From vedaal at hush.com Fri May 1 02:01:06 2009
From: vedaal at hush.com (vedaal at hush.com)
Date: Thu, 30 Apr 2009 20:01:06 -0400
Subject: Selecting cipher to generate a key pair
Message-ID: <20090501000106.CCDC51A003A@smtp.hushmail.com>

>Is it possible to select a specific cipher, such as
>Triple-DES or Blowfish, to use to generate a key pair?

if, by selection, you mean to choose that cipher as the one
protecting your secret key, then yes

use the following options:

--expert --s2k-cipher-algo name

(either Blowfish or 3DES, or any other one you wish)

n.b.

[1] a key generated this way will still be able to use any cipher
while decrypting or encrypting a pgp message

[2] do not add '--s2k-cipher-algo name' to your gpg.conf, unless
you want all symmetric messages (not encrypted to a Public Key)
to be the same as the cipher of your secret key

vedaal

any ads or links below this message are added by hushmail without
my endorsement or awareness of the nature of the link

From dshaw at jabberwocky.com Fri May 1 04:57:12 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 30 Apr 2009 22:57:12 -0400
Subject: New results against SHA-1
Message-ID:

http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf

There is not much hard information yet, but the two big quotes are
"SHA-1 collisions now 2^52" and "Practical collisions are within
resources of a well funded organisation."
David

From allen.schultz at gmail.com Fri May 1 05:08:41 2009
From: allen.schultz at gmail.com (Allen Schultz)
Date: Thu, 30 Apr 2009 21:08:41 -0600
Subject: Selecting cipher to generate a key pair
In-Reply-To: <20090501000106.CCDC51A003A@smtp.hushmail.com>
Message-ID: <49FA67B9.8070708@gmail.com>

vedaal at hush.com wrote:
> (either Blowfish or 3DES, or any other one you wish)

What's the default to encrypting/hashing the secret key? And how good is it?

Allen

From rjh at sixdemonbag.org Fri May 1 06:13:49 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 01 May 2009 00:13:49 -0400
Subject: Selecting cipher to generate a key pair
In-Reply-To: <49FA67B9.8070708@gmail.com>
Message-ID: <49FA76FD.4040501@sixdemonbag.org>

Allen Schultz wrote:
> What's the default to encrypting/hashing the secret key? And how good is it?

CAST5-128.

It's hard to talk about how good it is. Cryptography is an intensively
mathematical discipline, and most people are not very well-equipped to
discuss those details. Ultimately, it would be like arguing whether
King Kong or Godzilla is better at urban destruction. Biologists can
argue until the cows come home which one would be better and why, but
from the perspective of your average inhabitant of Tokyo or New York
City the answer is, "Who cares? Get out of town _right now_!"

From the perspective of the overwhelming majority of OpenPGP users,
CAST5-128 does the job just fine.
The only instances I'm aware of in which CAST5-128 doesn't do the job
well are ones where bureaucratic rules require specific algorithms, and
CAST5-128 isn't on that checklist. That's a bureaucratic failing,
though, not a failing of CAST5-128.

From atom at smasher.org Fri May 1 05:58:47 2009
From: atom at smasher.org (Atom Smasher)
Date: Fri, 1 May 2009 15:58:47 +1200 (NZST)
Subject: New results against SHA-1
Message-ID: <20090501035849.7658.qmail@smasher.org>

On Thu, 30 Apr 2009, David Shaw wrote:

> http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf
>
> There is not much hard information yet, but the two big quotes are
> "SHA-1 collisions now 2^52" and "Practical collisions are within
> resources of a well funded organisation."
===================

so... when is the open-pgp spec moving beyond SHA1 hashes to identify
public keys? what's next? will it have to be a bigger hash?

--
        ...atom

 ________________________
 http://atom.smasher.org/
 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
 -------------------------------------------------

        "Workers of the World, Unite! You have nothing
         to lose but your chains."
                -- Karl Marx, 1848

From cathy.smith at pnl.gov Fri May 1 18:08:44 2009
From: cathy.smith at pnl.gov (Smith, Cathy)
Date: Fri, 1 May 2009 09:08:44 -0700
Subject: Selecting cipher to generate a key pair
In-Reply-To: <255999BBAD1AEE4EA6AA193F66611642AEAA0A@EMAIL03.pnl.gov>
Message-ID: <255999BBAD1AEE4EA6AA193F66611642AEAA1C@EMAIL03.pnl.gov>

My apologies to the group. I meant to say
gpg --gen-key

I have a customer who can not accept our pgp public key. They are
asking for a specific cipher to be used in generating the public key.
After some reading yesterday, it seemed that gpg might be the solution.
I don't have any experience with gpg, and limited pgp experience.

Regards,
Cathy

---
Cathy L. Smith
Engineer
Pacific Northwest National Laboratory
Operated by Battelle for the U.S. Department of Energy

Phone: 509.375.2687
Fax: 509.375.2330
Email: cathy.smith at pnl.gov

-----Original Message-----
From: Smith, Cathy
Sent: Thursday, April 30, 2009 2:54 PM
To: 'gnupg-users at gnupg.org'
Subject: Selecting cipher to generate a key pair

Is it possible to select a specific cipher, such as Triple-DES or
Blowfish, to use to generate a key pair? I've read email posted in the
archives, and FAQ that indicates this is possible. I don't see an
option to do that just running
pgp --gen-key

Thanks.

Cathy

From vedaal at hush.com Fri May 1 20:41:04 2009
From: vedaal at hush.com (vedaal at hush.com)
Date: Fri, 01 May 2009 14:41:04 -0400
Subject: Selecting cipher to generate a key pair
Message-ID: <20090501184105.0963820040@smtp.hushmail.com>

"Smith, Cathy" wrote on
Date: 2009-05-01 16:08:44 :

>I have a customer who can not accept our pgp public key.
>They are asking for a specific cipher to be used in generating the public key.

this sounds like there might be a 'problem' ...

there are people who 'can' use 'any' cipher, but prefer a particular
one, or have a company policy to use a specific one, e.g.
AES-256 or 3DES

and there are people whose programs can use only 'one' cipher, and no
others

at the risk of taking 'wild guesses' ;-)
the only situations i can think of where a person 'cannot' accept
anything other than one cipher are:

[1] a die-hard pgp 2.x user who needs a v3 key using IDEA
(yes, they still exist, but probably won't survive the move to 64 bit
systems)

[2] a company that is bound by some standard to use AES or 3DES

(i can't imagine any company really insisting on 'only Blowfish' and
nothing else ;-) )
[ anyway, it was 'cracked on 24' and shown on network tv to have a
'backdoor' ;-) ]

{please excuse the 'semi-off' geek humor,
blowfish has 'no' backdoor and is still quite secure, no matter what
hollywood writers say ;-)) }

if you have situation [1], you are out of luck using any current gnupg
or pgp,
(there was a post on how to do this with an older gnupg version, but it
would be much simpler to just use pgp2.x to generate it)

if you have situation [2], it is much easier,

temporarily put the following 2 lines in your gpg.conf

expert
s2k-cipher-algo name

('name' is the name of the cipher your client wants)

then save your gpg.conf and run gpg --gen-key

the key will be generated with the cipher your client wants

if this still doesn't help, then please post 'exactly' what you need
done

vedaal

any ads or links below this message are added by hushmail without
my endorsement or awareness of the nature of the link

From cathy.smith at pnl.gov Fri May 1 23:42:26 2009
From: cathy.smith at pnl.gov (Smith, Cathy)
Date: Fri, 1 May 2009 14:42:26 -0700
Subject: Selecting cipher to generate a key pair
In-Reply-To: <49FA76FD.4040501@sixdemonbag.org>
Message-ID: <255999BBAD1AEE4EA6AA193F66611642AEAA41@EMAIL03.pnl.gov>

Is there a brief explanation available as to how the cipher is used in
generating the private/public keys? It seems this is separate from the
cipher that is chosen to encrypt my data.

Thanks.

Cathy

From rjh at sixdemonbag.org Sat May 2 00:57:34 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 01 May 2009 18:57:34 -0400
Subject: Selecting cipher to generate a key pair
In-Reply-To: <255999BBAD1AEE4EA6AA193F66611642AEAA41@EMAIL03.pnl.gov>
Message-ID: <49FB7E5E.9060101@sixdemonbag.org>

Smith, Cathy wrote:
> Is there a brief explanation available as to how the cipher is used in
> generating the private/public keys? It seems this is separate from the
> cipher that is chosen to encrypt my data.

rjh at chronicles:~$ gpg --enable-dsa2 --gen-key
Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)

If you choose #1, you will be using, by default, DSA as a signature
algorithm, AES256 as a general-purpose message encryption algorithm,
Elgamal as an asymmetric encryption algorithm, and SHA1 as a hash
algorithm.

None of these algorithms are actually used to generate the
private/public keys, though. The private and public keys are just
numbers. GnuPG generates those numbers from a cryptographically secure
pseudorandom number generator, then subjects the numbers to a battery
of mathematical tests to make sure the keys are safe to use.

Is it possible for you to tell us what algorithms your correspondent
expects you to use? Knowing that might help us out quite a bit.

From cathy.smith at pnl.gov Sat May 2 01:04:41 2009
From: cathy.smith at pnl.gov (Smith, Cathy)
Date: Fri, 1 May 2009 16:04:41 -0700
Subject: Selecting cipher to generate a key pair
In-Reply-To: <49FB7E5E.9060101@sixdemonbag.org>
Message-ID: <255999BBAD1AEE4EA6AA193F66611642AEAA4D@EMAIL03.pnl.gov>

The customer stated that he can accept a public key generated with
either Blowfish or Triple-DES. I wasn't sure what he needed because all
I've dealt with in generating a key pair before is selecting the DSA or
RSA option. Our PGP version doesn't offer the DSA and Elgamal option.

I've sent him a GnuPG-generated key, and asked him to find out if they
are using GnuPG. I haven't heard from him today.

Cathy

From rjh at sixdemonbag.org Sat May 2 01:21:40 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 01 May 2009 19:21:40 -0400
Subject: Selecting cipher to generate a key pair
In-Reply-To: <255999BBAD1AEE4EA6AA193F66611642AEAA4D@EMAIL03.pnl.gov>
Message-ID: <49FB8404.7000600@sixdemonbag.org>

Smith, Cathy wrote:
> The customer stated that he can accept a public key generated with
> either Blowfish or Triple-DES. I wasn't sure what he needed because all
> I've dealt with in generating a key pair before is selecting the DSA or
> RSA option. Our PGP version doesn't offer the DSA and Elgamal option.

It probably does, actually; PGP just, for marketing reasons, calls it
Diffie-Hellman/DSS. (Long story, but yes, they're the exact same
thing.)

That said, your customer does not appear to understand how GnuPG or PGP
work. _All_ OpenPGP-conformant applications (GnuPG, PGP, and others)
can handle 3DES; and 3DES has absolutely nothing to do with how you
generate your public key.
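
[Added example, not part of any poster's message and not GnuPG code.] The distinction the thread keeps returning to can be seen in the OpenPGP packet layout (RFC 4880, section 5.5): a v4 public-key packet holds only the key numbers, while the secret-key packet adds a protection header naming the cipher that --s2k-cipher-algo selects. The key bytes below are constructed for illustration, and the function names are this example's own.

```python
import struct

# Algorithm IDs from RFC 4880 sections 9.1, 9.2 and 9.4.
PUBKEY_ALGOS = {1: ("RSA", 2), 16: ("Elgamal", 3), 17: ("DSA", 4)}  # name, public MPI count
CIPHERS = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "Blowfish",
           7: "AES128", 8: "AES192", 9: "AES256", 10: "Twofish"}
HASHES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
          9: "SHA384", 10: "SHA512", 11: "SHA224"}
S2K_TYPES = {0: ("simple", 0), 1: ("salted", 8), 3: ("iterated+salted", 9)}  # name, extra bytes


def read_mpi(buf, pos):
    """Read one multiprecision integer: 2-byte bit length, then the value."""
    if pos + 2 > len(buf):
        raise ValueError("truncated MPI header")
    bits = struct.unpack_from(">H", buf, pos)[0]
    end = pos + 2 + (bits + 7) // 8
    if end > len(buf):
        raise ValueError("truncated MPI body")
    return int.from_bytes(buf[pos + 2:end], "big"), end


def parse_public_fields(body):
    """Parse the fields a v4 public-key and secret-key packet have in common."""
    if len(body) < 6 or body[0] != 4:
        raise ValueError("only version 4 key packets are handled here")
    created = struct.unpack_from(">I", body, 1)[0]
    if body[5] not in PUBKEY_ALGOS:
        raise ValueError("unhandled public-key algorithm %d" % body[5])
    name, mpi_count = PUBKEY_ALGOS[body[5]]
    pos, mpis = 6, []
    for _ in range(mpi_count):
        value, pos = read_mpi(body, pos)
        mpis.append(value)
    # Note: no symmetric cipher appears anywhere in these fields.
    return {"algo": name, "created": created, "mpis": mpis}, pos


def s2k_iterations(coded):
    """Decode the one-byte count of an iterated+salted S2K (RFC 4880, 3.7.1.3)."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def secret_key_protection(body):
    """Report how the secret part of a v4 secret-key packet is protected."""
    _, pos = parse_public_fields(body)
    rest = body[pos:]
    if not rest:
        raise ValueError("no secret-key fields: this is a public-key packet")
    usage = rest[0]
    if usage == 0:
        return {"protected": False}
    if usage not in (254, 255):
        # Legacy form: the usage byte is itself the cipher ID and the
        # passphrase is hashed once with MD5.
        return {"protected": True, "cipher": CIPHERS.get(usage, usage),
                "s2k": "simple", "hash": "MD5"}
    if len(rest) < 4 or rest[2] not in S2K_TYPES:
        raise ValueError("truncated or unknown S2K specifier")
    s2k_name, extra = S2K_TYPES[rest[2]]
    if len(rest) < 4 + extra:
        raise ValueError("truncated S2K specifier")
    info = {"protected": True, "cipher": CIPHERS.get(rest[1], rest[1]),
            "s2k": s2k_name, "hash": HASHES.get(rest[3], rest[3])}
    if extra >= 8:
        info["salt"] = rest[4:12]
    if extra == 9:
        info["iterations"] = s2k_iterations(rest[12])
    return info


def build_sample_packets(cipher_id):
    """Constructed sample (not a real key): RSA public fields plus a protection header."""
    def mpi(value):
        return struct.pack(">H", value.bit_length()) + value.to_bytes(
            (value.bit_length() + 7) // 8, "big")
    public = (bytes([4]) + struct.pack(">I", 1241136000) + bytes([1])
              + mpi(0xD4C3B2A1907F6E5D) + mpi(65537))
    header = bytes([254, cipher_id, 3, 2]) + b"SALTSALT" + bytes([96])
    filler = bytes(8) + bytes(16)  # stands in for the IV and the encrypted secret MPIs
    return public, public + header + filler


if __name__ == "__main__":
    pub, sec = build_sample_packets(2)
    print(parse_public_fields(pub)[0])
    print(secret_key_protection(sec))
```

Cipher preferences advertised by a key are carried separately, in self-signature subpackets, and are likewise not part of the public-key packet parsed here.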

From cathy.smith at pnl.gov Sat May 2 01:31:10 2009
From: cathy.smith at pnl.gov (Smith, Cathy)
Date: Fri, 1 May 2009 16:31:10 -0700
Subject: Selecting cipher to generate a key pair
In-Reply-To: <49FB8404.7000600@sixdemonbag.org>
Message-ID: <255999BBAD1AEE4EA6AA193F66611642AEAA55@EMAIL03.pnl.gov>

I agree with the lack of understanding. It's been difficult to get
specific information from the customer. I don't have the option of
saying it's their problem. The GnuPG was a guess after I read something
about specifying the cipher algorithm.

The customer said they have a proprietary implementation that only
supports Blowfish or 3DES for the key. I'm still trying to find out
exactly what that means.

I've talked to the folks here at work who understand these things
better than I, and all have shaken their heads.

I appreciate your assistance.

Cathy

From rjh at sixdemonbag.org Sat May 2 01:39:19 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 01 May 2009 19:39:19 -0400
Subject: Selecting cipher to generate a key pair
In-Reply-To: <255999BBAD1AEE4EA6AA193F66611642AEAA55@EMAIL03.pnl.gov>
Message-ID: <49FB8827.1070102@sixdemonbag.org>

Smith, Cathy wrote:
> The customer said they have a proprietary implementation that only
> supports Blowfish or 3DES for the key. I'm still trying to find out
> exactly what that means.

Okay, that much makes sense now.

I would suggest adding:

cipher-algo 3DES

... to your .gnupg/gpg.conf file. This is a sledgehammer solution, and
not one I'd generally recommend; however, the downsides are pretty
minimal. Then encrypt a message using their public key and send it on
to them. If they can read it, great. If they can't, then the problem
is their proprietary implementation of OpenPGP is shoddy.

Incidentally, if your customer is a telecommunications firm, I think I
may know the implementation they're using and some of its more
egregious misfeatures. Other than that one and PGP Corporation's
offering, though, I have no experience with proprietary OpenPGP
offerings.
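
[Added example, not part of any poster's message and not GnuPG's selection code.] A simplified model of the RFC 4880 section 13.2 rule for choosing a message cipher from the recipients' advertised preferences (3DES is implicitly at the end of every list), next to a forced cipher as with the cipher-algo override suggested above. It shows why a key that advertises ciphers its owner cannot actually handle makes the normal selection fail; the preference lists and capability sets are constructed.

```python
TRIPLE_DES = 2  # the MUST-implement cipher in RFC 4880
NAMES = {2: "3DES", 3: "CAST5", 4: "Blowfish", 7: "AES128",
         8: "AES192", 9: "AES256", 10: "Twofish"}


def effective_prefs(advertised):
    """Advertised order, duplicates dropped, with 3DES tacitly appended if absent."""
    prefs = list(dict.fromkeys(advertised))
    if TRIPLE_DES not in prefs:
        prefs.append(TRIPLE_DES)
    return prefs


def choose_cipher(recipient_prefs, sender_supports, forced=None):
    """Return (cipher_id, violates_prefs) for one message.

    recipient_prefs: one advertised preference list per recipient key.
    forced: cipher ID imposed by the sender, bypassing the preferences.
    """
    lists = [effective_prefs(p) for p in recipient_prefs]
    if not lists:
        raise ValueError("need at least one recipient")
    if forced is not None:
        if forced not in sender_supports:
            raise ValueError("sender cannot use the forced cipher")
        return forced, any(forced not in prefs for prefs in lists)
    # Only ciphers every recipient lists and the sender implements qualify.
    common = [c for c in lists[0]
              if c in sender_supports and all(c in p for p in lists[1:])]
    if not common:
        raise ValueError("no common cipher (sender lacks 3DES)")
    # Tie-break used in this model: best worst-case rank across recipients.
    best = min(common, key=lambda c: max(p.index(c) for p in lists))
    return best, False


def delivery_report(advertised, really_supported, sender_supports, forced=None):
    """Compare what the key advertises with what the recipient can really decrypt."""
    cipher, violates = choose_cipher([advertised], sender_supports, forced)
    return {"cipher": NAMES[cipher],
            "violates_advertised_prefs": violates,
            "recipient_can_decrypt": cipher in really_supported}


# Constructed scenario: the key advertises AES first, but the recipient's
# software really handles only 3DES and Blowfish.
SENDER = {2, 3, 4, 7, 8, 9, 10}
ADVERTISED = [9, 8, 7, 3, 2]
REALLY_SUPPORTED = {2, 4}

if __name__ == "__main__":
    for forced in (None, 2, 4):
        print(forced, delivery_report(ADVERTISED, REALLY_SUPPORTED, SENDER, forced))
```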

From cathy.smith at pnl.gov Sat May 2 01:41:03 2009
From: cathy.smith at pnl.gov (Smith, Cathy)
Date: Fri, 1 May 2009 16:41:03 -0700
Subject: Selecting cipher to generate a key pair
In-Reply-To: <49FB8827.1070102@sixdemonbag.org>
Message-ID: <255999BBAD1AEE4EA6AA193F66611642AEAA57@EMAIL03.pnl.gov>

Thanks. I'll try that.

Cathy

From jmoore3rd at bellsouth.net Sat May 2 01:49:22 2009
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Fri, 01 May 2009 19:49:22 -0400
Subject: Selecting cipher to generate a key pair
In-Reply-To: <49FB8827.1070102@sixdemonbag.org>
Message-ID: <49FB8A82.4010609@bellsouth.net>

Robert J. Hansen wrote:
> Smith, Cathy wrote:
>> The customer said they have a proprietary implementation that only
>> supports Blowfish or 3DES for the key. I'm still trying to find out
>> exactly what that means.
>
> Okay, that much makes sense now.
>
> I would suggest adding:
>
> cipher-algo 3DES
>
> ... to your .gnupg/gpg.conf file. This is a sledgehammer solution, and
> not one I'd generally recommend; however, the downsides are pretty
> minimal. Then encrypt a message using their public key and send it on
> to them. If they can read it, great. If they can't, then the problem
> is their proprietary implementation of OpenPGP is shoddy.

Riddle Me this, Robert; _if_ "The Customer" has a requirement that 3DES
must be used [and they are associating it with their Key] then wouldn't
this mean that the *only* preference broadcast by their Key is 3DES? If
this is the case then wouldn't GPG automatically select this cipher
algorithm by default as the only compatible one between the two parties?
:-\

JOHN ;)
Timestamp: Friday 01 May 2009, 19:49 --400 (Eastern Daylight Time)

From rjh at sixdemonbag.org Sat May 2 01:59:22 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 01 May 2009 19:59:22 -0400
Subject: Selecting cipher to generate a key pair
In-Reply-To: <49FB8A82.4010609@bellsouth.net>
Message-ID: <49FB8CDA.2070306@sixdemonbag.org>

John W. Moore III wrote:
> Riddle Me this, Robert; _if_ "The Customer" has a requirement that
> 3DES must be used [and they are associating it with their Key] then
> wouldn't this mean that the *only* preference broadcast by their Key
> is 3DES?

You're assuming the customer's key is correctly advertising their
preferences. If their proprietary implementation is a shoddy one, then
maybe it advertises capabilities they don't really have.

> If this is the case then wouldn't GPG automatically select this
> cipher algorithm by default as the only compatible one between the
> two parties?

You'd hope so, yes -- but I think we might want to consider the
possibility the customer's implementation is terribly broken.

From faramir.cl at gmail.com Sat May 2 02:34:50 2009
From: faramir.cl at gmail.com (Faramir)
Date: Fri, 01 May 2009 20:34:50 -0400
Subject: Selecting cipher to generate a key pair
In-Reply-To: <49FB8A82.4010609@bellsouth.net>
Message-ID: <49FB952A.8050408@gmail.com>

John W. Moore III wrote:
...
> Riddle Me this, Robert; _if_ "The Customer" has a requirement that 3DES
> must be used [and they are associating it with their Key] then wouldn't
> this mean that the *only* preference broadcast by their Key is 3DES? If
> this is the case then wouldn't GPG automatically select this cipher
> algorithm by default as the only compatible one between the two parties?

  Yes, I was thinking the same thing... But don't forget the customer
can handle Blowfish too (but GPG can handle it too, so the question
remains the same).

  Best Regards

From faramir.cl at gmail.com Sat May 2 02:31:27 2009
From: faramir.cl at gmail.com (Faramir)
Date: Fri, 01 May 2009 20:31:27 -0400
Subject: Selecting cipher to generate a key pair
In-Reply-To: <49FB8827.1070102@sixdemonbag.org>
Message-ID: <49FB945F.2010704@gmail.com>

Robert J. Hansen wrote:
> Smith, Cathy wrote:
>> The customer said they have a proprietary implementation that only
>> supports Blowfish or 3DES for the key. I'm still trying to find out
>> exactly what that means.
>
> Okay, that much makes sense now.
>
> I would suggest adding:
>
> cipher-algo 3DES

  But... isn't GPG expected to recognise the preferences (or
capabilities) in the customer's key and use the right algo
automatically?

  Best Regards

From faramir.cl at gmail.com Sat May 2 02:36:54 2009
From: faramir.cl at gmail.com (Faramir)
Date: Fri, 01 May 2009 20:36:54 -0400
Subject: Selecting cipher to generate a key pair
In-Reply-To: <49FB8CDA.2070306@sixdemonbag.org>
Message-ID: <49FB95A6.1050704@gmail.com>

Robert J. Hansen wrote:
> John W. Moore III wrote:
>> Riddle Me this, Robert; _if_ "The Customer" has a requirement that
>> 3DES must be used [and they are associating it with their Key] then
>> wouldn't this mean that the *only* preference broadcast by their Key
>> is 3DES?
>
> You're assuming the customer's key is correctly advertising their
> preferences. If their proprietary implementation is a shoddy one, then
> maybe it advertises capabilities they don't really have.

  Ahh... Ok, that explains it. Is it possible to change the preferences
(edit the public key) without having the private key?
Or maybe to set a rule somewhere to force gpg to use Blowfish or 3DES,
but just for that specific customer?

  Best Regards

From subs at christiantena.net Fri May 1 23:53:06 2009
From: subs at christiantena.net (Philip)
Date: Fri, 01 May 2009 22:53:06 +0100
Subject: questions: no input file, and pascal programming
Message-ID: <49FB6F42.5000804@christiantena.net>

Hi
I have some questions about gpg
1. using gpg command line, can I pass data to be encrypted to gpg that
isn't in a file? For example if I want to encrypt "Mary had a little
lamb" to an asc file but I don't want to put that text onto the hard
drive unencrypted first.

2. is there something like gpgme that can be used easily for pascal
programmers?
Personally I use freepascal and I just want to be able to select a key,
encrypt and decrypt from within my program.
If anyone knows of any opensource pascal programs that use gnupg it
would be appreciated.

thanks,
Philip

From John at Mozilla-Enigmail.org Sat May 2 03:52:56 2009
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Fri, 01 May 2009 20:52:56 -0500
Subject: questions: no input file, and pascal programming
In-Reply-To: <49FB6F42.5000804@christiantena.net>
Message-ID: <49FBA778.5010304@Mozilla-Enigmail.org>

Philip wrote:
> Hi
> I have some questions about gpg
> 1. using gpg command line, can I pass data to be encrypted to gpg that
> isn't in a file?
For example if I want to encrypt "Mary had a little
> lamb" to an asc file but I don't want to put that text onto the hard
> drive unencrypted first.

gpg will behave as a pipe or if given no input, quietly wait for you to type something in.

> 2. is there something like gpgme that can be used easily for pascal
> programmers?
> Personally I use freepascal and I just want to be able to select a key,
> encrypt and decrypt from within my program.
> If anyone knows of any opensource pascal programs that use gnupg it
> would be appreciated.

Pascal bindings should exist for the current gpgme, I've just not found them.

I've worked with one pascal program that used gpgme bindings but it was code before gpgme API changed. I'd love to find updated bindings and save myself the effort of updating the old ones

--
John P. Clizbe                      Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or
     mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"

From webmaster at felipe1982.com Sat May 2 09:06:13 2009
From: webmaster at felipe1982.com (Felipe Alvarez)
Date: Sat, 2 May 2009 17:06:13 +1000
Subject: gnupg 1.2.6
Message-ID: <200905021706.22037.webmaster@felipe1982.com>

My web host has gnupg 1.2.6 on their machines. I often SSH into it when I am not at home on my gnulinux box. Anything I should be concerned about when using this version? the two key pairs I made (DSS signing, ELG encryption) were made on gnupg 2.0.9, and transferred (and imported) to this host via SSH.

Felipe

From subs at christiantena.net Sat May 2 09:35:08 2009
From: subs at christiantena.net (Philip)
Date: Sat, 02 May 2009 08:35:08 +0100
Subject: questions: no input file, and pascal programming
In-Reply-To: <49FBA778.5010304@Mozilla-Enigmail.org>
References: <49FB6F42.5000804@christiantena.net> <49FBA778.5010304@Mozilla-Enigmail.org>
Message-ID: <49FBF7AC.8090705@christiantena.net>

I found that if I just type "gpg" I get this
"gpg: Go ahead and type your message ..."
which looks promising but I can't find any documentation on how to use it.

Also this works in linux
"echo Mary had a little lamb|gpg --yes -eat -o test.txt.gpg -r [keyid]"

but I don't know how to do something similar in dos/windows

thanks, Philip

John Clizbe wrote:
> Philip wrote:
>> Hi
>> I have some questions about gpg
>> 1. using gpg command line, can I pass data to be encrypted to gpg that
>> isn't in a file? For example if I want to encrypt "Mary had a little
>> lamb" to an asc file but I don't want to put that text onto the hard
>> drive unencrypted first.
>
> gpg will behave as a pipe or if given no input, quietly wait for you to
> type something in.
>
>> 2. is there something like gpgme that can be used easily for pascal
>> programmers?
>> Personally I use freepascal and I just want to be able to select a key,
>> encrypt and decrypt from within my program.
>> If anyone knows of any opensource pascal programs that use gnupg it
>> would be appreciated.
>
> Pascal bindings should exist for the current gpgme, I've just not found
> them.
>
> I've worked with one pascal program that used gpgme bindings but it was
> code before gpgme API changed.
I'd love to find updated bindings and
> save myself the effort of updating the old ones

From simon at ruderich.org Sat May 2 12:25:45 2009
From: simon at ruderich.org (Simon Ruderich)
Date: Sat, 2 May 2009 12:25:45 +0200
Subject: Use other hash than SHA-1
Message-ID: <20090502102545.GA17546@ruderich.org>

Hi,

I would like to use a different hash than SHA-1. I tried setting personal-digest-preferences SHA256 in my gpg.conf but it didn't work. What hash can I use with my key (default DSA/Elgamal key) and how?

Thanks for your help,
Simon
--
+ privacy is necessary
+ using http://gnupg.org
+ public key id: 0x6115F804EFB33229

From david250 at videotron.ca Sat May 2 12:01:51 2009
From: david250 at videotron.ca (David Bernier)
Date: Sat, 02 May 2009 06:01:51 -0400
Subject: Selecting cipher to generate a key pair
In-Reply-To: <49FB7E5E.9060101@sixdemonbag.org>
References: <20090501000106.CCDC51A003A@smtp.hushmail.com> <49FA67B9.8070708@gmail.com> <49FA76FD.4040501@sixdemonbag.org> <255999BBAD1AEE4EA6AA193F66611642AEAA41@EMAIL03.pnl.gov> <49FB7E5E.9060101@sixdemonbag.org>
Message-ID: <49FC1A0F.6020401@videotron.ca>

Dear Robert J. Hansen,

Robert J. Hansen wrote:
> Smith, Cathy wrote:
>
>> Is there a brief explanation available as to how the cipher is used in
>> generating the private/public keys? It seems this is separate from the
>> cipher that is chosen to encrypt my data.
>>
>
> rjh at chronicles:~$ gpg --enable-dsa2 --gen-key
> Please select what kind of key you want:
>    (1) DSA and Elgamal (default)
>    (2) DSA (sign only)
>    (5) RSA (sign only)
>
> If you choose #1, you will be using, by default, DSA as a signature
> algorithm, AES256 as a general-purpose message encryption algorithm,
> Elgamal as an asymmetric encryption algorithm, and SHA1 as a hash algorithm.
>
> None of these algorithms are actually used to generate the
> private/public keys, though. The private and public keys are just
> numbers. GnuPG generates those numbers from a cryptographically secure
> pseudorandom number generator, then subjects the numbers to a battery of
> mathematical tests to make sure the keys are safe to use.
>
> Is it possible for you to tell us what algorithms your correspondent
> expects you to use? Knowing that might help us out quite a bit.
>

I'd like to know more about the process by which unsigned packages become signed packages. This matters, I think, when using SELinux, which is what I do. Some packages are unsigned, e.g. Xcas, a computer algebra system by Bernard Parisse at a university in France:
< http://www-fourier.ujf-grenoble.fr/~parisse/english.html >

I had to tell the SELinux motor that she must trust two modules loaded dynamically when Xcas is launched. I succeeded after many hours. It would be easier, I think, if Xcas (the application) had an electronic signature by someone that Fedora 10 trusts ...

Thanks a lot,
David Bernier

From hs2412 at gmail.com Sat May 2 12:51:54 2009
From: hs2412 at gmail.com (Hardeep Singh)
Date: Sat, 2 May 2009 16:21:54 +0530
Subject: questions: no input file, and pascal programming
In-Reply-To: <49FBF7AC.8090705@christiantena.net>
References: <49FB6F42.5000804@christiantena.net> <49FBA778.5010304@Mozilla-Enigmail.org> <49FBF7AC.8090705@christiantena.net>
Message-ID:

The same can be done in Windows.
Visit http://blog.hardeep.name/computer/20080828/linux-shell-on-windows/
this will give you the shell and the Echo commands that you need.

Hardeep Singh
http://blog.Hardeep.name

On Sat, May 2, 2009 at 1:05 PM, Philip wrote:
> I found that if I just type "gpg" I get this
> "gpg: Go ahead and type your message ..." which looks promising but I
> can't find any documentation on how to use it.
>
> Also this works in linux
> "echo Mary had a little lamb|gpg --yes -eat -o test.txt.gpg -r [keyid]"
>
> but I don't know how to do something similar in dos/windows
>
> thanks, Philip
>
> John Clizbe wrote:
>> Philip wrote:
>>> Hi
>>> I have some questions about gpg
>>> 1. using gpg command line, can I pass data to be encrypted to gpg that
>>> isn't in a file? For example if I want to encrypt "Mary had a little
>>> lamb" to an asc file but I don't want to put that text onto the hard
>>> drive unencrypted first.
>>
>> gpg will behave as a pipe or if given no input, quietly wait for you to
>> type something in.
>>
>>> 2. is there something like gpgme that can be used easily for pascal
>>> programmers?
>>> Personally I use freepascal and I just want to be able to select a key,
>>> encrypt and decrypt from within my program.
>>> If anyone knows of any opensource pascal programs that use gnupg it
>>> would be appreciated.
>>
>> Pascal bindings should exist for the current gpgme, I've just not found
>> them.
>>
>> I've worked with one pascal program that used gpgme bindings but it was
>> code before gpgme API changed.
I'd love to find updated bindings and
>> save myself the effort of updating the old ones

From jmoore3rd at bellsouth.net Sat May 2 14:11:46 2009
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Sat, 02 May 2009 08:11:46 -0400
Subject: Use other hash than SHA-1
In-Reply-To: <20090502102545.GA17546@ruderich.org>
References: <20090502102545.GA17546@ruderich.org>
Message-ID: <49FC3882.50006@bellsouth.net>

Simon Ruderich wrote:
> I would like to use a different hash than SHA-1. I tried setting
> personal-digest-preferences SHA256 in my gpg.conf but it didn't
> work. What hash can I use with my key (default DSA/Elgamal key)
> and how?

Which version of GnuPG are You using & is it DSA2 compatible?
Try using the gpg.conf entry

digest-algo SHA256

JOHN ;)
Timestamp: Saturday 02 May 2009, 08:11 --400 (Eastern Daylight Time)

From subs at christiantena.net Sat May 2 14:28:31 2009
From: subs at christiantena.net (Philip)
Date: Sat, 02 May 2009 13:28:31 +0100
Subject: questions: no input file, and pascal programming
In-Reply-To:
References: <49FB6F42.5000804@christiantena.net> <49FBA778.5010304@Mozilla-Enigmail.org> <49FBF7AC.8090705@christiantena.net>
Message-ID: <49FC3C6F.6040205@christiantena.net>

I got it to work in Windows.
With a default install of gpg4win gpg is not in the path, but this command works

echo Mary had a little lamb|"c:\Program Files\GNU\GnuPG\gpg.exe" --yes -eat -o test.txt.gpg -r [keyid]

I'm thinking that it might be easier for a pascal programmer to interface with gpg on command line than to figure out how to compile against gpgme c code, even if it isn't probably the right way to do it.

thanks, Philip

Hardeep Singh wrote:
> The same can be done in Windows.
> Visit http://blog.hardeep.name/computer/20080828/linux-shell-on-windows/
> this will give you the shell and the Echo commands that you need.
>
> Hardeep Singh
> http://blog.Hardeep.name
>
> On Sat, May 2, 2009 at 1:05 PM, Philip wrote:
>> I found that if I just type "gpg" I get this
>> "gpg: Go ahead and type your message ..."
which looks promising but I
>> can't find any documentation on how to use it.
>>
>> Also this works in linux
>> "echo Mary had a little lamb|gpg --yes -eat -o test.txt.gpg -r [keyid]"
>>
>> but I don't know how to do something similar in dos/windows
>>
>> thanks, Philip
>>
>> John Clizbe wrote:
>>> Philip wrote:
>>>> Hi
>>>> I have some questions about gpg
>>>> 1. using gpg command line, can I pass data to be encrypted to gpg that
>>>> isn't in a file? For example if I want to encrypt "Mary had a little
>>>> lamb" to an asc file but I don't want to put that text onto the hard
>>>> drive unencrypted first.
>>> gpg will behave as a pipe or if given no input, quietly wait for you to
>>> type something in.
>>>
>>>> 2. is there something like gpgme that can be used easily for pascal
>>>> programmers?
>>>> Personally I use freepascal and I just want to be able to select a key,
>>>> encrypt and decrypt from within my program.
>>>> If anyone knows of any opensource pascal programs that use gnupg it
>>>> would be appreciated.
>>> Pascal bindings should exist for the current gpgme, I've just not found
>>> them.
>>>
>>> I've worked with one pascal program that used gpgme bindings but it was
>>> code before gpgme API changed.
I'd love to find updated bindings and
>>> save myself the effort of updating the old ones

From mail at 404not-found.de Sat May 2 14:56:01 2009
From: mail at 404not-found.de (Raimar Sandner)
Date: Sat, 2 May 2009 14:56:01 +0200
Subject: Use other hash than SHA-1
In-Reply-To: <49FC3882.50006@bellsouth.net>
References: <20090502102545.GA17546@ruderich.org> <49FC3882.50006@bellsouth.net>
Message-ID: <200905021456.15789.mail@404not-found.de>

On Saturday 02 May 2009 14:11:46 John W. Moore III wrote:
> Simon Ruderich wrote:
> > I would like to use a different hash than SHA-1. I tried setting
> > personal-digest-preferences SHA256 in my gpg.conf but it didn't
> > work. What hash can I use with my key (default DSA/Elgamal key)
> > and how?
>
> Which version of GnuPG are You using & is it DSA2 compatible?
>
> Try using the gpg.conf entry
>
> digest-algo SHA256

Well, setting digest-algo works, but this will always use SHA256 even if the recipient doesn't have this algo in his digest list, and thus could create a non-openpgp compliant message. So setting personal-digest-preferences would be the better choice. But Simon is right, this seems to be ignored, even if I set the --recipient to someone who has SHA256 in his digest list. Maybe I have the options still wrong? I tried

gpg --recipient --personal-digest-preferences=SHA256 --sign --encrypt

I'm using gpg 2.0.11.

Raimar

From dshaw at jabberwocky.com Sat May 2 15:45:11 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat, 2 May 2009 09:45:11 -0400
Subject: Use other hash than SHA-1
In-Reply-To: <20090502102545.GA17546@ruderich.org>
References: <20090502102545.GA17546@ruderich.org>
Message-ID: <8501075F-D591-4DF5-A0A3-3CA4861049FC@jabberwocky.com>

On May 2, 2009, at 6:25 AM, Simon Ruderich wrote:

> I would like to use a different hash than SHA-1. I tried setting
> personal-digest-preferences SHA256 in my gpg.conf but it didn't
> work. What hash can I use with my key (default DSA/Elgamal key)
> and how?

The short answer is that you can only use a 160-bit hash with your default DSA key. That means SHA-1 or RIPEMD/160. There is a feature you can enable (--enable-dsa2) that will allow you to use a bigger hash -- but you can still only use 160 bits worth of it. So if you use SHA-256, you're actually only taking 160 bits worth of it and discarding the rest.

To truly use all of a larger hash, you need to either use a RSA key or a large (not default) DSA key (i.e. generated with --enable-dsa2 switched on, and a larger size than 1024 bits selected).

David

From mail at 404not-found.de Sat May 2 16:47:07 2009
From: mail at 404not-found.de (Raimar Sandner)
Date: Sat, 2 May 2009 16:47:07 +0200
Subject: Use other hash than SHA-1
In-Reply-To: <8501075F-D591-4DF5-A0A3-3CA4861049FC@jabberwocky.com>
References: <20090502102545.GA17546@ruderich.org> <8501075F-D591-4DF5-A0A3-3CA4861049FC@jabberwocky.com>
Message-ID: <200905021647.11645.mail@404not-found.de>

On Saturday 02 May 2009 15:45:11 David Shaw wrote:
> On May 2, 2009, at 6:25 AM, Simon Ruderich wrote:
> > I would like to use a different hash than SHA-1. I tried setting
> > personal-digest-preferences SHA256 in my gpg.conf but it didn't
> > work. What hash can I use with my key (default DSA/Elgamal key)
> > and how?
>
> The short answer is that you can only use a 160-bit hash with your
> default DSA key. That means SHA-1 or RIPEMD/160. There is a feature
> you can enable (--enable-dsa2) that will allow you to use a bigger
> hash -- but you can still only use 160 bits worth of it. So if you
> use SHA-256, you're actually only taking 160 bits worth of it and
> discarding the rest.
>
> To truly use all of a larger hash, you need to either use a RSA key or
> a large (not default) DSA key (i.e. generated with --enable-dsa2
> switched on, and a larger size than 1024 bits selected).

SHA256 is included in the default pref list even for a regular DSA key. Is that because my own key is not involved when verifying a signature, and gnupg could verify a SHA256 hash created by someone with a RSA or DSA2 key?

Is it therefore reasonable to have SHA256 in first place of the key preferences, even for a regular DSA key?

Raimar

From rjh at sixdemonbag.org Sat May 2 17:42:16 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sat, 02 May 2009 11:42:16 -0400
Subject: Selecting cipher to generate a key pair
In-Reply-To: <49FC1A0F.6020401@videotron.ca>
References: <20090501000106.CCDC51A003A@smtp.hushmail.com> <49FA67B9.8070708@gmail.com> <49FA76FD.4040501@sixdemonbag.org> <255999BBAD1AEE4EA6AA193F66611642AEAA41@EMAIL03.pnl.gov> <49FB7E5E.9060101@sixdemonbag.org> <49FC1A0F.6020401@videotron.ca>
Message-ID: <49FC69D8.1090903@sixdemonbag.org>

David Bernier wrote:
> I'd like to know more about the process by which unsigned packages become
> signed packages. This matters, I think, when using SELinux, which is what
> I do.

This process will vary from operating system to operating system.
What works for Fedora isn't the same as what works for Ubuntu isn't the same as what works for FreeBSD isn't the same as what works for Windows.

I don't know how Fedora works, so I'm not able to answer this question. I would suggest asking on a Fedora mailing list.

From dshaw at jabberwocky.com Sat May 2 21:14:50 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat, 2 May 2009 15:14:50 -0400
Subject: Use other hash than SHA-1
In-Reply-To: <200905021647.11645.mail@404not-found.de>
References: <20090502102545.GA17546@ruderich.org> <8501075F-D591-4DF5-A0A3-3CA4861049FC@jabberwocky.com> <200905021647.11645.mail@404not-found.de>
Message-ID: <1BA8D025-7D8F-4456-A925-96EFA0201F4D@jabberwocky.com>

On May 2, 2009, at 10:47 AM, Raimar Sandner wrote:

> On Saturday 02 May 2009 15:45:11 David Shaw wrote:
>> On May 2, 2009, at 6:25 AM, Simon Ruderich wrote:
>>> I would like to use a different hash than SHA-1. I tried setting
>>> personal-digest-preferences SHA256 in my gpg.conf but it didn't
>>> work. What hash can I use with my key (default DSA/Elgamal key)
>>> and how?
>>
>> The short answer is that you can only use a 160-bit hash with your
>> default DSA key. That means SHA-1 or RIPEMD/160. There is a feature
>> you can enable (--enable-dsa2) that will allow you to use a bigger
>> hash -- but you can still only use 160 bits worth of it. So if you
>> use SHA-256, you're actually only taking 160 bits worth of it and
>> discarding the rest.
>>
>> To truly use all of a larger hash, you need to either use a RSA key or
>> a large (not default) DSA key (i.e. generated with --enable-dsa2
>> switched on, and a larger size than 1024 bits selected).
>
> SHA256 is included in the default pref list even for a regular DSA key. Is
> that because my own key is not involved when verifying a signature, and gnupg
> could verify a SHA256 hash created by someone with a RSA or DSA2 key?

Yes.
> Is it therefore reasonable to have SHA256 in first place of the key
> preferences, even for a regular DSA key?

Yes. (You can place it anywhere you like, depending on how highly you rank it).

David

From faramir.cl at gmail.com Sat May 2 21:28:33 2009
From: faramir.cl at gmail.com (Faramir)
Date: Sat, 02 May 2009 15:28:33 -0400
Subject: questions: no input file, and pascal programming
In-Reply-To: <49FC3C6F.6040205@christiantena.net>
References: <49FB6F42.5000804@christiantena.net> <49FBA778.5010304@Mozilla-Enigmail.org> <49FBF7AC.8090705@christiantena.net> <49FC3C6F.6040205@christiantena.net>
Message-ID: <49FC9EE1.6020108@gmail.com>

Philip wrote:
> I got it to work in Windows.
> With a default install of gpg4win gpg is not in the path, but this
> command works
> echo Mary had a little lamb|"c:\Program Files\GNU\GnuPG\gpg.exe" --yes
> -eat -o test.txt.gpg -r [keyid]

I disagree, the installer of gpg4win automatically adds gpg to path global environment variable. It's the installer of gpg 1.4.9 the one that doesn't do it.
Best Regards

From allen.schultz at gmail.com Sat May 2 21:46:14 2009
From: allen.schultz at gmail.com (Allen Schultz)
Date: Sat, 2 May 2009 13:46:14 -0600
Subject: Use other hash than SHA-1
In-Reply-To: <8501075F-D591-4DF5-A0A3-3CA4861049FC@jabberwocky.com>
References: <20090502102545.GA17546@ruderich.org> <8501075F-D591-4DF5-A0A3-3CA4861049FC@jabberwocky.com>
Message-ID: <3f34f8420905021246h34107261p9dc306f1bcef0f29@mail.gmail.com>

On Sat, May 2, 2009 at 7:45 AM, David Shaw wrote:
> The short answer is that you can only use a 160-bit hash with your default
> DSA key. That means SHA-1 or RIPEMD/160. There is a feature you can enable
> (--enable-dsa2) that will allow you to use a bigger hash -- but you can
> still only use 160 bits worth of it. So if you use SHA-256, you're actually
> only taking 160 bits worth of it and discarding the rest.

I'm stuck with that smaller key until I change the subkeys, but a question about the two hashes. What's the difference in SHA-1 and RIPEMD/160?
Allen

From faramir.cl at gmail.com Sat May 2 22:02:44 2009
From: faramir.cl at gmail.com (Faramir)
Date: Sat, 02 May 2009 16:02:44 -0400
Subject: Use other hash than SHA-1
In-Reply-To: <3f34f8420905021246h34107261p9dc306f1bcef0f29@mail.gmail.com>
References: <20090502102545.GA17546@ruderich.org> <8501075F-D591-4DF5-A0A3-3CA4861049FC@jabberwocky.com> <3f34f8420905021246h34107261p9dc306f1bcef0f29@mail.gmail.com>
Message-ID: <49FCA6E4.4060309@gmail.com>

Allen Schultz wrote:
> I'm stuck with that smaller key until I change the subkeys, but
> a question about the two hashes. What's the difference in SHA-1
> and RIPEMD/160?

Take a look at: http://en.wikipedia.org/wiki/RIPEMD

Best Regards

From dshaw at jabberwocky.com Sat May 2 22:38:51 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat, 2 May 2009 16:38:51 -0400
Subject: Use other hash than SHA-1
In-Reply-To: <3f34f8420905021246h34107261p9dc306f1bcef0f29@mail.gmail.com>
References: <20090502102545.GA17546@ruderich.org> <8501075F-D591-4DF5-A0A3-3CA4861049FC@jabberwocky.com> <3f34f8420905021246h34107261p9dc306f1bcef0f29@mail.gmail.com>
Message-ID:

On May 2, 2009, at 3:46 PM, Allen Schultz wrote:

> -----BEGIN PGP SIGNED
MESSAGE-----
> Hash: SHA1
>
> On Sat, May 2, 2009 at 7:45 AM, David Shaw wrote:
>> The short answer is that you can only use a 160-bit hash with your default
>> DSA key. That means SHA-1 or RIPEMD/160. There is a feature you can enable
>> (--enable-dsa2) that will allow you to use a bigger hash -- but you can
>> still only use 160 bits worth of it. So if you use SHA-256, you're actually
>> only taking 160 bits worth of it and discarding the rest.
>
> I'm stuck with that smaller key until I change the subkeys, but
> a question about the two hashes. What's the difference in SHA-1
> and RIPEMD/160?

They're different algorithms that have the same hash size (160 bits). The recent attacks against SHA-1 do not apply to RIPEMD/160, but note that RIPEMD/160 is attacked far less than SHA-1 is.

David

From rjh at sixdemonbag.org Sat May 2 22:43:00 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sat, 02 May 2009 16:43:00 -0400
Subject: Use other hash than SHA-1
In-Reply-To: <3f34f8420905021246h34107261p9dc306f1bcef0f29@mail.gmail.com>
References: <20090502102545.GA17546@ruderich.org> <8501075F-D591-4DF5-A0A3-3CA4861049FC@jabberwocky.com> <3f34f8420905021246h34107261p9dc306f1bcef0f29@mail.gmail.com>
Message-ID: <49FCB054.6050606@sixdemonbag.org>

Allen Schultz wrote:
> I'm stuck with that smaller key until I change the subkeys, but
> a question about the two hashes. What's the difference in SHA-1
> and RIPEMD/160?

Not much. They're both 160-bit Merkle-Damgard hashes. RIPEMD160 comes out of Europe, SHA-1 comes out of the National Security Agency. Some people distrust anything that comes out of the NSA. For these people, RIPEMD160 is a good option.

I think the reason why RIPEMD160 has survived so long is due to the fact hardly anybody is looking at it. Given all we've learned about attacking hash functions from the SHA-1 and MD5 papers, I think it's fair to be a little skeptical of RIPEMD160's long-term prospects.
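
The 160-bit limit David Shaw describes in this thread, as an added Python example that is not code from the thread or from GnuPG: a DSA signature over a SHA-256 digest with a 160-bit q binds only the leftmost 160 bits of that digest. The domain parameters are constructed with a fixed seed for the demo, the leftmost-bits truncation follows the FIPS 186-3 rule, and all function names are this example's own.

```python
import hashlib
import random
import secrets

_MR_RNG = random.Random(1)  # Miller-Rabin witnesses


def is_probable_prime(n, rounds=24):
    """Miller-Rabin with a small trial-division prefilter."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(_MR_RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_params(L=1024, N=160, seed=2009):
    """Constructed demo parameters: N-bit prime q, L-bit prime p with q | p-1."""
    rng = random.Random(seed)  # fixed seed: reproducible demo, never for real keys
    while True:
        q = rng.getrandbits(N) | (1 << (N - 1)) | 1
        if is_probable_prime(q):
            break
    while True:
        x = rng.getrandbits(L) | (1 << (L - 1))
        p = x - (x % (2 * q)) + 1  # p = 1 (mod 2q)
        if p.bit_length() == L and is_probable_prime(p):
            break
    g = next(c for c in (pow(h, (p - 1) // q, p) for h in range(2, 100)) if c > 1)
    return p, q, g


def hash_to_int(digest, q):
    """Leftmost min(bits of q, bits of digest) bits of the digest, as an integer."""
    excess = len(digest) * 8 - q.bit_length()
    z = int.from_bytes(digest, "big")
    return z >> excess if excess > 0 else z


def sign(digest, params, x):
    p, q, g = params
    z = hash_to_int(digest, q)
    while True:
        k = secrets.randbelow(q - 1) + 1  # fresh secret nonce per signature
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (z + x * r) % q
        if r and s:
            return r, s


def verify(digest, sig, params, y):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    z = hash_to_int(digest, q)
    v = pow(g, z * w % q, p) * pow(y, r * w % q, p) % p % q
    return v == r


def demo():
    params = generate_params()
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1  # private key
    y = pow(g, x, p)  # public key
    digest = hashlib.sha256(b"Mary had a little lamb").digest()
    sig = sign(digest, params, x)
    # Overwrite the 96 trailing bits that a 160-bit q never sees.
    tail_changed = digest[:20] + bytes(12)
    # Flip one bit inside the leading 160 bits that are actually signed.
    head_changed = bytes([digest[0] ^ 0x80]) + digest[1:]
    return {
        "q_bits": q.bit_length(),
        "hash_bits_signed": min(q.bit_length(), len(digest) * 8),
        "genuine": verify(digest, sig, params, y),
        "tail_changed": verify(tail_changed, sig, params, y),
        "head_changed": verify(head_changed, sig, params, y),
    }


if __name__ == "__main__":
    print(demo())
```

With a 256-bit q, `hash_to_int` keeps the whole SHA-256 digest, which is why the larger hash only pays off with a larger DSA key or an RSA key.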

From subs at christiantena.net Sun May 3 11:22:49 2009
From: subs at christiantena.net (Philip)
Date: Sun, 03 May 2009 10:22:49 +0100
Subject: questions: no input file, and pascal programming
In-Reply-To: <49FC9EE1.6020108@gmail.com>
References: <49FB6F42.5000804@christiantena.net> <49FBA778.5010304@Mozilla-Enigmail.org> <49FBF7AC.8090705@christiantena.net> <49FC3C6F.6040205@christiantena.net> <49FC9EE1.6020108@gmail.com>
Message-ID: <49FD6269.2030701@christiantena.net>

So far I have figured out that on windows if I enter the command
gpg -eat -r [recipient key]

I get a prompt on the console
If I then type a message, followed by control-Z
then gpg will encrypt the message and dump the pgp text to the screen, or to a file if I used the -o [filename] option.

However on linux control-Z just terminates the program (no pgp text)

Does anyone know the official, correct console way to get pgp to terminate and output the encrypted text from console?

I'm amazed that it just doesn't seem to be documented anywhere.

thanks, Philip

From brad at fineby.me.uk Sun May 3 11:44:12 2009
From: brad at fineby.me.uk (Brad Rogers)
Date: Sun, 3 May 2009 10:44:12 +0100
Subject: questions: no input file, and pascal programming
In-Reply-To: <49FD6269.2030701@christiantena.net>
References: <49FB6F42.5000804@christiantena.net> <49FBA778.5010304@Mozilla-Enigmail.org> <49FBF7AC.8090705@christiantena.net> <49FC3C6F.6040205@christiantena.net> <49FC9EE1.6020108@gmail.com> <49FD6269.2030701@christiantena.net>
Message-ID: <20090503104412.26c4c3e8@abydos.stargate.org.uk>

On Sun, 03 May 2009 10:22:49 +0100 Philip wrote:

Hello Philip,

> Does anyone know the official, correct console way to get pgp to
> terminate and output the encrypted text from console?
> I'm amazed that it just doesn't seem to be documented anywhere.

Through trial and error, I found D works.

--
 Regards  _
         / )           "The blindingly obvious is
        / _)rad        never immediately apparent"
Life goes quick and it goes without warning
Bombsite Boy - The Adverts

From src=gnupg at lion.leolix.org Sun May 3 11:49:40 2009
From: src=gnupg at lion.leolix.org (Philipp Schafft)
Date: Sun, 03 May 2009 11:49:40 +0200
Subject: questions: no input file, and pascal programming
In-Reply-To: <49FD6269.2030701@christiantena.net>
References: <49FB6F42.5000804@christiantena.net> <49FBA778.5010304@Mozilla-Enigmail.org> <49FBF7AC.8090705@christiantena.net> <49FC3C6F.6040205@christiantena.net> <49FC9EE1.6020108@gmail.com> <49FD6269.2030701@christiantena.net>
Message-ID: <20090503094943.B2C057ADCC@priderock.keep-cool.org>

reflum,

On Sun, 2009-05-03 at 10:22 +0100, Philip wrote:
> So far I have figured out that on windows if I enter the command
> gpg -eat -r [recipient key]
>
> I get a prompt on the console
> If I then type a message, followed by control-Z
> then gpg will encrypt the message and dump the pgp text to the screen,
> or to a file if I used the -o [filename] option.
>
> However on linux control-Z just terminates the program (no pgp text)
>
> Does anyone know the official, correct console way to get pgp to
> terminate and output the encrypted text from console?
>
> I'm amazed that it just doesn't seem to be documented anywhere.

Take a look at the ASCII table (man ascii :). There is ^D (EOT - end of transmission) for this. This is used by all systems I'm aware of but window$. Don't know why they use something different, maybe just to be different and break the standard.

--
Philipp. (Rah of PH2)

From martin.agren at gmail.com Sun May 3 13:05:36 2009
From: martin.agren at gmail.com (Martin Ågren)
Date: Sun, 3 May 2009 13:05:36 +0200
Subject: New results against SHA-1
In-Reply-To: <20090501035849.7658.qmail@smasher.org>
References: <20090501035849.7658.qmail@smasher.org>
Message-ID: <147e40f30905030405jcf3d8c6j6b99b80e5f1f2464@mail.gmail.com>

2009/5/1 Atom Smasher :
> On Thu, 30 Apr 2009, David Shaw wrote:
>
>> http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf
>>
>> There is not much hard information yet, but the two big quotes are "SHA-1
>> collisions now 2^52" and "Practical collisions are within resources of a
>> well funded organisation."
>
> [...] what's next? will it have to be a bigger hash?

No, not bigger, but better. :)

SHA-2 should be better, but since it's conceptually quite similar to SHA-1, one could be somewhat worried... SHA-3, on the other hand, will be very well-studied when it becomes a standard, so we should in a way be able to trust it as much as we trust AES. Google "SHA-3 competition" for more information.

Take care!
Martin

From simon at ruderich.org Sun May 3 14:17:03 2009
From: simon at ruderich.org (Simon Ruderich)
Date: Sun, 3 May 2009 14:17:03 +0200
Subject: Use other hash than SHA-1
In-Reply-To: <8501075F-D591-4DF5-A0A3-3CA4861049FC@jabberwocky.com>
References: <20090502102545.GA17546@ruderich.org> <8501075F-D591-4DF5-A0A3-3CA4861049FC@jabberwocky.com>
Message-ID: <20090503121703.GA10433@ruderich.org>

On Sat, May 02, 2009 at 09:45:11AM -0400, David Shaw wrote:
> On May 2, 2009, at 6:25 AM, Simon Ruderich wrote:
>
> The short answer is that you can only use a 160-bit hash with your
> default DSA key. That means SHA-1 or RIPEMD/160.
There is a feature you > can enable (--enable-dsa2) that will allow you to use a bigger hash -- but > you can still only use 160 bits worth of it. So if you use SHA-256, > you're actually only taking 160 bits worth of it and discarding the rest. > > To truly use all of a larger hash, you need to either use a RSA key or a > large (not default) DSA key (i.e. generated with --enable-dsa2 switched > on, and a larger size than 1024 bits selected). > > David Hi, Thanks for your reply. As it looks like SHA-1 is not so secure anymore I want to switch to something stronger, e.g. SHA-256. What is best way (for a normal user like me) to do this? The solution should be as compatible as possible (I think I read - --enable-dsa2 doesn't work with some clients). I often read I should stick with the defaults but as SHA-1 has it's problems I would prefer a "better" hash; and this doesn't seem to work with the defaults. Thanks, Simon - -- + privacy is necessary + using http://gnupg.org + public key id: 0x6115F804EFB33229 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkn9iz8ACgkQYRX4BO+zMilb8QCggjba5LS7wYh+JtKUokp0H2Kv TWUAnjr/xfauGS3bq5rdv5LsLxr0mW+M =rbFp -----END PGP SIGNATURE----- From subs at christiantena.net Sun May 3 17:22:54 2009 From: subs at christiantena.net (Philip) Date: Sun, 03 May 2009 16:22:54 +0100 Subject: questions: no input file, and pascal programming In-Reply-To: <20090503094943.B2C057ADCC@priderock.keep-cool.org> References: <49FB6F42.5000804@christiantena.net> <49FBA778.5010304@Mozilla-Enigmail.org> <49FBF7AC.8090705@christiantena.net> <49FC3C6F.6040205@christiantena.net> <49FC9EE1.6020108@gmail.com> <49FD6269.2030701@christiantena.net> <20090503094943.B2C057ADCC@priderock.keep-cool.org> Message-ID: <49FDB6CE.7040301@christiantena.net> I spent a little time coding in windows today (using lazarus). 
I have come to the conclusion that you can pipe stuff to gpg from inside dos window, but that if you try to pipe stuff directly from the pascal program it fails. I actually got my program to work by piping to cmd.exe with "echo Mary had a little lamb|gpg" inside the stream, which sort of proves that I know how to program a pipe. Example code is at http://www.christiantena.net/freepascalgpgexample.zip You can look at this code by installing lazarus, unzipping the above file into a folder, and then from lazarus do project/open project and point it at the lpi file in the folder. Hit F9 to compile it. This feels a bit like a bug in gpg to me... regards, Philip Philipp Schafft wrote: > reflum, > > On Sun, 2009-05-03 at 10:22 +0100, Philip wrote: >> So far I have figured out that on windows if I enter the command >> gpg -eat -r [recipient key] >> >> I get a prompt on the console >> If I then type a message, followed by control-Z >> then gpg will encrypt the message and dump the pgp text to the screen, >> or to a file if I used the -o [filename] option. >> >> However on linux control-Z just terminates the program (no pgp text) >> >> Does anyone know the official, correct console way to get pgp to >> terminate and output the encrypted text from console? >> >> I'm amazed that it just doesn't seem to be documented anywhere. > > Take a look at the ASCII table (man ascii :). There is ^D (EOT - end of > transmission) for this. This is used by all systems I'm aware of but > window$. Don't know why they use something different, maybe just to be > different and break the standard. > > From jh at jameshoward.us Sun May 3 22:13:02 2009 From: jh at jameshoward.us (James P. 
Howard, II) Date: Sun, 03 May 2009 16:13:02 -0400 Subject: questions: no input file, and pascal programming In-Reply-To: <49FDB6CE.7040301@christiantena.net> References: <49FB6F42.5000804@christiantena.net> <49FBA778.5010304@Mozilla-Enigmail.org> <49FBF7AC.8090705@christiantena.net> <49FC3C6F.6040205@christiantena.net> <49FC9EE1.6020108@gmail.com> <49FD6269.2030701@christiantena.net> <20090503094943.B2C057ADCC@priderock.keep-cool.org> <49FDB6CE.7040301@christiantena.net> Message-ID: <49FDFACE.9030604@jameshoward.us> Under DOS, redirecting from the standard output of A to the standard input of B meant the contents were stored in a temporary file somewhere, due to DOS's inability to multitask. It's worth checking to be sure Windows still doesn't do that when running those at the command line. James On Sun May 3 11:22:54 2009, Philip wrote: > I spent a little time coding in windows today (using lazarus). > I have come to the conclusion that you can pipe stuff to gpg from inside > dos window, but that if you try to pipe stuff directly from the pascal > program it fails. > I actually got my program to work by piping to cmd.exe with "echo Mary > had a little lamb|gpg" inside the stream, which sort of proves that I > know how to program a pipe. > Example code is at > http://www.christiantena.net/freepascalgpgexample.zip > > you can look at this code by installing lazarus, unziping the above file > into a folder, and then from lazarus do project/open project and point > it at the lpi file in the folder > > hit F9 to compile it > > This feels a bit like a bug in gpg to me... 
> > regards, Philip > > Philipp Schafft wrote: >> reflum, >> >> On Sun, 2009-05-03 at 10:22 +0100, Philip wrote: >>> So far I have figured out that on windows if I enter the command >>> gpg -eat -r [recipient key] >>> >>> I get a prompt on the console >>> If I then type a message, followed by control-Z >>> then gpg will encrypt the message and dump the pgp text to the screen, >>> or to a file if I used the -o [filename] option. >>> >>> However on linux control-Z just terminates the program (no pgp text) >>> >>> Does anyone know the official, correct console way to get pgp to >>> terminate and output the encrypted text from console? >>> >>> I'm amazed that it just doesn't seem to be documented anywhere. >> >> Take a look at the ASCII table (man ascii :). There is ^D (EOT - end of >> transmission) for this. This is used by all systems I'm aware of but >> window$. Don't know why they use something diffrent, maybe just to be >> diffrent and break the standard. >> >> > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -- James P. Howard, II, MPA jh at jameshoward.us -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 197 bytes Desc: OpenPGP digital signature URL: From subs at christiantena.net Mon May 4 01:25:34 2009 From: subs at christiantena.net (Philip) Date: Mon, 04 May 2009 00:25:34 +0100 Subject: questions: no input file, and pascal programming In-Reply-To: <49FDFACE.9030604@jameshoward.us> References: <49FB6F42.5000804@christiantena.net> <49FBA778.5010304@Mozilla-Enigmail.org> <49FBF7AC.8090705@christiantena.net> <49FC3C6F.6040205@christiantena.net> <49FC9EE1.6020108@gmail.com> <49FD6269.2030701@christiantena.net> <20090503094943.B2C057ADCC@priderock.keep-cool.org> <49FDB6CE.7040301@christiantena.net> <49FDFACE.9030604@jameshoward.us> Message-ID: <49FE27EE.3020500@christiantena.net> Hmm, that would spoil things. Reading this http://www.velocityreviews.com/forums/t365339-p-write-eof-without-closing.html the opinion there is that sending control-Z is just a signal from the keyboard to the shell which the shell uses to cut the flow to the application listening on stdin, it doesn't actually send control-z to the app. In other words I need to flush and close the input side of the pipe, but not the output side or I won't collect the program output. I was hoping that tprocess.CloseInput might achieve that but it doesn't seem to cause gpg to stop listening for input. Anyone got any ideas? thanks, Philip James P. Howard, II wrote: > Under DOS, redirecting from the standard output of A to the standard > input of B meant the contents were stored in a temporary file somewhere, > due to DOS's inability to multitask. It's worth checking to be sure > Windows still doesn't do that when running those at the command line. > > James > > On Sun May 3 11:22:54 2009, Philip wrote: > >> I spent a little time coding in windows today (using lazarus). >> I have come to the conclusion that you can pipe stuff to gpg from inside >> dos window, but that if you try to pipe stuff directly from the pascal >> program it fails. 
>> I actually got my program to work by piping to cmd.exe with "echo Mary >> had a little lamb|gpg" inside the stream, which sort of proves that I >> know how to program a pipe. >> Example code is at >> http://www.christiantena.net/freepascalgpgexample.zip >> >> you can look at this code by installing lazarus, unziping the above file >> into a folder, and then from lazarus do project/open project and point >> it at the lpi file in the folder >> >> hit F9 to compile it >> >> This feels a bit like a bug in gpg to me... >> >> regards, Philip >> >> Philipp Schafft wrote: >>> reflum, >>> >>> On Sun, 2009-05-03 at 10:22 +0100, Philip wrote: >>>> So far I have figured out that on windows if I enter the command >>>> gpg -eat -r [recipient key] >>>> >>>> I get a prompt on the console >>>> If I then type a message, followed by control-Z >>>> then gpg will encrypt the message and dump the pgp text to the screen, >>>> or to a file if I used the -o [filename] option. >>>> >>>> However on linux control-Z just terminates the program (no pgp text) >>>> >>>> Does anyone know the official, correct console way to get pgp to >>>> terminate and output the encrypted text from console? >>>> >>>> I'm amazed that it just doesn't seem to be documented anywhere. >>> Take a look at the ASCII table (man ascii :). There is ^D (EOT - end of >>> transmission) for this. This is used by all systems I'm aware of but >>> window$. Don't know why they use something diffrent, maybe just to be >>> diffrent and break the standard. 
>>> >>> >> >> _______________________________________________ >> Gnupg-users mailing list >> Gnupg-users at gnupg.org >> http://lists.gnupg.org/mailman/listinfo/gnupg-users > From dshaw at jabberwocky.com Mon May 4 04:56:24 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Sun, 3 May 2009 22:56:24 -0400 Subject: Use other hash than SHA-1 In-Reply-To: <20090503121703.GA10433@ruderich.org> References: <20090502102545.GA17546@ruderich.org> <8501075F-D591-4DF5-A0A3-3CA4861049FC@jabberwocky.com> <20090503121703.GA10433@ruderich.org> Message-ID: <742209AC-3884-468C-AC30-63E250335682@jabberwocky.com> On May 3, 2009, at 8:17 AM, Simon Ruderich wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On Sat, May 02, 2009 at 09:45:11AM -0400, David Shaw wrote: >> On May 2, 2009, at 6:25 AM, Simon Ruderich wrote: >> >> The short answer is that you can only use a 160-bit hash with your >> default DSA key. That means SHA-1 or RIPEMD/160. There is a >> feature you >> can enable (--enable-dsa2) that will allow you to use a bigger hash >> -- but >> you can still only use 160 bits worth of it. So if you use SHA-256, >> you're actually only taking 160 bits worth of it and discarding the >> rest. >> >> To truly use all of a larger hash, you need to either use a RSA key >> or a >> large (not default) DSA key (i.e. generated with --enable-dsa2 >> switched >> on, and a larger size than 1024 bits selected). >> >> David > > Hi, > > Thanks for your reply. As it looks like SHA-1 is not so secure > anymore I want to switch to something stronger, e.g. SHA-256. > What is best way (for a normal user like me) to do this? The > solution should be as compatible as possible (I think I read > - --enable-dsa2 doesn't work with some clients). > I often read I should stick with the defaults but as SHA-1 has > it's problems I would prefer a "better" hash; and this doesn't > seem to work with the defaults. 
It's always good advice to stick to the defaults, but it's possible in this case that it's time to change the defaults. In the meantime, while the defaults are being pondered, if your current primary key is a 1024-bit DSA key (it'll say "pub 1024D" when you do a key listing), then you should consider migrating to something else. That "something else" can either be a DSA key that is larger than 1024 bits (often called "DSA2") or an RSA key that is larger than 1024 bits. Different people have different opinions on which is a better choice and there is no one right answer. For what it's worth, I personally favor RSA as RSA+SHA-256 has been around longer than DSA2+SHA-256 and is therefore somewhat more widely supported over the various OpenPGP clients out there, but DSA2 has some good things about it, particularly that the signatures are physically smaller, and thus aren't as intrusive over email. It's important to remember that this isn't a completely SHA-1 free key, as that is not currently possible in the OpenPGP protocol, but it is possible to make a "use as little SHA-1 as possible key". The way to make the new key is a little bit fussy, I'm afraid, as the defaults in GPG are sort of built for SHA-1. If you want a DSA2 key: gpg --enable-dsa2 --gen-key Select option 1, and enter 3072 for the DSA key size. Hit enter. Then enter a key size for the encryption subkey. The default (2048) is fine. If you want an RSA key: gpg --cert-digest-algo sha256 --gen-key Select option 5. Enter a RSA key size. The default (2048) is fine. Finish generating the key as usual, then type: gpg --cert-digest-algo sha256 --edit-key (yourkey) addkey 6 Enter a keysize for the subkey. Again, the default (2048) is fine. For either case, finish up by sticking "personal-digest-preferences sha256" in your gpg.conf file. The end result will be a key that does not use SHA-1 either in its internal construction or in signatures it makes elsewhere. 
Keep in mind that there are some clients out there that simply cannot cope with this key and will reject it with one failure message or another. The most recent versions of either PGP or GPG can handle it just fine. David From wk at gnupg.org Mon May 4 10:19:18 2009 From: wk at gnupg.org (Werner Koch) Date: Mon, 04 May 2009 10:19:18 +0200 Subject: gpgsm data structure In-Reply-To: <5040856.1241092979229.JavaMail.ngmail@webmail18.arcor-online.net> (rookie01@arcor.de's message of "Thu, 30 Apr 2009 14:02:59 +0200 (CEST)") References: <17764364.1241089849578.JavaMail.ngmail@webmail18.arcor-online.net> <5040856.1241092979229.JavaMail.ngmail@webmail18.arcor-online.net> Message-ID: <8763ghth4p.fsf@wheatstone.g10code.de> On Thu, 30 Apr 2009 14:02, rookie01 at arcor.de said: > A recipient cannot decrypt my gpgsm signed and encrypted data. He sent me some data he can decrypt. It looks like this: If you post ASN.1 dumps and expect me to read them, pretty please use dumpasn1 and not the openssl tools. > So here's my question: Why is the gpgsm data in 4kB blocks and is there an 'easy' way to change this blocksize. 4KB is a reasonable size, no specific reason for it. An ASN.1 parser is expected to parse it. It is quite possible that there is a bug in our parser but that would be the first report for a couple of years. What version of gpgsm are you using? $ gpgsm --version gpgsm (GnuPG) 2.0.12-svn4945 libgcrypt 1.4.2-svn1299 libksba 1.0.4-svn284 What software created the data? Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. 
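Added example (not part of any list message, and not GnuPG code): David Shaw's replies in the "Use other hash than SHA-1" thread say that a DSA key only signs as many bits of the hash as its size allows, and later in the thread he gives the rule GPG applies (over 2048 bits: 256-bit hash; over 1024 bits: 224-bit; otherwise 160-bit). The Python below applies that rule together with the leftmost-bits truncation from FIPS 186-3; the function names and the sample message are assumptions made for illustration.

```python
import hashlib

# Constructed sample input; any byte string works.
SAMPLE = b"constructed sample message"


def gpg_dsa_hash_bits(key_bits):
    """Hash size paired with a DSA key size, per the rule quoted in the thread.

    In DSA terms this is the bit length of the subgroup order q.
    """
    if key_bits > 2048:
        return 256
    if key_bits > 1024:
        return 224
    return 160


def dsa_hash_input(message, hash_name, q_bits):
    """Return (z, used_bits, discarded_bits) for a DSA signature.

    FIPS 186-3 feeds DSA the leftmost min(q_bits, outlen) bits of the digest,
    read as a big-endian integer z; the remaining bits are never signed.
    """
    digest = hashlib.new(hash_name, message).digest()
    out_bits = len(digest) * 8
    used = min(q_bits, out_bits)
    z = int.from_bytes(digest, "big") >> (out_bits - used)
    return z, used, out_bits - used


def report(key_bits, hash_name, message=SAMPLE):
    """Summarise what a key size / hash pairing actually signs."""
    q_bits = gpg_dsa_hash_bits(key_bits)
    z, used, discarded = dsa_hash_input(message, hash_name, q_bits)
    return {
        "key_bits": key_bits,
        "hash": hash_name,
        "q_bits": q_bits,
        "used_bits": used,
        "discarded_bits": discarded,
        # Generic birthday bound on collisions in the bits that are signed.
        "birthday_bound_bits": used // 2,
        # True when the hash is shorter than the key size asks for.
        "hash_too_short": used < q_bits,
        "z_hex": format(z, "0%dx" % (used // 4)),
    }


if __name__ == "__main__":
    pairings = [(1024, "sha1"), (1024, "sha256"), (2048, "sha256"),
                (3072, "sha256"), (3072, "sha1")]
    for key_bits, hash_name in pairings:
        r = report(key_bits, hash_name)
        note = " (hash shorter than q)" if r["hash_too_short"] else ""
        print("%4d-bit DSA + %-6s: signs %3d bits, discards %3d, "
              "birthday bound 2^%d%s" % (
                  r["key_bits"], r["hash"], r["used_bits"],
                  r["discarded_bits"], r["birthday_bound_bits"], note))
```

A 1024-bit DSA key with SHA-256 still signs only 160 bits, so the generic collision bound stays at 2^80; only the 3072-bit size signs all 256 bits, which is why that size is the one paired with SHA-256 in the DSA2 instructions.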
From wk at gnupg.org Mon May 4 10:24:20 2009 From: wk at gnupg.org (Werner Koch) Date: Mon, 04 May 2009 10:24:20 +0200 Subject: New results against SHA-1 In-Reply-To: <20090501035849.7658.qmail@smasher.org> (Atom Smasher's message of "Fri, 1 May 2009 15:58:47 +1200 (NZST)") References: <20090501035849.7658.qmail@smasher.org> Message-ID: <87vdohs2bv.fsf@wheatstone.g10code.de> On Fri, 1 May 2009 05:58, atom at smasher.org said: > so... when is the open-pgp spec moving beyond SHA1 hashes to identify > public keys? what's next? will it have to be a bigger hash? OpenPGP does not claim that the fingerprint is a unique way to identify a key. Also note that the results are about collision attacks and not about second preimage attacks. Thus the whole thing basically boils down to the concept of non-repudiation; something which is very hard to achieve anyway. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From wk at gnupg.org Mon May 4 10:26:08 2009 From: wk at gnupg.org (Werner Koch) Date: Mon, 04 May 2009 10:26:08 +0200 Subject: gnupg 1.2.6 In-Reply-To: <200905021706.22037.webmaster@felipe1982.com> (Felipe Alvarez's message of "Sat, 2 May 2009 17:06:13 +1000") References: <200905021706.22037.webmaster@felipe1982.com> Message-ID: <87r5z5s28v.fsf@wheatstone.g10code.de> On Sat, 2 May 2009 09:06, webmaster at felipe1982.com said: > My web host has gnupg 1.2.6 on their machines. I often SSH into it when > I am not at home on my gnulinux box. Anything I should be concerned > about when using this version? the two key pairs I made (DSS signing, > ELG encryption) were made on gnupg 2.0.9, and transferred (and > imported) to this host via SSH. Install a current version of GnuPG. If you are not able to do so, you should never copy your private key to such a machine. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. 
From nicholas.cole at gmail.com Mon May 4 12:16:14 2009 From: nicholas.cole at gmail.com (Nicholas Cole) Date: Mon, 4 May 2009 11:16:14 +0100 Subject: New results against SHA-1 In-Reply-To: <87vdohs2bv.fsf@wheatstone.g10code.de> References: <20090501035849.7658.qmail@smasher.org> <87vdohs2bv.fsf@wheatstone.g10code.de> Message-ID: On Mon, May 4, 2009 at 9:24 AM, Werner Koch wrote: > On Fri, 1 May 2009 05:58, atom at smasher.org said: > >> so... when is the open-pgp spec moving beyond SHA1 hashes to identify >> public keys? what's next? will it have to be a bigger hash? > > OpenPGP does not claim that the fingerprint is a unique way to identify > a key. How does GPG cope if two keys on the keyring have the same FP? AFAICS that would make things very difficult for most of the front-ends, especially if they had been relying on the uniqueness (in practice) of the FP to specify which key to operate on. N. From wk at gnupg.org Mon May 4 13:39:41 2009 From: wk at gnupg.org (Werner Koch) Date: Mon, 04 May 2009 13:39:41 +0200 Subject: New results against SHA-1 In-Reply-To: (Nicholas Cole's message of "Mon, 4 May 2009 11:16:14 +0100") References: <20090501035849.7658.qmail@smasher.org> <87vdohs2bv.fsf@wheatstone.g10code.de> Message-ID: <87my9tqepu.fsf@wheatstone.g10code.de> On Mon, 4 May 2009 12:16, nicholas.cole at gmail.com said: > How does GPG cope if two keys on the keyring have the same FP? AFAICS > that would make things very difficult for most of the front-ends, I don't know, because I am not able to create such keys ;-). It is not different from looking up the keys using the long keyid. We would need to iterate over all matching keys until we can verify/decrypt a message. The only real crypto use in the protocol is with the revocation key (designated revoker) which uses a 20 byte fingerprint to specify the key. However I cannot see where there is a threat. There are some internal uses of SHA-1 and RIPE-MD-160 in GPG: Mainly to identify keys in the trustdb. 
You will likely run into problems adding another key with the same fingerprint. The forthcoming new keyring format will cope with that by not allowing a second key with the same fingerprint. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From dshaw at jabberwocky.com Mon May 4 14:51:56 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Mon, 4 May 2009 08:51:56 -0400 Subject: New results against SHA-1 In-Reply-To: References: <20090501035849.7658.qmail@smasher.org> <87vdohs2bv.fsf@wheatstone.g10code.de> Message-ID: <4B1DA997-0E16-4A39-A859-7D7FEB2CA8C5@jabberwocky.com> On May 4, 2009, at 6:16 AM, Nicholas Cole wrote: > On Mon, May 4, 2009 at 9:24 AM, Werner Koch wrote: >> On Fri, 1 May 2009 05:58, atom at smasher.org said: >> >>> so... when is the open-pgp spec moving beyond SHA1 hashes to >>> identify >>> public keys? what's next? will it have to be a bigger hash? >> >> OpenPGP does not claim that the fingerprint is a unique way to >> identify >> a key. > > How does GPG cope if two keys on the keyring have the same FP? AFAICS > that would make things very difficult for most of the front-ends, > especially if they had been relying on the uniqueness (in practice) of > the FP to specify which key to operate on. In theory, OpenPGP implementations should cope just fine with multiple keys having the same fingerprint. What to do depends on the context, but you could for example try all of the same-FP keys to verify a signature, etc. In practice, however, I suspect that most, if not all, OpenPGP programs would exhibit strange behavior of one sort or another. This sort of thing is hard to test for since it essentially implies creating a SHA-1 collision (which even with the recent discoveries is not a trivial thing). It's possible to fake a collision in the code, but again, they're so absurdly rare there are other bugs that would hit first. 
In the computer urban legend department, I actually heard a story once about someone who claimed to have (completely accidentally) generated a key with a colliding fingerprint. Unfortunately he deleted it because he thought it was a bad key when his client didn't behave well with it.... You may draw from that what you will! David From mail at 404not-found.de Mon May 4 17:21:48 2009 From: mail at 404not-found.de (Raimar Sandner) Date: Mon, 4 May 2009 17:21:48 +0200 Subject: Use other hash than SHA-1 In-Reply-To: <742209AC-3884-468C-AC30-63E250335682@jabberwocky.com> References: <20090502102545.GA17546@ruderich.org> <20090503121703.GA10433@ruderich.org> <742209AC-3884-468C-AC30-63E250335682@jabberwocky.com> Message-ID: <200905041721.57079.mail@404not-found.de> On Monday 04 May 2009 04:56:24 David Shaw wrote: > If you want a DSA2 key: > > gpg --enable-dsa2 --gen-key > > Select option 1, and enter 3072 for the DSA key size. > If you want an RSA key: > > gpg --cert-digest-algo sha256 --gen-key > > Select option 5. Enter a RSA key size. The default (2048) is fine. Why do you recommend the DSA2 signing key to be larger than the RSA signing key? -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part. 
URL: From simon at ruderich.org Mon May 4 18:03:23 2009 From: simon at ruderich.org (Simon Ruderich) Date: Mon, 4 May 2009 18:03:23 +0200 Subject: Use other hash than SHA-1 In-Reply-To: <742209AC-3884-468C-AC30-63E250335682@jabberwocky.com> References: <20090502102545.GA17546@ruderich.org> <8501075F-D591-4DF5-A0A3-3CA4861049FC@jabberwocky.com> <20090503121703.GA10433@ruderich.org> <742209AC-3884-468C-AC30-63E250335682@jabberwocky.com> Message-ID: <20090504160323.GA29612@ruderich.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Sun, May 03, 2009 at 10:56:24PM -0400, David Shaw wrote: > [snip] > > The end result will be a key that does not use SHA-1 either in its > internal construction or in signatures it makes elsewhere. Keep in mind > that there are some clients out there that simply cannot cope with this > key and will reject it with one failure message or another. The most > recent versions of either PGP or GPG can handle it just fine. > > David Hi, Thanks for your help. I created a RSA key and it works fine. 
Simon - -- + privacy is necessary + using http://gnupg.org + public key id: 0x6115F804EFB33229 From christoph.anton.mitterer at physik.uni-muenchen.de Mon May 4 19:33:16 2009 From: christoph.anton.mitterer at physik.uni-muenchen.de (Christoph Anton Mitterer) Date: Mon, 04 May 2009 19:33:16 +0200 Subject: New results against SHA-1 In-Reply-To: <87my9tqepu.fsf@wheatstone.g10code.de> References: <20090501035849.7658.qmail@smasher.org> <87vdohs2bv.fsf@wheatstone.g10code.de> <87my9tqepu.fsf@wheatstone.g10code.de> Message-ID: <1241458396.4024.3.camel@fermat.scientia.net> On Mon, 2009-05-04 at 13:39 +0200, Werner Koch wrote: > The forthcoming new keyring > format will cope with that by not allowing a second key with the same > fingerprint. Ah,.. I've always thought this would be already the case ^^ When will we see this new format? Chris. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3387 bytes Desc: not available URL: From christoph.anton.mitterer at physik.uni-muenchen.de Mon May 4 19:34:58 2009 From: christoph.anton.mitterer at physik.uni-muenchen.de (Christoph Anton Mitterer) Date: Mon, 04 May 2009 19:34:58 +0200 Subject: New results against SHA-1 In-Reply-To: <87my9tqepu.fsf@wheatstone.g10code.de> References: <20090501035849.7658.qmail@smasher.org> <87vdohs2bv.fsf@wheatstone.g10code.de> <87my9tqepu.fsf@wheatstone.g10code.de> Message-ID: <1241458498.4024.5.camel@fermat.scientia.net> On Mon, 2009-05-04 at 13:39 +0200, Werner Koch wrote: > The only real crypto use in the protocol is with the revocation key > (designated revoker) which uses a 20 byte fingerprint to specify the > key. However I cannot see where there is a threat. Ok,.. but most people do not exchange they key-data and signs it,.. but just the fingerprint.... So in practice this does not only affect the revocation signatures, does it? Chris. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3387 bytes Desc: not available URL: From faramir.cl at gmail.com Mon May 4 19:31:45 2009 From: faramir.cl at gmail.com (Faramir) Date: Mon, 04 May 2009 13:31:45 -0400 Subject: Use other hash than SHA-1 In-Reply-To: <200905041721.57079.mail@404not-found.de> References: <20090502102545.GA17546@ruderich.org> <20090503121703.GA10433@ruderich.org> <742209AC-3884-468C-AC30-63E250335682@jabberwocky.com> <200905041721.57079.mail@404not-found.de> Message-ID: <49FF2681.7000803@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Raimar Sandner escribi?: > On Monday 04 May 2009 04:56:24 David Shaw wrote: > >> If you want a DSA2 key: >> >> gpg --enable-dsa2 --gen-key >> >> Select option 1, and enter 3072 for the DSA key size. > > >> If you want an RSA key: >> >> gpg --cert-digest-algo sha256 --gen-key >> >> Select option 5. Enter a RSA key size. 
The default (2048) is fine. > > Why do you recommend the DSA2 signing key to be larger than the RSA signing > key? Good question, indeed. Best Regards From christoph.anton.mitterer at physik.uni-muenchen.de Mon May 4 19:40:05 2009 From: christoph.anton.mitterer at physik.uni-muenchen.de (Christoph Anton Mitterer) Date: Mon, 04 May 2009 19:40:05 +0200 Subject: Use other hash than SHA-1 In-Reply-To: <742209AC-3884-468C-AC30-63E250335682@jabberwocky.com> References: <20090502102545.GA17546@ruderich.org> <8501075F-D591-4DF5-A0A3-3CA4861049FC@jabberwocky.com> <20090503121703.GA10433@ruderich.org> <742209AC-3884-468C-AC30-63E250335682@jabberwocky.com> Message-ID: <1241458805.4024.8.camel@fermat.scientia.net> On Sun, 2009-05-03 at 22:56 -0400, David Shaw wrote: > It's important to remember that this isn't a completely SHA-1 free > key, as that is not currently possible in the OpenPGP protocol, but it > is possible to make a "use as little SHA-1 as possible key". Is there anything else than the fingerprint for the revocation signatures and MDC? > The end result will be a key that does not use SHA-1 either in its > internal construction or in signatures it makes elsewhere. Keep in > mind that there are some clients out there that simply cannot cope > with this key and will reject it with one failure message or another. > The most recent versions of either PGP or GPG can handle it just fine. 
What would you suggest for existing RSA/DSA2 keys that always used SHA1 for their self-sigs and cert-sigs on other keys? Should those be recreated with the "better" hash algo? Regards, Chris. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3387 bytes Desc: not available URL: From jmoore3rd at bellsouth.net Mon May 4 23:01:08 2009 From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Mon, 04 May 2009 17:01:08 -0400 Subject: New results against SHA-1 In-Reply-To: References: <20090501035849.7658.qmail@smasher.org> <87vdohs2bv.fsf@wheatstone.g10code.de> Message-ID: <49FF5794.2030808@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Nicholas Cole wrote: > How does GPG cope if two keys on the keyring have the same FP? AFAICS > that would make things very difficult for most of the front-ends, > especially if they had been relying on the uniqueness (in practice) of > the FP to specify which key to operate on. Please show Me an example of this happening in the Real World. 
JOHN 8-) Timestamp: Monday 04 May 2009, 17:00 --400 (Eastern Daylight Time) From moni_sparkle at yahoo.com Fri May 1 20:01:51 2009 From: moni_sparkle at yahoo.com (MShah) Date: Fri, 1 May 2009 11:01:51 -0700 (PDT) Subject: How to use salt in the gpg decrypt expression? Message-ID: <23337352.post@talk.nabble.com> I have gpg encrypted data that I imported into the DB at my company, they have provided the passphrase and salt. I am wondering how to provide the salt in the decrypting expression. Any feedback on this will be appreciated. Here is how I am using it without the salt: gpg.exe --passphrase Id6Ai6Cp4S -d c:\tmp\rrrK.gpg How do I include salt in the above expression? I looked at gpg help, but that has no option of including the salt. Thanks, Moni -- View this message in context: http://www.nabble.com/How-to-use-salt-in-the-gpg-decrypt-expression--tp23337352p23337352.html Sent from the GnuPG - User mailing list archive at Nabble.com. From nicholas.cole at gmail.com Tue May 5 00:33:35 2009 From: nicholas.cole at gmail.com (Nicholas Cole) Date: Mon, 4 May 2009 23:33:35 +0100 Subject: New results against SHA-1 In-Reply-To: <49FF5794.2030808@bellsouth.net> References: <20090501035849.7658.qmail@smasher.org> <87vdohs2bv.fsf@wheatstone.g10code.de> <49FF5794.2030808@bellsouth.net> Message-ID: On Mon, May 4, 2009 at 10:01 PM, John W. Moore III wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > Nicholas Cole wrote: > >> How does GPG cope if two keys on the keyring have the same FP? AFAICS >> that would make things very difficult for most of the front-ends, >> especially if they had been relying on the uniqueness (in practice) of >> the FP to specify which key to operate on. > > Please show Me an example of this happening in the Real World. > > JOHN 8-) Well, I'm just not that lucky! Or is that unlucky? It is possible, though, that someone, somewhere will be. If the story reported earlier in this thread is right, someone already has been. Wouldn't a way around some of the (unlikely) problems be for gpg to give each key on the keyring a guaranteed unique number (guaranteed, for example, to be unique on that keyring), and allow users and front-ends to specify a key by that number? This might even be as simple as a number generated by pre-pending the number of the key in the standard --list-keys output to the fingerprint. Best, N. 
From dshaw at jabberwocky.com Tue May 5 04:44:12 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Mon, 4 May 2009 22:44:12 -0400 Subject: Use other hash than SHA-1 In-Reply-To: <200905041721.57079.mail@404not-found.de> References: <20090502102545.GA17546@ruderich.org> <20090503121703.GA10433@ruderich.org> <742209AC-3884-468C-AC30-63E250335682@jabberwocky.com> <200905041721.57079.mail@404not-found.de> Message-ID: On May 4, 2009, at 11:21 AM, Raimar Sandner wrote: > On Monday 04 May 2009 04:56:24 David Shaw wrote: > >> If you want a DSA2 key: >> >> gpg --enable-dsa2 --gen-key >> >> Select option 1, and enter 3072 for the DSA key size. > > >> If you want an RSA key: >> >> gpg --cert-digest-algo sha256 --gen-key >> >> Select option 5. Enter a RSA key size. The default (2048) is fine. > > Why do you recommend the DSA2 signing key to be larger than the RSA > signing > key? Heh. It's because of fussy internal parameter settings. DSA2 keys can use different hashes, and the hashes they use are tied to the key size. There is some looseness in the parameters, but in GPG it basically it boils down to this: If the key is over 2048 bits, use a 256-bit hash. If the key is over 1024 bits, use a 224-bit hash. Otherwise, use a 160-bit hash. I couldn't specify the DSA key to be 2048 bits long to match the RSA key because that would have given it a 224-bit hash instead of the promised 256-bit hash. 
David From dshaw at jabberwocky.com Tue May 5 05:46:33 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Mon, 4 May 2009 23:46:33 -0400 Subject: Use other hash than SHA-1 In-Reply-To: <1241458805.4024.8.camel@fermat.scientia.net> References: <20090502102545.GA17546@ruderich.org> <8501075F-D591-4DF5-A0A3-3CA4861049FC@jabberwocky.com> <20090503121703.GA10433@ruderich.org> <742209AC-3884-468C-AC30-63E250335682@jabberwocky.com> <1241458805.4024.8.camel@fermat.scientia.net> Message-ID: <1C7FD194-AA85-4110-941A-C8B6E0B79946@jabberwocky.com> On May 4, 2009, at 1:40 PM, Christoph Anton Mitterer wrote: > On Sun, 2009-05-03 at 22:56 -0400, David Shaw wrote: >> It's important to remember that this isn't a completely SHA-1 free >> key, as that is not currently possible in the OpenPGP protocol, but >> it >> is possible to make a "use as little SHA-1 as possible key". > Is there anything else than the fingerprint for the revocation > signatures and MDC? I believe that's it. Fingerprints, revocation signatures (which use fingerprints internally), and the MDC. >> The end result will be a key that does not use SHA-1 either in its >> internal construction or in signatures it makes elsewhere. Keep in >> mind that there are some clients out there that simply cannot cope >> with this key and will reject it with one failure message or another. >> The most recent versions of either PGP or GPG can handle it just >> fine. > What would you suggest for existing RSA/DSA2 keys that always used > SHA1 > for their self-sigs and cert-sigs on other keys? > Should those be recreated with the "better" hash algo? While I would start (did start, actually, a few years ago) using SHA-256 to certify other people's keys, I wouldn't bother re-issuing older SHA-1 certifications. Re-issuing your self-sigs is more or less harmless. The keyservers never delete anything, so they'll end up with both the old and new. 
Assuming all works properly, the newer clients should end up using the newer selfsig, and the older clients should keep using the old one (as they won't be able to verify the new one). If you're distributing your key outside of the keyservers, then you can go further and strip off the old SHA-1 selfsig. If you do this, you can end up breaking compatibility with some non-zero percentage of the community. The exact amount of breakage depends on your particular circle of correspondents and how often they upgrade, etc. David From wk at gnupg.org Tue May 5 09:24:08 2009 From: wk at gnupg.org (Werner Koch) Date: Tue, 05 May 2009 09:24:08 +0200 Subject: New results against SHA-1 In-Reply-To: (Nicholas Cole's message of "Mon, 4 May 2009 23:33:35 +0100") References: <20090501035849.7658.qmail@smasher.org> <87vdohs2bv.fsf@wheatstone.g10code.de> <49FF5794.2030808@bellsouth.net> Message-ID: <877i0w9fmv.fsf@wheatstone.g10code.de> On Tue, 5 May 2009 00:33, nicholas.cole at gmail.com said: > front-ends to specify a key by that number? This might even be as > simple as a number generated by pre-pending the number of the key in > the standard --list-keys output to the fingerprint. We had something like this many years ago but dropped it later. I can't remember the details. The problem was that updating the keyring could lead to conflicts and basically we had to use yet another hash of something. Thus there is no advantage over the fingerprint. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From faramir.cl at gmail.com Tue May 5 18:49:51 2009 From: faramir.cl at gmail.com (Faramir) Date: Tue, 05 May 2009 12:49:51 -0400 Subject: About default key used for trustdb Message-ID: <4A006E2F.6000407@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hello: Recently, I noticed a key signed by me was not shown as trusted (using gpgshell GUI). 
I did a test, and tried to sign the key again, and found gpg wanted to use a "group key" (a key used by a group of persons to encrypt/decrypt messages, to protect them while they are in transit), instead of my personal keys. So, is there a way to tell gpg to "view keys from one of my keys point of view"? I had noticed this before, but since it always selected one of my personal keys, and all of them trust each other, that was never a problem, until now. Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org -----END PGP SIGNATURE----- From subs at christiantena.net Tue May 5 21:50:24 2009 From: subs at christiantena.net (Philip) Date: Tue, 05 May 2009 20:50:24 +0100 Subject: problems with http://www.gnupg.org Message-ID: <4A009880.8090807@christiantena.net> all the links from http://www.gnupg.org/docs.html are dead for example http://www.gnupg.org/howtos.en.html 404 Not Found The requested URL /howtos.en.html was not found on this server. I tried to email the webmaster but the email is bouncing I can't access http://www.gnupg.org/mailing-lists.en.html to see if there's a better list to send to than this one either!
I'm hoping someone here can do something about it regards, Philip From brad at fineby.me.uk Tue May 5 22:08:10 2009 From: brad at fineby.me.uk (Brad Rogers) Date: Tue, 5 May 2009 21:08:10 +0100 Subject: problems with http://www.gnupg.org In-Reply-To: <4A009880.8090807@christiantena.net> References: <4A009880.8090807@christiantena.net> Message-ID: <20090505210810.5a240856@abydos.stargate.org.uk> On Tue, 05 May 2009 20:50:24 +0100 Philip wrote: Hello Philip, > all the links from http://www.gnupg.org/docs.html are dead Works for me.... -- Regards _ / ) "The blindingly obvious is / _)rad never immediately apparent" Watching the people get lairy I Predict A Riot - Kaiser Chiefs -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 197 bytes Desc: not available URL: From dave.smith at st.com Tue May 5 22:17:17 2009 From: dave.smith at st.com (David SMITH) Date: Tue, 5 May 2009 21:17:17 +0100 Subject: problems with http://www.gnupg.org In-Reply-To: <4A009880.8090807@christiantena.net> References: <4A009880.8090807@christiantena.net> Message-ID: <20090505201717.GA16232@bristol.st.com> On Tue, May 05, 2009 at 08:50:24PM +0100, Philip wrote: > all the links from http://www.gnupg.org/docs.html are dead > for example > http://www.gnupg.org/howtos.en.html > 404 Not Found > The requested URL /howtos.en.html was not found on this server. > > I tried to email the webmaster but the email is bouncing > > I can't access http://www.gnupg.org/mailing-lists.en.html to see if > there's a better list to send to than this one either! > > I'm hoping someone here can do something about it Works OK for me, so either someone's already fixed it, or it was a transient problem. 
-- David Smith | Tel: +44 (0)1454 462380 Home: +44 (0)1454 616963 STMicroelectronics | Fax: +44 (0)1454 462305 Mobile: +44 (0)7932 642724 1000 Aztec West | TINA: 065 2380 GPG Key: 0xF13192F2 Almondsbury | Work Email: Dave.Smith at st.com BRISTOL, BS32 4SQ | Home Email: David.Smith at ds-electronics.co.uk From christoph.anton.mitterer at physik.uni-muenchen.de Tue May 5 23:21:14 2009 From: christoph.anton.mitterer at physik.uni-muenchen.de (Christoph Anton Mitterer) Date: Tue, 05 May 2009 23:21:14 +0200 Subject: Use other hash than SHA-1 In-Reply-To: <1C7FD194-AA85-4110-941A-C8B6E0B79946@jabberwocky.com> References: <20090502102545.GA17546@ruderich.org> <8501075F-D591-4DF5-A0A3-3CA4861049FC@jabberwocky.com> <20090503121703.GA10433@ruderich.org> <742209AC-3884-468C-AC30-63E250335682@jabberwocky.com> <1241458805.4024.8.camel@fermat.scientia.net> <1C7FD194-AA85-4110-941A-C8B6E0B79946@jabberwocky.com> Message-ID: <1241558474.8226.8.camel@fermat.scientia.net> On Mon, 2009-05-04 at 23:46 -0400, David Shaw wrote: > I believe that's it. Fingerprints, revocation signatures (which use > fingerprints internally), and the MDC. > While I would start (did start, actually, a few years ago) using > SHA-256 to certify other people's keys, I wouldn't bother re-issuing > older SHA-1 certifications. > > Re-issuing your self-sigs is more or less harmless. The keyservers > never delete anything, so they'll end up with both the old and new. I'm not sure if this leads to the same discussion that we had some time ago on the WG-list (about explicitly revoking previous self-sigs),... but if a key has self-sigs with different hash-algos,... does this "allow" downgrad-attacks or that like? > Assuming all works properly, the newer clients should end up using the > newer selfsig, and the older clients should keep using the old one (as > they won't be able to verify the new one). Even when they see, that the self-sig with the "better" algo, has a newer creation date? 
Would consider this critical :/ Best wishes, Chris. From John at Mozilla-Enigmail.org Wed May 6 00:22:43 2009 From: John at Mozilla-Enigmail.org (John Clizbe) Date: Tue, 05 May 2009 17:22:43 -0500 Subject: problems with http://www.gnupg.org In-Reply-To: <4A009880.8090807@christiantena.net> References: <4A009880.8090807@christiantena.net> Message-ID: <4A00BC33.5090302@Mozilla-Enigmail.org> Philip wrote: > all the links from http://www.gnupg.org/docs.html are dead > for example > http://www.gnupg.org/howtos.en.html > 404 Not Found > The requested URL /howtos.en.html was not found on this server. > > I tried to email the webmaster but the email is bouncing > > I can't access http://www.gnupg.org/mailing-lists.en.html to see if > there's a better list to send to than this one either! > > I'm hoping someone here can do something about it They work with the full path. Your examples leave out '/documentation' at the beginning of the path. Try http://www.gnupg.org/documentation/howtos.en.html or http://www.gnupg.org/documentation/mailing-lists.en.html -- John P. Clizbe Inet:John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels" From stormer at stormer.org Wed May 6 02:19:58 2009 From: stormer at stormer.org (Stormer's Cgi-Archive) Date: Tue, 5 May 2009 20:19:58 -0400 Subject: procmail recipe and gpg? Message-ID: Does anyone have a good procmail recipe for gpg?
I'd like it so that any email sent to an email account is encrypted with that users public gpg key. Don't need to worry about attachments. An example application of this would be... Simple perl scripts that send an email to a user on the same server. This way, anything sent to that end user would be encrypted. The end user could then pop the mail off the server and decrypt it with their local private key. Many thanks! James From dshaw at jabberwocky.com Wed May 6 04:16:17 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Tue, 5 May 2009 22:16:17 -0400 Subject: Use other hash than SHA-1 In-Reply-To: <1241558474.8226.8.camel@fermat.scientia.net> References: <20090502102545.GA17546@ruderich.org> <8501075F-D591-4DF5-A0A3-3CA4861049FC@jabberwocky.com> <20090503121703.GA10433@ruderich.org> <742209AC-3884-468C-AC30-63E250335682@jabberwocky.com> <1241458805.4024.8.camel@fermat.scientia.net> <1C7FD194-AA85-4110-941A-C8B6E0B79946@jabberwocky.com> <1241558474.8226.8.camel@fermat.scientia.net> Message-ID: <5566128E-F02F-4AB4-B53C-97EC117AF688@jabberwocky.com> On May 5, 2009, at 5:21 PM, Christoph Anton Mitterer wrote: > On Mon, 2009-05-04 at 23:46 -0400, David Shaw wrote: >> >> >> Re-issuing your self-sigs is more or less harmless. The keyservers >> never delete anything, so they'll end up with both the old and new. > I'm not sure if this leads to the same discussion that we had some > time > ago on the WG-list (about explicitly revoking previous self-sigs),... > but if a key has self-sigs with different hash-algos,... does this > "allow" downgrad-attacks or that like? It depends on the attack. What is the attack you are concerned about? >> Assuming all works properly, the newer clients should end up using >> the >> newer selfsig, and the older clients should keep using the old one >> (as >> they won't be able to verify the new one). > Even when they see, that the self-sig with the "better" algo, has a > newer creation date? 
> Would consider this critical :/ They mustn't do this. They can't, really. It would enable a pretty trivial DoS if I could make up a bogus self-sig with some hash number that isn't even allocated yet, but a later date, and send it to a keyserver to be attached to my victim key. GPG must treat any signature that does not verify as irrelevant. David
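David Shaw's point in his reply above, that a client must discard every self-signature it cannot verify before it looks at creation dates, is illustrated here as an added example; it is not GnuPG's code and not from any post in this thread. HMAC under a shared secret stands in for the public-key signature so the example runs on the standard library alone, and the names `SelfSig`, `make_selfsig`, `pick_newest_first`, `pick_newest_verifiable`, the user ID and the timestamps are all constructed for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import List, Optional, Set

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4): 2 = SHA-1, 8 = SHA-256.
HASH_BY_ID = {2: "sha1", 8: "sha256"}


@dataclass(frozen=True)
class SelfSig:
    created: int   # signature creation time (Unix seconds)
    hash_id: int   # hash algorithm ID the signature claims to use
    prefs: str     # what the self-sig asserts about the key (constructed)
    value: bytes   # stand-in for the signature value


def _signed_bytes(user_id: str, created: int, hash_id: int, prefs: str) -> bytes:
    return f"{user_id}|{created}|{hash_id}|{prefs}".encode()


def make_selfsig(secret: bytes, user_id: str, created: int,
                 hash_id: int, prefs: str) -> SelfSig:
    """Issue a self-sig. ASSUMPTION: HMAC stands in for a public-key signature."""
    data = _signed_bytes(user_id, created, hash_id, prefs)
    return SelfSig(created, hash_id, prefs,
                   hmac.new(secret, data, HASH_BY_ID[hash_id]).digest())


def verifies(sig: SelfSig, secret: bytes, user_id: str, supported: Set[int]) -> bool:
    """True only if this client implements the hash AND the value checks out."""
    algo = HASH_BY_ID.get(sig.hash_id)
    if algo is None or sig.hash_id not in supported:
        return False
    data = _signed_bytes(user_id, sig.created, sig.hash_id, sig.prefs)
    return hmac.compare_digest(hmac.new(secret, data, algo).digest(), sig.value)


def pick_newest_first(sigs: List[SelfSig], secret: bytes, user_id: str,
                      supported: Set[int]) -> Optional[SelfSig]:
    """Flawed policy: commit to the newest self-sig by date, then verify it."""
    newest = max(sigs, key=lambda s: s.created, default=None)
    if newest is not None and verifies(newest, secret, user_id, supported):
        return newest
    return None  # the key has no usable self-sig: denial of service


def pick_newest_verifiable(sigs: List[SelfSig], secret: bytes, user_id: str,
                           supported: Set[int]) -> Optional[SelfSig]:
    """Policy from the thread: unverifiable self-sigs are irrelevant."""
    good = [s for s in sigs if verifies(s, secret, user_id, supported)]
    return max(good, key=lambda s: s.created, default=None)


# --- constructed sample data -------------------------------------------
SECRET = b"constructed-demo-key"
UID = "Alice Example <alice@example.org>"
OLD_SHA1 = make_selfsig(SECRET, UID, 1104537600, 2, "digest prefs: SHA1")
NEW_SHA256 = make_selfsig(SECRET, UID, 1241481600, 8, "digest prefs: SHA256 SHA1")
# Bogus self-sig attached via a keyserver: later date, hash ID that this
# example treats as unallocated, junk signature value.
BOGUS = SelfSig(created=1893456000, hash_id=99, prefs="attacker-supplied",
                value=b"\x00" * 32)
ON_KEYSERVER = [OLD_SHA1, NEW_SHA256, BOGUS]

OLD_CLIENT = {2}      # implements SHA-1 only
NEW_CLIENT = {2, 8}   # implements SHA-1 and SHA-256

if __name__ == "__main__":
    for name, client in (("old client", OLD_CLIENT), ("new client", NEW_CLIENT)):
        naive = pick_newest_first(ON_KEYSERVER, SECRET, UID, client)
        robust = pick_newest_verifiable(ON_KEYSERVER, SECRET, UID, client)
        print(name, "| newest-first:", naive and naive.prefs,
              "| newest-verifiable:", robust and robust.prefs)
```

The same filter explains why an old client keeps using the SHA-1 self-sig even though a newer SHA-256 one exists: it cannot verify the newer one, so for that client it does not count.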
From subs at christiantena.net Wed May 6 11:42:12 2009 From: subs at christiantena.net (Philip) Date: Wed, 06 May 2009 10:42:12 +0100 Subject: problems with http://www.gnupg.org In-Reply-To: <4A00BC33.5090302@Mozilla-Enigmail.org> References: <4A009880.8090807@christiantena.net> <4A00BC33.5090302@Mozilla-Enigmail.org> Message-ID: <4A015B74.6000603@christiantena.net> thanks I don't remember where or what linked to http://www.gnupg.org/docs.html maybe it's related to this "bug" https://bugs.g10code.com/gnupg/issue33 I think it might be better if the content at http://www.gnupg.org/docs.html can be changed to a simple "this page has moved to http://www.gnupg.org/documentation/" or something John Clizbe wrote: > Philip wrote: >> all the links from http://www.gnupg.org/docs.html are dead >> for example >> http://www.gnupg.org/howtos.en.html >> 404 Not Found >> The requested URL /howtos.en.html was not found on this server. >> >> I tried to email the webmaster but the email is bouncing >> >> I can't access http://www.gnupg.org/mailing-lists.en.html to see if >> there's a better list to send to than this one either! >> >> I'm hoping someone here can do something about it > > They work with the full path. Your examples leave out '/documentation' at > the beginning of the path.
> > Try > http://www.gnupg.org/documentation/howtos.en.html > or > http://www.gnupg.org/documentation/mailing-lists.en.html > > > > From webmaster at felipe1982.com Wed May 6 12:03:13 2009 From: webmaster at felipe1982.com (felipe alvarez) Date: Wed, 6 May 2009 20:03:13 +1000 Subject: Fw: problems with http://www.gnupg.org Message-ID: <0B7E8B6BC0C84C93BEB5D0BFECFB44FC@cheetah> ----- Original Message ----- From: "felipe alvarez" To: "David SMITH" Sent: Wednesday, May 06, 2009 8:02 PM Subject: Re: problems with http://www.gnupg.org > > ----- Original Message ----- > From: "David SMITH" > To: > Sent: Wednesday, May 06, 2009 6:17 AM > Subject: Re: problems with http://www.gnupg.org > > >> On Tue, May 05, 2009 at 08:50:24PM +0100, Philip wrote: >>> all the links from http://www.gnupg.org/docs.html are dead >>> for example >>> http://www.gnupg.org/howtos.en.html >>> 404 Not Found >>> The requested URL /howtos.en.html was not found on this server. >>> >>> I tried to email the webmaster but the email is bouncing >>> >>> I can't access http://www.gnupg.org/mailing-lists.en.html to see if >>> there's a better list to send to than this one either! >>> >>> I'm hoping someone here can do something about it >> >> Works OK for me, so either someone's already fixed it, or it was a >> transient problem. They are definitely broken. Click on the purple-ish links that are most prominent, centre of page. felipe From brad at fineby.me.uk Wed May 6 12:51:27 2009 From: brad at fineby.me.uk (Brad Rogers) Date: Wed, 6 May 2009 11:51:27 +0100 Subject: problems with http://www.gnupg.org In-Reply-To: <0B7E8B6BC0C84C93BEB5D0BFECFB44FC@cheetah> References: <0B7E8B6BC0C84C93BEB5D0BFECFB44FC@cheetah> Message-ID: <20090506115127.311983a7@abydos.stargate.org.uk> On Wed, 6 May 2009 20:03:13 +1000 "felipe alvarez" wrote: Hello felipe, > They are definitely broken. Click on the purple-ish links that are > most prominent, centre of page. Whoops! You're right.
I didn't even try those, thinking they weren't links at all, just topic headings. The links down the left hand side still work, of course. -- Regards _ / ) "The blindingly obvious is / _)rad never immediately apparent" Kill joy, bad guy, big talking, small fry Death On Two Legs - Queen -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 197 bytes Desc: not available URL: From steveo at syslang.net Wed May 6 19:18:51 2009 From: steveo at syslang.net (Steven W. Orr) Date: Wed, 6 May 2009 13:18:51 -0400 (EDT) Subject: Question about gpg-agent Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I'm running Fedora 10 (if anyone cares) with gnupg2-2.0.10-1.fc10.i386. I'm up and rolling, but I'd like to know more about configuring the agent. I started the agent via the recommended incantation: eval "$(gpg-agent --daemon)" in my ~/.kde/AutoStart and I set use-agent in my ~/.gnupg/gpg.conf I'm not seeing a place that defines what the default values are for the gpg-agent. I wanted to change the default TTL for a passphrase so I said default-cache-ttl 6000 in my .gnupg/gpg-agent.conf But I also have a gpa.conf and I don't know which is the right place to put the change or how to tell what the current settings are. Also, in my gpg.conf file I have default-key 5E2A01198E98730A87DF205C448572E1F0BE3724 but in the gpa.conf, I have the following. *519 > cat .gnupg/gpa.conf default-key ADA6F1B17880A139848FCE939FD2865783254088 keyserver hkp://random.sks.keyserver.penguin.de So basically, I'm confused and I don't see any docs to help. Can someone help? TIA - -- Time flies like the wind. Fruit flies like a banana. Stranger things have .0. happened but none stranger than this. Does your driver's license say Organ ..0 Donor?Black holes are where God divided by zero. Listen to me! We are all- 000 individuals! What if this weren't a hypothetical question? 
steveo at syslang.net -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.10 (GNU/Linux) -----END PGP SIGNATURE----- From kloecker at kde.org Wed May 6 21:18:42 2009 From: kloecker at kde.org (Ingo Klöcker) Date: Wed, 06 May 2009 21:18:42 +0200 Subject: Question about gpg-agent In-Reply-To: References: Message-ID: <200905062118.43198@thufir.ingo-kloecker.de> On Wednesday 06 May 2009, Steven W. Orr wrote: > I'm running Fedora 10 (if anyone cares) with > gnupg2-2.0.10-1.fc10.i386. > > I'm up and rolling, but I'd like to know more about configuring the > agent. I started the agent via the recommended incantation: > > eval "$(gpg-agent --daemon)" > > in my ~/.kde/AutoStart AFAIK, this should be ~/.kde/env, so that the environment variable set by gpg-agent is available to everything running in the X session. FWIW, I have killall gpg-agent 2>/dev/null eval "$(gpg-agent --daemon --default-cache-ttl 36000)" in ~/.kde/env/start-gpg-agent.sh. > and I set > > use-agent > > in my ~/.gnupg/gpg.conf > > I'm not seeing a place that defines what the default values are for > the gpg-agent. I wanted to change the default TTL for a passphrase so > I said > > default-cache-ttl 6000 See my example above. Regards, Ingo From gpg2.20.maniams at dfgh.net Wed May 6 19:53:41 2009 From: gpg2.20.maniams at dfgh.net (gpg2.20.maniams at dfgh.net) Date: Wed, 6 May 2009 21:53:41 +0400 Subject: Use GPG to create encrypted files readable by PGP Message-ID: <5313cd090905061053n5f023627u63140ab58ee54c3@mail.gmail.com> Dear Members : Could you (or the list ) help me with the following : - I have an source xl file - say something dot xls - I wish to encrypt this and the recipient is say Mr.
Y - I wish to have an encrypted result file that is recognized and readable by Mr. Y using PGP - A command line (that assumes the following ) would be of great help Source file : something.xls Source directory : c:\somewhere\ Result requested : something.xls.pgp -> file that can be decrypted by PGP Result directory : c:\somewhere\ recipient : Mr. Y. : I have his pub key on my ring. I trust Mr. Y (in real life I have verified his e mail etc). But Mr. Y's pub key on my key ring may or _may NOT_ have trusted signatures / trust levels etc on the key. My System : win XP My knowledge level: I can open the command prompt and type..report back error messages etc thanks in advance Best regards maniams -------------- next part -------------- An HTML attachment was scrubbed... URL: From John at Mozilla-Enigmail.org Wed May 6 22:06:38 2009 From: John at Mozilla-Enigmail.org (John Clizbe) Date: Wed, 06 May 2009 15:06:38 -0500 Subject: Use GPG to create encrypted files readable by PGP In-Reply-To: <5313cd090905061053n5f023627u63140ab58ee54c3@mail.gmail.com> References: <5313cd090905061053n5f023627u63140ab58ee54c3@mail.gmail.com> Message-ID: <4A01EDCE.9090809@Mozilla-Enigmail.org> gpg2.20.maniams at dfgh.net wrote: > Dear Members : > Could you (or the list ) help me with the following : > - I have an source xl file - say something dot xls > - I wish to encrypt this and the recipient is say Mr. Y > - I wish to have an encrypted result file that is recognized and > readable by Mr. Y using PGP > - A command line (that assumes the following ) would be of great help > > Source file : something.xls > Source directory : c:\somewhere\ > Result requested : something.xls.pgp -> > file that can be decrypted by PGP > Result directory : c:\somewhere\ > recipient : Mr. Y. : > I have his pub key on my ring. > I trust Mr. Y (in real life I have verified his e mail etc). > But Mr. Y's pub key on my key ring may or > _may NOT_ have trusted signatures / trust levels etc on the key. 
cd c:\somewhere gpg --trust-model always --pgp8 -r -o something.xls.pgp -e something.xls This wraps in the email. In a CMD window you would just type it on one line. --trust-model always says to trust the key(s) anyway --pgp8 is the most recent. There are also --pgp7, --pgp6, and --pgp2 options. -r sets the encryption _r_ecipient -- John P. Clizbe Inet:John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 678 bytes Desc: OpenPGP digital signature URL: From gpg2.20.maniams at dfgh.net Thu May 7 07:12:24 2009 From: gpg2.20.maniams at dfgh.net (gpg2.20.maniams at dfgh.net) Date: Thu, 7 May 2009 09:12:24 +0400 Subject: Use GPG to create encrypted files readable by PGP Message-ID: <5313cd090905062212h2e1b4d94qf165d479f590b463@mail.gmail.com> On Thu, May 7, 2009 at 12:06 AM, John Clizbe - John at Mozilla-Enigmail.org <+gpg2+maniams+ede7096b82.John#Mozilla-Enigmail.org at spamgourmet.com> wrote: > gpg2.20.maniams at dfgh.net wrote: > > Dear Members : > > Could you (or the list ) help me with the following : > > - I have an source xl file - say something dot xls > > - I wish to encrypt this and the recipient is say Mr. Y > > - I wish to have an encrypted result file that is recognized and > > readable by Mr. Y using PGP > > - A command line (that assumes the following ) would be of great help > > > > Source file : something.xls > > Source directory : c:\somewhere\ > > Result requested : something.xls.pgp -> > > file that can be decrypted by PGP > > Result directory : c:\somewhere\ > > recipient : Mr. Y. : > > I have his pub key on my ring. > > I trust Mr. Y (in real life I have verified his e mail etc). 
> > But Mr. Y's pub key on my key ring may or > > _may NOT_ have trusted signatures / trust levels etc on the key. > > cd c:\somewhere > > gpg --trust-model always --pgp8 -r -o something.xls.pgp > -e something.xls > > This wraps in the email. In a CMD window you would just type it on one > line. > > --trust-model always says to trust the key(s) anyway > > --pgp8 is the most recent. There are also --pgp7, --pgp6, and --pgp2 > options. > > -r sets the encryption _r_ecipient > > > -- > John P. Clizbe Inet:John (a) Mozilla-Enigmail.org > You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or > mailto:pgp-public-keys at gingerbear.net?subject=HELP > Thanks a ton. That was an amazing reply. It works for me May I add a note for other novices : The file name should not contain spaces. if it did try using " -> quotes to wrap the file name regards subu -------------- next part -------------- An HTML attachment was scrubbed... URL: From gpg2.20.maniams at dfgh.net Thu May 7 07:20:23 2009 From: gpg2.20.maniams at dfgh.net (gpg2.20.maniams at dfgh.net) Date: Thu, 7 May 2009 09:20:23 +0400 Subject: Can GPG 1.4.9 be used for commercial purposes ? Message-ID: <5313cd090905062220w595461e1s49a4c3ab5d39a4ad@mail.gmail.com> Dear Members Can GPG 1.4.9 be used for commercial purposes ? like sending company files to a recepient ? regards subu -------------- next part -------------- An HTML attachment was scrubbed... URL: From rjh at sixdemonbag.org Thu May 7 07:45:43 2009 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 07 May 2009 01:45:43 -0400 Subject: Can GPG 1.4.9 be used for commercial purposes ? In-Reply-To: <5313cd090905062220w595461e1s49a4c3ab5d39a4ad@mail.gmail.com> References: <5313cd090905062220w595461e1s49a4c3ab5d39a4ad@mail.gmail.com> Message-ID: <4A027587.7000903@sixdemonbag.org> gpg2.20.maniams at dfgh.net wrote: > Can GPG 1.4.9 be used for commercial purposes ? like sending company > files to a recepient ? Yes. 
GnuPG places no restrictions of any kind on how the program may be used. From gpg2.20.maniams at dfgh.net Thu May 7 07:19:10 2009 From: gpg2.20.maniams at dfgh.net (gpg2.20.maniams at dfgh.net) Date: Thu, 7 May 2009 09:19:10 +0400 Subject: How to import a key from GPG 1.4.9 to PGP ? Message-ID: <5313cd090905062219n38493417y4f0477e2ebc9beaf@mail.gmail.com> Dear List How to import a key pair (my own secret and public keys) from GPG 1.4.9 to PGP 6.5 ? Command line help preferred. If not possible help using some GPG graphical interface please I'm Using a win XP machine thanks in advance Regards subu From faramir.cl at gmail.com Thu May 7 08:01:46 2009 From: faramir.cl at gmail.com (Faramir) Date: Thu, 07 May 2009 02:01:46 -0400 Subject: Can GPG 1.4.9 be used for commercial purposes ? In-Reply-To: <5313cd090905062220w595461e1s49a4c3ab5d39a4ad@mail.gmail.com> References: <5313cd090905062220w595461e1s49a4c3ab5d39a4ad@mail.gmail.com> Message-ID: <4A02794A.8090406@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 gpg2.20.maniams at dfgh.net wrote: > Dear Members > > Can GPG 1.4.9 be used for commercial purposes ? like sending company > files to a recipient ? Yes, its usage is free, for individuals and enterprises... Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org -----END PGP SIGNATURE----- From rjh at sixdemonbag.org Thu May 7 08:45:02 2009 From: rjh at sixdemonbag.org (Robert J.
Hansen) Date: Thu, 07 May 2009 02:45:02 -0400 Subject: How to import a key from GPG 1.4.9 to PGP ? In-Reply-To: <5313cd090905062219n38493417y4f0477e2ebc9beaf@mail.gmail.com> References: <5313cd090905062219n38493417y4f0477e2ebc9beaf@mail.gmail.com> Message-ID: <4A02836E.3040204@sixdemonbag.org> gpg2.20.maniams at dfgh.net wrote: > How to import a key pair (my own secret and public keys) from GPG 1.4.9 > to PGP 6.5 ? This is generally not worth doing. It can be done, but it is not recommended. Is there any possibility of installing PGP 9.x on your XP machine instead? From wk at gnupg.org Thu May 7 08:47:33 2009 From: wk at gnupg.org (Werner Koch) Date: Thu, 07 May 2009 08:47:33 +0200 Subject: problems with http://www.gnupg.org In-Reply-To: <4A015B74.6000603@christiantena.net> (subs@christiantena.net's message of "Wed, 06 May 2009 10:42:12 +0100") References: <4A009880.8090807@christiantena.net> <4A00BC33.5090302@Mozilla-Enigmail.org> <4A015B74.6000603@christiantena.net> Message-ID: <87zldp4dfe.fsf@wheatstone.g10code.de> On Wed, 6 May 2009 11:42, subs at christiantena.net said: > I don't remember where or what linked to http://www.gnupg.org/docs.html > maybe it's related to this "bug" > https://bugs.g10code.com/gnupg/issue33 If you look at this bug report it tells that this is a wrong URL and has been fixed. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From faramir.cl at gmail.com Thu May 7 08:19:07 2009 From: faramir.cl at gmail.com (Faramir) Date: Thu, 07 May 2009 02:19:07 -0400 Subject: How to import a key from GPG 1.4.9 to PGP ? In-Reply-To: <5313cd090905062219n38493417y4f0477e2ebc9beaf@mail.gmail.com> References: <5313cd090905062219n38493417y4f0477e2ebc9beaf@mail.gmail.com> Message-ID: <4A027D5B.5050009@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 gpg2.20.maniams at dfgh.net escribi?: > Dear List > > > How to import a key pair (my own secret and public keys) from GPG 1.4.9 > to PGP 6.5 ? 
  From what I have read in this list, I think that version of PGP is very
old, and can cause compatibility problems... But wait for other
replies, maybe it can be done safely.

  Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----

From joelcsalomon at gmail.com Thu May 7 16:43:44 2009
From: joelcsalomon at gmail.com (Joel C. Salomon)
Date: Thu, 07 May 2009 10:43:44 -0400
Subject: How to 'un-sign' a key?
Message-ID: <4A02F3A0.2030308@gmail.com>

Folks,

I foolishly signed a key I had not verified well, and the signed version
is on a keyserver. How can I unsign it?

I have tried the following (changing the key ID to 0xDEADBEEF):

> C:\Users\chesky>"c:\Program Files\GNU\GnuPG\gpg.exe" --edit-key 0xDEADBEEF
> gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
>
> pub 4096R/DEADBEEF created: 2008-08-27 expires: 2010-08-27 usage: SCEA
> trust: undefined validity: full
> [ full ] (1). Mister Magoo
>
> Command> revsig
> You have signed these user IDs on key DEADBEEF:
> Mister Magoo

That's not all that's supposed to happen, is it?

--Joel Salomon

From joelcsalomon at gmail.com Thu May 7 16:50:06 2009
From: joelcsalomon at gmail.com (Joel C.
Salomon) Date: Thu, 07 May 2009 10:50:06 -0400 Subject: How to 'un-sign' a key? In-Reply-To: <4A02F3A0.2030308@gmail.com> References: <4A02F3A0.2030308@gmail.com> Message-ID: <4A02F51E.9040408@gmail.com> Joel C. Salomon wrote: > I foolishly signed a key I had not verified well, and the signed version > is on a keyserver. How can I unsign it? > > I have tried the following (changing the key ID to 0xDEADBEEF): I tried the command again; not sure why I got a different result: > C:\Users\chesky>"c:\Program Files\GNU\GnuPG\gpg.exe" --edit-key 0xDEADBEEF > gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc. > This is free software: you are free to change and redistribute it. > There is NO WARRANTY, to the extent permitted by law. > > > pub 4096R/DEADBEEF created: 2008-08-27 expires: 2010-08-27 usage: SCEA > trust: undefined validity: full > [ full ] (1). Mister Magoo > > Command> revsig > You have signed these user IDs on key DEADBEEF: > Mister Magoo > signed by your key 8C6CA66E on 2009-02-10 > > user ID: "Mister Magoo " > signed by your key 8C6CA66E on 2009-02-10 > Create a revocation certificate for this signature? (y/N) y > You are about to revoke these signatures: > Mister Magoo > signed by your key 8C6CA66E on 2009-02-10 > Really create the revocation certificates? (y/N) y > Please select the reason for the revocation: > 0 = No reason specified > 4 = User ID is no longer valid > Q = Cancel > Your decision? 0 > Enter an optional description; end it with an empty line: > > Key was insufficiently verified before signing. > > > Reason for revocation: No reason specified > Key was insufficiently verified before signing. > Is this okay? (y/N) y > > You need a passphrase to unlock the secret key for > user: "Joel C. Salomon " > 1024-bit DSA key, ID 8C6CA66E, created 2009-02-05 > > pub 4096R/DEADBEEF created: 2008-08-27 expires: 2010-08-27 usage: SCEA > trust: undefined validity: full > [ full ] (1). Mister Magoo > > Command> Okay, now what do I do? 
--Joel Salomon

From mail at 404not-found.de Thu May 7 17:31:02 2009
From: mail at 404not-found.de (Raimar Sandner)
Date: Thu, 7 May 2009 17:31:02 +0200
Subject: How to 'un-sign' a key?
In-Reply-To: <4A02F51E.9040408@gmail.com>
References: <4A02F3A0.2030308@gmail.com> <4A02F51E.9040408@gmail.com>
Message-ID: <200905071731.09839.mail@404not-found.de>

On Thursday 07 May 2009 16:50:06 Joel C. Salomon wrote:
> Joel C. Salomon wrote:
> > I foolishly signed a key I had not verified well, and the signed version
> > is on a keyserver. How can I unsign it?
> >
> > I have tried the following (changing the key ID to 0xDEADBEEF):
> >
>
> I tried the command again; not sure why I got a different result:
> > C:\Users\chesky>"c:\Program Files\GNU\GnuPG\gpg.exe" --edit-key
> > 0xDEADBEEF gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software
> > Foundation, Inc. This is free software: you are free to change and
> > redistribute it. There is NO WARRANTY, to the extent permitted by law.
> >
> >
> > pub 4096R/DEADBEEF created: 2008-08-27 expires: 2010-08-27 usage:
> > SCEA trust: undefined validity: full
> > [ full ] (1). Mister Magoo
> >
> > Command> revsig
> > You have signed these user IDs on key DEADBEEF:
> > Mister Magoo
> > signed by your key 8C6CA66E on 2009-02-10
> >
> > user ID: "Mister Magoo "
> > signed by your key 8C6CA66E on 2009-02-10
> > Create a revocation certificate for this signature? (y/N) y
> > You are about to revoke these signatures:
> > Mister Magoo
> > signed by your key 8C6CA66E on 2009-02-10
> > Really create the revocation certificates? (y/N) y
> > Please select the reason for the revocation:
> > 0 = No reason specified
> > 4 = User ID is no longer valid
> > Q = Cancel
> > Your decision?
0 > > > > Enter an optional description; end it with an empty line: > > > Key was insufficiently verified before signing. > > > > Reason for revocation: No reason specified > > Key was insufficiently verified before signing. > > Is this okay? (y/N) y > > > > You need a passphrase to unlock the secret key for > > user: "Joel C. Salomon " > > 1024-bit DSA key, ID 8C6CA66E, created 2009-02-05 > > > > > pub 4096R/DEADBEEF created: 2008-08-27 expires: 2010-08-27 usage: > > SCEA trust: undefined validity: full > > [ full ] (1). Mister Magoo > > > > Command> > > Okay, now what do I do? > You type "save" to save your changes and upload the public key to a keyserver: gpg --send-keys DEADBEEF Raimar -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part. URL: From steveo at syslang.net Thu May 7 17:39:13 2009 From: steveo at syslang.net (Steven W. Orr) Date: Thu, 7 May 2009 11:39:13 -0400 (EDT) Subject: How to import a key from GPG 1.4.9 to PGP ? In-Reply-To: <4A02836E.3040204@sixdemonbag.org> References: <5313cd090905062219n38493417y4f0477e2ebc9beaf@mail.gmail.com> <4A02836E.3040204@sixdemonbag.org> Message-ID: On Thursday, May 7th 2009 at 02:45 -0000, quoth Robert J. Hansen: =>gpg2.20.maniams at dfgh.net wrote: =>> How to import a key pair (my own secret and public keys) from GPG 1.4.9 =>> to PGP 6.5 ? => =>This is generally not worth doing. It can be done, but it is not =>recommended. => =>Is there any possibility of installing PGP 9.x on your XP machine instead? => Great. I'd love to know what's going on here. I tried to read Faramir's message and I get a command failure. To: "gnupg-users at gnupg.org" Subject: Re: How to import a key from GPG 1.4.9 to PGP ? 
----------------------------------------------------------------------------
/home/steveo/libexec/ppf/ppf_verify: pgp command failed"
gpg: Signature made Thu May 7 02:19:07 2009 EDT using RSA key ID EF733C40
gpg: BAD signature from "Javier Fern

532 > gpg2 --list-keys -v 0x82121A454319410E
gpg: using PGP trust model
pub 2048R/4319410E 2008-04-14
uid Javier Fernndez Almirall (aka Faramir.cl)
uid Faramir
uid [ revoked] Galdhrim (Javier)
uid Javier Fernndez Almirall (GSWoT:CL68)
uid Faramir.cl (It's a nickname, of course)
uid Javier Fernndez Almirall (CAcert Assurer)
sub 2048R/1771E69C 2008-04-14 [revoked: 2008-05-16]
sub 2048R/2E6CD89E 2008-04-15
sub 2048R/EF733C40 2008-05-16

The message looked like this:

X-Enigmail-Version: 0.95.7
OpenPGP: id=4319410E; url=http://tinyurl.com/0x4319410E
X-BeenThere: gnupg-users at gnupg.org
X-Mailman-Version: 2.1.10b1
Precedence: list
List-Id: Help and discussion among users of GnuPG
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Sender: gnupg-users-bounces at gnupg.org
Errors-To: gnupg-users-bounces at gnupg.org
Status: RO
X-Status:
X-Keywords:
X-UID: 2

Is it me?

--
Time flies like the wind. Fruit flies like a banana. Stranger things have  .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net

From bahamutzero8825 at gmail.com Thu May 7 17:17:31 2009
From: bahamutzero8825 at gmail.com (Andrew Berg)
Date: Thu, 07 May 2009 10:17:31 -0500
Subject: How to 'un-sign' a key?
In-Reply-To: <4A02F3A0.2030308@gmail.com>
References: <4A02F3A0.2030308@gmail.com>
Message-ID: <4A02FB8B.7000806@gmail.com>

Joel C. Salomon wrote:
> I foolishly signed a key I had not verified well, and the signed version
> is on a keyserver. How can I unsign it?
>
Go back in time. Seriously, there's nothing you can do about it once
it's on a keyserver.

From jmoore3rd at bellsouth.net Thu May 7 18:36:46 2009
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Thu, 07 May 2009 12:36:46 -0400
Subject: How to 'un-sign' a key?
In-Reply-To: <4A02F3A0.2030308@gmail.com>
References: <4A02F3A0.2030308@gmail.com>
Message-ID: <4A030E1E.60609@bellsouth.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Joel C.
Salomon wrote:
> Folks,
>
> I foolishly signed a key I had not verified well, and the signed version
> is on a keyserver. How can I unsign it?

Select the Key with the offending Signature and revoke the Signature.

The command is --revsig from the Edit Key prompt.

Promptly disseminate the Key with the Sig Revoked via Key Servers and
perhaps a direct email to all correspondents. The 'trick' will be to
get the Key Owner to re-Import His Key with the [revoked] flag on Your
Sig. :-\

JOHN ;)
Timestamp: Thursday 07 May 2009, 12:36 --400 (Eastern Daylight Time)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10-svn4987: (MingW32)
Comment: Public Key at: http://tinyurl.com/8cpho
Comment: Gossamer Spider Web of Trust: https://www.gswot.org
Comment: Homepage: http://tinyurl.com/yzhbhx
-----END PGP SIGNATURE-----

From wk at gnupg.org Thu May 7 19:48:35 2009
From: wk at gnupg.org (Werner Koch)
Date: Thu, 07 May 2009 19:48:35 +0200
Subject: How to import a key from GPG 1.4.9 to PGP ?
In-Reply-To: (Steven W. Orr's message of "Thu, 7 May 2009 11:39:13 -0400 (EDT)")
References: <5313cd090905062219n38493417y4f0477e2ebc9beaf@mail.gmail.com> <4A02836E.3040204@sixdemonbag.org>
Message-ID: <87eiv07qj0.fsf@wheatstone.g10code.de>

On Thu, 7 May 2009 17:39, steveo at syslang.net said:

> /home/steveo/libexec/ppf/ppf_verify: pgp command failed"

I don't know this tool.
> gpg: Signature made Thu May 7 02:19:07 2009 EDT using RSA key ID EF733C40 > gpg: BAD signature from "Javier Fern I just did a verify: $ gpg --verify -v x gpg: armor header: Hash: SHA256 gpg: armor header: Version: GnuPG v1.4.9 (MingW32) gpg: armor header: Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org [..] gpg: Good signature from "Javier Fern.%G???.%@dez Almirall (aka Faramir.cl)" [...] gpg: textmode signature, digest algorithm SHA256 and it works fine. Maybe the tool can't cope with the base64 encoded clearsigned message: > The message looked like this: > Content-Transfer-Encoding: base64 [..] > LS0tLS1CRUdJTiBQR1AgU0lHTkVEIE1FU1NBR0UtLS0tLQpIYXNoOiBTSEEyNTYKCmdwZzIuMjAu > bWFuaWFtc0BkZmdoLm5ldCBlc2NyaWJpw7M6Cj4gRGVhciBMaXN0Cj4gCj4gCj4gSG93IHRvIGlt You need to do something like mimencode -u | gpg --verify However the mail reader usually does this for you. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From cathy.smith at pnl.gov Thu May 7 20:27:23 2009 From: cathy.smith at pnl.gov (Smith, Cathy) Date: Thu, 7 May 2009 11:27:23 -0700 Subject: Selecting cipher to generate a key pair In-Reply-To: <49FB8827.1070102@sixdemonbag.org> References: <20090501000106.CCDC51A003A@smtp.hushmail.com><49FA67B9.8070708@gmail.com> <49FA76FD.4040501@sixdemonbag.org> <255999BBAD1AEE4EA6AA193F66611642AEAA41@EMAIL03.pnl.gov> <49FB7E5E.9060101@sixdemonbag.org> <255999BBAD1AEE4EA6AA193F66611642AEAA4D@EMAIL03.pnl.gov> <49FB8404.7000600@sixdemonbag.org> <255999BBAD1AEE4EA6AA193F66611642AEAA55@EMAIL03.pnl.gov> <49FB8827.1070102@sixdemonbag.org> Message-ID: <255999BBAD1AEE4EA6AA193F66611642AEAAE3@EMAIL03.pnl.gov> I wanted to provide closure on this thread. The customer was able to accept the public key that I generated using this method. I learned from the customer yesterday that they are using Bouncy Castle, bcpg v. 1.33. Thanks vey much for your help. Regards, Cathy --- Cathy L. 
Smith IT Engineer Pacific Northwest National Laboratory Operated by Battelle for the U.S. Department of Energy Phone: 509.375.2687 Fax: 509.375.2330 Email: cathy.smith at pnl.gov -----Original Message----- From: Robert J. Hansen [mailto:rjh at sixdemonbag.org] Sent: Friday, May 01, 2009 4:39 PM To: Smith, Cathy Cc: Allen Schultz; gnupg-users; Hallquist, Roy S Jr Subject: Re: Selecting cipher to generate a key pair Smith, Cathy wrote: > The customer said they have a proprietary implementation that only > supports Blowfish or 3DES for the key. I'm still trying to find out > exactly what that means. Okay, that much makes sense now. I would suggest adding: cipher-algo 3DES ... to your .gnupg/gpg.conf file. This is a sledgehammer solution, and not one I'd generally recommend; however, the downsides are pretty minimal. Then encrypt a message using their public key and send it on to them. If they can read it, great. If they can't, then the problem is their proprietary implementation of OpenPGP is shoddy. Incidentally, if your customer is a telecommunications firm, I think I may know the implementation they're using and some of its more egregious misfeatures. Other than that one and PGP Corporation's offering, though, I have no experience with proprietary OpenPGP offerings. 
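
Werner Koch's advice earlier in this archive, that a clearsigned message delivered with Content-Transfer-Encoding: base64 must be decoded before it reaches gpg --verify, worked through as an added example that is not part of any list message. The sample mail, its placeholder signature and all function names are constructed for illustration.

```python
import base64
import email
import re
import shutil
import subprocess
from typing import List

# A clearsigned block, anchored at line starts so that dash-escaped lines
# ("- -----BEGIN ...") inside the signed text cannot match.
CLEARSIGNED_RE = re.compile(
    rb"^-----BEGIN PGP SIGNED MESSAGE-----\r?\n.*?"
    rb"^-----END PGP SIGNATURE-----[ \t]*\r?\n?",
    re.DOTALL | re.MULTILINE,
)

# Constructed sample: the signature body is a placeholder, not a real signature.
CLEARSIGNED = (
    b"-----BEGIN PGP SIGNED MESSAGE-----\n"
    b"Hash: SHA256\n"
    b"\n"
    b"constructed sample body\n"
    b"-----BEGIN PGP SIGNATURE-----\n"
    b"\n"
    b"PLACEHOLDERnotARealSignature\n"
    b"-----END PGP SIGNATURE-----\n"
)
# A list footer appended after the signature, as list software commonly does.
LIST_FOOTER = b"\n____________________\nconstructed list footer\n"


def build_sample() -> bytes:
    """Return a raw mail whose body is the clearsigned text, base64-encoded."""
    headers = (
        b"From: sender@example.org\n"
        b"Subject: constructed sample\n"
        b'Content-Type: text/plain; charset="utf-8"\n'
        b"Content-Transfer-Encoding: base64\n"
        b"\n"
    )
    return headers + base64.encodebytes(CLEARSIGNED + LIST_FOOTER)


def scan(data: bytes) -> List[bytes]:
    """Find clearsigned blocks in data exactly as given (no decoding)."""
    return [m.group(0) for m in CLEARSIGNED_RE.finditer(data)]


def extract_clearsigned(raw_message: bytes) -> List[bytes]:
    """Undo the transfer encoding of every leaf MIME part, then scan it.

    The decoded bytes are never re-encoded or converted to str, because the
    signature covers the exact text.
    """
    blocks: List[bytes] = []
    msg = email.message_from_bytes(raw_message)
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)  # base64 / quoted-printable undone
        if payload:
            blocks.extend(scan(payload))
    return blocks


def verify_with_gpg(block: bytes) -> bool:
    """Pipe one block to `gpg --verify`; needs gpg and the signer's public key."""
    gpg = shutil.which("gpg")
    if gpg is None:
        raise RuntimeError("gpg not found on PATH")
    result = subprocess.run([gpg, "--batch", "--verify"],
                            input=block, capture_output=True)
    return result.returncode == 0


if __name__ == "__main__":
    raw = build_sample()
    print("blocks visible in the raw mail:    ", len(scan(raw)))
    print("blocks after transfer decoding:    ", len(extract_clearsigned(raw)))
```

A tool that scans the raw mail finds nothing to verify, or hands gpg the wrong bytes; after decoding, the extracted block is byte-for-byte what the sender signed, with the list footer left out.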
From christoph.anton.mitterer at physik.uni-muenchen.de Fri May 8 01:17:33 2009 From: christoph.anton.mitterer at physik.uni-muenchen.de (Christoph Anton Mitterer) Date: Fri, 08 May 2009 01:17:33 +0200 Subject: Use other hash than SHA-1 In-Reply-To: <5566128E-F02F-4AB4-B53C-97EC117AF688@jabberwocky.com> References: <20090502102545.GA17546@ruderich.org> <8501075F-D591-4DF5-A0A3-3CA4861049FC@jabberwocky.com> <20090503121703.GA10433@ruderich.org> <742209AC-3884-468C-AC30-63E250335682@jabberwocky.com> <1241458805.4024.8.camel@fermat.scientia.net> <1C7FD194-AA85-4110-941A-C8B6E0B79946@jabberwocky.com> <1241558474.8226.8.camel@fermat.scientia.net> <5566128E-F02F-4AB4-B53C-97EC117AF688@jabberwocky.com> Message-ID: <1241738253.20039.5.camel@fermat.scientia.net> On Tue, 2009-05-05 at 22:16 -0400, David Shaw wrote: > > I'm not sure if this leads to the same discussion that we had some > > time > > ago on the WG-list (about explicitly revoking previous self-sigs),... > > but if a key has self-sigs with different hash-algos,... does this > > "allow" downgrad-attacks or that like? > > It depends on the attack. What is the attack you are concerned about? Nothing specific,... it was my question, whether there could be any attacks,.. using the fact, that an older self-sig with "weaker" hash algo is available. > > Even when they see, that the self-sig with the "better" algo, has a > > newer creation date? > > Would consider this critical :/ > > They mustn't do this. They can't, really. It would enable a pretty > trivial DoS if I could make up a bogus self-sig with some hash number > that isn't even allocated yet, but a later date, and send it to a > keyserver to be attached to my victim key. GPG must treat any > signature that does not verify as irrelevant. Oops,.. of course you're right,.. but then it's possible,... that e.g. the newer self-sig (with the newer hash algo) contains e.g. a key revocation, or something else security relevant (e.g. important new policy). 
As the older signature is not revoked,.. and the newer is not understood (thus ignored),... this could lead to problems, or am I wrong? Cheers, Chris -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3387 bytes Desc: not available URL: From dshaw at jabberwocky.com Fri May 8 02:09:31 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Thu, 7 May 2009 20:09:31 -0400 Subject: Use other hash than SHA-1 In-Reply-To: <1241738253.20039.5.camel@fermat.scientia.net> References: <20090502102545.GA17546@ruderich.org> <8501075F-D591-4DF5-A0A3-3CA4861049FC@jabberwocky.com> <20090503121703.GA10433@ruderich.org> <742209AC-3884-468C-AC30-63E250335682@jabberwocky.com> <1241458805.4024.8.camel@fermat.scientia.net> <1C7FD194-AA85-4110-941A-C8B6E0B79946@jabberwocky.com> <1241558474.8226.8.camel@fermat.scientia.net> <5566128E-F02F-4AB4-B53C-97EC117AF688@jabberwocky.com> <1241738253.20039.5.camel@fermat.scientia.net> Message-ID: <46C1AAF0-891F-4743-A630-C28924223438@jabberwocky.com> On May 7, 2009, at 7:17 PM, Christoph Anton Mitterer wrote: > On Tue, 2009-05-05 at 22:16 -0400, David Shaw wrote: >>> I'm not sure if this leads to the same discussion that we had some >>> time >>> ago on the WG-list (about explicitly revoking previous self- >>> sigs),... >>> but if a key has self-sigs with different hash-algos,... does this >>> "allow" downgrad-attacks or that like? >> >> It depends on the attack. What is the attack you are concerned >> about? > > Nothing specific,... it was my question, whether there could be any > attacks,.. using the fact, that an older self-sig with "weaker" hash > algo is available. It depends on what the attack is :) One fear that I've seen talked about for SHA-1 is that an attacker can create a duplicate document such that if you signed document or key A, they could come up with a document or key B that your signature would equally apply to. 
That fear is more than a little overblown. Even MD5 hasn't been broken to that extent. But for the sake of argument, let's say that this fear is realistic. In that case, it doesn't make much of a difference whether you re-sign or not. If you do re-sign, the attacker can still get the earlier signature from a keyserver. Even if you revoke it, the old signature is still there. >>> Even when they see, that the self-sig with the "better" algo, has a >>> newer creation date? >>> Would consider this critical :/ >> >> They mustn't do this. They can't, really. It would enable a pretty >> trivial DoS if I could make up a bogus self-sig with some hash number >> that isn't even allocated yet, but a later date, and send it to a >> keyserver to be attached to my victim key. GPG must treat any >> signature that does not verify as irrelevant. > > Oops,.. of course you're right,.. but then it's possible,... that e.g. > the newer self-sig (with the newer hash algo) contains e.g. a key > revocation, or something else security relevant (e.g. important new > policy). > As the older signature is not revoked,.. and the newer is not > understood > (thus ignored),... this could lead to problems, or am I wrong? No, you are right. When making an important statement about your key, and you want to make it with an algorithm that doesn't have widespread support yet, you do need to take into account that not everyone might be able to understand your new statement. To them, it would be as if you had said nothing at all. A key revocation is a perfect example of this. You could end up with part of the community thinking you revoked your key and part thinking you did nothing. Personally, if I was revoking a key, I'd use whatever hash algorithm I used for my self-sigs (using the logic that anyone who could use my key at all would see it was revoked, and that I don't particularly care if people who can't use my key at all (because they don't know that has) see if it is revoked or not). 
David From bahamutzero8825 at gmail.com Fri May 8 08:08:16 2009 From: bahamutzero8825 at gmail.com (Andrew Berg) Date: Fri, 08 May 2009 01:08:16 -0500 Subject: How to 'un-sign' a key? In-Reply-To: <4A030E1E.60609@bellsouth.net> References: <4A02F3A0.2030308@gmail.com> <4A030E1E.60609@bellsouth.net> Message-ID: <4A03CC50.3030809@gmail.com> John W. Moore III wrote: > Joel C. Salomon wrote: > > Folks, > > > I foolishly signed a key I had not verified well, and the signed version > > is on a keyserver. How can I unsign it? > > Select the Key with the offending Signature and revoke the Signature. > > the command is --revsig form the Edit Key prompt. > > Promptly disseminate the Key with the Sig Revoked via Key Servers and > perhaps a direct email to all correspondents. The 'trick' will be to > get the Key Owner to re-Import His Key with the [revoked] flag on Your > Sig. :-\ I feel silly. I was thinking of something else for some reason and I read the message too quickly. :-P -- Key ID: 0xF88E034060A78FCB Fingerprint: 4A84 CAE2 A0D3 2AEB 71F6 07FD F88E 0340 60A7 8FCB Windows NT 6.0.6001.18226 | GPG 1.4.9 | Thunderbird 2.0.0.21 | Enigmail 0.95.7 From mail at 404not-found.de Fri May 8 09:14:27 2009 From: mail at 404not-found.de (Raimar Sandner) Date: Fri, 8 May 2009 09:14:27 +0200 Subject: Use other hash than SHA-1 In-Reply-To: <46C1AAF0-891F-4743-A630-C28924223438@jabberwocky.com> References: <20090502102545.GA17546@ruderich.org> <1241738253.20039.5.camel@fermat.scientia.net> <46C1AAF0-891F-4743-A630-C28924223438@jabberwocky.com> Message-ID: <200905080914.38284.mail@404not-found.de> On Friday 08 May 2009 02:09:31 David Shaw wrote: > One fear that I've seen talked about for SHA-1 is that an attacker can > create a duplicate document such that if you signed document or key A, > they could come up with a document or key B that your signature would > equally apply to. That fear is more than a little overblown. Even > MD5 hasn't been broken to that extent. 
http://eprint.iacr.org/2005/067.pdf As far as I understand this paper, MD5 has been broken to that extent. For SHA1 you're still right of course. Raimar -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part. URL: From mail at 404not-found.de Fri May 8 09:26:29 2009 From: mail at 404not-found.de (Raimar Sandner) Date: Fri, 8 May 2009 09:26:29 +0200 Subject: Use other hash than SHA-1 In-Reply-To: <200905080914.38284.mail@404not-found.de> References: <20090502102545.GA17546@ruderich.org> <46C1AAF0-891F-4743-A630-C28924223438@jabberwocky.com> <200905080914.38284.mail@404not-found.de> Message-ID: <200905080926.44699.mail@404not-found.de> On Friday 08 May 2009 09:14:27 Raimar Sandner wrote: > On Friday 08 May 2009 02:09:31 David Shaw wrote: > > One fear that I've seen talked about for SHA-1 is that an attacker can > > create a duplicate document such that if you signed document or key A, > > they could come up with a document or key B that your signature would > > equally apply to. That fear is more than a little overblown. Even > > MD5 hasn't been broken to that extent. > > http://eprint.iacr.org/2005/067.pdf > > As far as I understand this paper, MD5 has been broken to that extent. For > SHA1 you're still right of course. http://eprint.iacr.org/2009/111.pdf Sorry, this is the reference I meant... even more impressive :) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part. 
URL: From dshaw at jabberwocky.com Fri May 8 14:53:02 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Fri, 8 May 2009 08:53:02 -0400 Subject: Use other hash than SHA-1 In-Reply-To: <200905080926.44699.mail@404not-found.de> References: <20090502102545.GA17546@ruderich.org> <46C1AAF0-891F-4743-A630-C28924223438@jabberwocky.com> <200905080914.38284.mail@404not-found.de> <200905080926.44699.mail@404not-found.de> Message-ID: On May 8, 2009, at 3:26 AM, Raimar Sandner wrote: > On Friday 08 May 2009 09:14:27 Raimar Sandner wrote: >> On Friday 08 May 2009 02:09:31 David Shaw wrote: >>> One fear that I've seen talked about for SHA-1 is that an attacker >>> can >>> create a duplicate document such that if you signed document or >>> key A, >>> they could come up with a document or key B that your signature >>> would >>> equally apply to. That fear is more than a little overblown. Even >>> MD5 hasn't been broken to that extent. >> >> http://eprint.iacr.org/2005/067.pdf >> >> As far as I understand this paper, MD5 has been broken to that >> extent. For >> SHA1 you're still right of course. > > http://eprint.iacr.org/2009/111.pdf > > Sorry, this is the reference I meant... even more impressive :) That's a different sort of attack. In the rogue CA attack, the attackers generated both A *and* B themselves. They then arranged to have A signed, and were then able to reveal B as if it had also been signed (massive oversimplification, of course, as there was a huge amount of work involved in even making that work, but the point here is that the attackers generated both A and B themselves). It's a collision attack. This attack (which again I must stress does not yet exist for SHA-1) is one of the reasons why it's a good idea to switch to SHA-256 for new signatures. That's just prudent. 
There is no current attack, however, against any hash algorithm in OpenPGP, that would allow an attacker to pick some arbitrary signature out there and generate a key or document that hashes to the same value. This is a preimage attack, either variant of which could be used against OpenPGP, but neither of them currently exist - not in MD5, and certainly not in SHA-1. This (lack of) an attack is why I don't think people need to worry all that much about their existing signatures that are out there. David From anotherrrr at gmail.com Wed May 6 12:11:27 2009 From: anotherrrr at gmail.com (Bob Yang) Date: Wed, 6 May 2009 18:11:27 +0800 Subject: Cannot Decryption via UNIX shell script Message-ID: <41db87800905060311t7f66e5c0o1638b01ec5a01781@mail.gmail.com> Hi All, I hit error when using the below script. gpg -e "key" "file" < From mix at awxcnx.de Thu May 7 11:34:20 2009 From: mix at awxcnx.de (Anonymous Remailer) Date: Thu, 07 May 2009 11:34:20 +0200 Subject: delete bad UID from key on keyserver? Message-ID: Hi, One of my email accounts is unusable so I deleted the UID from my key and uploaded it to the keyserver. That accomplished nothing so now I figured out I should of invalidated the UID and then uploaded it. I can't do that now because I deleted the UID from my key. I have to get rid of this email address from my key or people will continue mailing me and I won't get the mails. Is there some way I can delete this UID from my key on the keyserver. I figured to try to add the identical UID back and then invalidate it and then upload the key but before I screwup again I figured to ask here. Thank you. From jnhemley at yahoo.com Fri May 8 16:37:31 2009 From: jnhemley at yahoo.com (jnhemley) Date: Fri, 8 May 2009 07:37:31 -0700 (PDT) Subject: GPG Confirmation Message-ID: <23447277.post@talk.nabble.com> I was given a new key to use with our partner for encryption. Previously, the key was working fine. 
I removed all keys and then imported our key and then the partner's key. I set trust to ultimate. The encryption works but I now get a confirmation message.How can I get rid of this confirmation message so I can batch my encryption ? -- View this message in context: http://www.nabble.com/GPG-Confirmation-tp23447277p23447277.html Sent from the GnuPG - User mailing list archive at Nabble.com. From pmabie at gmail.com Fri May 8 21:16:30 2009 From: pmabie at gmail.com (Patrick Mabie) Date: Fri, 08 May 2009 15:16:30 -0400 Subject: gpg: WARNING: standard input reopened Message-ID: <4A04850E.7010203@gmail.com> Hello I was just wondering , can I fix this ? RPM version 4.4.2.3 gnupg-1.4.5-14.x86_64 CentOS 5.3 x86_64 kernel : 2.6.18-128.1.10.el5 rpmbuild -bb Documents/Rpm/Spec/q7z-64.spec --sign Generating signature: 1005 gpg: WARNING: standard input reopened gpg: WARNING: standard input reopened Have a good day! Patrick. From jmoore3rd at bellsouth.net Fri May 8 21:45:16 2009 From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Fri, 08 May 2009 15:45:16 -0400 Subject: delete bad UID from key on keyserver? In-Reply-To: References: Message-ID: <4A048BCC.6060808@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Anonymous Remailer wrote: > One of my email accounts is unusable so I deleted the UID from my key > and uploaded it to the keyserver. That accomplished nothing so now I > figured out I should of invalidated the UID and then uploaded it. I > can't do that now because I deleted the UID from my key. > > I have to get rid of this email address from my key or people will > continue mailing me and I won't get the mails. Is there some way I can > delete this UID from my key on the keyserver. I figured to try to add > the identical UID back and then invalidate it and then upload the key > but before I screwup again I figured to ask here. Thank you. Ahem........ 
Refresh Your Key from the Keyserver and then Revoke the UID which You will have fetched from the Keyserver. Then Upload the Key with the Revoked UID on it. Then Clean Your Key in Your Keyring and be prepared to repeat having to deluid every time Your Key is either returned to You signed because the revoked UID will forever remain on the Server.

For this reason many folks prefer to maintain a Listing on Big Lumber or a Personal Web Page because only that way can You control exactly how the Key is retrieved by Others.

HTH

JOHN ;)
Timestamp: Friday 08 May 2009, 15:44 --400 (Eastern Daylight Time)

From John at Mozilla-Enigmail.org Fri May 8 21:54:02 2009
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Fri, 08 May 2009 14:54:02 -0500
Subject: delete bad UID from key on keyserver?
In-Reply-To:
References:
Message-ID: <4A048DDA.40405@Mozilla-Enigmail.org>

Anonymous Remailer wrote:
> Hi,
>
> One of my email accounts is unusable so I deleted the UID from my key
> and uploaded it to the keyserver. That accomplished nothing so now I
> figured out I should have invalidated the UID and then uploaded it. I
> can't do that now because I deleted the UID from my key.

You cannot delete information from the keyservers. This is by design.
> I have to get rid of this email address from my key or people will
> continue mailing me and I won't get the mails. Is there some way I
> can delete this UID from my key on the keyserver. I figured to try to
> add the identical UID back and then invalidate it and then upload the
> key but before I screwup again I figured to ask here. Thank you.

Do not try adding a new uid with the same email. That will give you two copies of that address.

Refresh your key from a keyserver. This will restore the UID you thought you could delete:

gpg --keyserver pool.sks-keyservers.net -refresh-keys 0xdecafbad

now use gpg to revoke the UID

gpg --edit-key 0xdecafbad

gpg displays a list of UIDs on the key. Enter the number of the UID you wish to revoke. The list is redisplayed with an * next to the selected one.

now use the gpg command revuid to revoke:

Command> revuid
Really revoke this user ID? (y/N) y
Please select the reason for the revocation:
  0 = No reason specified
  4 = User ID is no longer valid
  Q = Cancel
(Probably you want to select 4 here)
Your decision? 4

Answer the passphrase prompt and 'save' to update your keyring with the modified key.

Now send the key with revoked UID to the keyservers

gpg --keyserver pool.sks-keyservers.net -send-keys 0xdecafbad

--
John P. Clizbe                      Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or
     mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
From dshaw at jabberwocky.com Fri May 8 22:09:19 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 8 May 2009 16:09:19 -0400
Subject: gpg: WARNING: standard input reopened
In-Reply-To: <4A04850E.7010203@gmail.com>
References: <4A04850E.7010203@gmail.com>
Message-ID: <62F6C833-331C-403C-B8E8-EA6881716EC2@jabberwocky.com>

On May 8, 2009, at 3:16 PM, Patrick Mabie wrote:

> Hello
> I was just wondering , can I fix this ?
>
> RPM version 4.4.2.3
> gnupg-1.4.5-14.x86_64
> CentOS 5.3 x86_64
> kernel : 2.6.18-128.1.10.el5
>
> rpmbuild -bb Documents/Rpm/Spec/q7z-64.spec --sign
>
> Generating signature: 1005
> gpg: WARNING: standard input reopened
> gpg: WARNING: standard input reopened

It's an old bug in RPM, but it was fixed a long time ago.

https://bugzilla.redhat.com/show_bug.cgi?id=197602

The fix is to upgrade your version of RPM. In the meantime, you can ignore the error. It's harmless in the RPM case.

David

From dshaw at jabberwocky.com Fri May 8 22:11:19 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 8 May 2009 16:11:19 -0400
Subject: GPG Confirmation
In-Reply-To: <23447277.post@talk.nabble.com>
References: <23447277.post@talk.nabble.com>
Message-ID:

On May 8, 2009, at 10:37 AM, jnhemley wrote:

>
> I was given a new key to use with our partner for encryption.
> Previously, the
> key was working fine. I removed all keys and then imported our key
> and then
> the partner's key. I set trust to ultimate. The encryption works but
> I now
> get a confirmation message.How can I get rid of this confirmation
> message so
> I can batch my encryption ?

You need to tell GPG that your partner's key is valid. To do this:

gpg -u my-key --lsign-key my-partner-key

Then set 'my-key' to ultimate trust if you haven't done that already.
David

From webmaster at felipe1982.com Sat May 9 07:54:33 2009
From: webmaster at felipe1982.com (Felipe Alvarez)
Date: Sat, 9 May 2009 15:54:33 +1000
Subject: Cannot Decryption via UNIX shell script
In-Reply-To: <41db87800905060311t7f66e5c0o1638b01ec5a01781@mail.gmail.com>
References: <41db87800905060311t7f66e5c0o1638b01ec5a01781@mail.gmail.com>
Message-ID: <200905091554.39133.webmaster@felipe1982.com>

On Wed, 6 May 2009 20:11:27 Bob Yang wrote:
> Hi All,
>
> I hit error when using the below script.
>
> gpg -e "key" "file" <
> yes
> EOF
>
> Error:
> It is NOT certain that the key belongs to the person named
> in the user ID. If you *really* know what you are doing,
> you may answer the next question with yes
>
> Use this key anyway?
>
> Does anyone come across this before?
>
> Thanks,
> Bob

You must sign that recipient's public key with your private key. Do this only after verifying that the public key does indeed belong to the intended recipient. For example, don't blindly sign a key that says bill.gates at microsoft.com if you are not sure that the key belongs to Bill Gates. It may belong to "me" and I will have the private key to decrypt any messages that you send (of course, I do not have an email address at domain microsoft.com).

Also, if you choose "file" (as you have in your script) there is no need to provide standard input (as you wrote <

From tspivey at pcdesk.net Sun May 10 14:52:21 2009
From: tspivey at pcdesk.net (Tyler Spivey)
Date: Sun, 10 May 2009 05:52:21 -0700
Subject: Problems changing hash algo for clearsign
Message-ID: <20090510125201.GA4531@arch1>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello. I'm trying to make any message I clearsign have a hash of SHA256.
Here is what I've done so far:
I've added "personal-digest-preferences SHA256" to the end of my gpg.conf file.
According to the manpage, this should be enough; since the manpage states:
The most highly ranked digest algorithm in this list is algo used when signing without encryption (e.g. --clearsign or
- --sign).

but if I gpg --clearsign a test file, the hash at the top says SHA1. I've verified that My gpg 1.4.9 has sha256, and I can force it with --digest-algo sha256.
What do I need to do to make it default to that on signs/clearsigns?

From bob.henson at galen.org.uk Sun May 10 16:58:33 2009
From: bob.henson at galen.org.uk (Bob Henson)
Date: Sun, 10 May 2009 15:58:33 +0100
Subject: Problems changing hash algo for clearsign
In-Reply-To: <20090510125201.GA4531@arch1>
References: <20090510125201.GA4531@arch1>
Message-ID: <4A06EB99.8030903@galen.org.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Tyler Spivey wrote:

> and I can force it with --digest-algo sha256.

Add just "digest-algo SHA256" (without the parentheses) to your gpg.conf file.

Regards,

Bob

From jmoore3rd at bellsouth.net Sun May 10 17:53:21 2009
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Sun, 10 May 2009 11:53:21 -0400
Subject: Problems changing hash algo for clearsign
In-Reply-To: <20090510125201.GA4531@arch1>
References: <20090510125201.GA4531@arch1>
Message-ID: <4A06F871.3020907@bellsouth.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Tyler Spivey wrote:
> Hello. I'm trying to make any message I clearsign
> have a hash of SHA256.
> Here is what I've done so far:
> I've added "personal-digest-preferences SHA256" to the end of my gpg.conf file. According
> to the manpage, this should be enough; since the manpage states:
> The most highly ranked digest algorithm in
> this list is algo used when signing without encryption (e.g. --clearsign or
> --sign).

> What do I need to do to make it default to that on signs/clearsigns?

"Ranked" = the 1st digest algo listed in the preferences string. ;)

JOHN 8-)
Timestamp: Sunday 10 May 2009, 11:52 --400 (Eastern Daylight Time)

From dshaw at jabberwocky.com Sun May 10 20:04:13 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun, 10 May 2009 14:04:13 -0400
Subject: Problems changing hash algo for clearsign
In-Reply-To: <4A06EB99.8030903@galen.org.uk>
References: <20090510125201.GA4531@arch1> <4A06EB99.8030903@galen.org.uk>
Message-ID: <10EC0B84-AA89-47BE-B07B-E49059495B7D@jabberwocky.com>

On May 10, 2009, at 10:58 AM, Bob Henson wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
>
>
> Tyler Spivey wrote:
>
>> and I can force it with --digest-algo sha256.
>
> Add just "digest-algo SHA256" (without the parentheses) to your
> gpg.conf
> file.

Please do not do this. There is an entire section entitled INTEROPERABILITY in the manual giving reasons why this will almost certainly break things for you.

David

From dshaw at jabberwocky.com Sun May 10 20:02:31 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun, 10 May 2009 14:02:31 -0400
Subject: Problems changing hash algo for clearsign
In-Reply-To: <20090510125201.GA4531@arch1>
References: <20090510125201.GA4531@arch1>
Message-ID: <54A20429-1C2C-4255-92C4-8EC165024E87@jabberwocky.com>

On May 10, 2009, at 8:52 AM, Tyler Spivey wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello. I'm trying to make any message I clearsign
> have a hash of SHA256.

If the key you are trying to make a SHA256 signature with is the same one that you signed this message with, then you can't. It's a 1024-bit DSA key, and that key can only use a 160 bit hash. (You can force it to use SHA256, but you'll still end up using only 160 bits of the 256 bit hash).

David

From mail at 404not-found.de Sun May 10 21:00:14 2009
From: mail at 404not-found.de (Raimar Sandner)
Date: Sun, 10 May 2009 21:00:14 +0200
Subject: Problems changing hash algo for clearsign
In-Reply-To: <20090510125201.GA4531@arch1>
References: <20090510125201.GA4531@arch1>
Message-ID: <200905102100.21388.mail@404not-found.de>

On Sunday 10 May 2009 14:52:21 Tyler Spivey wrote:
> Hello. I'm trying to make any message I clearsign
> have a hash of SHA256.
> Here is what I've done so far:
> I've added "personal-digest-preferences SHA256" to the end of my gpg.conf
> file. According to the manpage, this should be enough; since the manpage
> states:
> The most highly ranked digest algorithm in
> this list is algo used when signing without encryption (e.g.
> --clearsign or --sign).
>
> but if I gpg --clearsign a test file, the hash at the top says SHA1. I've
> verified that My gpg 1.4.9 has sha256,
> and I can force it with --digest-algo sha256.
> What do I need to do to make it default to that on signs/clearsigns?

You might find this thread interesting:
http://lists.gnupg.org/pipermail/gnupg-users/2009-May/036338.html
especially David's reply
http://lists.gnupg.org/pipermail/gnupg-users/2009-May/036344.html

Raimar

From rjh at sixdemonbag.org Mon May 11 00:00:06 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sun, 10 May 2009 18:00:06 -0400
Subject: Problems changing hash algo for clearsign
In-Reply-To: <4A06EB99.8030903@galen.org.uk>
References: <20090510125201.GA4531@arch1> <4A06EB99.8030903@galen.org.uk>
Message-ID: <4A074E66.2020200@sixdemonbag.org>

Bob Henson wrote:
> Add just "digest-algo SHA256" (without the parentheses) to your gpg.conf
> file.

Please don't. This is usually the wrong solution.

From Beth.C.Coffman at fnis.com Fri May 8 23:30:39 2009
From: Beth.C.Coffman at fnis.com (Coffman, Beth C)
Date: Fri, 8 May 2009 16:30:39 -0500
Subject: Decryption streaming
Message-ID:

What is a good way to write a C++ app to decrypt multiple large PGP-encrypted files simultaneously into memory? I cannot have the plaintext output in a file on disk at any time. Preferably, one block of data from the file will be decrypted at a time. Therefore, the entire file or files will not need to reside in memory.

Thanks,
Beth
From nobody at nymu.eu Sat May 9 00:12:32 2009
From: nobody at nymu.eu (Anonymous)
Date: Fri, 8 May 2009 23:12:32 +0100 (BST)
Subject: How to delete bad UID???
Message-ID:

Hi,

I have to delete a UID from my key on keyservers because the email address is no good. I deleted the UID from my key and uploaded it again but this didn't do anything so I figured I have to invalidate the UID and upload the key again. But I already deleted the UID from my key what I am supposed to do now? Is there some way to delete this email address from my key or people will send mail to a bad address.

From platitsa at sfsu.edu Sat May 9 01:31:37 2009
From: platitsa at sfsu.edu (pin_sf)
Date: Fri, 8 May 2009 16:31:37 -0700 (PDT)
Subject: GPG 2.0.11 and Vista
Message-ID: <23455279.post@talk.nabble.com>

I would like to know if the latest version of GPG supports Vista. Thank you!!!

From anonymous at anonymitaet-im-inter.net Sun May 10 18:20:50 2009
From: anonymous at anonymitaet-im-inter.net (Dave U. Random)
Date: Sun, 10 May 2009 18:20:50 +0200 (CEST)
Subject: delete bad UID from key on keyserver?
References: <4A048DDA.40405__2302.86345254189$1241812595$gmane$org@Mozilla-Enigmail.org>
Message-ID: <7f6d74c7d32428754a4f419af6d56e4d@anonymitaet-im-inter.net>

Thanks very much, John. The instructions worked a treat. One point for anyone reading this in the mail list archives, you need to write --refresh-keys (two dashes rather than one in the example).

Cheers.
From nobody at pseudo.borked.net Mon May 11 01:34:54 2009
From: nobody at pseudo.borked.net (Borked Pseudo Mailed)
Date: Sun, 10 May 2009 17:34:54 -0600 (MDT)
Subject: delete bad UID from key on keyserver?
References: <4A048BCC.6060808__44253.251530654$1241812045$gmane$org@bellsouth.net>
Message-ID: <8f68f4bb424c49443b5e284c51bf11c7@pseudo.borked.net>

Thank you.

From nobody at pseudo.borked.net Mon May 11 00:39:15 2009
From: nobody at pseudo.borked.net (Borked Pseudo Mailed)
Date: Sun, 10 May 2009 16:39:15 -0600 (MDT)
Subject: delete bad UID from key on keyserver?
References: <4A048BCC.6060808__44253.251530654$1241812045$gmane$org@bellsouth.net>
Message-ID: <8f68f4bb424c49443b5e284c51bf11c7@pseudo.borked.net>

Thank you.

From sanjeev_g11 at hotmail.com Mon May 11 18:44:32 2009
From: sanjeev_g11 at hotmail.com (Sanjeev Gupta)
Date: Mon, 11 May 2009 12:44:32 -0400
Subject: Question regarding signature
Message-ID:

All,

I have 2 different vendors and I would like to sign their keys using 2 different private keys. I don't want to share my public key between them. Whenever I try to sign the key the software doesn't give me the option to select my own key, it always use my default key. how can I achieve this. Please help me as I need to finish this project ASAP.

Thanks
-Sanjeev

From ecol2009 at gmail.com Tue May 12 03:22:56 2009
From: ecol2009 at gmail.com (nana nana)
Date: Tue, 12 May 2009 03:22:56 +0200
Subject: Question
Message-ID: <9d632db30905111822y5671fd04rc4e3a6d6341b5c66@mail.gmail.com>

hello,
i found your work in http://www.gnupg.org/download/
i read the instruction. i try to use it, i install it but i don't know why i have only; 03 file .txt and the home page with install application?
where is the problem,
thanks.
it's very important to me.
From dshaw at jabberwocky.com Tue May 12 15:38:20 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 12 May 2009 09:38:20 -0400
Subject: Question regarding signature
In-Reply-To:
References:
Message-ID: <0EAD9C39-1380-48C8-986C-E2D134754246@jabberwocky.com>

On May 11, 2009, at 12:44 PM, Sanjeev Gupta wrote:

> All,
>
> I have 2 different vendors and I would like to sign their keys
> using 2 different private keys. I don't want to share my public key
> between them. Whenever I try to sign the key the software doesn't
> give me the option to select my own key, it always use my default
> key. how can I achieve this. Please help me as I need to finish this
> project ASAP.

gpg -u (the-key-i-want-to-sign-with) --sign-key (the-key-i-want-to-sign)

David

From dshaw at jabberwocky.com Tue May 12 16:20:05 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 12 May 2009 10:20:05 -0400
Subject: Decryption streaming
In-Reply-To:
References:
Message-ID: <4E37EED5-7256-494D-8864-884BBA7C2C8C@jabberwocky.com>

On May 8, 2009, at 5:30 PM, Coffman, Beth C wrote:

> What is a good way to write a C++ app to decrypt multiple large PGP-
> encrypted files simultaneously into memory? I cannot have the
> plaintext output in a file on disk at any time. Preferably, one
> block of data from the file will be decrypted at a time. Therefore,
> the entire file or files will not need to reside in memory.

GPG (the program) can decrypt as a stream. You can either write a program that wraps around it, or use the GPGME library to do the work for you.

David

From steveo at syslang.net Tue May 12 16:32:52 2009
From: steveo at syslang.net (Steven W. Orr)
Date: Tue, 12 May 2009 10:32:52 -0400 (EDT)
Subject: Decryption streaming
In-Reply-To:
References:
Message-ID:

On Friday, May 8th 2009 at 17:30 -0000, quoth Coffman, Beth C:

=>What is a good way to write a C++ app to decrypt multiple
=>large PGP-encrypted files simultaneously into memory?  I cannot have
=>the plaintext output in a file on disk at any time.  Preferably, one block
=>of data from the file will be decrypted at a time.  Therefore, the entire
=>file or files will not need to reside in memory.
=>
=>Thanks,
=>Beth

Hi Beth,

I don't have the answer to your question, but I will say that you need to tighten up on your specs: If your program is running under a virtual memory model and you don't want your data to end up on disk then you will have to do something with a large hammer to lock pages of memory, or something along that line.

--
Time flies like the wind. Fruit flies like a banana. Stranger things have  .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net

From jmoore3rd at bellsouth.net Tue May 12 19:31:47 2009
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Tue, 12 May 2009 13:31:47 -0400
Subject: GPG 2.0.11 and Vista
In-Reply-To: <23455279.post@talk.nabble.com>
References: <23455279.post@talk.nabble.com>
Message-ID: <4A09B283.7090402@bellsouth.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

pin_sf wrote:
> I would like to know if the latest version of GPG supports Vista. Thank
> you!!!

Short Answer: YES!
JOHN ;)
Timestamp: Tuesday 12 May 2009, 13:31 --400 (Eastern Daylight Time)

From faramir.cl at gmail.com Tue May 12 20:53:43 2009
From: faramir.cl at gmail.com (Faramir)
Date: Tue, 12 May 2009 14:53:43 -0400
Subject: Question
In-Reply-To: <9d632db30905111822y5671fd04rc4e3a6d6341b5c66@mail.gmail.com>
References: <9d632db30905111822y5671fd04rc4e3a6d6341b5c66@mail.gmail.com>
Message-ID: <4A09C5B7.8050102@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

nana nana wrote:
> hello,
> i found your work in http://www.gnupg.org/download/
> i read the instruction. i try to use it, i install it but i don't know
> why i have only; 03 file .txt and the home page with install application?
> where is the problem,
> thanks.

What operating system are you using? What kind of package did you download from the download site?
Best Regards

From macshaggy at gmail.com Wed May 13 00:48:55 2009
From: macshaggy at gmail.com (Jake Bellew)
Date: Tue, 12 May 2009 18:48:55 -0400
Subject: Public Key not found.
Message-ID: <8D2DB6DF-3708-4916-A9BE-5CA91929EC35@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hey Everyone:

I keep getting this from gpg:

gpg: public key of ultimately trusted key {key id 1} not found
gpg: public key of ultimately trusted key {key id 2} not found

Possibly, while learning to use gpg I created two keys that I have ultimate trust with but I'm not sure. How can I remove them from my trustdb since I don't really know how they ended up there?

Any help would be appreciated.
Thank you,
Jake

Sent from Home

From webmaster at felipe1982.com Wed May 13 03:01:23 2009
From: webmaster at felipe1982.com (Felipe Alvarez)
Date: Wed, 13 May 2009 11:01:23 +1000
Subject: Public Key not found.
In-Reply-To: <8D2DB6DF-3708-4916-A9BE-5CA91929EC35@gmail.com>
References: <8D2DB6DF-3708-4916-A9BE-5CA91929EC35@gmail.com>
Message-ID: <200905131101.38366.webmaster@felipe1982.com>

On Wed, 13 May 2009 08:48:55 Jake Bellew wrote:
> Possibly, while learning to use gpg I created two keys that I have
> ultimate trust with but I'm not sure. How can I remove them from my
> trustdb since I don't really know how they ended up there?

When I started out with gpg, I created and destroyed many private keys. I was very careful not to use them seriously, only to mess with on my private home suse box. I didn't upload them, and I didn't sign any documents with them. I didn't share them with anybody. I destroyed many, and made new ones, until I was comfortable with how gpg worked, and how (a)symmetric crypto works, etc. Hopefully you have not uploaded your public key to a public keyserver.

To delete your own private/public keys try
[gpg --delete-secret-and-public-key youremail at address.com]

Felipe
From stormer at stormer.org Wed May 13 07:39:06 2009
From: stormer at stormer.org (Stormer's Cgi-Archive)
Date: Wed, 13 May 2009 01:39:06 -0400
Subject: procmail and gpg
Message-ID:

I asked this one before... either no response or no one knows.

Has anyone got a procmail recipe that works so that any email sent to a particular pop3 account will be encrypted with a public key?

maybe I am on the wrong list? Recommendations?

James

From Beth.C.Coffman at fnis.com Tue May 12 17:09:45 2009
From: Beth.C.Coffman at fnis.com (Coffman, Beth C)
Date: Tue, 12 May 2009 10:09:45 -0500
Subject: Decryption streaming
In-Reply-To: <4E37EED5-7256-494D-8864-884BBA7C2C8C@jabberwocky.com>
Message-ID:

Thanks. Does documentation exist anywhere for the individual methods within the libraries? What about examples? I'm not sure what methods to use from GPGME to accomplish my task. There is a lot of gnupg documentation in general, but not on using the individual methods within the libraries. It looks like minip12.c decrypt_block from gnupg-2.0.11 might do what I need, but I don't see anything documenting what the "salt" and "pw" parameters are supposed to be.

What I am looking to do is read and decrypt a small subset of data from a file at a time, process it, delete it, and move on to decrypting the next subset.

Beth

-----Original Message-----
From: David Shaw [mailto:dshaw at jabberwocky.com]
Sent: Tuesday, May 12, 2009 9:20 AM
To: Coffman, Beth C
Cc: gnupg-users at gnupg.org
Subject: Re: Decryption streaming

On May 8, 2009, at 5:30 PM, Coffman, Beth C wrote:

> What is a good way to write a C++ app to decrypt multiple large PGP-
> encrypted files simultaneously into memory? I cannot have the
> plaintext output in a file on disk at any time. Preferably, one block
> of data from the file will be decrypted at a time. Therefore, the
> entire file or files will not need to reside in memory.

GPG (the program) can decrypt as a stream. You can either write a program that wraps around it, or use the GPGME library to do the work for you.

David

From wk at gnupg.org Wed May 13 14:57:52 2009
From: wk at gnupg.org (Werner Koch)
Date: Wed, 13 May 2009 14:57:52 +0200
Subject: Decryption streaming
In-Reply-To: (Beth C. Coffman's message of "Tue, 12 May 2009 10:09:45 -0500")
References:
Message-ID: <87hbzpxir3.fsf@wheatstone.g10code.de>

On Tue, 12 May 2009 17:09, Beth.C.Coffman at fnis.com said:

> minip12.c decrypt_block from gnupg-2.0.11 might do what I need, but I
> don't see anything documenting what the "salt" and "pw" parameters are

That is an internal function of gpg. You should not use it.

> What I am looking to do is read and decrypt a small subset of data from
> a file at a time, process it, delete it, and move on to decrypting the
> next subset.

Check out the gpgme manual and the examples available in the source below tests/.

Shalom-Salam,

   Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.
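
Added example, not part of any message in this thread and not GnuPG project code: one way to do the "wrap around gpg" approach David Shaw describes, in C (callable from C++), reading plaintext from a pipe one block at a time so it is never written to a file. The names stream_plaintext and count_records and the 4096-byte block size are assumptions; because gpg writes plaintext before it has finished checking the integrity of the whole message, results stay provisional until gpg exits with status 0.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define BLOCK_SIZE 4096   /* assumed block size for this example */

/* Called once per plaintext block; return non-zero to abort the stream. */
typedef int (*block_cb)(const unsigned char *buf, size_t len, void *ctx);

/* Overwrite through a volatile pointer so the compiler keeps the stores. */
static void wipe(unsigned char *buf, size_t len)
{
    volatile unsigned char *p = buf;
    while (len--) *p++ = 0;
}

/*
 * Run argv (normally a gpg --decrypt command), pass its stdout to cb one
 * block at a time, and wipe each block after use.  Returns 0 only if every
 * callback succeeded AND the child exited with status 0; otherwise -1, and
 * the caller must throw away whatever the callbacks accumulated.
 */
int stream_plaintext(char *const argv[], block_cb cb, void *ctx)
{
    static unsigned char buf[BLOCK_SIZE];
    int fds[2], status, rc = 0;
    ssize_t n;
    pid_t pid;

    if (pipe(fds) != 0) return -1;
    pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                    /* child: stdout goes to the pipe */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        execvp(argv[0], argv);
        _exit(127);                    /* exec failed */
    }
    close(fds[1]);

    /* Best effort: keep this process's copy of the block out of swap.
       Covers only buf, and may fail under RLIMIT_MEMLOCK. */
    int locked = (mlock(buf, sizeof buf) == 0);

    for (;;) {
        n = read(fds[0], buf, sizeof buf);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) { if (n < 0) rc = -1; break; }
        if (cb(buf, (size_t)n, ctx) != 0) rc = -1;
        wipe(buf, (size_t)n);
        if (rc != 0) break;
    }
    close(fds[0]);                     /* on early abort the child gets EPIPE */
    if (locked) munlock(buf, sizeof buf);

    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR) return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) return -1;
    return rc;
}

/* Constructed consumer: counts bytes and newline-terminated records. */
struct tally { size_t bytes; size_t records; };

static int count_records(const unsigned char *buf, size_t len, void *ctx)
{
    struct tally *t = ctx;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == '\n') t->records++;
    t->bytes += len;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s file.gpg\n", argv[0]);
        return 2;
    }
    /* --batch: never prompt; plaintext goes to stdout by default. */
    char *cmd[] = { "gpg", "--batch", "--decrypt", "--", argv[1], NULL };
    struct tally t = { 0, 0 };
    if (stream_plaintext(cmd, count_records, &t) != 0) {
        fprintf(stderr, "decryption failed; partial results discarded\n");
        return 1;
    }
    printf("%zu bytes, %zu records\n", t.bytes, t.records);
    return 0;
}
```

Several files can be handled at once by running one such child per file; the secret key still has to be usable without a prompt, for example through an agent.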
From wk at gnupg.org Wed May 13 15:03:48 2009
From: wk at gnupg.org (Werner Koch)
Date: Wed, 13 May 2009 15:03:48 +0200
Subject: procmail and gpg
In-Reply-To: (Stormer's Cgi-Archive's message of "Wed, 13 May 2009 01:39:06 -0400")
References:
Message-ID: <87d4adxih7.fsf@wheatstone.g10code.de>

On Wed, 13 May 2009 07:39, stormer at stormer.org said:

> Has anyone got a procmail recipe that works so that any email sent to
> a particular pop3 account will be encrypted with a public key?

I don't have one. I attach a script which does something similar: Take a message and re-encrypt it to a list of recipients. It is more complicated than what you want but you might get the idea.

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: gpgmlrobot
Type: application/octet-stream
Size: 5569 bytes
Desc: not available
URL:

From mkrotzer at fastmail.fm Wed May 13 15:24:30 2009
From: mkrotzer at fastmail.fm (Matthew Krotzer)
Date: Wed, 13 May 2009 09:24:30 -0400
Subject: procmail and gpg
In-Reply-To:
References:
Message-ID: <20090513132429.GA8707@darkstar>

* Stormer's Cgi-Archive [090513 02:51]:
> I asked this one before... either no response or no one knows.
>
> Has anyone got a procmail recipe that works so that any email sent to
> a particular pop3 account will be encrypted with a public key?
>
> maybe I am on the wrong list? Recommendations?
>
> James
>

A procmail list would probably be a better place to get this information. I don't use procmail, but this seems more like a client setting to me. Folder-hooks, etc.

I don't understand what you are trying to do from the description. Is there a singular public key for the account or multiple? Are you setting this up on a private mailserver? My email client, mutt, picks the right key for the right account based on the key information.
Matthew

From mearns.b at gmail.com Wed May 13 16:28:03 2009
From: mearns.b at gmail.com (Brian Mearns)
Date: Wed, 13 May 2009 10:28:03 -0400
Subject: Question regarding signature
In-Reply-To: <4df3a1330905130550k5e6c973cg9616ebed656e5f0f@mail.gmail.com>
References: <0EAD9C39-1380-48C8-986C-E2D134754246@jabberwocky.com> <4df3a1330905130550k5e6c973cg9616ebed656e5f0f@mail.gmail.com>
Message-ID: <4df3a1330905130728s6e995abdva4d95b97697a08c9@mail.gmail.com>

On Tue, May 12, 2009 at 9:38 AM, David Shaw wrote:
> On May 11, 2009, at 12:44 PM, Sanjeev Gupta wrote:
>
>> All,
>>
>> I have 2 different vendors and I would like to sign their keys using 2
>> different private keys. I don't want to share my public key between them.
>> Whenever I try to sign the key the software doesn't give me the option to
>> select my own key, it always uses my default key. how can I achieve this.
>> Please help me as I need to finish this project ASAP.
>
> gpg -u (the-key-i-want-to-sign-with) --sign-key (the-key-i-want-to-sign)
>
> David
>
>

I have to wonder why you don't want to share your public key between them? You understand that's the whole point of public-key-cryptography schemes like those used by gpg, right? A public key is public, it's meant to be shared and doing so does not cause any [feasible] security risks.

-Brian

--
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://keys.gnupg.net

From jhs at berklix.org Wed May 13 17:25:34 2009
From: jhs at berklix.org (Julian Stacey)
Date: Wed, 13 May 2009 17:25:34 +0200
Subject: procmail and gpg
In-Reply-To: Your message "Wed, 13 May 2009 09:24:30 EDT." <20090513132429.GA8707@darkstar>
Message-ID: <200905131525.n4DFPYWs061411@fire.js.berklix.net>

Matthew Krotzer wrote:
> * Stormer's Cgi-Archive [090513 02:51]:
> > I asked this one before... either no response or no one knows.
> >
> > Has anyone got a procmail recipe that works so that any email sent to
> > a particular pop3 account will be encrypted with a public key?
> >
> > maybe I am on the wrong list? Recommendations?
> >
> > James
> >
>
> A procmail list would probably be a better place to get this
> information. I don't use procmail, but this seems more like a
> client setting to me. Folder-hooks, etc.
>
> I don't understand what you are trying to do from the
> description. Is there a singular public key for the account or
> multiple? Are you setting this up on a private mailserver? My
> email client, mutt, picks the right key for the right account
> based on the key information.
>
> Matthew

I use procmail,
(but don't use gnupg much 'cept occasionally for customers,
 hence lurker status ;-)
Seems a puzzling/ badly/ inadequately phrased question from Stormer.
- Normally one _en_crypts before sending
- Whereas one uses procmail on receipt.
- But POP3 implies local incoming account, else how would one know what
  protocol another recipient uses to collect.
- Stormer talks of "sent to > a particular" rather than "received by .."
Puzzling.

Maybe Stormer means outgoing from private net, somehow wanting to call procmail on a proxy or relay before heading out over net ? Or he or she could mean other things. Question best re-defined & re-posted.

PS man procmail:

       for submitting questions/answers.

       for subscription requests.

  If you would like to stay informed about new versions and official
  patches send a subscription request to
       procmail-announce-request at procmail.org
  (this is a readonly list).

Cheers,
Julian
--
Julian Stacey: BSDUnixLinux C Prog Admin SysEng Consult Munich www.berklix.com
Mail plain ASCII text. HTML & Base64 text are spam.
www.asciiribbon.org

From stormer at stormer.org Wed May 13 18:53:17 2009
From: stormer at stormer.org (Stormer's Cgi-Archive)
Date: Wed, 13 May 2009 12:53:17 -0400
Subject: procmail and gpg
In-Reply-To: <200905131525.n4DFPYWs061411@fire.js.berklix.net>
References: <20090513132429.GA8707@darkstar> <200905131525.n4DFPYWs061411@fire.js.berklix.net>
Message-ID:

Julian,

Sorry for the initial description... here is why I want it...

What I would like to do is have a regular pop3 mail account on a private server... any email sent TO that email address will be encrypted with my public key when it arrives on the server. Then when I download it into Mozilla Thunderbird with EnigMail addon it will decrypt it. The usefulness of this ability can be expanded to other perl/php scripts that email information to that same pop3 but don't have any type of gpg port yet.

Thanks!

James


On Wed, May 13, 2009 at 11:25 AM, Julian Stacey wrote:
> Matthew Krotzer wrote:
>> * Stormer's Cgi-Archive [090513 02:51]:
>> > I asked this one before... either no response or no one knows.
>> >
>> > Has anyone got a procmail recipe that works so that any email sent to
>> > a particular pop3 account will be encrypted with a public key?
>> >
>> > maybe I am on the wrong list? Recommendations?
>> >
>> > James
>> >
>>
>> A procmail list would probably be a better place to get this
>> information. I don't use procmail, but this seems more like a
>> client setting to me. Folder-hooks, etc.
>>
>> I don't understand what you are trying to do from the
>> description. Is there a singular public key for the account or
>> multiple? Are you setting this up on a private mailserver? My
>> email client, mutt, picks the right key for the right account
>> based on the key information.
>>
>> Matthew
>
> I use procmail,
> (but don't use gnupg much 'cept occasionally for customers,
>  hence lurker status ;-)
> Seems a puzzling/ badly/ inadequately phrased question from Stormer.
> - Normally one _en_crypts before sending
> - Whereas one uses procmail on receipt.
> - But POP3 implies local incoming account, else how would one know what
>   protocol another recipient uses to collect.
> - Stormer talks of "sent to > a particular" rather than "received by .."
> Puzzling.
>
> Maybe Stormer means outgoing from private net, somehow wanting to
> call procmail on a proxy or relay before heading out over net ? Or
> he or she could mean other things. Question best re-defined & re-posted.
>
> PS man procmail:
>
>        for submitting questions/answers.
>
>        for subscription requests.
>
>   If you would like to stay informed about new versions and official
>   patches send a subscription request to
>        procmail-announce-request at procmail.org
>   (this is a readonly list).
>
> Cheers,
> Julian
> --
> Julian Stacey: BSDUnixLinux C Prog Admin SysEng Consult Munich www.berklix.com
> Mail plain ASCII text. HTML & Base64 text are spam. www.asciiribbon.org
>

--
Stormer's Cgi-Archive
http://www.stormer.org

From hrickards at l33tmyst.com Wed May 13 19:27:04 2009
From: hrickards at l33tmyst.com (Harry Rickards)
Date: Wed, 13 May 2009 18:27:04 +0100
Subject: procmail and gpg
In-Reply-To:
References: <20090513132429.GA8707@darkstar> <200905131525.n4DFPYWs061411@fire.js.berklix.net>
Message-ID: <4A0B02E8.7080801@l33tmyst.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/13/09 17:53, Stormer's Cgi-Archive wrote:
> Julian,
>
> Sorry for the initial description... here is why I want it...
>
> What I would like to do is have a regular pop3 mail account on a
> private server... any email sent TO that email address will be
> encrypted with my public key when it arrives on the server. Then when
> I download it into Mozilla
> Thunderbird with EnigMail addon it will decrypt it.
The usefulness
> of this ability can be expanded to other perl/php scripts that email
> information to that same pop3 but don't have any type of gpg port yet.
>
> Thanks!
>
> James
>
>
> On Wed, May 13, 2009 at 11:25 AM, Julian Stacey wrote:
>> Matthew Krotzer wrote:
>>> * Stormer's Cgi-Archive [090513 02:51]:
>>>> I asked this one before... either no response or no one knows.
>>>>
>>>> Has anyone got a procmail recipe that works so that any email sent to
>>>> a particular pop3 account will be encrypted with a public key?
>>>>
>>>> maybe I am on the wrong list? Recommendations?
>>>>
>>>> James
>>>>
>>> A procmail list would probably be a better place to get this
>>> information. I don't use procmail, but this seems more like a
>>> client setting to me. Folder-hooks, etc.
>>>
>>> I don't understand what you are trying to do from the
>>> description. Is there a singular public key for the account or
>>> multiple? Are you setting this up on a private mailserver? My
>>> email client, mutt, picks the right key for the right account
>>> based on the key information.
>>>
>>> Matthew
>> I use procmail,
>> (but don't use gnupg much 'cept occasionally for customers,
>> hence lurker status ;-)
>> Seems a puzzling/ badly/ inadequately phrased question from Stormer.
>> - Normally one _en_crypts before sending
>> - Whereas one uses procmail on receipt.
>> - But POP3 implies local incoming account, else how would one know what
>> protocol another recipient uses to collect.
>> - Stormer talks of "sent to > a particular" rather than "received by .."
>> Puzzling.
>>
>> Maybe Stormer means outgoing from private net, somehow wanting to
>> call procmail on a proxy or relay before heading out over net ? Or
>> he or she could mean other things. Question best re-defined & re-posted.
>>
>> PS man procmail:
>>
>> for submitting questions/answers.
>>
>> for subscription requests.
>>
>> If you would like to stay informed about new versions and official
>> patches send a subscription request to
>> procmail-announce-request at procmail.org
>> (this is a readonly list).
>>
>> Cheers,
>> Julian
>> --
>> Julian Stacey: BSDUnixLinux C Prog Admin SysEng Consult Munich www.berklix.com
>> Mail plain ASCII text. HTML & Base64 text are spam. www.asciiribbon.org
>>
>
>
>

I asked about a similar thing recently on the debian-user mailing list. Basically, we worked out that it would be hard to do, and would be a lot easier just to encrypt the disk. That was using Postfix though. Let us know if you find a solution.

- --
Many thanks
Harry Rickards

- -----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GAT/GCM/GCS/GCC/GIT/GM d? s: a? C++++ UL++++ P- L+++ E--- W+++ N o K+ w--- O- M- V- PS+ PE Y+ PGP++ t 5 X R tv-- b+++ DI D---- G e* h! !r y?
- ------END GEEK CODE BLOCK------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkoLAugACgkQ1kZz3mRu0Go/oQCg5FtBokZNzv07m+wQQ3egtcuj
zGYAn0BhqgagSnx5TiYsIfnYeHw/KQm+
=dFOU
-----END PGP SIGNATURE-----

From stormer at stormer.org Thu May 14 08:51:33 2009
From: stormer at stormer.org (Stormer's Cgi-Archive)
Date: Thu, 14 May 2009 02:51:33 -0400
Subject: procmail and gpg
In-Reply-To: <20090514034807.GA28778@foursquare.net>
References: <20090514034807.GA28778@foursquare.net>
Message-ID:

To all that responded,

I got it to work... Here is how...

First, when executed by .procmailrc, the .gnupg directory needed to be in the same directory as the .procmailrc file. It had to be chown:chgrp for that user.

The procmailrc looks like this...

:0
* ^X-ClamAV: clean
{
    # f = filter, b = body only, w = wait for gpg's exit status
    :0fbw
    | gpg --encrypt -r 3BE2D343 --armor --output -

    # c = work on a copy: forward the now-encrypted message
    :0c
    ! email2@mydomain.com
}

The only matching thing in all emails was the X-ClamAV: clean

What this does... When an email comes into that pop account, it encrypts it and forwards it to email2 at domain.com

cheers!
James

On Wed, May 13, 2009 at 11:48 PM, Chris Frey wrote:
> On Wed, May 13, 2009 at 01:39:06AM -0400, Stormer's Cgi-Archive wrote:
>> I asked this one before... either no response or no one knows.
>>
>> Has anyone got a procmail recipe that works so that any email sent to
>> a particular pop3 account will be encrypted with a public key?
>>
>> maybe I am on the wrong list? Recommendations?
>
> You need to make use of the idea of procmail filter rules.
>
> For example, I use a rule like this to adjust the Subject line of
> mail from the full-disclosure mailing list:
>
> ####### full-disclosure
> :0
> * ^List-Id:.*full-disclosure.lists.grok.org.uk
> {
>         # filter delivered mail's subject line for better mutt sorting
>         :0hfW
>         | sed -e '/^Subject: / s/\[Full-disclosure\] //'
>
>         # send to proper mailbox
>         :0
>         full-disclosure
> }
>
>
> The above was copied from a working setup. You'll need to do some testing
> and playing around, but extrapolating from my above rule, I'd likely
> try something like this:
>
> # send body of email through a gpg filter, and make sure it succeeds
> :0bfW
> | gpg --armor -r cdfrey@foursquare.net --encrypt
>
>
> Hope that helps,
> - Chris
>
>

--
Stormer's Cgi-Archive
http://www.stormer.org

From Jake_Rai at tui-uk.co.uk Wed May 13 18:17:29 2009
From: Jake_Rai at tui-uk.co.uk (Rai, Jake)
Date: Wed, 13 May 2009 17:17:29 +0100
Subject: Help!
Message-ID:

Hello,

Hoping you could help me.
Could you provide me with a link for a GUI version of GNUPG.

We are looking to decrypt gpg files received using key authentication.

Kind Regards,

Jake Rai
Senior Operational Support Analyst
TUI UK - IT Service Delivery
Landline: +44(0)2476 283118
Mobile: +44(0)7976 539817

Thomson.co.uk for Holidays, Flights, Hotels, customer reviews and over 2000 videos. Find us at www.thomson.co.uk, Sky Digital Channel 647 or on your high street.
CONFIDENTIALITY NOTICE & DISCLAIMER

This message, together with any attachments, is for the confidential and exclusive use of the intended addresses(s). If you receive it in error, please delete the message and its attachments from your system immediately and notify us by return e-mail. Do not disclose copy, circulate or use any information contained in this e-mail.

- The content of this e-mail is to be read subject to our terms of business, as applicable.
- E-mail may be intercepted or affected by viruses and we accept no responsibility for any interception or liability for any form of viruses introduced with this e-mail.
- The sender shall remain solely accountable for any statements, representations or opinions that are clearly his or her own and not made in the course of employment.
- For risk, protection and security purposes, we may monitor e-mails and take appropriate action.

Registered Office: TUI Travel House, Crawley Business Quarter, Fleming Way, Crawley, West Sussex RH10 9QL

- TUI Travel PLC, Registered in England and Wales (Number 6072876)
- TUI Northern Europe Limited, Registered in England and Wales (Number 3490138)
- TUI UK Limited, Registered in England and Wales (Number 2830117) ; VAT Number: 233 3687 62
- Thomson Airways Limited, Registered in England and Wales (Number 444359); VAT Number: 490 2120 79

Telephone: +44 (0)24 7628 2828 | Fax: +44 (0)24 7628 2844

From cdfrey at foursquare.net Thu May 14 05:48:07 2009
From: cdfrey at foursquare.net (Chris Frey)
Date: Wed, 13 May 2009 23:48:07 -0400
Subject: procmail and gpg
In-Reply-To:
References:
Message-ID: <20090514034807.GA28778@foursquare.net>

On Wed, May 13, 2009 at 01:39:06AM -0400, Stormer's Cgi-Archive wrote:
> I asked this one before... either no response or no one knows.
>
> Has anyone got a procmail recipe that works so that any email sent to
> a particular pop3 account will be encrypted with a public key?
>
> maybe I am on the wrong list? Recommendations?

You need to make use of the idea of procmail filter rules.

For example, I use a rule like this to adjust the Subject line of mail from the full-disclosure mailing list:

####### full-disclosure
:0
* ^List-Id:.*full-disclosure.lists.grok.org.uk
{
        # filter delivered mail's subject line for better mutt sorting
        :0hfW
        | sed -e '/^Subject: / s/\[Full-disclosure\] //'

        # send to proper mailbox
        :0
        full-disclosure
}


The above was copied from a working setup. You'll need to do some testing and playing around, but extrapolating from my above rule, I'd likely try something like this:

# send body of email through a gpg filter, and make sure it succeeds
:0bfW
| gpg --armor -r cdfrey@foursquare.net --encrypt


Hope that helps,
- Chris

From dave.smith at st.com Thu May 14 12:36:37 2009
From: dave.smith at st.com (David SMITH)
Date: Thu, 14 May 2009 11:36:37 +0100
Subject: Help!
In-Reply-To:
References:
Message-ID: <20090514103637.GF17008@bristol.st.com>

On Wed, May 13, 2009 at 05:17:29PM +0100, Rai, Jake wrote:
> Hoping you could help me.
> Could you provide me with a link for a GUI version of GNUPG.
>
> We are looking to decrypt gpg files received using key authentication.

You appear to be describing GPA: http://www.gnupg.org/gpa.html

Some friendly advice:

1. Be a bit more descriptive with your subject line. "Help!" doesn't really give any clue what you're after, and some people will just ignore that sort of mail.

2. Learn to ask "smart questions". Include useful information - e.g. in this case, it would be useful to know what Operating System you're running (Windows (version?), Linux, Mac OSX). More info: http://catb.org/esr/faqs/smart-questions.html

3. Huge disclaimers like this one have virtually no legal merit and just annoy people by wasting bandwidth and disk space. In the "old days of the Internet", a 4-line, 72 characters per line signature was generally considered to be an acceptable limit.
>
> Thomson.co.uk for Holidays, Flights, Hotels, customer reviews and over 2000 videos. Find us at www.thomson.co.uk, Sky Digital Channel 647 or on your high street.
>
> CONFIDENTIALITY NOTICE & DISCLAIMER
>
> This message, together with any attachments, is for the confidential and exclusive use of the intended addresses(s). If you receive it in error, please delete the message and its attachments from your system immediately and notify us by return e-mail. Do not disclose copy, circulate or use any information contained in this e-mail.
>
> - The content of this e-mail is to be read subject to our terms of business, as applicable.

[snip]

HTH...

--
David Smith            Work Email: Dave.Smith at st.com
STMicroelectronics     Home Email: David.Smith at ds-electronics.co.uk
Bristol, England       GPG Key: 0xF13192F2

From BruderB at cation.de Thu May 14 13:21:17 2009
From: BruderB at cation.de (B)
Date: Thu, 14 May 2009 13:21:17 +0200
Subject: Help!
In-Reply-To:
References:
Message-ID: <4A0BFEAD.5080806@cation.de>

Hi Jake,

you should provide little more information, at least which OS?

Boris

Rai, Jake wrote:
> Hello,
>
> Hoping you could help me.
> Could you provide me with a link for a GUI version of GNUPG.
>
> We are looking to decrypt gpg files received using key authentication.
>
> Kind Regards,
> **
> *Jake Rai*
> Senior Operational Support Analyst
> TUI UK - IT Service Delivery
> Landline: +44(0)2476 283118
> Mobile: +44(0)7976 539817
>
>
>
> /Thomson.co.uk for Holidays, Flights, Hotels, customer reviews and over
> 2000 videos. Find us at www.thomson.co.uk ,
> Sky Digital Channel 647 or on your high street./
>
> _CONFIDENTIALITY NOTICE & DISCLAIMER_
>
> This message, together with any attachments, is for the confidential and
> exclusive use of the intended addresses(s). If you receive it in error,
> please delete the message and its attachments from your system
> immediately and notify us by return e-mail.
From faramir.cl at gmail.com Thu May 14 19:09:34 2009
From: faramir.cl at gmail.com (Faramir)
Date: Thu, 14 May 2009 13:09:34 -0400
Subject: Help!
In-Reply-To:
References:
Message-ID: <4A0C504E.6090000@gmail.com>

Rai, Jake wrote:
> Hello,
>
> Hoping you could help me.
> Could you provide me with a link for a GUI version of GNUPG.

What operating system do you use? I mean, Windows? Linux? Other?
Best Regards

From allen.schultz at gmail.com Fri May 15 01:41:35 2009
From: allen.schultz at gmail.com (Allen Schultz)
Date: Thu, 14 May 2009 17:41:35 -0600
Subject: Photo's in keys?
Message-ID: <3f34f8420905141641y4155c6f6ld85a1f43ca571100@mail.gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

RE: including a photo uid, which is commonly stripped by public keyservers (http://fifthhorseman.net/key-transition-2007-06-15.txt)

Are there any limits on the photo in the keys, format/extension, size, etc? Will GPG resize if necessary? And the basic command to add the pic in, please.

Thanks in advance,
- --
Allen Schultz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32) - GPGshell v3.72

iEYEARECAAYFAkoMrC4ACgkQV5r3Eu55xjalOACfZ+CsWicTrc4NL2s6Ip+4+cd3
7MMAnjDlNuf+NSVLfgpcDPTdWX4VbuA8
=RG32
-----END PGP SIGNATURE-----

From dshaw at jabberwocky.com Fri May 15 05:25:31 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 14 May 2009 23:25:31 -0400
Subject: Photo's in keys?
In-Reply-To: <3f34f8420905141641y4155c6f6ld85a1f43ca571100@mail.gmail.com>
References: <3f34f8420905141641y4155c6f6ld85a1f43ca571100@mail.gmail.com>
Message-ID: <43B1D926-5BF1-478F-AEC4-D30504AFDCF7@jabberwocky.com>

On May 14, 2009, at 7:41 PM, Allen Schultz wrote:

> RE: including a photo uid, which is commonly stripped by public
> keyservers (http://fifthhorseman.net/key-transition-2007-06-
> 15.txt)
>
> Are there any limits on the photo in the keys, format/extension,
> size, etc? Will GPG resize if necessary? And the basic command
> to add the pic in, please.

The pic must be JPEG and the extension doesn't matter. GPG doesn't really care what the size is, but if it is over 6k, you'll get an "are you sure?" message, as it is kindness to the rest of the world to keep key sizes from getting out of control. GPG does not manipulate/resize the photo in any way. The command is "addphoto", in the --edit-key menu.

David

From John at Mozilla-Enigmail.org Fri May 15 04:30:04 2009
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Thu, 14 May 2009 21:30:04 -0500
Subject: Photo's in keys?
In-Reply-To: <3f34f8420905141641y4155c6f6ld85a1f43ca571100@mail.gmail.com>
References: <3f34f8420905141641y4155c6f6ld85a1f43ca571100@mail.gmail.com>
Message-ID: <4A0CD3AC.2080806@Mozilla-Enigmail.org>

Allen Schultz wrote:
> RE: including a photo uid, which is commonly stripped by public
> keyservers (http://fifthhorseman.net/key-transition-2007-06-15.txt)
>
> Are there any limits on the photo in the keys, format/extension,
> size, etc? Will GPG resize if necessary? And the basic command
> to add the pic in, please.

Not sure where the idea that public keyservers strip photo ids is from. That was a problem with older PKS servers, but the current SKS photos handle all aspects of V4 keys just fine.

PGP specifies 120x144 as the maximum image resolution while GPG recommends the usage of 240x288. You'll need to size the image yourself beforehand.
Most folks recommend keeping the size down to 4K-6K which favors JPEG. RFC 4880 only mentions JPEG.

Open a command window/shell prompt. Run the command

    gpg --edit-key addphoto

GnuPG will then ask you for the filename of your JPEG image. Specify the complete path.

--
John P. Clizbe                      Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or
     mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"

From rjh at sixdemonbag.org Fri May 15 05:40:58 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 14 May 2009 23:40:58 -0400
Subject: Photo's in keys?
In-Reply-To: <43B1D926-5BF1-478F-AEC4-D30504AFDCF7@jabberwocky.com>
References: <3f34f8420905141641y4155c6f6ld85a1f43ca571100@mail.gmail.com> <43B1D926-5BF1-478F-AEC4-D30504AFDCF7@jabberwocky.com>
Message-ID: <4A0CE44A.7070800@sixdemonbag.org>

David Shaw wrote:
> The pic must be JPEG and the extension doesn't matter. GPG doesn't
> really care what the size is, but if it is over 6k, you'll get an "are
> you sure?" message, as it is kindness to the rest of the world to keep
> key sizes from getting out of control. GPG does not manipulate/resize
> the photo in any way. The command is "addphoto", in the --edit-key menu.

Is there any guidance on what size PGP expects it to be (in terms of screen dimension, not size)?

From dshaw at jabberwocky.com Fri May 15 06:10:36 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 15 May 2009 00:10:36 -0400
Subject: Photo's in keys?
In-Reply-To: <4A0CE44A.7070800@sixdemonbag.org>
References: <3f34f8420905141641y4155c6f6ld85a1f43ca571100@mail.gmail.com> <43B1D926-5BF1-478F-AEC4-D30504AFDCF7@jabberwocky.com> <4A0CE44A.7070800@sixdemonbag.org>
Message-ID: <9E9D597C-1F28-427A-AC27-40505D3AB1E9@jabberwocky.com>

On May 14, 2009, at 11:40 PM, Robert J. Hansen wrote:

> David Shaw wrote:
>> The pic must be JPEG and the extension doesn't matter. GPG doesn't
>> really care what the size is, but if it is over 6k, you'll get an
>> "are
>> you sure?" message, as it is kindness to the rest of the world to
>> keep
>> key sizes from getting out of control. GPG does not manipulate/
>> resize
>> the photo in any way. The command is "addphoto", in the --edit-key
>> menu.
>
> Is there any guidance on what size PGP expects it to be (in terms of
> screen dimension, not size)?

These days it's 120x144, but in the past it was double that (220x288).

Incidentally, GPG will allow you to have more than one photo ID, and PGP only permits one. PGP (9, anyway) will accept a key with multiple photo IDs, but it will only show you one photo. This is actually a bit of a step backwards - in earlier versions it showed all photos, even though it would only generate one itself.

David

From webmaster at felipe1982.com Sat May 16 02:34:19 2009
From: webmaster at felipe1982.com (webmaster at felipe1982.com)
Date: Fri, 15 May 2009 18:34:19 -0600 (MDT)
Subject: problems with PGP/MIME
Message-ID: <2057.130.102.44.51.1242434059.squirrel@host257.hostmonster.com>

I will do my best to describe as succinctly and clearly as possible. To begin, I use openSUSE, openoffice for documents, and [usually] kmail for email. I created a document in OOo and clicked on the 'email' button to send it to my "other" email address xx at student.qut.edu.au [backup]. I sent the file signed and encrypted. The other address has only a web interface, and as such, has no support for PGP/MIME.
As expected, I see two attachments, application/pgp-encrypted "VERSION 1" file, and application/octet-stream (my encrypted .odt file). It isn't actually binary, it appears in ASCII when downloaded and opened in text editor. I ran it through Kgpg, and also separately through gpg command line, and was disappointed that I did not recover my original .odt file.

The top portion contains email header information stuff (stuff I don't want, or care to understand). There is a signature at the very bottom, but verification fails (it is *my*own* pub/priv key pair). In the middle, above the signature, and below the email header stuff, there is an ascii-armoured portion of data. I have not yet attempted to select it all, copy, paste, decrypt, because I thought to myself, "there must be a better (read: easier) way to do this..." So, is there?

I forwarded the message back to my xx at felipe1982.com address, and viewed it in kmail (which as you all know, supports cool things like pgp/mime). But it (after submitting my passphrase) will not decrypt!

Is this the normal behaviour of pgp/mime. I did read a little (albeit quickly and not in detail) of rfc3156 (is this the most recent?).

Any ideas, suggestions, comments appreciated. Thanks.

Felipe

From webmaster at felipe1982.com Sat May 16 09:41:26 2009
From: webmaster at felipe1982.com (Felipe Alvarez)
Date: Sat, 16 May 2009 17:41:26 +1000
Subject: problems with PGP/MIME
In-Reply-To: <4A0E4AAE.5000701@gbenet.com>
References: <2057.130.102.44.51.1242434059.squirrel@host257.hostmonster.com> <4A0E4AAE.5000701@gbenet.com>
Message-ID: <200905161741.26379.webmaster@felipe1982.com>

On Sat, 16 May 2009 15:10:06 david wrote:
> You encrypt the document first - before sending. So type oo document
> then encrypt it - save it to disk then open email and add it as an
> attachment - this will preserve formatting you do not then have to
> encrypt again - you could digitally sign if you wish.
>
> David
>
> webmaster at felipe1982.com wrote:
> > I will do my best to describe as succinctly and clearly as possible. To
> > begin, I use openSUSE, openoffice for documents, and [usually] kmail for
> > email. I created a document in OOo and clicked on the 'email' button to
> > send it to my "other" email address xx at student.qut.edu.au [backup]. I
> > sent the file signed and encrypted. The other address has only a web
> > interface, and as such, has no support for PGP/MIME. As expected, I see
> > two attachments, application/pgp-encrypted "VERSION 1" file, and
> > application/octet-stream (my encrypted .odt file). It isn't actually
> > binary, it appears in ASCII when downloaded and opened in text editor. I
> > ran it through Kgpg, and also separately through gpg command line, and
> > was disappointed that I did not recover my original .odt file.
> >
> > The top portion contains email header information stuff (stuff I don't
> > want, or care to understand). There is a signature at the very bottom,
> > but verification fails (it is *my*own* pub/priv key pair). In the middle,
> > above the signature, and below the email header stuff, there is an
> > ascii-armoured portion of data. I have not yet attempted to select it
> > all, copy, paste, decrypt, because I thought to myself, "there must be a
> > better (read: easier) way to do this..." So, is there?
> >
> > I forwarded the message back to my xx at felipe1982.com address, and viewed
> > it in kmail (which as you all know, supports cool things like pgp/mime).
> > But it (after submitting my passphrase) will not decrypt!
> >
> > Is this the normal behaviour of pgp/mime. I did read a little (albeit
> > quickly and not in detail) of rfc3156 (is this the most recent?).
> >
> > Any ideas, suggestions, comments appreciated. Thanks.
> >
> > Felipe

I assume[d] (maybe incorrectly?) that clients without support for pgp/mime would still be able to manually extract/download the attachments and manually decrypt them and reliably open, read and change them. Does the RFC allow for 'legacy' email clients to still read/decrypt attachments as normal?

Felipe

From kloecker at kde.org  Sat May 16 12:13:55 2009
From: kloecker at kde.org (Ingo Klöcker)
Date: Sat, 16 May 2009 12:13:55 +0200
Subject: problems with PGP/MIME
In-Reply-To: <2057.130.102.44.51.1242434059.squirrel@host257.hostmonster.com>
References: <2057.130.102.44.51.1242434059.squirrel@host257.hostmonster.com>
Message-ID: <200905161213.56202@thufir.ingo-kloecker.de>

On Saturday 16 May 2009, webmaster at felipe1982.com wrote:
> I will do my best to describe as succinctly and clearly as possible. To begin, I use openSUSE, openoffice for documents, and [usually] kmail for email. I created a document in OOo and clicked on the 'email' button to send it to my "other" email address xx at student.qut.edu.au [backup]. I sent the file signed and encrypted. The other address has only a web interface, and as such, has no support for PGP/MIME. As expected, I see two attachments, application/pgp-encrypted "VERSION 1" file, and application/octet-stream (my encrypted .odt file).

The application/octet-stream attachment does not only contain your encrypted .odt file, but the whole MIME structure of your message (after signing and before encryption) including the attached .odt file.
> It isn't actually binary, it appears in ASCII when downloaded and opened in text editor. I ran it through Kgpg, and also separately through gpg command line, and was disappointed that I did not recover my original .odt file.
>
> The top portion contains email header information stuff (stuff I don't want, or care to understand). There is a signature at the very bottom, but verification fails (it is *my*own* pub/priv key pair).

That's because KGpg probably does not know how to verify PGP/MIME signatures correctly.

> In the middle, above the signature, and below the email header stuff, there is an ascii-armoured portion of data. I have not yet attempted to select it all, copy, paste, decrypt, because I thought to myself, "there must be a better (read: easier) way to do this..." So, is there?

The "ascii-armoured portion of data" is most likely the base64 encoded .odt attachment. Try running it through

  base64 -di < "ascii-armoured portion of data" >foo.odt

base64 is part of the coreutils.

> I forwarded the message back to my xx at felipe1982.com address, and viewed it in kmail (which as you all know, supports cool things like pgp/mime). But it (after submitting my passphrase) will not decrypt!

Hmm. No idea unless you did not make sure that the message is also encrypted with your own key.

> Is this the normal behaviour of pgp/mime. I did read a little (albeit quickly and not in detail) of rfc3156 (is this the most recent?).

In theory, PGP/MIME allows arbitrary complex hierarchies of signed and encrypted body parts.

In practice, KMail (and probably most other PGP/MIME capable email clients) encrypt the whole message (except for the email headers) after the optional signing step, i.e. the text and all attachments. Now, if you decrypt the encrypted "attachment" in the received message, you will get something like you write above.

I'm not sure what your use-case is.
If it's for backup purposes (as indicated above), then I suggest to sign and encrypt the .odt file with KGpg and then attach this signed&encrypted attachment to a message. This message should then not be encrypted because otherwise you'll have the same situation as above. Signing the message should be okay.

Regards,
Ingo

From webmaster at felipe1982.com  Sat May 16 16:16:08 2009
From: webmaster at felipe1982.com (Felipe Alvarez)
Date: Sun, 17 May 2009 00:16:08 +1000
Subject: problems with PGP/MIME
In-Reply-To: <200905161213.56202@thufir.ingo-kloecker.de>
References: <2057.130.102.44.51.1242434059.squirrel@host257.hostmonster.com> <200905161213.56202@thufir.ingo-kloecker.de>
Message-ID: <200905170016.23075.webmaster@felipe1982.com>

On Sat, 16 May 2009 20:13:55 Ingo Klöcker wrote:
> On Saturday 16 May 2009, webmaster at felipe1982.com wrote:
> > I will do my best to describe as succinctly and clearly as possible. To begin, I use openSUSE, openoffice for documents, and [usually] kmail for email. I created a document in OOo and clicked on the 'email' button to send it to my "other" email address xx at student.qut.edu.au [backup]. I sent the file signed and encrypted. The other address has only a web interface, and as such, has no support for PGP/MIME. As expected, I see two attachments, application/pgp-encrypted "VERSION 1" file, and application/octet-stream (my encrypted .odt file).
>
> The application/octet-stream attachment does not only contain your encrypted .odt file, but the whole MIME structure of your message (after signing and before encryption) including the attached .odt file.
>
> > It isn't actually binary, it appears in ASCII when downloaded and opened in text editor.
> > I ran it through Kgpg, and also separately through gpg command line, and was disappointed that I did not recover my original .odt file.
> >
> > The top portion contains email header information stuff (stuff I don't want, or care to understand). There is a signature at the very bottom, but verification fails (it is *my*own* pub/priv key pair).
>
> That's because KGpg probably does not know how to verify PGP/MIME signatures correctly.
>
> > In the middle, above the signature, and below the email header stuff, there is an ascii-armoured portion of data. I have not yet attempted to select it all, copy, paste, decrypt, because I thought to myself, "there must be a better (read: easier) way to do this..." So, is there?
>
> The "ascii-armoured portion of data" is most likely the base64 encoded .odt attachment. Try running it through
>
>   base64 -di < "ascii-armoured portion of data" >foo.odt
>
> base64 is part of the coreutils.
>
> > I forwarded the message back to my xx at felipe1982.com address, and viewed it in kmail (which as you all know, supports cool things like pgp/mime). But it (after submitting my passphrase) will not decrypt!
>
> Hmm. No idea unless you did not make sure that the message is also encrypted with your own key.
>
> > Is this the normal behaviour of pgp/mime. I did read a little (albeit quickly and not in detail) of rfc3156 (is this the most recent?).
>
> In theory, PGP/MIME allows arbitrary complex hierarchies of signed and encrypted body parts.
>
> In practice, KMail (and probably most other PGP/MIME capable email clients) encrypt the whole message (except for the email headers) after the optional signing step, i.e. the text and all attachments. Now, if you decrypt the encrypted "attachment" in the received message, you will get something like you write above.
>
> I'm not sure what your use-case is.
> If it's for backup purposes (as indicated above), then I suggest to sign and encrypt the .odt file with KGpg and then attach this signed&encrypted attachment to a message. This message should then not be encrypted because otherwise you'll have the same situation as above. Signing the message should be okay.
>
> Regards,
> Ingo

As it turns out, the attachment was base64 encoded, and the code you asked me to run worked correctly and the file opened beautifully in Ooo again! I restarted Kmail, and this time it __did__ decrypt the message (it had failed to do this earlier). All-in-all, clients without pgp/mime are a PITA. Use ascii armour or encrypt attachments before attaching (not encryption after attaching as in pgp/mime.)

Felipe

From rjh at sixdemonbag.org  Sat May 16 16:49:41 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sat, 16 May 2009 10:49:41 -0400
Subject: problems with PGP/MIME
In-Reply-To: <200905170016.23075.webmaster@felipe1982.com>
References: <2057.130.102.44.51.1242434059.squirrel@host257.hostmonster.com> <200905161213.56202@thufir.ingo-kloecker.de> <200905170016.23075.webmaster@felipe1982.com>
Message-ID: <4A0ED285.6020603@sixdemonbag.org>

Felipe Alvarez wrote:
> As it turns out, the attachment was base64 encoded, and the code you asked me to run worked correctly and the file opened beautifully in Ooo again!

We're glad your problem has been solved. :)

However, in the future, could you please trim your quotes? I would appreciate it, as would I think many others.

From louis.capuani at gmail.com  Sat May 16 23:33:58 2009
From: louis.capuani at gmail.com (Lucio Capuani)
Date: Sat, 16 May 2009 23:33:58 +0200
Subject: There are actually two public keys?
Message-ID:

Hello everybody and thank you for reading.
I have a pretty good understanding of how asymmetric cryptography works in general. Nevertheless, the fact that GPG uses "two keys", I mean a main key and a subkey, confuses me. Are those "two keys" the private/public pair? Or it's else? The subkey is a public key (it must be); since you use it for encryption, that's the one you *publish* to the World so it can crypt stuff for you. So far so good. Now for the other key. Is that to be meant as the "private" key, since is the one that's used for signing? Since that is also the key that people do sign; I think the answer is NO, but I'm not sure. My idea is that *both of those keys are public keys*; one of those public keys is used by other to crypt stuff (the "sub", as seen above) and the other is used to VALIDATE your signature; and that's the one people do sign to acknowledge that it's yours. So, that key is public too!

If that's correct (it is?) it would be more adequate to say that gpg generates a triplet of keys rather than a pair then?; two public keys and one private. If the private is only one of course. And if I got all of this right. :-)

Please kindly enlighten me, because all the documentation browsing I did was unsuccessful for this purpose.

Thank you SO much everybody!

Lucio Capuani

From rjh at sixdemonbag.org  Sun May 17 00:41:56 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sat, 16 May 2009 18:41:56 -0400
Subject: There are actually two public keys?
In-Reply-To:
References:
Message-ID: <4A0F4134.4080307@sixdemonbag.org>

Lucio Capuani wrote:
> Nevertheless, the fact that GPG uses "two keys", I mean a main key and a subkey, confuses me. Are those "two keys" the private/public pair? Or it's else?

There are two keypairs. One keypair is used for signing, and the other is used for encrypting. The private part of the signing keypair is used to generate signatures; the public part is used to verify them.
Likewise, the private part of the encryption keypair is used to decrypt documents; the public part is used to encrypt them.

From dshaw at jabberwocky.com  Sun May 17 01:34:09 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat, 16 May 2009 19:34:09 -0400
Subject: There are actually two public keys?
In-Reply-To:
References:
Message-ID: <2A9928AB-2A3E-46B4-BD6E-C7369574855E@jabberwocky.com>

On May 16, 2009, at 5:33 PM, Lucio Capuani wrote:

> Hello everybody and thank you for reading. I have a pretty good understanding of how asymmetric cryptography works in general. Nevertheless, the fact that GPG uses "two keys", I mean a main key and a subkey, confuses me. Are those "two keys" the private/public pair? Or it's else? The subkey is a public key (it must be); since you use it for encryption, that's the one you *publish* to the World so it can crypt stuff for you. So far so good. Now for the other key. Is that to be meant as the "private" key, since is the one that's used for signing? Since that is also the key that people do sign; I think the answer is NO, but I'm not sure. My idea is that *both of those keys are public keys*; one of those public keys is used by other to crypt stuff (the "sub", as seen above) and the other is used to VALIDATE your signature; and that's the one people do sign to acknowledge that it's yours. So, that key is public too!

Exactly right. In your example, both the primary key and the subkey are public keys.

Basically, you can have multiple public/private key pairs. When people say "public key" in the OpenPGP world, they generally mean "My public primary key, and any public subkey(s)". Similarly, when people say "secret key" or "private key" in the OpenPGP world, they generally mean "My secret primary key, and any secret subkey(s)".

The common OpenPGP key of a primary key and one subkey is 2 key pairs: the public primary, and its secret, and the public subkey, and its secret.
Each additional subkey is a public/private key pair on its own.

David

From jh at jameshoward.us  Sun May 17 02:37:30 2009
From: jh at jameshoward.us (James P. Howard, II)
Date: Sat, 16 May 2009 20:37:30 -0400
Subject: There are actually two public keys?
In-Reply-To: <4A0F4134.4080307@sixdemonbag.org>
References: <4A0F4134.4080307@sixdemonbag.org>
Message-ID: <4A0F5C4A.8040104@jameshoward.us>

On Sat May 16 18:41:56 2009, Robert J. Hansen wrote:
> There are two keypairs. One keypair is used for signing, and the other is used for encrypting. The private part of the signing keypair is used to generate signatures; the public part is used to verify them. Likewise, the private part of the encryption keypair is used to decrypt documents; the public part is used to encrypt them.

Can anyone explain why there is a difference between signing and encrypting keypairs, even for the same type (RSA)?

James

--
James P. Howard, II, MPA
jh at jameshoward.us

From rjh at sixdemonbag.org  Sun May 17 03:33:10 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sat, 16 May 2009 21:33:10 -0400
Subject: There are actually two public keys?
In-Reply-To: <4A0F5C4A.8040104@jameshoward.us>
References: <4A0F4134.4080307@sixdemonbag.org> <4A0F5C4A.8040104@jameshoward.us>
Message-ID: <4A0F6956.6040309@sixdemonbag.org>

James P. Howard, II wrote:
> Can anyone explain why there is a difference between signing and encrypting keypairs, even for the same type (RSA)?

The shift from single keypairs to multiple keypairs was motivated by a lot of concerns. IMO, most of those concerns failed to materialize.

For instance, some people say that separate signing and encrypting keys is best, since if an encryption key gets compromised you can just revoke the encryption part and leave your signing key intact.
In reality, compromise tends to be an all or nothing affair: either the entire cert is suspect or it's not.

From louis.capuani at gmail.com  Sun May 17 03:14:16 2009
From: louis.capuani at gmail.com (Lucio Capuani)
Date: Sun, 17 May 2009 03:14:16 +0200
Subject: There are actually two public keys?
In-Reply-To: <4A0F5C4A.8040104@jameshoward.us>
References: <4A0F4134.4080307@sixdemonbag.org> <4A0F5C4A.8040104@jameshoward.us>
Message-ID:

Thanks David and Robert for your informative (and quick) replies. It's much more clear now. But, am I the only one to think that the documentation is pretty misleading about "pairs" of keys, and that GPG generate 'a' keypair (With gpg --gen-key a new key-pair is created...), and moreover, that one of the (actually) two generated keypairs is tagged as... "pub"?

> Can anyone explain why there is a difference between signing and encrypting keypairs, even for the same type (RSA)?

As far as I've understood from the documentation, one of the reason should be that it would be good practice to keep the signing key valid indefinitely (thus, having one that never expires so old signatures can be verified too) and renew the cryptographic one pretty often for security reason. As before, I'd love to get confirmations or denials of that ;), and if there's else about it.

Thanks so much!

--
Lucio Capuani

From dshaw at jabberwocky.com  Sun May 17 05:40:10 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat, 16 May 2009 23:40:10 -0400
Subject: There are actually two public keys?
In-Reply-To:
References: <4A0F4134.4080307@sixdemonbag.org> <4A0F5C4A.8040104@jameshoward.us>
Message-ID: <7249AE4C-852D-40A0-AF25-6598548197BA@jabberwocky.com>

On May 16, 2009, at 9:14 PM, Lucio Capuani wrote:

>> Can anyone explain why there is a difference between signing and encrypting keypairs, even for the same type (RSA)?
>
> As far as I've understood from the documentation, one of the reason should be that it would be good practice to keep the signing key valid indefinitely (thus, having one that never expires so old signatures can be verified too) and renew the cryptographic one pretty often for security reason. As before, I'd love to get confirmations or denials of that ;), and if there's else about it.

That's one of the reasons. There were actually a good few reasons for the switch at the time (the "PGP 3" timeframe, which became the PGP 5.0 product). One reason was legal, and not technical. RSA was still patented at the time, so that couldn't as easily be used. DSA was chosen, but DSA can't encrypt, which pretty much required a multiple key (primary key + subkeys) solution. In addition, though, the multiple key solution was chosen for its flexibility, as you noted. It is handy to be able to make multiple subkeys and regenerate them as needed.

One thing the multiple subkey design makes possible is to keep the primary key offline altogether, and just use subkeys for all the day to day encryption and signing needs. In this way of working, the primary key is only used for two purposes: to make new subkeys when that becomes necessary, and to sign other people's keys. When it is not in use (i.e. most of the time), the primary key is stored on separate media (say, a CD-ROM or USB stick). See the --export-secret-subkeys description in the GPG manual for more on this.

Note, though, that if you want a single key for everything, you can still do that. Generate yourself an RSA key using the --expert flag, and you can create a key that is capable of both encrypting and signing in a single key. It's unusual, and I don't recommend it, but GPG will happily use it.
David

From gpg2.20.maniams at dfgh.net  Sat May 16 17:33:19 2009
From: gpg2.20.maniams at dfgh.net (gpg2.20.maniams at dfgh.net)
Date: Sat, 16 May 2009 19:33:19 +0400
Subject: 1) How to migrate Keys from PGP to GPG 2) Is the reverse possible ?
Message-ID: <5313cd090905160833w2e3c0e3bs79ad5c712a0b4e13@mail.gmail.com>

Hi

Request list members to help me with _command_line_ tips on how to migrate keys from PGP (6.5.x CKT) to GPG 1.4.9. Is the converse possible i.e. send keys from GPG 1.4.9. to PGP (6.5.x CKT) I work on a Windows XP environment . I do _not_ use any GPG front ends....

regards
maniams

From steveo at syslang.net  Mon May 18 01:21:35 2009
From: steveo at syslang.net (Steven W. Orr)
Date: Sun, 17 May 2009 19:21:35 -0400 (EDT)
Subject: There are actually two public keys?
In-Reply-To: <7249AE4C-852D-40A0-AF25-6598548197BA@jabberwocky.com>
References: <4A0F4134.4080307@sixdemonbag.org> <4A0F5C4A.8040104@jameshoward.us> <7249AE4C-852D-40A0-AF25-6598548197BA@jabberwocky.com>
Message-ID:

On Saturday, May 16th 2009 at 23:40 -0000, quoth David Shaw:

=>On May 16, 2009, at 9:14 PM, Lucio Capuani wrote:
=>
=>> > Can anyone explain why there is a difference between signing and encrypting keypairs, even for the same type (RSA)?
=>>
=>> As far as I've understood from the documentation, one of the reason should be that it would be good practice to keep the signing key valid indefinitely (thus, having one that never expires so old signatures can be verified too) and renew the cryptographic one pretty often for security reason. As before, I'd love to get confirmations or denials of that ;), and if there's else about it.
=>
=>That's one of the reasons. There were actually a good few reasons for the switch at the time (the "PGP 3" timeframe, which became the PGP 5.0 product). One reason was legal, and not technical.
=>RSA was still patented at the time, so that couldn't as easily be used. DSA was chosen, but DSA can't encrypt, which pretty much required a multiple key (primary key + subkeys) solution. In addition, though, the multiple key solution was chosen for its flexibility, as you noted. It is handy to be able to make multiple subkeys and regenerate them as needed.
=>
=>One thing the multiple subkey design makes possible is to keep the primary key offline altogether, and just use subkeys for all the day to day encryption and signing needs. In this way of working, the primary key is only used for two purposes: to make new subkeys when that becomes necessary, and to sign other people's keys. When it is not in use (i.e. most of the time), the primary key is stored on separate media (say, a CD-ROM or USB stick). See the --export-secret-subkeys description in the GPG manual for more on this.
=>
=>Note, though, that if you want a single key for everything, you can still do that. Generate yourself an RSA key using the --expert flag, and you can create a key that is capable of both encrypting and signing in a single key. It's unusual, and I don't recommend it, but GPG will happily use it.

This is somewhat of a revelation to me, but I admit I'm a little new to this so can't claim that it's a big revelation. I have read up on the theory of asymmetric crypto and I'm comfortable with that side of it, but I'd like to learn more on the technical side, especially as it pertains specifically to gpg. I have read the GPG and PGP book by Lucas and I also read the old PGP book by Garfinkel. I look at the output of gpg2 -K and I never actually saw anything that describes what the sec, uid and ssb rows mean. I don't see a concise description of how and when the different data items are used to ref a key in a gpg command, e.g., when do I use a fingerprint? what's the proper thing to use when specifying an operation?
It's sort of analogous to knowing how to create a complex definition in C and also being able to deref it. (Most programmers, don't usually get it right when they try to distinguish between an array of ptrs to ints vs a ptr to an array of ints.) How do I make use of multiple subkeys and when and why do I want to do this? Things like that. Any suggestions?

--
Time flies like the wind. Fruit flies like a banana. Stranger things have  .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net

From Resul-Cetin at gmx.net  Fri May 15 12:30:27 2009
From: Resul-Cetin at gmx.net (Resul Cetin)
Date: Fri, 15 May 2009 12:30:27 +0200
Subject: Changing usage of master key
Message-ID: <200905151230.27573.Resul-Cetin@gmx.net>

Hi,
I generated a new RSA cert/sign key. Default is to use it as sign and cert, but I wanted to use a separated sign subkey and use the master key only for cert stuff. Is it possible to change it afterwards and how to do it? I have no fear of hex editors and unix commandline tools. My first idea is to switch a bit somewhere in a `gpg --export` and then reimport it to do a resign of the key and upload it again to a key server. Is there now a good way to move a subkey between two keys? The method described at http://atom.smasher.org/gpg/gpg-migrate.txt don't work because in the step "resign using the expire trick" doesn't work. I cannot see a usage behind the short output of the `key` command in --edit-key and when I try to save it after the resign, gpg will end with 2 as return code (I would assume that the key and its subkey wasn't saved). A export and reimport afterwards removes the "moved" key.

Can you please cc me, because I am not subscribed to the mailing list (but will look at the archives from time to time).
Best regards,
Resul Cetin

From robert.stemper at parknicollet.com  Fri May 15 18:27:46 2009
From: robert.stemper at parknicollet.com (Stemper, Robert (Bob))
Date: Fri, 15 May 2009 11:27:46 -0500
Subject: Configure error libgcrypt and libgpg-error
Message-ID: <6993ECE27A020546A47BAB2CD95FBB1F7E455139@EXVS2.master.com>

Hi. I am trying to install the GPG 2.0 package and need to first install the prereq packages, as listed in the readme.

GnuPG 2.0 depends on the following packages:

  libgpg-error (ftp://ftp.gnupg.org/gcrypt/libgpg-error/)
  libgcrypt    (ftp://ftp.gnupg.org/gcrypt/libgcrypt/)
  libksba      (ftp://ftp.gnupg.org/gcrypt/libksba/)
  libassuan    (ftp://ftp.gnupg.org/gcrypt/libassuan/)

I have just compiled and installed the libgpg-error-1.7 package (on a AIX 6.1 system -PowerPC Power6) ) . Then I tried to install the libgcrypt -1.4.4 package next, but the configure step failed with the error,

  ...
  checking whether padlock support is requested... yes
  checking for gpg-error-config... no
  checking for GPG Error - version >= 1.4... no
  configure: error: libgpg-error is needed.
  See ftp://ftp.gnupg.org/gcrypt/libgpg-error/ .

although this package did install fine, and this file is located under the default lib dir of /usr/local/lib.

Any idea?

Bob
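The sec, uid and ssb rows asked about earlier in this thread, and the primary-key/subkey split David Shaw describes, can be read off GnuPG's machine-readable listing (`gpg --list-secret-keys --with-colons`). The following is an added example, not part of any post in this thread and not GnuPG code: a parser over two constructed listings (key IDs, dates and user IDs are made up) that groups subkeys under their primary key and reports which key carries which capability. It assumes the colon format described in GnuPG's doc/DETAILS, with separate uid records: field 1 record type, field 5 key ID, field 12 capabilities, and `#` in field 15 for a secret key that is only a stub.

```python
"""Group GnuPG --with-colons key records into primary key + subkeys."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed samples in the layout of `gpg --list-secret-keys --with-colons`.
# Key IDs, dates and user IDs are made up for this example.
OFFLINE_PRIMARY = """\
sec:u:2048:17:1111111111111111:1242432000:::u:::scESC:::#:
uid:u::::1242432000::0000000000000000000000000000000000000000::Example User (a\\x3ab) <user@example.invalid>:
ssb:u:2048:16:2222222222222222:1242432000::::::e:::+:
ssb:u:2048:1:3333333333333333:1242432000:1273968000:::::s:::+:
"""
SINGLE_RSA_KEY = """\
sec:u:2048:1:4444444444444444:1242432000:::u:::escESC:::+:
uid:u::::1242432000::0000000000000000000000000000000000000000::Example Two <two@example.invalid>:
"""

ALGOS = {"1": "RSA", "16": "Elgamal", "17": "DSA"}
CAPS = {"c": "certify", "s": "sign", "e": "encrypt", "a": "authenticate"}


@dataclass
class Key:
    record: str                     # sec/pub = primary key, ssb/sub = subkey
    algo: str
    bits: int
    keyid: str
    expires: Optional[int]          # epoch seconds, None = no expiry given
    caps: frozenset                 # capabilities of this key itself
    secret_present: Optional[bool]  # None for public-only records


@dataclass
class Cert:
    primary: Key
    uids: List[str] = field(default_factory=list)
    subkeys: List[Key] = field(default_factory=list)

    def keys(self) -> List[Key]:
        return [self.primary] + self.subkeys


def _unescape(value: str) -> str:
    # Colon listings escape special characters as \xNN (':' becomes \x3a).
    return re.sub(r"\\x([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def _parse_key(f: List[str]) -> Key:
    f = f + [""] * (15 - len(f))    # tolerate short records
    secret = None
    if f[0] in ("sec", "ssb"):
        secret = f[14] != "#"       # '#': stub, secret part not in this keyring
    return Key(
        record=f[0],
        algo=ALGOS.get(f[3], "algo " + f[3]),
        bits=int(f[2] or 0),
        keyid=f[4],
        expires=int(f[6]) if f[6].isdigit() else None,
        # Lowercase letters describe this key; the uppercase letters on a
        # primary key summarise the whole certificate and are skipped here.
        caps=frozenset(CAPS[c] for c in f[11] if c in CAPS),
        secret_present=secret,
    )


def parse_listing(text: str) -> List[Cert]:
    certs: List[Cert] = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "pub"):
            certs.append(Cert(primary=_parse_key(f)))
        elif not certs:
            continue                # ignore records before the first primary
        elif f[0] in ("ssb", "sub"):
            certs[-1].subkeys.append(_parse_key(f))
        elif f[0] == "uid" and len(f) > 9:
            certs[-1].uids.append(_unescape(f[9]))
    return certs


def holders(cert: Cert, capability: str) -> List[str]:
    """Key IDs of every key in the certificate that carries `capability`."""
    return [k.keyid for k in cert.keys() if capability in k.caps]


def primary_is_offline(cert: Cert) -> bool:
    """True when only subkey secrets are present in this keyring."""
    return cert.primary.secret_present is False and any(
        k.secret_present for k in cert.subkeys)


def dual_use_keys(cert: Cert) -> List[str]:
    """Keys that both sign and encrypt, like a single all-purpose RSA key."""
    return [k.keyid for k in cert.keys() if {"sign", "encrypt"} <= k.caps]


if __name__ == "__main__":
    for listing in (OFFLINE_PRIMARY, SINGLE_RSA_KEY):
        for cert in parse_listing(listing):
            print(cert.uids[0])
            for k in cert.keys():
                print(f"  {k.record} {k.algo}{k.bits} {k.keyid} {sorted(k.caps)}")
            print("  primary offline:", primary_is_offline(cert))
            print("  sign+encrypt in one key:", dual_use_keys(cert))
```

The first listing models a keyring holding only the subkey secrets, with the primary key kept elsewhere; the second models the single sign-and-encrypt RSA key that David mentions and does not recommend.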
From jnhemley at yahoo.com  Mon May 18 03:08:40 2009
From: jnhemley at yahoo.com (jnhemley)
Date: Sun, 17 May 2009 18:08:40 -0700 (PDT)
Subject: Import Secret Key
Message-ID: <23589668.post@talk.nabble.com>

I was sent a file to decrypt. I got an error saying "secret key not available". I then tried to import a secret key from my original file. I got an error "permission Denied" along with "file rename error" and "error reading file". What am I doing wrong ?

From fpatnaikk at westpac.com.au  Mon May 18 03:05:37 2009
From: fpatnaikk at westpac.com.au (Farha Patnaikk)
Date: Mon, 18 May 2009 11:05:37 +1000
Subject: gpg: mpi too large for this implementation (20744 bits)
Message-ID:

Hi,

I am exchanging files with another party , i use Version : 7.1.1 of pgp . The party with whom i am exchanging files uses gpg. I am able to decrypt their encrypted file successfully but they are not able to decrypt my encrypted file. They get the following error message

  C:\Temp>gpg --homedir "C:\temp" --output 01.txt --decrypt testfile.dat.pgp
  gpg: mpi too large for this implementation (20744 bits)

  C:\Temp>gpg --homedir "C:\temp" --output 01.txt --openpgp --decrypt testfile.dat.pgp
  gpg: mpi too large for this implementation (20744 bits)

what could be the reason for this ??? I am not able to find any help on the internet. Please try to help me .

Thanks.

Regards,
Farha Patnaikk | Consultant | Corporate Core Projects & Technology | Westpac Banking Corporation
Level 17, 275 Kent Street, Sydney NSW 2000 Australia
Phone +61 8254 (2)7547 | fpatnaikk at westpac.com.au
From sk at intertivity.com  Mon May 18 12:19:39 2009
From: sk at intertivity.com (Sascha Kiefer)
Date: Mon, 18 May 2009 14:19:39 +0400
Subject: mpi too large for this implementation (20744 bits)
In-Reply-To:
References:
Message-ID: <007d01c9d7a2$284f76e0$78ee64a0$@com>

You may try

  gpg --print-md sha1 testfile.dat.pgp

to ensure that the file is not corrupted during transport.

HTH
Sascha

From: gnupg-users-bounces at gnupg.org [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Farha Patnaikk
Sent: Montag, 18.
Mai 2009 05:06
To: gnupg-users at gnupg.org
Subject: gpg: mpi too large for this implementation (20744 bits)

Hi,

I am exchanging files with another party , i use Version : 7.1.1 of pgp . The party with whom i am exchanging files uses gpg. I am able to decrypt their encrypted file successfully but they are not able to decrypt my encrypted file. They get the following error message

  C:\Temp>gpg --homedir "C:\temp" --output 01.txt --decrypt testfile.dat.pgp
  gpg: mpi too large for this implementation (20744 bits)

  C:\Temp>gpg --homedir "C:\temp" --output 01.txt --openpgp --decrypt testfile.dat.pgp
  gpg: mpi too large for this implementation (20744 bits)

what could be the reason for this ??? I am not able to find any help on the internet. Please try to help me .

Thanks.

Regards,
Farha Patnaikk | Consultant | Corporate Core Projects & Technology | Westpac Banking Corporation
Level 17, 275 Kent Street, Sydney NSW 2000 Australia
Phone +61 8254 (2)7547 | fpatnaikk at westpac.com.au
Westpac Institutional Bank is a division of Westpac Banking Corporation, a company registered in New South Wales in Australia under the Corporations Act 2001 (Cth). Westpac is authorised and regulated in the United Kingdom by the Financial Services Authority and is registered at Cardiff in the United Kingdom as Branch No. BR 106. Westpac operates in the United States of America as a federally chartered branch, regulated by the Office of the Comptroller of the Currency. Westpac Banking Corporation ABN 33 007 457 141. -------------- next part -------------- An HTML attachment was scrubbed... URL: From jmoore3rd at bellsouth.net Mon May 18 13:10:20 2009 From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Mon, 18 May 2009 07:10:20 -0400 Subject: Import Secret Key In-Reply-To: <23589668.post@talk.nabble.com> References: <23589668.post@talk.nabble.com> Message-ID: <4A11421C.5090001@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 jnhemley wrote: > I was sent a file to decrypt. I got an error saying "secret key not > available". I then tried to import a secret key from my original file. I got > an error "permission Denied" along wile "file rename error" and "error > reading file". What am I doing wrong ? Sounds like the 'failed/forgot' to encrypt the file to Your Key. Perhaps You should request a resend. 
JOHN ;) Timestamp: Monday 18 May 2009, 07:10 --400 (Eastern Daylight Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10-svn5005: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: https://www.gswot.org Comment: Homepage: http://tinyurl.com/yzhbhx -----END PGP SIGNATURE----- From rah at shipwright.com Mon May 18 14:45:38 2009 From: rah at shipwright.com (R.A. Hettinga) Date: Mon, 18 May 2009 08:45:38 -0400 Subject: There are actually two public keys? In-Reply-To: References: <4A0F4134.4080307@sixdemonbag.org> <4A0F5C4A.8040104@jameshoward.us> <7249AE4C-852D-40A0-AF25-6598548197BA@jabberwocky.com> Message-ID: I passed this on to Jon Callas. Here's what he came back with... Cheers, RAH ------- My apologies for top-posting, and please forward this on. I'm going to agree slightly differently with David Shaw. The reason for it is a notion of what's called "key hygiene," and that's an important concept in RSA usage. That is the notion that one should never sign with an encryption key, and never encrypt with a signing key. The reason for RSA is that every signature is a decryption, and every encryption is a signature verification. The worry is that if you use one key for both encrypting and signing, there's the possibility that something exists that corresponds to that encryption as a signature. And actually, such a thing must exist.
In the hyperbole of the time, there's the possibility that a murder confession exists that corresponds to every encryption. I'm probably not explaining it as well as others could, mostly because it's late as I write this, and it always made me roll my eyes when I heard it. The idea is arguably daft, but less so if you have weak hash functions, perhaps. Nonetheless, it does make sense that since encrypting and signing are the reverses of each other in RSA, you should just make the policy decision to use a key *either* for encrypting or signing, but not both. That's the real reason for the dual key stuff in PGP 3, and thus OpenPGP. The discrete log stuff followed, but that was events catching up with design. The DSA/Elgamal versions came very close to never being shipped. Key hygiene was the first reason for the dual key structure. Jon On May 17, 2009, at 4:32 PM, R.A. Hettinga wrote: > > > Begin forwarded message: > >> From: "Steven W. Orr" >> Date: May 17, 2009 7:21:35 PM GMT-04:00 >> To: GnuPG Users >> Subject: Re: There are actually two public keys? >> >> On Saturday, May 16th 2009 at 23:40 -0000, quoth David Shaw: >> >> =>On May 16, 2009, at 9:14 PM, Lucio Capuani wrote: >> => >> =>> > Can anyone explain why there is a difference between signing >> and >> =>> > encrypting keypairs, even for the same type (RSA)? >> =>> >> =>> As far as I've understood from the documentation, one of the >> reason >> =>> should be that it would be good practice to keep the signing >> key valid >> =>> indefinitely (thus, having one that never expires so old >> signatures >> =>> can be verified too) and renew the cryptographic one pretty >> often for >> =>> security reason. As before, I'd love to get confirmations or >> denials >> =>> of that ;), and if there's else about it. >> => >> =>That's one of the reasons. There were actually a good few >> reasons for the >> =>switch at the time (the "PGP 3" timeframe, which became the PGP >> 5.0 product). 
>> =>One reason was legal, and not technical. RSA was still patented >> at the time, >> =>so that couldn't as easily be used. DSA was chosen, but DSA >> can't encrypt, >> =>which pretty much required a multiple key (primary key + subkeys) >> solution. >> =>In addition, though, the multiple key solution was chosen for its >> flexibility, >> =>as you noted. It is handy to be able to make multiple subkeys >> and regenerate >> =>them as needed. >> => >> =>One thing the multiple subkey design makes possible is to keep >> the primary key >> =>offline altogether, and just use subkeys for all the day to day >> encryption and >> =>signing needs. In this way of working, the primary key is only >> used for two >> =>purposes: to make new subkeys when that becomes necessary, and to >> sign other >> =>people's keys. When it is not in use (i.e. most of the time), >> the primary key >> =>is stored on separate media (say, a CD-ROM or USB stick). See the >> =>--export-secret-subkeys description in the GPG manual for more on >> this. >> => >> =>Note, though, that if you want a single key for everything, you >> can still do >> =>that. Generate yourself an RSA key using the --expert flag, and >> you can >> =>create a key that is capable of both encrypting and signing in a >> single key. >> =>It's unusual, and I don't recommend it, but GPG will happily use >> it. >> >> This is somewhat of a revelation to me, but I admit I'm a little >> new to >> this so can't claim that it's a big revelation. >> >> I have read up on the theory of asymmetric crypto and I'm >> comfortable with >> that side of it, but I'd like to learn more on the technical side, >> especially as it pertains specifically to gpg. I have read the GPG >> and PGP >> book by Lucas and I also read the old PGP book by Garfinkel. >> >> I look at the output of gpg2 -K and I never actually saw anything >> that >> describes what the sec, uid and ssb rows mean. 
I don't see a concise >> description of how and when the different data items are used to >> ref a key >> in a gpg command, e.g., when do I use a fingerprint? what's the >> proper >> thing to use when specifying an operation? It's sort of analogous to >> knowing how to create a complex definition in C and also being able >> to >> deref it. (Most programmers, don't usually get it right when they >> try to >> distinguish between an array of ptrs to ints vs a ptr to an array of >> ints.) How do I make use of multiple subkeys and when and why do I >> want to >> do this? Things like that. >> >> Any suggestions? >> >> -- >> Time flies like the wind. Fruit flies like a banana. Stranger >> things have .0. >> happened but none stranger than this. Does your driver's license >> say Organ ..0 >> Donor?Black holes are where God divided by zero. Listen to me! We >> are all- 000 >> individuals! What if this weren't a hypothetical question? >> steveo at syslang.net >> >> _______________________________________________ >> Gnupg-users mailing list >> Gnupg-users at gnupg.org >> http://lists.gnupg.org/mailman/listinfo/gnupg-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 195 bytes Desc: not available URL: From christoph.anton.mitterer at physik.uni-muenchen.de Mon May 18 16:35:29 2009 From: christoph.anton.mitterer at physik.uni-muenchen.de (Christoph Anton Mitterer) Date: Mon, 18 May 2009 16:35:29 +0200 Subject: Changing usage of master key In-Reply-To: <200905151230.27573.Resul-Cetin@gmx.net> References: <200905151230.27573.Resul-Cetin@gmx.net> Message-ID: <20090518163529.13695enz88rzt5wk@webmail.physik.uni-muenchen.de> In principle it is possible by issuing new self-sigs, but gnupg doesn't support this AFAIK. Chris. ---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program. 
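Added example, not part of any message in this thread: Jon Callas's key hygiene point ("every signature is a decryption, and every encryption is a signature verification"), worked through with textbook RSA in Python. The toy primes, the function names and the absence of hashing and padding are assumptions made for illustration; OpenPGP implementations hash and pad before the RSA operation.

```python
"""Textbook RSA with toy primes: why signing and encryption keys are kept apart.

Constructed illustration only. Raw exponentiation is used so the algebra is
visible; the primes and message values below are made-up sample inputs.
"""


def make_key(p, q, e=17):
    """Build a toy RSA key from two small primes (assumed values, not real keys)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e, needs Python 3.8+
    return {"n": n, "e": e, "d": d}


def encrypt(key, m):
    """Public-key operation: m^e mod n."""
    return pow(m, key["e"], key["n"])


def decrypt(key, c):
    """Private-key operation: c^d mod n."""
    return pow(c, key["d"], key["n"])


def sign_raw(key, value):
    """Raw signature: exactly the same private-key operation as decrypt()."""
    return pow(value, key["d"], key["n"])


def verify_raw(key, value, sig):
    """Raw verification: exactly the same public-key operation as encrypt()."""
    return pow(sig, key["e"], key["n"]) == value


def hygiene_report():
    """Compare one dual-use key against separate signing and encryption keys."""
    message = 65

    # Case 1: a single key is used for both encryption and signing.
    dual = make_key(61, 53)
    ciphertext = encrypt(dual, message)
    sig_over_ciphertext = sign_raw(dual, ciphertext)

    # An arbitrary value signed and then "encrypted" comes back unchanged,
    # because encryption and verification are the same public operation.
    value = 1234
    roundtrip = encrypt(dual, sign_raw(dual, value))

    # Case 2: key hygiene. Encryption and signing use different key pairs.
    enc_key = make_key(61, 53)
    sig_key = make_key(89, 97)
    ciphertext2 = encrypt(enc_key, message)
    sig2 = sign_raw(sig_key, ciphertext2)

    return {
        "ciphertext": ciphertext,
        # With one key, a raw signature over the ciphertext IS the plaintext.
        "dual_key_reveals_plaintext": sig_over_ciphertext == message,
        "encrypt_equals_verify": roundtrip == value,
        # With separate keys the signature is still valid as a signature ...
        "separate_signature_valid": verify_raw(sig_key, ciphertext2, sig2),
        # ... but it no longer doubles as a decryption.
        "separate_keys_reveal_plaintext": sig2 == message,
    }


if __name__ == "__main__":
    for name, result in hygiene_report().items():
        print(f"{name}: {result}")
```
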
From jh at jameshoward.us Mon May 18 23:49:40 2009 From: jh at jameshoward.us (James P. Howard, II) Date: Mon, 18 May 2009 17:49:40 -0400 Subject: There are actually two public keys? In-Reply-To: References: <4A0F4134.4080307@sixdemonbag.org> <4A0F5C4A.8040104@jameshoward.us> <7249AE4C-852D-40A0-AF25-6598548197BA@jabberwocky.com> Message-ID: <4A11D7F4.2080104@jameshoward.us> On Mon May 18 08:45:38 2009, R.A. Hettinga wrote: > The reason for it is a notion of what's called "key hygiene," and > that's an important concept in RSA usage. That is the notion that one > should never sign with an encryption key, and never encrypt with a > signing key. This leads indirectly to another question: Why can't I sign someone else's key with a subkey? And on a divergent note, using the black magic described elsewhere[1], is it bad to convert a subkey into a primary key and use it to sign others? James 1. http://atom.smasher.org/gpg/gpg-migrate.txt -- James P. Howard, II, MPA jh at jameshoward.us -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 197 bytes Desc: OpenPGP digital signature URL: From dshaw at jabberwocky.com Tue May 19 01:58:08 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Mon, 18 May 2009 19:58:08 -0400 Subject: There are actually two public keys? In-Reply-To: <4A11D7F4.2080104@jameshoward.us> References: <4A0F4134.4080307@sixdemonbag.org> <4A0F5C4A.8040104@jameshoward.us> <7249AE4C-852D-40A0-AF25-6598548197BA@jabberwocky.com> <4A11D7F4.2080104@jameshoward.us> Message-ID: <0E8A6406-4685-48CF-B407-FF8451E411D4@jabberwocky.com> On May 18, 2009, at 5:49 PM, James P. Howard, II wrote: > On Mon May 18 08:45:38 2009, R.A. Hettinga wrote: > >> The reason for it is a notion of what's called "key hygiene," and >> that's an important concept in RSA usage. That is the notion that one >> should never sign with an encryption key, and never encrypt with a >> signing key. 
> > This leads indirectly to another question: Why can't I sign someone > else's key with a subkey? Signing with a subkey has a slightly different meaning than signing with a primary key. When you sign a key, you're actually signing a combination of the primary key and user ID that you chose to sign. If you signed with a subkey, you'd lose the nice symmetry of signing with the thing that your friend is also signing on your key. Rather, you'd be signing with something one "hop" away from that primary key, as the subkeys are signed by the primary. Perhaps a more immediate answer is that nobody ever implemented it. OpenPGP itself doesn't care (OpenPGP actually doesn't specify all that much about trust models and the web of trust). Historically, the web of trust was built between signatures between primaries, and that's what everyone implements today. At one point there was talk of publishing a standard for the web of trust, but there didn't seem to be much interest in it. > And on a divergent note, using the black > magic described elsewhere[1], is it bad to convert a subkey into a > primary key and use it to sign others? To do this, you have to have the key in primary key form in the (local) web of trust. If you don't, then the signatures won't be used. David From chris at chrispoole.com Tue May 19 13:32:12 2009 From: chris at chrispoole.com (Chris Poole) Date: Tue, 19 May 2009 12:32:12 +0100 Subject: SHA1 issues, generic advice for average user? Message-ID: <9b0fc5ee0905190432x3b792aceg68ef60dde050aeab@mail.gmail.com> I don't use GPG all that much, but am a little concerned with the recent SHA1 collision news. From what I've read on this list, it doesn't seem to be too much of an issue. I wonder if someone could clarify some things for me, please: 1) Is this just an issue with signatures, or does it impact the encryption resistance? 2) I don't want to lose my current keys, as I have many files that I have encrypted.
Will changing the default hash with the setpref command in the edit menu (to something like SHA512) help, at all? Essentially, should an average user of GPG be doing anything? If, after people have thought about this issue and better hashes are recommended, will that require current keys to be discarded? (My key is 1024D with 4096g subkey, if that makes any difference.) Thanks. -------------- next part -------------- An HTML attachment was scrubbed... URL: From jh at jameshoward.us Tue May 19 19:46:58 2009 From: jh at jameshoward.us (James P. Howard, II) Date: Tue, 19 May 2009 13:46:58 -0400 Subject: There are actually two public keys? In-Reply-To: <0E8A6406-4685-48CF-B407-FF8451E411D4@jabberwocky.com> References: <4A0F4134.4080307@sixdemonbag.org> <4A0F5C4A.8040104@jameshoward.us> <7249AE4C-852D-40A0-AF25-6598548197BA@jabberwocky.com> <4A11D7F4.2080104@jameshoward.us> <0E8A6406-4685-48CF-B407-FF8451E411D4@jabberwocky.com> Message-ID: <4A12F092.3020803@jameshoward.us> On Mon May 18 19:58:08 2009, David Shaw wrote: > Signing with a subkey has a slightly different meaning than signing with > a primary key. When you sign a key, you're actually signing a > combination of the primary key and user ID that you chose to sign. If > you signed with a subkey, you'd lose the nice symmetry of signing with > the thing that your friend is also signing on your key. Rather, you'd > be signing with something one "hop" away from that primary key, as the > subkeys are signed by the primary. > > Perhaps a more immediate answer is that nobody ever implemented it. > OpenPGP itself doesn't care (OpenPGP actually doesn't specify all that > much about trust models and the web of trust). Historically, the web of > trust was built between signatures between primaries, and that's what > everyone implements today. At one point there was talk of publishing a > standard for the web of trust, but there didn't seem to be much interest > in it. 
This is fascinating and I need to think about that a bit. >> And on a divergent note, using the black >> magic described elsewhere[1], is it bad to convert a subkey into a >> primary key and use it to sign others? > > To do this, you have to have the key in primary key form in the (local) > web of trust. If you don't, then the signatures won't be used. Well, I did succeed in doing it last night as a test. So I guess the bigger question, is it poor etiquette? James -- James P. Howard, II, MPA jh at jameshoward.us -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 197 bytes Desc: OpenPGP digital signature URL: From dshaw at jabberwocky.com Wed May 20 02:19:17 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Tue, 19 May 2009 20:19:17 -0400 Subject: There are actually two public keys? In-Reply-To: <4A12F092.3020803@jameshoward.us> References: <4A0F4134.4080307@sixdemonbag.org> <4A0F5C4A.8040104@jameshoward.us> <7249AE4C-852D-40A0-AF25-6598548197BA@jabberwocky.com> <4A11D7F4.2080104@jameshoward.us> <0E8A6406-4685-48CF-B407-FF8451E411D4@jabberwocky.com> <4A12F092.3020803@jameshoward.us> Message-ID: <2518858D-3B32-452C-A35B-F4D80F977BDC@jabberwocky.com> On May 19, 2009, at 1:46 PM, James P. Howard, II wrote: >>> And on a divergent note, using the black >>> magic described elsewhere[1], is it bad to convert a subkey into a >>> primary key and use it to sign others? >> >> To do this, you have to have the key in primary key form in the >> (local) >> web of trust. If you don't, then the signatures won't be used. > > Well, I did succeed in doing it last night as a test. So I guess the > bigger question, is it poor etiquette? I wouldn't think so. The rest of the world will likely never even notice that you're doing it, and the only person who you can really hurt here is yourself. At worst, you'd be denying other people the use of some key signatures that you made. 
David From webmaster at felipe1982.com Wed May 20 14:23:30 2009 From: webmaster at felipe1982.com (Felipe Alvarez) Date: Wed, 20 May 2009 22:23:30 +1000 Subject: gpg: mpi too large for this implementation (20744 bits) In-Reply-To: References: Message-ID: <200905202223.41310.webmaster@felipe1982.com> On Mon, 18 May 2009 11:05:37 Farha Patnaikk wrote: > C:\Temp>gpg --homedir "C:\temp" --output 01.txt --decrypt testfile.dat.pgp > gpg: mpi too large for this implementation (20744 bits) > > C:\Temp>gpg --homedir "C:\temp" --output 01.txt --openpgp --decrypt > testfile.dat > .pgp > gpg: mpi too large for this implementation (20744 bits) Is the recipient able to verify your signature? Felipe -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 258 bytes Desc: This is a digitally signed message part. URL: From kaustubh.gadkari at gmail.com Wed May 20 17:13:50 2009 From: kaustubh.gadkari at gmail.com (kaustubh.gadkari at gmail.com) Date: Wed, 20 May 2009 09:13:50 -0600 (MDT) Subject: gpgme does not find key for user after setuid() Message-ID: Hi, I have a signer, that I run as root, but which drops privileges to a user 'A', using setuid(). I run the signer with the command below: ./simple-signer 'name of key' 'data to sign' A When run like this, the signer does not find the key for user A. If I run the signer as user A: ./simple-signer 'name of key' 'data to sign' gpgme finds the key. Any pointers as to why this happens would be appreciated. Thanks, Kaustubh -- Kaustubh Gadkari kaustubh [dot] gadkari [at] gmail [dot] com -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 270 bytes Desc: OpenPGP digital signature URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: simple-signer.cc Type: text/x-c++src Size: 5419 bytes Desc: not available URL: From arizonagroovejet at gmail.com Wed May 20 21:00:42 2009 From: arizonagroovejet at gmail.com (mike _) Date: Wed, 20 May 2009 20:00:42 +0100 Subject: Can't enter passphrase in su session. Message-ID: <5f65ad900905201200w3012e06fid8d1ff007dc8e3b6@mail.gmail.com> I have an account, bob, on a machine that is used for building rpms and then creating and signing a repository. If I log in to the machine as bob via ssh and run $ gpg -a --detach-sign somedir/repodata/repomd.xml then all is well. As the bob account will be used by multiple people I want to block ssh logins for bob and have people log in via ssh with their own account and use 'su -' to become the user. This then leaves a trail in the log of who became bob when. But, if I log in to the machine as myself, then do $ su - bob Then run $ gpg -a --detach-sign somedir/repodata/repomd.xml I get gpg: using PGP trust model gpg: key B97DE878: accepted as trusted key You need a passphrase to unlock the secret key for user: "Bob" 4096-bit RSA key, ID B97DE878, created 2009-05-19 can't connect to `/home/bob/.gnupg/S.gpg-agent': No such file or directory gpg: no running gpg-agent - starting one gpg-agent[29808]: command get_passphrase failed: Operation cancelled gpg: cancelled by user gpg: no default secret key: General error gpg: signing failed: General error I'm never given a chance to enter the passphrase, gpg just declares failure and tells me I canceled the operation. Which I didn't. I've compared the output of 'env' for both an ssh login session and 'su -' session and apart from a few variables relating to ssh, they're the same. There must be something different about the sessions that explains why I'm never given a chance to enter the passphrase in the 'su -' session, but I'm at a loss as to what. 
I did try searching the mailing lists and Google, but 'su' results in an huge amount of (at least seemingly) irrelevant hits, so I gave up fairly quickly! Can anyone offer any insight in this issue? thanks, mike From cbabcock at kolonelpanic.com Wed May 20 23:36:48 2009 From: cbabcock at kolonelpanic.com (Chris Babcock) Date: Wed, 20 May 2009 14:36:48 -0700 Subject: Can't enter passphrase in su session. In-Reply-To: <5f65ad900905201200w3012e06fid8d1ff007dc8e3b6@mail.gmail.com> References: <5f65ad900905201200w3012e06fid8d1ff007dc8e3b6@mail.gmail.com> Message-ID: <20090520143648.07b74643@mail.asciiking.com> On Wed, 20 May 2009 20:00:42 +0100 mike _ wrote: > Can anyone offer any insight in this issue? http://www.joshstaiger.org/archives/2005/07/bash_profile_vs.html In .bash_profile, you will have something *like* this: if test -f $HOME/.gpg-agent-info && kill -0 `cut -d: -f 2 $HOME/.gpg-agent-info`\ 2>/dev/null; then GPG_AGENT_INFO=`cat $HOME/.gpg-agent-info` export GPG_AGENT_INFO else eval `/usr/bin/gpg-agent --daemon` echo $GPG_AGENT_INFO >$HOME/.gpg-agent-info fi You *may* have something like this: if [ -f /etc/bashrc ]; then . /etc/bashrc fi The code to launch gpg-agent needs to be in .bashrc if you want it to execute for su users. If your .bash_profile executes your .bashrc as above then you can remove the definition from .bash_profile. Chris Babcock -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 489 bytes Desc: not available URL: From steveo at syslang.net Thu May 21 00:31:23 2009 From: steveo at syslang.net (Steven W. Orr) Date: Wed, 20 May 2009 18:31:23 -0400 (EDT) Subject: Can't enter passphrase in su session. 
In-Reply-To: <5f65ad900905201200w3012e06fid8d1ff007dc8e3b6@mail.gmail.com> References: <5f65ad900905201200w3012e06fid8d1ff007dc8e3b6@mail.gmail.com> Message-ID: On Wednesday, May 20th 2009 at 15:00 -0000, quoth mike _: =>I have an account, bob, on a machine that is used for building rpms =>and then creating and signing a repository. => =>If I log in to the machine as bob via ssh and run => =>$ gpg -a --detach-sign somedir/repodata/repomd.xml => =>then all is well. => =>As the bob account will be used by multiple people I want to block ssh =>logins for bob and have people log in via ssh with their own account =>and use 'su -' to become the user. This then leaves a trail in the log =>of who became bob when. But, if I log in to the machine as myself, =>then do => =>$ su - bob => =>Then run => =>$ gpg -a --detach-sign somedir/repodata/repomd.xml => =>I get => =>gpg: using PGP trust model =>gpg: key B97DE878: accepted as trusted key => =>You need a passphrase to unlock the secret key for =>user: "Bob" =>4096-bit RSA key, ID B97DE878, created 2009-05-19 => =>can't connect to `/home/bob/.gnupg/S.gpg-agent': No such file or directory =>gpg: no running gpg-agent - starting one =>gpg-agent[29808]: command get_passphrase failed: Operation cancelled =>gpg: cancelled by user =>gpg: no default secret key: General error =>gpg: signing failed: General error => =>I'm never given a chance to enter the passphrase, gpg just declares =>failure and tells me I canceled the operation. Which I didn't. => =>I've compared the output of 'env' for both an ssh login session and =>'su -' session and apart from a few variables relating to ssh, they're =>the same. => =>There must be something different about the sessions that explains why =>I'm never given a chance to enter the passphrase in the 'su -' =>session, but I'm at a loss as to what. 
=> =>I did try searching the mailing lists and Google, but 'su' results in =>an huge amount of (at least seemingly) irrelevant hits, so I gave up =>fairly quickly! => =>Can anyone offer any insight in this issue? I'm going to take a stab at this one. If I'm wrong then I expect to be suitably chastised. It seems like you need to read the man page on gpg-agent to make sure that whether you log in directly, via su or via ssh, that the GPG_AGENT_INFO variable be properly set. If you log in via X then you probably have the variable set as part of your session. su will prevent that env var from being passed through by default. That is configurable by using -m or by using sudo instead of su and suitably configuring your sudoers file. Also, ssh can be configured to set the variable, but you probably just want to do it in your .bash_profile dependent on how DISPLAY is set. -- Time flies like the wind. Fruit flies like a banana. Stranger things have .0. happened but none stranger than this. Does your driver's license say Organ ..0 Donor?Black holes are where God divided by zero. Listen to me! We are all- 000 individuals! What if this weren't a hypothetical question? steveo at syslang.net From allen.schultz at gmail.com Thu May 21 11:35:44 2009 From: allen.schultz at gmail.com (Allen Schultz) Date: Thu, 21 May 2009 03:35:44 -0600 Subject: Key Transition Letter 2009-05-21 In-Reply-To: <3f34f8420905210234l7e21e2fn758456f155f9743c@mail.gmail.com> References: <3f34f8420905210234l7e21e2fn758456f155f9743c@mail.gmail.com> Message-ID: <3f34f8420905210235y1bb6b6f8sca6b9104776fa0d1@mail.gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256,SHA1 For the reason of SHA1 issues in the news, I've recently set up a new OpenPGP key, and will be transitioning away from my old one. The old key will continue to be valid for some time, but I prefer all future correspondence to come to the new one. I would also like this new key to be re-integrated into the web of trust.
This message is signed by both keys to certify the transition.
The old key was:
pub   1024D/EE79C636 2009-04-24
      Key fingerprint = 0DC0 D8F6 A3A7 C107 59C4  1512 579A F712 EE79 C636
uid                  Allen Schultz
uid                  [jpeg image of size 6128]
sub   2048g/762B1E36 2009-04-24
And the new key is:
pub   3072R/DAD4736B 2009-05-20
      Key fingerprint = 16AD EFE1 D68F C8A8 B086  68CD 1A35 85C7 DAD4 736B
uid                  Allen Schultz (aldaek)
sub   2048R/F55651E0 2009-05-20 [expires: 2010-05-20]
sub   2048R/5687B83E 2009-05-20 [expires: 2010-05-20]
To fetch my new key from a public key server, you can simply do:
  gpg --keyserver pgp.mit.edu --recv-key DAD4736B
If you already know my old key, you can now verify that the new key is signed by the old one:
  gpg --check-sigs DAD4736B
If you don't already know my old key, or you just want to be double extra paranoid, you can check the fingerprint against the one above:
  gpg --fingerprint DAD4736B
If you are satisfied that you've got the right key, and the UIDs match what you expect, I'd appreciate it if you would sign my key:
  gpg --sign-key DAD4736B
Lastly, if you could upload these signatures, I would appreciate it. You can either send me an e-mail with the new signatures (if you have a functional MTA on your system):
  gpg --armor --export DAD4736B | mail -s 'OpenPGP Signatures' allen.schultz at gmail.com
Or you can just upload the signatures to a public keyserver directly:
  gpg --keyserver pgp.mit.edu --send-key DAD4736B
Please let me know if there is any trouble, and sorry for the inconvenience.
Regards,
   --ads
PS: Transition Letter idea copied from dkg (http://fifthhorseman.net/key-transition-2007-06-15.txt).
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) - GPGshell v3.72 -----END PGP SIGNATURE----- -- Allen Schultz From Resul-Cetin at gmx.net Mon May 18 16:46:02 2009 From: Resul-Cetin at gmx.net (Resul Cetin) Date: Mon, 18 May 2009 16:46:02 +0200 Subject: Changing usage of master key In-Reply-To: <20090518163529.13695enz88rzt5wk@webmail.physik.uni-muenchen.de> References: <200905151230.27573.Resul-Cetin@gmx.net> <20090518163529.13695enz88rzt5wk@webmail.physik.uni-muenchen.de> Message-ID: <200905181646.03701.Resul-Cetin@gmx.net> On Monday 18 May 2009 16:35:29 Christoph Anton Mitterer wrote: > In principle it is possible by issuing new self-sigs, but gnupg > doesn't support this AFAIK. Does there exist another program to do this (I won't tell anyone ;) )? The PGP Desktop applications doesn't seem to be able to do anything advanced. I will look at the gnupg source code to try to find the correct section to manipulate the usage. But the info that it can be handled by a new self signature helps a lot. Now I know that it doesn't get ignored by the information stored on the key server.
Thanks Regards, Resul Cetin From Resul-Cetin at gmx.net Mon May 18 17:47:29 2009 From: Resul-Cetin at gmx.net (Resul Cetin) Date: Mon, 18 May 2009 17:47:29 +0200 Subject: Changing usage of master key In-Reply-To: <200905181646.03701.Resul-Cetin@gmx.net> References: <200905151230.27573.Resul-Cetin@gmx.net> <20090518163529.13695enz88rzt5wk@webmail.physik.uni-muenchen.de> <200905181646.03701.Resul-Cetin@gmx.net> Message-ID: <200905181747.29784.Resul-Cetin@gmx.net> On Monday 18 May 2009 16:46:02 Resul Cetin wrote: > On Monday 18 May 2009 16:35:29 Christoph Anton Mitterer wrote: > > In principle it is possible by issuing new self-sigs, but gnupg > > doesn't support this AFAIK. > > I will look at the gnupg source code to try to find the correct section to > manipulate the usage. But the info that it can be handled by a new self > signature helps a lot. Now I know that it doesn't get ignored by the > information stored on the key server. Thanks Ok, it was quite easy to do (not clean, but it could be done in a fast and hackish way). Just searched for gnupg-1.4.9/g10/getkey.c:parse_key_usage and changed p to non-const and always set "(*p) &=~2;". Afterwards I started my new compiled hackish-gpg --edit-key and set the expire of my master key. After this procedure I had only the Cert flag set. Thanks Christoph - you are my personal hero of the day :) Regards, Resul Cetin From Resul-Cetin at gmx.net Mon May 18 18:47:29 2009 From: Resul-Cetin at gmx.net (Resul Cetin) Date: Mon, 18 May 2009 18:47:29 +0200 Subject: Changing usage of master key In-Reply-To: <200905151230.27573.Resul-Cetin@gmx.net> References: <200905151230.27573.Resul-Cetin@gmx.net> Message-ID: <200905181847.29456.Resul-Cetin@gmx.net> On Friday 15 May 2009 12:30:27 Resul Cetin wrote: > Is there now a good way to move a subkey between two keys? The method > described at http://atom.smasher.org/gpg/gpg-migrate.txt don't work because > in the step "resign using the expire trick" doesn't work. 
I cannot see a > usage behind the short output of the `key` command in --edit-key and when I > try to save it after the resign, gpg will end with 2 as return code (I > would assume that the key and its subkey wasn't saved). A export and > reimport afterwards removes the "moved" key. Just removed the do_check for sig->sig_class == 0x18 in sig- check.c:check_key_signature2 and it worked. Please never ever do that at home. Best regards, Resul Cetin From pawelzuk0 at gmail.com Wed May 20 11:25:21 2009 From: pawelzuk0 at gmail.com (=?ISO-8859-2?Q?Pawe=B3_=AFuk?=) Date: Wed, 20 May 2009 11:25:21 +0200 Subject: GNUPG 1.2.1 problem Message-ID: <4A13CC81.4020800@gmail.com> I use gnupg 1.2.1 version For same cases during decrypting I receive: gpg: encrypted with 2048-bit RSA key, ID 453733BB, created 2006-02-13 "Comapny (User) " gpg: md_enable: algorithm 8 not available gpg: Signature made Tue May 19 16:10:09 2009 CEST using RSA key ID FD947F6A gpg: Can't check signature: unknown digest algorithm There is any possibility to skip this error. I can not upgrade my current version of gnupg Regards, Pawe? From FZaporozhets at medgate.com Wed May 20 19:53:47 2009 From: FZaporozhets at medgate.com (Fayina Zaporozhets) Date: Wed, 20 May 2009 13:53:47 -0400 Subject: Question from GPG Message-ID: Good afternoon, I have one problem encrypting the file using gnupg. When I run: cmd/c c:\gnu\GnuPG\gpg --homedir C:\GNU\GnuPG\pubrings\ --yes -e -r "E3655B17" Medgate_LeaveOgAbsenceStatus_2009-05-20.csv 2>errors.txt I'm getting the question: pub 2048g/5A85DEB2 2008-07-14 Schneider B2B Services - UAT/Training (UAT and Training Key.) Primary key fingerprint: C2C0 304A E23A D0F5 2911 AE4F 0EBD 3829 E365 5B17 Subkey fingerprint: 40F1 EC5E 7BD0 B69B F0A2 96DC 4CF4 BFE6 5A85 DEB2 It is NOT certain that the key belongs to the person named in the user ID. If you *really* know what you are doing, you may answer the next question with yes. Use this key anyway? 
(y/N)

I did trust and signed the key before:

C:\GNU\GnuPG>gpg --edit-key E3655B17
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub 1024D/E3655B17 created: 2008-07-14 expires: 2018-07-12 usage: SC
                   trust: ultimate validity: ultimate
sub 2048g/5A85DEB2 created: 2008-07-14 expires: 2018-07-12 usage: E
[ultimate] (1). Schneider B2B Services - UAT/Training (UAT and Training Key.)

C:\GNU\GnuPG>gpg --sign-key E3655B17

pub 1024D/E3655B17 created: 2008-07-14 expires: 2018-07-12 usage: SC
                   trust: ultimate validity: ultimate
sub 2048g/5A85DEB2 created: 2008-07-14 expires: 2018-07-12 usage: E
[ultimate] (1). Schneider B2B Services - UAT/Training (UAT and Training Key.)

"Schneider B2B Services - UAT/Training (UAT and Training Key.) " was already signed by key 0CA9461C
Nothing to sign with key 0CA9461C

Key not changed so no update needed.

What could be a problem? Doing a Google search didn't really shed any new
light on this either. I need to schedule automatic process and this
confirmation question does not let me do it.

I'll appreciate any advice.

Thanks,
Fayina
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From arizonagroovejet at gmail.com Thu May 21 12:39:21 2009
From: arizonagroovejet at gmail.com (mike _)
Date: Thu, 21 May 2009 11:39:21 +0100
Subject: Can't enter passphrase in su session.
In-Reply-To:
References: <5f65ad900905201200w3012e06fid8d1ff007dc8e3b6@mail.gmail.com>
Message-ID: <5f65ad900905210339i501a2f4co7a97612c9215eccb@mail.gmail.com>

2009/5/20 Chris Babcock :
>
> In .bash_profile, you will have something *like* this:
> if test -f $HOME/.gpg-agent-info && kill -0 `cut -d: -f 2
> [cut]

Nothing like that

bob at foo:~> grep -ir gpg-agent /etc/bash* 2>/dev/null
bob at foo:~> grep -ir gpg-agent /etc/profile* 2>/dev/null
bob at foo:~>

Nothing in ~/.bash* or ~/.profile* either.
2009/5/20 Steven W. Orr :
>
> If you log in via X

I don't. Never have. The machine doesn't have X installed.

Both the replies so far have made me realise that I'm guilty of
neglecting to include some relevant info.

When logged in via ssh, the session in which I do get prompted to
enter the passphrase, the output is as follows.

gpg: using PGP trust model
gpg: key B97DE878: accepted as trusted key

You need a passphrase to unlock the secret key for
user: "Bob"
4096-bit RSA key, ID B97DE878, created 2009-05-19

can't connect to `/home/bob/.gnupg/S.gpg-agent': No such file or directory
gpg: no running gpg-agent - starting one

[I am prompted to enter my passphrase via some sort of ncurses
interface. From output of strace it appears to be
/usr/bin/pinentry-curses]

File `/home/bob/rpmbuild/RPMS//repodata/repomd.xml.asc' exists. Overwrite? (y/N) y
gpg: writing to `/home/bob/rpmbuild/RPMS//repodata/repomd.xml.asc'
gpg: RSA/SHA1 signature from: "B97DE878 Bob"

The "can't connect to `/home/bob/.gnupg/S.gpg-agent': No such file or
directory" message appears in both sessions. Hence the appearance of
this message does not appear to be related to my not being prompted to
enter the passphrase.

Also GPG_AGENT_INFO is not set in either the ssh or su sessions. Hence
it being set up properly or otherwise does not appear to be relevant
to my not being prompted to enter the passphrase in a su session.

Further investigation today reveals:

If I dump the output of env in the ssh session and in the su session
to files and then run diff I get

bob at foo:~> diff /tmp/env_ssh /tmp/env_su
8d7
< TERM=xterm
9a9
> TERM=xterm
12d11
< SSH_CLIENT=XXX.XXX.XXX.XXX 56278 22
15d13
< SSH_TTY=/dev/pts/0
26c24
< MAIL=/var/mail/bob
---
> MAIL=/var/spool/mail/bob
29d26
< SSH_SENDS_LOCALE=yes
47d43
< SSH_CONNECTION=XXX.XXX.XXX.XXX 56278 YYY.YYY.YYY.YYY 22

SSH_TTY is set in the ssh session but not the su session. Setting it
in the su session to the value it's set for by the user that ran su
doesn't help. (I.e.
if I log in via ssh then check the value of SSH_TTY, su to bob
then set SSH_TTY to that value.)

When bob logs in, via ssh or via su, no gpg-agent process is started.
Under both sessions, after the attempt is made to sign a file, no
gpg-agent process is running. So when gpg says "gpg: no running
gpg-agent - starting one" presumably it starts one then kills it again
after the passphrase entry.

Under the su session, if I start a gpg-agent process manually I get this:

bob at foo:~> eval $(gpg-agent --daemon)
bob at foo:~> ps aux | grep gpg
bob 356 0.0 0.0 4016 480 ? Ss 11:14 0:00 gpg-agent --daemon
bob 358 0.0 0.0 3232 728 pts/0 S+ 11:14 0:00 grep gpg
bob at foo:~> echo $GPG_AGENT_INFO
/tmp/gpg-K81hbj/S.gpg-agent:356:1
bob at foo:~> gpg -a --detach-sign ~/rpmbuild/RPMS/repodata/repomd.xml

You need a passphrase to unlock the secret key for
user: "Bob"
4096-bit RSA key, ID B97DE878, created 2009-05-19

gpg: cancelled by user
gpg: no default secret key: General error
gpg: signing failed: General error

Again I'm not prompted to enter the passphrase.

So maybe the problem is that under su, gpg-agent fails to launch
/usr/bin/pinentry (which in turn decides whether to launch
pinentry-curses, or a QT or GTK equivalent). If I run gpg under strace
and look through the output there is no mention of /usr/bin/pinentry
being called, but there is in the ssh session. Why no attempt is to
launch /usr/bin/pinentry though I have not been able to determine.

thanks,

mike

From shavital at mac.com Thu May 21 13:28:30 2009
From: shavital at mac.com (Charly Avital)
Date: Thu, 21 May 2009 07:28:30 -0400
Subject: Key Transition Letter 2009-05-21
In-Reply-To: <3f34f8420905210235y1bb6b6f8sca6b9104776fa0d1@mail.gmail.com>
References: <3f34f8420905210234l7e21e2fn758456f155f9743c@mail.gmail.com>
	<3f34f8420905210235y1bb6b6f8sca6b9104776fa0d1@mail.gmail.com>
Message-ID: <4A153ADE.80408@mac.com>

Allen Schultz wrote the following on 5/21/09 5:35 AM:
[...]
>
> Please let me know if there is any trouble, and sorry for the
> inconvenience.
[...]

No inconvenience.
Results of signature verification and key usage:

-----BEGIN GPG OUTPUT-----
gpg: Signature made Thu May 21 05:34:13 2009 EDT using RSA key ID F55651E0
gpg: BAD signature from "Allen Schultz (aldaek) "
-----END GPG OUTPUT-----

$ gpg --edit-key F55651E0
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub 3072R/DAD4736B created: 2009-05-20 expires: never usage: SC
                   trust: unknown validity: unknown
sub 2048R/F55651E0 created: 2009-05-20 expires: 2010-05-20 usage: S
sub 2048R/5687B83E created: 2009-05-20 expires: 2010-05-20 usage: E
[ unknown] (1). Allen Schultz (aldaek)
[ unknown] (2) [jpeg image of size 6128]

Command> check
uid Allen Schultz (aldaek)
sig!3 DAD4736B 2009-05-20 [self-signature]
sig! EE79C636 2009-05-20 Allen Schultz
uid [jpeg image of size 6128]
sig!3 DAD4736B 2009-05-20 [self-signature]

To sum up (as far as I can sum up).
1. Your message (who shows in the PGP headers both SHA1 and SHA256)
shows that signature has been done using the signing subkey F55651E0 of
primary key DAD4736B.

2. Signature does not verify. Your photo file can be displayed.

3. Your primary key DAD4736B has been signed using EE79C636 (as you said
it would be):

$ gpg --edit-key EE79C636
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub 1024D/EE79C636 created: 2009-04-24 expires: never usage: SC
                   trust: unknown validity: unknown
sub 2048g/762B1E36 created: 2009-04-24 expires: never usage: E
[ unknown] (1). Allen Schultz

Command> check
uid Allen Schultz
sig!3 EE79C636 2009-04-24 [self-signature]

4.
I cannot sign your key, not because I am double extra paranoid or
even simple basic paranoid (which I am), but because I don't know you, I
can't ascertain that you are who you claim to be, or that the above key
or keys belong to you.

There are some basic rules to the Web of Trust.

Best regards,
Charly

From mail at 404not-found.de Thu May 21 15:01:30 2009
From: mail at 404not-found.de (Raimar Sandner)
Date: Thu, 21 May 2009 15:01:30 +0200
Subject: Question from GPG
Message-ID: <200905211501.31042.mail@404not-found.de>

On Wednesday 20 May 2009 19:53:47 Fayina Zaporozhets wrote:
> I did trust and signed the key before:
>
>
>
> C:\GNU\GnuPG>gpg --edit-key E3655B17
>
> gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
>
> This is free software: you are free to change and redistribute it.
>
> There is NO WARRANTY, to the extent permitted by law.
>
>
> pub 1024D/E3655B17 created: 2008-07-14 expires: 2018-07-12 usage: SC
>
> trust: ultimate validity: ultimate
>
> sub 2048g/5A85DEB2 created: 2008-07-14 expires: 2018-07-12 usage: E
>
> [ultimate] (1). Schneider B2B Services - UAT/Training (UAT and Training
> Key.)

From mail at 404not-found.de Thu May 21 15:15:18 2009
From: mail at 404not-found.de (Raimar Sandner)
Date: Thu, 21 May 2009 15:15:18 +0200
Subject: Key Transition Letter 2009-05-21
Message-ID: <200905211515.23209.mail@404not-found.de>

Hello

On Thursday 21 May 2009 11:35:44 Allen Schultz wrote:
> For the reason of SHA1 issues in the news, I've recently set up
> a new OpenPGP key, and
> will be transitioning away from my old one.

> This message is signed by
> both keys to certify the
> transition.

I have not received signatures with your mail, but Charly's reply implicates
that there is a signature, though it does not validate.
I have switched to a
new mail system, I hope it does not strip away signatures :-/

> If you already know my old key, you can now verify that the new
> key is
> signed by the old one:
>
> gpg --check-sigs DAD4736B

I believe (and I think others do too) it is good praxis to not sign new keys
even if you have signed the old one and the new key is signed by the old one,
without personally checking with the keyholder first. After all, the new key
could have been compromised.

> If you don't already know my old key, or you just want to be
> double
> extra paranoid, you can check the fingerprint against the one
> above:
>
> gpg --fingerprint DAD4736B

If someone does _not_ know the old key, checking the fingerprint against an
untrusted source like an eMail is certainly not enough. It is crucial for the
web of trust that key/UID combinations are only signed after the fingerprint
has been confirmed by the keyholder in person, and the UID has been checked
against an official identification.

I think the best way to have your new key integrated in the web of trust is to
visit a keysigning party, or to look up key signers in your area at
biglumber.com.

Raimar
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL:

From mail at 404not-found.de Thu May 21 15:31:17 2009
From: mail at 404not-found.de (Raimar Sandner)
Date: Thu, 21 May 2009 15:31:17 +0200
Subject: Key Transition Letter 2009-05-21
In-Reply-To: <200905211515.23209.mail@404not-found.de>
References: <200905211515.23209.mail@404not-found.de>
Message-ID: <200905211531.21250.mail@404not-found.de>

On Thursday 21 May 2009 15:15:18 Raimar Sandner wrote:
> I believe (and I think others do too) it is good praxis to not sign new keys
> even if you have signed the old one and the new key is signed by the old
> one, without personally checking with the keyholder first.
After all, the
> new key could have been compromised.

After all the _old_ key could have been compromised, that is what I meant :)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL:

From rjh at sixdemonbag.org Thu May 21 16:59:21 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 21 May 2009 10:59:21 -0400
Subject: AW: Re: laying groundwork for an eventual migration away from SHA1 with gpg
In-Reply-To:
References:
Message-ID: <4A156C49.2040909@sixdemonbag.org>

This subject is increasingly off-topic for -devel. I've cc'd this
message to -users; let's see if we can't move the thread there.

Niels Dettenbach wrote:
> Hmmm, Keysigning parties makes sense if they strictly follow serious
> procedures and requirements - but can't give a 100% security (as the
> most other identity checks too). Even a Passport could be modified or
> cheated.

With a high-quality forged passport I can not only travel -- I can also
vote, run for (most) public offices, get utilities in my name, open bank
accounts, and so on. Those secondary pieces of documentation won't be
forgeries, they'll be real -- and once I have them, I destroy my forged
passport and settle into my new assumed identity.

If the attacker is smart enough and savvy enough to get a high-quality
forged passport, there's no way they'll present it for inspection to
someone who's actively looking for a forged passport. They'll present
their real (obtained illegally and containing incorrect information, but
quite real) identity documents instead.

Further, you won't find 100% security anywhere. Pursuing it is an
ephemera. You won't get there, and if you obsess over it your obsession
will ultimately hurt your security.
From dshaw at jabberwocky.com Thu May 21 18:00:40 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 21 May 2009 12:00:40 -0400
Subject: GNUPG 1.2.1 problem
In-Reply-To: <4A13CC81.4020800@gmail.com>
References: <4A13CC81.4020800@gmail.com>
Message-ID: <1BE5A7AF-80E3-481E-9A34-6E7915DE6591@jabberwocky.com>

On May 20, 2009, at 5:25 AM, Paweł Żuk wrote:

> I use gnupg 1.2.1 version
> For same cases during decrypting I receive:
>
> gpg: encrypted with 2048-bit RSA key, ID 453733BB, created
> 2006-02-13 "Comapny (User) " gpg:
> md_enable: algorithm 8 not available
> gpg: Signature made Tue May 19 16:10:09 2009 CEST using RSA key ID
> FD947F6A
> gpg: Can't check signature: unknown digest algorithm
> There is any possibility to skip this error.

Yes. If you use the --skip-verify option to GPG, it will do the
decryption step, but not do the verification step.

Note, though, that may not be what you want if the signature over the
data is important to you. In that case, you must either upgrade or
ask the person sending you the message to use a digest algorithm that
you can handle. You can get a list of digests that you can handle by
typing "gpg --version". The "Hash" list is what you can handle.

> I can not upgrade my current version of gnupg

"Algorithm 8" is SHA-256. Those folks who want a switchover to
SHA-256, pay attention :)

David

From steveo at syslang.net Thu May 21 19:19:44 2009
From: steveo at syslang.net (Steven W. Orr)
Date: Thu, 21 May 2009 13:19:44 -0400 (EDT)
Subject: Can't enter passphrase in su session.
In-Reply-To: <20090520143648.07b74643@mail.asciiking.com>
References: <5f65ad900905201200w3012e06fid8d1ff007dc8e3b6@mail.gmail.com>
	<20090520143648.07b74643@mail.asciiking.com>
Message-ID:

On Wednesday, May 20th 2009 at 17:36 -0000, quoth Chris Babcock:

=>On Wed, 20 May 2009 20:00:42 +0100
=>mike _ wrote:
=>
=>> Can anyone offer any insight in this issue?
=>
=>http://www.joshstaiger.org/archives/2005/07/bash_profile_vs.html
=>
=>In .bash_profile, you will have something *like* this:
=>if test -f $HOME/.gpg-agent-info && kill -0 `cut -d: -f 2 $HOME/.gpg-agent-info`\
=>2>/dev/null; then
=>  GPG_AGENT_INFO=`cat $HOME/.gpg-agent-info`
=>  export GPG_AGENT_INFO
=>else
=>  eval `/usr/bin/gpg-agent --daemon`
=>  echo $GPG_AGENT_INFO >$HOME/.gpg-agent-info
=>fi
=>
=>You *may* have something like this:
=>
=>if [ -f /etc/bashrc ]; then
=>  . /etc/bashrc
=>fi
=>
=>
=>The code to launch gpg-agent needs to be in .bashrc if you want it to
=>execute for su users. If your .bash_profile executes your .bashrc as
=>above then you can remove the definition from .bash_profile.

This topic is getting far more complicated than you might expect.

Setting environment variables needs to be done from your .bash_profile . It
happens once when you log in and all child processes inherit the resulting
variables.

If you use su then you do not go through the .bash_profile unless you use
the - option. i.e., "su - bob" will go through bob's .bash_profile but

"su bob" will only go through the .bashrc .

The same is true of ssh. If you ssh to a host to create a session then you
will go through the .bash_profile but if you ssh to a host to just execute
a command then you will only go through the .bashrc .

The proper way to deal with this is to:

* Source in your .bashrc from your .bash_profile
* Set all of your environment variables in your .bash_profile
* Check in your .bashrc to see if PS1 is set. If not then you are not in
an interactive session and you need to set critical environment variables.
Usually PATH is the only one you need to set.

if [[ -n "${PS1}" ]]
then
    : Do interactive stuff. Set aliases and variables, etc.
else
    . ~/.bash_pathset
fi

--
Time flies like the wind. Fruit flies like a banana. Stranger things have .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero.
Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net

From jmoore3rd at bellsouth.net Thu May 21 19:38:57 2009
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Thu, 21 May 2009 13:38:57 -0400
Subject: GNUPG 1.2.1 problem
In-Reply-To: <4A13CC81.4020800@gmail.com>
References: <4A13CC81.4020800@gmail.com>
Message-ID: <4A1591B1.8000107@bellsouth.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Paweł Żuk wrote:

> I can not upgrade my current version of gnupg

Can You please be more specific regarding why You cannot Upgrade GnuPG?
Since You are apparently using a Windows O/S [based upon the version of
Thunderbird this message was sent with] I am wondering why You are
unable to simply swap the pertinent Binary Files with ones for a newer
version in Your installation. :-\

JOHN ;)
Timestamp: Thursday 21 May 2009, 13:38 --400 (Eastern Daylight Time)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10-svn5019: (MingW32)
Comment: Public Key at: http://tinyurl.com/8cpho
Comment: Gossamer Spider Web of Trust: https://www.gswot.org
Comment: Homepage: http://tinyurl.com/yzhbhx
-----END PGP SIGNATURE-----

From allen.schultz at gmail.com Thu May 21 18:48:43 2009
From: allen.schultz at gmail.com (Allen Schultz)
Date: Thu, 21 May 2009 10:48:43 -0600
Subject: Key Transition Letter 2009-05-21
In-Reply-To: <200905211531.21250.mail@404not-found.de>
References: <200905211515.23209.mail@404not-found.de>
	<200905211531.21250.mail@404not-found.de>
Message-ID: <3f34f8420905210948t3974f29fpf6b7cb5264ec890f@mail.gmail.com>

-----BEGIN PGP
SIGNED MESSAGE-----
Hash: SHA256

On Thu, May 21, 2009 at 7:31 AM, Raimar Sandner wrote:
> After all the _old_ key could have been compromised, that is what I meant :)

Thank you for the information. I will clearsign this using the
new key only.

EE79C636 has already been updated [and uploaded] with an
expiration date.

This key is outdated due to the SHA-1 break in collisions.

pub 1024D/EE79C636 2009-04-24 [expires: 2009-08-19]
      Key fingerprint = 0DC0 D8F6 A3A7 C107 59C4 1512 579A F712 EE79 C636
uid Allen Schultz
uid [jpeg image of size 6128]
sub 2048g/762B1E36 2009-04-24

As far as signing or verifying through email. The subject has
already been discussed. Again, it's your choice. I may sign at a
"unverified - fingerprint through unsecure medium" per the
questions gpg asks. It does not validate the rest of my public
ring. But that was only done with the older EE79C636 as of the
signing of this email.

Let me know if this signature does not work either.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32) - GPGshell v3.72
-----END PGP SIGNATURE-----

--
Allen Schultz

pub 3072R/DAD4736B 2009-05-20
      Key fingerprint = 16AD EFE1 D68F C8A8 B086 68CD 1A35 85C7 DAD4 736B
uid Allen Schultz (aldaek)
uid [jpeg image of size 6128]
sub 2048R/F55651E0 2009-05-20 [expires: 2010-05-20]
sub 2048R/5687B83E 2009-05-20 [expires: 2010-05-20]

From jmoore3rd at bellsouth.net Thu May 21 20:18:08 2009
From: jmoore3rd at bellsouth.net (John W.
Moore III)
Date: Thu, 21 May 2009 14:18:08 -0400
Subject: Key Transition Letter 2009-05-21
In-Reply-To: <3f34f8420905210948t3974f29fpf6b7cb5264ec890f@mail.gmail.com>
References: <200905211515.23209.mail@404not-found.de>
	<200905211531.21250.mail@404not-found.de>
	<3f34f8420905210948t3974f29fpf6b7cb5264ec890f@mail.gmail.com>
Message-ID: <4A159AE0.4000004@bellsouth.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Allen Schultz wrote:

> Thank you for the information. I will clearsign this using the
> new key only.

> Let me know if this signature does not work either.

OpenPGP Security Info

UNTRUSTED Good signature from Allen Schultz (aldaek)
Key ID: 0xF55651E0 / Signed on: 5/21/2009 12:47 PM
Key fingerprint: 16AD EFE1 D68F C8A8 B086 68CD 1A35 85C7 DAD4 736B

Works much better with just a single Signature. :-D

JOHN 8-)
Timestamp: Thursday 21 May 2009, 14:17 --400 (Eastern Daylight Time)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10-svn5019: (MingW32)
Comment: Public Key at: http://tinyurl.com/8cpho
Comment: Gossamer Spider Web of Trust: https://www.gswot.org
Comment: Homepage: http://tinyurl.com/yzhbhx
-----END PGP SIGNATURE-----

From rjh at sixdemonbag.org Thu May 21 20:24:53 2009
From: rjh at sixdemonbag.org (Robert J.
Hansen)
Date: Thu, 21 May 2009 14:24:53 -0400
Subject: laying groundwork for an eventual migration away from SHA1 with gpg
In-Reply-To: <4A159976.1000708@bellsouth.net>
References: <4A01226D.4050606@fifthhorseman.net>
	<97618F71-F4DD-4F10-B242-6C33A4D8AE72@jabberwocky.com>
	<4A034B33.8050901@fifthhorseman.net>
	<8A8B2763-4FB3-4B22-BD86-CFB2FC430C73@jabberwocky.com>
	<4A045E0C.6000304@fifthhorseman.net>
	<946F33F5-5F87-4BF7-A581-4B81B6856332@jabberwocky.com>
	<4A049D52.3000304@fifthhorseman.net>
	<0945226C-197C-4ED6-9A27-E9272A6FEA3F@jabberwocky.com>
	<8763g34x25.fsf@pond.riseup.net>
	<4A155289.4070602@sixdemonbag.org>
	<4A159976.1000708@bellsouth.net>
Message-ID: <4A159C75.9030203@sixdemonbag.org>

(also cc'd to GnuPG-Users. This thread seems like it's more appropriate
there; let's continue it there if possible.)

John W. Moore III wrote:
> Presumably this tactic would also be effective by visiting a State
> Website.

I chose the example I did because I couldn't find information on
Arkansas driver's license security features in a five minute web search.
Other states may be different, I don't know.

> Still, BoF Parties can be a helluva lot of fun. :)

Yeah, that's why I show up to the keysigning BoFs at conventions. :)

From arizonagroovejet at gmail.com Thu May 21 21:30:36 2009
From: arizonagroovejet at gmail.com (mike _)
Date: Thu, 21 May 2009 20:30:36 +0100
Subject: Can't enter passphrase in su session.
In-Reply-To:
References: <5f65ad900905201200w3012e06fid8d1ff007dc8e3b6@mail.gmail.com>
	<20090520143648.07b74643@mail.asciiking.com>
Message-ID: <5f65ad900905211230r5e3d9fc4r77553f0e932f6193@mail.gmail.com>

2009/5/21 Steven W. Orr :
>
> This topic is getting far more complicated than you might expect.

I'm familiar with the differences between bash_profile and bashrc and
when they are or are not read. Or at least I believe I am.

> If you use su then you do not go through the .bash_profile unless you use
> the - option.
i.e., "su - bob" will go through bob's .bash_profile but
>
> "su bob" will only go through the .bashrc .

I'm using 'su -'

As I said:

- There is nothing, nothing, in /etc/bash* or /etc/profile*, or the
equivalents in bob's home directory, that has anything to do with
setting up environment variables for gpg. Bob doesn't even have a
.bash_profile.

- When I log in via ssh there is no GPG_AGENT_INFO variable set.

- When I log in via ssh and sign the file I am prompted to enter the
passphrase. There's no GPG_AGENT_INFO variable set, yet I'm still
prompted to enter the passphrase.

- The output of env in both sessions is almost identical, saving those
differences I previously mentioned which I don't see have anything to
do with gpg.

- Even if I manually invoke gpg-agent as a daemon and set the
GPG_AGENT_INFO variable in the 'su -' session, I am still not prompted
to enter the passphrase.

Perhaps I'm missing something and need it spelling out to me, but
given the above, I really don't see how the problem of not being
prompted to enter the passphrase whilst logged in under 'su -' can be
related to a problem with the parsing, or lack of, of bash config
files.

thanks,

mike

From faramir.cl at gmail.com Thu May 21 21:53:10 2009
From: faramir.cl at gmail.com (Faramir)
Date: Thu, 21 May 2009 15:53:10 -0400
Subject: Key Transition Letter 2009-05-21
In-Reply-To: <3f34f8420905210235y1bb6b6f8sca6b9104776fa0d1@mail.gmail.com>
References: <3f34f8420905210234l7e21e2fn758456f155f9743c@mail.gmail.com>
	<3f34f8420905210235y1bb6b6f8sca6b9104776fa0d1@mail.gmail.com>
Message-ID: <4A15B126.2000508@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Allen Schultz wrote:
> For the reason of SHA1 issues in the news, I've recently set up
> a new OpenPGP key, and
> will be transitioning away from my old one.
...
> To fetch my new key from a public key server, you can simply do:
>
> gpg --keyserver pgp.mit.edu --recv-key DAD4736B

Don't use that keyserver, it can damage your key.
Try
pool.sks-keyservers.net

Probably most people won't sign your new key, unless they have signed
your old key. WoT usually requires people exchanging keys face-to-face
or relying on other signatures to know the key belongs to the right
person...

Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----

From one.jsim at gmail.com Thu May 21 21:45:21 2009
From: one.jsim at gmail.com (One Jsim)
Date: Thu, 21 May 2009 20:45:21 +0100
Subject: B A = BA
Message-ID:

I have been creating key-pairs for me and helping other people.

Since I am not a cryptographer I use always GPG defaults options and
suggestions (line command)

After all this new stuff (creating sha-1 collisions, md-5 ? or so)
should I change the procedures I used to use?

Should I revoke (and help others to revoke) their keys - some keys
have yet 5 years or so "to live"?

For a new key, continue to use default options?

Thanks

José Simões

From roam at ringlet.net Thu May 21 23:04:23 2009
From: roam at ringlet.net (Peter Pentchev)
Date: Fri, 22 May 2009 00:04:23 +0300
Subject: Checking for interactive shell sessions [Was: Re: Can't enter passphrase in su session.]
In-Reply-To:
References: <5f65ad900905201200w3012e06fid8d1ff007dc8e3b6@mail.gmail.com>
	<20090520143648.07b74643@mail.asciiking.com>
Message-ID: <20090521210423.GA1120@straylight.m.ringlet.net>

On Thu, May 21, 2009 at 01:19:44PM -0400, Steven W.
Orr wrote:
[snip]
> The proper way to deal with this is to:
>
> * Source in your .bashrc from your .bash_profile
> * Set all of your environment variables in your .bash_profile
> * Check in your .bashrc to see if PS1 is set. If not then you are not in
> an interactive session and you need to set critical environment variables.

Just BTW, a *much* more reliable way to check for an interactive session,
which will not fail in many common cases (PS1 set in system-wide config
files, PS1 also set in .bashrc, PS1 set in the environment of the calling
shell, etc.), is the following:

# First, set up all variables for both interactive and non-interactive
# sessions.

# Then, do this:
case "$-" in
    *i*)
        echo 'Setting up interactive shell params..'
        stty erase ^H
        ;;

    *)
        # Non-interactive session, better don't output anything
        something_or_other=foo
        ;;
esac

Of course, substitute your own commands for the "stty" and
the assignment :) Bear in mind that this only applies to Bourne-style
shells; for tcsh, you might need to resort to testing for ($?prompt),
indeed.

G'luck,
Peter

--
Peter Pentchev roam at ringlet.net roam at space.bg roam at FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
What would this sentence be like if pi were 3?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
URL:

From gpg2.20.maniams at dfgh.net Fri May 22 07:47:44 2009
From: gpg2.20.maniams at dfgh.net (gpg2.20.maniams at dfgh.net)
Date: Fri, 22 May 2009 09:47:44 +0400
Subject: Key Transition Letter 2009-05-21
Message-ID: <5313cd090905212247o6c03b6c8s28ca3481ffdc8a7a@mail.gmail.com>

Dear Members

What are the algos that are compromised ? or NOT to be used ?
If this is too
long a list

What are the Algos that are _to_be_ /or/ _could_be_ used /or/
_not_yet_compromised_

I understand that choosing the key size and algo is something personal and
others can't decide..... but I'm trying to know the choice ....

regards
maniams
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rjh at sixdemonbag.org Sun May 24 04:15:13 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sat, 23 May 2009 22:15:13 -0400
Subject: Key Transition Letter 2009-05-21
In-Reply-To: <5313cd090905212247o6c03b6c8s28ca3481ffdc8a7a@mail.gmail.com>
References: <5313cd090905212247o6c03b6c8s28ca3481ffdc8a7a@mail.gmail.com>
Message-ID: <4A18ADB1.3090408@sixdemonbag.org>

gpg2.20.maniams at dfgh.net wrote:
> What are the algos that are compromised ? or NOT to be used ? If this is
> too long a list

Sorry to be so late to the party --

As of this writing, no algorithm supported by GnuPG has been
compromised. Even MD5 is still on its feet.

That said, the SHA-1 and MD5 algorithms are both looking a little shaky,
and generally the recommendation seems to be to move away from those
algorithms.

All other algorithms supported by GnuPG are in good shape.

> I understand that choosing the key size and algo is something personal
> and others can't decide..... but I'm trying to know the choice ....

Please don't do this. The defaults are the defaults for a very good
reason: they're good defaults. With the exception of "move away from
SHA1", please do not mess around with the defaults more than you
absolutely have to.

From gpg2.20.maniams at dfgh.net Sun May 24 04:43:33 2009
From: gpg2.20.maniams at dfgh.net (gpg2.20.maniams at dfgh.net)
Date: Sun, 24 May 2009 06:43:33 +0400
Subject: Key Transition Letter 2009-05-21
Message-ID: <5313cd090905231943l590b2b8y729abaee0f2bb381@mail.gmail.com>

Dear Robert

On Sun, May 24, 2009 at 6:42 AM, Subu wrote:

>
>
> On Sun, May 24, 2009 at 6:15 AM, Robert J.
Hansen - rjh at sixdemonbag.org
> <+gpg2+maniams+ba4eefb302.rjh#sixdemonbag.org at spamgourmet.com> wrote:
>
>> gpg2.20.maniams at dfgh.net wrote:
>> > What are the algos that are compromised ? or NOT to be used ? If this is
>> > too long a list
>>
>> Sorry to be so late to the party --
>>
>> As of this writing, no algorithm supported by GnuPG has been
>> compromised. Even MD5 is still on its feet.
>>
>> That said, the SHA-1 and MD5 algorithms are both looking a little shaky,
>> and generally the recommendation seems to be to move away from those
>> algorithms.
>>
>> All other algorithms supported by GnuPG are in good shape.
>>
>> > I understand that choosing the key size and algo is something personal
>> > and others can't decide..... but I'm trying to know the choice ....
>>
>> Please don't do this. The defaults are the defaults for a very good
>> reason: they're good defaults. With the exception of "move away from
>> SHA1", please do not mess around with the defaults more than you
>> absolutely have to.
>>
>
> Thanks for the reply and advice. I shall follow the same
>
> Regards
> maniams
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From webmaster at felipe1982.com Sun May 24 06:38:56 2009
From: webmaster at felipe1982.com (webmaster at felipe1982.com)
Date: Sat, 23 May 2009 22:38:56 -0600 (MDT)
Subject: Key Transition Letter 2009-05-21
In-Reply-To: <4A18ADB1.3090408@sixdemonbag.org>
References: <5313cd090905212247o6c03b6c8s28ca3481ffdc8a7a@mail.gmail.com> <4A18ADB1.3090408@sixdemonbag.org>
Message-ID: <3375.130.102.44.52.1243139936.squirrel@host257.hostmonster.com>

> As of this writing, no algorithm supported by GnuPG has been
> compromised. Even MD5 is still on its feet.

i don't think this is correct. See:
http://th.informatik.uni-mannheim.de/People/lucks/HashCollisions/

felipe

From rjh at sixdemonbag.org Sun May 24 08:15:39 2009
From: rjh at sixdemonbag.org (Robert J.
Hansen)
Date: Sun, 24 May 2009 02:15:39 -0400
Subject: Key Transition Letter 2009-05-21
In-Reply-To: <3375.130.102.44.52.1243139936.squirrel@host257.hostmonster.com>
References: <5313cd090905212247o6c03b6c8s28ca3481ffdc8a7a@mail.gmail.com> <4A18ADB1.3090408@sixdemonbag.org> <3375.130.102.44.52.1243139936.squirrel@host257.hostmonster.com>
Message-ID: <4A18E60B.1080506@sixdemonbag.org>

webmaster at felipe1982.com wrote:
> i don't think this is correct. See:
> http://th.informatik.uni-mannheim.de/People/lucks/HashCollisions/

It depends on what sort of threat you're facing. In this case, the MD5 attack is predicated on the victim signing documents they did not originate. This is often considered bad policy, since it tends to facilitate attacks like this. This usage case is kind of rare for GnuPG -- not unheard of, but rare.

MD5 is best avoided, yes, please don't get me wrong -- but it's kind of a stretch to say that it is entirely broken for purposes of email cryptography.

From gpg2.20.maniams at dfgh.net Sun May 24 09:48:24 2009
From: gpg2.20.maniams at dfgh.net (gpg2.20.maniams at dfgh.net)
Date: Sun, 24 May 2009 11:48:24 +0400
Subject: Key Transition Letter 2009-05-21
In-Reply-To: <5313cd090905240014v37cad824m899158bf55e61989@mail.gmail.com>
References: <5313cd090905212247o6c03b6c8s28ca3481ffdc8a7a@mail.gmail.com> <4A18ADB1.3090408@sixdemonbag.org> <3375.130.102.44.52.1243139936.squirrel@host257.hostmonster.com> <5313cd090905240014v37cad824m899158bf55e61989@mail.gmail.com>
Message-ID: <5313cd090905240048t3fa2c41cm663faa9bd329fa07@mail.gmail.com>

Wow Felipe ... WowT

On Sun, May 24, 2009 at 8:38 AM, webmaster at felipe1982.com <+gpg2+maniams+aec56db6fa.webmaster#felipe1982.com at spamgourmet.com> wrote:
>
> > As of this writing, no algorithm supported by GnuPG has been
> > compromised. Even MD5 is still on its feet.
> i don't think this is correct.
See:
> http://th.informatik.uni-mannheim.de/People/lucks/HashCollisions/
>
>
> felipe
>
>

I say Wow here to the simple presentation of the collision and also forwarding this great piece here. The technical gurus of this board may have found the above link boring....but a novice like me found it very interesting

I'm looking for similar simple explanations like the above on what a hash function is and what algorithms are and what other basics should some one know before making _their_own_ choice of algos, hash etc

any pointers would be most appreciated

regards
maniams
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From fred.kantor at gmail.com Sun May 24 13:49:41 2009
From: fred.kantor at gmail.com (Fred Kantor)
Date: Sun, 24 May 2009 07:49:41 -0400
Subject: laying groundwork for an eventual migration away from SHA1 with gpg
In-Reply-To: <4A159C75.9030203@sixdemonbag.org>
References: <4A01226D.4050606@fifthhorseman.net> <4A045E0C.6000304@fifthhorseman.net> <946F33F5-5F87-4BF7-A581-4B81B6856332@jabberwocky.com> <4A049D52.3000304@fifthhorseman.net> <0945226C-197C-4ED6-9A27-E9272A6FEA3F@jabberwocky.com> <8763g34x25.fsf@pond.riseup.net> <4A155289.4070602@sixdemonbag.org> <4A159976.1000708@bellsouth.net> <4A159C75.9030203@sixdemonbag.org>
Message-ID: <6899a0d30905240449l53dfeda6ge4683f0da26430ca@mail.gmail.com>

re identity -- may I suggest considering (a) DNA swipe(s) at key-signing party?

On Thu, May 21, 2009 at 2:24 PM, Robert J. Hansen wrote:
> (also cc'd to GnuPG-Users. This thread seems like it's more appropriate
> there; let's continue it there if possible.)
>
> John W. Moore III wrote:
>> Presumably this tactic would also be effective by visiting a State
>> Website.
>
> I chose the example I did because I couldn't find information on
> Arkansas driver's license security features in a five minute web search.
> Other states may be different, I don't know.
>
>> Still, BoF Parties can be a helluva lot of fun.
:)
>
> Yeah, that's why I show up to the keysigning BoFs at conventions. :)
>
>
> _______________________________________________
> Gnupg-devel mailing list
> Gnupg-devel at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-devel
>

From dkg at fifthhorseman.net Sun May 24 22:54:40 2009
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Sun, 24 May 2009 16:54:40 -0400
Subject: MD5 is an unreliable digest algorithm [was: Re: Key Transition Letter 2009-05-21]
In-Reply-To: <4A18E60B.1080506@sixdemonbag.org>
References: <5313cd090905212247o6c03b6c8s28ca3481ffdc8a7a@mail.gmail.com> <4A18ADB1.3090408@sixdemonbag.org> <3375.130.102.44.52.1243139936.squirrel@host257.hostmonster.com> <4A18E60B.1080506@sixdemonbag.org>
Message-ID: <4A19B410.2060203@fifthhorseman.net>

On 05/24/2009 02:15 AM, Robert J. Hansen wrote:
> It depends on what sort of threat you're facing. In this case, the MD5
> attack is predicated on the victim signing documents they did not
> originate. This is often considered bad policy, since it tends to
> facilitate attacks like this. This usage case is kind of rare for GnuPG
> -- not unheard of, but rare.

Actually, it is fairly common in certain circumstances: Certifying that another user's key is correctly bound to their User ID (a.k.a. "signing someone's key") is effectively making a signature over a document that you did not originate.

The only element in a standard OpenPGP certification which changes is the timestamp of the certification itself. The timestamp is fairly predictable (the hash-clash rogue CA X.509 MD5 compromise in December 2008 relied on timestamping with the same granularity that OpenPGP uses).

Furthermore, the timestamp is *appended* to the element in question that is signed (as are any additional subpackets that the issuer of the certification elects to include). Certifier-authored appended data is less useful for defeating a collision attack, since signatures are made over digests that are one-pass.
With a one-pass digest, an attacker needs only to find a collision in the lead-up to the appended data, and then subsequent appended data can simply be copied from the tail of one message to the other to maintain the collision in the digest output space.

> MD5 is best avoided, yes, please don't get me wrong -- but it's kind of
> a stretch to say that it is entirely broken for purposes of email
> cryptography.

MD5 *is* broken in that it does not provide the expected level of security that a digest of its length implies, particularly for collision-resistance.

The ability to find two messages with identical digests should be no less expensive than a so-called "birthday attack", which is 2^64 digest calculations for a 128-bit digest like MD5. MD5's collision resistance is demonstrably less than 2^64 today. Wikipedia notes attacks that find MD5 collisions in a few hours on a notebook computer.

Collision attacks have significant utility in subverting all kinds of crypto-systems including e-mail cryptography, particularly because so many mail clients are willing to ignore invalid or garbage-y data in an e-mail message.

SHA-1's collision resistance is weakened as well, reportedly to the level of 2^52 operations (it should be 2^80, since SHA-1 is a 160-bit hash), but (a) no one has seen an exploit of this in the wild yet, and (b) 2^52 is a fairly big number anyway (within reach of well-funded organizations, but not nearly as bad as MD5).

So MD5 should indeed be avoided today, and we should be methodically and reasonably moving away from reliance on SHA-1 in circumstances where collision-resistance is necessary.

--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 890 bytes
Desc: OpenPGP digital signature
URL:

From rjh at sixdemonbag.org Mon May 25 00:09:20 2009
From: rjh at sixdemonbag.org (Robert J.
Hansen)
Date: Sun, 24 May 2009 18:09:20 -0400
Subject: MD5 is an unreliable digest algorithm [was: Re: Key Transition Letter 2009-05-21]
In-Reply-To: <4A19B410.2060203@fifthhorseman.net>
References: <5313cd090905212247o6c03b6c8s28ca3481ffdc8a7a@mail.gmail.com> <4A18ADB1.3090408@sixdemonbag.org> <3375.130.102.44.52.1243139936.squirrel@host257.hostmonster.com> <4A18E60B.1080506@sixdemonbag.org> <4A19B410.2060203@fifthhorseman.net>
Message-ID: <4A19C590.4060905@sixdemonbag.org>

Daniel Kahn Gillmor wrote:
> Actually, it is fairly common in certain circumstances: Certifying
> that another user's key is correctly bound to their User ID (a.k.a.
> "signing someone's key") is effectively making a signature over a
> document that you did not originate.

Yes. And then if you take a look at how often this happens with MD5 in OpenPGP, you'll find the answer is effectively never, since SHA-1 generally gets used instead. So this attack is mostly a nonissue for OpenPGP usage.

> MD5 *is* broken in that it does not provide the expected level of
> security that a digest of its length implies, particularly for
> collision-resistance.

I am getting pretty frustrated with how people are misreading, misinterpreting, or outright not listening to the qualifications I am putting on the things I'm saying.

My original text was, "it's kind of a stretch to say that it is entirely broken for purposes of email cryptography."

The word "entirely" is pretty important there.

Algorithms are not, as is commonly believed, to be either "secure" or "insecure". OpenPGP in particular is used in a variety of different ways. There is a continuum of "secure for all known uses of OpenPGP" at one end, and "insecure for all known uses of OpenPGP" at the other, and a lot of gray area in the middle where "secure for some uses" lives.

MD5 is in that continuum. It is not /entirely/ broken, as seems to be the common misperception.
> So MD5 should indeed be avoided today, and we should be methodically
> and reasonably moving away from reliance on SHA-1 in circumstances
> where collision-resistance is necessary.

Yes. Which is exactly what I've been saying.

From sttob at mailshack.com Mon May 25 01:18:51 2009
From: sttob at mailshack.com (Stan Tobias)
Date: Mon, 25 May 2009 01:18:51 +0200
Subject: Can't enter passphrase in su session.
In-Reply-To: <5f65ad900905210339i501a2f4co7a97612c9215eccb@mail.gmail.com>
References: <5f65ad900905201200w3012e06fid8d1ff007dc8e3b6@mail.gmail.com> <5f65ad900905210339i501a2f4co7a97612c9215eccb@mail.gmail.com>
Message-ID: <4a19d5db.QIhYcszRXHYr2OI0%sttob@mailshack.com>

mike _ wrote:
> So maybe the problem is that under su, gpg-agent fails to launch
> /usr/bin/pinentry (which in turn decides whether to launch
> pinentry-curses, or a QT or GTK equivalent). If I run gpg under strace
> and look through the output there is no mention of /usr/bin/pinentry
> being called, but there is in the ssh session. Why no attempt is to
> launch /usr/bin/pinentry though I have not been able to determine.

I don't use and I don't know how `pinentry' works, so let it be a blind shot. `ssh' opens a new terminal session, while `su' doesn't. When you `su - newuser', you run with stdin/stdout/stderr attached to the olduser terminal, with the olduser owner and most probably zeroed permission bits for the "other" group, which means newuser cannot open /dev/tty. If a program (like `pinentry' maybe, or `screen') run by newuser tries to read directly from a terminal which belongs to olduser, it will fail. I sometimes "fix" this by running `exec script /dev/null'.
Regards,
Stan

From John at Mozilla-Enigmail.org Mon May 25 19:25:16 2009
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Mon, 25 May 2009 12:25:16 -0500
Subject: RSA+RSA is now the default
In-Reply-To:
References: <87zldcszvb.fsf@wheatstone.g10code.de> <87ab51y5ed.fsf@wheatstone.g10code.de>
Message-ID: <4A1AD47C.8090304@Mozilla-Enigmail.org>

Nicholas Cole wrote:
> It's a small point and I don't mean to get side-tracked, but if any
> front-ends have used this menu, I rather fear that you have replaced
> one evil (not using the right default) with a worse one - presenting
> one thing in the front end and doing another behind the scenes!

I think Werner has already pointed out that any program relying on the menus is living in sin. The batch-file approach for generating keys has been documented for quite some time.

--
John P. Clizbe Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or
mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 678 bytes
Desc: OpenPGP digital signature
URL:

From nicholas.cole at gmail.com Mon May 25 19:54:20 2009
From: nicholas.cole at gmail.com (Nicholas Cole)
Date: Mon, 25 May 2009 18:54:20 +0100
Subject: RSA+RSA is now the default
In-Reply-To: <4A1AD47C.8090304@Mozilla-Enigmail.org>
References: <87zldcszvb.fsf@wheatstone.g10code.de> <87ab51y5ed.fsf@wheatstone.g10code.de> <4A1AD47C.8090304@Mozilla-Enigmail.org>
Message-ID:

On Mon, May 25, 2009 at 6:25 PM, John Clizbe wrote:
> Nicholas Cole wrote:
>> It's a small point and I don't mean to get side-tracked, but if any
>> front-ends have used this menu, I rather fear that you have replaced
>> one evil (not using the right default) with a worse one - presenting
>> one thing in the front end and doing another behind the scenes!
>
> I think Werner has already pointed out that any program relying on the
> menus is living in sin. The batch-file approach for generating keys has
> been documented for quite some time.

I completely agree for creating keys, for which there is the batch-file approach. Adding subkeys is another matter. And while I have never written anything that 'lives in sin' in the way you describe, I was just pointing out that if Werner was assuming such things exist (I am sure they do) then there could be unfortunate consequences as a result of the way this (entirely proper) change has been made!

Best,
N

From shrzic0973 at verizon.net Mon May 25 21:19:04 2009
From: shrzic0973 at verizon.net (shrzic0973)
Date: Mon, 25 May 2009 15:19:04 -0400
Subject: GnuPG Win Patch File Installation Help
Message-ID: <123AEAF6863F4817A423B689717FFECC@SMHHOMEPC>

I'm a new user to GnuPG. I just installed GnuPG 1.4.9. I see there is also a Patch File 'gnupg-1.4.8-1.4.9.diff.bz2' with this release that needs to be installed but I cannot find any information on how to do this.

Can someone provide the correct procedures to install this Patch File?

Thanks in advance!
Steve Hrzic
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From John at Mozilla-Enigmail.org Mon May 25 23:38:20 2009
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Mon, 25 May 2009 16:38:20 -0500
Subject: GnuPG Win Patch File Installation Help
In-Reply-To: <123AEAF6863F4817A423B689717FFECC@SMHHOMEPC>
References: <123AEAF6863F4817A423B689717FFECC@SMHHOMEPC>
Message-ID: <4A1B0FCC.3040607@Mozilla-Enigmail.org>

shrzic0973 wrote:
> I'm a new user to GnuPG. I just installed GnuPG 1.4.9. I see there is
> also a Patch File 'gnupg-1.4.8-1.4.9.diff.bz2' with this release that
> needs to be installed but I cannot find any information on how to do this.
> Can someone provide the correct procedures to install this Patch File?

In your case, there is none. The patch file is to _upgrade_ a 1.4.8 source tree to a 1.4.9 source tree. You already have 1.4.9, there's no need for the changes from 1.4.8.

--
John P. Clizbe Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or
mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 678 bytes
Desc: OpenPGP digital signature
URL:

From faramir.cl at gmail.com Mon May 25 22:31:28 2009
From: faramir.cl at gmail.com (Faramir)
Date: Mon, 25 May 2009 16:31:28 -0400
Subject: GnuPG Win Patch File Installation Help
In-Reply-To: <123AEAF6863F4817A423B689717FFECC@SMHHOMEPC>
References: <123AEAF6863F4817A423B689717FFECC@SMHHOMEPC>
Message-ID: <4A1B0020.9080106@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

shrzic0973 wrote:
> I'm a new user to GnuPG. I just installed GnuPG 1.4.9.
I see there is
> also a Patch File 'gnupg-1.4.8-1.4.9.diff.bz2' with this release that
> needs to be installed but I cannot find any information on how to do this.

I think that patch is to upgrade from 1.4.8 to 1.4.9, and probably not under windows OS. If you use windows, all you need is GnuPG 1.4.9. Maybe you would like to install some GUI to make usage easier, but that's optional.

If you are using Windows, I recommend GPGShell (just google it) as GUI.

Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----

From shrzic0973 at verizon.net Tue May 26 00:11:11 2009
From: shrzic0973 at verizon.net (Stephen Hrzic)
Date: Mon, 25 May 2009 15:11:11 -0700 (PDT)
Subject: No subject
Message-ID: <966105.73424.qm@web84303.mail.re1.yahoo.com>

As a new user to GnuPG 1.4.9 I'm not having a good day with the product. When importing a key, I receive a 'Permission denied' during the pubring renaming process. Log follows. Any help would be appreciated. Thank you.

Steve Hrzic

C:\Documents and Settings\momadministrator>gpg --version
gpg (GnuPG) 1.4.9 (Gpg4win 1.1.4)
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: C:/Documents and Settings/Default User/Application Data/gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

C:\Documents and Settings\momadministrator>gpg --import d:\mykey_key.asc
gpg: renaming `C:/Documents and Settings/Default User/Application Data/gnupg\pub
ring.gpg' to `C:/Documents and Settings/Default User/Application Data/gnupg\pubr
ing.bak' failed: Permission denied
gpg: error writing keyring `C:/Documents and Settings/Default User/Application D
ata/gnupg\pubring.gpg': file rename error
gpg: key BDFC43BD: public key "[User ID not found]" imported
gpg: error reading `d:\\mykey_key.asc': file rename error
gpg: import from `d:\\mykey_key.asc' failed: file rename error
gpg: Total number processed: 0
gpg:               imported: 1  (RSA: 1)

C:\Documents and Settings\momadministrator>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From faramir.cl at gmail.com Tue May 26 03:58:05 2009
From: faramir.cl at gmail.com (Faramir)
Date: Mon, 25 May 2009 21:58:05 -0400
Subject:
In-Reply-To: <966105.73424.qm@web84303.mail.re1.yahoo.com>
References: <966105.73424.qm@web84303.mail.re1.yahoo.com>
Message-ID: <4A1B4CAD.2040509@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Stephen Hrzic wrote:
>
> As a new user to GnuPG 1.4.9 I'm not having a good day with the product.
> When importing a key, I receive a 'Permission denied' during the pubring
> renaming process.
...
> C:\Documents and Settings\momadministrator>gpg --version

What operating system are you using?
It seems it's windows, but I don't know if it's XP or Vista

Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----

From vishwin80 at gmail.com Tue May 26 02:42:07 2009
From: vishwin80 at gmail.com (C Li)
Date: Mon, 25 May 2009 20:42:07 -0400
Subject: (unknown)
In-Reply-To: <966105.73424.qm__33739.5967836075$1243294863$gmane$org@web84303.mail.re1.yahoo.com>
References: <966105.73424.qm__33739.5967836075$1243294863$gmane$org@web84303.mail.re1.yahoo.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Stephen Hrzic's mail client expels the following stream of bytes on 25/05/09 18:11 (EDT):
> C:\Documents and Settings\momadministrator>gpg --import d:\mykey_key.asc
> gpg: renaming `C:/Documents and Settings/Default User/Application
> Data/gnupg\pub
> ring.gpg' to `C:/Documents and Settings/Default User/Application
> Data/gnupg\pubr
> ing.bak' failed: Permission denied
> gpg: error writing keyring `C:/Documents and Settings/Default
> User/Application D
> ata/gnupg\pubring.gpg': file rename error
> gpg: key BDFC43BD: public key "[User ID not found]" imported
> gpg: error reading `d:\\mykey_key.asc': file rename error
> gpg: import from `d:\\mykey_key.asc' failed: file rename error
> gpg: Total number processed: 0
> gpg: imported: 1 (RSA: 1)

Try replacing the backslash with a forward slash when specifying the path in the command. Unlike Windows, the backslash is an escape character in gpg and other Unix-like software.
You may also want to check the permission settings of C:\Documents and Settings\Default User\Application Data\gnupg or wherever your keyrings are located.

- --
C Li (vishwin/O)
Can't think of a witty .sigline today...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----

From vishwin80 at gmail.com Tue May 26 04:26:31 2009
From: vishwin80 at gmail.com (C Li)
Date: Mon, 25 May 2009 22:26:31 -0400
Subject:
In-Reply-To: <4A1B4CAD.2040509__31190.1135756218$1243303274$gmane$org@gmail.com>
References: <966105.73424.qm@web84303.mail.re1.yahoo.com> <4A1B4CAD.2040509__31190.1135756218$1243303274$gmane$org@gmail.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Faramir's mail client expels the following stream of bytes on 25/05/09 21:58 (EDT):
> Stephen Hrzic wrote:
>> C:\Documents and Settings\momadministrator>gpg --version
>
> What operating system are you using? It seems it's windows, but I
> don't know if it's XP or Vista

If the directory containing all of the users' home directories is named "Documents and Settings", it is anything of the Windows NT kernel prior to Vista (Windows 2000, XP, Server 2003).
This specific issue applies to any version of Windows.

- --
C Li (vishwin/O)
Can't think of a witty .sigline today...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----

From arizonagroovejet at gmail.com Tue May 26 16:50:50 2009
From: arizonagroovejet at gmail.com (mike _)
Date: Tue, 26 May 2009 15:50:50 +0100
Subject: Can't enter passphrase in su session.
In-Reply-To: <4a19d5db.QIhYcszRXHYr2OI0%sttob@mailshack.com>
References: <5f65ad900905201200w3012e06fid8d1ff007dc8e3b6@mail.gmail.com> <5f65ad900905210339i501a2f4co7a97612c9215eccb@mail.gmail.com> <4a19d5db.QIhYcszRXHYr2OI0%sttob@mailshack.com>
Message-ID: <5f65ad900905260750i40e0b0e7s58ebf06cd1570cf8@mail.gmail.com>

2009/5/25 Stan Tobias :
> mike _ wrote:
> I don't use and I don't know how `pinentry' works, so let it be a blind
> shot. `ssh' opens a new terminal session, while `su' doesn't. When you
> `su - newuser', you run with stdin/stdout/stderr attached to the olduser
> terminal, with the olduser owner and most probably zeroed permission
> bits for the "other" group, which means newuser cannot open /dev/tty.
> If a program (like `pinentry' maybe, or `screen') run by newuser tries
> to read directly from a terminal which belongs to olduser, it will fail.
> I sometimes "fix" this by running `exec script /dev/null'.

You've got it! It is a tty permissions problem. Apparently it's a general issue that programs that want to write directly to terminal won't work when run under su. E.g. there's mention here of someone encountering the problem with screen.

http://www.mail-archive.com/screen-users at gnu.org/msg02081.html

If I do this:

$ chmod o+rw $(tty)

before using 'su -' to become bob then I am prompted to enter the passphrase when I run gpg.

Setting such permissions on the tty device seems like something that would usually be a hideously bad idea. I think doing it on a server which only a very small number of trusted people are able to log in to would be OK though. (Unless anyone can suggest a reason why not.)

From faramir.cl at gmail.com Wed May 27 03:56:34 2009
From: faramir.cl at gmail.com (Faramir)
Date: Tue, 26 May 2009 21:56:34 -0400
Subject: how to sign files inside a folder?
Message-ID: <4A1C9DD2.2030609@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello,
I saw a question in the support list in Spanish language, and it is about how to sign files inside a folder, in Windows OS, without using additional tools. The goal is to have a tree of folders, with files inside, and to sign individually each file (with detached signature, if I am not wrong).

Since I have never had to do something like that, I don't have the faintest idea about how to do it, if it is possible to do it.

Compressing the folder and signing the compressed file is what the person behind the question wants to avoid.

Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----

From jmoore3rd at bellsouth.net Wed May 27 05:19:01 2009
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Tue, 26 May 2009 23:19:01 -0400
Subject: how to sign files inside a folder?
In-Reply-To: <4A1C9DD2.2030609@gmail.com>
References: <4A1C9DD2.2030609@gmail.com>
Message-ID: <4A1CB125.2090404@bellsouth.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Faramir wrote:
> Hello,
> I saw a question in the support list in Spanish language, and it is
> about how to sign files inside a folder, in Windows OS, without using
> additional tools. The goal is to have a tree of folders, with files
> inside, and to sign individually each file (with detached signature, if
> I am not wrong).
>
> Since I have never had to do something like that, I don't have the
> faintest idea about how to do it, if it is possible to do it.
>
> Compressing the folder and signing the compressed file is what
> the person behind the question wants to avoid.

I recommend the addition of the GPG Frontend GPGee [http://gpgee.excelcia.org/] as You may run this app on a Folder and You will be left with the Folder appearing unchanged but each individual file within the Folder/Directory being Encrypted. Signed or Encrypted & Signed.

Just remember that if You wish every thing left Encrypted You will then need to Open the Folder/Directory and then Delete/Wipe all the Un-Encrypted copies.

HTH

JOHN ;)
Timestamp: Tuesday 26 May 2009, 23:18 --400 (Eastern Daylight Time)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10-svn5021: (MingW32)
Comment: Public Key at: http://tinyurl.com/8cpho
Comment: Gossamer Spider Web of Trust: https://www.gswot.org
Comment: Homepage: http://tinyurl.com/yzhbhx
-----END PGP SIGNATURE-----

From John at Mozilla-Enigmail.org Wed May 27 05:38:53 2009
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Tue, 26 May 2009 22:38:53 -0500
Subject: how to sign files inside a folder?
In-Reply-To: <4A1C9DD2.2030609@gmail.com>
References: <4A1C9DD2.2030609@gmail.com>
Message-ID: <4A1CB5CD.3010305@Mozilla-Enigmail.org>

Faramir wrote:
> Hello,
> I saw a question in the support list in Spanish language, and it is
> about how to sign files inside a folder, in Windows OS, without using
> additional tools. The goal is to have a tree of folders, with files
> inside, and to sign individually each file (with detached signature, if
> I am not wrong).
>
> Since I have never had to do something like that, I don't have the
> faintest idea about how to do it, if it is possible to do it.
>
> Compressing the folder and signing the compressed file is what
> the person behind the question wants to avoid.

I saw that one.

I don't know about doing it "without using additional tools". The windows CMD shell doesn't give one a boatload of useful commands.

I'd pull the RC1 of MSYS 1.0.11 cause this is a snap with bash and find.

Using his .TXT example:

cd
for file in $(find . -name \*.[tT][xX][tT] -print); \
do echo $file; \
gpg --passphrase deafbeef -u 0xdecafbad -sb $file ; \
done

--
John P. Clizbe Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or
mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 678 bytes
Desc: OpenPGP digital signature
URL:

From John at Mozilla-Enigmail.org Wed May 27 06:01:19 2009
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Tue, 26 May 2009 23:01:19 -0500
Subject: how to sign files inside a folder?
In-Reply-To: <4A1CB5CD.3010305@Mozilla-Enigmail.org>
References: <4A1C9DD2.2030609@gmail.com> <4A1CB5CD.3010305@Mozilla-Enigmail.org>
Message-ID: <4A1CBB0F.40004@Mozilla-Enigmail.org>

John Clizbe wrote:
> Faramir wrote:
>> Hello,
>> I saw a question in the support list in Spanish language, and it is
>> about how to sign files inside a folder, in Windows OS, without using
>> additional tools. The goal is to have a tree of folders, with files
>> inside, and to sign individually each file (with detached signature, if
>> I am not wrong).
>>
>> Since I have never had to do something like that, I don't have the
>> faintest idea about how to do it, if it is possible to do it.
>>
>> Compressing the folder and signing the compressed file is what
>> the person behind the question wants to avoid.
>
> I saw that one.
>
> I don't know about doing it "without using additional tools". The
> windows CMD shell doesn't give one a boatload of useful commands.

Amazing what I can find with Google and an ancient Pocket Ref

Try this in a CMD window

cd \top\level\directory
FOR /F "usebackq delims==" %i IN (`dir/s/b *.txt`) DO @gpg --passphrase deafbeef -u 0xdecafbad -sb "%i"

-u is the key one wishes to use to sign.

-- 
John P. Clizbe                      Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net  or
     mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"

From steveo at syslang.net Wed May 27 14:23:51 2009
From: steveo at syslang.net (Steven W. Orr)
Date: Wed, 27 May 2009 08:23:51 -0400 (EDT)
Subject: how to sign files inside a folder?
In-Reply-To: <4A1CB5CD.3010305@Mozilla-Enigmail.org>
References: <4A1C9DD2.2030609@gmail.com> <4A1CB5CD.3010305@Mozilla-Enigmail.org>
Message-ID:

On Tuesday, May 26th 2009 at 23:38 -0000, quoth John Clizbe:

=>Faramir wrote:
=>> Hello,
=>> I saw a question in the support list in Spanish language, and it is
=>> about how to sign files inside a folder, in Windows OS, without using
=>> additional tools. The goal is to have a tree of folders, with files
=>> inside, and to sign individually each file (with detached signature, if
=>> I am not wrong).
=>>
=>> Since I have never had to do something like that, I don't have the
=>> faintest idea about how to do it, if it is possible to do it.
=>>
=>> Compressing the folder and signing the compressed file is what
=>> the person behind the question wants to avoid.
=>
=>I saw that one.
=>
=>I don't know about doing it "without using additional tools". The
=>windows CMD shell doesn't give one a boatload of useful commands.
=>
=>I'd pull the RC1 of MSYS 1.0.11 cause this is a snap with bash and find.
=>Using his .TXT example:
=>
=>cd
=>for file in $(find . -name \*.[tT][xX][tT] -print); \
=>  do echo $file; \
=>  gpg --passphrase deafbeef -u 0xdecafbad -sb $file ; \
=>done

fyi, that's why they invented -iname option. :-)

for file in $(find . -iname \*.txt -print);

the semi is not needed. But if the list of filenames is large, you could
end up overflowing your shell buffer. Another way to do it that would
prevent that from happening...

find . -iname \*.txt -print | while read -r file
do
    echo "$file"
    gpg --passphrase deafbeef -u 0xdecafbad -sb "$file"
done

-- 
Time flies like the wind. Fruit flies like a banana. Stranger things have  .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net

From rogerx at sdf.lonestar.org Sat May 30 22:58:26 2009
From: rogerx at sdf.lonestar.org (Roger)
Date: Sat, 30 May 2009 12:58:26 -0800
Subject: Avoid pinentry-gtk-2 when using console!
Message-ID: <1243717106.6645.34.camel@localhost2.local>

Is there a method to avoid using pinentry-gtk-2 when using a console
within X and specify using pinentry or pinentry-curses?

I've already tried recompiling gnupg & pinentry (using -gtk -qt3). :-/

This bugs me because I'm working on the console and have to move my
fingers from the keyboard to my mouse (or whatever) to enter the pin
into the X widget instead of console!

-- 
Roger
http://rogerx.freeshell.org

From steveo at syslang.net Sun May 31 05:16:29 2009
From: steveo at syslang.net (Steven W. Orr)
Date: Sat, 30 May 2009 23:16:29 -0400 (EDT)
Subject: Avoid pinentry-gtk-2 when using console!
In-Reply-To: <1243717106.6645.34.camel@localhost2.local>
References: <1243717106.6645.34.camel@localhost2.local>
Message-ID:

On Saturday, May 30th 2009 at 16:58 -0000, quoth Roger:

> Is there a method to avoid using pinentry-gtk-2 when using a console
> within X and specify using pinentry or pinentry-curses?
>
> I've already tried recompiling gnupg & pinentry (using -gtk -qt3). :-/
>
>
> This bugs me because I'm working on the console and have to move my
> fingers from the keyboard to my mouse (or whatever) to enter the pin
> into the X widget instead of console!

Whatever program you're using that is invoking gpg has the DISPLAY
variable set. What you can do is to create a shell wrapper that shuts
DISPLAY off. e.g., I'm running alpine, so I *could* create an alpine
command a la

#! /bin/bash
unset DISPLAY
/usr/bin/alpine "$@"
exit

The only caveat is that whatever program you use will suffer the loss of
access to your entire DISPLAY, not just pinentry

-- 
Time flies like the wind. Fruit flies like a banana. Stranger things have  .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net

From rogerx at sdf.lonestar.org Sun May 31 07:49:26 2009
From: rogerx at sdf.lonestar.org (Roger)
Date: Sat, 30 May 2009 21:49:26 -0800
Subject: Avoid pinentry-gtk-2 when using console!
In-Reply-To:
References: <1243717106.6645.34.camel@localhost2.local>
Message-ID: <1243748967.26799.11.camel@localhost2.local>

On Sat, 2009-05-30 at 23:16 -0400, Steven W. Orr wrote:
> Whatever program you're using that is invoking gpg has the DISPLAY
> variable set. What you can do is to create a shell wrapper that shuts
> DISPLAY off. e.g., I'm running alpine, so I *could* create an alpine
> command a la
>
> #! /bin/bash
> unset DISPLAY
> /usr/bin/alpine "$@"
> exit
>
> The only caveat is that whatever program you use will suffer the loss of
> access to your entire DISPLAY, not just pinentry

I'm using rxvt-unicode and GNU Screen combo. As I stated, "I'm invoking
gpg from the command line shell."

Interesting hack, but this is going to kill my command line experience
when I type "gvim"!

Notice, vim & gvim have an option to call either or, and if X isn't
present, falls back to vi/vim? This is probably what pinentry should do,
instead of depending on X (gtk or qt3) explicitly.

---snip---
if {environmental variable is set to console/gtk/qt3}
    use the specified pinentry flavor
else
    use pinentry-console
else
    use pinentry-gtk
fi
---snip---

A good place for this environmental variable is within
$HOME/.gnupg/options.

This way, there's a fallback to the fallback method as there is no
telling where a user or what X application is going to invoke gpg. Well,
obviously there is, but it hinders those working in a shell doing simple
task with gpg!

I'm guessing, the current solution is to assume the user is a dumb X
user. ;-)

(I use both, command line for gpg, as well as Evolution for email which
is set to only call pinentry-gtk-2.)

From searching on the web, there's quite a few others griping about this
same issue.

-- 
Roger
http://rogerx.freeshell.org

From benjamin at py-soft.co.uk Sun May 31 14:09:23 2009
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Sun, 31 May 2009 13:09:23 +0100
Subject: Avoid pinentry-gtk-2 when using console!
In-Reply-To: <1243748967.26799.11.camel@localhost2.local>
References: <1243717106.6645.34.camel@localhost2.local> <1243748967.26799.11.camel@localhost2.local>
Message-ID: <732076a80905310509r359a5700j36aee6d16e16359c@mail.gmail.com>

2009/5/31 Roger :
> From searching on the web, there's quite a few others griping about this
> same issue.

I do wish people would stop complaining about open source
software and actually roll their sleeves up and do something to
help.

One solution, create a symbolic link in your home directory to
whatever pinentry you want to use at a particular time, and point your
gpg-agent config to that, eg in ~/.gnupg/gpg-agent - pinentry-program
/home/gpguser/.gnupg/use-this-pinentry

So when X starts have your link, say ~/.gnupg/use-this-pinentry point
to the X one, when you start a shell, modify the link for
~/.gpg-agent/use-this-pinentry to the curses one - easy enough to
achieve with the bash login/out scripts.

Alternatively, modify the code for gpg-agent to achieve what you want
and submit to Werner for evaluation.

Ben

From mo at g10code.com Sun May 31 15:08:43 2009
From: mo at g10code.com (Moritz Schulte)
Date: 31 May 2009 15:08:43 +0200
Subject: Avoid pinentry-gtk-2 when using console!
In-Reply-To: <1243717106.6645.34.camel@localhost2.local>
References: <1243717106.6645.34.camel@localhost2.local>
Message-ID: <4A22815B.6050205@g10code.com>

> This bugs me because I'm working on the console and have to move my
> fingers from the keyboard to my mouse (or whatever) to enter the pin
> into the X widget instead of console!

Actually, the graphical pinentry should capture the keyboard focus and
thus make it unnecessary to use the mouse in this situation. What
pinentry GUI are you using (GTK+ or Qt?) and what pinentry version is this?

Thanks,
mo

From darylstyrk at gmail.com Sun May 31 15:31:06 2009
From: darylstyrk at gmail.com (Daryl Styrk)
Date: Sun, 31 May 2009 09:31:06 -0400
Subject: Avoid pinentry-gtk-2 when using console!
In-Reply-To: <732076a80905310509r359a5700j36aee6d16e16359c@mail.gmail.com>
References: <1243717106.6645.34.camel@localhost2.local> <1243748967.26799.11.camel@localhost2.local> <732076a80905310509r359a5700j36aee6d16e16359c@mail.gmail.com>
Message-ID: <20090531133106.GA24911@daryls.homelinux.net>

On Sun, May 31, 2009 at 01:09:23PM +0100, Benjamin Donnachie wrote:
> I do wish people would stop complaining about open source
> software and actually roll their sleeves up and do something to
> help.

Working my way through the 'Llama' book at the moment.. We'll see where
that goes.

-- 
Daryl Styrk
Naples, FL USA

From rogerx at sdf.lonestar.org Sun May 31 23:37:29 2009
From: rogerx at sdf.lonestar.org (Roger)
Date: Sun, 31 May 2009 13:37:29 -0800
Subject: Avoid pinentry-gtk-2 when using console!
In-Reply-To: <732076a80905310509r359a5700j36aee6d16e16359c@mail.gmail.com>
References: <1243717106.6645.34.camel@localhost2.local> <1243748967.26799.11.camel@localhost2.local> <732076a80905310509r359a5700j36aee6d16e16359c@mail.gmail.com>
Message-ID: <1243805850.2871.3.camel@localhost2.local>

On Sun, 2009-05-31 at 13:09 +0100, Benjamin Donnachie wrote:
> 2009/5/31 Roger :
> > From searching on the web, there's quite a few others griping about this
> > same issue.
>
> I do wish people would stop complaining about open source
> software and actually roll their sleeves up and do something to
> help.

I do... when, if ever, I get time now. For others, they did too.
One of them proposed a patch for pinentry and posted the proposal on the
web. ... not sure if they sent it to the mailing list though.

> One solution, create a symbolic link in your home directory to
> whatever pinentry you want to use at a particular time, and point your
> gpg-agent config to that, eg in ~/.gnupg/gpg-agent - pinentry-program
> /home/gpguser/.gnupg/use-this-pinentry
>
> So when X starts have your link, say ~/.gnupg/use-this-pinentry point
> to the X one, when you start a shell, modify the link for
> ~/.gpg-agent/use-this-pinentry to the curses one - easy enough to
> achieve with the bash login/out scripts.

Quick & dirty hack compared to one that is hard coded with if/then.

Besides, I don't use gpg-agent. I got prompted one too many times for my
pin and/or something broke too. Seemed more of a hassle at the current
time, so I recompiled everything on my Gentoo box here to not use
gpg-agent. Besides, I'm the only one using this computer/network and
thought it was overkill.

> Alternatively, modify the code for gpg-agent to achieve what you want
> and submit to Werner for evaluation.

-- 
Roger
http://rogerx.freeshell.org

From rogerx at sdf.lonestar.org Sun May 31 23:45:59 2009
From: rogerx at sdf.lonestar.org (Roger)
Date: Sun, 31 May 2009 13:45:59 -0800
Subject: Avoid pinentry-gtk-2 when using console!
In-Reply-To: <4A22815B.6050205@g10code.com>
References: <1243717106.6645.34.camel@localhost2.local> <4A22815B.6050205@g10code.com>
Message-ID: <1243806360.2871.12.camel@localhost2.local>

On Sun, 2009-05-31 at 15:08 +0200, Moritz Schulte wrote:
> > This bugs me because I'm working on the console and have to move my
> > fingers from the keyboard to my mouse (or whatever) to enter the pin
> > into the X widget instead of console!
>
> Actually, the graphical pinentry should capture the keyboard focus and
> thus make it unnecessary to use the mouse in this situation. What
> pinentry GUI are you using (GTK+ or Qt?) and what pinentry version is this?
>
> Thanks,
> mo

Unless one has configured the console window to always "stay on top" of
other windows.

... however, I have to move my eyeballs to the center of the display &
type instead of keeping my eyes at the console & typing.

I know this sounds ridiculous, but when you consider a console/terminal
to be as good look'n as a girl, and then you're made to a X window and
forced to type in it, it just feels ridiculous. Think most folks who
praise the console Gods, feel the same way.

-- 
Roger
http://rogerx.freeshell.org

From benjamin at py-soft.co.uk Sun May 31 23:52:50 2009
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Sun, 31 May 2009 22:52:50 +0100
Subject: Avoid pinentry-gtk-2 when using console!
In-Reply-To: <1243806360.2871.12.camel@localhost2.local>
References: <1243717106.6645.34.camel@localhost2.local> <4A22815B.6050205@g10code.com> <1243806360.2871.12.camel@localhost2.local>
Message-ID: <732076a80905311452p6ca6968fs5d6521ebcf1fc481@mail.gmail.com>

2009/5/31 Roger :
> I know this sounds ridiculous, but when you consider a console/terminal
> to be as good look'n as a girl, and then you're made to a X window and
> forced to type in it, it just feels ridiculous. Think most folks who
> praise the console Gods, feel the same way.

Enable passphrase caching, just enter it the once and be done with it.

Ben
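
An added example for the "how to sign files inside a folder?" thread above, not code from any of the posters: it writes a detached signature beside each matching file, keeps file names with spaces intact, leaves the passphrase off the command line, and re-checks the tree afterwards. The names sign_tree, verify_tree, SIGN_KEY and GPG are assumptions made for this example; the passphrase is assumed to come from gpg-agent/pinentry or the terminal.

```shell
#!/bin/sh
# Added example: detached-sign, then verify, every matching file in a tree.
# Assumptions: SIGN_KEY holds the signing key id; GPG optionally names the
# gpg binary; the passphrase is supplied by gpg-agent/pinentry or the terminal,
# not by a --passphrase argument (which shows up in process listings).

# sign_tree DIR [PATTERN]: write FILE.sig beside each match; list failures.
sign_tree() (
    top=${1:?usage: sign_tree DIR [PATTERN]}
    pattern=${2:-*.txt}
    : "${SIGN_KEY:?set SIGN_KEY to the signing key id}"
    case $top in -*) top=./$top ;; esac   # a path must never parse as an option
    # find passes names to the inner sh as arguments, so spaces and newlines
    # in file names survive, unlike a for loop over $(find ...) output.
    failed=$(GPG=${GPG:-gpg} SIGN_KEY=$SIGN_KEY \
        find "$top" -type f -iname "$pattern" -exec sh -c '
            for f do
                "$GPG" --yes -u "$SIGN_KEY" --output "$f.sig" \
                    --detach-sign "$f" >/dev/null || printf "FAILED %s\n" "$f"
            done' sh {} +)
    [ -z "$failed" ] && return 0
    printf '%s\n' "$failed" >&2
    return 1
)

# verify_tree DIR [PATTERN]: print UNSIGNED/BAD lines; non-zero if any.
verify_tree() (
    top=${1:?usage: verify_tree DIR [PATTERN]}
    pattern=${2:-*.txt}
    case $top in -*) top=./$top ;; esac
    report=$(GPG=${GPG:-gpg} \
        find "$top" -type f -iname "$pattern" -exec sh -c '
            for f do
                if [ ! -f "$f.sig" ]; then
                    printf "UNSIGNED %s\n" "$f"
                elif ! "$GPG" --verify "$f.sig" "$f" >/dev/null 2>&1; then
                    printf "BAD %s\n" "$f"
                fi
            done' sh {} +)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
)
```

verify_tree treats a good signature from any key in the keyring as valid; restrict the keyring or inspect gpg's status output when only one signer is acceptable.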