeys and revoke the old subkeys on the other key.

IIRC, David posted a description to this ML some time ago; I don't have a reference handy, though.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Tue Mar 3 17:17:24 2009
From: wk at gnupg.org (Werner Koch)
Date: Tue, 03 Mar 2009 17:17:24 +0100
Subject: OpenPGP card not accessible; ctapi-driver option in gpg.conf does the job for me (with cyberjack reader)
In-Reply-To: <4992BF11.3050602@abwesend.de> (xri@abwesend.de's message of "Wed, 11 Feb 2009 13:05:37 +0100")
References: <4992BF11.3050602@abwesend.de>
Message-ID: <87vdqqeg2z.fsf@wheatstone.g10code.de>

On Wed, 11 Feb 2009 13:05, xri at abwesend.de said:

> I hope I can forward an argument for not dropping (direct?) support for
> CT/API readers in GnuPG too soon, as Werner often states (and as the
> ctapi-driver option is also marked as deprecated in the gpg man page).

Well, I have no immediate plans to drop the support but I can't test the ctAPI driver. Thus you are on your own if you want to use it.

> * gpg-agent.conf: disable-scdaemon <--- !!
> * gpg.conf: ctapi-driver libctapi-cyberjack.so reader-port 32768
> * gpg.conf: use-agent
>
> Maybe this can contribute to solve this kind of problem, which other
> users might have experienced, too - especially with their Reiner-SCT reader.

By disabling the SCdaemon, you use the code included in gpg 1.4. That is the same code as used in scdaemon. The problem you encountered is likely due to problems in Scdaemon 2.0.10 (or earlier). 2.0.11 fixes them for me.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From shavital at mac.com Tue Mar 3 18:17:08 2009
From: shavital at mac.com (Charly Avital)
Date: Tue, 03 Mar 2009 12:17:08 -0500
Subject: [Announce] GnuPG 2.0.11 released
In-Reply-To: <87sklug797.fsf@wheatstone.g10code.de>
References: <87sklug797.fsf@wheatstone.g10code.de>
Message-ID: <49AD6614.6020108@mac.com>

Werner Koch wrote:
> Hello!
>
> We are pleased to announce the availability of a new stable GnuPG-2
> release: Version 2.0.11.
>

Hi,

GnuPG v2.0.11 has been configured as follows:

    Platform:  GNU/Linux (x86_64-linux-gnu)
    OpenPGP:   yes
    S/MIME:    yes
    Agent:     yes
    Smartcard: yes (without internal CCID driver)
    Protect tool:      (default)
    Default agent:     (default)
    Default pinentry:  (default)
    Default scdaemon:  (default)
    Default dirmngr:   (default)

    ~$ gpg2 --version
    gpg (GnuPG) 2.0.11
    libgcrypt 1.4.4
    Copyright (C) 2009 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    Home: ~/.gnupg
    Supported algorithms:
    Pubkey: RSA, ELG, DSA
    Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
    Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
    Compression: Uncompressed, ZIP, ZLIB

    $ gpg-agent
    gpg-agent: gpg-agent running and available

Thank you Werner and the Team,

Charly

Ubuntu 8.10 64bits under VMware (MacOSX 10.5.6) - gpg 1.4.9 - gpg 2.0.11 - - Thunderbird 2.0.19 - Enigmail nightly 0.96a (20090301-0426) - 0xA57A8EFA

From jbruni at me.com Tue Mar 3 18:27:28 2009
From: jbruni at me.com (Joseph Oreste Bruni)
Date: Tue, 03 Mar 2009 10:27:28 -0700
Subject: auto key locate using keyid
Message-ID: <77428475326599506900235478394850809828-Webmail@me.com>

Is there a way to have GnuPG automatically retrieve a key for encryption similar to the way the "auto-key-locate" feature works, but when specifying a
keyid instead of an email address? For example, if someone has a key id, but not a key, I would like gpg to automatically pull the key from my configured key server.

Background: This is for an automated batch job. Signed keys are updated into our key server. I would like to be able to skip the step where I need to manually load the new key into the batch processor's keyring every time I receive a new key. Recipients are specified using KeyIDs which are stored in a database table based on a customer ID.

From jbruni at me.com Tue Mar 3 22:31:13 2009
From: jbruni at me.com (Joseph Oreste Bruni)
Date: Tue, 03 Mar 2009 14:31:13 -0700
Subject: surrendering one's passphrase to authorities
Message-ID: <63B6C107-1520-484F-9069-BBF387251B27@me.com>

http://www.theregister.co.uk/2009/03/03/encryption_password_ruling/

Hi List,

This article caught my eye. One of the things that I gleaned from the article is that it's obvious that law enforcement (at this level) does not have the ability to brute-force crack PGP encrypted data. Instead, the courts are attempting to force the surrender of the passphrase.

Apparently the issue has not yet been settled in the US. How are other countries' courts handling this?

-Joe

From jhs at berklix.org Tue Mar 3 23:04:54 2009
From: jhs at berklix.org (Julian Stacey)
Date: Tue, 03 Mar 2009 23:04:54 +0100
Subject: surrendering one's passphrase to authorities
In-Reply-To: Your message "Tue, 03 Mar 2009 14:31:13 MST." <63B6C107-1520-484F-9069-BBF387251B27@me.com>
Message-ID: <200903032204.n23M4s7h018116@fire.js.berklix.net>

Hi,
Reference:
> From: Joseph Oreste Bruni
> Date: Tue, 03 Mar 2009 14:31:13 -0700
> Message-id: <63B6C107-1520-484F-9069-BBF387251B27 at me.com>

Joseph Oreste Bruni wrote:
> http://www.theregister.co.uk/2009/03/03/encryption_password_ruling/
>
> Hi List,
>
> This article caught my eye.
> One of the things that I gleaned from the
> article is that it's obvious that law enforcement (at this level) does
> not have the ability to brute-force crack PGP encrypted data. Instead,
> the courts are attempting to force the surrender of the passphrase.
>
> Apparently the issue has not yet been settled in the US. How are other
> countries' courts handling this?

There's about 190 countries in the world. There'll be many national mail lists & webs eg http://ccc.de & forums that discuss encryption politics.

Hopefully this list will Not, & stick to just the international technology & ignore the politics & national laws, to keep the traffic down, & keep it internationally relevant. Not that the politics might not be interesting for a while, but it could easily bloat the list traffic.

Cheers,
Julian
--
Julian Stacey: BSDUnixLinux C Prog Admin SysEng Consult Munich www.berklix.com
Mail plain ASCII text. HTML & Base64 text are spam. www.asciiribbon.org

From dshaw at jabberwocky.com Tue Mar 3 23:12:23 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 3 Mar 2009 17:12:23 -0500
Subject: surrendering one's passphrase to authorities
In-Reply-To: <63B6C107-1520-484F-9069-BBF387251B27@me.com>
References: <63B6C107-1520-484F-9069-BBF387251B27@me.com>
Message-ID: <20090303221222.GA1374@jabberwocky.com>

On Tue, Mar 03, 2009 at 02:31:13PM -0700, Joseph Oreste Bruni wrote:
> http://www.theregister.co.uk/2009/03/03/encryption_password_ruling/
>
> Hi List,
>
> This article caught my eye. One of the things that I gleaned from the
> article is that it's obvious that law enforcement (at this level) does
> not have the ability to brute-force crack PGP encrypted data. Instead,
> the courts are attempting to force the surrender of the passphrase.

Well, maybe. It's also possible that law enforcement does have the ability to get into the encrypted data (by some means - I doubt brute force), but does not want the knowledge of that ability to be made public.
(Note, incidentally, that this seems to be the "PGP Whole Disk" product, rather than a PGP message, a la OpenPGP.) It's an odd case. Law enforcement *knows* what is on the laptop in this case. They saw it there before the computer was powered down (thus locking the drive). They are arguing over whether the protection against self-incrimination (part of the US Bill of Rights, for those who don't live here) even applies - after all, if law enforcement already knows what is there, revealing the contents does not incriminate. Anyway, I, of course, am not a lawyer. Instead, here is a discussion of this case from someone who is: http://volokh.com/posts/chain_1197670606.shtml David From dshaw at jabberwocky.com Tue Mar 3 23:18:33 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Tue, 3 Mar 2009 17:18:33 -0500 Subject: Copy subkeys to primary key In-Reply-To: <87zlg2egcc.fsf@wheatstone.g10code.de> References: <498D56F8.8090603@ushills.co.uk> <87zlg2egcc.fsf@wheatstone.g10code.de> Message-ID: <20090303221833.GB1374@jabberwocky.com> On Tue, Mar 03, 2009 at 05:11:47PM +0100, Werner Koch wrote: > On Sat, 7 Feb 2009 10:40, ian at ushills.co.uk said: > > > How can I combine them so I have one secret key with both the ELG and > > RSA subkeys under the primary key. > > That is possible but requires some manual work. You need to use > gpgsplit to break the keys into its parts and combine them later. Then, > you need to create a new key binding signature. It is probably easier > to create new subkeys and revoke the old subkeys on the other key. > > IIRC, David posted a description to this ML some time ago; I don't have > a reference handy, though. Is this combining two different secret keys (with different subkeys) or combining two copies of the same secret key (with different subkeys)? If we're talking about the same secret key in both cases, you can do it without any signature trickery. 
1) Export both secret keys into files

   gpg --export-secret-keys 86ECAC0B > first.gpg
   gpg --export-secret-keys --secret-keyring secold.gpg 490CC343 > second.gpg

2) Run gpgsplit on the second file.

   gpgsplit second.gpg

3) Delete the parts you don't want. You only want the subkeys, so delete everything until the first secret subkey packet (i.e. if the first secret subkey is 000004, then delete 000001, 000002, and 000003).

4) Merge the keys:

   cat first.gpg 00000* > newkey.gpg

5) Delete the current secret key

   gpg --delete-secret-key 86ECAC0B

6) Bring in the merged key:

   gpg --import newkey.gpg

Obviously, make a backup first!

David

From gerry.lowry at abilitybusinesscomputerservices.com Tue Mar 3 23:37:54 2009
From: gerry.lowry at abilitybusinesscomputerservices.com (gerry_lowry (alliston ontario canada))
Date: Tue, 3 Mar 2009 17:37:54 -0500
Subject: surrendering one's passphrase to authorities
References: <63B6C107-1520-484F-9069-BBF387251B27@me.com>
Message-ID: <038A83E339EF43A6AD8935D64B91FF53@zentrumvegan>

unfortunately, it's likely that certain countries handle this using torture.

From rjh at sixdemonbag.org Wed Mar 4 00:26:21 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 03 Mar 2009 18:26:21 -0500
Subject: surrendering one's passphrase to authorities
In-Reply-To: <63B6C107-1520-484F-9069-BBF387251B27@me.com>
References: <63B6C107-1520-484F-9069-BBF387251B27@me.com>
Message-ID: <49ADBC9D.7040006@sixdemonbag.org>

Joseph Oreste Bruni wrote:
> it's obvious that law enforcement (at this level) does
> not have the ability to brute-force crack PGP encrypted data.

That capability would literally be worth people's lives. It makes no sense to think that they would reveal that capability just to bag a run-of-the-mill child porn aficionado. It seems rash to draw that conclusion from the offered data.

> Apparently the issue has not yet been settled in the US. How are other
> countries' courts handling this?
For the UK, I believe the Regulation of Investigatory Powers Act (RIPA) is still in effect. Quite a ghastly bill, really. From atom at smasher.org Wed Mar 4 00:04:33 2009 From: atom at smasher.org (Atom Smasher) Date: Wed, 4 Mar 2009 12:04:33 +1300 (NZDT) Subject: surrendering one's passphrase to authorities In-Reply-To: <20090303221222.GA1374@jabberwocky.com> References: <63B6C107-1520-484F-9069-BBF387251B27@me.com> <20090303221222.GA1374@jabberwocky.com> Message-ID: <20090303230437.69854.qmail@smasher.org> On Tue, 3 Mar 2009, David Shaw wrote: >> This article caught my eye. One of the things that I gleaned from the >> article is that it's obvious that law enforcement (at this level) does >> not have the ability to brute-force crack PGP encrypted data. Instead, >> the courts are attempting to force the surrender of the passphrase. > > Well, maybe. It's also possible that law enforcement does have the > ability to get into the encrypted data (by some means - I doubt brute > force), but does not want the knowledge of that ability to be made > public. =================== i would think the FBI (presuming that they're involved) would be able to brute-force a pass-phrase in less than a year. they have the disk, so in all likelihood the weakest link in the chain is the pass-phrase (and that's assuming that there's no cache/tmp files that are not encrypted). does anyone know details about PGPDisk's string-to-key algorithm(s)? kid porn makes this an interesting edge case, because people (judges and juries included) are more likely to ignore the established protections of the 5th amendment (which, IMHO, should apply even to alleged scum or it's meaningless). my suspicion is that authorities have already decrypted the contents of the disk (unless the guy was using a *really* strong pass-phrase) and the case is being pushed to make a precedent out of "sometimes it's ok to ignore the 5th amendment". 
-- ...atom ________________________ http://atom.smasher.org/ 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "Religion is what keeps the poor from murdering the rich." -- Napoleon Bonaparte From rjh at sixdemonbag.org Wed Mar 4 00:40:18 2009 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 03 Mar 2009 18:40:18 -0500 Subject: surrendering one's passphrase to authorities In-Reply-To: <20090303230437.69854.qmail@smasher.org> References: <63B6C107-1520-484F-9069-BBF387251B27@me.com> <20090303221222.GA1374@jabberwocky.com> <20090303230437.69854.qmail@smasher.org> Message-ID: <49ADBFE2.7020004@sixdemonbag.org> Atom Smasher wrote: > i would think the FBI (presuming that they're involved) would be able to > brute-force a pass-phrase in less than a year. they have the disk, so in > all likelihood the weakest link in the chain is the pass-phrase (and > that's assuming that there's no cache/tmp files that are not encrypted). > does anyone know details about PGPDisk's string-to-key algorithm(s)? Yes. It's the same as the S2K in OpenPGP, last I checked -- which is specifically designed to make brute forcers slow. Let's say the guy has a passphrase with 64 bits of entropy. Assume you have a massively distributed network and some truly cutting-edge math, you could probably do it in two solid years of work. The RC5 project on distributed.net took 18 months to do 64 bits, but RC5 wasn't designed to be very slow to rekey. Now consider just how many 64-bit keys the US government would like to crack. It probably numbers in the millions. Now consider how high this guy's passphrase stands in the to-do list. 
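The remark above that OpenPGP's S2K is built to slow down passphrase guessing, as an added example that is not part of the original thread: a Python sketch of the iterated and salted S2K from RFC 4880 section 3.7.1.3, with a rough estimate of what each guess costs. It models the OpenPGP S2K only and does not reproduce PGP Whole Disk's on-disk format; the function names, salt and passphrases are constructed for illustration.

```python
"""OpenPGP iterated+salted S2K (RFC 4880, 3.7.1.3) and the cost it puts on a guesser."""
import hashlib
import time


def decode_count(c: int) -> int:
    """Expand the one-octet coded count into the number of octets to hash."""
    if not 0 <= c <= 255:
        raise ValueError("coded count must fit in one octet")
    return (16 + (c & 15)) << ((c >> 4) + 6)


def s2k_iterated_salted(passphrase: bytes, salt: bytes, count: int,
                        key_len: int, hash_name: str = "sha1") -> bytes:
    """Derive key_len octets by hashing salt+passphrase repeated up to count octets."""
    if len(salt) != 8:
        raise ValueError("an OpenPGP S2K salt is exactly 8 octets")
    data = salt + passphrase
    # The whole salt+passphrase is always hashed at least once.
    count = max(count, len(data))
    # Feed the hash in large slices that are whole multiples of data.
    chunk = data * max(1, 65536 // len(data))
    key = b""
    preload = 0
    while len(key) < key_len:
        # Extra hash contexts are preloaded with 0, 1, 2, ... zero octets.
        h = hashlib.new(hash_name)
        h.update(b"\x00" * preload)
        remaining = count
        while remaining >= len(chunk):
            h.update(chunk)
            remaining -= len(chunk)
        h.update(chunk[:remaining])
        key += h.digest()
        preload += 1
    return key[:key_len]


def expected_seconds(entropy_bits: int, guesses_per_second: float) -> float:
    """Average time to hit a passphrase drawn uniformly from 2**entropy_bits."""
    return 2 ** (entropy_bits - 1) / guesses_per_second


def time_one_guess(coded_count: int, rounds: int = 3) -> float:
    """Measured seconds per S2K derivation on this machine (one core)."""
    salt = bytes(range(8))  # constructed salt
    octets = decode_count(coded_count)
    start = time.perf_counter()
    for i in range(rounds):
        s2k_iterated_salted(b"constructed guess %d" % i, salt, octets, 16)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    year = 365.25 * 24 * 3600
    # 96 decodes to 65536 octets, 255 is the largest coded count.
    for coded in (96, 255):
        per_guess = time_one_guess(coded)
        rate = 1.0 / per_guess
        print(f"coded count {coded}: {decode_count(coded)} octets hashed, "
              f"{rate:,.0f} guesses/s on one core of this machine")
        # Single-core Python figures, not a model of any real attacker's hardware.
        for bits in (40, 64):
            years = expected_seconds(bits, rate) / year
            print(f"  {bits}-bit passphrase: about {years:.3g} core-years on average")
```

The salt defeats precomputed tables and the count multiplies the work of every single guess, so the passphrase's entropy and the coded count together set the price of an offline search.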
From richard.ibbotson at gmail.com Wed Mar 4 00:36:11 2009 From: richard.ibbotson at gmail.com (Richard Ibbotson) Date: Tue, 3 Mar 2009 23:36:11 +0000 Subject: surrendering one's passphrase to authorities In-Reply-To: <49ADBC9D.7040006@sixdemonbag.org> References: <63B6C107-1520-484F-9069-BBF387251B27@me.com> <49ADBC9D.7040006@sixdemonbag.org> Message-ID: <200903032336.11855.richard.ibbotson@gmail.com> On Tuesday 03 March 2009 23:26:21 Robert J. Hansen wrote: > For the UK, I believe the Regulation of Investigatory Powers Act > (RIPA) is still in effect. Quite a ghastly bill, really. Yes. Lot like being tortured ;) -- Richard From richard.ibbotson at gmail.com Wed Mar 4 00:41:40 2009 From: richard.ibbotson at gmail.com (Richard Ibbotson) Date: Tue, 3 Mar 2009 23:41:40 +0000 Subject: surrendering one's passphrase to authorities In-Reply-To: <49ADBC9D.7040006@sixdemonbag.org> References: <63B6C107-1520-484F-9069-BBF387251B27@me.com> <49ADBC9D.7040006@sixdemonbag.org> Message-ID: <200903032341.40602.richard.ibbotson@gmail.com> On Tuesday 03 March 2009 23:26:21 Robert J. Hansen wrote: > For the UK, I believe the Regulation of Investigatory Powers Act > (RIPA) is still in effect. Quite a ghastly bill, really. Yes. Lot like being tortured ;) -- Richard From John at Mozilla-Enigmail.org Wed Mar 4 01:08:33 2009 From: John at Mozilla-Enigmail.org (John Clizbe) Date: Tue, 03 Mar 2009 18:08:33 -0600 Subject: surrendering one's passphrase to authorities In-Reply-To: <038A83E339EF43A6AD8935D64B91FF53@zentrumvegan> References: <63B6C107-1520-484F-9069-BBF387251B27@me.com> <038A83E339EF43A6AD8935D64B91FF53@zentrumvegan> Message-ID: <49ADC681.3030904@Mozilla-Enigmail.org> gerry_lowry (alliston ontario canada) wrote: > unfortunately, it's likely that certain countries handle this using torture. Folks on this list have said for years that rubber-hose key extraction is orders of magnitude faster than brute-force computation. -- John P. 
Clizbe Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO.
hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP
Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"

From atom at smasher.org Wed Mar 4 01:11:31 2009
From: atom at smasher.org (Atom Smasher)
Date: Wed, 4 Mar 2009 13:11:31 +1300 (NZDT)
Subject: surrendering one's passphrase to authorities
In-Reply-To: <49ADBFE2.7020004@sixdemonbag.org>
References: <63B6C107-1520-484F-9069-BBF387251B27@me.com> <20090303221222.GA1374@jabberwocky.com> <20090303230437.69854.qmail@smasher.org> <49ADBFE2.7020004@sixdemonbag.org>
Message-ID: <20090304001134.333.qmail@smasher.org>

On Tue, 3 Mar 2009, Robert J. Hansen wrote:

> Yes. It's the same as the S2K in OpenPGP, last I checked -- which is
> specifically designed to make brute forcers slow.
>
> Let's say the guy has a passphrase with 64 bits of entropy. Assume you
> have a massively distributed network and some truly cutting-edge math,
> you could probably do it in two solid years of work. The RC5 project on
> distributed.net took 18 months to do 64 bits, but RC5 wasn't designed to
> be very slow to rekey.
>
> Now consider just how many 64-bit keys the US government would like to
> crack. It probably numbers in the millions.
>
> Now consider how high this guy's passphrase stands in the to-do list.
==================

most people don't use pass-phrases that strong.
in any case, we're talking about something that can realistically be broken in a reasonable amount of time (compared to several times the age of the universe) using real-world technology, not like trying to crack a message that was intercepted on the wire, and encrypted with 4096 RSA or a 256bit twofish.

--
...atom

 ________________________
 http://atom.smasher.org/
 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
 -------------------------------------------------

"Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so."
 -- Douglas Adams, Last Chance to See

From dshaw at jabberwocky.com Wed Mar 4 01:21:46 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 3 Mar 2009 19:21:46 -0500
Subject: surrendering one's passphrase to authorities
In-Reply-To: <49ADC681.3030904@Mozilla-Enigmail.org>
References: <63B6C107-1520-484F-9069-BBF387251B27@me.com> <038A83E339EF43A6AD8935D64B91FF53@zentrumvegan> <49ADC681.3030904@Mozilla-Enigmail.org>
Message-ID:

On Mar 3, 2009, at 7:08 PM, John Clizbe wrote:

> gerry_lowry (alliston ontario canada) wrote:
>> unfortunately, it's likely that certain countries handle this using
>> torture.
>
> Folks on this list have said for years that rubber-hose key extraction
> is orders of magnitude faster than brute-force computation.

... and cue the XKCD: http://www.xkcd.com/538/

David

From rjh at sixdemonbag.org Wed Mar 4 01:31:03 2009
From: rjh at sixdemonbag.org (Robert J.
Hansen) Date: Tue, 03 Mar 2009 19:31:03 -0500 Subject: surrendering one's passphrase to authorities In-Reply-To: <20090304001134.333.qmail@smasher.org> References: <63B6C107-1520-484F-9069-BBF387251B27@me.com> <20090303221222.GA1374@jabberwocky.com> <20090303230437.69854.qmail@smasher.org> <49ADBFE2.7020004@sixdemonbag.org> <20090304001134.333.qmail@smasher.org> Message-ID: <49ADCBC7.9030000@sixdemonbag.org> Atom Smasher wrote: > most people don't use pass-phrases that strong. Let me see if I have this clear: - He knew he was approaching a border - He knew he had child porn on his system - He knew his laptop might be searched at the border - And you think, knowing all this, he'd use a weak passphrase? > in any case, we're talking about something that can realistically be > broken in a reasonable amount of time If you're talking about a chump who hasn't bothered to think things through, sure. From dshaw at jabberwocky.com Wed Mar 4 01:34:12 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Tue, 3 Mar 2009 19:34:12 -0500 Subject: surrendering one's passphrase to authorities In-Reply-To: <20090303230437.69854.qmail@smasher.org> References: <63B6C107-1520-484F-9069-BBF387251B27@me.com> <20090303221222.GA1374@jabberwocky.com> <20090303230437.69854.qmail@smasher.org> Message-ID: <3805B663-B29F-428F-AE85-04EA0C0BADB7@jabberwocky.com> On Mar 3, 2009, at 6:04 PM, Atom Smasher wrote: > On Tue, 3 Mar 2009, David Shaw wrote: > >>> This article caught my eye. One of the things that I gleaned from >>> the article is that it's obvious that law enforcement (at this >>> level) does not have the ability to brute-force crack PGP >>> encrypted data. Instead, the courts are attempting to force the >>> surrender of the passphrase. >> >> Well, maybe. It's also possible that law enforcement does have the >> ability to get into the encrypted data (by some means - I doubt >> brute force), but does not want the knowledge of that ability to be >> made public. 
> =================== > > i would think the FBI (presuming that they're involved) would be > able to brute-force a pass-phrase in less than a year. they have the > disk, so in all likelihood the weakest link in the chain is the pass- > phrase (and that's assuming that there's no cache/tmp files that are > not encrypted). Good point. I was thinking about the session key, which is basically brute forcing proof. The passphrase would indeed be an easier attack. The lawyer discussion I posted (http://volokh.com/posts/chain_1197670606.shtml ) suggests that law enforcement did try to "guess" (his word) the passphrase. Guessing could be anything from trying two or three passphrases before giving up to running a list of common passphrases against it. For all we know, they're still running the passphrase guesser right now. David From dshaw at jabberwocky.com Wed Mar 4 01:58:31 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Tue, 3 Mar 2009 19:58:31 -0500 Subject: surrendering one's passphrase to authorities In-Reply-To: <49ADCBC7.9030000@sixdemonbag.org> References: <63B6C107-1520-484F-9069-BBF387251B27@me.com> <20090303221222.GA1374@jabberwocky.com> <20090303230437.69854.qmail@smasher.org> <49ADBFE2.7020004@sixdemonbag.org> <20090304001134.333.qmail@smasher.org> <49ADCBC7.9030000@sixdemonbag.org> Message-ID: <20090304005831.GA2886@jabberwocky.com> On Tue, Mar 03, 2009 at 07:31:03PM -0500, Robert J. Hansen wrote: > Atom Smasher wrote: > > most people don't use pass-phrases that strong. > > Let me see if I have this clear: > > - He knew he was approaching a border > - He knew he had child porn on his system > - He knew his laptop might be searched at the border > - And you think, knowing all this, he'd use a weak passphrase? This particular fellow was not necessarily the brightest bulb in the bunch. 
Remember that he also waived his Miranda rights (for the non US readers: see Wikipedia for the details, but this is the "You have the right to remain silent, etc" speech that you've probably seen on US television and movies), and willingly showed the decrypted disk, child porn and all to the border agents. It was only after his arrest and the accidental re-encryption of the disk did this passphrase issue arise.

> > in any case, we're talking about something that can realistically be
> > broken in a reasonable amount of time
>
> If you're talking about a chump who hasn't bothered to think things
> through, sure.

There is, of course, a dramatic difference between how someone may act when they're setting up their encryption at home and have time to think things through, and how they may act when caught transporting child porn over a border. Even so, there are many things he could have done to try and hide his illegal material *before* approaching the border.

David

From lurkos.usenet at gmail.com Wed Mar 4 01:58:09 2009
From: lurkos.usenet at gmail.com (Lurkos)
Date: Wed, 4 Mar 2009 01:58:09 +0100
Subject: gpgsm key creation problem
Message-ID: <75b21f2f0903031658s53146722y87af64eebc79bb8c@mail.gmail.com>

I'm new in gpgsm and I would like to test X.509 and S/MIME style encryption. Then I tried the "classical" --gen-key option to generate a new keypair, but this error appears. What's wrong?

$ gpgsm --gen-key
gpgsm (GnuPG) 2.0.7; Copyright (C) 2007 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA
   (2) Existing key
   (3) Existing key from card
Your selection? 1
What keysize do you want? (2048)
Requested keysize is 2048 bits
Possible actions for a RSA key:
   (1) sign, encrypt
   (2) sign
   (3) encrypt
Your selection? 1
Enter the X.509 subject name: CN=Test
Enter email addresses (end with an empty line):
> test at test.invalid
>
Enter DNS names (optional; end with an empty line):
>
Enter URIs (optional; end with an empty line):
>
Parameters to be used for the certificate request:
    Key-Type: RSA
    Key-Length: 2048
    Key-Usage: sign, encrypt
    Name-DN: CN=Test
    Name-Email: test at test.invalid

Really create request? (y/N) y
Now creating certificate request. This may take a while ...
gpgsm: line 1: key generation failed: Unknown IPC command
gpgsm: error creating certificate request: Unknown IPC command

From dshaw at jabberwocky.com Wed Mar 4 05:58:50 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 3 Mar 2009 23:58:50 -0500
Subject: auto key locate using keyid
In-Reply-To: <77428475326599506900235478394850809828-Webmail@me.com>
References: <77428475326599506900235478394850809828-Webmail@me.com>
Message-ID:

On Mar 3, 2009, at 12:27 PM, Joseph Oreste Bruni wrote:

> Is there a way to have GnuPG automatically retrieve a key for
> encryption similar to the way the "auto-key-locate" feature works,
> but when specifying a keyid instead of an email address? For
> example, if someone has a key id, but not a key, I would like gpg to
> automatically pull the key from my configured key server.

This is not currently possible. It seems like it should be (the principle of least surprise dictates that it should work with anything that can be passed to '-r'). Let me think about this a bit.

David

From wk at gnupg.org Wed Mar 4 10:35:39 2009
From: wk at gnupg.org (Werner Koch)
Date: Wed, 04 Mar 2009 10:35:39 +0100
Subject: gpgsm key creation problem
In-Reply-To: <75b21f2f0903031658s53146722y87af64eebc79bb8c@mail.gmail.com> (lurkos.usenet@gmail.com's message of "Wed, 4 Mar 2009 01:58:09 +0100")
References: <75b21f2f0903031658s53146722y87af64eebc79bb8c@mail.gmail.com>
Message-ID: <877i35eil0.fsf@wheatstone.g10code.de>

On Wed, 4 Mar 2009 01:58, lurkos.usenet at gmail.com said:

> I'm new in gpgsm and I would like to test X.509 and S/MIME style encryption.
> Then I tried the "classical" --gen-key option to generate a new
> keypair, but this error appears.
> What's wrong?

> gpgsm: line 1: key generation failed: Unknown IPC command

Most likely the gpg-agent is not running or not properly installed. Check the manual on how to install the gpg-agent. A quick test to see whether the gpg-agent is working is to run gpg-agent without any options.

You may want to configure a log file for the gpg-agent to see what is going on. Put these lines into ~/.gnupg/gpg-agent.conf before starting gpg-agent:

======
log-file /somewhere/gpg-agent.log
debug 1024
verbose
=======

In the log you should see a "GENKEY" command.

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.

From wk at gnupg.org Wed Mar 4 10:51:39 2009
From: wk at gnupg.org (Werner Koch)
Date: Wed, 04 Mar 2009 10:51:39 +0100
Subject: auto key locate using keyid
In-Reply-To: (David Shaw's message of "Tue, 3 Mar 2009 23:58:50 -0500")
References: <77428475326599506900235478394850809828-Webmail@me.com>
Message-ID: <873adtehuc.fsf@wheatstone.g10code.de>

On Wed, 4 Mar 2009 05:58, dshaw at jabberwocky.com said:

> This is not currently possible. It seems like it should be (the
> principle of least surprise dictates that it should work with anything
> that can be passed to '-r').

The reason it works only with mail addresses is that I don't see an application case for anything else.
Gpg is most commonly used for email encryption and here you need an email address anyway. --auto-key-locate makes this case easy by retrieving a corresponding key. If you have the case that you need to encrypt to a key which has no email address included or not the one you want, you need some kind of mapping. I usually do this with the group option. Any automatic mapping will be hard to do because there is no clear way to associate a keyid with an email address. For file encryption it should not be too much work to first fetch the key and then use it. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From mwood at IUPUI.Edu Wed Mar 4 15:02:42 2009 From: mwood at IUPUI.Edu (Mark H. Wood) Date: Wed, 4 Mar 2009 09:02:42 -0500 Subject: surrendering one's passphrase to authorities In-Reply-To: <20090303221222.GA1374@jabberwocky.com> References: <63B6C107-1520-484F-9069-BBF387251B27@me.com> <20090303221222.GA1374@jabberwocky.com> Message-ID: <20090304140242.GA25216@IUPUI.Edu> On Tue, Mar 03, 2009 at 05:12:23PM -0500, David Shaw wrote: > It's an odd case. Law enforcement *knows* what is on the laptop in > this case. They saw it there before the computer was powered down > (thus locking the drive). They are arguing over whether the > protection against self-incrimination (part of the US Bill of Rights, > for those who don't live here) even applies - after all, if law > enforcement already knows what is there, revealing the contents does > not incriminate. I don't quite grasp the nuances of whether entering a password is or is not in itself testimony. But one interesting aspect here is that, until the drive is decrypted, its contents cannot become evidence, and the government is left with only the testimony of the border control officers as to what might be contained in the defendant's property. If the drive cannot be examined by the court, the government's case is somewhat weaker. 
So that's one non-ulterior motive for wanting the password entered. It matters less, in court, what LE know, than what they can demonstrate.

This of course does not dispose of other possible motives.

--
Mark H. Wood, Lead System Programmer mwood at IUPUI.Edu
Friends don't let friends publish revisable-form documents.

From vedaal at hush.com Wed Mar 4 16:38:23 2009
From: vedaal at hush.com (vedaal at hush.com)
Date: Wed, 04 Mar 2009 10:38:23 -0500
Subject: surrendering one's passphrase to authorities
Message-ID: <20090304153823.548F81A003E@smtp.hushmail.com>

>Date: Tue, 3 Mar 2009 19:21:46 -0500
>From: David Shaw
>Subject: Re: surrendering one's passphrase to authorities

>> Folks on this list have said for years that rubber-hose key extraction
>> is orders of magnitude faster than brute-force computation.
>
>... and cue the XKCD: http://www.xkcd.com/538/

well, here is another aspect of a 'crypto-nerd's' imagination ;-) :

suppose the goal would be to design an encrypted laptop where even authorities willing to use torture, would concede that the contents are not decryptable and that no information would be obtainable by even the most effective torture, how would one go about it?

possible suggestion:

[1] encrypt the drive to a passphrase and also a smart-card (let's dream and make the smart-card 4k rsa or better ;-) )

(and as long as we're dreaming anyway ... ;-) )

[2] allow the smart-card to be identifiable by the laptop as the correct one, with a unique identifier code when inserted into the laptop

[3] enable the smart-card with a data self-erase, and data self-destruct mechanism, but leaving the identifier intact

[4] once the smart-card has the self-erase and self-destruct mechanism activated by the bearer, the laptop bearer can surrender the smart-card, the laptop reads it and reports:

*** smart-card identity verified ***
*** smart-card passphrase unreadable ***
*** smart-card 'Self-Destruct Hardware' (Tm, copyleft GPL) was activated
*** smart-card no longer functional ***
*** decryption no longer possible ***

and while the authorities might be tempted to vengefully harm the bearer, it would be clear that they would be unable to access the laptop through torture

vedaal

any ads or links below this message are added by hushmail without my endorsement or awareness of the nature of the link

From gerry.lowry at abilitybusinesscomputerservices.com Wed Mar 4 18:05:58 2009
From: gerry.lowry at abilitybusinesscomputerservices.com (gerry_lowry (alliston ontario canada))
Date: Wed, 4 Mar 2009 12:05:58 -0500
Subject: surrendering one's passphrase to authorities
References: <20090304153823.548F81A003E@smtp.hushmail.com>
Message-ID:

on vedaal's laptop design ...

[5] marry the drive to the motherboard so that removing the drive to another computer would cause the drive to self destruct.

[6] design the drive as a secondary only never bootable drive; its sister drive would carry the O/S and detect any O/S tampering; the data drive would use non standard logical and physical architecture to require specialized drivers in order to be accessed, i.e., no generic access.

[7] design the drive to fail if physically opened or probed.

[8] design the drive to be not probable by any form of hands off electronic eavesdropping.

[9] remove dependency of need [4] destruct activation by any human.

[10] destruct the drive immediately if the smart card is yanked out improperly; probably removal should be almost equally brief, example: Ctrl+x, Ctrl+y,Ctrl+z, where x, y, and z are user configurable.

[11] find financing for this technology.

gerry

P.S.: "Cryptonomicon", Neal Stephenson, ISBN: 9780060512804; ISBN10: 0060512806; http://www.harpercollins.com/books/9780060512804/Cryptonomicon/index.aspx The "... crypto-hacker grandson, Randy" character, "is attempting to create ... a place where encrypted data can be stored and exchanged free of repression and scrutiny"; there are some interesting laptop related ideas in the novel; also, the book uses in its plot a deck of cards for passing encrypted messages back and forth undetected; there is also an appendix that describes the algorithm for using the deck of cards; that appendix and algorithm design was created by Bruce Schneier, example: http://www.jera.com/solitaire/ "Solitaire for KJava home page"; especially see http://www.schneier.com/solitaire.html "The Solitaire Encryption Algorithm", version 1.2, 5/26/99.

From dshaw at jabberwocky.com Wed Mar 4 19:43:30 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed, 4 Mar 2009 13:43:30 -0500
Subject: auto key locate using keyid
In-Reply-To: <873adtehuc.fsf@wheatstone.g10code.de>
References: <77428475326599506900235478394850809828-Webmail@me.com> <873adtehuc.fsf@wheatstone.g10code.de>
Message-ID: <20090304184330.GB4055@jabberwocky.com>

On Wed, Mar 04, 2009 at 10:51:39AM +0100, Werner Koch wrote:
> On Wed, 4 Mar 2009 05:58, dshaw at jabberwocky.com said:
>
> > This is not currently possible. It seems like it should be (the
> > principle of least surprise dictates that it should work with anything
> > that can be passed to '-r').
>
> The reason it works only with mail addresses is that I don't see an
> application case for anything else. Gpg is most commonly used for email
> encryption and here you need an email address anyway. --auto-key-locate
> makes this case easy by retrieving a corresponding key.

GPG does not strongly distinguish between these cases - either way, the message is encrypted to the specified key, however that key is located (by address or by keyid).

auto-key-locate grew out of the PKA and CERT feature. When I generalized it for PKA, CERT, and (automatic) LDAP, it grew the ability to query any arbitrary keyserver. To be sure, some of those methods only could work with an email address. PKA, CERT, and automatic LDAP rely on an email address to find the key. There is no concept of a keyid there. Keyservers, however, can accept either one. (CERT actually allows for keyids in the protocol too, but GPG doesn't implement that part).

So, assuming "auto-key-locate hkp://keys.gnupg.net" (or similar), the surprise is that this works:

   gpg -r the-address at example.com -e the-file.txt

But this does not:

   gpg -r 0x12345678 -e the-file.txt

You can even extend the use case to stuff like:

   auto-key-locate ldap://my-company-keyserver hkp://keys.gnupg.net ldap://keyserver.pgp.com

And they will be tried in order until one of them succeeds. While most keyservers synch, a local company keyserver likely would not, and things like PGP's global directory can't synch by their nature.
David From dshaw at jabberwocky.com Wed Mar 4 20:36:01 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Wed, 4 Mar 2009 14:36:01 -0500 Subject: surrendering one's passphrase to authorities In-Reply-To: <20090304153823.548F81A003E@smtp.hushmail.com> References: <20090304153823.548F81A003E@smtp.hushmail.com> Message-ID: <20090304193601.GC4055@jabberwocky.com> On Wed, Mar 04, 2009 at 10:38:23AM -0500, vedaal at hush.com wrote: > >Date: Tue, 3 Mar 2009 19:21:46 -0500 > >From: David Shaw > >Subject: Re: surrendering one's passphrase to authorities > > >> Folks on this list have said for years that rubber-hose key > >extraction > >> is orders of magnitude faster than brute-force computation. > > > >... and cue the XKCD: http://www.xkcd.com/538/ > > > well, here is another aspect of a 'crypto-nerd's' imagination ;-) : > > suppose the goal would be to design an encrypted laptop where even > authorities willing to use torture, would concede that the contents > are not decryptable and that no information would be obtainable by > even the most effective torture, > how would one go about it? Why do you assume they wouldn't torture you anyway? ("Reveal your backups to us!" "I didn't keep backups!" "We don't believe you!") After a news story like this, there is often a thread about technical solutions to the problem (more encryption, better key management, using hidden partitions that decrypt to pictures of puppies and flowers instead of the illegal content when a different passphrase is given, etc). 

I suspect things would go rather like this:
http://www.mail-archive.com/cryptography at metzdowd.com/msg10391.html

David

From John at Mozilla-Enigmail.org Wed Mar 4 20:40:09 2009
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Wed, 04 Mar 2009 13:40:09 -0600
Subject: surrendering one's passphrase to authorities
In-Reply-To:
References: <20090304153823.548F81A003E@smtp.hushmail.com>
Message-ID: <49AED919.7020905@Mozilla-Enigmail.org>

gerry_lowry (alliston ontario canada) wrote:
> on vedaal's laptop design ...
>
> [5]  marry the drive to the motherboard so that removing the drive
>      to another computer would cause the drive to self destruct.
>
> [6]  design the drive as a secondary only never bootable drive;
>      its sister drive would carry the O/S and detect any O/S
>      tampering; the data drive would use non standard
>      logical and physical architecture to require specialized
>      drivers in order to be accessed, i.e., no generic access.
>
> [7]  design the drive to fail if physically opened or probed.
>
> [8]  design the drive to be not probable by any form of hands off
>      electronic eavesdropping.
>
> [9]  remove dependency of need [4] destruct activation by any human.
>
> [10] destruct the drive immediately if the smart card is yanked out
>      improperly; probably removal should be almost equally brief, example:
>      Ctrl+x, Ctrl+y,Ctrl+z, where x, y, and z are user configurable.
>
> [11] find financing for this technology.
>
> gerry
>
> P.S.:  "Cryptonomicon", Neal Stephenson, ISBN: 9780060512804; ISBN10: 0060512806;
>    http://www.harpercollins.com/books/9780060512804/Cryptonomicon/index.aspx
>    The "... crypto-hacker grandson, Randy" character, "is attempting to create ... a
>    place where encrypted data can be stored and exchanged free of repression and scrutiny";
>    there are some interesting laptop related ideas in the novel; also, the book uses in
>    its plot a deck of cards for passing encrypted messages back and forth undetected;
>    there is also an appendix that describes the algorithm for using the deck of cards;
>    that appendix and algorithm design was created by Bruce Schneier, example:
>    http://www.jera.com/solitaire/ "Solitaire for KJava home page"; especially see
>    http://www.schneier.com/solitaire.html "The Solitaire Encryption Algorithm", version 1.2, 5/26/99.

This is being heavily discussed over on the [Cryptography] list (Judge
orders defendant to decrypt PGP-protected laptop).

Perry Metzger, the list moderator, shared a very apt insight:

The judge doesn't "need" to know the difference to beyond any doubt.
If the judge thinks you're holding out, you go to jail for contempt.

Geeks expect, far too frequently, that courts operate like Turing
machines, literally interpreting the laws and accepting the slightest
legal "hack" unconditionally without human consideration of the impact
of the interpretation. This is not remotely the case.

I'll repeat: the law is not like a computer program. Courts operate on
reasonableness standards and such, not on literal interpretation of
the law. If it is obvious to you and me that a disk has multiple
encrypted views, then you can't expect that a court will not be able
to understand this and take appropriate action, like putting you in a
cage.

This is also a VERY narrowly defined decision, based on what the
defendant already showed ICE (US Customs) officers at the border.

--
John P. Clizbe                      Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net  or
     mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"

From felipe.alvarez at gmail.com Wed Mar 4 23:01:53 2009
From: felipe.alvarez at gmail.com (Felipe Alvarez)
Date: Thu, 5 Mar 2009 08:01:53 +1000
Subject: gpg-agent acting funny
Message-ID:

Hi all. I'm new here, so please be gentle =). I've read the information
about getting gpg-agent to work. I don't use X, but I login remotely
with ssh (publickey authentication). My gpg-agent is acting funny.

after ssh login, I get this error
--
felipe@suse-amd:~> gpg-agent
gpg-agent[32408]: can't connect to `/home/felipe/.gnupg/S.gpg-agent': No such file or directory
gpg-agent: can't connect to the agent: Invalid value passed to IPC
--

Here is a copy of my ~/.profile
--
felipe@suse-amd:~> cat .profile
# Sample .profile for SuSE Linux
# rewritten by Christian Steinruecken
#
# This file is read each time a login shell is started.
# All other interactive shells will only read .bashrc; this is particularly
# important for language settings, see below.

test -z "$PROFILEREAD" && . /etc/profile || true

# Most applications support several languages for their output.
# To make use of this feature, simply uncomment one of the lines below or
# add your own one (see /usr/share/locale/locale.alias for more codes)
# This overwrites the system default set in /etc/sysconfig/language
# in the variable RC_LANG.
#
#export LANG=de_DE.UTF-8        # uncomment this line for German output
#export LANG=fr_FR.UTF-8        # uncomment this line for French output
#export LANG=es_ES.UTF-8        # uncomment this line for Spanish output

# Some people don't like fortune. If you uncomment the following lines,
# you will have a fortune each time you log in ;-)

#if [ -x /usr/bin/fortune ] ; then
#    echo
#    /usr/bin/fortune
#    echo
#fi

export PATH=$PATH:/usr/sbin:/sbin

if test -f $HOME/.gnupg/.gpg-agent-info &&
   kill -0 $(cut -d: -f 2 $HOME/.gnupg/.gpg-agent-info) 2>/dev/null; then
    GPG_AGENT_INFO=$(cat $HOME/.gnupg/.gpg-agent-info)
    export GPG_AGENT_INFO
else
    eval $(/usr/bin/gpg-agent --sh --daemon --write-env-file $HOME/.gnupg/.gpg-agent-info)
fi
--

I am using gpg 2.0.10, and opensuse 11.0. Does anyone know what I am
doing wrong?

--
felipe@suse-amd:~> ls -l .gnupg/
total 32
-rw------- 1 felipe users 7818 2009-02-23 05:02 gpg.conf
drwx------ 2 felipe users 4096 2009-02-23 05:03 private-keys-v1.d
-rw------- 1 felipe users 2485 2009-02-23 06:54 pubring.gpg
-rw------- 1 felipe users 2485 2009-02-23 06:44 pubring.gpg~
-rw------- 1 felipe users  600 2009-02-28 21:06 random_seed
-rw------- 1 felipe users 1363 2009-02-23 05:17 secring.gpg
-rw------- 1 felipe users 1360 2009-02-23 06:54 trustdb.gpg
--

Thanks for reading!

Felipe

From rjh at sixdemonbag.org Wed Mar 4 23:46:38 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 04 Mar 2009 17:46:38 -0500
Subject: surrendering one's passphrase to authorities
In-Reply-To: <20090304193601.GC4055@jabberwocky.com>
References: <20090304153823.548F81A003E@smtp.hushmail.com> <20090304193601.GC4055@jabberwocky.com>
Message-ID: <49AF04CE.20100@sixdemonbag.org>

David Shaw wrote:
> I suspect things would go rather like this:
> http://www.mail-archive.com/cryptography at metzdowd.com/msg10391.html

Perry is an optimist.  It's considerably worse than he makes it out to be.

Judges are not idiots.  They are very well-trained and have a great deal
of experience at the discovery of truth through Socratic and/or
adversarial questioning.
They are also rather dispassionate, which
stems from the tremendous amount of human evil they come into contact
with on a regular basis.

Juries, on the other hand...

In the American system (and many other systems borrowing from the
British Common Law tradition), the judge is the arbiter of law, but the
jury is the arbiter of fact.

If the judge has any doubt as to whether there's an encrypted volume on
the drive, the judge is probably not going to bother putting the accused
in jail on a contempt charge.  The judge is going to say, "the existence
or nonexistence of material on that drive is a question of fact for the
jury to sort out."

And once the judge says that, you're rolling the dice with twelve plain,
average, human beings -- which is to say, most of them will be
technologically illiterate with little or no college education or grasp
of formal reasoning.

If you look at those twelve men and women and start to explain about
deniable systems and perfect forward secrecy and every other crypto
innovation you've thought of to keep you out of trouble, the jury won't
understand a word of it.  Not a word.

They _will_, however, understand that you're blowing smoke up their ass.

This is a mistake you will only ever get to make once.

From dshaw at jabberwocky.com Thu Mar 5 00:31:26 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed, 4 Mar 2009 18:31:26 -0500
Subject: surrendering one's passphrase to authorities
In-Reply-To: <49AF04CE.20100@sixdemonbag.org>
References: <20090304153823.548F81A003E@smtp.hushmail.com> <20090304193601.GC4055@jabberwocky.com> <49AF04CE.20100@sixdemonbag.org>
Message-ID: <20090304233126.GA5075@jabberwocky.com>

On Wed, Mar 04, 2009 at 05:46:38PM -0500, Robert J. Hansen wrote:
> David Shaw wrote:
> > I suspect things would go rather like this:
> > http://www.mail-archive.com/cryptography at metzdowd.com/msg10391.html
>
> Perry is an optimist.  It's considerably worse than he makes it out to be.
>
> Judges are not idiots.  They are very well-trained and have a great deal
> of experience at the discovery of truth through Socratic and/or
> adversarial questioning.  They are also rather dispassionate, which
> stems from the tremendous amount of human evil they come into contact
> with on a regular basis.
>
> Juries, on the other hand...
>
> In the American system (and many other systems borrowing from the
> British Common Law tradition), the judge is the arbiter of law, but the
> jury is the arbiter of fact.
>
> If the judge has any doubt as to whether there's an encrypted volume on
> the drive, the judge is probably not going to bother putting the accused
> in jail on a contempt charge.  The judge is going to say, "the existence
> or nonexistence of material on that drive is a question of fact for the
> jury to sort out."
>
> And once the judge says that, you're rolling the dice with twelve plain,
> average, human beings -- which is to say, most of them will be
> technologically illiterate with little or no college education or grasp
> of formal reasoning.

Indeed, and also (in the US at least), the attorneys for each side can
(to a limited degree that varies from situation to situation) remove
people from the "potential juror" list after interviewing them (a
"Voir Dire" challenge).  Frequently, one side or the other will remove
a juror with actual knowledge about the subject matter being covered
in court.  This makes sense from their perspective, as they would
rather the juror is a blank slate, only knowing what the lawyer says
on the subject, and not bring any of their own knowledge and opinions.

So if you're relying on a cryptography defense, your chance of finding
a juror who has any idea what you're talking about or has any means to
evaluate your statements is actually lower than it would be if you
picked random people off the street.

David

From rjh at sixdemonbag.org Thu Mar 5 03:17:01 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 04 Mar 2009 21:17:01 -0500
Subject: surrendering one's passphrase to authorities
In-Reply-To: <20090304233126.GA5075@jabberwocky.com>
References: <20090304153823.548F81A003E@smtp.hushmail.com> <20090304193601.GC4055@jabberwocky.com> <49AF04CE.20100@sixdemonbag.org> <20090304233126.GA5075@jabberwocky.com>
Message-ID: <49AF361D.1090403@sixdemonbag.org>

David Shaw wrote:
> Indeed, and also (in the US at least), the attorneys for each side
> can (to a limited degree that varies from situation to situation)
> remove people from the "potential juror" list after interviewing them
> (a "Voir Dire" challenge).

Voir dire is the name given to the interview process, not to the
strikings.  A striking can be "for cause" (a juror who says they can't
be impartial, for instance) or for no reason at all in what's called a
"peremptory challenge."  It is unlawful to use peremptory challenges to
shape the racial or religious composition of the jury, but as long as
you're not doing that, you can strike whoever you like for whatever
reason you like.

> Frequently, one side or the other will remove a juror with actual
> knowledge about the subject matter being covered in court.  This
> makes sense from their perspective, as they would rather the juror is
> a blank slate, only knowing what the lawyer says on the subject, and
> not bring any of their own knowledge and opinions.

It's even worse than that.

A year ago I was given a jury summons.  The first case, I survived
challenges for cause.  They asked if anyone could describe a millimeter.
I raised my hand, they called on me and I gave them the SI definition.
I was promptly peremptoried.  Plaintiff's counsel didn't just want to
avoid people with subject matter knowledge.  Counsel wanted to avoid
anyone who knew anything about basic physics, and they used the metric
system as a test to see who had any background in physics.

The next trial was a sexual abuse case with some very hideous
particulars.
Defense counsel asked everyone what probability we gave
that her client was guilty.  One woman said 70%, since she was a
schoolteacher and she knew how many layers of bureaucracy were involved
in getting a sex abuse case to trial.  One man said at least 50%, since
otherwise it was a lot of work and taxpayer money for nothing.

I refused to answer the question.  I explained the question had improper
foundations.  Probability is based on prior observations of identical
phenomena.  I didn't know anything about the defendant or the
particulars of his crime, so there was no probability I could assign.
He either did it or he didn't, and I was willing to help determine which
it was -- but I would not attach a probability to his guilt or innocence.

The woman who said 70% and the man who said 50% were both seated on the
jury.  I wasn't.

It's true that lawyers will remove a juror with actual knowledge about
the subject matter -- but more than that, lawyers will remove jurors
with actual knowledge.  If you show an ability to think critically and
independently, the lawyers will move heaven and earth to remove you from
the jury pool.

A critical and independent thinker will go their own way in the trial.
That makes them wild cards.  No lawyer wants a wild card in the jury
pool.  They want people who can be led to a conclusion.

From faramir.cl at gmail.com Thu Mar 5 05:20:53 2009
From: faramir.cl at gmail.com (Faramir)
Date: Thu, 05 Mar 2009 01:20:53 -0300
Subject: Question about using additional keyrings
Message-ID: <49AF5325.8060607@gmail.com>

Well, I followed the tutorial that shows how to use just subkeys
(without the main key), in order to keep the main key a bit safer than
usual. But that made me play a bit with the GPGShell options for GPG,
and managed to make it work, allowing to easily access my "whole" keys,
and to switch to subkeys after using them.
The "magic" is done by adding
the following line to gpg.conf:

secret-keyring z:\gpghome\secring.gpg
(that's the location of the secring that has the unedited keys)

But my question is: what does that line do? When it is in gpg.conf, do
I have the 2 secrings at the same time, or it replaces the usage of the
keyring located in gpghome with the one on my z drive?

Best Regards

From dshaw at jabberwocky.com Thu Mar 5 05:39:54 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed, 4 Mar 2009 23:39:54 -0500
Subject: surrendering one's passphrase to authorities
In-Reply-To: <49AF361D.1090403@sixdemonbag.org>
References: <20090304153823.548F81A003E@smtp.hushmail.com> <20090304193601.GC4055@jabberwocky.com> <49AF04CE.20100@sixdemonbag.org> <20090304233126.GA5075@jabberwocky.com> <49AF361D.1090403@sixdemonbag.org>
Message-ID: <51E23696-F4F8-41D3-8F4A-E308C1B2A400@jabberwocky.com>

On Mar 4, 2009, at 9:17 PM, Robert J. Hansen wrote:

> David Shaw wrote:
>> Indeed, and also (in the US at least), the attorneys for each side
>> can (to a limited degree that varies from situation to situation)
>> remove people from the "potential juror" list after interviewing them
>> (a "Voir Dire" challenge).
>
> Voir dire is the name given to the interview process, not to the
> strikings.

As I've said, I am not a lawyer, but the term "Voir dire challenge"
did, in fact, come from a real lawyer who I discussed my half-written
email with before sending it.
Simply Googling the term shows it in
rather common use.

> It's true that lawyers will remove a juror with actual knowledge about
> the subject matter -- but more than that, lawyers will remove jurors
> with actual knowledge.  If you show an ability to think critically and
> independently, the lawyers will move heaven and earth to remove you
> from the jury pool.

It's not quite that simple.  My lawyer friend indicates that this can
cut both ways.  If one lawyer thought they had a very strong case,
they might actually want a smart or knowledgeable person on the jury,
going with the idea that this person would be able to explain the
complex issues to the rest of the jury.  Which of course may cause the
opposing attorney to challenge that person.  And so on, and around and
around.  This is why jury consultants make the big bucks.

We're now rather off-topic for GPG (and especially for a list that
serves more than the US).  Let's let this thread go, please.

David

From dshaw at jabberwocky.com Thu Mar 5 06:02:21 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 5 Mar 2009 00:02:21 -0500
Subject: Question about using additional keyrings
In-Reply-To: <49AF5325.8060607@gmail.com>
References: <49AF5325.8060607@gmail.com>
Message-ID:

On Mar 4, 2009, at 11:20 PM, Faramir wrote:

> Well, I followed the tutorial that shows how to use just subkeys
> (without the main key), in order to keep the main key a bit safer than
> usual. But that made me play a bit with the GPGShell options for GPG,
> and managed to make it work, allowing to easily access my "whole"
> keys, and to switch to subkeys after using them. The "magic" is done
> by adding the following line to gpg.conf:
>
> secret-keyring z:\gpghome\secring.gpg
> (that's the location of the secring that has the unedited keys)
>
> But my question is: what does that line do? When it is in gpg.conf, do
> I have the 2 secrings at the same time, or it replaces the usage of
> the keyring located in gpghome with the one on my z drive?

Here's how it works: GPG allows for multiple public keyrings (via
"keyring") and multiple secret keyrings (via "secret-keyring").  The
default public keyring is $GNUPGHOME/pubring.gpg.  The default secret
keyring is $GNUPGHOME/secring.gpg.  Any keyrings, public or secret,
that you add are in addition to those defaults.  If you don't want the
defaults to be present at all, use --no-default-keyring.

Thus in your case, you have two secret keyrings, unless there is a
--no-default-keyring somewhere or $GNUPGHOME/secring.gpg does not
exist.

David

From faramir.cl at gmail.com Thu Mar 5 06:32:02 2009
From: faramir.cl at gmail.com (Faramir)
Date: Thu, 05 Mar 2009 02:32:02 -0300
Subject: Question about using additional keyrings
In-Reply-To:
References: <49AF5325.8060607@gmail.com>
Message-ID: <49AF63D2.2040305@gmail.com>

David Shaw wrote:

>> secret-keyring z:\gpghome\secring.gpg
>> (that's the location of the secring that has the unedited keys)
>>
>> But my question is: what does that line do? When it is in gpg.conf, do
>> I have the 2 secrings at the same time, or it replaces the usage of the
>> keyring located in gpghome with the one on my z drive?
>
> Here's how it works: GPG allows for multiple public keyrings (via
> "keyring") and multiple secret keyrings (via "secret-keyring").  The
> default public keyring is $GNUPGHOME/pubring.gpg.  The default secret
> keyring is $GNUPGHOME/secring.gpg.  Any keyrings, public or secret, that
> you add are in addition to those defaults.  If you don't want the
> defaults to be present at all, use --no-default-keyring.
>
> Thus in your case, you have two secret keyrings, unless there is a
> --no-default-keyring somewhere or $GNUPGHOME/secring.gpg does not exist.

  Ok, and if I also add another pubring file, and I download a public
key, where would it be stored? In the default keyring, or in the
additional one?

  By the way, I think there is an option in GPGShell to add the
--no-default-keyring option

  Best Regards

From dshaw at jabberwocky.com Thu Mar 5 06:50:09 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 5 Mar 2009 00:50:09 -0500
Subject: Question about using additional keyrings
In-Reply-To: <49AF63D2.2040305@gmail.com>
References: <49AF5325.8060607@gmail.com> <49AF63D2.2040305@gmail.com>
Message-ID:

On Mar 5, 2009, at 12:32 AM, Faramir wrote:

> David Shaw wrote:
>
>>> secret-keyring z:\gpghome\secring.gpg
>>> (that's the location of the secring that has the unedited keys)
>>>
>>> But my question is: what does that line do? When it is in
>>> gpg.conf, do I have the 2 secrings at the same time, or it
>>> replaces the usage of the keyring located in gpghome with the one
>>> on my z drive?
>>
>> Here's how it works: GPG allows for multiple public keyrings (via
>> "keyring") and multiple secret keyrings (via "secret-keyring").  The
>> default public keyring is $GNUPGHOME/pubring.gpg.  The default secret
>> keyring is $GNUPGHOME/secring.gpg.  Any keyrings, public or secret,
>> that you add are in addition to those defaults.  If you don't want the
>> defaults to be present at all, use --no-default-keyring.
>>
>> Thus in your case, you have two secret keyrings, unless there is a
>> --no-default-keyring somewhere or $GNUPGHOME/secring.gpg does not
>> exist.
>
>  Ok, and if I also add another pubring file, and I download a public
> key, where would it be stored? In the default keyring, or in the
> additional one?

The first one that is writable.  If you want to force it to be written
to a particular keyring, use the "primary-keyring" command instead of
just "keyring".

David

From faramir.cl at gmail.com Thu Mar 5 07:46:04 2009
From: faramir.cl at gmail.com (Faramir)
Date: Thu, 05 Mar 2009 03:46:04 -0300
Subject: Question about using additional keyrings
In-Reply-To:
References: <49AF5325.8060607@gmail.com> <49AF63D2.2040305@gmail.com>
Message-ID: <49AF752C.2050205@gmail.com>

David Shaw wrote:

>>  Ok, and if I also add another pubring file, and I download a public
>> key, where would it be stored? In the default keyring, or in the
>> additional one?
>
> The first one that is writable.  If you want to force it to be written
> to a particular keyring, use the "primary-keyring" command instead of
> just "keyring".

  Ok.. the first time I added the additional keyrings, I added a
private and a public keyring, and since both were writable, it seems the
public key was stored in the additional one... now I know the reason.

  Thanks, now I understand it better.

  Best Regards

From lists_de at zemisch.de Thu Mar 5 10:48:41 2009
From: lists_de at zemisch.de (Dirk Zemisch)
Date: Thu, 05 Mar 2009 10:48:41 +0100
Subject: Import all keys from signatures
Message-ID: <49AF9FF9.3030205@zemisch.de>

Hi,

I just had some trouble with my keyrings and after all recovery etc. a
lot of keys I earlier received are gone.

But a lot of them are named in the sigs of my own key. Is there a
possibility to read out all key-IDs from the sigs and import the related
keys from a keyserver? Maybe someone here wrote a script or so?

I'm using WinXP and Ubuntu on the same keyring, so OS is not really
relevant.

Thanks in advance!

Dirk

From felipe.alvarez at gmail.com Thu Mar 5 10:22:29 2009
From: felipe.alvarez at gmail.com (Felipe Alvarez)
Date: Thu, 5 Mar 2009 19:22:29 +1000
Subject: trying to understand UID and subkeys
Message-ID:

Me again. Sorry to sound newbish. I've googled, but I haven't found
anything quite as detailed enough for me to grasp the 'whole forest' (so
to speak). My question is regarding 'subkeys.' Let me know if I am
getting the wording/terminology incorrect.

I understand that when I 'gen-key' I create a 'signing' key (to identify
tampering/modification) and an 'encryption' key (shouldn't this be a
DEcryption key? Wouldn't I use this for DEcrypting docs encrypted with
my public key? But I digress).

I am also able to add extra UIDs to my public key, so I can have, say 4
different email addresses, all attached to the same public key. Does
this mean I have several SIGNING keys, or several DEcryption keys? How
do other people use my extra UIDs? Can they pick one to use for
encryption, and I must use the "twin" (private) key matching that UID to
decrypt it?

Why would I want to create new 'subkeys?' Of what benefit to have, say 5
subkeys belonging to one (master)(private)(signing) key?

What do the letters to the right of the words "usage" mean? (S,C,A,E) I
can only guess |S|ign, |E|ncrypt, ....

##############################################################
felipe@cheetah:/tmp/gpg-kWzpHj> gpg --edit boyd
gpg (GnuPG) 2.0.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  1024D/48C1382F  created: 2000-08-19  expires: never       usage: SCA
                     trust: unknown       validity: unknown
sub  1024g/02B5A402  created: 2000-08-19  expires: never       usage: E
[ unknown] (1). Colin Boyd

Command>
##############################################################

Sorry if this sounds elementary/trivial. I am new to PKI, and
encryption, etc. I have read through GNUPG gettingstarted manual, and
been reading this list for nearly 1 week. If I have more questions, I
hope you don't mind I ask them here.

Thank you

Felipe

From dshaw at jabberwocky.com Thu Mar 5 15:10:20 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 5 Mar 2009 09:10:20 -0500
Subject: trying to understand UID and subkeys
In-Reply-To:
References:
Message-ID: <97E0DBA9-E04C-47FD-8416-8D54813F2404@jabberwocky.com>

On Mar 5, 2009, at 4:22 AM, Felipe Alvarez wrote:

>
> Me again. Sorry to sound newbish. I've googled, but I haven't found
> anything quite as detailed enough for me to grasp the 'whole
> forest' (so to speak). My question is regarding 'subkeys.' Let me
> know if I am getting the wording/terminology incorrect.
>
> I understand that when I 'gen-key' I create a 'signing' key (to
> identify tampering/modification) and an 'encryption' key (shouldn't
> this be a DEcryption key? Wouldn't I use this for DEcrypting docs
> encrypted with my public key? But I digress).
>
> I am also able to add extra UIDs to my public key, so I can have,
> say 4 different email addresses, all attached to the same public
> key. Does this mean I have several SIGNING keys, or several
> DEcryption keys?

Neither.  It means you have 4 different ways other people can find
your key.  An OpenPGP key is made up of a pile of keys (a primary key
plus some number of subkeys) and a pile of user IDs.  Any of the user
IDs can be used to locate the key as a whole.  Sometimes people set
different preferences (essentially hints to the sender on how to
encrypt data) on different user IDs, but the key that they encrypt to,
and thus the key that you decrypt with, remains the same.

> Why would I want to create new 'subkeys?' Of what benefit to have,
> say 5 subkeys belonging to one (master)(private)(signing) key?

One reason is to have different keys for different purposes.  You can
have one subkey for encryption, one subkey for signing, and leave your
primary key for certification.  This lets you do tricks like keeping
your primary key offline.  This is useful as the primary key is the
most "valuable" key (since it can make more subkeys), so protecting it
is a good idea.

> What do the letters to the right of the words "usage" mean?
> (S,C,A,E) I can only guess |S|ign, |E|ncrypt, ....

(S)ign: sign some data (like a file)
(C)ertify: sign a key (this is called certification)
(A)uthenticate: authenticate yourself to a computer (for example,
  logging in)
(E)ncrypt: encrypt data

David

From dshaw at jabberwocky.com Thu Mar 5 15:28:41 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 5 Mar 2009 09:28:41 -0500
Subject: Import all keys from signatures
In-Reply-To: <49AF9FF9.3030205@zemisch.de>
References: <49AF9FF9.3030205@zemisch.de>
Message-ID: <38C61021-6AAD-47BE-A919-8F76A270AFC8@jabberwocky.com>

On Mar 5, 2009, at 4:48 AM, Dirk Zemisch wrote:

> Hi,
>
> I just had some trouble with my keyrings and after all recovery
> etc. a lot of keys I earlier received are gone.
>
> But a lot of them are named in the sigs of my own key. Is there a
> possibility to read out all key-IDs from the sigs and import the
> related keys from a keyserver? Maybe someone here wrote a script or so?
>
> I'm using WinXP and Ubuntu on the same keyring, so OS is not really
> relevant.

Sure.  On the Ubuntu system, do this:

  gpg --recv-keys `gpg --with-colons --list-sigs YOUR-KEY-ID-HERE |
  egrep '^sig' | cut -d: -f5 | uniq`

David

From gerry.lowry at abilitybusinesscomputerservices.com Thu Mar 5 18:14:24 2009
From: gerry.lowry at abilitybusinesscomputerservices.com (gerry_lowry (alliston ontario canada))
Date: Thu, 5 Mar 2009 12:14:24 -0500
Subject: trying to understand UID and subkeys
References: <97E0DBA9-E04C-47FD-8416-8D54813F2404@jabberwocky.com>
Message-ID:

David Shaw wrote, in part:

    You can have one subkey for encryption, one subkey for signing, and
    leave your primary key for certification.

    This lets you do tricks like keeping your primary key offline.

    This is useful as the primary key is the most "valuable" key (since it can make more subkeys),

Question # 1:  does primary key here mean "primary PUBLIC key"?

Question # 2:  without the pass phrase, how can one make more subkeys?

Question # 3:  what determines that a key is a "primary" key?
               (is it because --gen-key was used instead of --edit-key?)

Question # 4:  by offline, do you mean not on a keyserver?
               (versus not on your local hard disk?)

Thank you.

Gerry (Lowry)

From dshaw at jabberwocky.com Thu Mar 5 18:23:05 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 5 Mar 2009 12:23:05 -0500
Subject: trying to understand UID and subkeys
In-Reply-To:
References: <97E0DBA9-E04C-47FD-8416-8D54813F2404@jabberwocky.com>
Message-ID: <20090305172305.GA9011@jabberwocky.com>

On Thu, Mar 05, 2009 at 12:14:24PM -0500, gerry_lowry (alliston ontario canada) wrote:
> David Shaw wrote, in part:
>
>     You can have one subkey for encryption, one subkey for signing, and
>     leave your primary key for certification.
>
>     This lets you do tricks like keeping your primary key offline.
>
>     This is useful as the primary key is the most "valuable" key (since it can make more subkeys),
>
> Question # 1:  does primary key here mean "primary PUBLIC key"?

No.  Primary secret key.  There is no risk in keeping a primary public
key online.  It's public already.

> Question # 2:  without the pass phrase, how can one make more subkeys?

You cannot.  To make more subkeys you need both the passphrase and the
primary secret key.

> Question # 3:  what determines that a key is a "primary" key?
>                (is it because --gen-key was used instead of --edit-key?)

Essentially, yes.  --gen-key always makes a primary key.  If you
accept the default, it also makes you a single subkey.  You can add
more subkeys to it later via --edit-key.

> Question # 4:  by offline, do you mean not on a keyserver?
>                (versus not on your local hard disk?)

By offline I mean not even on your local hard disk.  Offline, say, on
a USB flash disk, or a CD-R.

David

From jbruni at me.com Thu Mar 5 19:11:52 2009
From: jbruni at me.com (Joseph Oreste Bruni)
Date: Thu, 05 Mar 2009 11:11:52 -0700
Subject: trying to understand UID and subkeys
In-Reply-To:
References: <97E0DBA9-E04C-47FD-8416-8D54813F2404@jabberwocky.com>
Message-ID: <96608085626038507563261934854384838233-Webmail@me.com>

On Thursday, March 05, 2009, at 10:14AM, "gerry_lowry (alliston ontario canada)" wrote:
>David Shaw wrote, in part:
>
>    You can have one subkey for encryption, one subkey for signing, and
>    leave your primary key for certification.
>
>    This lets you do tricks like keeping your primary key offline.
>
>    This is useful as the primary key is the most "valuable" key (since
>    it can make more subkeys),
>
>Question # 1: does primary key here mean "primary PUBLIC key"?
>
>Question # 2: without the pass phrase, how can one make more subkeys?
>
>Question # 3: what determines that a key is a "primary" key?
>    (is it because --gen-key was used instead of --edit-key?)
>
>Question # 4: by offline, do you mean not on a keyserver?
>    (versus not on your local hard disk?)
>

Hi Gerry,

When someone is referring to a "key" they are typically referring to a
"key pair" -- both public and private. Your primary key and various
subkeys are all keypairs.

Public keys are used for encryption and verifying digital signatures.
Private keys are used for decryption, creating digital signatures, and
for signing other keys.

A subkey (keypair) that is flagged for encryption will have both public
and private components.

Joe

From wk at gnupg.org Fri Mar 6 11:17:20 2009
From: wk at gnupg.org (Werner Koch)
Date: Fri, 06 Mar 2009 11:17:20 +0100
Subject: Import all keys from signatures
In-Reply-To: <38C61021-6AAD-47BE-A919-8F76A270AFC8@jabberwocky.com> (David Shaw's message of "Thu, 5 Mar 2009 09:28:41 -0500")
References: <49AF9FF9.3030205@zemisch.de> <38C61021-6AAD-47BE-A919-8F76A270AFC8@jabberwocky.com>
Message-ID: <87prgvarbj.fsf@wheatstone.g10code.de>

On Thu, 5 Mar 2009 15:28, dshaw at jabberwocky.com said:

> gpg --recv-keys `gpg --with-colons --list-sigs YOUR-KEY-ID-HERE |
> egrep '^sig' | cut -d: -f5 | uniq`

For keys with a lot of signatures you better do:

  gpg --with-colons --list-sigs YOUR-KEY-ID-HERE | \
    egrep '^sig' | cut -d: -f5 | sort | uniq | xargs gpg --recv-keys

This is because the number of arguments on the command line is
limited. On Gnu/Linux this limit is pretty large but on other systems
it might be just a few k.

You can do the same with awk of course:

  gpg --with-colons --list-sigs YOUR-KEY-ID-HERE | \
    awk -F: '/^sig/ {print $5}' | sort -u | xargs gpg --recv-keys

(I was a bit curious whether uniq is still required and found out that
POSIX indeed requires sort to support the -u flag.)

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From satyanarayana.pulipaka1 at pepsico.com Wed Mar 4 17:35:26 2009
From: satyanarayana.pulipaka1 at pepsico.com (Pulipaka, Satyanarayana {PEP})
Date: Wed, 4 Mar 2009 10:35:26 -0600
Subject: Installable file HP-Unix
Message-ID: <53E880784C437C42936DBB5AB616D9751648C9D327@PEPWMV00073.corp.pep.pvt>

Hi,

I want to deploy GPG on the HP-UX Itanium platform. I am a little
confused about where I can find the installable version of this.
Could any one of you please let me know?

Best regards,

Satya

From shavital at mac.com Fri Mar 6 16:29:49 2009
From: shavital at mac.com (Charly Avital)
Date: Fri, 06 Mar 2009 10:29:49 -0500
Subject: GnuPG 2.0.11 released
In-Reply-To: <87sklug797.fsf@wheatstone.g10code.de>
References: <87sklug797.fsf@wheatstone.g10code.de>
Message-ID: <49B1416D.2030408@mac.com>

Werner Koch wrote the following on 3/3/09 6:45 AM:
> Hello!
>
> We are pleased to announce the availability of a new stable GnuPG-2
> release: Version 2.0.11.

[...]

> Thanks
> ======
>
> We have to thank all the people who helped with this release, be it
> testing, coding, translating, suggesting, auditing, administering the
> servers, spreading the word or answering questions on the mailing
> lists.
>
>
> Happy Hacking,
>
>   The GnuPG Team

Compiled from source under
System Version: Mac OS X 10.5.6 (9G55)
Kernel Version: Darwin 9.6.0,
with Benjamin Donnachie's native pinentry-mac.

Thank you GnuPG Team.

Charly
MacOS 10.5.6 - MacBook Intel C2Duo "Aluminum Late 2008" - GnuPG 1.4.9 -
GPG2 2.0.11 - Thunderbird 2.0.0.19 + Enigmail 0.95.7 - Apple's
Mail+GPGMail 1.2.0 (v56), PGP key: 0xA57A8EFA

From jbruni at me.com Fri Mar 6 20:56:23 2009
From: jbruni at me.com (Joseph Oreste Bruni)
Date: Fri, 06 Mar 2009 12:56:23 -0700
Subject: Installable file HP-Unix
In-Reply-To: <53E880784C437C42936DBB5AB616D9751648C9D327@PEPWMV00073.corp.pep.pvt>
References: <53E880784C437C42936DBB5AB616D9751648C9D327@PEPWMV00073.corp.pep.pvt>
Message-ID:

On Mar 4, 2009, at 9:35 AM, Pulipaka, Satyanarayana {PEP} wrote:

> Hi,
> I want to deploy GPG on HP-UX Itanium platform. Am little
> confused where can I found the installable version of this.
> Could any one of you please let me know?
>
> Best regards,
>
> Satya

I've checked the various HP-UX porting sites and I can't seem to find
a pre-built depot file for you to install. There might be some
lingering crypto export issues that HP doesn't want to deal with. You
could try building GnuPG from the source code, which is what I did.
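
As an added example (not code from any of the posts above): both the key-ID extraction in the "Import all keys from signatures" thread and the usage letters David Shaw lists in the subkeys thread can be read from gpg's colon listing. The sample listing is constructed, the function names are made up here, and reading the capability letters from field 12 follows GnuPG's doc/DETAILS rather than anything stated in these posts.

```shell
#!/bin/sh
# Constructed sample in the layout of `gpg --with-colons --list-sigs`.
# Key IDs, dates and names are made up; one sig record is deliberately malformed.
sample_listing() {
    cat <<'EOF'
pub:u:1024:17:AAAAAAAAAAAAAAAA:2005-01-01:::u:Example Owner <owner@example.org>::scESC:
sig:::17:AAAAAAAAAAAAAAAA:2005-01-01::::Example Owner <owner@example.org>:13x:
sig:::17:BBBBBBBBBBBBBBBB:2006-02-02::::[User ID not found]:10x:
sig:::1:CCCCCCCCCCCCCCCC:2007-03-03::::[User ID not found]:10x:
sig:::17:BBBBBBBBBBBBBBBB:2008-04-04::::[User ID not found]:10x:
sig:::17:NOT-A-KEY-ID-000:2008-05-05::::[User ID not found]:10x:
sub:u:2048:16:DDDDDDDDDDDDDDDD:2005-01-01::::::e:
sig:::17:AAAAAAAAAAAAAAAA:2005-01-01::::Example Owner <owner@example.org>:18x:
EOF
}

# signer_keyids OWN_KEYID < listing
# Prints each signing key ID once. Self-signatures are skipped, and so is any
# field 5 that is not exactly 16 hex digits, so that only well-formed IDs are
# handed on to `xargs gpg --recv-keys`.
signer_keyids() {
    awk -F: -v own="$1" '
        BEGIN {
            own = toupper(own); n = length(own)
            # A full fingerprint ends in the 16-digit long key ID.
            if (n > 16) { own = substr(own, n - 15); n = 16 }
        }
        $1 == "sig" {
            id = toupper($5)
            if (length(id) != 16 || id !~ /^[0-9A-F]+$/) next
            # OWN_KEYID may be the short (8 digit) or long (16 digit) form.
            if (n > 0 && substr(id, 17 - n) == own) next
            print id
        }
    ' | sort -u
}

# key_capabilities < listing
# Spells out the lowercase usage letters of field 12 for the primary key and
# each subkey. (The uppercase letters on the pub record summarise the whole
# key, subkeys included, and are ignored here.)
key_capabilities() {
    awk -F: '
        $1 == "pub" || $1 == "sub" {
            caps = ""
            if ($12 ~ /s/) caps = caps " sign"
            if ($12 ~ /c/) caps = caps " certify"
            if ($12 ~ /a/) caps = caps " authenticate"
            if ($12 ~ /e/) caps = caps " encrypt"
            print $1, $5 ":" caps
        }
    '
}

# Demo on the constructed sample. With a real key the listing would come from
#   gpg --with-colons --list-sigs YOUR-KEY-ID-HERE
sample_listing | signer_keyids AAAAAAAAAAAAAAAA
sample_listing | key_capabilities
```

On the sample, the primary key shows up as sign and certify and the subkey as encrypt only, which is the split between primary key and subkeys discussed in the thread.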

From shavital at mac.com Fri Mar 6 20:57:31 2009
From: shavital at mac.com (Charly Avital)
Date: Fri, 06 Mar 2009 14:57:31 -0500
Subject: GnuPG 2.0.11 released - redux.
In-Reply-To: <87sklug797.fsf@wheatstone.g10code.de>
References: <87sklug797.fsf@wheatstone.g10code.de>
Message-ID: <49B1802B.8070400@mac.com>

Werner Koch wrote the following on 3/3/09 6:45 AM:
> Hello!
>
> We are pleased to announce the availability of a new stable GnuPG-2
> release: Version 2.0.11.

[...]

> Thanks
> ======
>
> We have to thank all the people who helped with this release, be it
> testing, coding, translating, suggesting, auditing, administering the
> servers, spreading the word or answering questions on the mailing
> lists.
>
>
> Happy Hacking,
>
>   The GnuPG Team

Compiled from source under
System Version: Mac OS X 10.5.6 (9G55)
Kernel Version: Darwin 9.6.0,
with Benjamin Donnachie's native pinentry-mac.

Thank you GnuPG Team.
Thank you, Benjamin Donnachie!

Charly
MacOS 10.5.6 - MacBook Intel C2Duo "Aluminum Late 2008" - GnuPG 1.4.9 -
GPG2 2.0.11 - Thunderbird 2.0.0.19 + Enigmail 0.95.7 - Apple's
Mail+GPGMail 1.2.0 (v56), PGP key: 0xA57A8EFA

From thomas at bohnomat.de Fri Mar 6 22:16:30 2009
From: thomas at bohnomat.de (Thomas Bohn)
Date: Fri, 6 Mar 2009 22:16:30 +0100
Subject: Just one gpg-agent
Message-ID: <20090306211629.GA2274@proton.bohnomat.de>

I currently try to get the gpg-agent to start just one time and not to
get one more gpg-agent session each time I log in, but it doesn't work.

Even the hint in the gpg-agent man page won't work, I still get more
than one gpg-agent process and more than one gpg-agent directory.

Thomas

From kloecker at kde.org Fri Mar 6 22:35:49 2009
From: kloecker at kde.org (Ingo Klöcker)
Date: Fri, 06 Mar 2009 22:35:49 +0100
Subject: Just one gpg-agent
In-Reply-To: <20090306211629.GA2274@proton.bohnomat.de>
References: <20090306211629.GA2274@proton.bohnomat.de>
Message-ID: <200903062235.50063@thufir.ingo-kloecker.de>

On Friday 06 March 2009, Thomas Bohn wrote:
> I currently try to get the gpg-agent to start just one time and not
> to get one more gpg-agent session each time I log in, but it doesn't
> work.
>
> Even the hint in the gpg-agent man page won't work, I still get more
> than one gpg-agent process and more than one gpg-agent directory.

I suppose we are talking about Linux or some Unix derivative.

I run the following two commands on session start:
=====
killall gpg-agent 2>/dev/null
eval "$(gpg-agent --daemon --default-cache-ttl 36000)"
=====

Since I'm using KDE they are in a file called start-gpg-agent.sh that
I've put into ~/.kde/env. Before that I used a custom ~/.xsession
script.

Regards,
Ingo

From dougb at dougbarton.us Sat Mar 7 00:06:35 2009
From: dougb at dougbarton.us (Doug Barton)
Date: Fri, 06 Mar 2009 15:06:35 -0800
Subject: Just one gpg-agent
In-Reply-To: <200903062235.50063@thufir.ingo-kloecker.de>
References: <20090306211629.GA2274@proton.bohnomat.de> <200903062235.50063@thufir.ingo-kloecker.de>
Message-ID: <49B1AC7B.3000200@dougbarton.us>

I have a slightly more sophisticated gpg-agent script that has worked
well for me with a variety of window managers:

--------------------------------------------------------------------
#!/bin/sh

PATH=/bin:/usr/bin:/usr/local/bin

# Remove the environment file left behind by a previous agent.
test -e "${HOME}/.gpg-agent-info" && unlink "${HOME}/.gpg-agent-info"

# Signal 0 only tests whether a gpg-agent process exists.
killall -0 gpg-agent 2>/dev/null
running=$?

if [ "$running" -eq 0 ]; then
	# Ask the old agent to exit, and force it if it is still there.
	killall gpg-agent
	sleep 1
	killall -0 gpg-agent 2>/dev/null && killall -9 gpg-agent
fi

[ "$1" = "stop" ] && exit 0

# Start one fresh agent; it writes its settings to ~/.gpg-agent-info.
eval `gpg-agent --enable-ssh-support --daemon --write-env-file`

exit 0
--------------------------------------------------------------------

I then have the following in my .xsession file so that all of my
windows inherit the necessary stuff:

unset GPG_AGENT_INFO SSH_AUTH_SOCK SSH_AGENT_PID
"${HOME}/.bin/gpg-agent.sh"
if [ -r "${HOME}/.gpg-agent-info" ]; then
	. "${HOME}/.gpg-agent-info"
	export GPG_AGENT_INFO SSH_AUTH_SOCK SSH_AGENT_PID
fi

hope this helps,

Doug

From dmdm00 at yahoo.com Sat Mar 7 11:28:13 2009
From: dmdm00 at yahoo.com (dmdm)
Date: Sat, 7 Mar 2009 02:28:13 -0800 (PST)
Subject: gpg messages error after signing
Message-ID: <22386253.post@talk.nabble.com>

When I sign a message that contains a gpg key what happens is that the
key has the '-' missing at top and bottom of key. It's OK before it's
signed (see example below).

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.9 (GNU/Linux)

- -----END PGP PUBLIC KEY BLOCK-----

From dshaw at jabberwocky.com Sat Mar 7 14:25:34 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat, 7 Mar 2009 08:25:34 -0500
Subject: gpg messages error after signing
In-Reply-To: <22386253.post@talk.nabble.com>
References: <22386253.post@talk.nabble.com>
Message-ID: <9CBFDE34-AFDD-462B-B9EE-31F0CD375800@jabberwocky.com>

On Mar 7, 2009, at 5:28 AM, dmdm wrote:

>
> When I sign a message that contains a gpg key what happens is that
> the key has the '-' missing at top and bottom of key. It's OK before
> it's signed (see example below).

That is a normal part of OpenPGP called "dash escaping".
Basically, since your signature itself starts with a dash (as part of
"-----BEGIN PGP SIGNED MESSAGE-----") any other dashes, such as those
surrounding your key that you're including in the signed message, need
to be escaped so the message parser does not get confused. The way
this is done is to append a "- " (a dash and a space) to the beginning
of each dash.

Just verify the message to check the signature, and what comes out of
the verification step has all the escaping removed so you can use the
key you included.

David

From dmdm00 at yahoo.com Sun Mar 8 09:00:50 2009
From: dmdm00 at yahoo.com (dmdm)
Date: Sun, 8 Mar 2009 00:00:50 -0800 (PST)
Subject: gpg messages error after signing
In-Reply-To: <9CBFDE34-AFDD-462B-B9EE-31F0CD375800@jabberwocky.com>
References: <22386253.post@talk.nabble.com> <9CBFDE34-AFDD-462B-B9EE-31F0CD375800@jabberwocky.com>
Message-ID: <22395706.post@talk.nabble.com>

Thanks for your post.
I wonder if I might ask for an example please, using perhaps this line
in the example

-----BEGIN PGP SIGNED MESSAGE-----

thank you
dmdm

David Shaw wrote:
>
> On Mar 7, 2009, at 5:28 AM, dmdm wrote:
>
>>
>> When I sign a message that contains a gpg key what happens is that
>> the key has the '-' missing at top and bottom of key. It's OK before
>> it's signed (see example below).
>
> That is a normal part of OpenPGP called "dash escaping". Basically,
> since your signature itself starts with a dash (as part of "-----BEGIN
> PGP SIGNED MESSAGE-----") any other dashes, such as those surrounding
> your key that you're including in the signed message, need to be
> escaped so the message parser does not get confused. The way this is
> done is to append a "- " (a dash and a space) to the beginning of each
> dash.
>
> Just verify the message to check the signature, and what comes out of
> the verification step has all the escaping removed so you can use the
> key you included.
>
> David
>

From laurent.jumet at skynet.be Sun Mar 8 09:21:32 2009
From: laurent.jumet at skynet.be (Laurent Jumet)
Date: Sun, 08 Mar 2009 10:21:32 +0200
Subject: gpg messages error after signing
In-Reply-To: <22395706.post@talk.nabble.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Hello dmdm !

dmdm wrote:

> I wonder if I might ask for an example please, using perhaps this line in
> the example

The answer given to you is exact.
Each generation answer adds a "- ", and depending what soft you are
using, you can go back in generations asking several times to Decrypt
the same message.
Each time you ask Decrypt, you go back one generation of keys and
signatures.
By this way, you can include a public key in a message and sign the
whole. First generation of Decrypt/Verify shows you "Good signature
from X", second generation allows you to include the public key in your
keyring and be sure it's recommended by the sender.

> -----BEGIN PGP SIGNED MESSAGE-----
> thank you
> dmdm

> David Shaw wrote:
>>
>> On Mar 7, 2009, at 5:28 AM, dmdm wrote:
>>
>>>
>>> When I sign a message that contains a gpg key what happens is that
>>> the key has the '-' missing at top and bottom of key. It's OK before
>>> it's signed (see example below).
>>
>> That is a normal part of OpenPGP called "dash escaping". Basically,
>> since your signature itself starts with a dash (as part of "-----BEGIN
>> PGP SIGNED MESSAGE-----") any other dashes, such as those surrounding
>> your key that you're including in the signed message, need to be
>> escaped so the message parser does not get confused.
>> The way this is done is to append a "- " (a dash and a space) to the
>> beginning of each dash.
>>
>> Just verify the message to check the signature, and what comes out of
>> the verification step has all the escaping removed so you can use the
>> key you included.
>>
>> David

- --
Laurent Jumet
KeyID: 0xCFAF704C

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iHEEAREDADEFAkmzgb8qGGh0dHA6Ly93d3cucG9pbnRkZWNoYXQubmV0LzB4Q0ZB
RjcwNEMuYXNjAAoJEPUdbaDPr3BMT4AAoLz9lAc5mRaJqnHdJXTtuYPLxdWVAKDS
7GnFl5ntkCTLtZOuLzZdHQEUHg==
=APmB
-----END PGP SIGNATURE-----

From sangeethath at gmail.com Wed Mar 11 13:23:01 2009
From: sangeethath at gmail.com (sangeethat)
Date: Wed, 11 Mar 2009 05:23:01 -0700 (PDT)
Subject: How to create a keyring
Message-ID: <22454001.post@talk.nabble.com>

I want to create keyring.
Anyone kindly tell me how to create keyring or suggest me some
documentation for the above. I want to get detailed knowledge of this.
I need this for creating Release.gpg file for my repository.

Thank you.

From wk at gnupg.org Wed Mar 11 16:31:48 2009
From: wk at gnupg.org (Werner Koch)
Date: Wed, 11 Mar 2009 16:31:48 +0100
Subject: How to create a keyring
In-Reply-To: <22454001.post@talk.nabble.com> (sangeethath@gmail.com's message of "Wed, 11 Mar 2009 05:23:01 -0700 (PDT)")
References: <22454001.post@talk.nabble.com>
Message-ID: <87y6vculcr.fsf@wheatstone.g10code.de>

On Wed, 11 Mar 2009 13:23, sangeethath at gmail.com said:

> I want to create keyring. Anyone kindly tell me how to create keyring or

gpg creates the keyring on the fly. The keyrings
~/.gnupg/{sec,pub}ring.gpg are properties of gpg and should not be
accessed by other tools. Use the --export command to create the
specified interchange format of the keys and the --import command to
import those into gpg.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From icrf.ml at gmail.com Wed Mar 11 21:15:20 2009
From: icrf.ml at gmail.com (Andrew Flerchinger)
Date: Wed, 11 Mar 2009 16:15:20 -0400
Subject: gpg doesn't fail on target file existing when decrypting
Message-ID:

I'm in windows trying to run gpg (GnuPG) 1.4.9 (Gpg4win 1.1.4) in batch
mode, completely non-interactive. I can encrypt a file like this:

gpg --passphrase **PASS** --trust-model always --batch --output "test.txt.pgp" --sign --recipient **RECIP** --encrypt "test.txt"

and it runs fine. If I do it a second time and the output file exists,
it exits with a non-zero error code. Passing in --yes overwrites the
file and success is returned. So far, so good.

When I decrypt a file, I use a very similar command:

gpg --passphrase **PASS** --trust-model always --batch --output "test.txt" --decrypt "test.txt.pgp"

It mostly works fine. If the output file doesn't exist, it creates it
properly. If it does exist and I add --yes, it overwrites it properly.
My problem is when I don't tell it to overwrite and the target exists,
it looks like it properly decrypted the file, except it does nothing.
The return code is still zero and the output looks exactly the same as
when the file doesn't exist and it creates it.

I'm trying to figure out if I'm doing something wrong, it's a bug, or if
the intended behavior is not the same between encryption and
decryption. If I remove --batch from either encrypt or decrypt, both
prompt me for a replacement file name. I was assuming both would fail
given the option.

Can anyone shed some light on this for me?

Thanks.

Andrew

From felipe.alvarez at gmail.com Thu Mar 12 11:08:35 2009
From: felipe.alvarez at gmail.com (Felipe Alvarez)
Date: Thu, 12 Mar 2009 20:08:35 +1000
Subject: trying to understand UID and subkeys
In-Reply-To: <97E0DBA9-E04C-47FD-8416-8D54813F2404@jabberwocky.com>
References: <97E0DBA9-E04C-47FD-8416-8D54813F2404@jabberwocky.com>
Message-ID:

On Fri, Mar 6, 2009 at 12:10 AM, David Shaw wrote:
>> What do the letters to the right of the words "usage" mean? (S,C,A,E) I
>> can only guess |S|ign, |E|ncrypt, ....
>
> (S)ign: sign some data (like a file)
> (C)ertify: sign a key (this is called certification)
> (A)uthenticate: authenticate yourself to a computer (for example, logging
> in)
> (E)ncrypt: encrypt data
>
> David
>
>

"S" means this key permits the owner to sign things
"C" means that "I (felipe) have signed this key" ??
"E" means owner can encrypt to himself ??
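
As an added example (not part of any post in this archive): the dash escaping described in the "gpg messages error after signing" thread above, including the nested "generations" Laurent Jumet mentions, written out as shell functions. The function names and the sample text are constructed, and the framing carries a placeholder where signature data would be; nothing here checks a signature, so only what gpg prints after verifying a message can be trusted as signed text.

```shell
#!/bin/sh
# Constructed sample body: text that contains an armored key block header.
sample_body() {
    cat <<'EOF'
Here is my key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
(constructed placeholder, not key data)
-----END PGP PUBLIC KEY BLOCK-----
EOF
}

# Escape: every line that starts with a dash gets "- " put in front of it.
dash_escape() {
    sed 's/^-/- -/'
}

# Undo one level of escaping.
dash_unescape() {
    sed 's/^- //'
}

# Wrap stdin in the cleartext framing. The signature part is a constructed
# placeholder: this shows the text layout only and signs nothing.
frame_clearsigned() {
    printf '%s\n' '-----BEGIN PGP SIGNED MESSAGE-----' 'Hash: SHA256' ''
    dash_escape
    printf '%s\n' '-----BEGIN PGP SIGNATURE-----' '' \
        '(constructed placeholder, no signature data)' \
        '-----END PGP SIGNATURE-----'
}

# Print the text part of a clearsigned message with one level of escaping
# removed. An escaped "- -----BEGIN PGP SIGNATURE-----" inside the text does
# not end it, because only an unescaped line can start with five dashes.
cleartext_body() {
    awk '
        state == 0 && /^-----BEGIN PGP SIGNED MESSAGE-----/ { state = 1; next }
        state == 1 { if ($0 ~ /^[ \t]*$/) state = 2; next }  # skip "Hash:" headers
        state == 2 && /^-----BEGIN PGP SIGNATURE-----/ { state = 3; next }
        state == 2 { sub(/^- /, ""); print }
    '
}

# Demo: a message framed twice (a clearsigned message quoted inside another
# one) has "- - " in front of the key block lines; each cleartext_body call
# peels one generation.
sample_body | frame_clearsigned | frame_clearsigned
sample_body | frame_clearsigned | frame_clearsigned | cleartext_body | cleartext_body
```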

From vedaal at hush.com Thu Mar 12 17:18:34 2009
From: vedaal at hush.com (vedaal at hush.com)
Date: Thu, 12 Mar 2009 12:18:34 -0400
Subject: gpg doesn't fail on target file existing when decrypting
Message-ID: <20090312161834.441D4118041@smtp.hushmail.com>

Andrew Flerchinger icrf.ml at gmail.com
wrote on Wed Mar 11 21:15:20 CET 2009 :

> My problem is when I don't tell it to overwrite
> and the target exists, it looks like it
> properly decrypted the file,
> except it does nothing

>I'm trying to figure out if I'm doing something wrong,

no, you're doing everything correctly

>it's a bug,

no,
it's just not telling you that it overwrote it


to test this,

save "test.txt" as "originaltest.txt"

change the text of "test.txt" after you encrypted it, and save it
as "test.text"
and also as "changedtest.ext"

now use your commands to decrypt

you will see that when you now open "test.txt"
it will be the same as your original (i.e. "originaltest.txt")

if gnupg 'did nothing'
it would be the same as "changedtest.txt"


vedaal

any ads or links below this message are added by hushmail without my
endorsement or awareness of the nature of the link

From faramir.cl at gmail.com Thu Mar 12 17:40:42 2009
From: faramir.cl at gmail.com (Faramir)
Date: Thu, 12 Mar 2009 13:40:42 -0300
Subject: trying to understand UID and subkeys
In-Reply-To:
References: <97E0DBA9-E04C-47FD-8416-8D54813F2404@jabberwocky.com>
Message-ID: <49B93B0A.5010007@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Felipe Alvarez wrote:
> On Fri, Mar 6, 2009 at 12:10 AM, David Shaw wrote:
>>> What do the letters to the right of the words "usage" mean? (S,C,A,E) I
>>> can only guess |S|ign, |E|ncrypt, ....
>> (S)ign: sign some data (like a file)
>> (C)ertify: sign a key (this is called certification)
>> (A)uthenticate: authenticate yourself to a computer (for example, logging
>> in)
>> (E)ncrypt: encrypt data
>>
>> David
...
> "S" means this key permits the owner to sign things
> "C" means that "I (felipe) have signed this key" ??

  No, it means you can use it to sign other keys, yours or from other
people.

> "E" means owner can encrypt to himself ??

  It means you can encrypt and decrypt things... to yourself, or to
other people (of course you can't decrypt things encrypted to other
people).

  Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

-----END PGP SIGNATURE-----

From dshaw at jabberwocky.com Thu Mar 12 17:55:13 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 12 Mar 2009 12:55:13 -0400
Subject: trying to understand UID and subkeys
In-Reply-To:
References: <97E0DBA9-E04C-47FD-8416-8D54813F2404@jabberwocky.com>
Message-ID: <20090312165512.GA1054@jabberwocky.com>

On Thu, Mar 12, 2009 at 08:08:35PM +1000, Felipe Alvarez wrote:
> On Fri, Mar 6, 2009 at 12:10 AM, David Shaw wrote:
> >> What do the letters to the right of the words "usage" mean? (S,C,A,E) I
> >> can only guess |S|ign, |E|ncrypt, ....
> >
> > (S)ign: sign some data (like a file)
> > (C)ertify: sign a key (this is called certification)
> > (A)uthenticate: authenticate yourself to a computer (for example, logging
> > in)
> > (E)ncrypt: encrypt data
> >
> > David
> >
> >
>
> "S" means this key permits the owner to sign things

Yes.

> "C" means that "I (felipe) have signed this key" ??

"C" means this key permits the owner to certify keys (either your own
or someone else's).

> "E" means owner can encrypt to himself ??

"E" means the key can be used to encrypt, period. It doesn't matter
if that is you or someone else.

David

From comp.ogz at gmail.com Fri Mar 13 16:17:29 2009
From: comp.ogz at gmail.com (Oguz Yarimtepe)
Date: Fri, 13 Mar 2009 17:17:29 +0200
Subject: differenece between gpg -s and gpg -se
Message-ID: <1236957459.20281.24.camel@ELK1655>

Hi,

I was trying to see a binary file which is signed as below:

gpg -s -r "some user" file

gpg --verify file, verifies the file. But signing also compressed the
file so to recover to the original binary file I need to use --decrypt.

So what is the difference between gpg -se and gpg -s? -s parameter is
also encrypting, right? The outputs of these two files are different,
though.

I was planning to sign and verify the binary, because verification
happens faster than decryption. So how can I sign a binary and again
verify it without creating a detached sign?

From gordian.klein at gmx.de Fri Mar 13 17:44:18 2009
From: gordian.klein at gmx.de (Gordian Klein)
Date: Fri, 13 Mar 2009 17:44:18 +0100
Subject: pam_poldi like functionality on windows
Message-ID: <49BA8D62.8000507@gmx.de>

Hello,

I'm looking for a way to log on to my Windows PC using my OpenPGP card.
On Linux there is pam_poldi, but I didn't find anything for Windows yet.
Is there such a thing?

Regards,
Gordian Klein

From sinancan at gmail.com Fri Mar 13 17:46:40 2009
From: sinancan at gmail.com (Sinan Can İmamoğlu)
Date: Fri, 13 Mar 2009 18:46:40 +0200
Subject: differenece between gpg -s and gpg -se
In-Reply-To: <1236957459.20281.24.camel__19429.3187153109$1236959330$gmane$org@ELK1655>
References: <1236957459.20281.24.camel__19429.3187153109$1236959330$gmane$org@ELK1655>
Message-ID: <20090313184640.459f74ca@sinan.imamoglu.org>

On 2009-03-13, Oguz Yarimtepe wrote:

> So what is the difference between gpg -se and gpg -s? -s parameter is
> also encrypting, right? The outputs of these two files are different,
> though.

-s sign
-se = -s -e = sign & encrypt

-s is not encrypting. You either make a detached signature or produce a
file which contains both the original data and the signature, which is
the compressed file you mentioned.

> I was planning to sign and verify the binary, because verification
> happens faster than decryption. So how can I sign a binary and again
> verify it without creating a detached sign?

The alternatives are either a detached signature or the compressed
file. I cannot think of another alternative. Why don't you want a
detached signature?

From suno.ano at sunoano.org Sun Mar 15 23:55:07 2009
From: suno.ano at sunoano.org (Suno Ano)
Date: Sun, 15 Mar 2009 23:55:07 +0100
Subject: gnupg vs. gnupg2
Message-ID: <87eiwy2y7o.fsf@sunoano.org>

Hi folks,

I have been a happy gpg user on Debian for years now. Now I have got a
few questions regarding the differences of gpg vs. gpg2.

Here is what I know because the docu tells me

 - compared to gpg, gpg2 is modular and aimed at the desktop

 - judging from the man pages both provide the exact same feature
   set ... yes?

 - both can be used with auxiliary goodies like for example gpg-agent

Here is what I would like to know but neither the gpg website, google,
wikipedia, #gnupg nor the man pages answered my question

 - besides the aforementioned differences like monolithic vs modular
   architecture, what else is different? Well, gpg2 provides support for
   MIME types as I figured ... what else?

 - is gpg2 considered prime time ready?

 - there is one utterly annoying fact with gpg2 which is the graphical
   windows which keep popping up http://i43.tinypic.com/154yb04.png How
   can I get rid of them and have the behavior of gpg which just stays
   in the shell?

Is it me or is it really that hard to find those questions answered
anywhere e.g. man pages?

From rjh at sixdemonbag.org Mon Mar 16 03:05:42 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sun, 15 Mar 2009 22:05:42 -0400
Subject: gnupg vs. gnupg2
In-Reply-To: <87eiwy2y7o.fsf@sunoano.org>
References: <87eiwy2y7o.fsf@sunoano.org>
Message-ID: <49BDB3F6.5080306@sixdemonbag.org>

Suno Ano wrote:
> - besides the aforementioned differences like monolithic vs modular
>   architecture, what else is different? Well, gpg2 provides support for
>   MIME types as I figured ... what else?

GnuPG 2 is somewhat larger and provides S/MIME support and gpg-agent.
That's really about it.

> - is gpg2 considered prime time ready?

According to Werner, yes. Me, I wouldn't call GnuPG 2 for Windows
ready for prime time. Over on Enigmail we see a fair number of GnuPG 2
for Windows problems -- or have historically; we haven't had much
lately.

> - there is one utterly annoying fact with gpg2 which is the graphical
>   windows which keep popping up http://i43.tinypic.com/154yb04.png How
>   can I get rid of them and have the behavior of gpg which just stays
>   in the shell?

Can't answer this one, since I use 1.4.

From tmz at pobox.com Mon Mar 16 03:19:03 2009
From: tmz at pobox.com (Todd Zullinger)
Date: Sun, 15 Mar 2009 22:19:03 -0400
Subject: gnupg vs. gnupg2
In-Reply-To: <87eiwy2y7o.fsf@sunoano.org>
References: <87eiwy2y7o.fsf@sunoano.org>
Message-ID: <20090316021903.GS19175@inocybe.teonanacatl.org>

Suno Ano wrote:
> - there is one utterly annoying fact with gpg2 which is the graphical
>   windows which keep popping up http://i43.tinypic.com/154yb04.png How
>   can I get rid of them and have the behavior of gpg which just stays
>   in the shell?

You can use the curses pinentry program. The prompt is due to gpg2
using gpg-agent. In ~/.gnupg/gpg-agent.conf, add:

    pinentry-program /usr/bin/pinentry-curses

You may also need to set GPG_TTY in your shell init file as well. For
example, in ~/.bashrc:

    export GPG_TTY=`tty`

Give info gnupg 'Invoking GPG-AGENT' a read. I found that helpful a
while back.

--
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If at first you don't succeed, try management.

From wk at gnupg.org Mon Mar 16 08:59:15 2009
From: wk at gnupg.org (Werner Koch)
Date: Mon, 16 Mar 2009 08:59:15 +0100
Subject: gnupg vs. gnupg2
In-Reply-To: <49BDB3F6.5080306@sixdemonbag.org> (Robert J. Hansen's message of "Sun, 15 Mar 2009 22:05:42 -0400")
References: <87eiwy2y7o.fsf@sunoano.org> <49BDB3F6.5080306@sixdemonbag.org>
Message-ID: <87k56p7vak.fsf@wheatstone.g10code.de>

On Mon, 16 Mar 2009 03:05, rjh at sixdemonbag.org said:

> GnuPG 2 is somewhat larger and provides S/MIME support and
> gpg-agent. That's really about it.

Plus extended smartcard support.

> According to Werner, yes. Me, I wouldn't call GnuPG 2 for Windows
> ready for prime time. Over on Enigmail we see a fair number of GnuPG
> 2 for Windows problems -- or have historically; we haven't had much
> lately.

The last annoyance I know about is that while importing pkcs#12 the
pinentry does not put itself into the foreground but keeps blinking in
the task bar until clicked.

>> - there is one utterly annoying fact with gpg2 which is the graphical
>>   windows which keep popping up http://i43.tinypic.com/154yb04.png How
>>   can I get rid of them and have the behavior of gpg which just stays
>>   in the shell?

gpg asks you for a passphrase, it uses this popup window (the pinentry)
for this. Either enter the passphrase or click cancel if you don't
want to cancel the current operation. This is the same as with gpg1
which asks you via a console prompt for the passphrase.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
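
As an added example (not from any post in the "gpg doesn't fail on target file existing when decrypting" thread): a batch job that must never overwrite a file, and must know when nothing was written, can let the shell make that decision instead of reading gpg's exit status. The name `decrypt_to`, the `DECRYPT_CMD` variable and the return codes are made up here; the code assumes a POSIX shell, `mktemp`, and that the passphrase reaches gpg through gpg-agent or `--passphrase-fd`.

```shell
#!/bin/sh
# Command that writes the plaintext of the file named by its last argument to
# stdout. Overridable so the logic can be exercised without a key.
: "${DECRYPT_CMD:=gpg --batch --decrypt}"

# decrypt_to TARGET CIPHERTEXT
# Return status:
#   0  plaintext written to TARGET
#   2  TARGET already exists, nothing was changed
#   3  the decrypt command failed, TARGET was not created
#   4  no temporary file could be created next to TARGET
decrypt_to() {
    dt_target=$1
    dt_src=$2

    if [ -e "$dt_target" ]; then
        echo "decrypt_to: $dt_target exists, not overwriting" >&2
        return 2
    fi

    # Decrypt into a private temporary file in the same directory, so that a
    # failed or partial decryption never appears under the final name.
    dt_tmp=$(mktemp "$dt_target.XXXXXX") || return 4

    # DECRYPT_CMD is left unquoted on purpose so it can carry options.
    if ! $DECRYPT_CMD "$dt_src" > "$dt_tmp"; then
        echo "decrypt_to: decryption of $dt_src failed" >&2
        rm -f "$dt_tmp"
        return 3
    fi

    # ln without -f refuses to replace an existing name, which also covers a
    # file that appeared after the check above.
    if ! ln "$dt_tmp" "$dt_target" 2>/dev/null; then
        echo "decrypt_to: $dt_target exists, not overwriting" >&2
        rm -f "$dt_tmp"
        return 2
    fi
    rm -f "$dt_tmp"
    return 0
}

# Usage in a batch job:
#   decrypt_to test.txt test.txt.pgp || echo "no output written (status $?)" >&2
```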
From icrf.ml at gmail.com Mon Mar 16 14:10:31 2009
From: icrf.ml at gmail.com (Andrew Flerchinger)
Date: Mon, 16 Mar 2009 09:10:31 -0400
Subject: gpg doesn't fail on target file existing when decrypting
In-Reply-To: <20090312161834.441D4118041@smtp.hushmail.com>
References: <20090312161834.441D4118041@smtp.hushmail.com>
Message-ID:

On Thu, Mar 12, 2009 at 12:18 PM, wrote:
> Andrew Flerchinger icrf.ml at gmail.com
> wrote on Wed Mar 11 21:15:20 CET 2009 :
>
> > My problem is when I don't tell it to overwrite
> > and the target exists, it looks like it
> > properly decrypted the file,
> > except it does nothing
>
> >I'm trying to figure out if I'm doing something wrong,
>
> no, you're doing everything correctly
>
> >it's a bug,
>
> no,
> it's just not telling you that it overwrote it
>
>
> to test this,
>
> save "test.txt" as "originaltest.txt"
>
> change the text of "test.txt" after you encrypted it, and save it
> as "test.text"
> and also as "changedtest.ext"
>
> now use your commands to decrypt
>
> you will see that when you now open "test.txt"
> it will be the same as your original (i.e. "originaltest.txt")
>
> if gnupg 'did nothing'
> it would be the same as "changedtest.txt"
>
>
> vedaal
>

But it is. If I pass in --yes, it does indeed overwrite as I'd expect. If I don't, it does NOT overwrite the file. The data in the file stays the same and the altered date on the file does not change. It doesn't overwrite, which is as expected, it's just not telling me there was a problem with decryption like it does when I'm encrypting something.

Are you seeing that behavior? GPG is always overwriting on decryption, even without --yes?

Thanks for the reply (and sorry, vedaal, if you got this twice, my first didn't include the mailing list).

Andrew
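The failure mode reported above (a decrypt onto an existing target that neither overwrites it nor reports an error) can be sidestepped in an unattended wrapper by never letting gpg open the destination at all. This is an added example, not code from the thread or from GnuPG: `decrypt_replace`, `DecryptError` and the `command` parameter are hypothetical names, and it assumes that `gpg --batch --decrypt FILE` without `--output` writes the plaintext to stdout.

```python
import os
import subprocess
import sys
import tempfile

# Assumption: with no --output, "gpg --decrypt FILE" sends plaintext to stdout.
GPG_DECRYPT = ("gpg", "--batch", "--decrypt")


class DecryptError(RuntimeError):
    """The decrypt command failed; the destination was left untouched."""


def decrypt_replace(ciphertext, dest, command=GPG_DECRYPT):
    """Decrypt `ciphertext` and install the result at `dest` (hypothetical helper).

    gpg only ever sees a pipe-like stdout, so its "file exists" handling,
    prompt or silent skip, never comes into play.
    """
    dest = os.path.abspath(dest)
    dest_dir = os.path.dirname(dest)
    # mkstemp creates the file exclusively, mode 0600, under an unpredictable
    # name. Same directory as dest, so the final rename stays on one filesystem.
    fd, tmp = tempfile.mkstemp(prefix=".decrypt-", dir=dest_dir)
    try:
        with os.fdopen(fd, "wb") as out:
            proc = subprocess.run([*command, ciphertext],
                                  stdout=out, stderr=subprocess.PIPE)
            if proc.returncode != 0:
                detail = proc.stderr.decode(errors="replace").strip()
                raise DecryptError(f"exit status {proc.returncode}: {detail}")
            os.fsync(out.fileno())   # plaintext is on disk before it gets its name
        # A single rename: the old file is replaced in one step, and if dest
        # is a symlink the link itself is replaced rather than followed.
        os.replace(tmp, dest)
    except BaseException:
        if os.path.lexists(tmp):
            os.unlink(tmp)           # never leave partial plaintext behind
        raise
    if os.name == "posix":
        # Persist the directory entry as well, so a crash keeps the new name.
        dir_fd = os.open(dest_dir, os.O_RDONLY)
        try:
            os.fsync(dir_fd)
        finally:
            os.close(dir_fd)
    return dest


if __name__ == "__main__":
    # Constructed demo: a stand-in command (upper-cases its input) takes the
    # place of gpg so the example runs without keys or an agent.
    stand_in = (sys.executable, "-c",
                "import sys; sys.stdout.write(open(sys.argv[1]).read().upper())")
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "q.txt.gpg")
        target = os.path.join(workdir, "q.txt")
        with open(source, "w") as handle:
            handle.write("new contents")
        with open(target, "w") as handle:
            handle.write("stale contents")
        decrypt_replace(source, target, command=stand_in)
        with open(target) as handle:
            print(handle.read())
```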
From vedaal at hush.com Mon Mar 16 17:10:21 2009
From: vedaal at hush.com (vedaal at hush.com)
Date: Mon, 16 Mar 2009 12:10:21 -0400
Subject: gpg doesn't fail on target file existing when decrypting
Message-ID: <20090316161023.0EDC728046@smtp.hushmail.com>

Andrew Flerchinger icrf.ml at gmail.com
wrote on Mon Mar 16 14:10:31 CET 2009 :

> If I pass in --yes, it does indeed overwrite as I'd
> If I don't, it does NOT overwrite the file.
> it's just not telling me there was a problem with
> decryption like it does when I'm encrypting something.

there isn't a problem with decrypting,

gnupg asks if you want to overwrite,
and if you answer no (N)
then it asks you where you want the file to be written to

here is what i get when i try it (on windows) without the --yes
option :

c:\gnupg>gpg --passphrase aaaa1 --output c:\q.txt --decrypt
c:\q.txt.gpg
:pubkey enc packet: version 3, algo 1, keyid 7DC4274AF9015496
data: [2047 bits]
gpg: public key is F9015496

You need a passphrase to unlock the secret key for
user: "aaaa1 "
2048-bit RSA key, ID F9015496, created 2005-12-01

gpg: encrypted with 2048-bit RSA key, ID F9015496, created 2005-12-
01
"aaaa1 "
gpg: TWOFISH encrypted data
:compressed packet: algo=1
:literal data packet:
mode b (62), created 1236869352, name="q.txt",
raw data: 3 bytes
gpg: original file name='q.txt'
File `c:\q.txt' exists. Overwrite? (y/N) n
Enter new filename:
Enter new filename: c:\q2.txt
gpg: decryption okay
gpg: session key:
`10:6EB46AC795C6CCB418116E50DDFDC8CBD3D345761C2759DD5223E8D5D30923DC
'

n.b.
i use the options of 'verbose verbose',
so gnupg gives a lot more information than what you might be used
to seeing

here it is again without the 'verbose' options:

c:\gnupg>gpg --passphrase aaaa1 --output c:\q.txt --decrypt
c:\q.txt.gpg

You need a passphrase to unlock the secret key for
user: "aaaa1 "
2048-bit RSA key, ID F9015496, created 2005-12-01

gpg: encrypted with 2048-bit RSA key, ID F9015496, created 2005-12-
01
"aaaa1 "
File `c:\q.txt' exists.
Overwrite? (y/N) y
gpg: session key:
`10:6EB46AC795C6CCB418116E50DDFDC8CBD3D345761C2759DD5223E8D5D30923DC
'

c:\gnupg>

so,
does gnupg prompt you to 'overwrite' if you don't use the --yes
option ?

vedaal

any ads or links below this message are added by hushmail without
my endorsement or awareness of the nature of the link

From icrf.ml at gmail.com Mon Mar 16 19:48:25 2009
From: icrf.ml at gmail.com (Andrew Flerchinger)
Date: Mon, 16 Mar 2009 14:48:25 -0400
Subject: gpg doesn't fail on target file existing when decrypting
In-Reply-To: <20090316161023.0EDC728046@smtp.hushmail.com>
References: <20090316161023.0EDC728046@smtp.hushmail.com>
Message-ID:

On Mon, Mar 16, 2009 at 12:10 PM, wrote:
> Andrew Flerchinger icrf.ml at gmail.com
> wrote on Mon Mar 16 14:10:31 CET 2009 :
>
>
> > If I pass in --yes, it does indeed overwrite as I'd
> > If I don't, it does NOT overwrite the file.
>
> > it's just not telling me there was a problem with
> > decryption like it does when I'm encrypting something.
>
>
> there isn't a problem with decrypting,
>
> gnupg asks if you want to overwrite,
> and if you answer no (N)
> then it asks you where you want the file to be written to
>
> here is what i get when i try it (on windows) without the --yes
> option :
>
>
> c:\gnupg>gpg --passphrase aaaa1 --output c:\q.txt --decrypt
> c:\q.txt.gpg
> :pubkey enc packet: version 3, algo 1, keyid 7DC4274AF9015496
> data: [2047 bits]
> gpg: public key is F9015496
>
> You need a passphrase to unlock the secret key for
> user: "aaaa1 "
> 2048-bit RSA key, ID F9015496, created 2005-12-01
>
> gpg: encrypted with 2048-bit RSA key, ID F9015496, created 2005-12-
> 01
> "aaaa1 "
> gpg: TWOFISH encrypted data
> :compressed packet: algo=1
> :literal data packet:
> mode b (62), created 1236869352, name="q.txt",
> raw data: 3 bytes
> gpg: original file name='q.txt'
> File `c:\q.txt' exists. Overwrite? (y/N) n
> Enter new filename:
> Enter new filename: c:\q2.txt
> gpg: decryption okay
> gpg: session key:
> `10:6EB46AC795C6CCB418116E50DDFDC8CBD3D345761C2759DD5223E8D5D30923DC
> '
>
> n.b.
> i use the options of 'verbose verbose',
> so gnupg gives a lot more information than what you might be used
> to seeing
>
> here it is again without the 'verbose' options:
>
> c:\gnupg>gpg --passphrase aaaa1 --output c:\q.txt --decrypt
> c:\q.txt.gpg
>
> You need a passphrase to unlock the secret key for
> user: "aaaa1 "
> 2048-bit RSA key, ID F9015496, created 2005-12-01
>
> gpg: encrypted with 2048-bit RSA key, ID F9015496, created 2005-12-
> 01
> "aaaa1 "
> File `c:\q.txt' exists. Overwrite? (y/N) y
> gpg: session key:
> `10:6EB46AC795C6CCB418116E50DDFDC8CBD3D345761C2759DD5223E8D5D30923DC
> '
>
> c:\gnupg>
>
>
> so,
> does gnupg prompt you to 'overwrite' if you don't use the --yes
> option ?
>
>
> vedaal
>

Yes, I do see that behavior. The primary difference is that I never want it to prompt me for anything, since I'm writing a headless wrapper.
Try including the --batch parameter, which suppresses any interaction. I can't find any indication that it failed to overwrite the destination by return code or program output.

It works just fine when encrypting, though, which is what has me confused. I can work around it (mostly, the operation won't be atomic, but it's probably close enough for me), but the inconsistency between encrypt/decrypt gave me pause.

Thanks.

Andrew

From dougb at dougbarton.us Mon Mar 16 22:17:45 2009
From: dougb at dougbarton.us (Doug Barton)
Date: Mon, 16 Mar 2009 14:17:45 -0700
Subject: gpg doesn't fail on target file existing when decrypting
In-Reply-To:
References: <20090316161023.0EDC728046@smtp.hushmail.com>
Message-ID: <49BEC1F9.709@dougbarton.us>

Andrew Flerchinger wrote:
> Yes, I do see that behavior. The primary difference is that I never want
> it to prompt me for anything, since I'm writing a headless wrapper.

What you're suggesting isn't "safe" in any case. What I would do in your situation is the following:

1. Use mktemp to safely create a new, unique file
2. Send the decryption output to that file
3. Test if the "real" file exists, and if so unlink it
4. mv $newfile $realfilename

hth,

Doug

From awerner at glocalnet.net Mon Mar 16 22:21:50 2009
From: awerner at glocalnet.net (Alf Wernersson)
Date: Mon, 16 Mar 2009 22:21:50 +0100
Subject: GnuPG and Windows XP Home
Message-ID: <49BEC2EE.4070104@glocalnet.net>

I'm trying to install GPG on my Laptop running XP Home. After the install process I run CMD and write "GPG --version". This seems to be OK. After that I write "GPG --list-keys" and receive following message:

gpg: checking the trustdb
Assertion failed: keyblock->pkttype == PKT_PUBLIC_KEY, file /home/wk/src/gpg4win11/build/gpg4win-1.1.4/src/playground/build/gnupg-1.4.9/g10/keyring.c, line 1387

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

Does not GPG4win support Windows XP? Any suggestions?

/Alf

From icrf.ml at gmail.com Mon Mar 16 22:48:18 2009
From: icrf.ml at gmail.com (Andrew Flerchinger)
Date: Mon, 16 Mar 2009 17:48:18 -0400
Subject: gpg doesn't fail on target file existing when decrypting
In-Reply-To: <49BEC1F9.709@dougbarton.us>
References: <20090316161023.0EDC728046@smtp.hushmail.com> <49BEC1F9.709@dougbarton.us>
Message-ID:

On Mon, Mar 16, 2009 at 5:17 PM, Doug Barton wrote:
>
> Andrew Flerchinger wrote:
> > Yes, I do see that behavior. The primary difference is that I never want
> > it to prompt me for anything, since I'm writing a headless wrapper.
>
> What you're suggesting isn't "safe" in any case. What I would do in
> your situation is the following:
>
> 1. Use mktemp to safely create a new, unique file
> 2. Send the decryption output to that file
> 3. Test if the "real" file exists, and if so unlink it
> 4. mv $newfile $realfilename
>
>
> hth,
>
> Doug

You're right, I could do that to make my work-around act atomic. Or are you saying that even the functional encrypt behavior isn't "safe?" I'm assuming that's essentially what gpg is already doing.

I guess I'm still trying to determine the reason for the inconsistent behavior between encryption and decryption functions. If it's a bug, I'd like to report it. If it's a design decision, I'd like to know the rationale behind why. If it's something else, I'd love to be surprised.

Thanks.

Andrew

From dougb at dougbarton.us Mon Mar 16 22:59:56 2009
From: dougb at dougbarton.us (Doug Barton)
Date: Mon, 16 Mar 2009 14:59:56 -0700
Subject: gpg doesn't fail on target file existing when decrypting
In-Reply-To:
References: <20090316161023.0EDC728046@smtp.hushmail.com> <49BEC1F9.709@dougbarton.us>
Message-ID: <49BECBDC.8050700@dougbarton.us>

Andrew Flerchinger wrote:
> On Mon, Mar 16, 2009 at 5:17 PM, Doug Barton wrote:
>> Andrew Flerchinger wrote:
>>> Yes, I do see that behavior.
The primary difference is that I never want
>>> it to prompt me for anything, since I'm writing a headless wrapper.
>> What you're suggesting isn't "safe" in any case. What I would do in
>> your situation is the following:
>>
>> 1. Use mktemp to safely create a new, unique file
>> 2. Send the decryption output to that file
>> 3. Test if the "real" file exists, and if so unlink it
>> 4. mv $newfile $realfilename
>>
>>
>> hth,
>>
>> Doug
>
> You're right, I could do that to make my work-around act atomic. Or
> are you saying that even the functional encrypt behavior isn't "safe?"

For typical command line use by a real person I think it's just fine. If I were doing a script that used gpg in an unattended fashion I'd do the same thing for encrypt as I suggested for decrypt above.

> I'm assuming that's essentially what gpg is already doing.

Don't assume. Test. Depending on what you're using it for (and in what environment) the bar is much, much higher for programs (including scripts) that run in an automated environment than for those that run with real human interaction. Not that humans always make the right choices by any stretch.

> I guess I'm still trying to determine the reason for the inconsistent
> behavior between encryption and decryption functions.

You're approaching this problem from the standpoint of unattended usage, which is not how the current command line behavior was intended.

Doug

From John at Mozilla-Enigmail.org Mon Mar 16 23:48:52 2009
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Mon, 16 Mar 2009 17:48:52 -0500
Subject: GnuPG and Windows XP Home
In-Reply-To: <49BEC2EE.4070104@glocalnet.net>
References: <49BEC2EE.4070104@glocalnet.net>
Message-ID: <49BED754.3070805@Mozilla-Enigmail.org>

Alf Wernersson wrote:
> I'm trying to install GPG on my Laptop running XP Home. After the
> install process I run CMD and write "GPG --version". This seems to be
> OK.
After that I write "GPG --list-keys" and receive following message:

> Does not GPG4win support Windows XP? Any suggestions?

I haven't used the new gpg4win 1.1.4 but GnuPG 1.4.9 works fine on XP.
ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.9.exe
ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.9.exe.sig

Since you issued --list-keys, I assume you already have keyring files, right?

Do you have them where gpg is expecting them?
'gpg --version' will tell you where gpg expects to find keys.

If you copied over keyrings, did you also copy the trustdb?

Without knowing how you installed things and populated keyrings, all we can do is guess at problems and solutions.

--
John P. Clizbe                      Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net  or
     mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"

From stef at caunter.ca Tue Mar 17 02:49:42 2009
From: stef at caunter.ca (Stefan Caunter)
Date: Mon, 16 Mar 2009 21:49:42 -0400
Subject: multiple DER formatted export
Message-ID:

Apologies for this not being specific to the gnupg list, but could I possibly ask if anyone knows if it was ever possible to export multiple certs in DER format?

In http://www.intevation.de/roundup/aegypten/msg433 Werner states that there is no standard for doing so.

I am sure I used to do this with Windows Internet Explorer 5.x, but Windows Certificate Store will no longer export all certs as a .crt DER file, only a single cert as cert.der. Firefox as well. OpenSSL does not convert pkcs7 bundles to PEM for use on a unix system.

Apple keychain gives me them all as a usable PEM that I can run c_rehash on, but this is not surprising.
I'm rewriting http://lynx.isc.org/current/README.sslcerts and want to recommend more than one way to pull a commercially available cert bundle for non-commercial software.

Stefan Caunter
http://caunter.ca/contact.html

From jbruni at me.com Tue Mar 17 05:20:23 2009
From: jbruni at me.com (Joseph Oreste Bruni)
Date: Mon, 16 Mar 2009 21:20:23 -0700
Subject: multiple DER formatted export
In-Reply-To:
References:
Message-ID:

On Mar 16, 2009, at 6:49 PM, Stefan Caunter wrote:

> Apologies for this not being specific to the gnupg list, but could I
> possibly ask if anyone knows if it was ever possible to export
> multiple certs in DER format?
>
> In http://www.intevation.de/roundup/aegypten/msg433 Werner states that
> there is no standard for doing so.
>
> I am sure I used to do this with Windows Internet Explorer 5.x, but
> Windows Certificate Store will no longer export all certs as a .crt
> DER file, only a single cert as cert.der. Firefox as well. OpenSSL
> does not convert pkcs7 bundles to PEM for use on a unix system.
>
> Apple keychain gives me them all as a usable PEM that I can run
> c_rehash on, but this is not surprising. I'm rewriting
> http://lynx.isc.org/current/README.sslcerts and want to recommend more
> than one way to pull a commercially available cert bundle for
> non-commercial software.
>
> Stefan Caunter
> http://caunter.ca/contact.html

I doubt that you were able to export certificates directly in DER format in Windows without having them in some sort of container format such as PKCS#12. That is, with more than one certificate per file.

PEM is actually just DER encoded in Base64 and bracketed with BEGIN and END delimiters. This is why you can have more than one object in a PEM file.

PKCS#12 also support more than one object per file and it has been the standard way of transporting certs in Windows. The file extensions would be either .PFX or .P12.
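The point made above, that PEM is Base64-encoded DER between BEGIN and END lines and that one file can therefore carry several objects, worked through as an added example (not code from the thread). The function names are hypothetical, and the two DER blobs are constructed stand-ins that are valid DER SEQUENCEs but not real certificates.

```python
import base64
import re

# One PEM object: BEGIN line, Base64 body, matching END line.
PEM_OBJECT = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)


def der_object_length(data):
    """Total size (header plus content) of the DER element at the start of data."""
    if len(data) < 2:
        raise ValueError("truncated DER header")
    first = data[1]
    if first < 0x80:                       # short form: length fits in 7 bits
        return 2 + first
    count = first & 0x7F                   # long form: next `count` bytes hold it
    if count == 0:
        raise ValueError("indefinite length is not allowed in DER")
    if len(data) < 2 + count:
        raise ValueError("truncated DER length")
    return 2 + count + int.from_bytes(data[2:2 + count], "big")


def split_pem(text):
    """Return [(label, der_bytes), ...] for every object in a PEM bundle."""
    objects = []
    for match in PEM_OBJECT.finditer(text):
        label, body = match.group(1), match.group(2)
        der = base64.b64decode("".join(body.split()), validate=True)
        # Each block must decode to exactly one complete DER SEQUENCE (tag 0x30).
        if not der or der[0] != 0x30 or der_object_length(der) != len(der):
            raise ValueError(f"{label} block is not a single DER SEQUENCE")
        objects.append((label, der))
    return objects


def to_pem(label, der):
    """Wrap one DER object in PEM armor with 64-column Base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (f"-----BEGIN {label}-----\n" + "\n".join(lines)
            + f"\n-----END {label}-----\n")


# Constructed sample data, not real X.509 certificates.
DER_A = bytes.fromhex("3003020101")                      # SEQUENCE { INTEGER 1 }
DER_B = b"\x30\x81\x83" + b"\x04\x81\x80" + bytes(128)   # long-form length
SAMPLE_BUNDLE = to_pem("CERTIFICATE", DER_A) + to_pem("CERTIFICATE", DER_B)


if __name__ == "__main__":
    for index, (label, der) in enumerate(split_pem(SAMPLE_BUNDLE)):
        print(f"object {index}: {label}, {len(der)} bytes of DER")
```

Writing each returned `der_bytes` value to its own file gives one DER object per file; the delimiters that make the bundle possible exist only in the PEM text.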
From awerner at glocalnet.net Tue Mar 17 09:14:53 2009
From: awerner at glocalnet.net (Alf Wernersson)
Date: Tue, 17 Mar 2009 09:14:53 +0100
Subject: GnuPG and Windows XP Home
In-Reply-To: <49BED754.3070805@Mozilla-Enigmail.org>
References: <49BEC2EE.4070104@glocalnet.net> <49BED754.3070805@Mozilla-Enigmail.org>
Message-ID: <49BF5BFD.9090001@glocalnet.net>

John Clizbe wrote:
> Alf Wernersson wrote:
>> I'm trying to install GPG on my Laptop running XP Home. After the
>> install process I run CMD and write "GPG --version". This seems to be
>> OK. After that I write "GPG --list-keys" and receive following message:
>
>> Does not GPG4win support Windows XP? Any suggestions?
>
> I haven't used the new gpg4win 1.1.4 but GnuPG 1.4.9 works fine on XP.
> ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.9.exe
> ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.9.exe.sig
>
> Since you issued --list-keys, I assume you already have keyring files,
> right?
>
> Do you have them where gpg is expecting them?
> 'gpg --version' will tell you where gpg expects to find keys.
>
> If you copied over keyrings, did you also copy the trustdb?
>
> Without knowing how you installed things and populated keyrings, all we can
> do is guess at problems and solutions.

Thanks for Your answer John,

I will try to explain my problem in detail. I myself am using GPG, Thunderbird and Enigmail. I want to use GPG4Win to communicate with a friend using Windows. To be able to tell him how to use it I tried to install on a Laptop using Windows XP Home. As I have problems I have installed and uninstalled a couple of times.
After last uninstall I also deleted all keys for GPG from registry and finished with a reboot. The install process of GPG4Win seems to be normal. After the install I tried to use GPA to create a Keypair for a new user and import my public key. Starting GPA I get a message box telling me:

"Fatal Error in GPGME library
(invoked from file /home/wk/src/gpg4win11/build/gpg4win-1.1.4/src/playground/build/gpa-0.8.0/srd/confdialog.c, line 1447):
Unsupported protocol
The application will be terminated"

As GPA depends on GPG I want to first determine if GPG works. Therefore I tried some commands from the commandline.

I don't think there are old keyring files left on the laptop but I'm not sure.

Do You have any suggestions how I can go on?

/Alf

From bo.berglund at agiusa.com Tue Mar 17 13:24:40 2009
From: bo.berglund at agiusa.com (Bo Berglund)
Date: Tue, 17 Mar 2009 13:24:40 +0100
Subject: Using GPG in embedded applications?
Message-ID: <400243DC98304BEA981DF04DC63DF278@agiusa.com>

Is it possible to use GPG encryption in embedded applications?
I would like to protect data passing from a PC over to an embedded computer unit via an unsecure channel (TCP/IP or USB) such that when it passes in the transfer line it will be GPG encrypted.
The idea is to have the PC program encrypt a fairly large chunk of data using the embedded unit's public key and then send the result over the channel into the embedded application.

Inside this (protected) hardware the secret key would be used to decode the data, then some processing would be done whereupon the resulting data is again GPG encrypted now with the public key of the PC program and sent back over the channel.
Finally the PC program would decode the data and further process it.

To do this I figured I would have to use the encryption/decryption kernel in the GPG package both in the PC and on the embedded application hardware.

So I would need to be able to:
1) Include the sourcecode of the relevant part of GPG into my PC application.
2) Include the same in the embedded hardware program.

Is this at all possible and how do I retrieve and identify the needed sourcefiles in GPG?

BosseB

From email at sven-radde.de Tue Mar 17 14:00:18 2009
From: email at sven-radde.de (Sven Radde)
Date: Tue, 17 Mar 2009 14:00:18 +0100
Subject: OT: file operations atomicity (was: Re: Re: gpg doesn't fail on target file existing when decrypting)
In-Reply-To:
References: <20090316161023.0EDC728046@smtp.hushmail.com> <49BEC1F9.709@dougbarton.us>
Message-ID: <49BF9EE2.10407@sven-radde.de>

Hi!

Andrew Flerchinger wrote:
>> 1. Use mktemp to safely create a new, unique file
>> 2. Send the decryption output to that file
>> 3. Test if the "real" file exists, and if so unlink it
>> 4. mv $newfile $realfilename
>>
> You're right, I could do that to make my work-around act atomic.

Be careful, this is not necessarily atomic. You're assuming transactions where no such thing exists.

If the system crashes in the wrong moment, you would have the real file unlinked and the renaming has not yet taken place. It might even be the case that the tempfile is not even persisted to disc.

I am not making this up, see for example the current discussion about the EXT4 data loss issue:

cu, Sven

From wk at gnupg.org Tue Mar 17 13:57:48 2009
From: wk at gnupg.org (Werner Koch)
Date: Tue, 17 Mar 2009 13:57:48 +0100
Subject: GnuPG and Windows XP Home
In-Reply-To: <49BF5BFD.9090001@glocalnet.net> (Alf Wernersson's message of "Tue, 17 Mar 2009 09:14:53 +0100")
References: <49BEC2EE.4070104@glocalnet.net> <49BED754.3070805@Mozilla-Enigmail.org> <49BF5BFD.9090001@glocalnet.net>
Message-ID: <87d4cg5msz.fsf@wheatstone.g10code.de>

On Tue, 17 Mar 2009 09:14, awerner at glocalnet.net said:

> "Fatal Error in GPGME library
> (invoked from file
> /home/wk/src/gpg4win11/build/gpg4win-1.1.4/src/playground/build/gpa-0.8.0/srd/confdialog.c,
> line 1447):
> Unsupported protocol

Please re-install and also select the "gnupg2" component.
It seems we need to release 1.1.5 to solve this more and more common problem.

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.

From dshaw at jabberwocky.com Tue Mar 17 14:04:47 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 17 Mar 2009 09:04:47 -0400
Subject: Using GPG in embedded applications?
In-Reply-To: <400243DC98304BEA981DF04DC63DF278@agiusa.com>
References: <400243DC98304BEA981DF04DC63DF278@agiusa.com>
Message-ID:

On Mar 17, 2009, at 8:24 AM, Bo Berglund wrote:

>
> Is it possible to use GPG encryption in embedded applications?
> I would like to protect data passing from a PC over to an embedded
> computer unit via an unsecure channel (TCP/IP or USB) such that when
> it passes in the transfer line it will be GPG encrypted.
> The idea is to have the PC program encrypt a fairly large chunk of
> data using the embedded unit's public key and then send the result
> over the channel into the embedded application.
>
> Inside this (protected) hardware the secret key would be used to
> decode the data, then some processing would be done whereupon the
> resulting data is again GPG encrypted now with the public key of the
> PC program and sent back over the channel.
> Finally the PC program would decode the data and further process it.
>
> To do this I figured I would have to use the encryption/decryption
> kernel in the GPG package both in the PC and on the embedded
> application hardware.
>
> So I would need to be able to:
> 1) Include the sourcecode of the relevant part of GPG into my PC
> application.
>
> 2) Include the same in the embedded hardware program.
>
> Is this at all possible and how do I retrieve and identify the
> needed sourcefiles in GPG?

In terms of legality - this is legal, but you must follow the license. GPG is licensed under the GPL.
See http://www.gnu.org/licenses/gpl.html for all the fine details (especially the FAQ there), but in general, if you want to include bits and pieces of GPG in your application, you must be prepared to release your application (both the PC side and embedded side) under the same terms as GPG.

In terms of engineering - is this really what you want? If your goal is to encrypt over an insecure channel, see OpenSSL or GnuTLS. If your goal is to encrypt using a library of encryption code, see libgcrypt or OpenSSL. Libgcrypt, in particular, contains the same crypto code as GPG (and more), packaged as a library, thus saving you the bother of extracting it.

Note also that the licensing of these packages is different than GPG, which may be of help as well.

David

From icrf.ml at gmail.com Tue Mar 17 14:50:08 2009
From: icrf.ml at gmail.com (Andrew Flerchinger)
Date: Tue, 17 Mar 2009 09:50:08 -0400
Subject: gpg doesn't fail on target file existing when decrypting
In-Reply-To: <49BECBDC.8050700@dougbarton.us>
References: <20090316161023.0EDC728046@smtp.hushmail.com> <49BEC1F9.709@dougbarton.us> <49BECBDC.8050700@dougbarton.us>
Message-ID:

On Mon, Mar 16, 2009 at 5:59 PM, Doug Barton wrote:
> You're approaching this problem from the standpoint of unattended
> usage, which is not how the current command line behavior was intended.
>
>
> Doug
>

Okay, I can work around it in a satisfactory fashion. My personal problem is solved.

Now, assuming that --batch is supposed to make gpg run in an unattended fashion, as documentation indicates, and behavior differs in this case between encrypt and decrypt, is there any reason this isn't a bug (albeit very minor) that should be reported? If so, should I start with the gnupg-devel mailing list, or create an account with the bug tracking system and create there?

Thank you all for your help.
Andrew

From Malcolm.Holland at fnis.com Tue Mar 17 20:25:29 2009
From: Malcolm.Holland at fnis.com (Holland, Malcolm)
Date: Tue, 17 Mar 2009 14:25:29 -0500
Subject: GNUPG
Message-ID:

I'm looking for instructions for upgrading GNUPG. Does anyone know where I can find this?

Malcolm Holland
901-523-5271
malcolm.holland at fnis.com

From vm.vinay at gmail.com Wed Mar 18 12:54:12 2009
From: vm.vinay at gmail.com (Vinay M)
Date: Wed, 18 Mar 2009 17:24:12 +0530
Subject: gpg: WARNING
Message-ID:

Hi,

When I run command "gpg --verify " I get the below mentioned warning.

gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.

1. I want to avoid this warning. How do I do that ?
2. Is this avoidable if I go with a trusted signature?
3. What does this warning exactly mean ?

Thanks,
Vinay

From lists_de at zemisch.de Wed Mar 18 18:28:30 2009
From: lists_de at zemisch.de (Dirk Zemisch)
Date: Wed, 18 Mar 2009 18:28:30 +0100
Subject: gpg: WARNING
In-Reply-To:
References:
Message-ID: <49C12F3E.4060204@zemisch.de>

Vinay M wrote:
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the
> owner.

> 1. I want to avoid this warning. How do I do that ?

Sign the key the file is signed by.

> 2.
Is this avoidable if I go with a trusted signature?

Is the file signed by you or by another? Where will you go with your signature?

> 3. What does this warning exactly mean ?

That without trust for the key which was used for signing the file you do not really know if the sender is really the one it seemed.

Regards!
Dirk
--

From dave.smith at st.com Wed Mar 18 18:04:04 2009
From: dave.smith at st.com (David SMITH)
Date: Wed, 18 Mar 2009 17:04:04 +0000
Subject: gpg: WARNING
In-Reply-To:
References:
Message-ID: <20090318170404.GT12513@bristol.st.com>

On Wed, Mar 18, 2009 at 05:24:12PM +0530, Vinay M wrote:
> Hi,
>
> When I run command "gpg --verify " I get the below mentioned
> warning.
>
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the
> owner.
>
> 1. I want to avoid this warning. How do I do that ?
> 2. Is this avoidable if I go with a trusted signature?
> 3. What does this warning exactly mean ?

It means that you haven't signed the key that you are using to check the signature, and GnuPG isn't able to validate the key with your web-of-trust.

Going back to basics for a moment...

You have got this signed file from somewhere. You have also obtained the key which claims to be from the sender. You might have got the key from a public keyserver, or possibly from somewhere else. How do you know that the key really is owned by the person it claims? Anyone can upload a key to a keyserver claiming to be from anyone. I could upload a key to a keyserver with the id "president at whitehouse.gov" and you would then download it.

You need to build yourself a web-of-trust by doing some keysigning. I suggest reading the GNU Privacy Handbook, on the GnuPG website, and if you still have questions, come back and ask...
--
David Smith         | Tel: +44 (0)1454 462380  Home: +44 (0)1454 616963
STMicroelectronics  | Fax: +44 (0)1454 462305  Mobile: +44 (0)7932 642724
1000 Aztec West     | TINA: 065 2380           GPG Key: 0xF13192F2
Almondsbury         | Work Email: Dave.Smith at st.com
BRISTOL, BS32 4SQ   | Home Email: David.Smith at ds-electronics.co.uk

From dougb at dougbarton.us Wed Mar 18 19:51:56 2009
From: dougb at dougbarton.us (Doug Barton)
Date: Wed, 18 Mar 2009 11:51:56 -0700
Subject: OT: file operations atomicity
In-Reply-To: <49BF9EE2.10407@sven-radde.de>
References: <20090316161023.0EDC728046@smtp.hushmail.com> <49BEC1F9.709@dougbarton.us> <49BF9EE2.10407@sven-radde.de>
Message-ID: <49C142CC.9010205@dougbarton.us>

Sven Radde wrote:
> Hi!
>
> Andrew Flerchinger wrote:
>>> 1. Use mktemp to safely create a new, unique file
>>> 2. Send the decryption output to that file
>>> 3. Test if the "real" file exists, and if so unlink it
>>> 4. mv $newfile $realfilename
>>>
>> You're right, I could do that to make my work-around act atomic.
>
> Be careful, this is not necessarily atomic. You're assuming transactions
> where no such thing exists.

I noticed that you were replying to Andrew, but FWIW I very carefully avoided using the word "atomic" in my post, for good reason.

> If the system crashes in the wrong moment, you would have the real file
> unlinked and the renaming has not yet taken place. It might even be the
> case that the tempfile is not even persisted to disc.

True, although you're talking millisecond timing it could happen. OTOH, if untrusted users are allowed on the system the old "symlink a harmless file to an important file so that the latter can be splattered by an automated process" is a long-known vulnerability that can easily be defended against. On the _other_ other hand, I left out the whole discussion about "What is your threat model?" and, "What is the value of the data relative to the amount of work you're willing to spend to protect it?"
It's also worth noting that even if the new decrypted file is lost before the old decrypted file is replaced, it's likely that you still have the clear original to work from so we're not talking about a catastrophic data loss. If we were concerned about destroying the clear original immediately after the new encrypted version is created then you would at minimum want to get the new version onto the same file system as the old one before you started removing things. > I am not making this up ... I believe you. :) My purpose was more to get the OP thinking in terms of better procedures for an automated process, and to try to point out that the current behavior of gnupg doesn't seem to be a bug. hth, Doug From jmoore3rd at bellsouth.net Wed Mar 18 20:06:21 2009 From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Wed, 18 Mar 2009 15:06:21 -0400 Subject: gpg: WARNING In-Reply-To: <20090318170404.GT12513@bristol.st.com> References: <20090318170404.GT12513@bristol.st.com> Message-ID: <49C1462D.7060600@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 David SMITH wrote: >> 1. I want to avoid this warning. How do I do that ? >> 2. Is this avoidable if I go with a trusted signature? >> 3. What does this warning exactly mean ? > > It means that you haven't signed the key that you are using to check the > signature, and GnuPG isn't able to validate the key with your web-of-trust. If You desire the 'Full Monty' Educational Course on 'WoT' [Web of Trust] then either stick around or ask specifically about it. Since I suspect You really just want the 'quick & dirty' Answers to the above Questions; here they are: 1. Add this single line to Your gpg.conf trust-model always The addition of this line [---trust-model-always from Command Line] will effectively 'tell' GPG that You have trust in _every_ Key in Your Keyring and therefore to suppress an unnecessary Warning. 2. Answer = YES 3.) See Quote from David Smith above. 
HTH JOHN ;) Timestamp: Wednesday 18 Mar 2009, 15:06 --400 (Eastern Daylight Time) From rjh at sixdemonbag.org Wed Mar 18 22:58:46 2009 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Wed, 18 Mar 2009 17:58:46 -0400 Subject: GNUPG In-Reply-To: References: Message-ID: <49C16E96.6050906@sixdemonbag.org> Holland, Malcolm wrote: > I'm looking for instructions for upgrading GNUPG. Does anyone know > where I can find this? Unfortunately, we are not mind-readers here. At the very least we'd need to know your operating system and your current version of GnuPG. Most upgrades are painless, but upgrading from very old systems can have a snag or two. From icrf.ml at gmail.com Wed Mar 18 23:01:35 2009 From: icrf.ml at gmail.com (Andrew Flerchinger) Date: Wed, 18 Mar 2009 18:01:35 -0400 Subject: OT: file operations atomicity In-Reply-To: <49C142CC.9010205@dougbarton.us> References: <20090316161023.0EDC728046@smtp.hushmail.com> <49BEC1F9.709@dougbarton.us> <49BF9EE2.10407@sven-radde.de> <49C142CC.9010205@dougbarton.us> Message-ID: On Wed, Mar 18, 2009 at 2:51 PM, Doug Barton wrote: > My purpose was more to get the OP thinking in terms > of better procedures for an automated process, and to try to point out > that the current behavior of gnupg doesn't seem to be a bug. > > > hth, > > Doug > That's still what I'm confused about.
What is a reason for, under the same conditions, intentionally making encrypt throw an error but making decrypt pass on as successful? Why wouldn't it be consistent? Andrew From gordian.klein at gmx.de Thu Mar 19 00:10:18 2009 From: gordian.klein at gmx.de (Gordian Klein) Date: Thu, 19 Mar 2009 00:10:18 +0100 Subject: gpgme on windows Message-ID: <49C17F5A.7080809@gmx.de> Hello, I want to use gpgme with Visual Studio on Windows. Therefore I downloaded gpg4win and now successfully use the libgpgme-11.dll from it with VS. But I have some trouble with the password callback function. It looks like this: static gpgme_error_t passphrase_cb (void *hook, const char *uid_hint, const char *passphrase_info, int prev_was_bad, int fd) It gets called successfully but I don't know how to write to fd. Because unistd.h does not exist on Windows and so write() is not available I used write from Windows . But that did crash the program with this line of code from write.c: _VALIDATE_CLEAR_OSSERR_RETURN((fh >= 0 && (unsigned)fh < (unsigned)_nhandle), EBADF, -1); In this case fd was 148 and _nhandle 32. I also tried converting fd somehow to a FILE but it didn't work either. What's my problem here? I'm stuck.. Thank you for any suggestions. Regards, Gordian From f.schwind at chili-radiology.com Thu Mar 19 09:14:57 2009 From: f.schwind at chili-radiology.com (Florian Schwind) Date: Thu, 19 Mar 2009 09:14:57 +0100 Subject: gpgme on windows In-Reply-To: <49C17F5A.7080809@gmx.de> References: <49C17F5A.7080809@gmx.de> Message-ID: <49C1FF01.1090406@chili-radiology.com> Gordian Klein wrote: > Hello, > > I want to use gpgme with Visual Studio on Windows. > Therefore I downloaded gpg4win and now successfully use the > libgpgme-11.dll from it with VS. > But I have some trouble with the password callback function.
> It looks like this:
>
> static gpgme_error_t passphrase_cb (void *hook,
>                                     const char *uid_hint,
>                                     const char *passphrase_info,
>                                     int prev_was_bad,
>                                     int fd)
>
> It gets called successfully but I don't know how to write to fd.
> Because unistd.h does not exist on Windows and so write() is not
> available I used write from Windows . But that did crash the
> program with this line of code from write.c:
>
> _VALIDATE_CLEAR_OSSERR_RETURN((fh >= 0 && (unsigned)fh <
> (unsigned)_nhandle), EBADF, -1);
> In this case fd was 148 and _nhandle 32.
>
> I also tried converting fd somehow to a FILE but it didn't work either.
>
> What's my problem here? I'm stuck..

Try something like this:

    #include <stdio.h>
    #ifdef WIN32
    #include <io.h>   /* _open_osfhandle */
    #endif

    /* On Windows the value passed as fd is an OS handle, not a C runtime
       descriptor; map it to one before handing it to write(). */
    int translate_fd(int fd, int for_write) {
    #ifdef WIN32
      int x;

      if (fd == -1) {
        return -1;
      }

      /* flags: 1 opens the descriptor write-only, 0 read-only */
      x = _open_osfhandle ((long)fd, for_write ? 1 : 0);
      if (x == -1) {
        printf("Failed to translate osfhandle %p\n", (void *) fd);
      }
      return x;
    #else /*!WIN32 */
      return fd;
    #endif
    }

http://msdn.microsoft.com/en-us/library/bdts1c9x(VS.71).aspx

> Thank you for any suggestions.
>
> Regards,
> Gordian

Best Regards
Florian

From gordian.klein at gmx.de Thu Mar 19 11:34:08 2009
From: gordian.klein at gmx.de (Gordian Klein)
Date: Thu, 19 Mar 2009 11:34:08 +0100
Subject: gpgme on windows
In-Reply-To: <49C1FF01.1090406@chili-radiology.com>
References: <49C17F5A.7080809@gmx.de> <49C1FF01.1090406@chili-radiology.com>
Message-ID: <49C21FA0.8070209@gmx.de>

> Try something like this:
>
> int translate_fd(int fd, int for_write) {
> #ifdef WIN32
>   int x;
>
>   if (fd == -1) {
>     return -1;
>   }
>
>   x = _open_osfhandle ((long)fd, for_write ? 1 : 0);
>   if (x == -1) {
>     printf("Failed to translate osfhandle %p\n", (void *) fd);
>   }
>   return x;
> #else /*!WIN32 */
>   return fd;
> #endif
> }
>
> http://msdn.microsoft.com/en-us/library/bdts1c9x(VS.71).aspx

Hello,

thank you! That did it. I figured fd is a System Handle on a Windows machine, and so I could use WriteFile((HANDLE)fd, ....) directly.
Again, thank you :-) Regards, Gordian From gordian.klein at gmx.de Thu Mar 19 18:24:37 2009 From: gordian.klein at gmx.de (Gordian Klein) Date: Thu, 19 Mar 2009 18:24:37 +0100 Subject: gpgme on windows In-Reply-To: <49C21FA0.8070209@gmx.de> References: <49C17F5A.7080809@gmx.de> <49C1FF01.1090406@chili-radiology.com> <49C21FA0.8070209@gmx.de> Message-ID: <49C27FD5.50909@gmx.de> Hello, now I have another question concerning gpgme and Windows. As I said in the previous post I do dynamically link my application with Visual Studio against the gpgme-11.dll from the gpg4win project. Is it somehow possible to statically link gpgme with Visual Studio? What would I have to do to get it done? I found an old project called mygpgme that does compile in VS, but it is really old and I'd like to use the current version of gpgme.. Is it possible to build a static library with mingw or cygwin that I can link against with VS? Regards, Gordian From rfransix at comcast.net Thu Mar 19 22:43:50 2009 From: rfransix at comcast.net (rfransix at comcast.net) Date: Thu, 19 Mar 2009 21:43:50 +0000 (UTC) Subject: make of libgcrypt on aix 4.3.2.0 failing Message-ID: <1778149280.7048941237499030528.JavaMail.root@sz0046a.emeryville.ca.mail.comcast.net> Hi, ./configure --disable-asm runs to success, the make fails with mpi/asm errors. Any help? is this a known bug? Much appreciated. From ggroenhoff at ggf-controls.de Thu Mar 19 19:38:30 2009 From: ggroenhoff at ggf-controls.de (Gert Groenhoff) Date: Thu, 19 Mar 2009 19:38:30 +0100 Subject: W2000: GnuPG interactive Message-ID: <49C29126.6090700@ggf-controls.de> Hi, I understood, if I use pgp without input file, I can enter the string to encrypt manually (over stdin). But how to finish the input?? Or generally: Where can I find a manual, how to use gpg interactive?
thanks Gert From f.schwind at chili-radiology.com Fri Mar 20 13:33:37 2009 From: f.schwind at chili-radiology.com (Florian Schwind) Date: Fri, 20 Mar 2009 13:33:37 +0100 Subject: gpgme on windows In-Reply-To: <49C27FD5.50909@gmx.de> References: <49C17F5A.7080809@gmx.de> <49C1FF01.1090406@chili-radiology.com> <49C21FA0.8070209@gmx.de> <49C27FD5.50909@gmx.de> Message-ID: <49C38D21.7030203@chili-radiology.com> Gordian Klein wrote: > Is it possible to build a static library with mingw or cygwin that i can > link against with VS? Have a look at: http://clbianco.altervista.org/gnupg/eng/gnupg.html I don't think this is a complete tutorial, but I managed to compile gpgme after a few days :-). When you finished to compile gnupg on windows, it should only be a matter of another few days to compile a static gpgme library. I can not lead you thru the whole process because there is a lot of try-and-error involved. It would be nice if there was more windows gpgme support... Best Regards Florian From wk at gnupg.org Fri Mar 20 14:59:15 2009 From: wk at gnupg.org (Werner Koch) Date: Fri, 20 Mar 2009 14:59:15 +0100 Subject: gpgme on windows In-Reply-To: <49C27FD5.50909@gmx.de> (Gordian Klein's message of "Thu, 19 Mar 2009 18:24:37 +0100") References: <49C17F5A.7080809@gmx.de> <49C1FF01.1090406@chili-radiology.com> <49C21FA0.8070209@gmx.de> <49C27FD5.50909@gmx.de> Message-ID: <87bprw2t3g.fsf@wheatstone.g10code.de> On Thu, 19 Mar 2009 18:24, gordian.klein at gmx.de said: > Is it possible to build a static library with mingw or cygwin that i can > link against with VS? No, the Microsoft C compiler requires a newer version of the Microsoft C runtime library than the one supported by mingw. This will lead to a lot of nasty problems, so you better don't do that. The different CRTs are also the reason why we provide a gpgme_free function to release memory allocated and returned by gpgme. Frankly I don't see a reason to use a static library. 
Only the DLL allows to hide symbols and have some ABI versioning. Let me also note that you need to release the full source code of your application including all required tools if you link statically. Salam-Shalom, Werner -- Thoughts are free. Exceptions are regulated by a federal law. From wk at gnupg.org Fri Mar 20 15:02:50 2009 From: wk at gnupg.org (Werner Koch) Date: Fri, 20 Mar 2009 15:02:50 +0100 Subject: W2000: GnuPG interactive In-Reply-To: <49C29126.6090700@ggf-controls.de> (Gert Groenhoff's message of "Thu, 19 Mar 2009 19:38:30 +0100") References: <49C29126.6090700@ggf-controls.de> Message-ID: <877i2k2sxh.fsf@wheatstone.g10code.de> On Thu, 19 Mar 2009 19:38, ggroenhoff at ggf-controls.de said: > I understood, if I use pgp without input file, I can enter the string > to encrypt manually (over stdin). > But how to finish the input?? In the Windows shell you use Ctrl-Z to terminate the input. However typing the text is not a very useful mode of operation. > Or generally: Where can I find a manual, how to use gpg interactive? gpg is a command line tool and there is nothing special in its use. You just need to learn the basics of interaction with the Windows command line interpreter (cmd.exe). Shalom-Salam, Werner -- Thoughts are free. Exceptions are regulated by a federal law. From chaz at chaz6.com Tue Mar 24 14:47:01 2009 From: chaz at chaz6.com (Chris Hills) Date: Tue, 24 Mar 2009 14:47:01 +0100 Subject: TPK Archival Message-ID: Hi I am looking for a tool to export a GPG private key to a Data Matrix 2d barcode for long-term archival. I have been searching but have yet to find any existing software to do this. I have looked at PaperKey but it only produces an ascii representation which is not optimized for machine-reading. My preferred output formats are PDF/EPS/SVG. If such software does not already exist, I would appreciate a pointer on how to make something myself, perhaps using the binary output from PaperKey.
Apologies if this has been discussed before but I could not find anything relevant.

Regards,

Chris Hills

From dshaw at jabberwocky.com Tue Mar 24 17:06:13 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 24 Mar 2009 12:06:13 -0400
Subject: TPK Archival
In-Reply-To:
References:
Message-ID: <20090324160612.GA85275@jabberwocky.com>

On Tue, Mar 24, 2009 at 02:47:01PM +0100, Chris Hills wrote:

> I am looking for a tool that to export a GPG private key to a Data
> Matrix 2d barcode for long-term archival. I have been searching but have
> yet to find any existing software to do this. I have looked at PaperKey
> but it only produces an ascii representation which is not optimized for
> machine-reading. My preferred output formats are PDF/EPS/SVG. If such
> software does not already exist, I would appreciate a pointer on how to
> make something myself, perhaps using the binary output from PaperKey.

Try something like this.

To encode:

  gpg --export-secret-key (thekey) | paperkey --output-type raw | dmtxwrite -e8 -f pdf > my_pdf_file.pdf

You can pass pdf, eps, svg, etc, to the -f option. Use 'dmtxwrite -l'
to get a list of all supported image formats.

To decode:

  dmtxread -N1 my_pdf_file.pdf | paperkey --pubring ~/.gnupg/pubring.gpg > my_new_secret_key.gpg

dmtxread and dmtxwrite are part of the very clever libdmtx package at
http://www.libdmtx.org/

I've actually been toying with building Data Matrix support directly
into paperkey (using libdmtx), but it's not clear what the point is
when dmtxread and dmtxwrite are so easy to use.

David

From chaz at chaz6.com Tue Mar 24 17:47:03 2009
From: chaz at chaz6.com (Chris Hills)
Date: Tue, 24 Mar 2009 17:47:03 +0100
Subject: TPK Archival
In-Reply-To: <20090324160612.GA85275__26089.1855498359$1237911056$gmane$org@jabberwocky.com>
References: <20090324160612.GA85275__26089.1855498359$1237911056$gmane$org@jabberwocky.com>
Message-ID:

On 24/03/09 17:06, David Shaw wrote:
> Try something like this.
> > To encode: > > gpg --export-secret-key (thekey) | paperkey --output-type raw | dmtxwrite -e8 -f pdf> my_pdf_file.pdf > > You can pass pdf, eps, svg, etc, to the -f option. Use 'dmtxwrite -l' > to get a list of all supported image formats. > > To decode: > > dmtxread -N1 my_pdf_file.pdf | paperkey --pubring ~/.gnupg/pubring.gpg> my_new_secret_key.gpg > > dmtxread and dmtxwrite are part of the very clever libdmtx package at > http://www.libdmtx.org/ > > I've actually been toying with building Data Matrix support directly > into paperkey (using libdmtx), but it's not clear what the point is > when dmtxread and dmtxwrite are so easy to use. > > David Thanks David, that is exactly what I was looking for. For some reason after I compiled libdmtx 0.7 the PDF and SVG formats are not available, but I can manage with PNG. Regards, Chris Hills From chaz at chaz6.com Tue Mar 24 17:55:15 2009 From: chaz at chaz6.com (Chris Hills) Date: Tue, 24 Mar 2009 17:55:15 +0100 Subject: TPK Archival In-Reply-To: References: <20090324160612.GA85275__26089.1855498359$1237911056$gmane$org@jabberwocky.com> Message-ID: On 24/03/09 17:47, Chris Hills wrote: > Thanks David, that is exactly what I was looking for. For some reason > after I compiled libdmtx 0.7 the PDF and SVG formats are not available, > but I can manage with PNG. Scratch that; SVG output does work, it is just not listed by `dmtxwrite -l`. Trying to use PDF on the other hand gives 'dmtxwrite: Illegal format "pdf"'. From dshaw at jabberwocky.com Tue Mar 24 18:06:40 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Tue, 24 Mar 2009 13:06:40 -0400 Subject: TPK Archival In-Reply-To: References: <20090324160612.GA85275__26089.1855498359$1237911056$gmane$org@jabberwocky.com> Message-ID: <20090324170640.GB85275@jabberwocky.com> On Tue, Mar 24, 2009 at 05:55:15PM +0100, Chris Hills wrote: > On 24/03/09 17:47, Chris Hills wrote: >> Thanks David, that is exactly what I was looking for. 
For some reason >> after I compiled libdmtx 0.7 the PDF and SVG formats are not available, >> but I can manage with PNG. > > Scratch that; SVG output does work, it is just not listed by `dmtxwrite > -l`. Trying to use PDF on the other hand gives 'dmtxwrite: Illegal > format "pdf"'. dmtxwrite uses ImageMagick for some image processing, so whatever file formats ImageMagick can handle on your platform, dmtxwrite can handle as well. FWIW, I'm on Fedora 10 (ImageMagick 6.4.0.10) and I have PDF, SVG, and PNG (and a few dozen others). David From chaz at chaz6.com Wed Mar 25 16:57:31 2009 From: chaz at chaz6.com (Chris Hills) Date: Wed, 25 Mar 2009 16:57:31 +0100 Subject: TPK Archival In-Reply-To: <20090324170640.GB85275__41411.2638835379$1237914635$gmane$org@jabberwocky.com> References: <20090324160612.GA85275__26089.1855498359$1237911056$gmane$org@jabberwocky.com> <20090324170640.GB85275__41411.2638835379$1237914635$gmane$org@jabberwocky.com> Message-ID: On 24/03/09 18:06, David Shaw wrote: > dmtxwrite uses ImageMagick for some image processing, so whatever file > formats ImageMagick can handle on your platform, dmtxwrite can handle > as well. > > FWIW, I'm on Fedora 10 (ImageMagick 6.4.0.10) and I have PDF, SVG, and > PNG (and a few dozen others). I grabbed an up to date copy (6.5.0-6) and now I have a lot more file formats available - including PDF. Thanks for the help! From niknot at gmail.com Thu Mar 26 06:53:59 2009 From: niknot at gmail.com (Nik N) Date: Thu, 26 Mar 2009 05:53:59 +0000 Subject: Using GPG in embedded applications? In-Reply-To: <400243DC98304BEA981DF04DC63DF278@agiusa.com> References: <400243DC98304BEA981DF04DC63DF278@agiusa.com> Message-ID: <328a5cf40903252253r4c6876f9v1aaf00ddfad54715@mail.gmail.com> On Tue, Mar 17, 2009 at 12:24 PM, Bo Berglund wrote: > ... > The idea is to have the PC program encrypt a fairly large chunk of data using the embedded unit's public key and then send the result over the channel into the embedded application. 
> > Inside this (protected) hardware the secret key would be used to decode the data, then some processing would be done whereupon the resulting data is again GPG encrypted now with the public key of the PC program and sent back over the channel. > Finally the PC program would decode the data and further process it. > I am trying to understand your threat model: If the attacker has access only to the channel but not to the two communicating devices, a simpler, symmetrical-cipher-only solution would suffice. If, on the other hand, the attacker has access to either device, isn't it reasonable to assume he'd be able to pry the decryption (private) key and decrypt the data (flowing in at least one direction)? Nik N. From felipe.alvarez at gmail.com Thu Mar 26 10:51:15 2009 From: felipe.alvarez at gmail.com (Felipe Alvarez) Date: Thu, 26 Mar 2009 19:51:15 +1000 Subject: cloudy understanding of asymmetric cryptography Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Someone today shook my understanding of asymmetric ciphers. _Bob performs symmetric encryption on message with_ _key "K" (generated randomly). He then encrypts "K" _ _with Alice's public key, and sends both the symmetrically _ _encrypted message and asymmetrically encrypted key to Alice_ Is this what happens during most/some/all of public-key communications? I had always thought that the message is encrypted with public key, and decrypted with secret key. I was not aware that key "K" was encrypted with public key, but message encrypted with __symmetric_cipher__. To help my understanding a little further, if this does not always occur, or does not usually occur, when does it occur (not occur)? Using what ciphers (algorithms)? I was unable to find adequate explanations online.
Thanks Felipe From bo.berglund at agiusa.com Thu Mar 26 10:54:52 2009 From: bo.berglund at agiusa.com (Bo Berglund) Date: Thu, 26 Mar 2009 10:54:52 +0100 Subject: Using GPG in embedded applications? In-Reply-To: <328a5cf40903252253r4c6876f9v1aaf00ddfad54715@mail.gmail.com> References: <400243DC98304BEA981DF04DC63DF278@agiusa.com> <328a5cf40903252253r4c6876f9v1aaf00ddfad54715@mail.gmail.com> Message-ID: The threat mode is concerning the hacking of PC based software. We want to place a vital part of the processing of data on a unit consisting of a microcontroller device which we design and build ourselves. It is not possible for a hacker to actually intercept the processing done on board this unit, but he would probably be able to hook into the transfer of data between the PC and the unit (USB or serial). So we want to encrypt the data stream. And of course the PC software can simply be attached to a debugger and traced through.... So now if there is a key pair used with a secret key embedded in the microcontroller code and the public key in the PC software the PC can encrypt the data set before transferring to the device using the device's public key. Then the device can decode it and then perform its processing after which it will encrypt it using some key before sending the data back. By using its own secret key to encode the result it would be possible to decode with the public key and the PC would get the processed data back for further processing. But by using a key pair also for the PC it would be even more difficult to break, because then the device would encrypt using the public key of the PC when sending back and the PC would decrypt using its "secret" key.
Of course the PC secret key would not be protected against debugger tracing, but since the debugger cannot see the public key in the device it cannot find out how the data should be formatted in a pirated device to mimic our device. Should work to deter hacking, I believe. But the problem is how to implement encrypting/decrypting on the microcontroller device.... Best Regards, Bo Berglund -----Original Message----- From: gnupg-users-bounces at gnupg.org [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Nik N Sent: Thursday, March 26, 2009 6:54 AM To: Gnupg-users at gnupg.org Subject: Re: Using GPG in embedded applications? On Tue, Mar 17, 2009 at 12:24 PM, Bo Berglund wrote: > ... > The idea is to have the PC program encrypt a fairly large chunk of data using the embedded unit's public key and then send the result over the channel into the embedded application. > > Inside this (protected) hardware the secret key would be used to decode the data, then some processing would be done whereupon the resulting data is again GPG encrypted now with the public key of the PC program and sent back over the channel. > Finally the PC program would decode the data and further process it. > I am trying to understand your threat model: If the attacker has access only to the channel but not to the two communicating devices, a simpler, symmetrical-cipher-only solution would suffice. If, on the other hand, the attacker has access to either device, isn't it reasonable to assume he'd be able to pry the decryption (private) key and decrypt the data (flowing in at least one direction)? Nik N.
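
Added example, not part of any list post and not GnuPG code: the step Bo Berglund describes as encrypting "a fairly large chunk of data using the embedded unit's public key" is, in OpenPGP-style practice, the hybrid construction Felipe Alvarez asks about in the "cloudy understanding of asymmetric cryptography" thread. The code uses Go's standard library, with RSA-OAEP and AES-256-GCM as assumed stand-ins for whatever algorithms a real implementation selects; Envelope, Seal, Open and NewRecipients are hypothetical names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is a hypothetical container, not the OpenPGP packet format:
// the message encrypted once, plus one wrapped copy of K per recipient.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte            // message under session key K (AES-256-GCM)
	WrappedKey map[string][]byte // recipient name -> K under that public key
}

var oaepLabel = []byte("session-key") // binds a wrapped blob to this purpose

// NewRecipients makes one throwaway RSA-2048 key pair per name. A sender
// only ever needs the second map (the public halves).
func NewRecipients(names ...string) (map[string]*rsa.PrivateKey, map[string]*rsa.PublicKey, error) {
	privs := make(map[string]*rsa.PrivateKey)
	pubs := make(map[string]*rsa.PublicKey)
	for _, n := range names {
		k, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			return nil, nil, err
		}
		privs[n], pubs[n] = k, &k.PublicKey
	}
	return privs, pubs, nil
}

func newGCM(k []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts msg once under a fresh random K, then wraps K per recipient.
func Seal(msg []byte, pubs map[string]*rsa.PublicKey) (*Envelope, error) {
	secret := make([]byte, 32+12) // 32-byte K, then a 12-byte GCM nonce
	if _, err := rand.Read(secret); err != nil {
		return nil, err
	}
	k, nonce := secret[:32], secret[32:]
	gcm, err := newGCM(k)
	if err != nil {
		return nil, err
	}
	env := &Envelope{nonce, gcm.Seal(nil, nonce, msg, nil), map[string][]byte{}}
	for name, pub := range pubs {
		// The slow public-key operation touches 32 bytes, never the message.
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, k, oaepLabel)
		if err != nil {
			return nil, err
		}
		env.WrappedKey[name] = w
	}
	return env, nil
}

// Open unwraps K with one recipient's private key and decrypts the message.
// A wrong key, a swapped wrapped key or a modified ciphertext returns an error.
func Open(env *Envelope, name string, priv *rsa.PrivateKey) ([]byte, error) {
	w, ok := env.WrappedKey[name]
	if !ok {
		return nil, errors.New("no wrapped session key for " + name)
	}
	k, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, oaepLabel)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(k)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	privs, pubs, err := NewRecipients("alice", "bob", "carol")
	if err != nil {
		panic(err)
	}
	msg := make([]byte, 1<<20) // constructed 1 MiB sample payload
	env, err := Seal(msg, pubs)
	if err != nil {
		panic(err)
	}
	pt, err := Open(env, "bob", privs["bob"])
	fmt.Println(len(pt), err, len(env.Ciphertext)-len(msg), len(env.WrappedKey))
}
```

The 1 MiB payload is encrypted once; each additional recipient adds only one 256-byte wrapped key to the envelope.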
From dave.smith at st.com Thu Mar 26 11:08:22 2009 From: dave.smith at st.com (David SMITH) Date: Thu, 26 Mar 2009 10:08:22 +0000 Subject: cloudy understanding of asymmetric cryptography In-Reply-To: References: Message-ID: <20090326100822.GY25774@bristol.st.com> On Thu, Mar 26, 2009 at 07:51:15PM +1000, Felipe Alvarez wrote: > _Bob performs symmetric encryption on message with_ > _key "K" (generated randomly). He then encrypts "K" _ > _with Alice's public key, and sends both the symmetrically _ > _encrypted message and asymmetrically encrypted key to Alice_ > > Is this what happens during most/some/all of public-key > communications? I had always thought that the message is encrypted > with public key, and decrypted with secret key. I was not aware that > key "K" was encrypted with public key, but message encrypted with > __symmetric_cipher__. Yes, this is what normally happens with typical usage of gpg. It's called a "hybrid" cipher system. I believe that the reason is that symmetric ciphers are usually more efficient on computing power than asymmetric ones, so you don't really want to be encrypting/decrypting lots of data with an asymmetric cipher. > To help my understanding a little further, if this does not always > occur, or does not usually occur, when does it occur (not occur)? > Using what ciphers (algorithms)? Typical usage for gpg will be ElGamal for the asymmetric public/private key bit, and AES for the symmetric cipher. -- David Smith | Tel: +44 (0)1454 462380 Home: +44 (0)1454 616963 STMicroelectronics | Fax: +44 (0)1454 462305 Mobile: +44 (0)7932 642724 1000 Aztec West | TINA: 065 2380 GPG Key: 0xF13192F2 Almondsbury | Work Email: Dave.Smith at st.com BRISTOL, BS32 4SQ | Home Email: David.Smith at ds-electronics.co.uk
From sk at intertivity.com Thu Mar 26 11:12:24 2009 From: sk at intertivity.com (Sascha Kiefer) Date: Thu, 26 Mar 2009 14:12:24 +0400 Subject: cloudy understanding of asymmetric cryptography In-Reply-To: References: Message-ID: <046401c9adfb$5d2c4a30$1784de90$@com> Yes, that is right. Asymmetric encryption is a slow process. Encrypting the whole message would take forever. So, symmetric keys are quite small, that's why the described technique is used. Cheers, Sascha -----Original Message----- From: gnupg-users-bounces at gnupg.org [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Felipe Alvarez Sent: Thursday, 26 March 2009 13:51 To: gnupg-users Subject: cloudy understanding of asymmetric cryptography -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Someone today shook my understanding of asymmetric ciphers. _Bob performs symmetric encryption on message with_ _key "K" (generated randomly). He then encrypts "K" _ _with Alice's public key, and sends both the symmetrically _ _encrypted message and asymmetrically encrypted key to Alice_ Is this what happens during most/some/all of public-key communications? I had always thought that the message is encrypted with public key, and decrypted with secret key. I was not aware that key "K" was encrypted with public key, but message encrypted with __symmetric_cipher__. To help my understanding a little further, if this does not always occur, or does not usually occur, when does it occur (not occur)? Using what ciphers (algorithms)? I was unable to find adequate explanations online.
Thanks Felipe From dave.smith at st.com Thu Mar 26 11:15:00 2009 From: dave.smith at st.com (David SMITH) Date: Thu, 26 Mar 2009 10:15:00 +0000 Subject: cloudy understanding of asymmetric cryptography In-Reply-To: References: Message-ID: <20090326101500.GZ25774@bristol.st.com> On Thu, Mar 26, 2009 at 07:51:15PM +1000, Felipe Alvarez wrote: > I was unable to find adequate explanations online. http://www.gnupg.org/gph/en/manual/x209.html -- David Smith | Tel: +44 (0)1454 462380 Home: +44 (0)1454 616963 STMicroelectronics | Fax: +44 (0)1454 462305 Mobile: +44 (0)7932 642724 1000 Aztec West | TINA: 065 2380 GPG Key: 0xF13192F2 Almondsbury | Work Email: Dave.Smith at st.com BRISTOL, BS32 4SQ | Home Email: David.Smith at ds-electronics.co.uk From email at sven-radde.de Thu Mar 26 11:17:22 2009 From: email at sven-radde.de (Sven Radde) Date: Thu, 26 Mar 2009 11:17:22 +0100 Subject: cloudy understanding of asymmetric cryptography In-Reply-To: References: Message-ID: <49CB5632.9020403@sven-radde.de> Hi! Felipe Alvarez wrote: > Someone today shook my understanding of asymmetric ciphers. > > _Bob performs symmetric encryption on message with_ > _key "K" (generated randomly). He then encrypts "K" _ > _with Alice's public key, and sends both the symmetrically _ > _encrypted message and asymmetrically encrypted key to Alice_ > > Is this what happens during most/some/all of public-key > communications? Yes.
It's called a "hybrid cryptosystem" and is exactly what is done in virtually all practical implementations (SSL, OpenPGP, ...). The main reason is that asymmetric operations are hugely inefficient so that you do not want to encrypt 1GB of data with RSA. Another reason: "K" could be separately encrypted with Alice's, Bob's and Carol's key which allows several recipients for an encrypted message without having to encrypt the message itself several times. HTH, Sven From felipe.alvarez at gmail.com Thu Mar 26 11:27:45 2009 From: felipe.alvarez at gmail.com (Felipe Alvarez) Date: Thu, 26 Mar 2009 20:27:45 +1000 Subject: cloudy understanding of asymmetric cryptography In-Reply-To: <49CB5632.9020403@sven-radde.de> References: <49CB5632.9020403@sven-radde.de> Message-ID: On Thu, Mar 26, 2009 at 8:17 PM, Sven Radde wrote: > Hi! > > Felipe Alvarez schrieb: >> Someone today shook my understanding of asymmetric ciphers. >> >> _Bob performs symmetric encryption on message with_ >> _key "K" (generated randomly). He then encrypts "K" _ >> _with Alice's public key, and sends both the symetrically _ >> _encrypted message and asymmetrically encrypted key to Alice_ >> >> Is this what happens during most/some/all of public-key >> communications? > Yes. It's called a "hybrid cryptosystem" and is exactly what is done in > virtually all practical implementations (SSL, OpenPGP, ...). > The main reason is that asymmetric operations are hugely inefficient so > that you do not want to encrypt 1GB of data with RSA. > > Another reason: "K" could be separately encrypted with Alice's, Bob's > and Carol's key which allows several recipients for an encrypted message > without having to encrypt the message itself several times. > > HTH, Sven > I learned a lot thanks for explaining it so quickly and easily. I had thought that the entire message was encrypted with (say) RSA! Is there a way to "force" gpg to encrypt an entire message with (example) RSA (just for time-testing purposes?) 
Felipe

From aheinlein at gmx.com Thu Mar 26 14:43:08 2009
From: aheinlein at gmx.com (Andreas Heinlein)
Date: Thu, 26 Mar 2009 14:43:08 +0100
Subject: cloudy understanding of asymmetric cryptography
In-Reply-To:
References: <49CB5632.9020403@sven-radde.de>
Message-ID: <49CB866C.30501@gmx.com>

Felipe Alvarez wrote:
> On Thu, Mar 26, 2009 at 8:17 PM, Sven Radde wrote:
>
>> Hi!
>>
>> Felipe Alvarez wrote:
>>
>>> Someone today shook my understanding of asymmetric ciphers.
>>>
>>> _Bob performs symmetric encryption on message with_
>>> _key "K" (generated randomly). He then encrypts "K" _
>>> _with Alice's public key, and sends both the symmetrically _
>>> _encrypted message and asymmetrically encrypted key to Alice_
>>>
>>> Is this what happens during most/some/all of public-key
>>> communications?
>>>
>> Yes. It's called a "hybrid cryptosystem" and is exactly what is done in
>> virtually all practical implementations (SSL, OpenPGP, ...).
>> The main reason is that asymmetric operations are hugely inefficient so
>> that you do not want to encrypt 1GB of data with RSA.
>>
>> Another reason: "K" could be separately encrypted with Alice's, Bob's
>> and Carol's key which allows several recipients for an encrypted message
>> without having to encrypt the message itself several times

I think the latter is the more important point nowadays. I do not believe doing complete RSA encryption would take too long on modern hardware for reasonable file sizes. But if you encrypted a file of 10MB to 10 recipients this way, it would become around 100MB in size.

> I learned a lot, thanks for explaining it so quickly and easily. I had
> thought that the entire message was encrypted with (say) RSA! Is there
> a way to "force" gpg to encrypt an entire message with (example) RSA
> (just for time-testing purposes?)
> Felipe

No, I don't think that's possible.
Bye,
Andreas

From jrhendri at maine.rr.com Thu Mar 26 12:39:18 2009
From: jrhendri at maine.rr.com (Jim Hendrick)
Date: Thu, 26 Mar 2009 07:39:18 -0400
Subject: cloudy understanding of asymmetric cryptography
In-Reply-To:
Message-ID: <20090326113919.NLCT25595.hrndva-omta02.mail.rr.com@homefor3xonccj>

Yup - you got it.

Symmetric encryption is *way* faster (that's a technical term :-) than asymmetric. Hence the slower version is used to exchange a random key that is then used to handle the encryption/decryption of the data.

Algorithms are implementation dependent but it is common to use 3DES for the symmetric.

-----Original Message-----
From: gnupg-users-bounces at gnupg.org [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Felipe Alvarez
Sent: Thursday, March 26, 2009 5:51 AM
To: gnupg-users
Subject: cloudy understanding of asymmetric cryptography

Someone today shook my understanding of asymmetric ciphers.

_Bob performs symmetric encryption on message with_
_key "K" (generated randomly). He then encrypts "K" _
_with Alice's public key, and sends both the symmetrically _
_encrypted message and asymmetrically encrypted key to Alice_

Is this what happens during most/some/all of public-key communications? I had always thought that the message is encrypted with public key, and decrypted with secret key. I was not aware that key "K" was encrypted with public key, but message encrypted with __symmetric_cipher__.

To help my understanding a little further, if this does not always occur, or does not usually occur, when does it occur (not occur)? Using what ciphers (algorithms)?

I was unable to find adequate explanations online.
Thanks
Felipe

From l_pat_s at hotmail.com Fri Mar 27 02:36:40 2009
From: l_pat_s at hotmail.com (Pat Somerville)
Date: Thu, 26 Mar 2009 21:36:40 -0400
Subject: What will GnuPG 1.4.5 do with soft returns within a public key? Other questions.
Message-ID:

Hi. I use PGP (Pretty Good Privacy) 8.0.2 in Windows XP Home Edition. My friend uses GnuPG (Gnu Privacy Guard), perhaps still version 1.4.5 and I guess in Windows XP. After a hard-drive replacement I discovered that I had saved his GnuPG public key in a .doc file on a Recordable Compact Disc (CD-R) I burned. I imported his public key into PGPkeys somehow from that file. Opening that file in Word Perfect 9 and making formatting characters visible I could see backwards-paragraph-looking symbols at the ends of lines for soft returns for end-of-line "wraparounds" of long lines.

Question 1. What would GnuPG 1.4.5 do with a soft-return character like this? Would it treat it as a character and not ignore it or extract it or ignore it? That is, would the addition of soft returns to a public key "mess up" decryptions using GnuPG 1.4.5? Answers may involve looking at the source code for GnuPG 1.4.5.

I opened that .doc file in Windows XP's program WordPad and saved it as a "Text Document - MS DOS" (Microsoft Disk Operating System) "Format" file type with a txt extension. Just before the last step of that process, I received the notice reading, "You are about to save the document in a Text-Only format, which will remove all formatting." After clicking a "Yes" button to that, I noticed that some short lines lengthened.
So I surmise that those soft returns were probably deleted in generating the .txt file containing the public key, something I liked to happen. However, test decryptions made from encryptions making use of both the .doc and .txt versions of a public key were both successful. So I conclude that PGP 8.0.2 and PGP 6.02i extracted or ignored the soft returns; that is, the soft returns were of no consequence in encryptions in PGP 8.0.2 and decryptions in PGP 6.02i.

Question 2. What about spaces? Will GnuPG 1.4.5 and PGP 8.0.2 ignore them in a public key? I understand that GnuPG is written in the computer language C and partly in Assembly Language.

Question 3. If I wanted to see the code for the reading of a public key in GnuPG 1.4.5, where would I find it both on the Internet and in what file and section of the code?

Question 4. Back to my friend's failure to decrypt my PGP-encrypted message, can you imagine a Windows-XP update updating a Windows file and thereby making GnuPG 1.4.5 on such a computer suddenly a non-working program? I imagined such a possibility and suggested that if my friend fails to decrypt a message in a test, that he uninstall GnuPG 1.4.5 and install GnuPG 1.4.9, which might have been built to handle more-current Windows files. Does anyone want to agree or disagree with any of my thinking here? I cannot yet completely rule out the simple possibility of my friend missing something or making a mistake in typing GnuPG commands as an explanation for his failure to decrypt my PGP-encrypted message.

Thanks in advance for anyone taking the time to reply to me.
From grover at sitepark.com Fri Mar 27 15:47:27 2009
From: grover at sitepark.com (Christoph Gröver)
Date: Fri, 27 Mar 2009 15:47:27 +0100
Subject: Signing all outgoing mails on MTA, not on MUA
Message-ID: <20090327154727.4d0fef88@aeshna.sitepark.local>

Hello List,

We'd like to be able to sign all our outgoing mails.

But not on each client system, which would mean everyone has to install
some plugin or gpg-aware mail client, but on the mailserver itself.

This way nobody has to think about it and signing works transparently
for everyone. We would have one key for all, like a corporate key.

Is this possible ? I understand we will have to parse and rebuild the
mime structure for this ?

What do you think ?

Thank you for your time,

Bye

--
Christoph Groever, grover at sitepark.com

From cbabcock at kolonelpanic.com Fri Mar 27 16:56:14 2009
From: cbabcock at kolonelpanic.com (Chris Babcock)
Date: Fri, 27 Mar 2009 08:56:14 -0700
Subject: Signing all outgoing mails on MTA, not on MUA
In-Reply-To: <20090327154727.4d0fef88@aeshna.sitepark.local>
References: <20090327154727.4d0fef88@aeshna.sitepark.local>
Message-ID: <20090327085614.28c1ee3f@mail.asciiking.com>

On Fri, 27 Mar 2009 15:47:27 +0100 Christoph Gröver wrote:
> This way nobody has to think about it and signing works transparently
> for everyone. We would have one key for all, like a corporate key.

You may want to ask legal how they feel about adding nonrepudiation automatically to every message.

If you had a system where you could make a meaningful assertion about the identity of a mail originator and you could secure a key without using a passphrase then you might use OpenPGP to make that assertion by operating GnuPG in batch mode. It's much more likely, however, that the type of identity you wish to assert is not compatible with the OpenPGP model and that the security infrastructure is inadequate to make that assertion meaningfully. Think, for example, about key signing.
Who would be qualified to verify that the key is connected with the identity in any meaningful way?

The corporate value of public key cryptography is much more readily attained using DKIM. Milter setup and key management for signing DKIM mail is pretty straightforward. You place your key in Text records in DNS. That establishes a meaningful connection between the identity of the sender (or at least ownership of the mail server) and the owner of the domain. Setting up DKIM with Postfix was at least as easy as setting up GPG with Claws and it makes an identity assertion that is appropriate for a server environment.

Chris

From harakiri_23 at yahoo.com Fri Mar 27 16:54:25 2009
From: harakiri_23 at yahoo.com (Harakiri)
Date: Fri, 27 Mar 2009 08:54:25 -0700 (PDT)
Subject: Signing all outgoing mails on MTA, not on MUA
In-Reply-To: <20090327154727.4d0fef88@aeshna.sitepark.local>
Message-ID: <88089.89703.qm@web52205.mail.re2.yahoo.com>

You are better off buying a commercial product, parsing e-mails
specific for PGP (except pgp/mime) is not an easy task and frankly,
without very good knowledge of eml standards (or richtext outlook msg
format files) you will not achieve anything good

gnupg will just do the signing for you, there is no mime parser -
that is your task - and it's a tough one

--- On Fri, 3/27/09, Christoph Gröver wrote:

> From: Christoph Gröver
> Subject: Signing all outgoing mails on MTA, not on MUA
> To: gnupg-users at gnupg.org
> Date: Friday, March 27, 2009, 10:47 AM
> Hello List,
>
> We'd like to be able to sign all our outgoing mails.
>
> But not on each client system, which would mean everyone
> has to install
> some plugin or gpg-aware mail client, but on the mailserver
> itself.
>
> This way nobody has to think about it and signing works
> transparently
> for everyone.
> We would have one key for all, like a
> corporate key.
>
> Is this possible ? I understand we will have to parse and
> rebuild the
> mime structure for this ?
>
> What do you think ?
>
> Thank you for your time,
>
> Bye
>
> --
> Christoph Groever, grover at sitepark.com

From steve at srevilak.net Sat Mar 28 16:51:34 2009
From: steve at srevilak.net (Steve Revilak)
Date: Sat, 28 Mar 2009 11:51:34 -0400 (EDT)
Subject: Signing all outgoing mails on MTA, not on MUA
In-Reply-To: <20090327085614.28c1ee3f@mail.asciiking.com>
References: <20090327154727.4d0fef88@aeshna.sitepark.local> <20090327085614.28c1ee3f@mail.asciiking.com>
Message-ID:

grover> We'd like to be able to sign all our outgoing mails.

grover> But not on each client system, which would mean everyone has
grover> to install some plugin or gpg-aware mail client, but on the
grover> mailserver itself.

grover> This way nobody has to think about it and signing works
grover> transparently for everyone. We would have one key for all,
grover> like a corporate key.

cbabcock> The corporate value of public key cryptography is much more
cbabcock> readily attained using DKIM. Milter setup and key management
cbabcock> for signing DKIM mail is pretty straightforward. You place
cbabcock> your key in Text records in DNS. That establishes a
cbabcock> meaningful connection between the identity of the sender (or
cbabcock> at least ownership of the mail server) and the owner of the
cbabcock> domain. Setting up DKIM with Postfix was at least as easy as
cbabcock> setting up GPG with Claws and it makes an identity assertion
cbabcock> that is appropriate for a server environment.

I agree with Chris -- this seems like a good application for DKIM.
In addition to non-repudiation, some email service providers will be much less likely to categorize DKIM-signed messages as spam (if that kind of thing matters to you.)

One DKIM implementation I've used is . dkim-milter is very straightforward to set up with sendmail, and I know of people who've used it with postfix (configured as a mail filter.)

Steve

From hs2412 at gmail.com Sun Mar 29 07:09:28 2009
From: hs2412 at gmail.com (Hardeep Singh)
Date: Sun, 29 Mar 2009 10:39:28 +0530
Subject: offtopic: need help from Mac owner
Message-ID:

Hi All

I need someone with a Safari browser to test something for me: it won't
take more than 3 min.

I have a webpage that unjumbles words, and which is somewhat popular.
I am building a new version which is AJAX based and the prototype is
ready. I have tested it on Opera, IE, Firefox (on Windows and Linux)
but do not have a way to test on Safari. Please do the following:

1. Navigate to http://unjumble.seeingwithc.org/unjumx.php.
2. In the text box, enter 'llarec' (without quotes) and press enter. A
wait icon should be shown, and afterwards 'caller' should be
displayed.
3. In the text box, enter 'otalt' and this time, instead of pressing
enter - press the Unjumble button. Same thing should happen, 'lotta'
should be displayed.

In no case should the form reload. Please let me know what happens.

Regards
Hardeep Singh
http://blog.Hardeep.name

From jbruni at me.com Sun Mar 29 08:47:41 2009
From: jbruni at me.com (Joseph Oreste Bruni)
Date: Sat, 28 Mar 2009 23:47:41 -0700
Subject: offtopic: need help from Mac owner
In-Reply-To:
References:
Message-ID: <0F4C8C9D-86A0-4925-8CE1-3312E641D737@me.com>

On Mar 28, 2009, at 10:09 PM, Hardeep Singh wrote:

> I have tested it on Opera, IE, Firefox (on Windows and Linux)
> but do not have a way to test on Safari.
Why not just download the Windows version of Safari and test it yourself?

From shavital at mac.com Sun Mar 29 11:51:23 2009
From: shavital at mac.com (Charly Avital)
Date: Sun, 29 Mar 2009 05:51:23 -0400
Subject: offtopic: need help from Mac owner
In-Reply-To:
References:
Message-ID: <49CF449B.9020708@mac.com>

Hardeep Singh wrote the following on 3/29/09 1:09 AM:
> Hi All
>
> I need someone with a Safari browser to test something for me: it won't
> take more than 3 min.
>
> I have a webpage that unjumbles words, and which is somewhat popular.
> I am building a new version which is AJAX based and the prototype is
> ready. I have tested it on Opera, IE, Firefox (on Windows and Linux)
> but do not have a way to test on Safari. Please do the following:
>
> 1. Navigate to http://unjumble.seeingwithc.org/unjumx.php.
> 2. In the text box, enter 'llarec' (without quotes) and press enter. A
> wait icon should be shown, and afterwards 'caller' should be
> displayed.
> 3. In the text box, enter 'otalt' and this time, instead of pressing
> enter - press the Unjumble button. Same thing should happen, 'lotta'
> should be displayed.
>
> In no case should the form reload. Please let me know what happens.
>
> Regards
> Hardeep Singh
> http://blog.Hardeep.name

It works perfectly as you indicated:
- first press enter llarec becomes caller
- write otalt in the text field, press Unjumble, lotta shows
without the form having reloaded.
Thanks for the URL, it might help me unjumble the IHT "Word Jumble" :-)

Regards,

MacOS 10.5.6 - MacBook Intel C2Duo "Aluminum Late 2008"- GnuPG 1.4.9 - GPG2 2.0.11 - Thunderbird 2.0.0.21 +Enigmail 0.95.7 - Apple's Mail+GPGMail 1.2.0 (v56), PGP key: 0xA57A8EFA

From kloecker at kde.org Sun Mar 29 12:11:09 2009
From: kloecker at kde.org (Ingo Klöcker)
Date: Sun, 29 Mar 2009 12:11:09 +0200
Subject: offtopic: need help from Mac owner
In-Reply-To:
References:
Message-ID: <200903291211.13624@thufir.ingo-kloecker.de>

On Sunday 29 March 2009, Hardeep Singh wrote:
> Hi All
>
> I need someone with a Safari browser to test something for me: it
> won't take more than 3 min.
>
> I have a webpage that unjumbles words, and which is somewhat popular.
> I am building a new version which is AJAX based and the prototype is
> ready. I have tested it on Opera, IE, Firefox (on Windows and Linux)
> but do not have a way to test on Safari. Please do the following:
>
> 1. Navigate to http://unjumble.seeingwithc.org/unjumx.php.
> 2. In the text box, enter 'llarec' (without quotes) and press enter.
> A wait icon should be shown, and afterwards 'caller' should be
> displayed.
> 3. In the text box, enter 'otalt' and this time, instead of pressing
> enter - press the Unjumble button. Same thing should happen, 'lotta'
> should be displayed.
>
> In no case should the form reload. Please let me know what happens.

FWIW, it also works (as described above) with Konqueror 3.5.9.

But it fails to unjumble "setec astronomy". :-)

Regards,
Ingo
From simon at ist-schlau.de Sun Mar 29 20:57:36 2009
From: simon at ist-schlau.de (Simon Ferber)
Date: Sun, 29 Mar 2009 20:57:36 +0200
Subject: GnuPG with pcsc-lite, scdaemon segfaults
Message-ID: <49CFC4A0.6040500@ist-schlau.de>

Hello list,

I installed a fresh amd64 system with gnupg and smartcard support.
When pcsc-lite is started, I can see the following in the logs:

Mar 29 20:51:13 [pcscd] ifdhandler.c:1249:init_driver() DriverOptions: 0x0000
Mar 29 20:51:13 [pcscd] ifdhandler.c:77:IFDHCreateChannelByName() lun: 0, device: usb:046a/003e:libusb:004:002
Mar 29 20:51:13 [pcscd] ccid_usb.c:233:OpenUSBByName() Manufacturer: Ludovic Rousseau (ludovic.rousseau at free.fr)
Mar 29 20:51:13 [pcscd] ccid_usb.c:243:OpenUSBByName() ProductString: Generic CCID driver v1.3.1
Mar 29 20:51:13 [pcscd] ccid_usb.c:249:OpenUSBByName() Copyright: This driver is protected by terms of the GNU Lesser General Public License version 2.1, or (at your option) any later version.
Mar 29 20:51:13 [pcscd] ccid_usb.c:397:OpenUSBByName() Found Vendor/Product: 046A/003E (Cherry SmartTerminal ST-2XXX)
Mar 29 20:51:13 [pcscd] ccid_usb.c:399:OpenUSBByName() Using USB bus/device: 004/002
Mar 29 20:51:13 [pcscd] ccid_usb.c:752:get_data_rates() IFD does not support GET_DATA_RATES request: Broken pipe
Mar 29 20:51:13 [pcscd] ifdhandler.c:271:IFDHGetCapabilities() lun: 0, tag: 0xFAE
Mar 29 20:51:13 [pcscd] ifdhandler.c:313:IFDHGetCapabilities() Reader supports 1 slot(s)
Mar 29 20:51:18 [pcscd] ifdhandler.c:841:IFDHPowerICC() lun: 0, action: PowerUp
Mar 29 20:51:18 [pcscd] eventhandler.c:431:EHStatusHandlerThread() Card inserted into Cherry SmartTerminal ST-2XXX (00000aa4) 00 00
Mar 29 20:51:18 [pcscd] Card ATR: 3B FA 13 00 FF 81 31 80 45 00 31 C1 73 C0 01 00 00 90 00 B1
Mar 29 20:51:21 [pcscd] eventhandler.c:358:EHStatusHandlerThread() Card Removed From Cherry SmartTerminal ST-2XXX (00000aa4) 00 00

As you can see, it finds the reader and recognises the insertion of a card.
Well, no matter which options I give to gnupg, I get a segfault in the logs:

Mar 29 20:52:43 [kernel] gnupg-pcsc-wrap[21763]: segfault at 0 ip 0000000000000000 sp 00007fffc815e0d8 error 14 in gnupg-pcsc-wrapper[400000+87000]

Or when I try to start scdaemon, it segfaults again:

ray ~ # scdaemon --debug-all --pcsc-driver /usr/lib/libpcsclite.so.1.0.0 --server
scdaemon[21766]: Optionen werden aus '/root/.gnupg/scdaemon.conf' gelesen
scdaemon[21766]: Handhabungsroutine für fd -1 gestartet
Speicherzugriffsfehler

I tried several versions of gnupg and pcsc-lite. But it always segfaults. :-/

Any idea?

Oh, btw, now I use:
Kernel 2.6.28
gpg 2.0.11
libgcrypt 1.4.4
pcsc-lite 1.4.2

I ran out of ideas...

Kind regards,
Simon

From grover at sitepark.com Mon Mar 30 01:13:26 2009
From: grover at sitepark.com (Christoph Gröver)
Date: Mon, 30 Mar 2009 01:13:26 +0200
Subject: Signing all outgoing mails on MTA, not on MUA
In-Reply-To: <88089.89703.qm@web52205.mail.re2.yahoo.com>
References: <20090327154727.4d0fef88@aeshna.sitepark.local> <88089.89703.qm@web52205.mail.re2.yahoo.com>
Message-ID: <20090330011326.6514172c@aeshna.sitepark.local>

Hello Harakiri,

> You are better off buying a commercial product, parsing e-mails
> specific for PGP (except pgp/mime) is not an easy task and frankly,
> without very good knowledge of eml standards (or richtext outlook msg
> format files) you will not achieve anything good
>
> gnupg will just do the signing for you, there is no mime parser -
> that is your task - and it's a tough one
>

Yes, definitely, Harakiri. I already found out. I started to implement a parsing and signing feature with a filtering script, which works in very simple cases, but fails in any of the more complex ones.

Since we will not want to buy anything, I guess the DKIM suggested by the others will be the way to go.

Thank you for your answer.
--
Christoph Gröver, grover at sitepark.com

From grover at sitepark.com Mon Mar 30 01:22:48 2009
From: grover at sitepark.com (Christoph Gröver)
Date: Mon, 30 Mar 2009 01:22:48 +0200
Subject: Signing all outgoing mails on MTA, not on MUA
In-Reply-To:
References: <20090327154727.4d0fef88@aeshna.sitepark.local> <20090327085614.28c1ee3f@mail.asciiking.com>
Message-ID: <20090330012248.2008d282@aeshna.sitepark.local>

On Sat, 28 Mar 2009 11:51:34 -0400 (EDT), Steve Revilak wrote:

Hello Chris, Hello Steve,

Thank you for your suggestions.

From the quick glance I had at the wikipedia page of DKIM, that thing will be the right thing for us, I think.

I will have to convince the management, of course .... and you never know what path they follow ;-).

Greetings,

--
Christoph Gröver, grover at sitepark.com

From lurkos.usenet at gmail.com Mon Mar 30 00:54:07 2009
From: lurkos.usenet at gmail.com (Lurkos)
Date: Sun, 29 Mar 2009 22:54:07 +0000 (UTC)
Subject: gpgsm key creation problem
References: <75b21f2f0903031658s53146722y87af64eebc79bb8c@mail.gmail.com> <877i35eil0.fsf__26766.9478118934$1236160072$gmane$org@wheatstone.g10code.de>
Message-ID: <20090329225407.4063.55365.XPN@L622132.user.x-privat.org>

First of all excuse me for the long delay.
You can find the information requested below. I hope this is enough.
Thanks!

*Werner Koch* wrote:

>> I'm new in gpgsm and I would like to test X.509 and S/MIME style encryption.
>> Then I tried the "classical" --gen-key option to generate a new
>> keypair, but this error appears.
>> What's wrong?
>>
>> gpgsm: line 1: key generation failed: Unknown IPC command

> Most likely the gpg-agent is not running or not properly installed.
> Check the manual on how to install the gpg-agent.
$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=8.04
DISTRIB_CODENAME=hardy
DISTRIB_DESCRIPTION="Ubuntu 8.04.2"

# apt-get install gnupg-agent

$ apt-cache policy gpgsm gnupg-agent
gpgsm:
  Installed: 2.0.7-1
  Candidate: 2.0.7-1
  Version table:
 *** 2.0.7-1 0
        500 http://it.archive.ubuntu.com hardy/main Packages
        100 /var/lib/dpkg/status
gnupg-agent:
  Installed: 2.0.7-1
  Candidate: 2.0.7-1
  Version table:
 *** 2.0.7-1 0
        500 http://it.archive.ubuntu.com hardy/main Packages
        100 /var/lib/dpkg/status

> A quick test to see whether the gpg-agent is working is to run
> gpg-agent without any options.
> You may want to configure a log file for the gpg-agent to see what is
> going on. Put these lines into ~/.gnupg/gpg-agent.conf before starting
> gpg-agent:
> ======
> log-file /somewhere/gpg-agent.log
> debug 1024
> verbose
> =======
> In the log you should see a "GENKEY" command.

This is the transcription of the output which I obtained.

lurkos at laptop:~$ LANG=en_US.UTF-8
lurkos at laptop:~$ export LANG
lurkos at laptop:~$ cat .gnupg/gpg-agent.conf
log-file /tmp/gpg-agent.log
debug 1024
verbose
lurkos at laptop:~$ gpg-agent --daemon
GPG_AGENT_INFO=/tmp/gpg-lkV8GJ/S.gpg-agent:3922:1; export GPG_AGENT_INFO;
lurkos at laptop:~$ gpg-agent
gpg-agent: gpg-agent running and available
gpg-agent: secmem usage: 0/32768 bytes in 0 blocks
lurkos at laptop:~$ gpgsm --gen-key
gpgsm (GnuPG) 2.0.7; Copyright (C) 2007 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA
   (2) Existing key
   (3) Existing key from card
Your selection? 1
What keysize do you want? (2048)
Requested keysize is 2048 bits
Possible actions for a RSA key:
   (1) sign, encrypt
   (2) sign
   (3) encrypt
Your selection?
1
Enter the X.509 subject name: CN=Test
Enter email addresses (end with an empty line):
> test at mail.invalid
>
Enter DNS names (optional; end with an empty line):
>
Enter URIs (optional; end with an empty line):
>
Parameters to be used for the certificate request:
    Key-Type: RSA
    Key-Length: 2048
    Key-Usage: sign, encrypt
    Name-DN: CN=Test
    Name-Email: test at mail.invalid

Really create request? (y/N) y
Now creating certificate request. This may take a while ...
gpgsm: line 1: key generation failed: No pinentry
gpgsm: error creating certificate request: No pinentry
lurkos at laptop:~$ cat /tmp/gpg-agent.log
gpg-agent[1702.0] DBG: -> OK Pleased to meet you
2009-03-30 00:38:31 gpg-agent[2703] listening on socket `/tmp/gpg-cAKKBI/S.gpg-agent'
2009-03-30 00:38:31 gpg-agent[2787] handler 0x8097e38 for fd 9 started
gpg-agent[2787.9] DBG: -> OK Pleased to meet you
gpg-agent[2787.9] DBG: <- AGENT_ID
gpg-agent[2787.9] DBG: -> ERR 67109139 Comando IPC sconosciuto
gpg-agent[2787.9] DBG: <- [EOF]
2009-03-30 00:38:31 gpg-agent[2787] handler 0x8097e38 for fd 9 terminated
2009-03-30 00:38:51 gpg-agent[3057] listening on socket `/tmp/gpg-0eJXxA/S.gpg-agent'
2009-03-30 00:38:58 gpg-agent[2787] handler 0x8097e38 for fd 9 started
gpg-agent[2787.9] DBG: -> OK Pleased to meet you
gpg-agent[2787.9] DBG: <- BYE
gpg-agent[2787.9] DBG: -> OK closing connection
2009-03-30 00:38:58 gpg-agent[2787] handler 0x8097e38 for fd 9 terminated
2009-03-30 00:39:16 gpg-agent[2787] handler 0x8097e38 for fd 9 started
gpg-agent[2787.9] DBG: -> OK Pleased to meet you
gpg-agent[2787.9] DBG: <- RESET
gpg-agent[2787.9] DBG: -> OK
gpg-agent[2787.9] DBG: <- OPTION display=:0.0
gpg-agent[2787.9] DBG: -> OK
gpg-agent[2787.9] DBG: <- OPTION ttyname=/dev/pts/0
gpg-agent[2787.9] DBG: -> OK
gpg-agent[2787.9] DBG: <- OPTION ttytype=xterm
gpg-agent[2787.9] DBG: -> OK
gpg-agent[2787.9] DBG: <- OPTION lc-ctype=it_IT.UTF-8
gpg-agent[2787.9] DBG: -> OK
gpg-agent[2787.9] DBG: <- OPTION lc-messages=it_IT.UTF-8
gpg-agent[2787.9]
DBG: -> OK
gpg-agent[2787.9] DBG: <- RESET
gpg-agent[2787.9] DBG: -> OK
gpg-agent[2787.9] DBG: <- GENKEY
gpg-agent[2787.9] DBG: -> INQUIRE KEYPARAM
gpg-agent[2787.9] DBG: <- D (6:genkey(3:rsa(5:nbits4:2048)))
gpg-agent[2787.9] DBG: <- END
2009-03-30 00:39:16 gpg-agent[2787] starting a new PIN Entry
2009-03-30 00:39:16 gpg-agent[2787] can't connect to the PIN entry module: IPC connect call failed
2009-03-30 00:39:16 gpg-agent[2787] command genkey failed: Nessun pinentry disponibile
gpg-agent[2787.9] DBG: -> ERR 67108949 Nessun pinentry disponibile
gpg-agent[2787.9] DBG: <- [EOF]
2009-03-30 00:39:16 gpg-agent[2787] handler 0x8097e38 for fd 9 terminated
2009-03-30 00:42:35 gpg-agent[2787] parent process died - shutting down
2009-03-30 00:42:35 gpg-agent[2787] gpg-agent (GnuPG) 2.0.7 stopped
2009-03-30 00:42:35 gpg-agent[2787] secmem usage: 0/32768 bytes in 0 blocks
2009-03-30 00:42:46 gpg-agent[3357] listening on socket `/tmp/gpg-NLC81b/S.gpg-agent'
2009-03-30 00:42:46 gpg-agent[3441] handler 0x8097e38 for fd 9 started
gpg-agent[3441.9] DBG: -> OK Pleased to meet you
gpg-agent[3441.9] DBG: <- AGENT_ID
gpg-agent[3441.9] DBG: -> ERR 67109139 Comando IPC sconosciuto
gpg-agent[3441.9] DBG: <- [EOF]
2009-03-30 00:42:46 gpg-agent[3441] handler 0x8097e38 for fd 9 terminated
2009-03-30 00:44:06 gpg-agent[3921] listening on socket `/tmp/gpg-lkV8GJ/S.gpg-agent'
2009-03-30 00:44:11 gpg-agent[3441] handler 0x8097e38 for fd 9 started
gpg-agent[3441.9] DBG: -> OK Pleased to meet you
gpg-agent[3441.9] DBG: <- BYE
gpg-agent[3441.9] DBG: -> OK closing connection
2009-03-30 00:44:11 gpg-agent[3441] handler 0x8097e38 for fd 9 terminated
2009-03-30 00:44:33 gpg-agent[3441] handler 0x8097e38 for fd 9 started
gpg-agent[3441.9] DBG: -> OK Pleased to meet you
gpg-agent[3441.9] DBG: <- RESET
gpg-agent[3441.9] DBG: -> OK
gpg-agent[3441.9] DBG: <- OPTION display=:0.0
gpg-agent[3441.9] DBG: -> OK
gpg-agent[3441.9] DBG: <- OPTION ttyname=/dev/pts/0
gpg-agent[3441.9] DBG: -> OK
gpg-agent[3441.9]
DBG: <- OPTION ttytype=xterm
gpg-agent[3441.9] DBG: -> OK
gpg-agent[3441.9] DBG: <- OPTION lc-ctype=en_US.UTF-8
gpg-agent[3441.9] DBG: -> OK
gpg-agent[3441.9] DBG: <- OPTION lc-messages=en_US.UTF-8
gpg-agent[3441.9] DBG: -> OK
gpg-agent[3441.9] DBG: <- RESET
gpg-agent[3441.9] DBG: -> OK
gpg-agent[3441.9] DBG: <- GENKEY
gpg-agent[3441.9] DBG: -> INQUIRE KEYPARAM
gpg-agent[3441.9] DBG: <- D (6:genkey(3:rsa(5:nbits4:2048)))
gpg-agent[3441.9] DBG: <- END
2009-03-30 00:44:33 gpg-agent[3441] starting a new PIN Entry
2009-03-30 00:44:33 gpg-agent[3441] can't connect to the PIN entry module: IPC connect call failed
2009-03-30 00:44:33 gpg-agent[3441] command genkey failed: Nessun pinentry disponibile
gpg-agent[3441.9] DBG: -> ERR 67108949 Nessun pinentry disponibile
gpg-agent[3441.9] DBG: <- [EOF]
2009-03-30 00:44:34 gpg-agent[3441] handler 0x8097e38 for fd 9 terminated

--
Lurkos

From wk at gnupg.org Mon Mar 30 18:46:14 2009
From: wk at gnupg.org (Werner Koch)
Date: Mon, 30 Mar 2009 18:46:14 +0200
Subject: GnuPG with pcsc-lite, scdaemon segfaults
In-Reply-To: <49CFC4A0.6040500@ist-schlau.de> (Simon Ferber's message of "Sun, 29 Mar 2009 20:57:36 +0200")
References: <49CFC4A0.6040500@ist-schlau.de>
Message-ID: <87y6unufft.fsf@wheatstone.g10code.de>

On Sun, 29 Mar 2009 20:57, simon at ist-schlau.de said:

> Mar 29 20:52:43 [kernel] gnupg-pcsc-wrap[21763]: segfault at 0 ip
> 0000000000000000 sp 00007fffc815e0d8 error 14 in
> gnupg-pcsc-wrapper[400000+87000]

As a quick test, run

  gnupg-pcsc-wrapper --verbose 1

and check whether it segfaults as well (Terminate it with Ctrl-C). That
binary might be installed at /usr/libexec/ or /usr/lib/. If this does
not work, create a core dump and run gdb on it to get a backtrace.

Shalom-Salam,

   Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.
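An added example, not part of any message in this archive, for the gpg-agent debug log posted in the "gpgsm key creation problem" message above. It pairs each Assuan command (`<-`) with the agent's reply (`->`) and splits the numeric ERR value into libgpg-error's source and code fields; the log excerpt is copied from that message, the function names are hypothetical, and the two small name tables cover only the values seen in that log.

```python
import re

# Excerpt of the gpg-agent.log lines quoted in the message above.
SAMPLE_LOG = """\
gpg-agent[2787.9] DBG: -> OK Pleased to meet you
gpg-agent[2787.9] DBG: <- AGENT_ID
gpg-agent[2787.9] DBG: -> ERR 67109139 Comando IPC sconosciuto
gpg-agent[2787.9] DBG: <- [EOF]
2009-03-30 00:39:16 gpg-agent[2787] handler 0x8097e38 for fd 9 started
gpg-agent[2787.9] DBG: -> OK Pleased to meet you
gpg-agent[2787.9] DBG: <- RESET
gpg-agent[2787.9] DBG: -> OK
gpg-agent[2787.9] DBG: <- GENKEY
gpg-agent[2787.9] DBG: -> INQUIRE KEYPARAM
gpg-agent[2787.9] DBG: <- D (6:genkey(3:rsa(5:nbits4:2048)))
gpg-agent[2787.9] DBG: <- END
2009-03-30 00:39:16 gpg-agent[2787] starting a new PIN Entry
2009-03-30 00:39:16 gpg-agent[2787] can't connect to the PIN entry module: IPC connect call failed
gpg-agent[2787.9] DBG: -> ERR 67108949 Nessun pinentry disponibile
gpg-agent[2787.9] DBG: <- [EOF]
"""

# Protocol trace lines look like: gpg-agent[<pid>.<fd>] DBG: <direction> <payload>
TRACE = re.compile(r"^gpg-agent\[(?P<conn>\d+\.\d+)\] DBG: (?P<dir><-|->) (?P<msg>.*)$")

# Only the values that occur in the posted log; libgpg-error defines many more.
SOURCE_NAMES = {4: "GPG Agent"}
CODE_NAMES = {85: "GPG_ERR_NO_PIN_ENTRY", 275: "GPG_ERR_ASS_UNKNOWN_CMD"}


def decode_gpg_error(value):
    """Split a libgpg-error value: source in bits 24-30, code in the low 16 bits."""
    return (value >> 24) & 0x7F, value & 0xFFFF


def failed_commands(log_text):
    """Return one record per ERR reply, attributed to the command that caused it."""
    pending = {}      # connection id -> last command still waiting for OK/ERR
    failures = []
    for line in log_text.splitlines():
        match = TRACE.match(line.strip())
        if not match:
            continue  # timestamped status lines are not protocol traffic
        conn, direction, msg = match.group("conn", "dir", "msg")
        parts = msg.split(" ", 2)
        verb = parts[0]
        if direction == "<-":
            # D/END answer an INQUIRE and [EOF] closes the socket: not new commands.
            if verb not in ("D", "END", "[EOF]"):
                pending[conn] = verb
        elif verb == "OK":
            pending.pop(conn, None)
        elif verb == "ERR" and len(parts) > 1:
            source, code = decode_gpg_error(int(parts[1]))
            failures.append({
                "command": pending.pop(conn, None),
                "source": source,
                "source_name": SOURCE_NAMES.get(source, "unknown"),
                "code": code,
                "code_name": CODE_NAMES.get(code, "unknown"),
                "text": parts[2] if len(parts) > 2 else "",
            })
    return failures


if __name__ == "__main__":
    for failure in failed_commands(SAMPLE_LOG):
        print("{command}: {code_name} ({code}) from {source_name}: {text}".format(**failure))
```

On the posted log this attributes the "no pinentry" error to GENKEY and the "unknown IPC command" error to the earlier AGENT_ID request, not to key generation.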
From simon at ist-schlau.de Tue Mar 31 22:06:31 2009
From: simon at ist-schlau.de (Simon Ferber)
Date: Tue, 31 Mar 2009 22:06:31 +0200
Subject: GnuPG with pcsc-lite, scdaemon segfaults
In-Reply-To: <87y6unufft.fsf@wheatstone.g10code.de>
References: <49CFC4A0.6040500@ist-schlau.de> <87y6unufft.fsf@wheatstone.g10code.de>
Message-ID: <49D277C7.5030600@ist-schlau.de>

Hello Werner,

gnupg-pcsc-wrapper --verbose 1 segfaults too.
I don't know if I did it right, but here is a backtrace:

gdb /usr/libexec/gnupg-pcsc-wrapper --core core --batch --quiet -ex "thread apply all bt full" -ex "quit"

warning: core file may not match specified executable file.
Core was generated by `/usr/libexec/gnupg-pcsc-wrapper --verbose 1'.
Program terminated with signal 11, Segmentation fault.
[New process 13335]
#0 0x0000000000000000 in ?? ()

Thread 1 (process 13335):
#0 0x0000000000000000 in ?? ()
No symbol table info available.
#1 0x00007fab4ae7271f in __pthread_initialize_minimal_internal () from /lib/libpthread.so.0
No symbol table info available.
#2 0x00007fab4ae71e59 in _init () from /lib/libpthread.so.0
No symbol table info available.
#3 0x00007fab4b494fe0 in ?? () from /usr/lib/libpcsclite.so
No symbol table info available.
#4 0x0000000000436eeb in call_init ()
No symbol table info available.
#5 0x0000000000437075 in _dl_init ()
No symbol table info available.
#6 0x0000000000415180 in dl_open_worker ()
No symbol table info available.
#7 0x00000000004136f6 in _dl_catch_error ()
No symbol table info available.
---Type to continue, or q to quit---
#8 0x0000000000414a55 in _dl_open ()
No symbol table info available.
#9 0x0000000000404dfc in dlopen_doit ()
No symbol table info available.
#10 0x00000000004136f6 in _dl_catch_error ()
No symbol table info available.
#11 0x0000000000405061 in _dlerror_run ()
No symbol table info available.
#12 0x0000000000404d7e in __dlopen ()
No symbol table info available.
#13 0x00000000004007de in main (argc=, argv=0x7fff534c0128) at pcsc-wrapper.c:318
last_argc =
api_number = 8388608
c =

Is it useful or do I have to use different options?

Regards
Simon

Werner Koch wrote:
> On Sun, 29 Mar 2009 20:57, simon at ist-schlau.de said:
>
>
>> Mar 29 20:52:43 [kernel] gnupg-pcsc-wrap[21763]: segfault at 0 ip
>> 0000000000000000 sp 00007fffc815e0d8 error 14 in
>> gnupg-pcsc-wrapper[400000+87000]
>>
>
> As a quick test, run
>
> gnupg-pcsc-wrapper --verbose 1
>
> and check whether it segfaults as well (Terminate it with Ctrl-C). That
> binary might be installed at /usr/libexec/ or /usr/lib/. If this does
> not work, create a core dump and run gdb on it to get a backtrace.
>
>
> Shalom-Salam,
>
> Werner
>
>

From c.whoami at gmail.com Sun Mar 29 21:37:32 2009
From: c.whoami at gmail.com (Chrys M)
Date: Sun, 29 Mar 2009 21:37:32 +0200
Subject: default symmetric algorithm used for private key
Message-ID: <3f58ee9b0903291237y3e9af9cbg2855a0ed0b0e18b9@mail.gmail.com>

Hello,

I am trying to find out which is the default algorithm that GPG uses to encrypt my private key with the passphrase provided. Is there a command that I can use?

Thank you very much
Chrys

p.s Please cc to me the emails because I am not subscribed to the mailing list.
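An added example for the "cloudy understanding of asymmetric cryptography" thread earlier in this archive; it is not code from any poster or from GnuPG. It sketches the hybrid scheme Sven Radde describes, with the session key "K" wrapped once per recipient, and the size comparison Andreas Heinlein raises. To run on the Python standard library alone it assumes toy stand-ins: unpadded 512-bit RSA and a SHA-256 counter keystream in place of a real symmetric cipher. All function names are hypothetical.

```python
import hashlib
import math
import secrets

SESSION_KEY_BYTES = 16  # the random session key "K" (128 bits)


def _is_probable_prime(n, rounds=24):
    """Miller-Rabin test, sufficient for demo-sized keys."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=512, e=65537):
    """Toy RSA key pair ((n, e), (n, d)); 512 bits is far too small for real use."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _keystream_xor(key, data):
    """Stand-in symmetric cipher: XOR with SHA-256(key || offset) blocks."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)


def encrypt_hybrid(message, recipients):
    """recipients maps name -> public key (n, e). The body is encrypted once."""
    k = secrets.token_bytes(SESSION_KEY_BYTES)
    k_int = int.from_bytes(k, "big")
    # Unpadded RSA for brevity; OpenPGP pads the session key before RSA.
    wrapped = {name: pow(k_int, e, n) for name, (n, e) in recipients.items()}
    return {"wrapped_keys": wrapped, "body": _keystream_xor(k, message)}


def decrypt_hybrid(packet, name, private_key):
    """Unwrap K with the recipient's private key (n, d), then decrypt the body."""
    n, d = private_key
    k_int = pow(packet["wrapped_keys"][name], d, n)
    if k_int >> (8 * SESSION_KEY_BYTES):
        raise ValueError("unwrapped value is not a session key (wrong private key?)")
    return _keystream_xor(k_int.to_bytes(SESSION_KEY_BYTES, "big"), packet["body"])


def size_comparison(packet, recipients):
    """(bytes sent by the hybrid scheme, bytes if the body were repeated per recipient)."""
    wrapped = sum((n.bit_length() + 7) // 8 for n, _ in recipients.values())
    hybrid = len(packet["body"]) + wrapped
    separate = len(packet["body"]) * len(recipients)
    return hybrid, separate


if __name__ == "__main__":
    keys = {name: generate_keypair() for name in ("alice", "bob", "carol")}
    public = {name: pair[0] for name, pair in keys.items()}
    packet = encrypt_hybrid(b"meet at the flying boat" * 1000, public)
    for name in public:
        assert decrypt_hybrid(packet, name, keys[name][1]).startswith(b"meet")
    print("hybrid vs. one copy per recipient (bytes):", size_comparison(packet, public))
```

Each extra recipient costs one wrapped key (64 bytes with these toy keys), while the encrypted body is stored only once.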