From dkg at fifthhorseman.net Thu Oct 1 00:00:50 2009
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 30 Sep 2009 18:00:50 -0400
Subject: choosing an encryption target from a User ID
In-Reply-To: <200909302332.36254@thufir.ingo-kloecker.de>
References: <4AB90539.7020809@fifthhorseman.net> <200909292232.29640@thufir.ingo-kloecker.de> <4AC285DE.2050806@fifthhorseman.net> <200909302332.36254@thufir.ingo-kloecker.de>
Message-ID: <4AC3D512.4060501@fifthhorseman.net>

On 09/30/2009 05:32 PM, Ingo Klöcker wrote:
> Hmm, AFAIU, for someone who does not blindly certify such keys this
> shouldn't be a problem since those malicious keys wouldn't be valid and
> thus wouldn't take preference over a valid key ... unless somebody else
> this person trusts is trying to screw them.

The current gpg behavior is to use the first key with a matching User ID,
regardless of the validity of that User ID.  So this causes (at best)
warnings and alerts about using an invalid key or (at worst) lets someone
with marginal ownertrust abuse the user by taking precedence over a
fully-trusted certification if the keyring happens to be ordered in a
certain way.

--dkg

PS i hear you about being paranoid and preferring to only trust my own
certifications.  but the larger pool there is of people who understand the
two simple concepts, the more comfortable i am granting trusted individuals
marginal ownertrust, and taking advantage of the WoT to verify identities
i've yet to directly verify myself.  It's way better than trusting
$DEITY-knows-who that comes pre-configured by default in web browsers these
days ;)

From: kloecker at kde.org (Ingo Klöcker)
Date: Thu, 01 Oct 2009 00:21:54 +0200
Subject: Decryption Fails on UserName but not on EmailAddress ???
In-Reply-To: <25661872.post@talk.nabble.com>
References: <25577787.post@talk.nabble.com> <25661872.post@talk.nabble.com>
Message-ID: <200910010021.55226@thufir.ingo-kloecker.de>

On Tuesday 29 September 2009, nschroth wrote:
> Interesting.  The key is not listed twice, but...
>
> --list-keys PrimaryUserName shows ALL THREE keys while
> --list-keys PrimaryEmailAddress shows only the primary host key.
>
> Could it be that the name I used for the primary key was CompanyName
> and the email addresses for all the people had that as their domain
> (ex: Bill at companyname.com) ???

Makes sense.  gpg --list-keys foo will list all keys where one of the
user IDs contains the three letters "foo" (substring match).  Please read
the section "HOW TO SPECIFY A USER ID" in the manual page of gpg
(man gpg) for the different possibilities to specify what key(s) to use
for some operation with gpg.

Regards,
Ingo

From: ABrown at milbank.com (Brown, Annette)
Date: Thu, 1 Oct 2009 08:13:53 +0100
Subject: GPG Software
Message-ID: <7252B42E1ACBB64ABAE3F0D82E0FC7DE03DE78EC@exln1.milbank.local>

I wonder if you can help?  One of our partners has had this loaded via an
e-mail he received, and for some reason since it has been loaded the search
function on his Outlook has stopped working properly.  Is there a
particular way in which to remove this software from his machine?

Many thanks.

Annette
_____________________________
Annette Brown | Milbank
10 Gresham Street | London | EC2V 7JD
T: +44 (0)20 7615 3132 | F: +44 (0)20 7615 3100
abrown at milbank.com | www.milbank.com

=======================================================================
IRS Circular 230 Disclosure: U.S. federal tax advice in the foregoing
message from Milbank, Tweed, Hadley & McCloy LLP is not intended or written
to be, and cannot be used, by any person for the purpose of avoiding tax
penalties that may be imposed regarding the transactions or matters
addressed. Some of that advice may have been written to support the
promotion or marketing of the transactions or matters addressed within the
meaning of IRS Circular 230, in which case you should seek advice based on
your particular circumstances from an independent tax advisor.
=======================================================================
This e-mail message may contain legally privileged and/or confidential
information. If you are not the intended recipient(s), or the employee or
agent responsible for delivery of this message to the intended
recipient(s), you are hereby notified that any dissemination, distribution
or copying of this e-mail message is strictly prohibited. If you have
received this message in error, please immediately notify the sender and
delete this e-mail message from your computer.

From: Michael.GRIFFITHS at arc-intl.com (michael GRIFFITHS)
Date: Fri, 2 Oct 2009 12:24:02 +0200
Subject: GPG Software
In-Reply-To: <7252B42E1ACBB64ABAE3F0D82E0FC7DE03DE78EC@exln1.milbank.local>
References: <7252B42E1ACBB64ABAE3F0D82E0FC7DE03DE78EC@exln1.milbank.local>
Message-ID: <6740B3A8EA1647478669675F861F16CF04FC2D7C@MAILFR1.emea.dmai.net>

Hi Annette,

First, GPG wouldn't have been loaded on its own via email; this would
require user installation.

Which Outlook version is he running?  Also, I am running Outlook 2003 with
GPG installed and my search function works OK.  How are they trying to do
a search?

Regards,

________________________________
Michael Griffiths - IT Systems Administrator
Direct dial: +44 (0) 113 2763422 | Office: +44 (0) 113 2710033 - Ext: 203 | Mobile: +44 (0) 788 1957504
Address: Arc House | Middleton Grove | Beeston | Leeds | LS11 5BX | UK
Email: michael.griffiths at arc-intl.com
Please consider the environment before printing this email.
________________________________
________________________________
From: gnupg-users-bounces at gnupg.org [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Brown, Annette
Sent: 01 October 2009 08:14
To: Gnupg-users at gnupg.org
Subject: GPG Software

I wonder if you can help?  One of our partners has had this loaded via an
e-mail he received, and for some reason since it has been loaded the search
function on his Outlook has stopped working properly.  Is there a
particular way in which to remove this software from his machine?

Many thanks.

Annette

To ensure an optimal service, the ARC INTERNATIONAL Group uses the most
powerful antiviruses and antispam systems currently available.
This message and any attachments (the "message") are intended solely for
the addressees and are confidential. If you receive this message in error,
please delete it and immediately notify the sender. Any use not in
accordance with its purpose, any dissemination or disclosure, either in
whole or in part, is prohibited without formal approval. The internet
cannot guarantee the integrity of this message; ARC INTERNATIONAL (and its
subsidiaries) shall (will) not therefore be liable for the message if
modified.

From: Michael.GRIFFITHS at arc-intl.com (michael GRIFFITHS)
Date: Fri, 2 Oct 2009 12:26:54 +0200
Subject: GPG Software
In-Reply-To: <7252B42E1ACBB64ABAE3F0D82E0FC7DE03DE78EC@exln1.milbank.local>
References: <7252B42E1ACBB64ABAE3F0D82E0FC7DE03DE78EC@exln1.milbank.local>
Message-ID: <6740B3A8EA1647478669675F861F16CF04FC2D7E@MAILFR1.emea.dmai.net>

Sorry, I forgot to actually answer your question.

It will appear under Add/Remove Programs.  For Windows it will most likely
be named "GnuPG for Windows".

________________________________
Michael Griffiths - IT Systems Administrator
Direct dial: +44 (0) 113 2763422 | Office: +44 (0) 113 2710033 - Ext: 203 | Mobile: +44 (0) 788 1957504
Address: Arc House | Middleton Grove | Beeston | Leeds | LS11 5BX | UK
Email: michael.griffiths at arc-intl.com
Please consider the environment before printing this email.
________________________________
________________________________
From: gnupg-users-bounces at gnupg.org [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Brown, Annette
Sent: 01 October 2009 08:14
To: Gnupg-users at gnupg.org
Subject: GPG Software

I wonder if you can help?  One of our partners has had this loaded via an
e-mail he received, and for some reason since it has been loaded the search
function on his Outlook has stopped working properly.  Is there a
particular way in which to remove this software from his machine?

Many thanks.

Annette

From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Fri, 02 Oct 2009 06:40:28 -0400
Subject: GPG Software
In-Reply-To: <6740B3A8EA1647478669675F861F16CF04FC2D7E@MAILFR1.emea.dmai.net>
References: <7252B42E1ACBB64ABAE3F0D82E0FC7DE03DE78EC@exln1.milbank.local> <6740B3A8EA1647478669675F861F16CF04FC2D7E@MAILFR1.emea.dmai.net>
Message-ID: <4AC5D89C.5010208@bellsouth.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

michael GRIFFITHS wrote:
> Sorry I forgot to actually answer your question.
> It will appear under the add/remove programs. For windows it will most
> likely be named "GnuPG for windows"

IIRC, it will appear under Add/Remove Programs as GPGOL.  [GPG /for/ Outlook]

JOHN ;)
Timestamp: Friday 02 Oct 2009, 06:40 --400 (Eastern Daylight Time)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Public Key at: http://tinyurl.com/8cpho
Comment: Gossamer Spider Web of Trust: http://www.gswot.org
Comment: Personal Web Page: http://tinyurl.com/yzhbhx

iQEcBAEBCgAGBQJKxdiaAAoJEBCGy9eAtCsPbxgH/1nWTl0gQz7xtpluar+mQgDd
p0bxpR/f1crSt6Uwy2jOOa2cK+N4Qmj66skfxy25uUlkVcblhGoi+ISj75J+wF2J
MjAMMNlME6Z9cJgXZXNfZclwzXbCV0/qCn3VzwZybWmrKXIywlV+AZ4o3g/pYYfc
sjGmYKs5ejZ9zKsSFBI02+6rPBttKLFxEjXO98890J8GA9tXNtxk28jxy98T13/6
os/4zdl+R1J0brqLJZFRsHswGeKuvCdENEnoU7wXekPq1lCuTeKCkvifIpSH++6W
3l88gGgoXivS48YBU2go2VkhrC3LA/RS6VRGudQFCBUoaeQhzVAEYXo7utPoMuw=
=NIqC
-----END PGP SIGNATURE-----

From: kloecker at kde.org (Ingo Klöcker)
Date: Fri, 02 Oct 2009 21:12:36 +0200
Subject: choosing an encryption target from a User ID
In-Reply-To: <4AC3D512.4060501@fifthhorseman.net>
References: <4AB90539.7020809@fifthhorseman.net> <200909302332.36254@thufir.ingo-kloecker.de> <4AC3D512.4060501@fifthhorseman.net>
Message-ID: <200910022112.36733@thufir.ingo-kloecker.de>

On Thursday 01 October 2009, Daniel Kahn Gillmor wrote:
> On 09/30/2009 05:32 PM, Ingo Klöcker wrote:
> > Hmm, AFAIU, for someone who does not blindly certify such keys this
> > shouldn't be a problem since those malicious keys wouldn't be valid
> > and thus wouldn't take preference over a valid key ... unless
> > somebody else this person trusts is trying to screw them.
>
> The current gpg behavior is to use the first key with a matching User
> ID, regardless of the validity of that User ID.  So this causes (at
> best) warnings and alerts about using an invalid key or (at worst)
> lets someone with marginal ownertrust abuse the user by taking
> precedence over a fully-trusted certification if the keyring happens
> to be ordered in a certain way.

Indeed.  That's a weird policy.

Regards,
Ingo

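The two problems raised in this thread (gpg picking the first key whose User ID merely contains the pattern, and doing so regardless of that User ID's validity) can be avoided by choosing the recipient key yourself from the machine-readable listing and handing gpg a fingerprint. The following is an added example, not GnuPG code and not from either poster: it parses gpg --with-colons --list-keys output and returns a key only when the address matches a User ID exactly and that User ID is fully or ultimately valid. The listing embedded below is constructed for the example; the field positions it relies on are the ones documented in GnuPG's doc/DETAILS.

```python
"""Choose an encryption key for an e-mail address from the output of
gpg --with-colons --list-keys instead of letting gpg take the first User
ID that merely contains the string.  Added example, not GnuPG code.
Field positions are the documented colon-format ones (GnuPG doc/DETAILS):
record type in field 1, validity in field 2, the fingerprint in field 10
of the "fpr" record and the User ID in field 10 of the "uid" record."""

import re

# Constructed sample listing: the first key carrying the User ID
# "Alice <alice@example.org>" is unverified ("-"), the second is fully
# valid ("f"), and a third, fully valid key belongs to a different
# address that happens to contain "alice@example.org" as a substring.
SAMPLE_LISTING = """\
tru::1:1254000000:0:3:1:5
pub:-:2048:1:0A1B2C3D4E5F6071:1254000000:::-:::scESC:
fpr:::::::::1111222233334444555566667777888899990000:
uid:-::::1254000000::0123456789ABCDEF0123456789ABCDEF01234567::Alice <alice@example.org>:
sub:-:2048:1:1122334455667788:1254000000::::::e:
pub:f:2048:1:F1E2D3C4B5A69788:1254000000:::f:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:
uid:f::::1254000000::89ABCDEF0123456789ABCDEF0123456789ABCDEF::Alice <alice@example.org>:
sub:f:2048:1:8877665544332211:1254000000::::::e:
pub:f:2048:1:DEADBEEFCAFEF00D:1254000000:::f:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:f::::1254000000::FEDCBA9876543210FEDCBA9876543210FEDCBA98::Mallory <malice@example.org>:
sub:f:2048:1:0D0C0B0A09080706:1254000000::::::e:
"""

ADDR_RE = re.compile(r"<([^<>\s]+)>\s*$")


def parse_listing(text):
    """Group pub/fpr/uid records into one dict per primary key, in keyring order."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"keyid": f[4], "validity": f[1], "fpr": None, "uids": []})
        elif f[0] == "fpr" and keys and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = f[9]                  # first fpr after pub = primary key
        elif f[0] == "uid" and keys:
            keys[-1]["uids"].append((f[1], f[9]))   # (uid validity, uid string)
    return keys


def uid_address(uid):
    """Extract the <address> part of a User ID, lower-cased, or None."""
    m = ADDR_RE.search(uid)
    return m.group(1).lower() if m else None


def first_substring_match(keys, pattern):
    """What gpg does by default: the first key with a User ID containing
    the pattern, whether or not that User ID is valid."""
    pattern = pattern.lower()
    for k in keys:
        if any(pattern in uid.lower() for _, uid in k["uids"]):
            return k["fpr"]
    return None


def select_encryption_key(keys, address, accept=("f", "u")):
    """Fingerprint of the first usable key with a User ID whose address is
    exactly `address` and whose validity is full or ultimate; None otherwise."""
    address = address.lower()
    for k in keys:
        if k["validity"] in ("r", "e", "d"):        # revoked, expired, disabled
            continue
        for validity, uid in k["uids"]:
            if validity in accept and uid_address(uid) == address:
                return k["fpr"]
    return None


if __name__ == "__main__":
    keys = parse_listing(SAMPLE_LISTING)
    print("gpg default picks:", first_substring_match(keys, "alice@example.org"))
    print("validity-checked :", select_encryption_key(keys, "alice@example.org"))
```

Pass the returned fingerprint to gpg -r; a full fingerprint is an unambiguous key specifier, so keyring order no longer decides which key the message is encrypted to, and an unverified key that happens to sort first is never used silently.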
From: tux.tsndcb at free.fr (tux.tsndcb at free.fr)
Date: Fri, 2 Oct 2009 23:05:04 +0200 (CEST)
Subject: poldi logon screen
In-Reply-To: <1097098412.7302011254170178164.JavaMail.root@zimbra7-e1.priv.proxad.net>
Message-ID: <1884120112.8057441254517504436.JavaMail.root@zimbra7-e1.priv.proxad.net>

Hi,

I'm answering myself: in fact it's a gdm setup.

Best Regards.

----- Original Message -----
From: "tux tsndcb"
To: gnupg-users at gnupg.org
Sent: Monday 28 September 2009 22:36:18 GMT +01:00 Amsterdam / Berlin / Berne / Rome / Stockholm / Vienna
Subject: poldi logon screen

Hi all,

This is the last functionality that I have to set up.  I'm on Debian
squeeze with libpam-poldi 0.4.1-2.  I can log on with my smartcard, so
poldi is OK, but I have the normal Debian logon screen, not the poldi
screen like this one:
http://www.g10code.com/graphics/poldi-screenshot-gdm.png

So my question: how do I get this logon screen?

Thanks in advance for your answer.

Best Regards.
_______________________________________________
Gnupg-users mailing list
Gnupg-users at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

From: talmage at orange.zero.jp (Talmage)
Date: Sun, 4 Oct 2009 19:36:34 +0900
Subject: OpenPGP-Card2.0 and Omnikey Cardman 3021?
In-Reply-To: <874oqk5xy8.fsf@vigenere.g10code.de>
References: <6539A033-8048-4CEC-830A-1819D410CE8E@orange.zero.jp> <874oqk5xy8.fsf@vigenere.g10code.de>
Message-ID:

Werner, thanks for the response.  I figured it was a problem with the
Omnikey, so I went ahead and got a SCR335, only to find out that it gives
the same exact error when generating keys on the card...  I'm starting to
wonder if this is some kind of USB issue with Mac OS Snow Leopard.  My
system is a Mac OS X 10.6 system, with gnupg 1.4.10, and OpenPGPCard v2.0.
I read somewhere that the SCR335 needs the newest firmware, so I updated
the firmware to 5.23, but still the same problem.  Again, here is the
output.  Any clues as to what might be causing this?  Has anyone
successfully used the OpenPGPCard v2.0 on Snow Leopard?

Thanks.
Talmage

--------------------------------
$ gpg --version
gpg (GnuPG) 1.4.10
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
        CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

$ gpg --card-edit

Application ID ...: D27600012401020000050000012E0000
Version ..........: 2.0
Manufacturer .....: ZeitControl
Serial number ....: 0000012E
Name of cardholder: Test User
Language prefs ...: en
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Private DO 1 .....: [not set]
Private DO 2 .....: [not set]
Signature PIN ....: not forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

Command> admin
Admin commands are allowed

Command> generate
Make off-card backup of encryption key? (Y/n) n
Please enter the PIN
What keysize do you want for the Signature key? (2048)
What keysize do you want for the Encryption key? (2048)
What keysize do you want for the Authentication key? (2048)
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) "

Real name: Test User
Email address: test at domain
Comment: TEST2
You selected this USER-ID:
    "Test User (TEST2) "

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
gpg: generating new key
gpg: 3 Admin PIN attempts remaining before card is permanently locked
Please enter the Admin PIN
gpg: please wait while key is being generated ...
gpg: ccid_transceive failed: (0x1000a)
gpg: apdu_send_simple(0) failed: card I/O error
gpg: generating key failed
gpg: key generation failed: general error
Key generation failed: general error

Command> quit

$ gpg --card-status --debug-ccid-driver
gpg: DBG: ccid-driver: using CCID reader 0 (ID=04E6:5115:21120713300395:0)
gpg: DBG: ccid-driver: idVendor: 04E6  idProduct: 5115  bcdDevice: 0523
gpg: DBG: ccid-driver: ChipCard Interface Descriptor:
gpg: DBG: ccid-driver:   bLength             54
gpg: DBG: ccid-driver:   bDescriptorType     33
gpg: DBG: ccid-driver:   bcdCCID             1.10  (Warning: Only accurate for version 1.0)
gpg: DBG: ccid-driver:   nMaxSlotIndex       0
gpg: DBG: ccid-driver:   bVoltageSupport     1  5.0V
gpg: DBG: ccid-driver:   dwProtocols         3  T=0 T=1
gpg: DBG: ccid-driver:   dwDefaultClock      4000
gpg: DBG: ccid-driver:   dwMaxiumumClock     8000
gpg: DBG: ccid-driver:   bNumClockSupported  0
gpg: DBG: ccid-driver:   dwDataRate          10753 bps
gpg: DBG: ccid-driver:   dwMaxDataRate       344105 bps
gpg: DBG: ccid-driver:   bNumDataRatesSupp.  0
gpg: DBG: ccid-driver:   dwMaxIFSD           252
gpg: DBG: ccid-driver:   dwSyncProtocols     00000000
gpg: DBG: ccid-driver:   dwMechanical        00000000
gpg: DBG: ccid-driver:   dwFeatures          000100BA
gpg: DBG: ccid-driver:     Auto configuration based on ATR
gpg: DBG: ccid-driver:     Auto voltage selection
gpg: DBG: ccid-driver:     Auto clock change
gpg: DBG: ccid-driver:     Auto baud rate change
gpg: DBG: ccid-driver:     Auto PPS made by CCID
gpg: DBG: ccid-driver:     TPDU level exchange
gpg: DBG: ccid-driver:   dwMaxCCIDMsgLen     271
gpg: DBG: ccid-driver:   bClassGetResponse   echo
gpg: DBG: ccid-driver:   bClassEnvelope      echo
gpg: DBG: ccid-driver:   wlcdLayout          none
gpg: DBG: ccid-driver:   bPINSupport         0
gpg: DBG: ccid-driver:   bMaxCCIDBusySlots   1
gpg: DBG: ccid-driver: PC_to_RDR_IccPowerOn:
gpg: DBG: ccid-driver:   dwLength ..........: 0
gpg: DBG: ccid-driver:   bSlot .............: 0
gpg: DBG: ccid-driver:   bSeq ..............: 1
gpg: DBG: ccid-driver:   bPowerSelect ......: 0x00 (auto)
gpg: DBG: ccid-driver:   [0008] 00 00
gpg: DBG: ccid-driver: RDR_to_PC_DataBlock:
gpg: DBG: ccid-driver:   dwLength ..........: 21
gpg: DBG: ccid-driver:   bSlot .............: 0
gpg: DBG: ccid-driver:   bSeq ..............: 1
gpg: DBG: ccid-driver:   bStatus ...........: 0
gpg: DBG: ccid-driver:   [0010] 3B DA 18 FF 81 B1
gpg: DBG: ccid-driver:   [0016] FE 75 1F 03 00 31 C5 73 C0 01 40 00 90 00 0C
gpg: DBG: ccid-driver: PC_to_RDR_GetParameters:
gpg: DBG: ccid-driver:   dwLength ..........: 0
gpg: DBG: ccid-driver:   bSlot .............: 0
gpg: DBG: ccid-driver:   bSeq ..............: 2
gpg: DBG: ccid-driver:   [0007] 00 00 00
gpg: DBG: ccid-driver: RDR_to_PC_Parameters:
gpg: DBG: ccid-driver:   dwLength ..........: 7
gpg: DBG: ccid-driver:   bSlot .............: 0
gpg: DBG: ccid-driver:   bSeq ..............: 2
gpg: DBG: ccid-driver:   bStatus ...........: 0
gpg: DBG: ccid-driver:   protocol ..........: T=1
gpg: DBG: ccid-driver:   bmFindexDindex ....: 11
gpg: DBG: ccid-driver:   bmTCCKST1 .........: 10
gpg: DBG: ccid-driver:   bGuardTimeT1 ......: 00
gpg: DBG: ccid-driver:   bmWaitingIntegersT1: 75
gpg: DBG: ccid-driver:   bClockStop ........: 00
gpg: DBG: ccid-driver:   bIFSC .............: 254
gpg: DBG: ccid-driver:   bNadValue .........: 0
gpg: DBG: ccid-driver: PC_to_RDR_SetParameters:
gpg: DBG: ccid-driver:   dwLength ..........: 7
gpg: DBG: ccid-driver:   bSlot .............: 0
gpg: DBG: ccid-driver:   bSeq ..............: 3
gpg: DBG: ccid-driver:   bProtocolNum ......: 0x01
gpg: DBG: ccid-driver:   [0008] 00 00 11 10 00 75 00 FE
gpg: DBG: ccid-driver:   [0016] 00
gpg: DBG: ccid-driver: RDR_to_PC_Parameters:
gpg: DBG: ccid-driver:   dwLength ..........: 7
gpg: DBG: ccid-driver:   bSlot .............: 0
gpg: DBG: ccid-driver:   bSeq ..............: 3
gpg: DBG: ccid-driver:   bStatus ...........: 0
gpg: DBG: ccid-driver:   protocol ..........: T=1
gpg: DBG: ccid-driver:   bmFindexDindex ....: 11
gpg: DBG: ccid-driver:   bmTCCKST1 .........: 10
gpg: DBG: ccid-driver:   bGuardTimeT1 ......: 00
gpg: DBG: ccid-driver:   bmWaitingIntegersT1: 75
gpg: DBG: ccid-driver:   bClockStop ........: 00
gpg: DBG: ccid-driver:   bIFSC .............: 254
gpg: DBG: ccid-driver:   bNadValue .........: 0
gpg: DBG: ccid-driver: PC_to_RDR_XfrBlock:
gpg: DBG: ccid-driver:   dwLength ..........: 5
gpg: DBG: ccid-driver:   bSlot .............: 0
gpg: DBG: ccid-driver:   bSeq ..............: 4
gpg: DBG: ccid-driver:   bBWI ..............: 0x00
gpg: DBG: ccid-driver:   wLevelParameter ...: 0x0000
gpg: DBG: ccid-driver:   [0010] 00 C1 01 FC 3C
gpg: DBG: ccid-driver: RDR_to_PC_DataBlock:
gpg: DBG: ccid-driver:   dwLength ..........: 5
gpg: DBG: ccid-driver:   bSlot .............: 0
gpg: DBG: ccid-driver:   bSeq ..............: 4
gpg: DBG: ccid-driver:   bStatus ...........: 0
gpg: DBG: ccid-driver:   [0010] 00 E1 01 FC 1C
gpg: DBG: ccid-driver: IFSD has been set to 252
gpg: DBG: ccid-driver: PC_to_RDR_XfrBlock:
gpg: DBG: ccid-driver:   dwLength ..........: 15
gpg: DBG: ccid-driver:   bSlot .............: 0
gpg: DBG: ccid-driver:   bSeq ..............: 5
gpg: DBG: ccid-driver:   bBWI ..............: 0x04
gpg: DBG: ccid-driver:   wLevelParameter ...: 0x0000
gpg: DBG: ccid-driver:   [0010] 00 00 0B 00 A4 04
gpg: DBG: ccid-driver:   [0016] 00 06 D2 76 00 01 24 01 2D
gpg: DBG: ccid-driver: RDR_to_PC_DataBlock:
gpg: DBG: ccid-driver:   dwLength ..........: 6
gpg: DBG: ccid-driver:   bSlot .............: 0
gpg: DBG: ccid-driver:   bSeq ..............: 5
gpg: DBG: ccid-driver:   bStatus ...........: 0
gpg: DBG: ccid-driver:   bChainParameter ...: 0x04
gpg: DBG: ccid-driver:   [0010] 00 00 02 90 00 92
gpg: DBG: ccid-driver: PC_to_RDR_XfrBlock:
gpg: DBG: ccid-driver:   dwLength ..........: 9
gpg: DBG: ccid-driver:   bSlot .............: 0
gpg: DBG: ccid-driver:   bSeq ..............: 6
gpg: DBG: ccid-driver:   bBWI ..............: 0x04
gpg: DBG: ccid-driver:   wLevelParameter ...: 0x0000
gpg: DBG: ccid-driver:   [0010] 00 40 05 00 CA 00
gpg: DBG: ccid-driver:   [0016] 4F 00 C0
gpg: DBG: ccid-driver: RDR_to_PC_DataBlock:
gpg: DBG: ccid-driver:   dwLength ..........: 22
gpg: DBG: ccid-driver:   bSlot .............: 0
gpg: DBG: ccid-driver:   bSeq ..............: 6
gpg: DBG: ccid-driver:   bStatus ...........: 0
gpg: DBG: ccid-driver:   bChainParameter ...: 0x04
gpg: DBG: ccid-driver:   [0010] 00 40 12 D2 76 00
gpg: DBG: ccid-driver:   [0016] 01 24 01 02 00 00 05 00 00 01 2E 00 00 90 00 6A
gpg: DBG: ccid-driver: PC_to_RDR_XfrBlock:
gpg: DBG: ccid-driver:   dwLength ..........: 9
gpg: DBG: ccid-driver:   bSlot .............: 0
gpg: DBG: ccid-driver:   bSeq ..............: 7
gpg: DBG: ccid-driver:   bBWI ..............: 0x04
gpg: DBG: ccid-driver:   wLevelParameter ...: 0x0000
gpg: DBG: ccid-driver:   [0010] 00 00 05 00 CA 5F
gpg: DBG: ccid-driver:   [0016] 52 00 C2
gpg: DBG: ccid-driver: RDR_to_PC_DataBlock:
gpg: DBG: ccid-driver:   dwLength ..........: 16
gpg: DBG: ccid-driver:   bSlot .............: 0
gpg: DBG: ccid-driver:   bSeq ..............: 7
gpg: DBG: ccid-driver:   bStatus ...........: 0
gpg: DBG: ccid-driver:   bChainParameter ...: 0x04
gpg: DBG: ccid-driver:   [0010] 00 00 0C 00 31 C5
gpg: DBG: ccid-driver:   [0016] 73 C0 01 40 05 90 00 90 00 0F
gpg: DBG: ccid-driver: PC_to_RDR_XfrBlock:
gpg: DBG: ccid-driver:   dwLength ..........: 9
gpg: DBG: ccid-driver:   bSlot .............: 0
gpg: DBG: ccid-driver:   bSeq ..............: 8
gpg: DBG: ccid-driver:   bBWI ..............: 0x04
gpg: DBG: ccid-driver:   wLevelParameter ...: 0x0000
gpg: DBG: ccid-driver:   [0010] 00 40 05 00 CA 00
gpg: DBG: ccid-driver:   [0016] C4 00 4B
gpg: DBG: ccid-driver: RDR_to_PC_DataBlock:
gpg: DBG: ccid-driver:   dwLength ..........: 13
gpg: DBG: ccid-driver:   bSlot .............: 0
gpg: DBG: ccid-driver:   bSeq ..............: 8
gpg: DBG: ccid-driver:   bStatus ...........: 0
gpg: DBG: ccid-driver:   bChainParameter ...: 0x04
gpg: DBG: ccid-driver:   [0010] 00 40 09 01 20 20
gpg: DBG: ccid-driver:   [0016] 20 03 00 03 90 00 F8
gpg: DBG: ccid-driver: PC_to_RDR_XfrBlock:
gpg: DBG: ccid-driver:   dwLength ..........: 9
gpg: DBG: ccid-driver:   bSlot .............: 0
gpg: DBG: ccid-driver:   bSeq ..............: 9
gpg: DBG: ccid-driver:   bBWI ..............: 0x04
gpg: DBG: ccid-driver:   wLevelParameter ...: 0x0000
gpg: DBG: ccid-driver:   [0010] 00 00 05 00 CA 00
gpg: DBG: ccid-driver:   [0016] 6E 00 A1
gpg: DBG: ccid-driver: RDR_to_PC_DataBlock:
gpg: DBG: ccid-driver:   dwLength ..........: 223
gpg: DBG: ccid-driver:   bSlot .............: 0
gpg: DBG: ccid-driver:   bSeq ..............: 9
gpg: DBG: ccid-driver:   bStatus ...........: 0
gpg: DBG: ccid-driver:   bChainParameter ...: 0x04
gpg: DBG: ccid-driver:   [0010] 00 00 DB 4F 10 D2
gpg: DBG: ccid-driver:   [0016] 76 00 01 24 01 02 00 00 05 00 00 01 2E 00 00 5F
gpg: DBG: ccid-driver:   [0032] 52 0A 00 31 C5 73 C0 01 40 05 90 00 73 81 B7 C0
gpg: DBG: ccid-driver:   [0048] 0A 7C 00 08 00 08 00 08 00 08 00 C1 06 01 08 00
gpg: DBG: ccid-driver:   [0064] 00 20 00 C2 06 01 08 00 00 20 00 C3 06 01 08 00
gpg: DBG: ccid-driver:   [0080] 00 20 00 C4 07 01 20 20 20 03 00 03 C5 3C 00 00
gpg: DBG: ccid-driver:   [0096] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
gpg: DBG: ccid-driver:   [0112] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
gpg: DBG: ccid-driver:   [0128] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
gpg: DBG: ccid-driver:   [0144] 00 00 00 00 00 00 00 00 00 00 C6 3C 00 00 00 00
gpg: DBG: ccid-driver:   [0160] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
gpg: DBG: ccid-driver:   [0176] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
gpg: DBG: ccid-driver:   [0192] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
gpg: DBG: ccid-driver:   [0208] 00 00 00 00 00 00 00 00 CD 0C 00 00 00 00 00 00
gpg: DBG: ccid-driver:   [0224] 00 00 00 00 00 00 90 00 14
gpg: DBG: ccid-driver: PC_to_RDR_XfrBlock:
gpg: DBG: ccid-driver:   dwLength ..........: 9
gpg: DBG: ccid-driver:   bSlot .............: 0
gpg: DBG: ccid-driver:   bSeq ..............: 10
gpg: DBG: ccid-driver:   bBWI ..............: 0x04
gpg: DBG: ccid-driver:   wLevelParameter ...: 0x0000
gpg: DBG: ccid-driver:   [0010] 00 40 05 00 CA 00
gpg: DBG: ccid-driver:   [0016] 5E 00 D1
gpg: DBG: ccid-driver: RDR_to_PC_DataBlock:
gpg: DBG: ccid-driver:   dwLength ..........: 6
gpg: DBG: ccid-driver:   bSlot .............: 0
gpg: DBG: ccid-driver:   bSeq ..............: 10
gpg: DBG: ccid-driver:   bStatus ...........: 0
gpg: DBG: ccid-driver:   bChainParameter ...: 0x04
gpg: DBG: ccid-driver:   [0010] 00 40 02 90 00 D2
gpg: DBG: ccid-driver: PC_to_RDR_XfrBlock:
gpg: DBG: ccid-driver:   dwLength ..........: 9
gpg: DBG: ccid-driver:   bSlot .............: 0
gpg: DBG: ccid-driver:   bSeq ..............: 11
gpg: DBG: ccid-driver:   bBWI ..............: 0x04
gpg: DBG: ccid-driver:   wLevelParameter ...: 0x0000
gpg: DBG: ccid-driver:   [0010] 00 00 05 00 CA 00
gpg: DBG: ccid-driver:   [0016] 6E 00 A1
gpg: DBG: ccid-driver: RDR_to_PC_DataBlock:
gpg: DBG: ccid-driver:   dwLength ..........: 223
gpg: DBG: ccid-driver:   bSlot .............: 0
gpg: DBG: ccid-driver:   bSeq ..............: 11
gpg: DBG: ccid-driver:   bStatus ...........: 0
gpg: DBG: ccid-driver:   bChainParameter ...: 0x04
gpg: DBG: ccid-driver:   [0010] 00 00 DB 4F 10 D2
gpg: DBG: ccid-driver:   [0016] 76 00 01 24 01 02 00 00 05 00 00 01 2E 00 00 5F
gpg: DBG: ccid-driver:   [0032] 52 0A 00 31 C5 73 C0 01 40 05 90 00 73 81 B7 C0
gpg: DBG: ccid-driver:   [0048] 0A 7C 00 08 00 08 00 08 00 08 00 C1 06 01 08 00
gpg: DBG: ccid-driver:   [0064] 00 20 00 C2 06 01 08 00 00 20 00 C3 06 01 08 00
gpg: DBG: ccid-driver:   [0080] 00 20 00 C4 07 01 20 20 20 03 00 03 C5 3C 00 00
gpg: DBG: ccid-driver:   [0096] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
gpg: DBG: ccid-driver:   [0112] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
gpg: DBG: ccid-driver:   [0128] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
gpg: DBG: ccid-driver:   [0144] 00 00 00 00 00 00 00 00 00 00 C6 3C 00 00 00 00
gpg: DBG: ccid-driver:   [0160] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
gpg: DBG: ccid-driver:   [0176] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
gpg: DBG: ccid-driver:   [0192] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
gpg: DBG: ccid-driver:   [0208] 00 00 00 00 00 00 00 00 CD 0C 00 00 00 00 00 00
gpg: DBG: ccid-driver:   [0224] 00 00 00 00 00 00 90 00 14
gpg: DBG: ccid-driver: PC_to_RDR_XfrBlock:
gpg: DBG: ccid-driver:   dwLength ..........: 9
gpg: DBG: ccid-driver:   bSlot .............: 0
gpg: DBG: ccid-driver:   bSeq ..............: 12
gpg: DBG: ccid-driver:   bBWI ..............: 0x04
gpg: DBG: ccid-driver:   wLevelParameter ...: 0x0000
gpg: DBG: ccid-driver:   [0010] 00 40 05 00 CA 00
gpg: DBG: ccid-driver:   [0016] 6E 00 E1
gpg: DBG: ccid-driver: RDR_to_PC_DataBlock:
gpg: DBG: ccid-driver:   dwLength ..........: 223
gpg: DBG: ccid-driver:   bSlot .............: 0
gpg: DBG: ccid-driver:   bSeq ..............: 12
gpg: DBG: ccid-driver:   bStatus ...........: 0
gpg: DBG: ccid-driver:   bChainParameter ...: 0x04
gpg: DBG: ccid-driver:   [0010] 00 40 DB 4F 10 D2
gpg: DBG: ccid-driver:   [0016] 76 00 01 24 01 02 00 00 05 00 00 01 2E 00 00 5F
gpg: DBG: ccid-driver:   [0032] 52 0A 00 31 C5 73 C0 01 40 05 90 00 73 81 B7 C0
gpg: DBG: ccid-driver:   [0048] 0A 7C 00 08 00 08 00 08 00 08 00 C1 06 01 08 00
gpg: DBG: ccid-driver:   [0064] 00 20 00 C2 06 01 08 00 00 20 00 C3 06 01 08 00
gpg: DBG: ccid-driver:   [0080] 00 20 00 C4 07 01 20 20 20 03 00 03 C5 3C 00 00
gpg: DBG: ccid-driver:   [0096] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
gpg: DBG: ccid-driver:   [0112] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
gpg: DBG: ccid-driver:   [0128] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
gpg: DBG: ccid-driver:   [0144] 00 00 00 00 00 00 00 00 00 00 C6 3C 00 00 00 00
gpg: DBG: ccid-driver:   [0160] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
gpg: DBG: ccid-driver:   [0176] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
gpg: DBG: ccid-driver:   [0192] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
gpg: DBG: ccid-driver:   [0208] 00 00 00 00 00 00 00 00 CD 0C 00 00 00 00 00 00
gpg: DBG: ccid-driver:   [0224] 00 00 00 00 00 00 90 00 54
gpg: DBG: ccid-driver: PC_to_RDR_XfrBlock:
gpg: DBG: ccid-driver:   dwLength ..........: 9
gpg: DBG: ccid-driver:   bSlot .............: 0
gpg: DBG: ccid-driver:   bSeq ..............: 13
gpg: DBG: ccid-driver:   bBWI ..............: 0x04
gpg: DBG: ccid-driver:   wLevelParameter ...: 0x0000
gpg: DBG: ccid-driver:   [0010] 00 00 05 00 CA 00
gpg: DBG: ccid-driver:   [0016] 6E 00 A1
gpg: DBG: ccid-driver: RDR_to_PC_DataBlock:
gpg: DBG: ccid-driver:   dwLength ..........: 223
gpg: DBG: ccid-driver:   bSlot .............: 0
gpg: DBG: ccid-driver:   bSeq ..............: 13
gpg: DBG: ccid-driver:   bStatus ...........: 0
gpg: DBG: ccid-driver:   bChainParameter ...: 0x04
gpg: DBG: ccid-driver:   [0010] 00 00 DB 4F 10 D2
gpg: DBG: ccid-driver:   [0016] 76 00 01 24 01 02 00 00 05 00 00 01 2E 00 00 5F
gpg: DBG: ccid-driver:   [0032] 52 0A 00 31 C5 73 C0 01 40 05 90 00 73 81 B7 C0
gpg: DBG: ccid-driver:   [0048] 0A 7C 00 08 00 08 00 08 00 08 00 C1 06 01 08 00
gpg: DBG: ccid-driver:   [0064] 00 20 00 C2 06 01 08 00 00 20 00 C3 06 01 08 00
gpg: DBG: ccid-driver:   [0080] 00 20 00 C4 07 01 20 20 20 03 00 03 C5 3C 00 00
gpg: DBG: ccid-driver:   [0096] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
gpg: DBG: ccid-driver:   [0112] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
gpg: DBG: ccid-driver:   [0128] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
gpg: DBG: ccid-driver:   [0144] 00 00 00 00 00 00 00 00 00 00 C6 3C 00 00 00 00
gpg: DBG: ccid-driver:   [0160] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
gpg: DBG: ccid-driver:   [0176] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
gpg: DBG: ccid-driver:   [0192] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
gpg: DBG: ccid-driver:   [0208] 00 00 00 00 00 00 00 00 CD 0C 00 00 00 00 00 00
gpg: DBG: ccid-driver:   [0224] 00 00 00 00 00 00 90 00 14
gpg: DBG: ccid-driver: PC_to_RDR_XfrBlock:
gpg: DBG: ccid-driver:   dwLength ..........: 9
gpg: DBG: ccid-driver:   bSlot .............: 0
gpg: DBG: ccid-driver:   bSeq ..............: 14
gpg: DBG: ccid-driver:   bBWI ..............: 0x04
gpg: DBG: ccid-driver:   wLevelParameter ...: 0x0000
gpg: DBG: ccid-driver:   [0010] 00 40 05 00 CA 00
gpg: DBG: ccid-driver:   [0016] 65 00 EA
gpg: DBG: ccid-driver: RDR_to_PC_DataBlock:
gpg: DBG: ccid-driver:   dwLength ..........: 27
gpg: DBG: ccid-driver:   bSlot .............: 0
gpg: DBG: ccid-driver: bSeq ..............: 14 gpg: DBG: ccid-driver: bStatus ...........: 0 gpg: DBG: ccid-driver: bChainParameter ...: 0x04 gpg: DBG: ccid-driver: [0010] 00 40 17 5B 0A 55 gpg: DBG: ccid-driver: [0016] 73 65 72 3C 3C 54 65 73 74 5F 2D 02 65 6E 5F 35 gpg: DBG: ccid-driver: [0032] 01 39 90 00 B8 gpg: DBG: ccid-driver: PC_to_RDR_XfrBlock: gpg: DBG: ccid-driver: dwLength ..........: 9 gpg: DBG: ccid-driver: bSlot .............: 0 gpg: DBG: ccid-driver: bSeq ..............: 15 gpg: DBG: ccid-driver: bBWI ..............: 0x04 gpg: DBG: ccid-driver: wLevelParameter ...: 0x0000 gpg: DBG: ccid-driver: [0010] 00 00 05 00 CA 5F gpg: DBG: ccid-driver: [0016] 50 00 C0 gpg: DBG: ccid-driver: RDR_to_PC_DataBlock: gpg: DBG: ccid-driver: dwLength ..........: 6 gpg: DBG: ccid-driver: bSlot .............: 0 gpg: DBG: ccid-driver: bSeq ..............: 15 gpg: DBG: ccid-driver: bStatus ...........: 0 gpg: DBG: ccid-driver: bChainParameter ...: 0x04 gpg: DBG: ccid-driver: [0010] 00 00 02 90 00 92gpg: DBG: ccid- driver: PC_to_RDR_XfrBlock: gpg: DBG: ccid-driver: dwLength ..........: 9 gpg: DBG: ccid-driver: bSlot .............: 0 gpg: DBG: ccid-driver: bSeq ..............: 16 gpg: DBG: ccid-driver: bBWI ..............: 0x04 gpg: DBG: ccid-driver: wLevelParameter ...: 0x0000 gpg: DBG: ccid-driver: [0010] 00 40 05 00 CA 00 gpg: DBG: ccid-driver: [0016] 6E 00 E1 gpg: DBG: ccid-driver: RDR_to_PC_DataBlock: gpg: DBG: ccid-driver: dwLength ..........: 223 gpg: DBG: ccid-driver: bSlot .............: 0 gpg: DBG: ccid-driver: bSeq ..............: 16 gpg: DBG: ccid-driver: bStatus ...........: 0 gpg: DBG: ccid-driver: bChainParameter ...: 0x04 gpg: DBG: ccid-driver: [0010] 00 40 DB 4F 10 D2 gpg: DBG: ccid-driver: [0016] 76 00 01 24 01 02 00 00 05 00 00 01 2E 00 00 5F gpg: DBG: ccid-driver: [0032] 52 0A 00 31 C5 73 C0 01 40 05 90 00 73 81 B7 C0 gpg: DBG: ccid-driver: [0048] 0A 7C 00 08 00 08 00 08 00 08 00 C1 06 01 08 00 gpg: DBG: ccid-driver: [0064] 00 20 00 C2 06 01 08 00 00 20 
00 C3 06 01 08 00 gpg: DBG: ccid-driver: [0080] 00 20 00 C4 07 01 20 20 20 03 00 03 C5 3C 00 00 gpg: DBG: ccid-driver: [0096] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 gpg: DBG: ccid-driver: [0112] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 gpg: DBG: ccid-driver: [0128] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 gpg: DBG: ccid-driver: [0144] 00 00 00 00 00 00 00 00 00 00 C6 3C 00 00 00 00 gpg: DBG: ccid-driver: [0160] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 gpg: DBG: ccid-driver: [0176] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 gpg: DBG: ccid-driver: [0192] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 gpg: DBG: ccid-driver: [0208] 00 00 00 00 00 00 00 00 CD 0C 00 00 00 00 00 00 gpg: DBG: ccid-driver: [0224] 00 00 00 00 00 00 90 00 54 gpg: DBG: ccid-driver: PC_to_RDR_XfrBlock: gpg: DBG: ccid-driver: dwLength ..........: 9 gpg: DBG: ccid-driver: bSlot .............: 0 gpg: DBG: ccid-driver: bSeq ..............: 17 gpg: DBG: ccid-driver: bBWI ..............: 0x04 gpg: DBG: ccid-driver: wLevelParameter ...: 0x0000 gpg: DBG: ccid-driver: [0010] 00 00 05 00 CA 00 gpg: DBG: ccid-driver: [0016] C4 00 0B gpg: DBG: ccid-driver: RDR_to_PC_DataBlock: gpg: DBG: ccid-driver: dwLength ..........: 13 gpg: DBG: ccid-driver: bSlot .............: 0 gpg: DBG: ccid-driver: bSeq ..............: 17 gpg: DBG: ccid-driver: bStatus ...........: 0 gpg: DBG: ccid-driver: bChainParameter ...: 0x04 gpg: DBG: ccid-driver: [0010] 00 00 09 01 20 20 gpg: DBG: ccid-driver: [0016] 20 03 00 03 90 00 B8 gpg: DBG: ccid-driver: PC_to_RDR_XfrBlock: gpg: DBG: ccid-driver: dwLength ..........: 9 gpg: DBG: ccid-driver: bSlot .............: 0 gpg: DBG: ccid-driver: bSeq ..............: 18 gpg: DBG: ccid-driver: bBWI ..............: 0x04 gpg: DBG: ccid-driver: wLevelParameter ...: 0x0000 gpg: DBG: ccid-driver: [0010] 00 40 05 00 CA 00 gpg: DBG: ccid-driver: [0016] 7A 00 F5 gpg: DBG: ccid-driver: RDR_to_PC_DataBlock: gpg: DBG: ccid-driver: dwLength ..........: 11 gpg: DBG: 
ccid-driver: bSlot .............: 0 gpg: DBG: ccid-driver: bSeq ..............: 18 gpg: DBG: ccid-driver: bStatus ...........: 0 gpg: DBG: ccid-driver: bChainParameter ...: 0x04 gpg: DBG: ccid-driver: [0010] 00 40 07 93 03 00 gpg: DBG: ccid-driver: [0016] 00 00 90 00 47 gpg: DBG: ccid-driver: PC_to_RDR_XfrBlock: gpg: DBG: ccid-driver: dwLength ..........: 9 gpg: DBG: ccid-driver: bSlot .............: 0 gpg: DBG: ccid-driver: bSeq ..............: 19 gpg: DBG: ccid-driver: bBWI ..............: 0x04 gpg: DBG: ccid-driver: wLevelParameter ...: 0x0000 gpg: DBG: ccid-driver: [0010] 00 00 05 00 CA 01 gpg: DBG: ccid-driver: [0016] 01 00 CF gpg: DBG: ccid-driver: RDR_to_PC_DataBlock: gpg: DBG: ccid-driver: dwLength ..........: 6 gpg: DBG: ccid-driver: bSlot .............: 0 gpg: DBG: ccid-driver: bSeq ..............: 19 gpg: DBG: ccid-driver: bStatus ...........: 0 gpg: DBG: ccid-driver: bChainParameter ...: 0x04 gpg: DBG: ccid-driver: [0010] 00 00 02 90 00 92gpg: DBG: ccid- driver: PC_to_RDR_XfrBlock: gpg: DBG: ccid-driver: dwLength ..........: 9 gpg: DBG: ccid-driver: bSlot .............: 0 gpg: DBG: ccid-driver: bSeq ..............: 20 gpg: DBG: ccid-driver: bBWI ..............: 0x04 gpg: DBG: ccid-driver: wLevelParameter ...: 0x0000 gpg: DBG: ccid-driver: [0010] 00 40 05 00 CA 01 gpg: DBG: ccid-driver: [0016] 02 00 8C gpg: DBG: ccid-driver: RDR_to_PC_DataBlock: gpg: DBG: ccid-driver: dwLength ..........: 6 gpg: DBG: ccid-driver: bSlot .............: 0 gpg: DBG: ccid-driver: bSeq ..............: 20 gpg: DBG: ccid-driver: bStatus ...........: 0 gpg: DBG: ccid-driver: bChainParameter ...: 0x04 gpg: DBG: ccid-driver: [0010] 00 40 02 90 00 D2Application ID ...: D27600012401020000050000012E0000 Version ..........: 2.0 Manufacturer .....: ZeitControl Serial number ....: 0000012E Name of cardholder: Test User Language prefs ...: en Sex ..............: unspecified URL of public key : [not set] Login data .......: [not set] Private DO 1 .....: [not set] Private DO 2 .....: [not 
set]
Signature PIN ....: not forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
gpg: DBG: ccid-driver: PC_to_RDR_IccPowerOff:
gpg: DBG: ccid-driver:   dwLength ..........: 0
gpg: DBG: ccid-driver:   bSlot .............: 0
gpg: DBG: ccid-driver:   bSeq ..............: 21
gpg: DBG: ccid-driver:   [0007] 00 00 00
gpg: DBG: ccid-driver: RDR_to_PC_SlotStatus:
gpg: DBG: ccid-driver:   dwLength ..........: 0
gpg: DBG: ccid-driver:   bSlot .............: 0
gpg: DBG: ccid-driver:   bSeq ..............: 21
gpg: DBG: ccid-driver:   bStatus ...........: 1
gpg: DBG: ccid-driver:   bClockStatus ......: 0x01 (stopped-L)

-----------------------------

On Sep 30, 2009, at 11:06 PM, Werner Koch wrote:

> On Wed, 30 Sep 2009 13:51, talmage at orange.zero.jp said:
>
>> Has anyone gotten the Omnikey Cardman 3021 to work with the internal
>> drivers?
>
> That one does not work reliably with 2048 bit keys. The Windows driver
> seems to have a workaround for it and I tried to come up with a similar
> workaround. However the protocol analysis I did is not complete and we
> often get out of sync. Avoid Omnikey or ask them to explain how to
> correctly switch to and operate in TPDU mode.
>
>
> Salam-Shalom,
>
>    Werner
>
> --
> Thoughts are free. Exceptions are regulated by a federal law.
>

From tux.tsndcb at free.fr Sun Oct 4 17:51:18 2009
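The ccid-driver trace and the `--card-status` output in the message above (the one that ends with Werner's note on the Omnikey reader) can be decoded by hand, which is useful when a reader "gets out of sync" and you want to see exactly what crossed the wire. The Python below is an added example, not code from GnuPG or from the poster. It takes the 223-byte RDR_to_PC_DataBlock payload transcribed from the trace (bSeq 11, the reply to GET DATA `00 CA 00 6E 00`), checks the T=1 LRC, walks the BER-TLV data objects and reproduces the fields gpg prints (AID, version, manufacturer, serial number, key attributes, PIN lengths and retry counters). The manufacturer table is a hand-copied subset, and all function and constant names are my own.

```python
"""Decode the OpenPGP card 'application related data' (DO 6E) from the T=1
frame captured in the ccid-driver trace above, the way gpg --card-status
interprets it.  Added example; not code from GnuPG or from the original post."""
from typing import Dict, List, Tuple

# RDR_to_PC_DataBlock payload for bSeq 11 (reply to GET DATA 00 CA 00 6E 00),
# transcribed from the trace with the 10-byte CCID header dropped:
# NAD, PCB, LEN, 219 bytes of INF (DO 6E contents + SW 90 00), then the LRC.
T1_FRAME = bytes.fromhex("".join([
    "00 00 DB",
    "4F 10 D2 76 00 01 24 01 02 00 00 05 00 00 01 2E 00 00",   # 4F: AID
    "5F 52 0A 00 31 C5 73 C0 01 40 05 90 00",                  # 5F52: historical bytes
    "73 81 B7",                                                # 73: discretionary DOs
    "C0 0A 7C 00 08 00 08 00 08 00 08 00",                     # C0: extended capabilities
    "C1 06 01 08 00 00 20 00",                                 # C1: signature key attributes
    "C2 06 01 08 00 00 20 00",                                 # C2: decryption key attributes
    "C3 06 01 08 00 00 20 00",                                 # C3: authentication key attributes
    "C4 07 01 20 20 20 03 00 03",                              # C4: PW status bytes
    "C5 3C", "00" * 60,                                        # C5: three 20-byte fingerprints
    "C6 3C", "00" * 60,                                        # C6: three CA fingerprints
    "CD 0C", "00" * 12,                                        # CD: key generation dates
    "90 00",                                                   # SW1 SW2
    "14",                                                      # LRC
]))

# Subset of the manufacturer IDs GnuPG knows; 0x0005 is the one in this trace.
MANUFACTURERS = {0x0001: "PPC Card Systems", 0x0002: "Prism", 0x0003: "OpenFortress",
                 0x0004: "Wewid", 0x0005: "ZeitControl", 0x0006: "Yubico"}


def lrc(data: bytes) -> int:
    """T=1 longitudinal redundancy check: XOR of all prologue and INF bytes."""
    x = 0
    for b in data:
        x ^= b
    return x


def t1_wrap(apdu: bytes, seq: int) -> bytes:
    """Build a T=1 I-block for an APDU; seq is the send-sequence bit N(S).
    The trace shows this bit flipping between 0x00 and 0x40 on consecutive commands."""
    pcb = 0x40 if seq & 1 else 0x00
    head = bytes([0x00, pcb, len(apdu)]) + apdu
    return head + bytes([lrc(head)])


def t1_unwrap(frame: bytes) -> bytes:
    """Check LEN and LRC of a received I-block and return its INF field."""
    if len(frame) < 4 or len(frame) != 3 + frame[2] + 1:
        raise ValueError("T=1 frame length does not match LEN")
    if lrc(frame[:-1]) != frame[-1]:
        raise ValueError("T=1 LRC mismatch (frame corrupted or out of sync)")
    if frame[1] & 0x80:
        raise ValueError("not an I-block")
    return frame[3:-1]


def parse_tlv(buf: bytes) -> List[Tuple[int, bytes]]:
    """Minimal BER-TLV walk: 1- or 2-byte tags (e.g. 5F52), short or 0x81/0x82 lengths."""
    out, i = [], 0
    while i < len(buf):
        tag = buf[i]
        i += 1
        if tag & 0x1F == 0x1F:            # low five bits set: tag continues in next byte
            tag = (tag << 8) | buf[i]
            i += 1
        length = buf[i]
        i += 1
        if length & 0x80:                 # long form: number of length bytes follows
            n = length & 0x7F
            length = int.from_bytes(buf[i:i + n], "big")
            i += n
        out.append((tag, buf[i:i + length]))
        i += length
    return out


def key_attr(attr: bytes) -> str:
    """Algorithm attributes DO: 01 = RSA, then modulus bits and exponent bits (big endian)."""
    if attr[0] == 0x01:
        return f"{int.from_bytes(attr[1:3], 'big')}R"   # gpg prints e.g. 2048R
    return f"algo {attr[0]}"


def card_status(frame: bytes) -> Dict[str, object]:
    """Reproduce the gpg --card-status fields from a DO 6E reply."""
    inf = t1_unwrap(frame)
    body, sw = inf[:-2], inf[-2:]
    if sw != b"\x90\x00":
        raise ValueError(f"card returned SW {sw.hex()}")
    top = dict(parse_tlv(body))
    disc = dict(parse_tlv(top[0x73]))
    aid = top[0x4F]
    manufacturer = int.from_bytes(aid[8:10], "big")
    pw = disc[0xC4]
    fprs = disc[0xC5]
    return {
        "aid": aid.hex().upper(),
        "version": f"{aid[6]:x}.{aid[7]:x}",          # BCD 02 00 -> "2.0"
        "manufacturer": MANUFACTURERS.get(manufacturer, f"unknown (0x{manufacturer:04X})"),
        "serial": aid[10:14].hex().upper(),
        "key_attributes": [key_attr(disc[t]) for t in (0xC1, 0xC2, 0xC3)],
        "sig_pin_forced": pw[0] == 0x00,               # 01 = PW1 stays valid for several signatures
        "max_pin_lengths": [b & 0x7F for b in pw[1:4]],
        "pin_retry_counters": list(pw[4:7]),           # PW1, reset code, PW3 (admin)
        "fingerprints": ["[none]" if not any(fprs[i:i + 20]) else fprs[i:i + 20].hex().upper()
                         for i in (0, 20, 40)],
    }


if __name__ == "__main__":
    for k, v in card_status(T1_FRAME).items():
        print(f"{k:<20}{v}")
    print(t1_wrap(bytes.fromhex("00CA006E00"), 1).hex())   # the bSeq 12 command from the trace
```

Running it prints the same AID `D27600012401020000050000012E0000`, version 2.0, ZeitControl, serial 0000012E, `2048R 2048R 2048R`, PIN lengths 32 32 32 and retry counters 3 0 3 that gpg reports above, and rebuilds the `00 40 05 00 CA 00 6E 00 E1` block sent as bSeq 12. The N(S) bit in the PCB (0x00 / 0x40) is the piece of T=1 state host and reader must agree on; a frame whose LRC does not verify, or whose sequence bit is unexpected, is what a driver sees when the two have drifted apart.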
From: tux.tsndcb at free.fr (tux.tsndcb at free.fr)
Date: Sun, 4 Oct 2009 17:51:18 +0200 (CEST)
Subject: Is it possible to have the same authentication key on several smartcard ?
In-Reply-To: <409331006.8198641254671410277.JavaMail.root@zimbra7-e1.priv.proxad.net>
Message-ID: <1866389316.8199091254671478154.JavaMail.root@zimbra7-e1.priv.proxad.net>

Hi Werner,

How do I generate an authentication key off-card? Because when I generate it by:

  gpg2 --edit-key commande
  > addkey
  RSA (sign only)

and then do a keytocard to the authentication slot, it shows up as a signing key (S) and not as an authentication key (A).

Thanks in advance for your answer.

Best Regards

----- Original Mail -----
From: "tux tsndcb"
To: "Werner Koch"
Cc: gnupg-users at gnupg.org
Sent: Thursday 24 September 2009 23:01:46 GMT +01:00 Amsterdam / Berlin / Berne / Rome / Stockholm / Vienna
Subject: Is it possible to have the same authentication key on several smartcard ?

Hi Werner,

I think I have the solution, could you confirm it please:

  gpg2 --edit-key commande
  > addkey
  RSA (sign only)

Thanks in advance for your answer

Best Regards

----- Original Mail -----
From: "tux tsndcb"
To: "Werner Koch"
Cc: gnupg-users at gnupg.org
Sent: Thursday 24 September 2009 22:44:01 GMT +01:00 Amsterdam / Berlin / Berne / Rome / Stockholm / Vienna
Subject: Is it possible to have the same authentication key on several smartcard ?

Hi Werner,

Sorry, but I need more information about it. I tried this:

  gpg2 --edit-key commande
  > genkey
  => invalid command

Maybe you meant addkey? But in that case, which choice: RSA (sign only) or RSA (encrypt only)?

Thanks in advance for this information and your answer.

Best Regards

----- Original Mail -----
From: "tux tsndcb"
To: "Werner Koch"
Cc: gnupg-users at gnupg.org
Sent: Wednesday 23 September 2009 14:45:37 GMT +01:00 Amsterdam / Berlin / Berne / Rome / Stockholm / Vienna
Subject: Is it possible to have the same authentication key on several smartcard ?

Hi Werner,

Many thanks for your answer, I will try it.

Best Regards

----- Original Mail -----
From: "Werner Koch"
To: "tux tsndcb"
Cc: gnupg-users at gnupg.org
Sent: Wednesday 23 September 2009 13:36:49 GMT +01:00 Amsterdam / Berlin / Berne / Rome / Stockholm / Vienna
Subject: Re: Is it possible to have the same authentication key on several smartcard ?

On Wed, 23 Sep 2009 11:46, tux.tsndcb at free.fr said:

> Is it possible to have the same authentication key on several smartcard ?

Yes. You need to generate the key off-card and then put it onto the card. Use gpg --edit-key and the subcommands genkey and keytocard for this.

> Is it possible to do an authentication key backup when it has been generated directly on a smartcard ?

No. An on-card generated key can't be extracted from the card (except for the public part of course).

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

_______________________________________________
Gnupg-users mailing list
Gnupg-users at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

From tux.tsndcb at free.fr Sun Oct 4 22:25:20 2009
From: tux.tsndcb at free.fr (tux.tsndcb at free.fr)
Date: Sun, 4 Oct 2009 22:25:20 +0200 (CEST)
Subject: Is it possible to have the same authentication key on several smartcard ?
In-Reply-To: <1866389316.8199091254671478154.JavaMail.root@zimbra7-e1.priv.proxad.net>
Message-ID: <905051996.8237171254687920639.JavaMail.root@zimbra7-e1.priv.proxad.net>

Hi Werner,

I answer my own question: in fact I need to use the expert mode to do that, sorry ...

Best Regards

----- Original Mail -----
From: "tux tsndcb"
To: "Werner Koch"
Cc: gnupg-users at gnupg.org
Sent: Sunday 4 October 2009 17:51:18 GMT +01:00 Amsterdam / Berlin / Berne / Rome / Stockholm / Vienna
Subject: Is it possible to have the same authentication key on several smartcard ?

Hi Werner,

How do I generate an authentication key off-card? Because when I generate it by:

  gpg2 --edit-key commande
  > addkey
  RSA (sign only)

and then do a keytocard to the authentication slot, it shows up as a signing key (S) and not as an authentication key (A).

Thanks in advance for your answer.

Best Regards

_______________________________________________
Gnupg-users mailing list
Gnupg-users at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

From simon at josefsson.org Mon Oct 5 08:52:48 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 05 Oct 2009 08:52:48 +0200
Subject: SHA2 in OpenPGP cards?
In-Reply-To: <87my4e56cn.fsf@vigenere.g10code.de> (Werner Koch's message of "Tue, 29 Sep 2009 13:38:00 +0200")
References: <87y6nykxbr.fsf@mocca.josefsson.org> <87my4e56cn.fsf@vigenere.g10code.de>
Message-ID: <8763aubadb.fsf@mocca.josefsson.org>

Werner Koch writes:

> On Tue, 29 Sep 2009 09:46, simon at josefsson.org said:
>> Hi! Before I spend time testing it, can the OpenPGP card support
>> RSA-SHA2 signatures?
>
> The v2 cards support any hash algorithm as long as they fit into pkcs#1.

When I attempt to generate a new key on the card with this in my ~/.gnupg/gpg.conf:

  personal-digest-preferences SHA256
  cert-digest-algo SHA256
  default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

I get this error:

  Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
  gpg: checking created signature failed: Bad signature
  gpg: signing failed: Bad signature
  gpg: make_keysig_packet failed: Bad signature
  Key generation failed: Bad signature

When I comment out the three lines above, it worked fine. Any ideas? GnuPG 2.0.13 from Debian.

/Simon

From JCochran at hearstnp.com Sat Oct 3 00:50:26 2009
From: JCochran at hearstnp.com (Cochran, Jason L)
Date: Fri, 2 Oct 2009 17:50:26 -0500
Subject: PHP Script
Message-ID:

http://www.phpclasses.org/browse/package/245.html

I got this working with the above code.

~ Jason
Midland Reporter Telegram
Direct: (432) 687-9011 (x 3111)
www.mywesttexas.com
From: Cochran, Jason L
Sent: Friday, October 02, 2009 5:21 PM
To: 'gnupg-users at gnupg.org'
Subject: PHP Script

I need help getting a script working. I am hosted with Hostgator. My key is in the cpanel. Yet I can't get php to work with it.

PHP_INFO: http://gator1028.hostgator.com/~mwtadmin/php_info.php
SCRIPT: http://gator1028.hostgator.com/~mwtadmin/pgp_test.php

Thanks!

===== pgp_test.php =====

~ Jason
Midland Reporter Telegram
Direct: (432) 687-9011 (x 3111)
www.mywesttexas.com

========================================================
This e-mail message is intended only for the personal use of the recipient(s) named above. If you are not an intended recipient, you may not review, copy or distribute this message. If you have received this communication in error, please notify the sender immediately by e-mail and delete the original message.
========================================================
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From JCochran at hearstnp.com Sat Oct 3 00:21:13 2009
From: JCochran at hearstnp.com (Cochran, Jason L)
Date: Fri, 2 Oct 2009 17:21:13 -0500
Subject: PHP Script
Message-ID:

I need help getting a script working. I am hosted with Hostgator. My key is in the cpanel. Yet I can't get php to work with it.

PHP_INFO: http://gator1028.hostgator.com/~mwtadmin/php_info.php
SCRIPT: http://gator1028.hostgator.com/~mwtadmin/pgp_test.php

Thanks!

===== pgp_test.php =====

~ Jason
Midland Reporter Telegram
Direct: (432) 687-9011 (x 3111)
www.mywesttexas.com

========================================================
This e-mail message is intended only for the personal use of the recipient(s) named above. If you are not an intended recipient, you may not review, copy or distribute this message. If you have received this communication in error, please notify the sender immediately by e-mail and delete the original message.
========================================================
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From jaylstein at yahoo.com Mon Oct 5 09:59:13 2009
From: jaylstein at yahoo.com (jason stein)
Date: Mon, 5 Oct 2009 00:59:13 -0700 (PDT)
Subject: configuring gpg to be executed via cgi
Message-ID: <349034.30628.qm@web38106.mail.mud.yahoo.com>

What steps must be taken to execute gpg from a (perl) web app? For this instance we will say we are using the Apache web server software.

Thanks
j
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From simon at josefsson.org Mon Oct 5 15:54:37 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 05 Oct 2009 15:54:37 +0200
Subject: SSH using OpenPGP card under Windows
Message-ID: <87hbuegd42.fsf@mocca.josefsson.org>

Has anyone managed to get this combination working?

There is a Putty extension but it appears to be non-free:
http://smartcard-auth.de/ssh-en.html

There is a free smartcard-enabled Putty:
http://www.joebar.ch/puttysc/

But it requires a PKCS#11 module -- I see on scute.org that it is possible to build for Windows, but are there any pre-compiled binaries available?

There seem to be some efforts in the OpenSC project to facilitate this, but there is also documentation that suggests smartcard with putty doesn't work perfectly.

Thanks,
/Simon

From ddurant at intevaproducts.com Mon Oct 5 18:07:52 2009
From: ddurant at intevaproducts.com (Durant, Dean)
Date: Mon, 5 Oct 2009 16:07:52 +0000
Subject: beginner type questions
Message-ID: <4FA18C2881FC5E4F8F6BF89B8C9919360286B4DE72@MBX1.EXCHPROD.USA.NET>

Hello, I noticed, on Windows (which I truly despise), when I type

  C:\Documents and Settings\me\Application Data\gnupg>gpg --gen-key

I get:

  gpg (GnuPG) 2.0.12; Copyright (C) 2009 Free Software Foundation, Inc.
  (add'l copyleft info)

  Please select what kind of key you want:
     (1) RSA and RSA (default)
     (2) DSA and Elgamal
     (3) DSA (sign only)
     (4) RSA (sign only)

On Ubuntu, I get these choices (the version of GPG is 2.0.9):

  Please select what kind of key you want:
     (1) DSA and Elgamal (default)
     (2) DSA (sign only)
     (5) RSA (sign only)

What is the difference? Isn't RSA better? I tried using apt-get to get the version on Linux up to the same version number as on Windows, and it wouldn't.

Once you generate a key, is it bound to the email address supplied during generation, so that, if someone else emails your key out, you won't be able to decrypt something encrypted to their email? Or is the email address completely uninvolved?

Thanks,
Dean

From rjh at sixdemonbag.org Mon Oct 5 19:54:41 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 05 Oct 2009 13:54:41 -0400
Subject: beginner type questions
In-Reply-To: <4FA18C2881FC5E4F8F6BF89B8C9919360286B4DE72@MBX1.EXCHPROD.USA.NET>
References: <4FA18C2881FC5E4F8F6BF89B8C9919360286B4DE72@MBX1.EXCHPROD.USA.NET>
Message-ID: <4ACA32E1.7000803@sixdemonbag.org>

Durant, Dean wrote:
> What is the difference? Isn't RSA better?

The differences are irrelevant to the overwhelming majority of users. Arguments about whether RSA or DSA are better pop up from time to time. These arguments have always struck me as being kind of like arguing over whether Godzilla or King Kong is better at urban destruction. Maybe you like Godzilla, maybe I like King Kong, but at the end of the day either one of them will get the job done in style.

> I tried using apt-get to get the version on linux up to the same
> version # on windows, and it wouldn't.

This is expected. New versions of GnuPG are being released all the time. Most releases offer very, /very/ small improvements over what came before. Ubuntu keeps track of what's changed in GnuPG since 2.0.9 was released. If something major was added or a security bug was fixed, Ubuntu will modify their version of GnuPG appropriately. Otherwise, Ubuntu's policy is generally, "wait until late October for Karmic Koala to come out, and that will have the latest version of everything you want."

> Or is the email address completely uninvolved?

Uninvolved. The email addresses exist to make the keys easier for human beings to use. By and large, the computer doesn't use the User ID at all. :)

From jmoore3rd at bellsouth.net Mon Oct 5 22:02:35 2009
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Mon, 05 Oct 2009 16:02:35 -0400
Subject: beginner type questions
In-Reply-To: <4FA18C2881FC5E4F8F6BF89B8C9919360286B4DE72@MBX1.EXCHPROD.USA.NET>
References: <4FA18C2881FC5E4F8F6BF89B8C9919360286B4DE72@MBX1.EXCHPROD.USA.NET>
Message-ID: <4ACA50DB.2000004@bellsouth.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Durant, Dean wrote:
> Hello, I noticed, on windows (which I truly despise), when I type
>
> C:\Documents and Settings\me\Application Data\gnupg>gpg --gen-key
>
> I get:
>
> gpg (GnuPG) 2.0.12; Copyright (C) 2009 Free Software Foundation, Inc.
> (add'l copyleft info)
>
> Please select what kind of key you want:
>    (1) RSA and RSA (default)
>    (2) DSA and Elgamal
>    (3) DSA (sign only)
>    (4) RSA (sign only)
>
> on ubuntu, I get these choices (the version of GPG is 2.0.9):
> Please select what kind of key you want:
>
>    (1) DSA and Elgamal (default)
>    (2) DSA (sign only)
>    (5) RSA (sign only)
>
> What is the difference? Isn't RSA better?

Robert's answer was accurate but I'm not sure it was the answer to the question You were asking. Between versions 2.0.9 & 2.0.12 the Default for Key Generation was changed. This change is viewed as minor by many, which apparently includes the Ubuntu developers. :)

The reason the Default was changed was to make better use of available Hash functions. DSA Signing Keys are limited to 160-bit Hashes unless DSA2 is invoked; RSA Signing Keys can utilize all the Hash functions without any 'games' being played. To eliminate any confusion in the future, and based upon the number of folks who eventually migrated away from DSA Keys to RSA Keys due to personal perceptions, the Default was changed to RSA. Additionally, in the very beginning RSA was encumbered by patents which have now expired.

You can easily work around this in Ubuntu at present by selecting option 5 and then generating an RSA Encryption sub-Key.

HTH

JOHN ;)
Timestamp: Monday 05 Oct 2009, 16:02 -0400 (Eastern Daylight Time)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Public Key at: http://tinyurl.com/8cpho
Comment: Gossamer Spider Web of Trust: http://www.gswot.org
Comment: Personal Web Page: http://tinyurl.com/yzhbhx

iQEcBAEBCgAGBQJKylDaAAoJEBCGy9eAtCsPdPgIAI/SfIwVc2RVR8I8lhBcem8s
vJzcAz+gZ41vH0afLPRo3RbUmJbxhkzX2qxPZ8w8mH4csTSIAfCtdlG9h+sqXWK/
HB8Hxxk1zVahPSqHo8i5PT//cSM1SMES5K5dw9dFZrCO0IcQZwy81MDxJt6sw7cK
mxCO89fZVC1PpPgh352jWh1DUKqvQ1K5hok8zAzvQvdKimWfoG7K2sRXMuvDfn30
6F6+kWCGEzM3C+oMqEhLXAqhQl1FCfv4slyfmZUhHLc8Q30RJy3R4gIYpigVl0h0
pP5ZQy01SqklRBxg1naWBx/rVAUuWYdIiKnGXPVNf11GLA7mOMsZVIzXni6HYXU=
=ycQz
-----END PGP SIGNATURE-----

From rjh at sixdemonbag.org Mon Oct 5 23:33:38 2009
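Two remarks in this archive concern the same mechanism: Werner's "the v2 cards support any hash algorithm as long as it fits into pkcs#1" (quoted in Simon Josefsson's SHA2 thread above) and John's point that DSA signing keys are limited to 160-bit hashes unless DSA2 is used. The Python below is an added example, not code from either poster, from GnuPG or from the card firmware. It builds the PKCS#1 v1.5 DigestInfo that the host hands to an RSA signer and checks whether it fits a given modulus, and it shows the FIPS 186-3 truncation that makes a wider hash pointless for DSA with a 160-bit q. The helper names are mine; the OIDs are the standard ones from RFC 4880 section 5.2.2.

```python
"""How a hash is carried into an OpenPGP signature for RSA versus DSA.
Added example; not code from GnuPG, from the posters, or from the OpenPGP card."""
import hashlib
from typing import Dict

# Hash OIDs used inside the PKCS#1 v1.5 DigestInfo (RFC 4880 section 5.2.2, RFC 8017).
HASH_OIDS: Dict[str, str] = {
    "sha1":   "1.3.14.3.2.26",
    "sha224": "2.16.840.1.101.3.4.2.4",
    "sha256": "2.16.840.1.101.3.4.2.1",
    "sha384": "2.16.840.1.101.3.4.2.2",
    "sha512": "2.16.840.1.101.3.4.2.3",
}


def der(tag: int, content: bytes) -> bytes:
    """DER TLV with short or long-form length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + content


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return der(0x06, bytes(body))


def digest_info(hash_name: str, digest: bytes) -> bytes:
    """DigestInfo = SEQUENCE { SEQUENCE { OID, NULL }, OCTET STRING digest }.
    For an OpenPGP v2 card this is the PSO:CDS input; the card adds the padding."""
    alg = der(0x30, encode_oid(HASH_OIDS[hash_name]) + b"\x05\x00")
    return der(0x30, alg + der(0x04, digest))


def emsa_pkcs1_v15(hash_name: str, digest: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 DigestInfo, k = modulus length in bytes.
    'Fits into PKCS#1' means len(DigestInfo) <= k - 11 (at least 8 bytes of FF padding)."""
    t = digest_info(hash_name, digest)
    if len(t) > k - 11:
        raise ValueError(f"{hash_name} DigestInfo ({len(t)} bytes) too long for a {8 * k}-bit modulus")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def dsa_hash_input(digest: bytes, q_bits: int) -> int:
    """FIPS 186-3 section 4.6: DSA signs only the leftmost min(N, outlen) bits of the hash,
    N being the bit length of q.  With a 160-bit q, a SHA-256 digest is cut to 160 bits."""
    out_bits = 8 * len(digest)
    used = min(q_bits, out_bits)
    return int.from_bytes(digest, "big") >> (out_bits - used)


def hash_bits_signed(hash_name: str, q_bits: int) -> int:
    """How many bits of the digest a DSA key whose q has q_bits actually covers."""
    return min(q_bits, 8 * hashlib.new(hash_name).digest_size)


if __name__ == "__main__":
    d = hashlib.sha256(b"message").digest()
    print(digest_info("sha256", d).hex())
    print(len(emsa_pkcs1_v15("sha256", d, 256)), "byte encoded message for RSA-2048")
    print(hash_bits_signed("sha256", 160), "bits of SHA-256 used by DSA with q = 160")
    print(hash_bits_signed("sha256", 256), "bits used by DSA2 with q = 256")
```

With a 2048-bit RSA key (k = 256) even the SHA-512 DigestInfo, 83 bytes, is far below the k - 11 limit, so the digest choice is not what constrains an RSA card key. For DSA the digest is cut to the width of q, so a `personal-digest-preferences SHA256` setting only buys anything on a DSA2 key with a 256-bit q or on an RSA key, which is the reason John gives for the changed default.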
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 05 Oct 2009 17:33:38 -0400
Subject: email hashes in PGP keys as protection against spam
In-Reply-To: <200910052302.40020.mailinglisten@hauke-laging.de>
References: <200910050409.00014.mailinglisten@hauke-laging.de> <200910052027.01509.mailinglisten@hauke-laging.de> <4ACA45A2.6020702@sixdemonbag.org> <200910052302.40020.mailinglisten@hauke-laging.de>
Message-ID: <4ACA6632.3000405@sixdemonbag.org>

Hauke Laging wrote:
> Maybe. But I would not call it science that you imply that harvesting
> from key servers will result in about the same amount of spam as pure
> address guessing by the spammers would.

Estimating how many email addresses are released to spammers via the keyservers is a black art. It has been attempted, though. See, e.g., John Clizbe's result.

For your proposal to work, you can never have an email address exposed. Ever. Anywhere. The instant you screw up and your email address gets out, the game is over. Soon a spammer will discover it. Within days all the spammers will have it, since spammers share email lists with each other. In the end, you haven't done anything to stop spam. All you've done is bought yourself a little time, and paid a very high price for it -- you've made it very difficult for people who want to talk to you to get in touch with you.

> Your point maybe. It seems a bit strange to me that you believe to be
> capable of calculating everyone's personal spam risk.

Objective reality is the same for everybody. The objective reality of the situation is that as soon as your email address gets exposed anywhere, spammers will get it. Closing off just one avenue of address collection is absurd; it's like facing a horde of army ants and thinking that just by stomping on one you're going to do something about the swarm.

> Because you want to decide for others what risks they have to take
> and which not. You may make fun of afraid flight passengers but
> nonetheless such assessments should be up to the user.

It already _is_ up to the user. Nobody forces you to put an email address on your key. You can leave it off if you want. If you're really that concerned about keyserver spam, then feel free. Be my guest. The protocol accommodates you.

But I think it's a very bad idea to start changing the protocol just to appease the phantom fears of a small number of users. Once you do that, then everyone who has a phantom fear will demand the protocol be changed to support them.

> Snake-oil refers to fooling somebody. I don't do that.

You may be fooling yourself.

I have cc'd GnuPG-Users on this one. There doesn't appear to be anything in this thread that's related to ongoing GnuPG development, so continuing it on -devel seems inappropriate. Let's move it over there.

From wk at gnupg.org Tue Oct 6 10:01:58 2009
From: wk at gnupg.org (Werner Koch)
Date: Tue, 06 Oct 2009 10:01:58 +0200
Subject: SSH using OpenPGP card under Windows
In-Reply-To: <87hbuegd42.fsf@mocca.josefsson.org> (Simon Josefsson's message of "Mon, 05 Oct 2009 15:54:37 +0200")
References: <87hbuegd42.fsf@mocca.josefsson.org>
Message-ID: <877hv9rlvt.fsf@vigenere.g10code.de>

On Mon, 5 Oct 2009 15:54, simon at josefsson.org said:

> But it requires a PKCS#11 module -- I see on scute.org that
> it is possible to build for Windows, but are there any
> pre-compiled binaries available?

Scute is part of gpg4win 2.0.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Tue Oct 6 10:04:10 2009
From: wk at gnupg.org (Werner Koch)
Date: Tue, 06 Oct 2009 10:04:10 +0200
Subject: SSH using OpenPGP card under Windows
In-Reply-To: <87hbuegd42.fsf@mocca.josefsson.org> (Simon Josefsson's message of "Mon, 05 Oct 2009 15:54:37 +0200")
References: <87hbuegd42.fsf@mocca.josefsson.org>
Message-ID: <873a5xrls5.fsf@vigenere.g10code.de>

On Mon, 5 Oct 2009 15:54, simon at josefsson.org said:

> There is a free smartcard-enabled Putty:
> http://www.joebar.ch/puttysc/

I had in mind to change putty to optionally support gpg-agent - much the same as we do under Unix. However I had not enough time to work on it.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From simon at josefsson.org Tue Oct 6 10:44:19 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 06 Oct 2009 10:44:19 +0200
Subject: SSH using OpenPGP card under Windows
In-Reply-To: <877hv9rlvt.fsf@vigenere.g10code.de> (Werner Koch's message of "Tue, 06 Oct 2009 10:01:58 +0200")
References: <87hbuegd42.fsf@mocca.josefsson.org> <877hv9rlvt.fsf@vigenere.g10code.de>
Message-ID: <87zl84ewt8.fsf@mocca.josefsson.org>

Werner Koch writes:

> On Mon, 5 Oct 2009 15:54, simon at josefsson.org said:
>
>> But it requires a PKCS#11 module -- I see on scute.org that
>> it is possible to build for Windows, but are there any
>> pre-compiled binaries available?
>
> Scute is part of gpg4win 2.0.

Great. I'm trying to use it with PuttySC's 'pprint' and it says:

  scute-assuan[2756]: can't create socket: Function not implemented
  scute-assuan[2756]: can't create socket: Function not implemented
  sc: C_initialize failed

Running gpg-agent says it is running and available. Running 'gpg --card-status' works.

Any ideas?

/Simon
From tux.tsndcb at free.fr Thu Oct 8 19:46:18 2009
From: tux.tsndcb at free.fr (tux.tsndcb at free.fr)
Date: Thu, 8 Oct 2009 19:46:18 +0200 (CEST)
Subject: How to enable the reader's keypad
In-Reply-To: <260434015.8967331255022686060.JavaMail.root@zimbra7-e1.priv.proxad.net>
Message-ID: <1390349622.8969821255023978322.JavaMail.root@zimbra7-e1.priv.proxad.net>

Hi,

I'm using gnupg2 2.0.13 (with libccid on my debian) and a smartcard reader with keypad, but the PIN code is always asked for on my desktop, not on the reader.

In my scdaemon.conf I do not have disable-keypad.

So how to do this?

Thanks in advance for your answer.

Best regards

From David.Gray at turpin-distribution.com Fri Oct 9 13:47:07 2009
From: David.Gray at turpin-distribution.com (David Gray)
Date: Fri, 9 Oct 2009 12:47:07 +0100
Subject: Testing the exit status
Message-ID: <33CE89420E3A834A82E48C2C747A7061029239AE@HERMES.turpin-bg.local>

Hi,

Does GPG return different status codes when it exits? I'm specifically looking for different types of error, such as file not found, key not found, invalid passphrase etc. I'm using the Windows version if that makes any difference.

Rgds

Dave

Registered Office: Turpin Distribution Services Ltd, Pegasus Drive, Stratton Business Park, Biggleswade, Bedfordshire, SG18 8TQ, UK.
***** Registered in England No. 1331778 *****
This email may contain confidential information and/or copyright material. This email is intended for the use of the addressee only. Any unauthorised use may be unlawful. If you receive this email by mistake, please advise the sender immediately by using the reply facility in your email software.

From awingnut at hotmail.com Fri Oct 9 17:40:39 2009
From: awingnut at hotmail.com (gw1500se)
Date: Fri, 9 Oct 2009 08:40:39 -0700 (PDT)
Subject: Network Mounted Home Directory and removal of --passphrase option
In-Reply-To: <87ab0irnpj.fsf@vigenere.g10code.de>
References: <25510161.post@talk.nabble.com> <87ab0irnpj.fsf@vigenere.g10code.de>
Message-ID: <25823176.post@talk.nabble.com>

Werner Koch wrote:
>
> Well, it is available for 6 years and GnuPG 2.0 was released 3 years
> ago. Gpg-agent is not optional but a cornerstone of GnuPG-2.
>
> To let us help you fixing your installation, you should give us a bit
> more detailed information and exact error messages.
>
> Salam-Shalom,
>
> Werner

Thanks for the reply. I admit I am behind but as there were no problems there was no real need to change GPG. As I said in the original message I believe the problem is associated with the way the agent determines the path for the .gnupg directory if the user's home is auto-mounted via Open Directory. The specific error is:

gpg-agent[6675]: error binding socket to '/Network/Servers/xxxxxx.xxxxxxxx.com/Volumes/USER1/Users-home/xxxxxxx/.gnupg/S.gpg-agent': Operation not supported

While that path is perfectly valid ($HOME) I have never been able to get it to work with anything for unknown reasons. The path that I believe would work is '/Volumes/USER1/Users-home/xxxxxxx/.gnupg/S.gpg-agent'. However, the best path would be '~xxxxxxx/.gnupg/S.gpg-agent'.

From wk at gnupg.org Sat Oct 10 16:14:09 2009
From: wk at gnupg.org (Werner Koch)
Date: Sat, 10 Oct 2009 16:14:09 +0200
Subject: Testing the exit status
In-Reply-To: <33CE89420E3A834A82E48C2C747A7061029239AE@HERMES.turpin-bg.local> (David Gray's message of "Fri, 9 Oct 2009 12:47:07 +0100")
References: <33CE89420E3A834A82E48C2C747A7061029239AE@HERMES.turpin-bg.local>
Message-ID: <87ws33qqtq.fsf@vigenere.g10code.de>

On Fri, 9 Oct 2009 13:47, David.Gray at turpin-distribution.com said:

> Does GPG return different status codes when it exits?
> I'm specifically looking for different types of error, such
> as file not found, key not found, invalid passphrase etc.

This would not be reliable. There are just too many stati to map them to exit codes. What you need to do is to use the status lines (--status-fd N) - or just go with gpgme.

Shalom-Salam,

Werner

From hs2412 at gmail.com Sat Oct 10 19:37:48 2009
From: hs2412 at gmail.com (Hardeep Singh)
Date: Sat, 10 Oct 2009 23:07:48 +0530
Subject: beginner type questions
In-Reply-To: <4FA18C2881FC5E4F8F6BF89B8C9919360286B4DE72@MBX1.EXCHPROD.USA.NET>
References: <4FA18C2881FC5E4F8F6BF89B8C9919360286B4DE72@MBX1.EXCHPROD.USA.NET>
Message-ID:

try gpg --gen-key --expert

Hardeep Singh
http://blog.Hardeep.name

On Mon, Oct 5, 2009 at 9:37 PM, Durant, Dean wrote:
> Hello, I noticed, on windows (which I truly despise), when I type
>
> C:\Documents and Settings\me\Application Data\gnupg>gpg --gen-key
>
> I get:
>
> gpg (GnuPG) 2.0.12; Copyright (C) 2009 Free Software Foundation, Inc. (add'l copyleft info)
>
> Please select what kind of key you want:
>   (1) RSA and RSA (default)
>   (2) DSA and Elgamal
>   (3) DSA (sign only)
>   (4) RSA (sign only)
>
> on ubuntu, I get these choices (the version of GPG is 2.0.9):
> Please select what kind of key you want:
>
> (1) DSA and Elgamal (default)
> (2) DSA (sign only)
> (5) RSA (sign only)
>
> What is the difference?  Isn't RSA better?
>
> I tried using apt-get to get the version on linux up to the same version # on windows, and it wouldn't.
>
> Once you generate a key, is it bound to the email address supplied during generation, so that, if someone else emails your key out, you won't be able to decrypt something encrypted to their email?  Or is the email address completely uninvolved?
>
> Thanks, Dean
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

From mcse83 at hotmail.com Sun Oct 11 15:37:46 2009
From: mcse83 at hotmail.com (Sean Wilson)
Date: Sun, 11 Oct 2009 14:37:46 +0100
Subject: OpenPGP error
Message-ID:

Why is it when I sign an email and someone replies to it I sometimes get the following error:

Part of the message signed; click on 'Details' button for more information

in the details it says:

OpenPGP Security Info

Error - signature verification failed

gpg command line and output:
C:\Program Files\GNU\GnuPG\gpg.exe
gpg: Signature made 10/11/09 14:13:48 using RSA key ID xxxxxx
gpg: BAD signature from "Sean Wilson "

Why does this happen?

If I send an email between two different email accounts and I sign it, then reply I NEVER get a broken signature so why does this happen when other people reply to my emails?

Thank you!

From mlisten at hammernoch.net Sun Oct 11 16:01:13 2009
From: mlisten at hammernoch.net (Ludwig Hügelschäfer)
Date: Sun, 11 Oct 2009 16:01:13 +0200
Subject: OpenPGP error
In-Reply-To:
References:
Message-ID: <4AD1E529.7050506@hammernoch.net>

Hi,

Sean Wilson wrote on 11.10.09 15:37:

> Why is it when I sign an email and someone replies to it I sometimes get
> the following error:
>
> Part of the message signed; click on 'Details' button for more information
>
> in the details it says:
>
> OpenPGP Security Info
>
> Error - signature verification failed
>
> gpg command line and output:
> C:\Program Files\GNU\GnuPG\gpg.exe
> gpg: Signature made 10/11/09 14:13:48 using RSA key ID xxxxxx
> gpg: BAD signature from "Sean Wilson "
>
> Why does this happen?
>
> If I send an email between two different email accounts and I sign it,
> then reply I NEVER get a broken signature so why does this happen when
> other people reply to my emails?

You're using in-line signatures, the recipient does not use gnupg and cites your mail when replying, isn't it? In this case, the following is happening: he/she is citing your mail including the signature. Enigmail tries to verify it, but due to the insertion of citation marks, e.g. "> " at the beginning of the lines, your original message is modified, so the signature is broken.

It doesn't make much sense to sign messages to recipients who can't verify it. If your recipient is using enigmail, it will strip your signature upon replying.

HTH

Ludwig

From jmoore3rd at bellsouth.net Sun Oct 11 18:11:20 2009
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Sun, 11 Oct 2009 12:11:20 -0400
Subject: OpenPGP error
In-Reply-To:
References:
Message-ID: <4AD203A8.4040204@bellsouth.net>

Sean Wilson wrote:
> Why is it when I sign an email and someone replies to it I sometimes get
> the following error:
>
> Part of the message signed; click on 'Details' button for more information
>
> in the details it says:
>
> OpenPGP Security Info
>
> Error - signature verification failed
>
> gpg command line and output:
> C:\Program Files\GNU\GnuPG\gpg.exe
> gpg: Signature made 10/11/09 14:13:48 using RSA key ID xxxxxx
> gpg: BAD signature from "Sean Wilson "
>
> Why does this happen?

Oftentimes, the individual replying to You uses a Mail Client that doesn't strip off Your prior Signature armor block and neither do they do so manually. [far too many folks _never_ clean their replies] When GPG encounters the Signature Block embedded in the Reply it 'stumbles' and refuses to verify it.

JOHN ;)
Timestamp: Sunday 11 Oct 2009, 12:11 --400 (Eastern Daylight Time)

From jdever at triad.rr.com Mon Oct 12 05:50:58 2009
From: jdever at triad.rr.com (Jim Dever)
Date: Sun, 11 Oct 2009 23:50:58 -0400
Subject: Key types
Message-ID: <4AD2A7A2.60201@triad.rr.com>

Just a quick question:

Are there any caveats I should be aware of if I generate an RSA signing key with an Elgamal encryption subkey?

--
Jim

From rjh at sixdemonbag.org Mon Oct 12 07:39:11 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 12 Oct 2009 01:39:11 -0400
Subject: Key types
In-Reply-To: <4AD2A7A2.60201@triad.rr.com>
References: <4AD2A7A2.60201@triad.rr.com>
Message-ID: <4AD2C0FF.902@sixdemonbag.org>

Jim Dever wrote:
> Are there any caveats I should be aware of if I generate an RSA
> signing key with an Elgamal encryption subkey?

No.

From David.Gray at turpin-distribution.com Mon Oct 12 11:29:00 2009
From: David.Gray at turpin-distribution.com (David Gray)
Date: Mon, 12 Oct 2009 10:29:00 +0100
Subject: Testing the exit status
In-Reply-To: <87ws33qqtq.fsf@vigenere.g10code.de>
References: <33CE89420E3A834A82E48C2C747A7061029239AE@HERMES.turpin-bg.local> <87ws33qqtq.fsf@vigenere.g10code.de>
Message-ID: <33CE89420E3A834A82E48C2C747A7061029239AF@HERMES.turpin-bg.local>

Hi,

Thanks for the input. Can you tell me what the numeric arguments are for status-fd? I've downloaded the source for GPG and looked at the doc/DETAILS file but on Windows this is unreadable. Also it seems as if gpgme is not available for Windows, is this correct?

I'm running GPG from a C# application using the Process class. If I understand correctly then you are suggesting I use status-fd to redirect to a file and then open this to interrogate the results.

Thanks & regards

Dave

From David.Gray at turpin-distribution.com Mon Oct 12 11:56:40 2009
From: David.Gray at turpin-distribution.com (David Gray)
Date: Mon, 12 Oct 2009 10:56:40 +0100
Subject: gpgme on Windows
Message-ID: <33CE89420E3A834A82E48C2C747A7061029239B1@HERMES.turpin-bg.local>

Hi all,

Been doing some searching this morning to see if gpgme is available for Windows and can be used commercially. Is anyone using this product on Windows under .net 3.5 (C#) that can give advice? Also does anyone know where the Windows download site is?

Thanks in advance

Dave

From wk at gnupg.org Mon Oct 12 11:59:40 2009
From: wk at gnupg.org (Werner Koch)
Date: Mon, 12 Oct 2009 11:59:40 +0200
Subject: Testing the exit status
In-Reply-To: <33CE89420E3A834A82E48C2C747A7061029239AF@HERMES.turpin-bg.local> (David Gray's message of "Mon, 12 Oct 2009 10:29:00 +0100")
References: <33CE89420E3A834A82E48C2C747A7061029239AE@HERMES.turpin-bg.local> <87ws33qqtq.fsf@vigenere.g10code.de> <33CE89420E3A834A82E48C2C747A7061029239AF@HERMES.turpin-bg.local>
Message-ID: <87zl7xorub.fsf@vigenere.g10code.de>

On Mon, 12 Oct 2009 11:29, David.Gray at turpin-distribution.com said:

> Can you tell me what the numeric arguments are for status-fd?

That is the file descriptor on which output should happen. Usually you would use --status-fd 2 to output to stderr; however you can use arbitrary file descriptors.

> I've downloaded the source for GPG and looked at the doc/DETAILS
> file but on Windows this is unreadable.

Read it in an editor (e.g. notepad). As with all code we use Unix line endings (LF) and not Windows line endings (CR,LF).

> Also it seems as if gpgme is not available for Windows, is this correct?

It is available for Windows. Simply install gpg4win (the light version is sufficient) and you find the gpgme dll in the install directory. libgpgme-11.dll is the native one, libgpgme-glib-11.dll is the one to use with GLIB based software and libgpgme-qt-11.dll the one to use with QT based software. Note that the file gpgme-w32spawn.exe must be in the same directory as the DLL. The header file is identical for Unix and Windows, a manual is online at http://gnupg.org/documentation/manuals.en.html .

> I'm running GPG from a C# application using the Process class. If I
> understand

There is a C# wrapper for GPGME as well, please use a search machine to locate it.

> correctly then you are suggesting I use status-fd to redirect to a file
> and then
> open this to interrogate the results.

No, you need to use pipes for that.

Salam-Shalom,

Werner
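Werner's advice above (read the status lines, not the exit code) as an added example in Python; this is not GnuPG project code. It uses --status-fd 2 so the status lines share stderr with gpg's human messages and the parser has to filter them; the sample stderr texts are constructed, their key IDs are placeholders, and run_gpg() assumes a gpg binary on PATH.

```python
"""Reduce gpg's machine-readable status lines (--status-fd) to an outcome.
Added example, not GnuPG project code. The samples at the bottom are constructed
and their key IDs are placeholders; run_gpg() assumes `gpg` on PATH."""
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

STATUS_PREFIX = "[GNUPG:] "

# Status keywords that decide the outcome; everything else is informational.
FAILURES = {
    "BADSIG": "bad signature",
    "ERRSIG": "signature could not be checked",
    "NO_PUBKEY": "signer's public key is not in the keyring",
    "NO_SECKEY": "no matching secret key",
    "BAD_PASSPHRASE": "wrong passphrase",
    "DECRYPTION_FAILED": "decryption failed",
    "NODATA": "no OpenPGP data found",
}
SUCCESSES = {"GOODSIG", "DECRYPTION_OKAY"}
# Keywords whose first argument is a key ID worth recording.
KEYID_FIRST = {"GOODSIG", "BADSIG", "ERRSIG", "NO_PUBKEY", "NO_SECKEY", "ENC_TO"}


@dataclass
class Outcome:
    ok: bool = False
    reason: Optional[str] = None   # first failure seen, if any
    trust: Optional[str] = None    # UNDEFINED, NEVER, MARGINAL, FULLY, ULTIMATE
    keyids: List[str] = field(default_factory=list)
    status: List[Tuple[str, List[str]]] = field(default_factory=list)


def parse_status(stream: str) -> Outcome:
    """Keep only the [GNUPG:] lines of a stream (stderr when --status-fd 2 is
    used, so human messages are interleaved) and reduce them to an Outcome.
    The free-text 'gpg: ...' lines are skipped: their wording is not stable."""
    out = Outcome()
    for raw in stream.splitlines():
        if not raw.startswith(STATUS_PREFIX):
            continue
        fields = raw[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        out.status.append((keyword, args))
        if keyword in FAILURES and out.reason is None:
            out.reason = FAILURES[keyword]
        if keyword.startswith("TRUST_"):
            out.trust = keyword[len("TRUST_"):]
        if keyword in KEYID_FIRST and args:
            out.keyids.append(args[0])
    # A run succeeds only if something positive happened and nothing failed.
    out.ok = out.reason is None and any(k in SUCCESSES for k, _ in out.status)
    return out


def signer_is_trusted(outcome: Outcome) -> bool:
    """GOODSIG only says the signature matches the key; the TRUST_* line says
    whether that key is valid in your web of trust. Require both."""
    return outcome.ok and outcome.trust in ("FULLY", "ULTIMATE")


def run_gpg(args: List[str], gpg: str = "gpg") -> Tuple[int, bytes, Outcome]:
    """Run gpg with status lines merged into stderr (--status-fd 2), which needs
    no extra pipe and so behaves the same on Windows. Not called at import."""
    proc = subprocess.run([gpg, "--batch", "--status-fd", "2", *args],
                          capture_output=True)
    return proc.returncode, proc.stdout, parse_status(
        proc.stderr.decode("utf-8", "replace"))


# Constructed samples of what lands on stderr with --status-fd 2.
BADSIG_SAMPLE = """\
gpg: Signature made 10/11/09 14:13:48 using RSA key ID 0123ABCD
[GNUPG:] BADSIG 0123ABCD Sean Wilson <sean@example.invalid>
gpg: BAD signature from "Sean Wilson <sean@example.invalid>"
"""
GOODSIG_SAMPLE = """\
[GNUPG:] GOODSIG 0123ABCD Sean Wilson <sean@example.invalid>
gpg: Good signature from "Sean Wilson <sean@example.invalid>"
[GNUPG:] TRUST_UNDEFINED
gpg: WARNING: This key is not certified with a trusted signature!
"""
BAD_PASSPHRASE_SAMPLE = """\
[GNUPG:] ENC_TO 89ABCDEF01234567 16 0
[GNUPG:] BAD_PASSPHRASE 89ABCDEF01234567
[GNUPG:] DECRYPTION_FAILED
gpg: decryption failed: bad passphrase
"""

if __name__ == "__main__":
    for name, sample in [("bad signature", BADSIG_SAMPLE),
                         ("good signature", GOODSIG_SAMPLE),
                         ("bad passphrase", BAD_PASSPHRASE_SAMPLE)]:
        o = parse_status(sample)
        print(f"{name}: ok={o.ok} reason={o.reason} trust={o.trust} "
              f"keyids={o.keyids} trusted_signer={signer_is_trusted(o)}")
```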
From dshaw at jabberwocky.com Mon Oct 12 14:26:46 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 12 Oct 2009 08:26:46 -0400
Subject: Key types
In-Reply-To: <4AD2A7A2.60201@triad.rr.com>
References: <4AD2A7A2.60201@triad.rr.com>
Message-ID:

On Oct 11, 2009, at 11:50 PM, Jim Dever wrote:

> Just a quick question:
>
> Are there any caveats I should be aware of if I generate an RSA
> signing key with an Elgamal encryption subkey?

No caveats. In fact, my own key is exactly that.

David

From ciprian.craciun at gmail.com Mon Oct 12 13:58:04 2009
From: ciprian.craciun at gmail.com (Ciprian Dorin, Craciun)
Date: Mon, 12 Oct 2009 14:58:04 +0300
Subject: gpg-agent --daemon running in foreground
Message-ID: <8e04b5820910120458o10f91a2ex8ad0f1361b96dd9d@mail.gmail.com>

Hello all!

I'm facing the following problem: I need to run gpg-agent, but without it going into the background. Is there any solution to this one?

Thanks,
Ciprian.

From dshaw at jabberwocky.com Mon Oct 12 15:08:50 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 12 Oct 2009 09:08:50 -0400
Subject: gpg-agent --daemon running in foreground
In-Reply-To: <8e04b5820910120458o10f91a2ex8ad0f1361b96dd9d@mail.gmail.com>
References: <8e04b5820910120458o10f91a2ex8ad0f1361b96dd9d@mail.gmail.com>
Message-ID:

On Oct 12, 2009, at 7:58 AM, Ciprian Dorin, Craciun wrote:

> Hello all!
>
> I'm facing the following problem: I need to run gpg-agent, but
> without it going into the background. Is there any solution to this one?

I'm not sure exactly what you're trying to do, but you can run gpg-agent without it backgrounding by leaving off the "--daemon" option.

David

From ciprian.craciun at gmail.com Mon Oct 12 15:57:49 2009
From: ciprian.craciun at gmail.com (Ciprian Dorin, Craciun)
Date: Mon, 12 Oct 2009 16:57:49 +0300
Subject: gpg-agent --daemon running in foreground
In-Reply-To:
References: <8e04b5820910120458o10f91a2ex8ad0f1361b96dd9d@mail.gmail.com>
Message-ID: <8e04b5820910120657i580249a9v2a46f7233be2738@mail.gmail.com>

On Mon, Oct 12, 2009 at 4:08 PM, David Shaw wrote:
> On Oct 12, 2009, at 7:58 AM, Ciprian Dorin, Craciun wrote:
>
>>   Hello all!
>>
>>   I'm facing the following problem: I need to run gpg-agent, but
>> without it going into the background. Is there any solution to this one?
>
> I'm not sure exactly what you're trying to do, but you can run gpg-agent
> without it backgrounding by leaving off the "--daemon" option.
>
> David

So I have the following situation: I want to be able to run gpg-agent inside a runsv process (part of runit package), that monitors the process, and in case it breaks, it shall restart it. Unfortunately gpg-agent forks into background, and thus I cannot monitor if it's running from inside runsv.

Thus I need to make gpg-agent behave just like `gpg-agent --server` (not forking into background), but using the sockets (just like --daemon).

Anyway, I've modified the latest source code (2.0.13), file agent/gpg-agent.c, to add another option --daemon-fg, that shall not fork in background. (The patch is attached.) (I'm not very proud of the patch but it does the job. Hope I've not broken anything... :) )

So I would like to ask the maintainer of gpg-agent to look upon it, and either include it, or (if time allows him) provide such an option.

Thanks,
Ciprian.

-------------- next part --------------
diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c index 2e81567..ac2dfdb 100644 --- a/agent/gpg-agent.c +++ b/agent/gpg-agent.c @@ -74,6 +74,7 @@ enum cmd_and_opt_values oLogFile, oServer, oDaemon, + oDaemonFg, oBatch, oPinentryProgram,
@@ -120,6 +121,7 @@ static ARGPARSE_OPTS opts[] = { { oServer, "server", 0, N_("run in server mode (foreground)") }, { oDaemon, "daemon", 0, N_("run in daemon mode (background)") }, + { oDaemonFg, "daemon-fg", 0, N_("run in daemon mode (foreground)") }, { oVerbose, "verbose", 0, N_("verbose") }, { oQuiet, "quiet", 0, N_("be somewhat more quiet") }, { oSh, "sh", 0, N_("sh-style command output") }, @@ -743,6 +745,7 @@ main (int argc, char **argv ) case oSh: csh_style = 0; break; case oServer: pipe_server = 1; break; case oDaemon: is_daemon = 1; break; + case oDaemonFg: is_daemon = 2; break; case oDisplay: default_display = xstrdup (pargs.r.ret_str); break; case oTTYname: default_ttyname = xstrdup (pargs.r.ret_str); break; @@ -996,7 +999,10 @@ main (int argc, char **argv ) pid = getpid (); printf ("set GPG_AGENT_INFO=%s;%lu;1\n", socket_name, (ulong)pid); #else /*!HAVE_W32_SYSTEM*/ - pid = fork (); + if (is_daemon == 1) + pid = fork (); + else + pid = getpid (); if (pid == (pid_t)-1) { log_fatal ("fork failed: %s\n", strerror (errno) ); @@ -1007,7 +1013,8 @@ main (int argc, char **argv ) char *infostr, *infostr_ssh_sock, *infostr_ssh_pid; /* Close the socket FD. */ - close (fd); + if (is_daemon == 1) + close (fd); /* Note that we used a standard fork so that Pth runs in both the parent and the child. The pth_fork would 
@@ -1019,18 +1026,21 @@ main (int argc, char **argv ) right now and thus we restore it. That is not strictly necessary but some programs falsely assume a cleared signal mask. */ - if ( !pth_kill () ) - log_error ("pth_kill failed in forked process\n"); + if (is_daemon == 1) + if ( !pth_kill () ) + log_error ("pth_kill failed in forked process\n"); #ifdef HAVE_SIGPROCMASK - if (startup_signal_mask_valid) - { - if (sigprocmask (SIG_SETMASK, &startup_signal_mask, NULL)) - log_error ("error restoring signal mask: %s\n", - strerror (errno)); - } - else - log_info ("no saved signal mask\n"); + if (is_daemon == 1) { + if (startup_signal_mask_valid) + { + if (sigprocmask (SIG_SETMASK, &startup_signal_mask, NULL)) + log_error ("error restoring signal mask: %s\n", + strerror (errno)); + } + else + log_info ("no saved signal mask\n"); + } #endif /*HAVE_SIGPROCMASK*/ /* Create the info string: :: */ @@ -1090,6 +1100,10 @@ main (int argc, char **argv ) if (argc) { /* Run the program given on the commandline. */ + if (is_daemon != 1) { + log_error ("no command expected.\n"); + exit (1); + } if (putenv (infostr)) { log_error ("failed to set environment: %s\n", @@ -1128,7 +1142,7 @@ main (int argc, char **argv ) { /* Print the environment string, so that the caller can use shell's eval to set it */ - if (csh_style) + if (is_daemon == 1 && csh_style) { *strchr (infostr, '=') = ' '; printf ("setenv %s\n", infostr); @@ -1140,7 +1154,7 @@ main (int argc, char **argv ) printf ("setenv %s\n", infostr_ssh_pid); } } - else + else if (is_daemon == 1) { printf ( "%s; export GPG_AGENT_INFO;\n", infostr); if (opt.ssh_support) @@ -1155,7 +1169,8 @@ main (int argc, char **argv ) xfree (infostr_ssh_sock); xfree (infostr_ssh_pid); } - exit (0); + if (is_daemon == 1) + exit (0); } /*NOTREACHED*/ } /* End parent */ 
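Review bot: `case oDaemonFg: is_daemon = 2; break;` in the `@@ -743` hunk overloads `is_daemon` with a magic value that nothing documents, and every later `is_daemon == 1` test then silently means "daemon, but not foreground". A dedicated flag (say `daemon_fg`, a hypothetical name) set alongside `is_daemon = 1` would leave the existing daemon checks untouched and make the foreground-only branches easy to find.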
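Review bot: `pid = getpid ();` in the `@@ -996` hunk is the whole trick of the patch: a non-zero pid takes the parent branch, whose exits are then suppressed so control falls through into the former child code. That needs a comment at the assignment, since as written a reader assumes a fork still took place, and the `pid == (pid_t)-1` test directly below it is dead in that mode.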
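Review bot: the `if (is_daemon == 1) {` wrapped around the `#ifdef HAVE_SIGPROCMASK` block in the `@@ -1019` hunk puts the brace on the same line, unlike the surrounding GNU-style code, and the unbraced `if (is_daemon == 1) if ( !pth_kill () )` just above it is easy to misread; brace both in the file's style.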
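Review bot: the `log_error ("no command expected.\n"); exit (1);` check in the `@@ -1090` hunk runs only after the socket has been bound and the info strings built; validating `argc` against the new option during argument parsing would reject the combination before any of that setup happens.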
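Review bot: the `/*NOTREACHED*/` comment after the now conditional `exit (0)` in the `@@ -1155` hunk is wrong for foreground mode and should go. More important, with all three `printf` branches guarded by `is_daemon == 1` a foreground agent never announces GPG_AGENT_INFO, yet the info strings are still freed just above, so a supervisor such as the runsv described in the mail has no way to learn the socket path unless it was fixed in advance; the option's help text should say so, or the string should still be printed.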
@@ -1185,7 +1200,7 @@ main (int argc, char **argv ) } } } - if (setsid() == -1) + if (is_daemon == 1 && setsid() == -1) { log_error ("setsid() failed: %s\n", strerror(errno) ); cleanup ();

From David.Gray at turpin-distribution.com Mon Oct 12 17:46:20 2009
From: David.Gray at turpin-distribution.com (David Gray)
Date: Mon, 12 Oct 2009 16:46:20 +0100
Subject: Testing the exit status
In-Reply-To: <87zl7xorub.fsf@vigenere.g10code.de>
References: <33CE89420E3A834A82E48C2C747A7061029239AE@HERMES.turpin-bg.local> <87ws33qqtq.fsf@vigenere.g10code.de> <33CE89420E3A834A82E48C2C747A7061029239AF@HERMES.turpin-bg.local> <87zl7xorub.fsf@vigenere.g10code.de>
Message-ID: <33CE89420E3A834A82E48C2C747A7061029239BA@HERMES.turpin-bg.local>

Hi Werner,

Thanks for the info. I'm still not clear on how to use the argument "status-fd 2" though. Could you possibly give me an example?

I originally opened the file doc/DETAILS with notepad but it was quite unreadable.

Downloaded Starksoft GnuPG wrapper but it's not compatible with GPG v2. Contacted the author who is looking at an upgrade.

Regards

David

From wk at gnupg.org Tue Oct 13 10:05:31 2009
From: wk at gnupg.org (Werner Koch)
Date: Tue, 13 Oct 2009 10:05:31 +0200
Subject: How to enable the reader's keypad
In-Reply-To: <1390349622.8969821255023978322.JavaMail.root@zimbra7-e1.priv.proxad.net> (tux tsndcb's message of "Thu, 8 Oct 2009 19:46:18 +0200 (CEST)")
References: <1390349622.8969821255023978322.JavaMail.root@zimbra7-e1.priv.proxad.net>
Message-ID: <87aazvwwfo.fsf@vigenere.g10code.de>

On Thu, 8 Oct 2009 19:46, tux.tsndcb at free.fr said:

> On my scdaemon.conf I've not disable-keypad
> So how to do this ?

The keypad is only enabled for certain readers:

  /* We have only tested a few readers so better don't risk anything
     and do not allow the use with other readers. */
  switch (handle->id_vendor)
    {
    case VENDOR_SCM:  /* Tested with SPR 532. */
    case VENDOR_KAAN: /* Tested with KAAN Advanced (1.02). */
      break;
    case VENDOR_CHERRY:
      /* The CHERRY XX44 keyboard echos an asterisk for each entered
         character on the keyboard channel.  We use a special variant
         of PC_to_RDR_Secure which directs these characters to the
         smart card's bulk-in channel.  We also need to append a zero
         Lc byte to the APDU.  It seems that it will be replaced with
         the actual length instead of being appended before the APDU
         is send to the card. */
      cherry_mode = 1;
      break;
    default:
      return CCID_DRIVER_ERR_NOT_SUPPORTED;
    }

You may add your vendor id (scd/ccid-driver.c) and test it. Let me know if that works and I will add the reader.

Further we don't support them when using PC/SC. At the time I added the support PC/SC had no standard for using the keypads.

Shalom-Salam,

Werner

From wk at gnupg.org Mon Oct 12 19:22:28 2009
From: wk at gnupg.org (Werner Koch) Date: Mon, 12 Oct 2009 19:22:28 +0200 Subject: Testing the exit status In-Reply-To: <33CE89420E3A834A82E48C2C747A7061029239BA@HERMES.turpin-bg.local> (David Gray's message of "Mon, 12 Oct 2009 16:46:20 +0100") References: <33CE89420E3A834A82E48C2C747A7061029239AE@HERMES.turpin-bg.local> <87ws33qqtq.fsf@vigenere.g10code.de> <33CE89420E3A834A82E48C2C747A7061029239AF@HERMES.turpin-bg.local> <87zl7xorub.fsf@vigenere.g10code.de> <33CE89420E3A834A82E48C2C747A7061029239BA@HERMES.turpin-bg.local> Message-ID: <87k4z0wmqz.fsf@vigenere.g10code.de> On Mon, 12 Oct 2009 17:46, David.Gray at turpin-distribution.com said: > Thanks for the info. I'm still not clear on how to use the argument > "status-fd 2" Writing to a file descriptor is basic technique on almost all systems. You may want to consult the APUE [1] to see how it works. > I originally opened the file doc/DETAILS with notepad but it was quite > unreadable. I have no problems to read it; see below Shalom-Salam, Werner [1] http://bookzilla.de/shop/action/productDetails/6878129/w_richard_stevens_stephen_a_rago_advanced_programming_in_the_unix_environment_0321525949.html#produktbeschreibung doc/DETAILs: -*- text -*- Format of colon listings ======================== First an example: $ gpg --fixed-list-mode --with-colons --list-keys \ --with-fingerprint --with-fingerprint wk at gnupg.org pub:f:1024:17:6C7EE1B8621CC013:899817715:1055898235::m:::scESC: fpr:::::::::ECAF7590EB3443B5C7CF3ACB6C7EE1B8621CC013: uid:f::::::::Werner Koch : uid:f::::::::Werner Koch : sub:f:1536:16:06AD222CADF6A6E1:919537416:1036177416:::::e: fpr:::::::::CF8BCC4B18DE08FCD8A1615906AD222CADF6A6E1: sub:r:1536:20:5CE086B5B5A18FF4:899817788:1025961788:::::esc: fpr:::::::::AB059359A3B81F410FCFF97F5CE086B5B5A18FF4: The double --with-fingerprint prints the fingerprint for the subkeys too. 
--fixed-list-mode is the modern listing way printing dates in seconds
since Epoch and does not merge the first userID with the pub record;
gpg2 does this by default and the option is a dummy.

 1. Field:  Type of record
            pub = public key
            crt = X.509 certificate
            crs = X.509 certificate and private key available
            sub = subkey (secondary key)
            sec = secret key
            ssb = secret subkey (secondary key)
            uid = user id (only field 10 is used).
            uat = user attribute (same as user id except for field 10).
            sig = signature
            rev = revocation signature
            fpr = fingerprint: (fingerprint is in field 10)
            pkd = public key data (special field format, see below)
            grp = reserved for gpgsm
            rvk = revocation key
            tru = trust database information
            spk = signature subpacket

 2. Field:  A letter describing the calculated validity.  This is a
            single letter, but be prepared that additional information
            may follow in some future versions.  (not used for secret
            keys)
                o = Unknown (this key is new to the system)
                i = The key is invalid (e.g. due to a missing
                    self-signature)
                d = The key has been disabled
                    (deprecated - use the 'D' in field 12 instead)
                r = The key has been revoked
                e = The key has expired
                - = Unknown validity (i.e. no value assigned)
                q = Undefined validity
                    '-' and 'q' may safely be treated as the same
                    value for most purposes
                n = The key is valid
                m = The key is marginal valid.
                f = The key is fully valid
                u = The key is ultimately valid.  This often means
                    that the secret key is available, but any key may
                    be marked as ultimately valid.

            If the validity information is given for a UID or UAT
            record, it describes the validity calculated based on this
            user ID.  If given for a key record it describes the best
            validity taken from the best rated user ID.

            For X.509 certificates a 'u' is used for a trusted root
            certificate (i.e. for the trust anchor) and an 'f' for all
            other valid certificates.

 3. Field:  length of key in bits.

 4. Field:  Algorithm:  1 = RSA
                       16 = Elgamal (encrypt only)
                       17 = DSA (sometimes called DH, sign only)
                       20 = Elgamal (sign and encrypt - don't use them!)
            (for other id's see include/cipher.h)

 5. Field:  KeyID

 6. Field:  Creation Date (in UTC).  For UID and UAT records, this is
            the self-signature date.  Note that the date is usually
            printed in seconds since epoch, however, we are migrating
            to an ISO 8601 format (e.g. "19660205T091500").  This is
            currently only relevant for X.509.  A simple way to detect
            the new format is to scan for the 'T'.

 7. Field:  Key or user ID/user attribute expiration date or empty if
            none.

 8. Field:  Used for serial number in crt records (used to be the
            Local-ID).  For UID and UAT records, this is a hash of the
            user ID contents used to represent that exact user ID.  For
            trust signatures, this is the trust depth separated by the
            trust value by a space.

 9. Field:  Ownertrust (primary public keys only)
            This is a single letter, but be prepared that additional
            information may follow in some future versions.  For trust
            signatures with a regular expression, this is the regular
            expression value, quoted as in field 10.

10. Field:  User-ID.  The value is quoted like a C string to avoid
            control characters (the colon is quoted "\x3a").
            For a "pub" record this field is not used on
            --fixed-list-mode.
            A UAT record puts the attribute subpacket count here, a
            space, and then the total attribute subpacket size.
            In gpgsm the issuer name comes here.
            An FPR record stores the fingerprint here.
            The fingerprint of a revocation key is stored here.

11. Field:  Signature class as per RFC-4880.  This is a 2 digit
            hexnumber followed by either the letter 'x' for an
            exportable signature or the letter 'l' for a local-only
            signature.  The class byte of a revocation key is also
            given here, 'x' and 'l' is used the same way.  It is not
            used for X.509.

12. Field:  Key capabilities:
                e = encrypt
                s = sign
                c = certify
                a = authentication
            A key may have any combination of them in any order.  In
            addition to these letters, the primary key has uppercase
            versions of the letters to denote the _usable_
            capabilities of the entire key, and a potential letter 'D'
            to indicate a disabled key.

13. Field:  Used in FPR records for S/MIME keys to store the
            fingerprint of the issuer certificate.  This is useful to
            build the certificate path based on certificates stored in
            the local keyDB; it is only filled if the issuer
            certificate is available.  The root has been reached if
            this is the same string as the fingerprint.  The advantage
            of using this value is that it is guaranteed to have been
            built by the same lookup algorithm as gpgsm uses.
            For "uid" records this lists the preferences in the same
            way the gpg's --edit-key menu does.
            For "sig" records, this is the fingerprint of the key that
            issued the signature.  Note that this is only filled in if
            the signature verified correctly.  Note also that for
            various technical reasons, this fingerprint is only
            available if --no-sig-cache is used.

14. Field   Flag field used in the --edit menu output:

15. Field   Used in sec/sbb to print the serial number of a token
            (internal protect mode 1002) or a '#' if that key is a
            simple stub (internal protect mode 1001)

All dates are displayed in the format yyyy-mm-dd unless you use the
option --fixed-list-mode in which case they are displayed as seconds
since Epoch.  More fields may be added later, so parsers should be
prepared for this.  When parsing a number the parser should stop at
the first non-number character so that additional information can
later be added.

If field 1 has the tag "pkd", a listing looks like this:

pkd:0:1024:B665B1435F4C2 .... FF26ABB:
    !  !   !-- the value
    !  !------ for information number of bits in the value
    !--------- index (eg. DSA goes from 0 to 3: p,q,g,y)

Example for a "tru" trust base record:

   tru:o:0:1166697654:1:3:1:5

The fields are:

   2: Reason for staleness of trust.  If this field is empty, then the
      trustdb is not stale.  This field may have multiple flags in it:

      o: Trustdb is old
      t: Trustdb was built with a different trust model than the one we
         are using now.

   3: Trust model:
      0: Classic trust model, as used in PGP 2.x.
      1: PGP trust model, as used in PGP 6 and later.  This is the same
         as the classic trust model, except for the addition of trust
         signatures.

      GnuPG before version 1.4 used the classic trust model by default.
      GnuPG 1.4 and later uses the PGP trust model by default.

   4: Date trustdb was created in seconds since 1970-01-01.
   5: Date trustdb will expire in seconds since 1970-01-01.
   6: Number of marginally trusted users to introduce a new key signer
      (gpg's option --marginals-needed)
   7: Number of completely trusted users to introduce a new key signer.
      (gpg's option --completes-needed)
   8: Maximum depth of a certification chain.
      (gpg's option --max-cert-depth)

The "spk" signature subpacket records have the fields:

   2: Subpacket number as per RFC-4880 and later.
   3: Flags in hex.  Currently the only two bits assigned are 1, to
      indicate that the subpacket came from the hashed part of the
      signature, and 2, to indicate the subpacket was marked critical.
   4: Length of the subpacket.  Note that this is the length of the
      subpacket, and not the length of field 5 below.  Due to the need
      for %-encoding, the length of field 5 may be up to 3x this value.
   5: The subpacket data.  Printable ASCII is shown as ASCII, but other
      values are rendered as %XX where XX is the hex value for the byte.


Format of the "--status-fd" output
==================================

Every line is prefixed with "[GNUPG:] ", followed by a keyword with the
type of the status line and some arguments depending on the type
(maybe none); an application should always be prepared to see more
arguments in future versions.

    NEWSIG
        May be issued right before a signature verification starts.
        This is useful to define a context for parsing ERROR status
        messages.  No arguments are currently defined.
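The colon-listing format documented above is meant to be parsed by programs, and the rules that matter for a robust parser are all stated in the text: split on ":" before unquoting field 10, stop numeric parsing at the first non-digit, treat an ISO date as one containing a "T", split field 12 into lowercase (own) and uppercase (usable) capabilities, and ignore record types and trailing fields you do not know. The following parser is an added example written for this page; it is not part of doc/DETAILS or of GnuPG. The listing it parses is constructed from the documented example (the user IDs are made up, and one carries a C-escaped colon); the field names in the returned dicts are this example's own choice.

```python
"""Parser for gpg --with-colons --fixed-list-mode key listings (added example)."""
from datetime import datetime, timezone
import re

# Constructed sample in the documented format.  Fingerprints and keyids follow
# the doc's example listing; user IDs are invented, the second one contains a
# colon quoted as \x3a.  The "tru" line is the doc's own example record.
SAMPLE_LISTING = """\
tru:o:0:1166697654:1:3:1:5
pub:f:1024:17:6C7EE1B8621CC013:899817715:1055898235::m:::scESC:
fpr:::::::::ECAF7590EB3443B5C7CF3ACB6C7EE1B8621CC013:
uid:f::::::::Alice Example <alice@example.org>:
uid:f::::::::Alice Example (test\\x3a colon) <alice@example.org>:
sub:f:1536:16:06AD222CADF6A6E1:919537416:1036177416:::::e:
fpr:::::::::CF8BCC4B18DE08FCD8A1615906AD222CADF6A6E1:
sub:r:1536:20:5CE086B5B5A18FF4:899817788:1025961788:::::esc:
fpr:::::::::AB059359A3B81F410FCFF97F5CE086B5B5A18FF4:
"""

_CESCAPES = {"n": "\n", "r": "\r", "t": "\t", "\\": "\\", '"': '"'}


def unquote_cstring(s):
    """Undo the C-string quoting of field 10 (a colon arrives as \\x3a)."""
    out, i = [], 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            nxt = s[i + 1]
            if nxt == "x" and i + 3 < len(s):
                out.append(chr(int(s[i + 2:i + 4], 16)))
                i += 4
                continue
            if nxt in _CESCAPES:
                out.append(_CESCAPES[nxt])
                i += 2
                continue
        out.append(c)
        i += 1
    return "".join(out)


def leading_int(s, default=0):
    """Parse a number but stop at the first non-digit, as the doc requires."""
    m = re.match(r"\d+", s)
    return int(m.group()) if m else default


def parse_date(s):
    """Seconds since epoch, or ISO 8601 basic form when a 'T' is present."""
    if not s:
        return None
    if "T" in s:
        return datetime.strptime(s, "%Y%m%dT%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(leading_int(s), tz=timezone.utc)


def parse_caps(s):
    """Field 12: lowercase = this key's flags, uppercase = usable flags of the
    whole key, 'D' = disabled."""
    own = {c for c in s if c in "esca"}
    usable = {c.lower() for c in s if c in "ESCA"}
    return own, usable, "D" in s


def parse_colon_listing(text):
    """Return {"trustdb": {...} or None, "keys": [pub records with uids/subkeys]}."""
    result = {"trustdb": None, "keys": []}
    current = None   # pub/sec record being filled
    last = None      # last key/subkey record, so the next "fpr" attaches to it
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        f += [""] * (15 - len(f))   # short lines are padded; extra fields are ignored
        rtype = f[0]
        if rtype == "tru":
            result["trustdb"] = {
                "stale_flags": f[1], "model": leading_int(f[2]),
                "created": parse_date(f[3]), "expires": parse_date(f[4]),
                "marginals_needed": leading_int(f[5]),
                "completes_needed": leading_int(f[6]),
                "max_cert_depth": leading_int(f[7]),
            }
        elif rtype in ("pub", "sec", "sub", "ssb"):
            own, usable, disabled = parse_caps(f[11])
            rec = {"type": rtype, "validity": f[1], "bits": leading_int(f[2]),
                   "algo": leading_int(f[3]), "keyid": f[4],
                   "created": parse_date(f[5]), "expires": parse_date(f[6]),
                   "ownertrust": f[8], "caps": own, "fingerprint": None}
            if rtype in ("pub", "sec"):
                rec.update(usable_caps=usable, disabled=disabled, uids=[], subkeys=[])
                current = rec
                result["keys"].append(rec)
            elif current is not None:
                current["subkeys"].append(rec)
            last = rec
        elif rtype == "fpr" and last is not None:
            last["fingerprint"] = f[9]
        elif rtype in ("uid", "uat") and current is not None:
            current["uids"].append({"type": rtype, "validity": f[1],
                                    "selfsig_date": parse_date(f[5]), "hash": f[7],
                                    "uid": unquote_cstring(f[9])})
        # sig, rvk, spk, pkd and any future record type are skipped, not fatal
    return result
```

A script that uses this should decide on fingerprints, not on the short or long keyid from field 5, and should look at both the per-key validity letter (field 2) and the uppercase usable capabilities before picking a key for encryption or signature checks.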
    GOODSIG
        The signature with the keyid is good.  For each signature only
        one of the three codes GOODSIG, BADSIG or ERRSIG will be
        emitted and they may be used as a marker for a new signature.
        The username is the primary one encoded in UTF-8 and %XX
        escaped.  The fingerprint may be used instead of the long
        keyid if it is available.  This is the case with CMS and might
        eventually also be available for OpenPGP.

    EXPSIG
        The signature with the keyid is good, but the signature is
        expired.  The username is the primary one encoded in UTF-8 and
        %XX escaped.  The fingerprint may be used instead of the long
        keyid if it is available.  This is the case with CMS and might
        eventually also be available for OpenPGP.

    EXPKEYSIG
        The signature with the keyid is good, but the signature was
        made by an expired key.  The username is the primary one
        encoded in UTF-8 and %XX escaped.  The fingerprint may be used
        instead of the long keyid if it is available.  This is the
        case with CMS and might eventually also be available for
        OpenPGP.

    REVKEYSIG
        The signature with the keyid is good, but the signature was
        made by a revoked key.  The username is the primary one
        encoded in UTF-8 and %XX escaped.  The fingerprint may be used
        instead of the long keyid if it is available.  This is the
        case with CMS and might eventually also be available for
        OpenPGP.

    BADSIG
        The signature with the keyid has not been verified okay.  The
        username is the primary one encoded in UTF-8 and %XX escaped.
        The fingerprint may be used instead of the long keyid if it is
        available.  This is the case with CMS and might eventually
        also be available for OpenPGP.

    ERRSIG
        It was not possible to check the signature.  This may be
        caused by a missing public key or an unsupported algorithm.  A
        RC of 4 indicates unknown algorithm, a 9 indicates a missing
        public key.  The other fields give more information about this
        signature.  sig_class is a 2 byte hex-value.  The fingerprint
        may be used instead of the long keyid if it is available.
        This is the case with CMS and might eventually also be
        available for OpenPGP.  Note, that TIMESTAMP may either be a
        number with seconds since epoch or an ISO 8601 string which
        can be detected by the presence of the letter 'T' inside.

    VALIDSIG [ ]
        The signature with the keyid is good.  This is the same as
        GOODSIG but has the fingerprint as the argument.  Both status
        lines are emitted for a good signature.  All arguments here
        are on one long line.  sig-timestamp is the signature creation
        time in seconds after the epoch.  expire-timestamp is the
        signature expiration time in seconds after the epoch (zero
        means "does not expire").  sig-version, pubkey-algo,
        hash-algo, and sig-class (a 2-byte hex value) are all straight
        from the signature packet.  PRIMARY-KEY-FPR is the fingerprint
        of the primary key or identical to the first argument.  This
        is useful to get back to the primary key without running gpg
        again for this purpose.  The primary-key-fpr parameter is used
        for OpenPGP and not available for CMS signatures.  The
        sig-version as well as the sig class is not defined for CMS
        and currently set to 0 and 00.  Note, that *-TIMESTAMP may
        either be a number with seconds since epoch or an ISO 8601
        string which can be detected by the presence of the letter 'T'
        inside.

    SIG_ID
        This is emitted only for signatures of class 0 or 1 which have
        been verified okay.  The string is a signature id and may be
        used in applications to detect replay attacks of signed
        messages.  Note that only DLP algorithms give unique ids -
        others may yield duplicated ones when they have been created
        in the same second.  Note, that SIG-TIMESTAMP may either be a
        number with seconds since epoch or an ISO 8601 string which
        can be detected by the presence of the letter 'T' inside.

    ENC_TO
        The message is encrypted to this LONG_KEYID.  KEYTYPE is the
        numerical value of the public key algorithm or 0 if it is not
        known, KEYLENGTH is the length of the key or 0 if it is not
        known (which is currently always the case).  Gpg prints this
        line always; Gpgsm only if it knows the certificate.

    NODATA
        No data has been found.  Codes for what are:
            1 - No armored data.
            2 - Expected a packet but did not find one.
            3 - Invalid packet found, this may indicate a non OpenPGP
                message.
            4 - signature expected but not found
        You may see more than one of these status lines.

    UNEXPECTED
        Unexpected data has been encountered
            0 - not further specified               1

    TRUST_UNDEFINED
    TRUST_NEVER
    TRUST_MARGINAL [0 []]
    TRUST_FULLY [0 []]
    TRUST_ULTIMATE [0 []]
        For good signatures one of these status lines are emitted to
        indicate the validity of the key used to create the signature.
        The error token values are currently only emitted by gpgsm.
        VALIDATION_MODEL describes the algorithm used to check the
        validity of the key.  The defaults are the standard Web of
        Trust model for gpg and the standard X.509 model for gpgsm.
        The defined values are
           "pgp"   for the standard PGP WoT.
           "shell" for the standard X.509 model.
           "chain" for the chain model.
        Note that we use the term "TRUST_" in the status names for
        historic reasons; we now speak of validity.

    PKA_TRUST_GOOD
    PKA_TRUST_BAD
        Depending on the outcome of the PKA check one of the above
        status codes is emitted in addition to a TRUST_* status.
        Without PKA info available or

    SIGEXPIRED
        This is deprecated in favor of KEYEXPIRED.

    KEYEXPIRED
        The key has expired.  expire-timestamp is the expiration time
        in seconds since Epoch.  This status line is not very useful
        because it will also be emitted for expired subkeys even if
        this subkey is not used.  To check whether a key used to sign
        a message has expired, the EXPKEYSIG status line is to be
        used.  Note, that TIMESTAMP may either be a number with
        seconds since epoch or an ISO 8601 string which can be
        detected by the presence of the letter 'T' inside.

    KEYREVOKED
        The used key has been revoked by its owner.  No arguments yet.

    BADARMOR
        The ASCII armor is corrupted.  No arguments yet.

    RSA_OR_IDEA
        The IDEA algorithm has been used in the data.
A program might want to fallback to another program to handle the data if GnuPG failed. This status message used to be emitted also for RSA but this has been dropped after the RSA patent expired. However we can't change the name of the message. SHM_INFO SHM_GET SHM_GET_BOOL SHM_GET_HIDDEN GET_BOOL GET_LINE GET_HIDDEN GOT_IT NEED_PASSPHRASE Issued whenever a passphrase is needed. keytype is the numerical value of the public key algorithm or 0 if this is not applicable, keylength is the length of the key or 0 if it is not known (this is currently always the case). NEED_PASSPHRASE_SYM Issued whenever a passphrase for symmetric encryption is needed. NEED_PASSPHRASE_PIN [] Issued whenever a PIN is requested to unlock a card. MISSING_PASSPHRASE No passphrase was supplied. An application which encounters this message may want to stop parsing immediately because the next message will probably be a BAD_PASSPHRASE. However, if the application is a wrapper around the key edit menu functionality it might not make sense to stop parsing but simply ignoring the following BAD_PASSPHRASE. BAD_PASSPHRASE The supplied passphrase was wrong or not given. In the latter case you may have seen a MISSING_PASSPHRASE. GOOD_PASSPHRASE The supplied passphrase was good and the secret key material is therefore usable. DECRYPTION_FAILED The symmetric decryption failed - one reason could be a wrong passphrase for a symmetrical encrypted message. DECRYPTION_OKAY The decryption process succeeded. This means, that either the correct secret key has been used or the correct passphrase for a conventional encrypted message was given. The program itself may return an errorcode because it may not be possible to verify a signature for some reasons. NO_PUBKEY NO_SECKEY The key is not available IMPORT_CHECK This status is emitted in interactive mode right before the "import.okay" prompt. 
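The question that started this thread was how a script should decide, from --status-fd output, whether a verification really succeeded. gpg's exit status alone is not enough for that: a signature from a key whose validity is only TRUST_UNDEFINED still verifies and still yields a zero exit status, and GOODSIG carries only a long keyid, which is not a key identity. The decision has to combine the per-signature verdict (GOODSIG as opposed to EXPKEYSIG, REVKEYSIG, BADSIG or ERRSIG), the full fingerprint from VALIDSIG, and the TRUST_* line. The parser below is an added example for this page, not code from GnuPG or from anyone in the thread. It assumes the argument order of VALIDSIG and ERRSIG as given in GnuPG's DETAILS (fingerprint first for VALIDSIG, with the optional primary-key fingerprint as tenth argument; keyid first and the RC last for ERRSIG), and it treats EXPSIG, EXPKEYSIG and REVKEYSIG as per-signature verdict markers alongside the three the text names, which is this example's design choice. The status lines it consumes are constructed, reusing the doc's example fingerprints.

```python
"""Decide on signature verification from gpg --status-fd lines (added example)."""
from urllib.parse import unquote

# Constructed status output for three signatures (not captured from gpg):
# a good one from a fully valid key, one from an expired key, and one whose
# public key is missing.  Fingerprints reuse the doc's example key.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 6C7EE1B8621CC013 Ren%C3%A9 Example <rene@example.org>
[GNUPG:] VALIDSIG ECAF7590EB3443B5C7CF3ACB6C7EE1B8621CC013 2009-10-12 1255366800 0 4 0 17 2 00 ECAF7590EB3443B5C7CF3ACB6C7EE1B8621CC013
[GNUPG:] TRUST_FULLY 0 pgp
[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 5CE086B5B5A18FF4 Ren%C3%A9 Example <rene@example.org>
[GNUPG:] VALIDSIG AB059359A3B81F410FCFF97F5CE086B5B5A18FF4 2009-10-12 1255366800 0 4 0 20 2 00 ECAF7590EB3443B5C7CF3ACB6C7EE1B8621CC013
[GNUPG:] KEYEXPIRED 1025961788
[GNUPG:] TRUST_FULLY 0 pgp
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 17 2 00 1255366800 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
"""

# Per-signature verdict keywords; GOODSIG is the only acceptable one.
VERDICTS = ("GOODSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "BADSIG", "ERRSIG")
TRUST_RANK = {"TRUST_UNDEFINED": 0, "TRUST_NEVER": 0, "TRUST_MARGINAL": 1,
              "TRUST_FULLY": 2, "TRUST_ULTIMATE": 3}
ERRSIG_RC = {4: "unsupported algorithm", 9: "missing public key"}
PREFIX = "[GNUPG:] "


def _new_sig():
    return {"verdict": None, "keyid": None, "user": None, "fingerprint": None,
            "primary_fpr": None, "sig_timestamp": None, "trust": None,
            "model": None, "errsig_rc": None, "missing_key": None}


def parse_status(text):
    """Group status lines into one dict per signature."""
    sigs, cur = [], None
    for line in text.splitlines():
        if not line.startswith(PREFIX):
            continue                                   # stderr noise, not status
        parts = line[len(PREFIX):].split()
        kw, args = parts[0], parts[1:]
        if kw == "NEWSIG":
            cur = _new_sig()
            sigs.append(cur)
        elif kw in VERDICTS:
            if cur is None or cur["verdict"] is not None:   # no NEWSIG emitted
                cur = _new_sig()
                sigs.append(cur)
            cur["verdict"], cur["keyid"] = kw, args[0]
            if kw == "ERRSIG":
                cur["errsig_rc"] = int(args[5]) if len(args) > 5 else None
            else:
                cur["user"] = unquote(" ".join(args[1:]))   # %XX-escaped UTF-8
        elif cur is None:
            continue
        elif kw == "VALIDSIG":
            cur["fingerprint"], cur["sig_timestamp"] = args[0], args[2]
            cur["primary_fpr"] = args[9] if len(args) > 9 else args[0]
        elif kw in TRUST_RANK:
            cur["trust"] = kw
            cur["model"] = args[1] if len(args) > 1 else None
        elif kw == "NO_PUBKEY":
            cur["missing_key"] = args[0]
    return sigs


def accept(sig, allowed_fprs, min_trust="TRUST_FULLY"):
    """True only for a GOODSIG whose VALIDSIG fingerprint is one we expect and
    whose key validity is at least min_trust.  The keyid from GOODSIG is never
    used for the match."""
    return (sig["verdict"] == "GOODSIG"
            and sig["fingerprint"] in allowed_fprs
            and TRUST_RANK.get(sig["trust"], -1) >= TRUST_RANK[min_trust])


def explain(sig):
    """One-line reason suitable for a log entry."""
    if sig["verdict"] == "ERRSIG":
        return "ERRSIG: " + ERRSIG_RC.get(sig["errsig_rc"], f"rc={sig['errsig_rc']}")
    return f"{sig['verdict']} by {sig['fingerprint'] or sig['keyid']} ({sig['trust']})"
```

A wrapper would run gpg with --status-fd pointing at a pipe (or at 2 and a separate stderr capture), feed that text to parse_status, and only treat the data as verified when accept() holds for at least one signature and no BADSIG was seen; the exit status is then a secondary check, not the decision.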
IMPORTED The keyid and name of the signature just imported IMPORT_OK [] The key with the primary key's FINGERPRINT has been imported. Reason flags: 0 := Not actually changed 1 := Entirely new key. 2 := New user IDs 4 := New signatures 8 := New subkeys 16 := Contains private key. The flags may be ORed. IMPORT_PROBLEM [] Issued for each import failure. Reason codes are: 0 := "No specific reason given". 1 := "Invalid Certificate". 2 := "Issuer Certificate missing". 3 := "Certificate Chain too long". 4 := "Error storing certificate". IMPORT_RES Final statistics on import process (this is one long line) FILE_START Start processing a file . indicates the performed operation: 1 - verify 2 - encrypt 3 - decrypt FILE_DONE Marks the end of a file processing which has been started by FILE_START. BEGIN_DECRYPTION END_DECRYPTION Mark the start and end of the actual decryption process. These are also emitted when in --list-only mode. BEGIN_ENCRYPTION END_ENCRYPTION Mark the start and end of the actual encryption process. BEGIN_SIGNING Mark the start of the actual signing process. This may be used as an indication that all requested secret keys are ready for use. DELETE_PROBLEM reason_code Deleting a key failed. Reason codes are: 1 - No such key 2 - Must delete secret key first 3 - Ambigious specification PROGRESS what char cur total Used by the primegen and Public key functions to indicate progress. "char" is the character displayed with no --status-fd enabled, with the linefeed replaced by an 'X'. "cur" is the current amount done and "total" is amount to be done; a "total" of 0 indicates that the total amount is not known. The condition TOATL && CUR == TOTAL may be used to detect the end of an operation. Well known values for WHAT: "pk_dsa" - DSA key generation "pk_elg" - Elgamal key generation "primegen" - Prime generation "need_entropy" - Waiting for new entropy in the RNG "file:XXX" - processing file XXX (note that current gpg versions leave out the "file:" prefix). 
"tick" - generic tick without any special meaning - useful for letting clients know that the server is still working. "starting_agent" - A gpg-agent was started because it is not running as a daemon. "learncard" Send by the agent and gpgsm while learing the data of a smartcard. "card_busy" A smartcard is still working SIG_CREATED A signature has been created using these parameters. type: 'D' = detached 'C' = cleartext 'S' = standard (only the first character should be checked) class: 2 hex digits with the signature class Note, that TIMESTAMP may either be a number with seconds since epoch or an ISO 8601 string which can be detected by the presence of the letter 'T' inside. KEY_CREATED [] A key has been created type: 'B' = primary and subkey 'P' = primary 'S' = subkey The fingerprint is one of the primary key for type B and P and the one of the subkey for S. Handle is an arbitrary non-whitespace string used to match key parameters from batch key creation run. KEY_NOT_CREATED [] The key from batch run has not been created due to errors. SESSION_KEY : The session key used to decrypt the message. This message will only be emitted when the special option --show-session-key is used. The format is suitable to be passed to the option --override-session-key NOTATION_NAME NOTATION_DATA name and string are %XX escaped; the data may be split among several NOTATION_DATA lines. USERID_HINT Give a hint about the user ID for a certain keyID. POLICY_URL string is %XX escaped BEGIN_STREAM END_STREAM Issued by pipemode. INV_RECP INV_SGNR Issued for each unusable recipient/sender. The reasons codes currently in use are: 0 := "No specific reason given". 1 := "Not Found" 2 := "Ambigious specification" 3 := "Wrong key usage" 4 := "Key revoked" 5 := "Key expired" 6 := "No CRL known" 7 := "CRL too old" 8 := "Policy mismatch" 9 := "Not a secret key" 10 := "Key not trusted" 11 := "Missing certificate" (e.g. intermediate or root cert.) 
Note that for historical reasons the INV_RECP status is also used for gpgsm's SIGNER command where it relates to signer's of course. Newer GnuPG versions are using INV_SGNR; applications should ignore the INV_RECP during the sender's command processing once they have seen an INV_SGNR. We use different code so that we can distinguish them while doing an encrypt+sign. NO_RECP NO_SGNR Issued when no recipients/senders are usable. ALREADY_SIGNED Warning: This is experimental and might be removed at any time. TRUNCATED The output was truncated to MAXNO items. This status code is issued for certain external requests ERROR [] This is a generic error status message, it might be followed by error location specific data. and should not contain spaces. The error code is a either a string commencing with a letter or such a string prefixed with a numerical error code and an underscore; e.g.: "151011327_EOF". ATTRIBUTE This is one long line issued for each attribute subpacket when an attribute packet is seen during key listing. is the fingerprint of the key. is the length of the attribute subpacket. is the attribute type (1==image). / indicates that this is the Nth indexed subpacket of count total subpackets in this attribute packet. and are from the self-signature on the attribute packet. If the attribute packet does not have a valid self-signature, then the timestamp is 0. are a bitwise OR of: 0x01 = this attribute packet is a primary uid 0x02 = this attribute packet is revoked 0x04 = this attribute packet is expired CARDCTRL [] This is used to control smartcard operations. Defined values for WHAT are: 1 = Request insertion of a card. Serialnumber may be given to request a specific card. Used by gpg 1.4 w/o scdaemon. 2 = Request removal of a card. Used by gpg 1.4 w/o scdaemon. 3 = Card with serialnumber detected 4 = No card available. 5 = No card reader available 6 = No card support available PLAINTEXT This indicates the format of the plaintext that is about to be written. 
The format is a 1 byte hex code that shows the format of the plaintext: 62 ('b') is binary data, 74 ('t') is text data with no character set specified, and 75 ('u') is text data encoded in the UTF-8 character set. The timestamp is in seconds since the epoch. If a filename is available it gets printed as the third argument, percent-escaped as usual. PLAINTEXT_LENGTH This indicates the length of the plaintext that is about to be written. Note that if the plaintext packet has partial length encoding it is not possible to know the length ahead of time. In that case, this status tag does not appear. SIG_SUBPACKET This indicates that a signature subpacket was seen. The format is the same as the "spk" record above. SC_OP_FAILURE [] An operation on a smartcard definitely failed. Currently there is no indication of the actual error code, but application should be prepared to later accept more arguments. Defined values for CODE are: 0 - unspecified error (identically to a missing CODE) 1 - canceled 2 - bad PIN SC_OP_SUCCESS A smart card operaion succeeded. This status is only printed for certain operation and is mostly useful to check whether a PIN change really worked. BACKUP_KEY_CREATED fingerprint fname A backup key named FNAME has been created for the key with KEYID. Format of the "--attribute-fd" output ===================================== When --attribute-fd is set, during key listings (--list-keys, --list-secret-keys) GnuPG dumps each attribute packet to the file descriptor specified. --attribute-fd is intended for use with --status-fd as part of the required information is carried on the ATTRIBUTE status tag (see above). The contents of the attribute data is specified by RFC 4880. For convenience, here is the Photo ID format, as it is currently the only attribute defined: Byte 0-1: The length of the image header. Due to a historical accident (i.e. oops!) back in the NAI PGP days, this is a little-endian number. Currently 16 (0x10 0x00). 
Byte 2: The image header version. Currently 0x01. Byte 3: Encoding format. 0x01 == JPEG. Byte 4-15: Reserved, and currently unused. All other data after this header is raw image (JPEG) data. Format of the "--list-config" output ==================================== --list-config outputs information about the GnuPG configuration for the benefit of frontends or other programs that call GnuPG. There are several list-config items, all colon delimited like the rest of the --with-colons output. The first field is always "cfg" to indicate configuration information. The second field is one of (with examples): version: the third field contains the version of GnuPG. cfg:version:1.3.5 pubkey: the third field contains the public key algorithmdcaiphers this version of GnuPG supports, separated by semicolons. The algorithm numbers are as specified in RFC-4880. cfg:pubkey:1;2;3;16;17 cipher: the third field contains the symmetric ciphers this version of GnuPG supports, separated by semicolons. The cipher numbers are as specified in RFC-4880. cfg:cipher:2;3;4;7;8;9;10 digest: the third field contains the digest (hash) algorithms this version of GnuPG supports, separated by semicolons. The digest numbers are as specified in RFC-4880. cfg:digest:1;2;3;8;9;10 compress: the third field contains the compression algorithms this version of GnuPG supports, separated by semicolons. The algorithm numbers are as specified in RFC-4880. cfg:compress:0;1;2;3 group: the third field contains the name of the group, and the fourth field contains the values that the group expands to, separated by semicolons. For example, a group of: group mynames = paige 0x12345678 joe patti would result in: cfg:group:mynames:patti;joe;0x12345678;paige Key generation ============== See the Libcrypt manual. Unattended key generation ========================= This feature allows unattended generation of keys controlled by a parameter file. 
To use this feature, you use --gen-key together with --batch and feed
the parameters either from stdin or from a file given on the
commandline.

The format of this file is as follows:
  o Text only, line length is limited to about 1000 chars.
  o You must use UTF-8 encoding to specify non-ascii characters.
  o Empty lines are ignored.
  o Leading and trailing spaces are ignored.
  o A hash sign as the first non white space character indicates
    a comment line.
  o Control statements are indicated by a leading percent sign, the
    arguments are separated by white space from the keyword.
  o Parameters are specified by a keyword, followed by a colon.
    Arguments are separated by white space.
  o The first parameter must be "Key-Type", control statements
    may be placed anywhere.
  o Key generation takes place when either the end of the parameter
    file is reached, the next "Key-Type" parameter is encountered or
    at the control statement "%commit"
  o Control statements:
    %echo
        Print .
    %dry-run
        Suppress actual key generation (useful for syntax checking).
    %commit
        Perform the key generation.  An implicit commit is done
        at the next "Key-Type" parameter.
    %pubring
    %secring
        Do not write the key to the default or commandline given
        keyring but to .  This must be given before the first
        commit to take place, duplicate specification of the same
        filename is ignored, the last filename before a commit is
        used.  The filename is used until a new filename is used
        (at commit points) and all keys are written to that file.
        If a new filename is given, this file is created (and
        overwrites an existing one).  Both control statements
        must be given.
    %ask-passphrase
        Enable a mode where the command "passphrase" is ignored and
        instead the usual passphrase dialog is used.  This does not
        make sense for batch key generation; however the unattended
        key generation feature is also used by GUIs and this feature
        relinquishes the GUI from implementing its own passphrase
        entry code.  This is a global option.
    %no-ask-passphrase
        Disable the ask-passphrase mode.

  o The order of the parameters does not matter except for "Key-Type"
    which must be the first parameter.  The parameters are only for
    the generated keyblock and parameters from previous key
    generations are not used.  Some syntactical checks may be
    performed.
    The currently defined parameters are:
    Key-Type: |
        Starts a new parameter block by giving the type of the
        primary key.  The algorithm must be capable of signing.
        This is a required parameter.
    Key-Length:
        Length of the key in bits.  Default is 1024.
    Key-Usage:
        Space or comma delimited list of key usage, allowed values are
        "encrypt", "sign", and "auth".  This is used to generate
        the key flags.  Please make sure that the algorithm is
        capable of this usage.  Note that OpenPGP requires that all
        primary keys are capable of certification, so no matter what
        usage is given here, the "cert" flag will be on.  If no
        Key-Usage is specified, all the allowed usages for that
        particular algorithm are used.
    Subkey-Type: |
        This generates a secondary key.  Currently only one subkey
        can be handled.
    Subkey-Length:
        Length of the subkey in bits.  Default is 1024.
    Subkey-Usage:
        Similar to Key-Usage.
    Passphrase:
        If you want to specify a passphrase for the secret key,
        enter it here.  Default is not to use any passphrase.
    Name-Real:
    Name-Comment:
    Name-Email:
        The 3 parts of a key.  Remember to use UTF-8 here.
        If you don't give any of them, no user ID is created.
    Expire-Date: |([d|w|m|y])
        Set the expiration date for the key (and the subkey).  It
        may either be entered in ISO date format (2000-08-15) or as
        number of days, weeks, month or years.  The special notation
        "seconds=N" is also allowed to directly give an Epoch value.
        Without a letter days are assumed.  Note that there is no
        check done on the overflow of the type used by OpenPGP for
        timestamps.  Thus you better make sure that the given value
        makes sense.  Although OpenPGP works with time intervals,
        GnuPG uses an absolute value internally and thus the last
        year we can represent is 2105.
    Creation-Date:
        Set the creation date of the key as stored in the key
        information and which is also part of the fingerprint
        calculation.  Either a date like "1986-04-26" or a full
        timestamp like "19860426T042640" may be used.  The time is
        considered to be UTC.  If it is not given the current time
        is used.
    Preferences:
        Set the cipher, hash, and compression preference values for
        this key.  This expects the same type of string as "setpref"
        in the --edit menu.
    Revoker: : [sensitive]
        Add a designated revoker to the generated key.  Algo is the
        public key algorithm of the designated revoker (i.e. RSA=1,
        DSA=17, etc.)  Fpr is the fingerprint of the designated
        revoker.  The optional "sensitive" flag marks the designated
        revoker as sensitive information.  Only v4 keys may be
        designated revokers.
    Handle:
        This is an optional parameter only used with the status lines
        KEY_CREATED and KEY_NOT_CREATED.  STRING may be up to 100
        characters and should not contain spaces.  It is useful for
        batch key generation to associate a key parameter block with a
        status line.
    Keyserver:
        This is an optional parameter that specifies the preferred
        keyserver URL for the key.

Here is an example:

$ cat >foo < ssb  1024g/8F70E2C0 2000-03-09


Layout of the TrustDB
=====================

The TrustDB is built from fixed length records, where the first byte
describes the record type.  All numeric values are stored in network
byte order.  The length of each record is 40 bytes.  The first record
of the DB is always of type 1 and this is the only record of this
type.

FIXME:  The layout changed, document it here.

Record type 0:
--------------
  Unused record, can be reused for any purpose.

Record type 1:
--------------
  Version information for this TrustDB.  This is always the first
  record of the DB and the only one with type 1.
1 byte value 1 3 bytes 'gpg' magic value 1 byte Version of the TrustDB (2) 1 byte marginals needed 1 byte completes needed 1 byte max_cert_depth The three items are used to check whether the cached validity value from the dir record can be used. 1 u32 locked flags [not used] 1 u32 timestamp of trustdb creation 1 u32 timestamp of last modification which may affect the validity of keys in the trustdb. This value is checked against the validity timestamp in the dir records. 1 u32 timestamp of last validation [currently not used] (Used to keep track of the time, when this TrustDB was checked against the pubring) 1 u32 record number of keyhashtable [currently not used] 1 u32 first free record 1 u32 record number of shadow directory hash table [currently not used] It does not make sense to combine this table with the key table because the keyid is not in every case a part of the fingerprint. 1 u32 record number of the trusthashtbale Record type 2: (directory record) -------------- Informations about a public key certificate. These are static values which are never changed without user interaction. 1 byte value 2 1 byte reserved 1 u32 LID . (This is simply the record number of this record.) 1 u32 List of key-records (the first one is the primary key) 1 u32 List of uid-records 1 u32 cache record 1 byte ownertrust 1 byte dirflag 1 byte maximum validity of all the user ids 1 u32 time of last validity check. 1 u32 Must check when this time has been reached. (0 = no check required) Record type 3: (key record) -------------- Informations about a primary public key. 
(This is mainly used to lookup a trust record)

 1 byte   value 3
 1 byte   reserved
 1 u32    LID
 1 u32    next - next key record
 7 bytes  reserved
 1 byte   keyflags
 1 byte   pubkey algorithm
 1 byte   length of the fingerprint (in bytes)
20 bytes  fingerprint of the public key (This is the value we use to identify a key)

Record type 4: (uid record)
--------------
Information about a userid. We do not store the userid but the hash value of the userid because that is sufficient.

 1 byte   value 4
 1 byte   reserved
 1 u32    LID  points to the directory record.
 1 u32    next  next userid
 1 u32    pointer to preference record
 1 u32    siglist  list of valid signatures
 1 byte   uidflags
 1 byte   validity of the key calculated over this user id
20 bytes  ripemd160 hash of the username.

Record type 5: (pref record)
--------------
This record type is not anymore used.

 1 byte   value 5
 1 byte   reserved
 1 u32    LID; points to the directory record (and not to the uid record!). (or 0 for standard preference record)
 1 u32    next
30 byte   preference data

Record type 6 (sigrec)
-------------
Used to keep track of key signatures. Self-signatures are not stored. If a public key is not in the DB, the signature points to a shadow dir record, which in turn has a list of records which might be interested in this key (and the signature record here is one).

 1 byte   value 6
 1 byte   reserved
 1 u32    LID  points back to the dir record
 1 u32    next  next sigrec of this uid or 0 to indicate the last sigrec.
 6 times
   1 u32  Local_id of signatures dir or shadow dir record
   1 byte Flag: Bit 0 = checked: Bit 1 is valid (we have a real directory record for this)
                1 = valid is set (but may be revoked)

Record type 8: (shadow directory record)
--------------
This record is used to reserve a LID for a public key. We need this to create the sig records of other keys, even if we do not yet have the public key of the signature. This record (the record number to be more precise) will be reused as the dir record when we import the real public key.
 1 byte   value 8
 1 byte   reserved
 1 u32    LID (This is simply the record number of this record.)
 2 u32    keyid
 1 byte   pubkey algorithm
 3 byte   reserved
 1 u32    hintlist  A list of records which have references to this key. This is used for fast access to signature records which are not yet checked. Note, that this is only a hint and the actual records may not anymore hold signature records for that key but that the code cares about this.
18 byte   reserved

Record Type 10 (hash table)
--------------
Due to the fact that we use fingerprints to lookup keys, we can implement quick access by some simple hash methods, and avoid the overhead of gdbm. A property of fingerprints is that they can be used directly as hash values. (They can be considered as strong random numbers.) What we use is a dynamic multilevel architecture, which combines hashtables, record lists, and linked lists.

This record is a hashtable of 256 entries; a special property is that all these records are stored consecutively to make one big table. The hash value is simply the 1st, 2nd, ... byte of the fingerprint (depending on the indirection level).

When used to hash shadow directory records, a different table is used and indexed by the keyid.

 1 byte   value 10
 1 byte   reserved
 n u32    recnum; n depends on the record length: n = (reclen-2)/4 which yields 9 for the current record length of 40 bytes.

The total number of such records which make up the table is: m = (256+n-1) / n which is 29 for a record length of 40.

To look up a key we use the first byte of the fingerprint to get the recnum from this hashtable and look up the addressed record:

 - If this record is another hashtable, we use the 2nd byte to index this hash table and so on.
 - If this record is a hashlist, we walk all entries until we find a matching one.
 - If this record is a key record, we compare the fingerprint to decide whether it is the requested key.

Record type 11 (hash list)
--------------
See hash table for an explanation.
This is also used for other purposes.

 1 byte   value 11
 1 byte   reserved
 1 u32    next  next hash list record
 n times  n = (reclen-5)/5
   1 u32  recnum
          For the current record length of 40, n is 7

Record type 254 (free record)
---------------
All these records form a linked list of unused records.

 1 byte   value 254
 1 byte   reserved (0)
 1 u32    next_free


GNU extensions to the S2K algorithm
===================================

S2K mode 101 is used to identify these extensions. After the hash algorithm the 3 bytes "GNU" are used to make clear that these are extensions for GNU; the next byte gives the GNU protection mode - 1000. Defined modes are:

    1001 - do not store the secret part at all
    1002 - a stub to access smartcards (not used in 1.2.x)


Other Notes
===========

 * For packet version 3 we calculate the keyids this way:
     RSA     := low 64 bits of n
     ELGAMAL := build a v3 pubkey packet (with CTB 0x99) and calculate a rmd160 hash value from it. This is used as the fingerprint and the low 64 bits are the keyid.

 * Revocation certificates consist only of the signature packet; "import" knows how to handle this. The rationale behind it is to keep them small.


OIDs below the GnuPG arc:
=========================

 1.3.6.1.4.1.11591.2             GnuPG
 1.3.6.1.4.1.11591.2.1           notation
 1.3.6.1.4.1.11591.2.1.1         pkaAddress
 1.3.6.1.4.1.11591.2.12242973    invalid encoded OID


Keyserver Message Format
=========================

The keyserver may be contacted by a Unix Domain socket or via TCP.
The format of a request is:

====
command-tag
"Content-length:" digits
CRLF
=======

Where command-tag is

    NOOP
    GET
    PUT
    DELETE

The format of a response is:

======
"GNUPG/1.0" status-code status-text
"Content-length:" digits
CRLF
============

followed by bytes of data

Status codes are:

  o 1xx: Informational - Request received, continuing process
  o 2xx: Success - The action was successfully received, understood, and accepted
  o 4xx: Client Error - The request contains bad syntax or cannot be fulfilled
  o 5xx: Server Error - The server failed to fulfill an apparently valid request

Documentation on HKP (the http keyserver protocol):

A minimalistic HTTP server on port 11371 recognizes a GET for /pks/lookup. The standard http URL encoded query parameters are this (always key=value):

 - op=index (like pgp -kv), op=vindex (like pgp -kvv) and op=get (like pgp -kxa)

 - search=. This is a list of words that must occur in the key. The words are delimited with space, points, @ and so on. The delimiters are not searched for and the order of the words doesn't matter (but see next option).

 - exact=on. This switch tells the hkp server to only report exact matching keys back. In this case the order and the "delimiters" are important.

 - fingerprint=on. Also reports the fingerprints when used with 'index' or 'vindex'

The keyserver also recognizes http-POSTs to /pks/add. Use this to upload keys.

A better way to do this would be a request like:

    /pks/lookup/?op=

This can be implemented using Hurd's translator mechanism. However, I think the whole key server stuff has to be re-thought; I have some ideas and probably create a white paper.

--
Thoughts are free. Exceptions are regulated by a federal law.

From tux.tsndcb at free.fr Tue Oct 13 11:14:32 2009
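The TrustDB record layout in the DETAILS text above can be exercised with a small parser. The following is an added example, not GnuPG code: it builds a constructed trustdb image (version record, two levels of type-10 hash tables, two type-3 key records with made-up fingerprints) following exactly the 40-byte, network-byte-order layout documented there, then performs the fingerprint lookup the text describes. The text itself notes the layout later changed, so this targets only the documented version; hash-list records (type 11) are not covered.

```python
import struct

RECLEN = 40                                     # every TrustDB record is 40 bytes
HT_SLOTS = (RECLEN - 2) // 4                    # n = 9 recnums per hash-table record
HT_RECORDS = (256 + HT_SLOTS - 1) // HT_SLOTS   # m = 29 records form one 256-entry table


def version_record(marginals=3, completes=1, depth=5, first_free=0, trusthash=1):
    """Type 1 record, field order as listed in the text (timestamps left at 0)."""
    return bytes([1]) + b"gpg" + struct.pack(
        ">BBBB8I", 2, marginals, completes, depth,
        0, 0, 0, 0, 0, first_free, 0, trusthash)


def key_record(lid, fpr, algo=17, nxt=0, keyflags=0):
    """Type 3 record: LID, next, 7 reserved bytes, keyflags, algo, fpr length, fpr."""
    return struct.pack(">BBII7xBBB20s", 3, 0, lid, nxt, keyflags, algo, len(fpr), fpr)


def hash_table(slots):
    """One full type-10 table: HT_RECORDS consecutive records of HT_SLOTS recnums.
    `slots` maps an index byte (0..255) to the record number stored there."""
    out = []
    for i in range(HT_RECORDS):
        vals = [slots.get(i * HT_SLOTS + j, 0) for j in range(HT_SLOTS)]
        out.append(struct.pack(">BB9I", 10, 0, *vals).ljust(RECLEN, b"\0"))
    return b"".join(out)


def record(db, recnum):
    return db[recnum * RECLEN:(recnum + 1) * RECLEN]


def parse_version_record(rec):
    if len(rec) != RECLEN or rec[0] != 1 or rec[1:4] != b"gpg":
        raise ValueError("not a TrustDB version record")
    f = struct.unpack(">BBBB8I", rec[4:])
    return {"version": f[0], "marginals_needed": f[1], "completes_needed": f[2],
            "max_cert_depth": f[3], "first_free": f[9], "trusthashtable": f[11]}


def parse_key_record(rec):
    lid, nxt, keyflags, algo, fprlen, fpr = struct.unpack(">xxII7xBBB20s", rec)
    return {"lid": lid, "next": nxt, "keyflags": keyflags,
            "pubkey_algo": algo, "fingerprint": fpr[:fprlen]}


def lookup_key(db, fpr, table=None, level=0):
    """Walk the multilevel table: byte `level` of the fingerprint selects a slot
    of the table starting at record `table`.  The slot is 0 (absent), another
    table (descend with the next byte) or a key record (confirmed by comparing
    the full fingerprint)."""
    if table is None:
        table = parse_version_record(record(db, 0))["trusthashtable"]
    b = fpr[level]
    ht = record(db, table + b // HT_SLOTS)
    if ht[0] != 10:
        raise ValueError("expected a hash-table record")
    recnum = struct.unpack(">xx9I", ht[:38])[b % HT_SLOTS]
    if recnum == 0:
        return None
    target = record(db, recnum)
    if target[0] == 10:
        return lookup_key(db, fpr, recnum, level + 1)
    if target[0] == 3:
        key = parse_key_record(target)
        return key if key["fingerprint"] == fpr else None
    raise ValueError("record type %d not handled in this example" % target[0])


# Constructed fingerprints (not real keys).  A and B share their first byte, so
# the first-level slot for 0xAB points at a second-level table keyed by byte 2.
FPR_A = bytes.fromhex("ab01" + "11" * 18)
FPR_B = bytes.fromhex("ab02" + "22" * 18)
FPR_C = bytes.fromhex("cd03" + "33" * 18)      # not present in the sample db


def build_sample_db():
    level1 = 1                      # records 1..29: first-level table
    level2 = level1 + HT_RECORDS    # records 30..58: second-level table
    key_a = level2 + HT_RECORDS     # record 59
    key_b = key_a + 1               # record 60
    db = version_record(first_free=key_b + 1, trusthash=level1)
    db += hash_table({0xAB: level2})
    db += hash_table({0x01: key_a, 0x02: key_b})
    db += key_record(key_a, FPR_A, algo=17) + key_record(key_b, FPR_B, algo=1)
    assert len(db) == (key_b + 1) * RECLEN
    return db


if __name__ == "__main__":
    db = build_sample_db()
    print(parse_version_record(record(db, 0)))
    print(lookup_key(db, FPR_A))
    print(lookup_key(db, FPR_C))
```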
From: tux.tsndcb at free.fr (tux.tsndcb at free.fr)
Date: Tue, 13 Oct 2009 11:14:32 +0200 (CEST)
Subject: How to enable the reader's keypad
In-Reply-To: <174387797.9653941255425190454.JavaMail.root@zimbra7-e1.priv.proxad.net>
Message-ID: <1125716695.9654061255425272208.JavaMail.root@zimbra7-e1.priv.proxad.net>

Hi Werner,

I added this yesterday to the ccid-driver.c file:

    /* We need to know the vendor to do some hacks. */
    enum {
      VENDOR_CHERRY = 0x046a,
      VENDOR_SCM    = 0x04e6,
      VENDOR_OMNIKEY= 0x076b,
      VENDOR_GEMPC  = 0x08e6,
      VENDOR_KAAN   = 0x0d46,
      VENDOR_COVADIS= 0x0982
    };

and

    /* We have only tested a few readers so better don't risk anything
       and do not allow the use with other readers. */
    switch (handle->id_vendor)
      {
      case VENDOR_SCM:     /* Tested with SPR 532. */
      case VENDOR_KAAN:    /* Tested with KAAN Advanced (1.02). */
      case VENDOR_COVADIS: /* In Testing with VEGA-ALPHA. */
        break;
      case VENDOR_CHERRY:
        /* The CHERRY XX44 keyboard echoes an asterisk for each entered
           character on the keyboard channel.  We use a special variant
           of PC_to_RDR_Secure which directs these characters to the
           smart card's bulk-in channel.  We also need to append a zero
           Lc byte to the APDU.  It seems that it will be replaced with
           the actual length instead of being appended before the APDU
           is sent to the card. */
        cherry_mode = 1;
        break;
      default:
        return CCID_DRIVER_ERR_NOT_SUPPORTED;
      }

But it doesn't work; I've given more information in [issue1148]. Perhaps it is because my conf files are wrong:

gpg.conf:

    use-agent
    utf8-strings
    keyserver hkp://keys.gnupg.net

gpg-agent.conf:

    verbose
    pinentry-program /usr/bin/pinentry-gtk-2
    no-grab
    default-cache-ttl 1800

scdaemon.conf:

    verbose

and gpg-agent is invoked by

    STARTUP="$GPGAGENT --daemon --sh --write-env-file=$PID_FILE $STARTUP"

in the file /etc/X11/Xsessions.d/90gpg-agent

Thanks in advance for your confirmation.

Best Regards

----- Original Mail -----
From: "Werner Koch"
To: "tux tsndcb"
Cc: gnupg-users at gnupg.org
Sent: Tuesday 13 October 2009 10:05:31 GMT +01:00 Amsterdam / Berlin / Berne / Rome / Stockholm / Vienna
Subject: Re: How to enable the reader's keypad

On Thu, 8 Oct 2009 19:46, tux.tsndcb at free.fr said:

> On my scdaemon.conf I've not disable-keypad
> So how to do this ?

The keypad is only enabled for certain readers:

    /* We have only tested a few readers so better don't risk anything
       and do not allow the use with other readers. */
    switch (handle->id_vendor)
      {
      case VENDOR_SCM:  /* Tested with SPR 532. */
      case VENDOR_KAAN: /* Tested with KAAN Advanced (1.02). */
        break;
      case VENDOR_CHERRY:
        /* The CHERRY XX44 keyboard echoes an asterisk for each entered
           character on the keyboard channel.  We use a special variant
           of PC_to_RDR_Secure which directs these characters to the
           smart card's bulk-in channel.  We also need to append a zero
           Lc byte to the APDU.  It seems that it will be replaced with
           the actual length instead of being appended before the APDU
           is sent to the card. */
        cherry_mode = 1;
        break;
      default:
        return CCID_DRIVER_ERR_NOT_SUPPORTED;
      }

You may add your vendor id (scd/ccid-driver.c) and test it. Let me know if that works and I will add the reader.

Further we don't support them when using PC/SC. At the time I added the support PC/SC had no standard for using the keypads.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From tux.tsndcb at free.fr Tue Oct 13 19:10:32 2009
From: tux.tsndcb at free.fr (tux.tsndcb at free.fr)
Date: Tue, 13 Oct 2009 19:10:32 +0200 (CEST)
Subject: How to enable the reader's keypad
In-Reply-To: <1125716695.9654061255425272208.JavaMail.root@zimbra7-e1.priv.proxad.net>
Message-ID: <1688114904.9749291255453832155.JavaMail.root@zimbra7-e1.priv.proxad.net>

Hi Werner,

The vendor tells me that I also need this for the reader, but I don't know where to put it:

    bNumberMessage = 0x01
    bEntryValidationCondition = 0x02
    bNumberMessages = 0x03

Thanks in advance for your reply.

Best Regards

_______________________________________________
Gnupg-users mailing list
Gnupg-users at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

From CONNIE.RODRIGUEZ at childrens.com Wed Oct 14 19:55:37 2009
From: CONNIE.RODRIGUEZ at childrens.com (CONNIE RODRIGUEZ)
Date: Wed, 14 Oct 2009 12:55:37 -0500
Subject: GNUPG HELP please
Message-ID: <4AD5CA49.632C.0028.0@childrens.com>

Hello All,

I am a rookie at encrypting and ran into a brick wall when I tried to run gnupg on a different server...... I hope someone can help. I was able to successfully run gnupg on a development system but when I set up gnupg on my test system I received the following warnings and errors. Can you help me?

    + /usr/local/bin/gpg -e -r REWARD /law/test/law/test/interface/watsonwyatt/data/epay.txt
    gpg: WARNING: unsafe permissions on configuration file `/home/lawhr/.gnupg/gpg.conf'
    gpg: WARNING: unsafe enclosing directory permissions on configuration file `/home/lawhr/.gnupg/gpg.conf'
    gpg: WARNING: using insecure memory!
    gpg: please see http://www.gnupg.org/faq.html for more information
    gpg: 4D5AFE2E: There is no assurance this key belongs to the named user
    gpg: cannot open `/dev/tty': There is a request to a device or address that does not exist.

Thank you in advance for any help you can provide

Connie Rodriguez
connie.rodriguez at childrens.com

Please consider the environment before printing this e-mail.

This e-mail, facsimile, or letter and any files or attachments transmitted with it contains information that is confidential and privileged. This information is intended only for the use of the individual(s) and entity(ies) to whom it is addressed. If you are the intended recipient, further disclosures are prohibited without proper authorization. If you are not the intended recipient, any disclosure, copying, printing, or use of this information is strictly prohibited and possibly a violation of federal or state law and regulations. If you have received this information in error, please notify Children's Medical Center Dallas immediately at 214-456-4444 or via e-mail at privacy at childrens.com. Children's Medical Center Dallas and its affiliates hereby claim all applicable privileges related to this information.

From tux.tsndcb at free.fr Wed Oct 14 21:41:34 2009
From: tux.tsndcb at free.fr (tux.tsndcb at free.fr)
Date: Wed, 14 Oct 2009 21:41:34 +0200 (CEST)
Subject: How to enable the reader's keypad
In-Reply-To: <1688114904.9749291255453832155.JavaMail.root@zimbra7-e1.priv.proxad.net>
Message-ID: <1797053181.9986591255549294143.JavaMail.root@zimbra7-e1.priv.proxad.net>

Hi Werner,

Do I also need to change something in these two files:

    agent/divert-scd.c
    scd/app-dinsig.c

Is there a command line to test the reader's keypad access?

Thanks in advance for your reply.

Best Regards

From dkg at fifthhorseman.net Wed Oct 14 22:17:31 2009
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 14 Oct 2009 16:17:31 -0400
Subject: GNUPG HELP please
In-Reply-To: <4AD5CA49.632C.0028.0@childrens.com>
References: <4AD5CA49.632C.0028.0@childrens.com>
Message-ID: <4AD631DB.7040103@fifthhorseman.net>

Hi Connie--

On 10/14/2009 01:55 PM, CONNIE RODRIGUEZ wrote:
> + /usr/local/bin/gpg -e -r REWARD /law/test/law/test/interface/watsonwyatt/data/epay.txt
> gpg: WARNING: unsafe permissions on configuration file `/home/lawhr/.gnupg/gpg.conf'

This suggests that your configuration file may be readable or writable by other users. You can view the permissions on that file with:

    ls -l /home/lawhr/.gnupg/gpg.conf

You can lock it down with:

    chmod go-rwx /home/lawhr/.gnupg/gpg.conf

(note here that "go-rwx" means "remove (-) read (r), write (w), and execute (x) from group (g) and all other users (o)")

If you're not sure about the concept of filesystem permissions, it's worthwhile to think about them a bit. They'll come up fairly often on unix systems. Wikipedia has a good start:

http://en.wikipedia.org/wiki/File_system_permissions#Notation_of_traditional_Unix_permissions

> gpg: WARNING: unsafe enclosing directory permissions on configuration file `/home/lawhr/.gnupg/gpg.conf'

This is due to a directory being potentially readable or writable by other users. You can lock down the "enclosing directory" with:

    chmod go-rwx /home/lawhr/.gnupg/

> gpg: WARNING: using insecure memory!

Search for "insecure memory" in the gpg manual page (try "man gpg") for more information about this error under the BUGS section. You may either want to make gpg setuid root (if secure memory is important to you) or to tell gpg to ignore this particular error by adding the relevant option to your gpg.conf file.

> gpg: please see http://www.gnupg.org/faq.html for more information

Have you read this? It's worth reading! You might be interested in section 6.1 in particular:

http://www.gnupg.org/faq.html#q6.1

> gpg: 4D5AFE2E: There is no assurance this key belongs to the named user

This is likely because you've imported the "REWARD" key into your remote system without indicating any particular "ultimate" ownertrust. gpg does a fair amount of work to make sure that keys belong to who you think they should belong to -- it doesn't make any sense to encrypt data to a key if you aren't sure whose key it is. Presumably, there is someone who is making reasonable assertions about which keys belong to which entities, and signing those keys. You probably want to designate "ultimate" ownertrust for that certifier on your server.

For example, if you hold key DECAFBAD privately (off-server), but you use that key to sign the REWARD key, you could import the DECAFBAD public key on the server, and then (still on the server) do:

    gpg --edit-key DECAFBAD
    trust

and then choose "ultimate" ownertrust.

Make sense?

> gpg: cannot open `/dev/tty': There is a request to a device or address that does not exist.

i dunno why this is coming up; what operating system are you running this on? what version of gpg? did you build it yourself, or is it the version provided by your OS?

hth,

--dkg

From CONNIE.RODRIGUEZ at childrens.com Wed Oct 14 23:07:13 2009
From: CONNIE.RODRIGUEZ at childrens.com (CONNIE RODRIGUEZ)
Date: Wed, 14 Oct 2009 16:07:13 -0500
Subject: GNUPG HELP please
In-Reply-To: <4AD631DB.7040103@fifthhorseman.net>
References: <4AD5CA49.632C.0028.0@childrens.com> <4AD631DB.7040103@fifthhorseman.net>
Message-ID: <4AD5F731.632C.0028.0@childrens.com>

Thank you very much for the very informative information. I have locked down some of the permissions. I attempted key signing but was not successful. I received the following output:

    [lawhr at lsftest1/usr/local/bin # ./gpg --edit-key REWARD
    pub  1024D/C2126D6D  created: 2009-02-23  expires: never       usage: SC
                         trust: unknown       validity: unknown
    sub  2048g/4D5AFE2E  created: 2009-02-23  expires: never       usage: E
    [ unknown] (1). REWARD data interchange 2009

    Command> sign
    gpg: no default secret key: secret key not available

    Command>

Any help is appreciated!

Thank you,
Connie Rodriguez

From dkg at fifthhorseman.net Wed Oct 14 23:40:41 2009
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 14 Oct 2009 17:40:41 -0400
Subject: GNUPG HELP please
In-Reply-To: <4AD5F731.632C.0028.0@childrens.com>
References: <4AD5CA49.632C.0028.0@childrens.com> <4AD631DB.7040103@fifthhorseman.net> <4AD5F731.632C.0028.0@childrens.com>
Message-ID: <4AD64559.1030001@fifthhorseman.net>

Hi Connie--

I'm glad that was useful.

On 10/14/2009 05:07 PM, CONNIE RODRIGUEZ wrote:
> I attempted key signing but was not successful. I received the following output:
>
> [lawhr at lsftest1/usr/local/bin # ./gpg --edit-key REWARD
> pub  1024D/C2126D6D  created: 2009-02-23  expires: never       usage: SC
>                      trust: unknown       validity: unknown
> sub  2048g/4D5AFE2E  created: 2009-02-23  expires: never       usage: E
> [ unknown] (1). REWARD data interchange 2009
>
> Command> sign
> gpg: no default secret key: secret key not available
>
> Command>
>
> Any help is appreciated!

It sounds to me like you might be confusing validity with ownertrust. In my earlier note, i suggested that you *trust* the keyholder of some key that will certify the keys you are encrypting to. Instead, it looks to me like you've chosen to try to *sign* one of the keys you're encrypting to directly from the server.

It helps me to separate out these concepts into two ideas:

 0) who do you know (i.e. who can you identify)?
 1) who do you trust to identify others?

And since you're dealing with two different gpg installations (one on the server and one that you control elsewhere) you probably want to think about those from separate perspectives.

I don't know what you're planning to do on your server, but i'll pretend for the moment that you're working with a web application which is expected to receive information over the web, and then encrypt it to someone. I'll refer to that someone as the "encryption target". From the webapp's view, how does it know it's encrypting info to the right person?

Let's say you're the administrator of such a system, and you want the webapp to believe you when you certify that a certain key belongs to a given person. Then you (as the admin) would have your own OpenPGP key, stored off of the server (probably on your own workstation someplace). Let's assume that key is key ID 0xDECAFBAD.

You'd upload the public part of 0xDECAFBAD to the server, and import it into the webapp's keyring. After import *as the webapp user* you'd say "i trust the sysadmin to identify encryption targets" by doing:

    gpg --edit-key 0xDECAFBAD
    trust

and then designate "ultimate" ownertrust.

Then, you'd use your own key to certify the key belonging to the encryption target -- you'd "sign the target's public key" with your own key. Then you'd upload the target's public key (with your certification) to the server, and import it into the webapp's keyring.

Does this make sense? The advantage of this arrangement is that now your webapp can be used to encrypt to a variety of people -- you'll just need to sign their keys, and they can be encryption targets as well.

hope this helps,

--dkg

From Joachim.Blomberg at vr-leasing.de Thu Oct 15 04:00:37 2009
From: Joachim.Blomberg at vr-leasing.de (Joachim.Blomberg at vr-leasing.de)
Date: Thu, 15 Oct 2009 04:00:37 +0200
Subject: Joachim Blomberg/VRD/VR-GRUPPE is out of the office.
Message-ID:

I will be out of the office from 12.10.2009. I will return on 17.10.2009. I will answer your message after my return. In urgent cases I can be reached on my work mobile phone.

From CONNIE.RODRIGUEZ at childrens.com Thu Oct 15 16:20:04 2009
From: CONNIE.RODRIGUEZ at childrens.com (CONNIE RODRIGUEZ) Date: Thu, 15 Oct 2009 09:20:04 -0500 Subject: GNUPG HELP please In-Reply-To: <4AD64559.1030001@fifthhorseman.net> References: <4AD5CA49.632C.0028.0@childrens.com> <4AD631DB.7040103@fifthhorseman.net> <4AD5F731.632C.0028.0@childrens.com><4AD5F731.632C.0028.0@childrens.com> <4AD64559.1030001@fifthhorseman.net> Message-ID: <4AD6E944.632C.0028.0@childrens.com> Great!! Signed and edit key ...Works like a charm. Thank you >>> Daniel Kahn Gillmor 10/14/2009 4:40 PM >>> Hi Connie-- I'm glad that was useful. On 10/14/2009 05:07 PM, CONNIE RODRIGUEZ wrote: > I attempted key signing but was not successful. I received the following output: > > [lawhr at lsftest1/usr/local/bin # ./gpg --edit-key REWARD > pub 1024D/C2126D6D created: 2009-02-23 expires: never usage: SC > trust: unknown validity: unknown > sub 2048g/4D5AFE2E created: 2009-02-23 expires: never usage: E > [ unknown] (1). REWARD data interchange 2009 > > Command> sign > gpg: no default secret key: secret key not available > > Command> > > Any help is appreciated! It sounds to me like you might be confusing validity with ownertrust. In my earlier note, i suggested that you *trust* the keyholder of some key that will certify the keys you are encrypting to. Instead, it looks to me like you've chosen to try to *sign* one of the keys you're encrypting to directly from the server. It helps me to separate out these concepts into two ideas: 0) who do you know (i.e. who can you identify)? 1) who do you trust to identify others? And since you're dealing with two different gpg installations (one on the server and one that you control elsewhere) you probably want to think about those from separate perspectives. I don't know what you're planning to do on your server, but i'll pretend for the moment that you're working with a web application which is expected to recieve information over the web, and then encrypt it to someone. 
I'll refer to that someone as the "encryption target". from the webapp's view, how does it know it's encrypting info to the right person? let's say you're the administrator of such a system, and you want the webapp to believe you when you certify that a certain key belongs to a given person. Then you (as the admin) would have your own OpenPGP key, stored off of the server (probably on your own workstation someplace). Let's assume that key is key ID 0xDECAFBAD. You'd upload the public part of 0xDECAFBAD to the server, and import it into the webapp's keyring. After import *as the webapp user* you'd say "i trust the sysadmin to identify encryption targets" by doing: gpg --edit-key 0xDECAFBAD trust and then designate "ultimate" ownertrust. Then, you'd use your own key to certify the key belonging to the encryption target -- you'd "sign the target's public key" with your own key. Then you'd upload the target's public key (with your certification) to the server, and import it into the webapp's keyring. Does this make sense? The advantage of this arrangement is that now your webapp can be used to encrypt to a variety of people -- you'll just need to sign their keys, and they can be encryption targets as well. hope this helps, --dkg Please consider the environment before printing this e-mail. This e-mail, facsimile, or letter and any files or attachments transmitted with it contains information that is confidential and privileged. This information is intended only for the use of the individual(s) and entity(ies) to whom it is addressed. If you are the intended recipient, further disclosures are prohibited without proper authorization. If you are not the intended recipient, any disclosure, copying, printing, or use of this information is strictly prohibited and possibly a violation of federal or state law and regulations. 
If you have received this information in error, please notify Children's Medical Center Dallas immediately at 214-456-4444 or via e-mail at privacy at childrens.com. Children's Medical Center Dallas and its affiliates hereby claim all applicable privileges related to this information. From danm at prime.gushi.org Fri Oct 16 03:37:08 2009 
From: danm at prime.gushi.org (Dan Mahoney, System Admin)
Date: Thu, 15 Oct 2009 21:37:08 -0400 (EDT)
Subject: A lot of questions about CERT, PKA and make-dns-cert
Message-ID: 

All,

I'm in the process of writing a blog entry about the PKA and CERT methods. A couple people have written them a long time ago, and I'd like to bring some of the info up to date. (If this is better asked on gnupg-dev, let me know).

For starters:

1) Currently the only tool that can generate a CERT record, make-dns-cert, is not built or packaged by default under any os I've found (I've tried FreeBSD and ubuntu). It has no documentation, no examples, and only a terse 4-line usage summary. I've also seen a few bugs reported with it, that I don't know if they're fixed, such as not handling whitespace in the key fingerprint properly.

2) I realize this is a fringe feature, but other than a few scattered blog posts that reference each other, some of which are written by gnupg developers, info on these methods is HARD TO FIND. There's nothing in the docs/faq about this, at all. I think adoption would be much more widespread if this were a faq-able item. It's mentioned once in the manpage, once in the default gnupg.conf, and that's really it. If you document it, people will use it (and with thawte dropping personal freemail certs lately, this is something you want).

3) As far as I know, PKA isn't standardized in any RFC. Has this been changed? I saw mention of applying to IANA for its own typecode. Is there a list somewhere of what uri types are supported? I saw talk of it not supporting http 1.1, but that may be fixed with curl. Of the two methods, I tend to actually prefer PKA because it lets me delegate _pka.example.com to its own sub-zone, whereas CERT records must be inserted into the main zone.

4) Try though I might, I can't seem to get my full-key in CERT format to recognize. I am not sure if this is because my key is "complicated" (i.e. it has subkeys), because the cert is not under my primary uid, or because I just plain exported it wrong.

I'm running:

    echo foo | gpg -v -v --auto-key-locate cert --recipient gushi at gushi.org --encrypt -a

And get

    gpg: error retrieving `gushi at gushi.org' via DNS CERT: No fingerprint

I exported my key with:

    gpg --export --export-options minimal > file; and make-dns-cert -n gushi.gushi.org -f file

It's still live if anyone wants to try.

5) Finally, the quality of records being generated, while consistent with rfc3597, leaves them as a real bear to manage, and import. If you're going to export them in hex, could we please also get whitespace so we can get this into an editor easily? Ideally, the things would just be base64 encoded, in accordance with rfc4398.

Most versions of bind9 understand the CERT record, with base64 representation, and numeric typecodes. bind9.6 understands the PGP type value mnemonic but not IPGP. BIND 9.7 understands IPGP.

What would be really, really cool, is step by step instructions for exporting, or hell, let gpg generate these records, the way ssh-keygen generates SSHFP records.

Those are my thoughts.

-Dan

-- 
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------

From dshaw at jabberwocky.com Fri Oct 16 05:27:52 2009
From: dshaw at jabberwocky.com (David Shaw) Date: Thu, 15 Oct 2009 23:27:52 -0400 Subject: A lot of questions about CERT, PKA and make-dns-cert In-Reply-To: References: Message-ID: On Oct 15, 2009, at 9:37 PM, Dan Mahoney, System Admin wrote: > 1) Currently the only tool that can generate a CERT record, make-dns- > cert, is not built or packaged by default under any os I've found > (I've tried FreeBSD and ubuntu). It has no documentation, no > examples, and only a terse 4-line usage summary. I've also seen a > few bugs reported with it, that I don't know if they're fixed, such > as not handling whitespace in the key fingerprint properly. The whitespace issue was handled back in 2006 (one day after the program was added to GnuPG, as it happens). Possibly you saw an email from someone who was tracking the code repository in between releases. There is no version of GnuPG that was ever released with the bug. > 2) I realize this is a fringe feature, but other than a few > scattered blog posts that reference each other, some of which are > written by gnupg developers, info on these methods is HARD TO FIND. > There's nothing in the docs/faq about this, at all. I think > adoption would be much more widespread if this were a faq-able > item. It's mentioned once in the manpage, once in the default > gnupg.conf, and that's really it. If you document it, people will > use it (and with thawte dropping personal freemail certs lately, > this is something you want). Even if the documentation was better (and I agree, it is poorly documented), I don't think CERT or PKA would be a very widely used feature. The reality is that the majority of users do not have the kind of access to DNS that CERT requires. PKA is a bit better in this regard as it uses TXT records, which can at least be used by people who have some web-based DNS configuration for their domain. I don't know of many of those configuration tools that do CERT at all (we're talking text-files-and-bind usually for CERT). 
Whether TXT or CERT, though, it's a fairly high barrier for many users.

I do encourage you to document it better, and I'm willing to help explain wherever necessary, or make code changes if there is something that could be done better.

> 3) As far as I know, PKA isn't standardized in any RFC. Has this
> been changed? I saw mention of applying to IANA for its own
> typecode. Is there a list somewhere of what uri types are
> supported? I saw talk of it not supporting http 1.1, but that may
> be fixed with curl.

If you build GnuPG with curl (which is the default, assuming you have curl), then you have HTTP 1.1 support. That said, is there a particular HTTP 1.1 feature that you need here? After the PKA parsing happens, GPG is just doing a regular HTTP GET.

> 4) Try though I might, I can't seem to get my full-key in CERT
> format to recognize. I am not sure if this is because my key is
> "complicated" (i.e. it has subkeys), because the cert is not under
> my primary uid, or because I just plain exported it wrong.
>
> I'm running:
>
> echo foo | gpg -v -v --auto-key-locate cert --recipient gushi at gushi.org
> --encrypt -a
>
> And get gpg: error retrieving `gushi at gushi.org' via DNS CERT: No
> fingerprint
>
> I exported my key with:
>
> gpg --export --export-options minimal > file; and make-dns-cert -n
> gushi.gushi.org -f file

It works fine for me. What version of GPG are you using?

Incidentally, you have two different CERT records for gushi.gushi.org at the same time. You have both a fingerprint-style answer and a full-key answer. This is not a major problem (GPG won't care - it'll just take the first one that parses), but if your nameserver does some sort of round-robining, it can be confusing as to which record is the one that gets used.

> 5) Finally, the quality of records being generated, while consistent
> with rfc3597, leaves them as a real bear to manage, and import. If
> you're going to export them in hex, could we please also get
> whitespace so we can get this into an editor easily? Ideally, the
> things would just be base64 encoded, in accordance with rfc4398.
>
> Most versions of bind9 understand the CERT record, with base64
> representation, and numeric typecodes. bind9.6 understands the PGP
> type value mnemonic but not IPGP. BIND 9.7 understands IPGP.

When I wrote the code, precious few nameservers understood any of this (and none understood IPGP at all - that patch only went into BIND a few months ago). That's why the record is TYPE37 and not CERT. It's ugly, but it was the least common denominator. It has been a few years since then. Possibly it's time to upgrade.

David

From danm at prime.gushi.org Fri Oct 16 06:34:46 2009
From: danm at prime.gushi.org (Dan Mahoney, System Admin) Date: Fri, 16 Oct 2009 00:34:46 -0400 (EDT) Subject: A lot of questions about CERT, PKA and make-dns-cert In-Reply-To: References: Message-ID: On Thu, 15 Oct 2009, David Shaw wrote: David, For starters let me thank you on both the fullness and the expedience of your answer. Far too many open source projects just go "crickets" when I send out a laundry list, and I need to recognize your time. Let me also apologize in advance for my wordiness. We have quite a bit of ground to cover. > On Oct 15, 2009, at 9:37 PM, Dan Mahoney, System Admin wrote: > >> 1) Currently the only tool that can generate a CERT record, make-dns-cert, >> is not built or packaged by default under any os I've found (I've tried >> FreeBSD and ubuntu). It has no documentation, no examples, and only a >> terse 4-line usage summary. I've also seen a few bugs reported with it, >> that I don't know if they're fixed, such as not handling whitespace in the >> key fingerprint properly. I was referencing this thread: http://lists.gnupg.org/pipermail/gnupg-users/2006-April/028314.html If that's no longer the case, then no worry. I suppose if doc were more abundant I wouldn't have had to pore over old mailing list entries looking for examples :) The few examples I've seen online as to how to use this have the FP whitespace-stripped, so I assumed it was done so deliberately to work around that, and I did the same. > Whether TXT or CERT, though, it's a fairly high barrier for many users. True, and sadly, applying for a separate typecode would be an additional barrier to entry there. (SPF made TXT what it is today!) Is there a formal spec document? The most I could find was a PDF slideshow. > I do encourage you to document it better, and I'm willing to help explain > wherever necessary, or make code changes if there is something that could be > done better. Docs, I'm totally on. 
I'm trying as much as I can to link to the standards docs as well, which is why I was asking for a supported-uri-format doc. Ideally there should be something in the gpg faq, something in the manpage, and at least a small README in tools that covers all the things in there (maybe we can talk about what the rest of those do as well).

If you really feel up to making code changes:

    gpg --export --format cert-PGP danm at prime.gushi.org
    gpg --export --format cert-IPGP gushi at gushi.org [--url=http://foo]
    gpg --export --format pka foo at bar.com --url=http://foo

Some variation on the above would all be wonderful, but I don't think I'm likely to get that wish granted.

One of the tutorials I saw made reference of using pgp-clean -- what is the gnupg equivalent of this?

> If you build GnuPG with curl (which is the default, assuming you have curl),
> then you have HTTP 1.1 support. That said, is there a particular HTTP 1.1
> feature that you need here? After the PKA parsing happens, GPG is just doing
> a regular HTTP GET.

No, I'm just looking for a full list of what you can put in the uri= portion of a _pka record. I never found it enumerated. Is https supported? If so, does the system do cert validation? I've seen finger and http, but wouldn't know where in the code to try to read to figure out the full list.

I also didn't find a clear listing of what format the key should be in, although the finger "hinted" at the usual armored format. From a code end, I'd like to know for sure if either/both work.

>> 4) Try though I might, I can't seem to get my full-key in CERT format to
>> recognize.
>
> It works fine for me. What version of GPG are you using?

gpg (GnuPG) 2.0.12
libgcrypt 1.4.4

When you say it works for you, do you mean you're able to parse my key, or that you've been able to publish and retrieve your own CERT-PGP record? If I nuke things down to my single cert-ipgp record, could you try again?

> Incidentally, you have two different CERT records for gushi.gushi.org at the
> same time. You have both a fingerprint-style answer and a full-key answer.
> This is not a major problem (GPG won't care - it'll just take the first one
> that parses), but if your nameserver does some sort of round-robining, it can
> be confusing as to which record is the one that gets used.

I did that because it complained about having "no fingerprint", so I thought for a moment it needed both kinds, one with the key, and a separate one with the FP.

>> Most versions of bind9 understand the CERT record, with base64
>> representation, and numeric typecodes. bind9.6 understands the PGP type
>> value mnemonic but not IPGP. BIND 9.7 understands IPGP.

The cert is a single, long, unbroken hex string. BIND will understand it if you chuck it into an include file or paste it in with a non-wrapping editor. But it's fragile and unwieldy. If you feel like carefully counting characters, you can wrap it, as long as you hit a hex boundary. Adding a few spaces and parens would make it just work if wrapped.

And the presentation format should be base64, not binary (dnssec-signzone will convert both _pka and CERT records to this format anyway).

> When I wrote the code, precious few nameservers understood any of this (and
> none understood IPGP at all - that patch only went into BIND a few months
> ago).

Per one of the BIND developers, cert has been supported for 10 years, typeXX for 7, although you probably would have had to use numeric algo id's.

> That's why the record is TYPE37 and not CERT. It's ugly, but it was
> the least common denominator. It has been a few years since then. Possibly
> it's time to upgrade.

I think so. I'm in favor of keeping the algotype numeric, but using the CERT record, properly encoded. For most DNS folks, the \# notation is confusing: it looks like an escaped comment.
-Dan -- --------Dan Mahoney-------- Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --------------------------- From franklinhu at yahoo.com Thu Oct 15 19:36:09 2009 
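For the record format Dan and David are discussing, here is an added Python example (not GnuPG's make-dns-cert, and not code from this thread) that builds CERT RDATA for both the PGP (type 3) and IPGP (type 6) forms, prints them as the RFC 3597 TYPE37 \# presentation and as the base64 CERT presentation, parses both back with a length check, and builds the matching PKA TXT record. Key tag and algorithm are left at 0, as in make-dns-cert's output; the owner names, fingerprint, URL and key bytes are constructed, and the accepted fingerprint lengths include 32 bytes for newer key versions beyond what the 2009 thread covers.

```python
"""DNS CERT (RFC 4398) records for OpenPGP keys: build, present, parse.

Added example, not GnuPG's make-dns-cert: it emits the RFC 3597 generic
"TYPE37 \\# ..." presentation that tool prints and the base64 "CERT"
presentation Dan asks for, and parses both back. Owner names, key bytes and
fingerprints used here are constructed."""
import base64
import struct

CERT_RRTYPE = 37
PGP, IPGP = 3, 6                 # RFC 4398 certificate type values for OpenPGP
FPR_LENGTHS = (16, 20, 32)       # v3 (MD5), v4 (SHA-1), v5/v6 (SHA-256) fingerprints


def cert_rdata_pgp(key_blob: bytes) -> bytes:
    """Type 3: the whole OpenPGP transferable public key (gpg --export output).
    Key tag and algorithm are 0, as in the records make-dns-cert prints."""
    return struct.pack("!HHB", PGP, 0, 0) + key_blob


def cert_rdata_ipgp(fingerprint_hex: str, url: str = "") -> bytes:
    """Type 6: a one-byte fingerprint length, the fingerprint, then an optional
    URL to fetch the key from. Whitespace as printed by gpg is tolerated."""
    fpr = bytes.fromhex("".join(fingerprint_hex.split()))
    if len(fpr) not in FPR_LENGTHS:
        raise ValueError(f"unexpected fingerprint length {len(fpr)}")
    return struct.pack("!HHBB", IPGP, 0, 0, len(fpr)) + fpr + url.encode("ascii")


def present_generic(owner: str, rdata: bytes) -> str:
    """RFC 3597 form any nameserver loads: TYPE37 \\# <octets> <hex>, split into
    4-octet groups inside parentheses so it wraps cleanly in a zone file."""
    h = rdata.hex()
    groups = " ".join(h[i:i + 8] for i in range(0, len(h), 8))
    return f"{owner} TYPE{CERT_RRTYPE} \\# {len(rdata)} ( {groups} )"


def present_cert(owner: str, rdata: bytes, mnemonic: bool = False) -> str:
    """RFC 4398 form: CERT <type> <key tag> <algorithm> <base64 certificate>.
    The type is numeric by default; older BIND releases reject the IPGP name."""
    ctype, keytag, alg = struct.unpack("!HHB", rdata[:5])
    name = {PGP: "PGP", IPGP: "IPGP"}.get(ctype, str(ctype)) if mnemonic else str(ctype)
    return f"{owner} CERT {name} {keytag} {alg} {base64.b64encode(rdata[5:]).decode()}"


def parse_generic(text: str) -> bytes:
    """Read a TYPE37 \\# presentation back, checking the declared octet count."""
    words = text.replace("(", " ").replace(")", " ").split()
    i = words.index("\\#")
    declared = int(words[i + 1])
    rdata = bytes.fromhex("".join(words[i + 2:]))
    if len(rdata) != declared:
        raise ValueError(f"declared {declared} octets, found {len(rdata)}")
    return rdata


def parse_cert_rdata(rdata: bytes) -> dict:
    """Decode RDATA into what a resolver-side client needs: a key blob for
    PGP, or a fingerprint plus fetch URL for IPGP."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA shorter than its 5-octet header")
    ctype, keytag, alg = struct.unpack("!HHB", rdata[:5])
    body = rdata[5:]
    if ctype == PGP:
        return {"type": "PGP", "key": body}
    if ctype == IPGP:
        n = body[0] if body else 0
        if n not in FPR_LENGTHS or len(body) < 1 + n:
            raise ValueError("IPGP record carries no usable fingerprint")
        return {"type": "IPGP", "fingerprint": body[1:1 + n].hex().upper(),
                "url": body[1 + n:].decode("ascii")}
    return {"type": ctype, "data": body}


def pka_txt(local_part: str, domain: str, fingerprint_hex: str, url: str) -> tuple:
    """PKA equivalent: (owner, TXT text) for <local>._pka.<domain>, the record
    gpg --auto-key-locate pka looks up."""
    fpr = "".join(fingerprint_hex.split()).upper()
    return f"{local_part}._pka.{domain}", f"v=pka1;fpr={fpr};uri={url}"


if __name__ == "__main__":
    rd = cert_rdata_ipgp("1234 5678 9ABC DEF0 1234 5678 9ABC DEF0 1234 5678",
                         "https://example.com/key.asc")   # constructed
    print(present_generic("gushi.example.", rd))
    print(present_cert("gushi.example.", rd))
    print(parse_cert_rdata(parse_generic(present_generic("gushi.example.", rd))))
```

present_generic breaks the hex into 4-octet groups inside parentheses, which is the whitespace Dan asks for: RFC 3597 only requires each hex word to contain an even number of digits, so a zone file wrapped this way still loads. parse_cert_rdata raises on an IPGP record without a usable fingerprint, and present_cert defaults to the numeric type Dan prefers because, as he notes, BIND before 9.7 does not know the IPGP mnemonic.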
From: franklinhu at yahoo.com (Franklin Hu)
Date: Thu, 15 Oct 2009 10:36:09 -0700 (PDT)
Subject: Calling libgpgme-11.dll from Visual basic 6
Message-ID: <303699.38504.qm@web65416.mail.ac4.yahoo.com>

I have been able to find the Win32 version of the gpgme library called libgpgme-11.dll from the gpg4win package. I am trying to figure out how to call it from visual basic 6. I have first started by looking how to call C dlls from vb:

    http://support.microsoft.com/kb/106553

I want to call the gpgme_new function which takes one parameter which is a context. It is declared in the .h file (used when calling from c++) as:

    /* The context holds some global state and configuration options, as
       well as the results of a crypto operation. */
    struct gpgme_context;
    typedef struct gpgme_context *gpgme_ctx_t;

    /* Create a new context and return it in CTX. */
    gpgme_error_t gpgme_new (gpgme_ctx_t *ctx);

To start, I just tried to set it up and call it like:

    Declare Function gpgme_new Lib "libgpgme-11.dll" (ctx)

    Sub Main()
        Dim ctx
        Dim gpgme_error
        gpgme_error = gpgme_new(ctx)
    End Sub

It is able to find the dll and the reference to gpgme_new. If I put in the name of a function which doesn't exist, it complains. But it comes back with the error:

    Run-time error '49': Bad DLL calling convention

I looked up this error and found:

    http://support.microsoft.com/kb/85108

This said something about calling ByVal which I tried and that didn't do anything. Seems to me, I need to figure out just what kind of object the ctx is and specify that specific type in the declaration. The way it is declared, it just looks like a pointer, but VB doesn't have a pointer type.

I'm a beginner to this whole gpg and calling DLL thing. So I'm not even sure that it is possible to do this or if I'm just making a silly mistake in the declaration. If anyone can help out on how to call this dll, I would appreciate it.

-thanks
-------------- next part --------------
An HTML attachment was scrubbed...
URL: From wk at gnupg.org Fri Oct 16 12:05:19 2009 From: wk at gnupg.org (Werner Koch) Date: Fri, 16 Oct 2009 12:05:19 +0200 Subject: A lot of questions about CERT, PKA and make-dns-cert In-Reply-To: (David Shaw's message of "Thu, 15 Oct 2009 23:27:52 -0400") References: Message-ID: <87ws2vslgg.fsf@vigenere.g10code.de> On Fri, 16 Oct 2009 05:27, dshaw at jabberwocky.com said: > Even if the documentation was better (and I agree, it is poorly > documented), I don't think CERT or PKA would be a very widely used FWIW: At least for PKA that is my fault. I once wrote a paper for it in German and presented it at the GUUG house conference. Unfortunately I had no time to pursue the PKA idea further or to translate the paper. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From vedaal at hush.com Fri Oct 16 19:27:03 2009 From: vedaal at hush.com (vedaal at hush.com) Date: Fri, 16 Oct 2009 13:27:03 -0400 Subject: Gpg4win // Kleopatra Message-ID: <20091016172703.DDB842803F@smtp.hushmail.com> i installed gpg4win 2.0.1 on a 32 bit xp system, and everything, (so far) works fine. i have a Kleopatra question: (Kleopatra is not explained, neither in the English nor German documentation) what does kleopatra use to wipe the original, when this option is chosen during encryption, and is it configurable? (also, i always thought she had black hair, not red, and her complexion in the icon looks awfully pale ;-) ) TIA vedaal From nils.faerber at kernelconcepts.de Fri Oct 16 19:17:23 2009 
From: nils.faerber at kernelconcepts.de (Nils Faerber)
Date: Fri, 16 Oct 2009 19:17:23 +0200
Subject: Card-reader tests
Message-ID: <4AD8AAA3.9050906@kernelconcepts.de>

Hello!

Maybe it is of interest for some of you, I have tested a bunch of readers lately and here are my results. All tests were performed with GnuPG SVN head as of 14 October 2009 with an OpenPGP V2.0 card.

working with GnuPG-CCID *and* PC/SC:
- SCM SCR-335
- SCM SPR-532 (with pinpad when using GnuPG CCID, without pinpad when using PC/SC)

working only with PC/SC:
- Omnikey Cardman 4040 (PCMCIA)
- Gemalto USB Shell Token V2
- Gemalto USB PC-Twin
- Gemalto USB SL
- Gemalto PC Pinpad (keypad and LCD not supported)
- Gemalto PC Card

untested but quite likely to work:
- Gemalto PC Express Card

not working with either GnuPG CCID or PC/SC:
- Omnikey CardMan 3121
- Omnikey CardMan 3021
- Omnikey CardMan 3621
- Omnikey CardMan 6121

Interesting is that though Gemalto claims that their USB readers are CCID compliant none of them works with the GnuPG CCID. What might be the reason? Since I happen to have access to all of them, could I potentially fix this?

Cheers
  nils
-- 
kernel concepts GbR            Tel: +49-271-771091-12
Sieghuetter Hauptweg 48        Fax: +49-271-771091-19
D-57072 Siegen                 Mob: +49-176-21024535
http://www.kernelconcepts.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: OpenPGP digital signature
URL: 

From fejj at novell.com Sat Oct 17 00:21:25 2009
From: fejj at novell.com (Jeffrey Stedfast)
Date: Fri, 16 Oct 2009 18:21:25 -0400
Subject: Creating self-signed S/MIME certificates
Message-ID: <4AD8F1E5.1000201@novell.com>

I'm working on implementing S/MIME support in my GMime library and need to create a set of keys for some unit tests. Is there any way I can create some self-signed S/MIME certificates with gpgsm?

Thanks,

Jeff

From tux.tsndcb at free.fr Sat Oct 17 00:46:21 2009
From: tux.tsndcb at free.fr (tux.tsndcb at free.fr)
Date: Sat, 17 Oct 2009 00:46:21 +0200 (CEST)
Subject: APDU for CKECKPIN and MODIFY PIN for Smartcard GnuPG V2 ?
In-Reply-To: <246801469.10344491255732430182.JavaMail.root@zimbra7-e1.priv.proxad.net>
Message-ID: <756269494.10344821255733181525.JavaMail.root@zimbra7-e1.priv.proxad.net>

Hi,

I've done some tests to validate my reader's pinpad with my smartcard GnuPG V2.

I've put this to CHECKPIN :

    /* PC/SC v2.02.05 Part 10 PIN verification data structure */
    pin_verify -> bTimerOut = 0x00;
    pin_verify -> bTimerOut2 = 0x00;
    pin_verify -> bmFormatString = 0x82;
    pin_verify -> bmPINBlockString = 0x00;
    pin_verify -> bmPINLengthFormat = 0x00;
    pin_verify -> wPINMaxExtraDigit = HOST_TO_CCID_16(0x0408); /* Min Max */
    pin_verify -> bEntryValidationCondition = 0x02; /* validation key pressed */
    pin_verify -> bNumberMessage = 0x01;
    pin_verify -> wLangId = HOST_TO_CCID_16(0x0904);
    pin_verify -> bMsgIndex = 0x00;
    pin_verify -> bTeoPrologue[0] = 0x00;
    pin_verify -> bTeoPrologue[1] = 0x00;
    pin_verify -> bTeoPrologue[2] = 0x00;
    /* pin_verify -> ulDataLength = 0x00; we don't know the size yet */

    /* APDU: 00 20 00 82 06 31 32 33 34 35 36 00 00 smartcard GnuPG V2 */
    offset = 0;
    pin_verify -> abData[offset++] = 0x00; /* CLA */
    pin_verify -> abData[offset++] = 0x20; /* INS: VERIFY */
    pin_verify -> abData[offset++] = 0x00; /* P1 */
    pin_verify -> abData[offset++] = 0x82; /* P2 */
    pin_verify -> abData[offset++] = 0x06; /* Lc: 8 data bytes */
    pin_verify -> abData[offset++] = 0x31; /* '1' */
    pin_verify -> abData[offset++] = 0x32; /* '2' */
    pin_verify -> abData[offset++] = 0x33; /* '3' */
    pin_verify -> abData[offset++] = 0x34; /* '4' */
    pin_verify -> abData[offset++] = 0x35; /* '5' */
    pin_verify -> abData[offset++] = 0x36; /* '6' */
    pin_verify -> abData[offset++] = 0x00; /* '\0' */
    pin_verify -> abData[offset++] = 0x00; /* '\0' */
    pin_verify -> ulDataLength = HOST_TO_CCID_32(offset); /* APDU size */

But I've this answer :

    Reader: Covadis Vega (000000F5) 00 00 (length 30 bytes)
    State: 0x190034
    Prot: 0
    ATR (length 21 bytes): 3B DA 18 FF 81 B1 FE 75 1F 03 00 31 C5 73 C0 01 40 00 90 00 0C
    SCardStatus: OK
    Protocol: 2
    SCardReconnect: OK
    Secure verify PIN command: 00 00 82 00 00 08 04 02 01 04 09 00 00 00 00 0D 00 00 00 00 20 00 82 06 31 32 33 34 35 36 00 00
    Enter your PIN:
    card response: 67 00
    SCardControl: OK
    verify PIN dump: 00 40 00 00 FF
    card response: 6D 00
    SCardTransmit: OK

So if I understand : I've a problem with a Wrong length (Lc and/or Le) and with the Instruction (INS) not supported

And for MODIFY PIN, I've put this :

    /* PC/SC v2.02.05 Part 10 PIN modification data structure */
    pin_modify -> bTimerOut = 0x00;
    pin_modify -> bTimerOut2 = 0x00;
    pin_modify -> bmFormatString = 0x82;
    pin_modify -> bmPINBlockString = 0x04;
    pin_modify -> bmPINLengthFormat = 0x00;
    pin_modify -> bInsertionOffsetOld = 0x00; /* offset from APDU start */
    pin_modify -> bInsertionOffsetNew = 0x04; /* offset from APDU start */
    pin_modify -> wPINMaxExtraDigit = HOST_TO_CCID_16(0x0408); /* Min Max */
    pin_modify -> bConfirmPIN = 0x03; /* b0 set = confirmation requested */
                                      /* b1 set = current PIN entry requested */
    pin_modify -> bEntryValidationCondition = 0x02; /* validation key pressed */
    pin_modify -> bNumberMessage = 0x03; /* see table above */
    pin_modify -> wLangId = HOST_TO_CCID_16(0x0904);
    pin_modify -> bMsgIndex1 = 0x00;
    pin_modify -> bMsgIndex2 = 0x00;
    pin_modify -> bMsgIndex3 = 0x00;
    pin_modify -> bTeoPrologue[0] = 0x00;
    pin_modify -> bTeoPrologue[1] = 0x00;
    pin_modify -> bTeoPrologue[2] = 0x00;
    /* pin_modify -> ulDataLength = 0x00; we don't know the size yet */

    /* APDU: 00 24 00 81 0C 31 32 33 34 35 36 00 00 smartcard GnuPG V2 */
    offset = 0;
    pin_modify -> abData[offset++] = 0x00; /* CLA */
    pin_modify -> abData[offset++] = 0x24; /* INS: CHANGE/UNBLOCK */
    pin_modify -> abData[offset++] = 0x00; /* P1 */
    pin_modify -> abData[offset++] = 0x81; /* P2 */
    pin_modify -> abData[offset++] = 0x0C; /* Lc: 2x8 data bytes */
    pin_modify -> abData[offset++] = 0x31; /* '1' old PIN */
    pin_modify -> abData[offset++] = 0x32; /* '2' */
    pin_modify -> abData[offset++] = 0x33; /* '3' */
    pin_modify -> abData[offset++] = 0x34; /* '4' */
    pin_modify -> abData[offset++] = 0x35; /* '5' new PIN */
    pin_modify -> abData[offset++] = 0x36; /* '6' */
    pin_modify -> abData[offset++] = 0x00; /* '\0' */
    pin_modify -> abData[offset++] = 0x00; /* '\0' */
    pin_modify -> ulDataLength = HOST_TO_CCID_32(offset); /* APDU size */

but I've this answer :

    Secure modify PIN command: 00 00 82 04 00 00 04 08 04 03 02 03 04 09 00 00 00 00 00 00 0D 00 00 00 00 24 00 81 0C 31 32 33 34 35 36 00 00
    Enter your PIN:
    card response: 67 00
    SCardControl: OK
    modify PIN dump: 00 40 00 00 FF
    card response: 6D 00
    SCardTransmit: OK
    SCardDisconnect: OK

So if I understand : I've also a problem with a Wrong length (Lc and/or Le) and with the Instruction (INS) not supported

Could you give me the good APDU in this two case ?

Thanks in advance.

Best Regards.

From fejj at novell.com Fri Oct 16 23:58:15 2009
From: fejj at novell.com (Jeffrey Stedfast)
Date: Fri, 16 Oct 2009 17:58:15 -0400
Subject: Creating self-signed S/MIME certificate
Message-ID: <4AD8EC77.7010501@novell.com>

I'm working on implementing S/MIME support in my GMime library and need to create a set of keys for some unit tests. Is there any way I can create some self-signed S/MIME certificates with gpgsm?

Thanks,

Jeff

From wk at gnupg.org Sat Oct 17 20:33:23 2009
From: wk at gnupg.org (Werner Koch)
Date: Sat, 17 Oct 2009 20:33:23 +0200
Subject: Creating self-signed S/MIME certificate
In-Reply-To: <4AD8EC77.7010501@novell.com> (Jeffrey Stedfast's message of "Fri, 16 Oct 2009 17:58:15 -0400")
References: <4AD8EC77.7010501@novell.com>
Message-ID: <87ljj9rhu4.fsf@vigenere.g10code.de>

On Fri, 16 Oct 2009 23:58, fejj at novell.com said:

> I'm working on implementing S/MIME support in my GMime library and need
> to create a set of keys for some unit tests. Is there any way I can
> create some self-signed S/MIME certificates with gpgsm?

Sorry, no. You need to use some CA software for that. I wish I would have the time to write the code to generate at least self-signed certificates.

I use tinyca for setting up test PKIs.

Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.

From tux.tsndcb at free.fr Mon Oct 19 14:33:27 2009
From: tux.tsndcb at free.fr (tux.tsndcb at free.fr)
Date: Mon, 19 Oct 2009 14:33:27 +0200 (CEST)
Subject: Smartcard GnuPG V2 and CHECKPIn with keypad (pin code conversion) ?
In-Reply-To: <34236407.10627721255955602202.JavaMail.root@zimbra7-e1.priv.proxad.net>
Message-ID: <987226440.10627761255955607468.JavaMail.root@zimbra7-e1.priv.proxad.net>

Hi All,

I'm testing my reader's pinpad with my GnuPG smartcard V2 for VERIFY PIN function by scardcontrol tools, but I don't know how the PIN code is read by the smartcard :

- PIN uses a binary format conversion
- PIN uses a shift rotation format conversion
- PIN uses a BCD format conversion with PIN length insertion
- PIN uses BCD, right justification and a control field
- PIN uses an ASCII format conversion with padding

Is there anybody who has tested the GnuPG smartcard with its reader's keypad by scardcontrol ?

Thanks in advance for your answer.

Best Regards

From tux.tsndcb at free.fr Mon Oct 19 15:29:36 2009
From: tux.tsndcb at free.fr (tux.tsndcb at free.fr)
Date: Mon, 19 Oct 2009 15:29:36 +0200 (CEST)
Subject: Smartcard GnuPG V2 and CHECKPIn with keypad (pin code conversion) ?
In-Reply-To: <987226440.10627761255955607468.JavaMail.root@zimbra7-e1.priv.proxad.net>
Message-ID: <1533316550.10639961255958976112.JavaMail.root@zimbra7-e1.priv.proxad.net>

Hi All,

I answer to myself, in fact it's PIN uses an ASCII format conversion with padding

Best Regards

----- Original Mail -----
From: "tux tsndcb"
To: gnupg-users at gnupg.org
Sent: Monday 19 October 2009 14:33:27 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: Smartcard GnuPG V2 and CHECKPIn with keypad (pin code conversion) ?

Hi All,

I'm testing my reader's pinpad with my GnuPG smartcard V2 for VERIFY PIN function by scardcontrol tools, but I don't know how the PIN code is read by the smartcard :

- PIN uses a binary format conversion
- PIN uses a shift rotation format conversion
- PIN uses a BCD format conversion with PIN length insertion
- PIN uses BCD, right justification and a control field
- PIN uses an ASCII format conversion with padding

Is there anybody who has tested the GnuPG smartcard with its reader's keypad by scardcontrol ?

Thanks in advance for your answer.

Best Regards
_______________________________________________
Gnupg-users mailing list
Gnupg-users at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

From tux.tsndcb at free.fr Mon Oct 19 20:55:37 2009
From: tux.tsndcb at free.fr (tux.tsndcb at free.fr)
Date: Mon, 19 Oct 2009 20:55:37 +0200 (CEST)
Subject: tools to test reader's keypad with GnuPG smartcard V2 ?
In-Reply-To: <1225754549.10702271255978440806.JavaMail.root@zimbra7-e1.priv.proxad.net>
Message-ID: <991461084.10702611255978537729.JavaMail.root@zimbra7-e1.priv.proxad.net>

Hello Werner,

Could you tell me if you have a debug tool to test a reader's keypad with a GnuPG smartcard V2? Or could you please explain how you did your tests and validated the reader's keypad with a GnuPG smartcard V2?

Thanks in advance for your answer.

Best Regards

From david.savage at paremus.com Tue Oct 20 16:41:46 2009
From: david.savage at paremus.com (David Savage)
Date: Tue, 20 Oct 2009 15:41:46 +0100
Subject: gpg-agent "unknown value for WHAT"
Message-ID:

Hi there,

I'm attempting to generate a 4096bit RSA key using gnupg 2.0.12 and gpg-agent 2.0.11 but I'm getting an error message prior to entering the passphrase:

"gpg: problem with the agent: Not supported"

Having done a little digging I decided to enable --debug-all to see if this would shed any light on the problem - unfortunately the error message means very little on first inspection - hence this mail.

"gpg-agent[66760.6] DBG: -> ERR 67109144 parameter conflict - unknown value for WHAT"

I've included the full session output below with certain fields XXXXX'd out...

_Environment_info_
Mac OS X 10.5.8
gnupg2 installed via darwin ports

_Non_standard_entries_in_"~/.gnupg/gpg.conf"_
personal-digest-preferences SHA512
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

Any help or suggestions of where to look further appreciated.

Regards,

Dave

Session output...

bash-3.2$ gpg-agent --daemon --debug-all /bin/bash
gpg-agent[66759]: NOTE: no default option file `/Users/XXXXXXXX/.gnupg/gpg-agent.conf'
gpg-agent[66759]: listening on socket `/tmp/XXXXXXXXXXXX/S.gpg-agent'
bash-3.2$ gpg2 --gen-key
gpg (GnuPG) 2.0.12; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for?
(0)
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: XXXXXXXXX
Email address: XXXXXXXXXX
Comment: CODE SIGNING KEY
You selected this USER-ID:
    "XXXXXXX (CODE SIGNING KEY) "

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

gpg-agent[66760]: handler 0x302780 for fd 6 started
gpg-agent[66760.6] DBG: -> OK Pleased to meet you
gpg-agent[66760.6] DBG: <- RESET
gpg-agent[66760.6] DBG: -> OK
gpg-agent[66760.6] DBG: <- OPTION display=/tmp/launch-JBTxKt/:0
gpg-agent[66760.6] DBG: -> OK
gpg-agent[66760.6] DBG: <- OPTION ttyname=/dev/ttys002
gpg-agent[66760.6] DBG: -> OK
gpg-agent[66760.6] DBG: <- OPTION ttytype=xterm
gpg-agent[66760.6] DBG: -> OK
gpg-agent[66760.6] DBG: <- OPTION lc-ctype=en_GB.UTF-8
gpg-agent[66760.6] DBG: -> OK
gpg-agent[66760.6] DBG: <- OPTION lc-messages=en_GB.UTF-8
gpg-agent[66760.6] DBG: -> OK
gpg-agent[66760.6] DBG: <- OPTION allow-pinentry-notify
gpg-agent[66760.6] DBG: -> OK
gpg-agent[66760.6] DBG: <- GETINFO cmd_has_option GET_PASSPHRASE repeat
gpg-agent[66760.6] DBG: -> ERR 67109144 parameter conflict - unknown value for WHAT
gpg: problem with the agent: Not supported
gpg: Key generation canceled.

From wk at gnupg.org Tue Oct 20 19:31:32 2009
From: wk at gnupg.org (Werner Koch)
Date: Tue, 20 Oct 2009 19:31:32 +0200
Subject: gpg-agent "unknown value for WHAT"
In-Reply-To: (David Savage's message of "Tue, 20 Oct 2009 15:41:46 +0100")
References:
Message-ID: <87skde55vv.fsf@vigenere.g10code.de>

On Tue, 20 Oct 2009 16:41, david.savage at paremus.com said:

> I'm attempting to generate a 4096bit RSA key using gnupg 2.0.12 and
> gpg-agent 2.0.11 but I'm getting an error message prior to entering

That does not work. You have to update gpg-agent. The conflict is an attempt to minimize such dependencies in the future.

Shalom-Salam,

Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.

From shavital at mac.com Tue Oct 20 18:52:12 2009
From: shavital at mac.com (Charly Avital)
Date: Tue, 20 Oct 2009 12:52:12 -0400
Subject: gpg-agent "unknown value for WHAT"
In-Reply-To:
References:
Message-ID: <4ADDEABC.6020709@mac.com>

David Savage wrote the following on 10/20/09 10:41 AM:
> Hi there,
>
> I'm attempting to generate a 4096bit RSA key using gnupg 2.0.12 and
> gpg-agent 2.0.11 but I'm getting an error message prior to entering
> the passphrase:
>
> "gpg: problem with the agent: Not supported"

Hi David,

IMO, the problem resides with your installation of gnupg2 via Darwin Ports. Darwin Ports installs a version of pinentry (required for gpg-agent to function) that is not compatible with MacOSX.

If you want to install a functioning gnupg2 for MacOSX, with a Mac native pinentry.app, you might want to try MacGPG2 2.0.12, which can be downloaded from:

> Having done a little digging I decided to enable --debug-all to see if
> this would shed any light on the problem - unfortunately the error
> message means very little on first inspection - hence this mail.
>
> "gpg-agent[66760.6] DBG: -> ERR 67109144 parameter conflict - unknown
> value for WHAT"
>
> I've included the full session output below with certain fields XXXXX'd out...
>
> _Environment_info_
> Mac OS X 10.5.8
> gnupg2 installed via darwin ports

That should be the problem.

>
> _Non_standard_entries_in_"~/.gnupg/gpg.conf"_
> personal-digest-preferences SHA512
> cert-digest-algo SHA512
> default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES
> CAST5 ZLIB BZIP2 ZIP Uncompressed
>
> Any help or suggestions of where to look further appreciated.

Please see above.

[...]
> gpg: problem with the agent: Not supported

Ditto, Darwin Ports does not install gpg-agent with the required pinentry that will function under MacOSX.

Charly

MacOSX 10.6.1 32bits MacBook5,1 - Gnupg 1.4.10 - MacGPG2 2.0.12 - Running Enigmail version 0.97a (20091019-2108), with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.4pre) Gecko/20090915 Thunderbird/3.0b4

From david.savage at paremus.com Tue Oct 20 20:04:14 2009
From: david.savage at paremus.com (David Savage)
Date: Tue, 20 Oct 2009 19:04:14 +0100
Subject: gpg-agent "unknown value for WHAT"
In-Reply-To: <87skde55vv.fsf@vigenere.g10code.de>
References: <87skde55vv.fsf@vigenere.g10code.de>
Message-ID:

Firstly, thx for the quick replies.

I'm in the process of updating gpg using the urls Charly forwarded in the previous email - I guess I could try to just update the gpg-agent in use on my machine from that release then stick with the mac port version of gpg? Just one less variable to tidy up?

Sounds like a patch is needed to mac ports in any case. I'll try pinging a mail over there and see if there's any chance they can update.

Regards,

Dave

On Tue, Oct 20, 2009 at 6:31 PM, Werner Koch wrote:
> On Tue, 20 Oct 2009 16:41, david.savage at paremus.com said:
>
>> I'm attempting to generate a 4096bit RSA key using gnupg 2.0.12 and
>> gpg-agent 2.0.11 but I'm getting an error message prior to entering
>
> That does not work. You have to update gpg-agent. The conflict is an
> attempt to minimize such dependencies in the future.
>
>
> Shalom-Salam,
>
> Werner
>
> --
> Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.
>
>

From shavital at mac.com Tue Oct 20 22:15:02 2009
From: shavital at mac.com (Charly Avital)
Date: Tue, 20 Oct 2009 16:15:02 -0400
Subject: gpg-agent "unknown value for WHAT"
In-Reply-To:
References: <87skde55vv.fsf@vigenere.g10code.de>
Message-ID: <4ADE1A46.8000501@mac.com>

David Savage wrote the following on 10/20/09 2:04 PM:
> I'm in the process of updating gpg using the urls Charly forwarded in
> the previous email - I guess I could try to just update the gpg-agent
> in use on my machine from that release then stick with the mac port
> version of gpg? Just one less variable to tidy up?

I don't remember whether using the MacGPG2 2.0.12 installer will simply overwrite your Darwin Ports installation. If it does, you will have a working MacGPG2 2.0.12, complete with gpg-agent and Mac native pinentry.app. If it doesn't, you might still have some problems with the remnants of the previous install.

>
> Sounds like a patch is needed to mac ports in any case.

Yes.

>
> I'll try pinging a mail over there and see if there's any chance they
> can update.

Wish you luck.

Charly

From danm at prime.gushi.org Wed Oct 21 04:55:03 2009
From: danm at prime.gushi.org (Dan Mahoney, System Admin)
Date: Tue, 20 Oct 2009 22:55:03 -0400 (EDT)
Subject: A lot of questions about CERT, PKA and make-dns-cert
In-Reply-To:
References:
Message-ID:

On Thu, 15 Oct 2009, David Shaw wrote:

> On Oct 15, 2009, at 9:37 PM, Dan Mahoney, System Admin wrote:
>> I'm running:
>>
>> echo foo | gpg -v -v --auto-key-locate cert --recipient gushi at gushi.org
>> --encrypt -a
>>
>> And get gpg: error retrieving `gushi at gushi.org' via DNS CERT: No
>> fingerprint
>>
>> I exported my key with:
>>
>> gpg --export --export-options minimal > file; and make-dns-cert -n
>> gushi.gushi.org -f file
>
> It works fine for me. What version of GPG are you using?

I tried this again, after I nuked the "fingerprint" cert record.

Oddly, running on gpg2 on an older debian system, I get:

# echo "foo" | gpg2 -v -v --auto-key-locate cert --encrypt -r gushi at gushi.org
gpg: no keyserver known (use option --keyserver)
gpg: error retrieving `gushi at gushi.org' via DNS CERT: General error
gpg: gushi at gushi.org: skipped: General error
gpg: [stdin]: encryption failed: General error

That first line specifically makes me scratch my head a bit. (The gpg manpage also appears to be a bit corrupted on this system).

On my bsd system, I get what you see at http://www.gushi.org/gpg.txt. It retrieves the key, but complains of "no fingerprint", however it actually DOES import the key, so it works a second time.

If you require a shell to play with this, let me know and I'll provide one. With the demise of thawte's free cert offering, I'd really like to do what I can to increase awareness of this stuff.

On my ubuntu desktop, it works fine.

I suspect strongly that this feature doesn't get the most broad platform testing. Let me know if you'd like to help.
-Dan

--
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------

From dshaw at jabberwocky.com Wed Oct 21 06:17:06 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed, 21 Oct 2009 00:17:06 -0400
Subject: A lot of questions about CERT, PKA and make-dns-cert
In-Reply-To:
References:
Message-ID:

On Oct 20, 2009, at 10:55 PM, Dan Mahoney, System Admin wrote:

> On Thu, 15 Oct 2009, David Shaw wrote:
>
>> On Oct 15, 2009, at 9:37 PM, Dan Mahoney, System Admin wrote:
>>> I'm running:
>>> echo foo | gpg -v -v --auto-key-locate cert --recipient gushi at gushi.org
>>> --encrypt -a
>>> And get gpg: error retrieving `gushi at gushi.org' via DNS CERT: No
>>> fingerprint
>>> I exported my key with:
>>> gpg --export --export-options minimal > file; and make-dns-cert -n
>>> gushi.gushi.org -f file
>>
>> It works fine for me. What version of GPG are you using?
>
> I tried this again, after I nuked the "fingerprint" cert record.
>
> Oddly, running on gpg2 on an older debian system, I get:
>
> # echo "foo" | gpg2 -v -v --auto-key-locate cert --encrypt -r gushi at gushi.org
> gpg: no keyserver known (use option --keyserver)
> gpg: error retrieving `gushi at gushi.org' via DNS CERT: General error
> gpg: gushi at gushi.org: skipped: General error
> gpg: [stdin]: encryption failed: General error
>
> That first line specifically makes me scratch my head a bit.

You didn't give an actual version number (run gpg2 --version), so I can only make an educated guess, but I do think I see your problem. You don't have one key in your CERT - you have two (309C17C5 and 624BB249) combined into one DNS record. That doesn't work - it's a one-name-one-key mapping. We should give a better error message in this case.

Can you try again with a single key in your CERT? Alternately, if you want both of your keys, you could use 2 different CERT records for the gushi.gushi.org. name, each with one of your keys (rather than 1 CERT record with a payload containing two keys). Note that this will usually result in round-robining for those people who don't have your key, which may or may not be what you want.
At least using gpg 2.0.13, and a single key in the CERT, this works properly for me. I can't speak for an earlier version.

All of that said, I think it's worth pointing out that IPGP (the fingerprint+URL variation of CERT) is far more useful than PGP (the full key). Not all systems are going to be able to pass a 1718-byte DNS message, as yours is.

> I suspect strongly that this feature doesn't get the most broad
> platform testing. Let me know if you'd like to help.

Please do! More testing is always welcome.

David

From danm at prime.gushi.org Wed Oct 21 09:34:34 2009
From: danm at prime.gushi.org (Dan Mahoney, System Admin)
Date: Wed, 21 Oct 2009 03:34:34 -0400 (EDT)
Subject: A lot of questions about CERT, PKA and make-dns-cert
In-Reply-To:
References:
Message-ID:

On Wed, 21 Oct 2009, David Shaw wrote:

> On Oct 20, 2009, at 10:55 PM, Dan Mahoney, System Admin wrote:
>
>> On Thu, 15 Oct 2009, David Shaw wrote:
>>
>>> On Oct 15, 2009, at 9:37 PM, Dan Mahoney, System Admin wrote:
>>>> I'm running:
>>>> echo foo | gpg -v -v --auto-key-locate cert --recipient gushi at gushi.org
>>>> --encrypt -a
>>>> And get gpg: error retrieving `gushi at gushi.org' via DNS CERT: No
>>>> fingerprint
>>>> I exported my key with:
>>>> gpg --export --export-options minimal > file; and make-dns-cert -n
>>>> gushi.gushi.org -f file
>>>
>>> It works fine for me. What version of GPG are you using?
>>
>> I tried this again, after I nuked the "fingerprint" cert record.
>>
>> Oddly, running on gpg2 on an older debian system, I get:
>>
>> # echo "foo" | gpg2 -v -v --auto-key-locate cert --encrypt -r
>> gushi at gushi.org
>> gpg: no keyserver known (use option --keyserver)
>> gpg: error retrieving `gushi at gushi.org' via DNS CERT: General error
>> gpg: gushi at gushi.org: skipped: General error
>> gpg: [stdin]: encryption failed: General error
>>
>> That first line specifically makes me scratch my head a bit.
>
> You didn't give an actual version number (run gpg2 --version), so I can only
> make an educated guess, but I do think I see your problem. You don't have
> one key in your CERT - you have two (309C17C5 and 624BB249) combined into one
> DNS record. That doesn't work - it's a one-name-one-key mapping. We should
> give a better error message in this case.
>
> Can you try again with a single key in your CERT? Alternately, if you want
> both of your keys, you could use 2 different CERT records for the
> gushi.gushi.org. name, each with one of your keys (rather than 1 CERT record
> with a payload containing two keys).
> Note that this will usually result in
> round-robining for those people who don't have your key, which may or may not
> be what you want.

For the benefit of people who may search this later, what's the best set of args to extract the key with? Neither export-clean nor export-minimal seems to be what I want. In effect what I want is only the most recent signature from each other key, so some hybrid of export-clean and export-minimal?

> At least using gpg 2.0.13, and a single key in the CERT, this works properly
> for me. I can't speak for an earlier version.
>
> All of that said, I think it's worth pointing out that IPGP (the
> fingerprint+URL variation of CERT) is far more useful that PGP (the full
> key). Not all systems are going to be able to pass a 1718-byte DNS message,
> as yours is.

As DNSSEC becomes more widely adopted, as EDNS0 and TCPDNS become more the norm, this is less of an issue. IPGP is also little more than a standards-based version of HKP, which I'm also publishing.

If I've uncommented the line in options.skel (present in some distros, not others), the order will be:

#auto-key-locate cert pka ldap hkp://subkeys.pgp.net

(one of my other pet peeves is that gpg hangs up on unknown options, instead of falling to the next, so if I haven't compiled with LDAP support that whole line will break things. Is this worth filing a bug?)

Anyway, if we assume most people just say "yeah sounds good" and uncomment the option, pka is a chance to get info out if CERT fails. Why would I duplicate the same info? If I've published an IPGP cert, and it fails to validate, the same info in PKA won't fare any better.
Since there's no way to reliably publish both forms of CERT and have the client able to request one or the other (or parse all records until we find one that works, instead of the first it gets), the PGP variant actually gets the key out there in a case where the URL is unretrievable (for example, behind a firewall where outbound finger is blocked, or in a case where we're compiled without curl support, but hitting a host that requires HTTP 1.1). Put another way, with PGP, all the info you need is in the DNS packets. With IPGP, you have another step to chase down.

Only parsing one CERT response also prevents one from putting in multiple keys with the same key retrievable via multiple URIs, i.e. one finger, one http, etc. (On a related note, I can't specify multiple keyservers to search on the command line or in my config file, which is also annoying, is this worth filing a bug?).

Is the way a CERT record is parsed (i.e. only parsing the first one) governed by an RFC? Or considering the likely little use this is getting, do you feel it's too late in the game to change the way multiple records would be handled?

This is also why I asked for a list of what uri formats are supported, and it would help me to know which of those are retrievable by default with no external libs. Given an HTTPS-capable webserver where I also control vhost order, if I only have one URI-format to publish, what's my best chance to have this support the most clients? Hell, can one put an hkp:// uri in that URL field?

>> I suspect strongly that this feature doesn't get the most broad platform
>> testing. Let me know if you'd like to help.
>
> Please do! More testing is always welcome.
>
> David

--
"No mowore webooting!!!"
-Paul, 10-16-99, 10 PM

--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------

From danm at prime.gushi.org Wed Oct 21 11:44:55 2009
From: danm at prime.gushi.org (Dan Mahoney, System Admin)
Date: Wed, 21 Oct 2009 05:44:55 -0400 (EDT)
Subject: A lot of questions about CERT, PKA and make-dns-cert
In-Reply-To:
References:
Message-ID:

On Wed, 21 Oct 2009, David Shaw wrote:

> You didn't give an actual version number (run gpg2 --version), so I can only
> make an educated guess, but I do think I see your problem. You don't have
> one key in your CERT - you have two (309C17C5 and 624BB249) combined into one
> DNS record. That doesn't work - it's a one-name-one-key mapping. We should
> give a better error message in this case.

Aah, yes, there we go. Now it seems to work on all my systems. For some reason I assumed --export would just pick one key to match on, just as --delete-keys does. Note there's still a secondary key, hence my confusion.

So far, the commands for a PGP CERT are:

gpg --list-keys gushi at gushi.org (read, get key id)
gpg2 --export --export-options export-clean > keyid.pub.bin
-or-
gpg2 --export --export-options export-minimal > keyid.pub.bin
make-dns-cert -k keyid.pub.bin -n gushi.gushi.org. > keyid.dnscert

The commands for an IPGP cert are:

gpg --list-keys you at you.com
Choose your keyid from the above.
gpg2 --export --armor keyid > keyid.pub.asc
copy the ascii file somewhere where it's url accessible.
Manually copy/paste your fingerprint into the next command:
make-dns-cert -n gushi.gushi.org. -u url format (which?) -f fingerprint >keyid.dnscert

Then, publish one (and only one) CERT record in dns per-label. In my case this also means signing the zone and all that.

Finally, for an _PKA record, it involves manually:

user at domain.com becomes user._pka.domain.com.

Get your keyid as above.

1) Export to a uri as for IPGP cert, above (presumably, it can be the same uri).

Strip your fingerprint like so:

2) gpg --fingerprint keyid | grep "Key fingerprint" | cut -d "=" -f 2 | sed 's/ *//g'

The format of the text record is simple:

you._pka.domain.com.
IN TXT "v=pka1;fpr=[#1];uri=[#2]"

Where the values are substituted from the steps above. Publish this in DNS.

Test using: dig you._pka.domain.com TXT, see if you get a result.

Test with a GPG client that doesn't otherwise have the key:

echo "foo" | gpg --auto-key-locate pka --armor --encrypt -r you at domain.com

and see if you get an output.

So here's the laundry list:

0) Do the above look mostly-right?
1) What are the best options for exporting certs for a CERT record? For a uri-styled record? (i.e. which signatures do you want to include?)
2) Do either the pka or the IPGP standards require the key to be in binary/ascii format?
3) What's the "sanctioned" list of uri formats? Where is it defined for CERT? For PKA?
4) As I'm not a c-coder, how difficult would it be to have the make-dns-cert output in base64 instead of binary?
5) How solid is the output of --fingerprint? Is it likely to change between versions, or are the grep and sed listed likely to work most places?
6) How difficult would it be to get the cert-export functions right into gpg?
7) How difficult would it be to get make-dns-cert built-by-default?
8) (asked previously) Is it worth filing a bug on not being able to specify multiple keyservers for auto-key-locate?
9) (also previously) Is it worth filing a bug to not have auto-key-locate vomit on unsupported methods?

With the answers to the above, I'll write up a nice howto doc including the prereqs for all the above, the DNS requirements, and the like.

-Dan

--
"It's three o'clock in the morning. It's too late for 'oops'. After Locate Updates, don't even go there."
-Paul Baecker January 3, 2k Indeed, sometime after 3AM

--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------

From josselin.jacquard at gmail.com Thu Oct 22 09:02:12 2009
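The record formats the CERT/PKA thread above walks through, as an added example that is not part of any message in the thread: it builds the PKA TXT record (v=pka1;fpr=...;uri=...) and RFC 4398 CERT RDATA of the PGP (type 3) and IPGP (type 6) kinds, and checks a PGP CERT for the one-name-one-key rule David Shaw describes and for the classic 512-byte UDP limit behind his 1718-byte remark. All function names, the synthetic OpenPGP packets and the sample fingerprint, e-mail and URL are constructed for the example.

```python
"""Added example, not code from any message in the thread: PKA TXT record
and RFC 4398 CERT RDATA (PGP type 3, IPGP type 6) builder/checker.
All names and sample values are constructed for the example."""
import re
import struct

CERT_PGP = 3     # RFC 4398: full OpenPGP key carried in the record
CERT_IPGP = 6    # RFC 4398: fingerprint plus URL where the key can be fetched
UDP_LIMIT = 512  # classic DNS UDP message limit without EDNS0
FPR_RE = re.compile(r"^[0-9A-F]{40}$")   # 20-byte OpenPGP v4 fingerprint, hex

def pka_record(email, fpr, uri):
    """user@domain becomes user._pka.domain; TXT data is v=pka1;fpr=...;uri=..."""
    user, domain = email.split("@", 1)
    fpr = fpr.replace(" ", "").upper()   # accept the spaced --fingerprint form
    if not FPR_RE.match(fpr):
        raise ValueError("fingerprint must be 40 hex digits")
    return f"{user}._pka.{domain}.", f"v=pka1;fpr={fpr};uri={uri}"

def parse_pka(txt):
    """Split a pka1 TXT string into its fields and validate the fingerprint."""
    fields = dict(p.split("=", 1) for p in txt.split(";") if "=" in p)
    if fields.get("v") != "pka1" or not FPR_RE.match(fields.get("fpr", "")):
        raise ValueError("not a valid pka1 record")
    return fields

def cert_rdata_ipgp(fpr, url):
    """CERT RDATA: type, key tag, algorithm (both 0 for the PGP types), then
    one length octet, the fingerprint bytes, and the URL."""
    raw = bytes.fromhex(fpr.replace(" ", ""))
    return struct.pack("!HHB", CERT_IPGP, 0, 0) + bytes([len(raw)]) + raw + url.encode()

def cert_rdata_pgp(keyblob):
    """CERT RDATA of type PGP: header followed by the binary transferable key."""
    return struct.pack("!HHB", CERT_PGP, 0, 0) + keyblob

def parse_cert_rdata(rdata):
    ctype, _keytag, _alg = struct.unpack("!HHB", rdata[:5])
    body = rdata[5:]
    if ctype == CERT_IPGP:
        n = body[0]
        return {"type": "IPGP", "fpr": body[1:1 + n].hex().upper(),
                "url": body[1 + n:].decode()}
    if ctype == CERT_PGP:
        return {"type": "PGP", "key": body}
    return {"type": ctype}

def openpgp_packets(blob):
    """Yield (tag, body) for each OpenPGP packet with a definite length."""
    i = 0
    while i < len(blob):
        ctb = blob[i]
        if not ctb & 0x80:
            raise ValueError("bad packet header")
        if ctb & 0x40:                       # new-format header
            tag, o1 = ctb & 0x3F, blob[i + 1]
            if o1 < 192:
                length, hdr = o1, 2
            elif o1 < 224:
                length, hdr = ((o1 - 192) << 8) + blob[i + 2] + 192, 3
            elif o1 == 255:
                length, hdr = struct.unpack("!I", blob[i + 2:i + 6])[0], 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 3
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            length, hdr = int.from_bytes(blob[i + 1:i + 1 + size], "big"), 1 + size
        yield tag, blob[i + hdr:i + hdr + length]
        i += hdr + length

def count_primary_keys(blob):
    """Tag 6 is a primary public key; tag 14 (subkey) does not count."""
    return sum(1 for tag, _ in openpgp_packets(blob) if tag == 6)

def check_cert(rdata):
    """Problems to fix before publishing: a PGP CERT must hold exactly one
    key, and a large record will not fit a classic 512-byte UDP answer."""
    problems = []
    rec = parse_cert_rdata(rdata)
    if rec["type"] == "PGP":
        n = count_primary_keys(rec["key"])
        if n != 1:
            problems.append(f"PGP CERT must carry exactly one key, found {n}")
        if len(rdata) > UDP_LIMIT:
            problems.append(f"{len(rdata)}-byte record exceeds {UDP_LIMIT} bytes; prefer IPGP")
    return problems

def old_packet(tag, body):
    """Constructed helper: old-format header with a two-octet length."""
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack("!H", len(body)) + body

# Constructed sample blobs: dummy packet bodies, not real key material.
ONE_KEY = old_packet(6, b"\x04" + b"\x00" * 20) + old_packet(14, b"\x04" + b"\x00" * 20)
TWO_KEYS = ONE_KEY + old_packet(6, b"\x04" + b"\x11" * 20)   # the mistake in the thread
BIG_KEY = old_packet(6, b"\x04" + b"\x00" * 600)             # too big for plain UDP
```

Running `check_cert(cert_rdata_pgp(TWO_KEYS))` reports the two-keys-in-one-record condition the thread diagnosed, while the same call on `ONE_KEY` returns no problems.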
From: josselin.jacquard at gmail.com (Josselin Jacquard)
Date: Thu, 22 Oct 2009 09:02:12 +0200
Subject: gpgme error no data for op_verify
In-Reply-To: <8fc486710910211352s7100465dtcc9ce2b49449d945@mail.gmail.com>
References: <8fc486710910211352s7100465dtcc9ce2b49449d945@mail.gmail.com>
Message-ID: <8fc486710910220002h157c9933h130b93a0d5b8eff1@mail.gmail.com>

Hi,

I've got a bug and I can't find the solution. I'm calling gpgme_op_verify with a non-empty signature and a non-empty plain text, but gpgme returns a no data error.

When debugging, it looks like _gpgme_op_data_lookup returns this error (called by _gpgme_op_verify_init_result).

Lines 48-49 throw the error:

data = calloc (1, sizeof (struct ctx_op_data) + size);
if (!data)

data is initialized by

*data = ctx->op_data

It looks like data is always a null pointer during my debugging.

Thanks in advance,

Joss

From alejandro.erickson at gmail.com Sun Oct 18 20:37:49 2009
From: alejandro.erickson at gmail.com (Alejandro Erickson)
Date: Sun, 18 Oct 2009 11:37:49 -0700
Subject: verification/installation
Message-ID: <73FC0973-1061-4D42-BEC5-2C8739532101@gmail.com>

Hi,

I'm a little confused about the verification/installation process.

I have gpg 1.4.7 which came with Mac OS X - assume I trust it. I want to verify and install gpg 2. I download gnupg-2.0.13.tar.bz2 and gnupg-2.0.13.tar.bz2.sig and run

$ gpg --verify gnupg-2.0.13.tar.bz2.sig

but it tells me public key not found. I checked on the gnupg website and found the username associated with 1CE0C630 (the public key for the signature on gpg 2). I can get gpg to list this public key with

$ gpg --search-keys dd9jn at gnu.org

but I can't seem to find a command to import it or to search the keyserver when verifying. I can find the key online and copy/paste into a file and import the key to gpg but I imagine this is automated.

Cheers,

Alejandro

From rjh at sixdemonbag.org Thu Oct 22 16:42:17 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 22 Oct 2009 10:42:17 -0400
Subject: verification/installation
In-Reply-To: <73FC0973-1061-4D42-BEC5-2C8739532101@gmail.com>
References: <73FC0973-1061-4D42-BEC5-2C8739532101@gmail.com>
Message-ID: <4AE06F49.7060001@sixdemonbag.org>

Alejandro Erickson wrote:
> I have gpg 1.4.7 which came with Mac OS X - assume I trust it.

Perhaps you shouldn't; GnuPG is not part of OS X.

> but it tells me public key not found. I checked on the gnupg website
> and found the username associated with 1CE0C630 (the public key for the
> signature on gpg 2). I can get gpg to list this public key with
> $ gpg --search-keys dd9jn at gnu.org

gpg --keyserver x-hkp://pool.sks-keyservers.net --recv-key 1CE0C630

This has been tested on OS X 10.6.1.

From dshaw at jabberwocky.com Thu Oct 22 16:52:37 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 22 Oct 2009 10:52:37 -0400
Subject: verification/installation
In-Reply-To: <73FC0973-1061-4D42-BEC5-2C8739532101@gmail.com>
References: <73FC0973-1061-4D42-BEC5-2C8739532101@gmail.com>
Message-ID: <51B68F9B-221C-4CC4-91B9-6776FB9B9350@jabberwocky.com>

On Oct 18, 2009, at 2:37 PM, Alejandro Erickson wrote:

> Hi,
> I'm a little confused about the verification/installation process.
>
> I have gpg 1.4.7 which came with Mac OS X - assume I trust it. I
> want to verify and install gpg 2. I download gnupg-2.0.13.tar.bz2
> and gnupg-2.0.13.tar.bz2.sig and run

GPG (any version) does not come with OSX. If it is present there, someone other than Apple installed it.

> $ gpg --verify gnupg-2.0.13.tar.bz2.sig
> but it tells me public key not found. I checked on the gnupg
> website and found the username associated with 1CE0C630 (the public
> key for the signature on gpg 2). I can get gpg to list this public
> key with
> $ gpg --search-keys dd9jn at gnu.org
> but I can't seem to find a command to import it or to search the
> keyserver when verifying. I can find the key online and copy/paste
> into a file and import the key to gpg but I imagine this is automated.

If you see results when you do a --search-keys, just enter the number in parentheses, next to the key. GPG will use the same keyserver to retrieve and import the key.

David

From shavital at mac.com Thu Oct 22 17:39:20 2009
From: shavital at mac.com (Charly Avital)
Date: Thu, 22 Oct 2009 11:39:20 -0400
Subject: verification/installation
In-Reply-To: <73FC0973-1061-4D42-BEC5-2C8739532101@gmail.com>
References: <73FC0973-1061-4D42-BEC5-2C8739532101@gmail.com>
Message-ID: <4AE07CA8.3080305@mac.com>

Alejandro Erickson wrote the following on 10/18/09 2:37 PM:
> Hi,
> I'm a little confused about the verification/installation process.
>
> I have gpg 1.4.7 which came with Mac OS X - assume I trust it.

Hi Alejandro,

I am a little confused by your assertion that "gpg 1.4.7 came with Mac OS X". GnuPG software is not included in any way in the MacOS X releases. One has to actually download the software and either compile it, or download a binary installer, and install it.

> I want
> to verify and install gpg 2. I download gnupg-2.0.13.tar.bz2 and
> gnupg-2.0.13.tar.bz2.sig and run
> $ gpg --verify gnupg-2.0.13.tar.bz2.sig
> but it tells me public key not found.

Not found in your public keyring, or not found at all?

In my Terminal:

$ gpg --verify gnupg-2.0.13.tar.bz2.sig gnupg-2.0.13.tar.bz2
gpg: Signature made Fri Sep 4 12:35:03 2009 EDT using RSA key ID 1CE0C630
gpg: Good signature from "Werner Koch (dist sig) "

> I checked on the gnupg website
> and found the username associated with 1CE0C630 (the public key for
> the signature on gpg 2). I can get gpg to list this public key with
> $ gpg --search-keys dd9jn at gnu.org
> but I can't seem to find a command to import it or to search the
> keyserver when verifying. I can find the key online and copy/paste
> into a file and import the key to gpg but I imagine this is automated.

When the key you are searching for, with the command search-key and not recv-key, is found on a keyserver (following your CLI in Terminal), the Terminal output will display the key information and offer the option to import it. Once you have imported it into your public keyring, you will be able to verify the signature.
When using the command recv-key, the key (if found on the keyserver you are using) will be automatically downloaded and imported into your public keyring.

By the way, if you intend to compile gnupg-2.0.13 in MacOSX, you will not, I'm afraid, succeed in having a working gpg2 2.0.13 unless you also download and install the libraries required by gpg2. Even then, the resulting installation will not "work" because you need to install gpg-agent and pinentry that are compatible with the MacOSX environment.

A binary installer for MacGPG2 2.0.12 is available for download from the MacGPG2 project at . I believe a similar installer for MacGPG2 2.0.13 is in the making by Ben Donnachie, manager and maintainer of the project. MacGPG2 is a project separate from MacGPG.

Best regards,

Charly
0xA57A8EFA

MacOSX 10.6.1 32bits MacBook5,1 - Gnupg 1.4.10 - MacGPG2 2.0.12 - Running Enigmail version 0.97a (20091021-0809)

From josselin.jacquard at gmail.com Fri Oct 23 10:55:50 2009
From: josselin.jacquard at gmail.com (Josselin Jacquard)
Date: Fri, 23 Oct 2009 10:55:50 +0200
Subject: gpgme error no data for op_verify
In-Reply-To: <8fc486710910220002h157c9933h130b93a0d5b8eff1@mail.gmail.com>
References: <8fc486710910211352s7100465dtcc9ce2b49449d945@mail.gmail.com> <8fc486710910220002h157c9933h130b93a0d5b8eff1@mail.gmail.com>
Message-ID: <8fc486710910230155r79d0590ag3ae51207c7cb52c0@mail.gmail.com>

I've been working on my problem, and the data allocation seems solved. (Or maybe it never appeared and I misjudged the debug info.)

Now it's the gpg engine which throws a no data error.

I've got this gpgme debug output; can someone gather information from it (I myself don't understand it quite well)?

For information, before this op_verify call, my program is making calls for keys and web of trust management without problems.

Thx in advance.

_gpgme_io_pipe (filedes=0xa2a632c): enter: inherit_idx=1 (GPGME uses it for reading)
_gpgme_io_pipe (filedes=0xa2a632c): leave: read=0x6, write=0x7
_gpgme_io_set_close_notify (fd=0x6): enter: close_handler=0xb7e7722c/0xa2a6318
_gpgme_io_set_close_notify (fd=0x6): leave: result=0
_gpgme_io_set_close_notify (fd=0x7): enter: close_handler=0xb7e7722c/0xa2a6318
_gpgme_io_set_close_notify (fd=0x7): leave: result=0
_gpgme_io_pipe (filedes=0xbfd2e1c8): enter: inherit_idx=0 (GPGME uses it for writing)
_gpgme_io_pipe (filedes=0xbfd2e1c8): leave: read=0x8, write=0x9
_gpgme_io_set_close_notify (fd=0x8): enter: close_handler=0xb7e7722c/0xa2a6318
_gpgme_io_set_close_notify (fd=0x8): leave: result=0
_gpgme_io_set_close_notify (fd=0x9): enter: close_handler=0xb7e7722c/0xa2a6318
_gpgme_io_set_close_notify (fd=0x9): leave: result=0
_gpgme_io_pipe (filedes=0xbfd2e1c8): enter: inherit_idx=0 (GPGME uses it for writing)
_gpgme_io_pipe (filedes=0xbfd2e1c8): leave: read=0xb, write=0xc
_gpgme_io_set_close_notify (fd=0xb): enter: close_handler=0xb7e7722c/0xa2a6318
_gpgme_io_set_close_notify (fd=0xb): leave: result=0
_gpgme_io_set_close_notify
(fd=0xc): enter: close_handler=0xb7e7722c/0xa2a6318 _gpgme_io_set_close_notify (fd=0xc): leave: result=0 _gpgme_io_spawn (path=0xa286c30): enter: path=/usr/bin/gpg _gpgme_io_spawn (path=0xa286c30): check: argv[ 0] = gpg _gpgme_io_spawn (path=0xa286c30): check: argv[ 1] = --enable-special-filenames _gpgme_io_spawn (path=0xa286c30): check: argv[ 2] = --use-agent _gpgme_io_spawn (path=0xa286c30): check: argv[ 3] = --batch _gpgme_io_spawn (path=0xa286c30): check: argv[ 4] = --no-sk-comment _gpgme_io_spawn (path=0xa286c30): check: argv[ 5] = --lc-messages _gpgme_io_spawn (path=0xa286c30): check: argv[ 6] = fr_FR.UTF-8 _gpgme_io_spawn (path=0xa286c30): check: argv[ 7] = --lc-ctype _gpgme_io_spawn (path=0xa286c30): check: argv[ 8] = fr_FR.UTF-8 _gpgme_io_spawn (path=0xa286c30): check: argv[ 9] = --status-fd _gpgme_io_spawn (path=0xa286c30): check: argv[10] = 7 _gpgme_io_spawn (path=0xa286c30): check: argv[11] = --no-tty _gpgme_io_spawn (path=0xa286c30): check: argv[12] = --charset _gpgme_io_spawn (path=0xa286c30): check: argv[13] = utf8 _gpgme_io_spawn (path=0xa286c30): check: argv[14] = --enable-progress-filter _gpgme_io_spawn (path=0xa286c30): check: argv[15] = --display _gpgme_io_spawn (path=0xa286c30): check: argv[16] = :0.0 _gpgme_io_spawn (path=0xa286c30): check: argv[17] = --verify _gpgme_io_spawn (path=0xa286c30): check: argv[18] = -- _gpgme_io_spawn (path=0xa286c30): check: argv[19] = -&8 _gpgme_io_spawn (path=0xa286c30): check: argv[20] = -&11 _gpgme_io_spawn (path=0xa286c30): check: fd[0] = 0x7 _gpgme_io_spawn (path=0xa286c30): check: fd[1] = 0x8 _gpgme_io_spawn (path=0xa286c30): check: fd[2] = 0xb gpgme:max_fds (((void *)0)=0x0): call: max fds=1024 (RLIMIT_NOFILE) _gpgme_io_spawn (path=0xa286c30): check: waiting for child process pid=22801 _gpgme_io_close (fd=0x7): enter _gpgme_io_close (fd=0x7): check: invoking close handler 0xb7e7722c/0xa2a6318 _gpgme_io_close (fd=0x7): leave: result=0 _gpgme_io_close (fd=0x8): enter _gpgme_io_close (fd=0x8): check: invoking 
close handler 0xb7e7722c/0xa2a6318 _gpgme_io_close (fd=0x8): leave: result=0 _gpgme_io_close (fd=0xb): enter _gpgme_io_close (fd=0xb): check: invoking close handler 0xb7e7722c/0xa2a6318 _gpgme_io_close (fd=0xb): leave: result=0 _gpgme_io_spawn (path=0xa286c30): leave: result=0 _gpgme_add_io_cb (ctx=0xa285d48): call: fd 6, dir=1 -> tag=0xa286c20 _gpgme_add_io_cb (ctx=0xa285d48): call: fd 9, dir=0 -> tag=0xa2a6400 _gpgme_io_set_nonblocking (fd=0x9): enter _gpgme_io_set_nonblocking (fd=0x9): leave: result=0 _gpgme_add_io_cb (ctx=0xa285d48): call: fd 12, dir=0 -> tag=0xa2a6428 _gpgme_io_set_nonblocking (fd=0xc): enter _gpgme_io_set_nonblocking (fd=0xc): leave: result=0 gpgme:gpg_io_event (gpg=0xa2a6318): call: event 0xb7e6bb9c, type 0, type_data (nil) 2009/10/22 Josselin Jacquard > Hi, > I've got a bug and I can't find the solution. > > I'm calling gpgme_op_verify with a non empty signature and a non empty > plain text, but the gpgme returns a no data error. > > It looks like when debugging that the _gpgme_op_data_lookup return this > error (called by _gpgme_op_verify_init_result) > > The line 48 - 49 throws the error : > > data = calloc (1, sizeof (struct ctx_op_data) + size); > > if (!data) > > > data is initialized by > *data = ctx->op_data > > It looks like data is always null pointer during my debugs. > > > Thanks in advance, > > > Joss > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From ph at sevencs.com Fri Oct 23 12:45:08 2009 
From: ph at sevencs.com (Knud Pehrs) Date: Fri, 23 Oct 2009 12:45:08 +0200 Subject: verify signature between two files Message-ID: <35932AA3CBC336449141A46A9F0FAF3D248CA9@BARNEY.sevencs.net> Hello! I am developing an application that needs to verify the signature between two files. One File (*.asc) contains the PGP PUBLIC KEY, the other one contains the PGP SIGNATURE (*.asc or *.sig). I have downloaded, installed and built libgpg-error1.7, libgcrypt-1.4.4, gnupg-1.4.10 and gpg_MadeEasy_1.1.8. I have included the libpgpme-11.dll in my c++ project in MS Visual Studio 2005. My question is: Is there a method in the libpgpme-11.dll (or perhaps in any other dll) that I can call in my source code and give the method two parameters which contain the path of the two files and which can verify the signature between the two files? For example:

// verify signature between PUBLIC_KEY file and PGP SIGNATURE file
verify_Signature( path of PUBLIC_KEY file, path of PGP SIGNATURE file );

Please let me know if there is a method as described above and where I can find it (if possible with a little example). If there is no such method available, please can you give me some information on how I can solve this issue and where I can get more information about the described problem. Many thanks and best regards knud Knud Pehrs Software-Development SevenCs GmbH Ruhrstrasse 90, D-22761 Hamburg Tel. +49-(0)40 851 72 40 Fax. +49-(0)40 851 72 479 www.sevencs.com Handelsregister: Amtsgericht Hamburg HRB 102941 Geschäftsführer: John Humphrey From dafidof123456789 at hotmail.com Sat Oct 24 00:38:59 2009
From: dafidof123456789 at hotmail.com (sari Al-alem) Date: Fri, 23 Oct 2009 22:38:59 +0000 Subject: A Couple of Questions... Message-ID: Hi.... I don't know if this is the right place but I'm new to this encryption software and I would like to ask some questions: 1- does GPG have to be installed on all users who will receive my mail? 2- does it have to be installed on the mail server? Thanks in advance. From jmoore3rd at bellsouth.net Sun Oct 25 13:20:00 2009
From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Sun, 25 Oct 2009 08:20:00 -0400 Subject: A Couple of Questions... In-Reply-To: References: Message-ID: <4AE44270.5080805@bellsouth.net> sari Al-alem wrote: > I don't know if this is the right place but I'm new to this encryption > software and I would like to ask some questions: > 1- does GPG have to be installed on all users who will receive my mail? Short Answer = Yes. Long Answer = every Recipient will require an OpenPGP Application of some variety. GnuPG is the superior one, IMHO. PGP is also used by many but is available only for Windows. > 2- does it have to be installed on the mail server? No. Of course every Rule has its exception and My understanding is that at present, use of OpenPGP on the RIM Blackberry Smartphone does require PGP to be installed on the Blackberry Email PUSH Server. HTH JOHN ;) Timestamp: Sunday 25 Oct 2009, 08:19 --400 (Eastern Daylight Time) -- http://tinyurl.com/6hztec From rjh at sixdemonbag.org Sun Oct 25 16:19:10 2009
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sun, 25 Oct 2009 11:19:10 -0400 Subject: A Couple of Questions... In-Reply-To: References: Message-ID: <4AE46C6E.2070308@sixdemonbag.org> sari Al-alem wrote: > 1- does GPG have to be installed on all users who will receive my > mail? No: only those users who want to be able to verify your signatures, or who want you to be able to send them encrypted email. > 2- does it have to be installed on the mail server? No. From dshaw at jabberwocky.com Sun Oct 25 16:31:18 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Sun, 25 Oct 2009 11:31:18 -0400 Subject: A Couple of Questions... In-Reply-To: References: Message-ID: <81D26D57-318C-4AA6-9C70-B184F91E526A@jabberwocky.com> On Oct 23, 2009, at 6:38 PM, sari Al-alem wrote: > Hi.... > > I don't know if this is the right place but I'm new to this encryption > software and I would like to ask some questions: > 1- does GPG have to be installed on all users who will receive my > mail? > 2- does it have to be installed on the mail server? It depends. In common use #1 is "yes", and #2 is "no". However, there are some setups where you would install it on the mail server so the server can decrypt your mail / verify signatures and then provide the mail, unencrypted, to you. This is useful for dealing with mail programs that can't or don't handle OpenPGP encrypted mail (for example, most cell phones). This does change the security situation to some extent, of course, since your mail server will contain an unencrypted copy of the mail. A good way to look at this is the thing that does the decrypting/verifying needs GPG. If that thing is your local machines, then your local machines need GPG. If that thing is the mail server, then your mail server needs GPG. David From josselin.jacquard at gmail.com Mon Oct 26 00:36:53 2009
From: josselin.jacquard at gmail.com (Josselin Jacquard) Date: Mon, 26 Oct 2009 00:36:53 +0100 Subject: gpgme error no data for op_verify In-Reply-To: <8fc486710910230155r79d0590ag3ae51207c7cb52c0@mail.gmail.com> References: <8fc486710910211352s7100465dtcc9ce2b49449d945@mail.gmail.com> <8fc486710910220002h157c9933h130b93a0d5b8eff1@mail.gmail.com> <8fc486710910230155r79d0590ag3ae51207c7cb52c0@mail.gmail.com> Message-ID: <8fc486710910251636y1410fb7br1e3c33b60dffe0ec@mail.gmail.com> Ok I found that the gpgme engine is set to gpg for my system. I set it explicitly to gpg2 and now it's working using

gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP, "/usr/bin/gpg2", NULL))

Should this work on Mac too? Does someone know how to change the gpgme lib to use gpg2 by default on my system (archlinux)? Bye 2009/10/23 Josselin Jacquard > I've been working on my problem, and the data allocation seems solved. (Or maybe > it never appeared and I misjudged the debug info) > > Now it's the gpg engine which throws a no data error. I've got this gpgme > debug output, can someone gather information from it (I myself don't > understand it quite well). > > For information, before this op_verify call, my program is making calls for > keys and web of trust management without problems. > > Thx in advance.
From listac at nebelschwaden.de Tue Oct 27 10:49:22 2009
From: listac at nebelschwaden.de (listac at nebelschwaden.de) Date: Tue, 27 Oct 2009 10:49:22 +0100 Subject: gnupg and smartcard -> recovery issues Message-ID: Hello, I am currently struggling with smartcard and gnupg. The basic stuff works, but where it gets interesting the howtos I've found end and I am not able to figure out how to do it correctly:

Scenario 1: I have created a key on the disk (ordinary way, without card) and now decide that I want to use the card instead. And only the card. So I issue an --edit-key and toggle && keytocard. I remove the card and try to decrypt a file. Decrypting still works without a card being inserted and the password instead of the PIN. Ok, not what I intended, but somewhat comprehensible, as the key is still on drive. No problem, so I completely remove the .gnupg folder, do a --list-key for it to be recreated, insert the card and try to decrypt the file. Gnupg complains about "no valid OpenPGP Data found" (translated from german). Even though the key is visible with --card-status. Now, what is really most important to me and what I would like to know: What to do / how to use the card on a virgin system?

Scenario 2: Virgin System again, I create the key on the card with the backup key written to disk. Now I have some cryptical_name.gpg file. However, someday, that's all I have left. I've lost the card, I've lost the .gnupg folder and all my backup tapes. All I have is the cryptical_name.gpg on some rescued USB stick. Just, how do I get this key back on my card please?

#gpg --import sk_13510880590EE2D4.gpg
gpg: key 590EE2D4: no user ID
gpg: Total number processed: 1
gpg: secret keys read: 1

#gpg --allow-secret-key-import sk_13510880590EE2D4.gpg
sec 1024R/590EE2D4 2009-10-27

#gpg --allow-secret-key-import --import sk_13510880590EE2D4.gpg
gpg: key 590EE2D4: no user ID
gpg: Total number processed: 1
gpg: secret keys read: 1

But: gpg --list[-secret-key] never shows anything.
This behaviour is true for gnupg1.4x on linux as well as the latest gpg4win, using gnupg2.0.12. I haven't managed to find any linux distribution so far where gnupg2 is working with my card or reader. But that'll be another post. Card is the kernelconcepts gnupg card v2.0. Reader a Dell Keyboard reader. Last question: Is there any way to copy the key on the card to the drive? Or do a backup after generation? Thanks to anyone who took time to read and tries to help. From wk at gnupg.org Wed Oct 28 19:35:21 2009
From: wk at gnupg.org (Werner Koch) Date: Wed, 28 Oct 2009 19:35:21 +0100 Subject: gnupg and smartcard -> recovery issues In-Reply-To: (listac@nebelschwaden.de's message of "Tue, 27 Oct 2009 10:49:22 +0100") References: Message-ID: <87d447z7rq.fsf@vigenere.g10code.de> On Tue, 27 Oct 2009 10:49, listac at nebelschwaden.de said:

> Scenario 1:
> I remove the card and try to decrypt a file. Decrypting still works
> without a card being inserted and the password instead of the PIN. Ok,

That is because you copied the key to the card and the on-disk key is still available. Use

gpg --delete-secret-key KEYID

to remove the secret parts of the key. Then run

gpg --card-status

so that gpg can create a "secret key stub" which is required to manage the card. Note that the card only stores the real parts of the key but not the OpenPGP key info: the certificate/keyblob (i.e. user IDs and self-signatures). That is for size reasons. The upshot is that you need to save the public parts of the key somewhere - the card references them using the fingerprint which is stored on the card.

> it to be recreated, insert the card and try to decrypt the file. Gnupg
> complains about "no valid OpenPGP Data found" (translated from german).

Run

LANG=C gpg xxxx

to get English messages.

> Now, what is really most important to me and what I would like to know:
> What to do / how to use the card on a virgin system?

Import the public key and run "gpg --card-status" once. The URL field of the card along with the --edit-card "fetch" command are pretty useful here.

> Scenario 2:
> Virgin System again, I create the key on the card with the backup key
> written to disk. Now I have some cryptical_name.gpg file.
> All I have is the cryptical_name.gpg on some rescued USB stick. Just, how
> do I get this key back on my card please?

Import the public key and run

gpg --edit-key KEYID

then enter the command "bkuptocard".

> Last question:
> Is there any way to copy the key on the card to the drive? Or do a
> backup after generation?

The whole point of using a smartcard is that this is not possible.

Shalom-Salam, Werner -- Thoughts are free. Exceptions are regulated by a federal law. From danm at prime.gushi.org Thu Oct 29 06:52:48 2009 From: danm at prime.gushi.org (Dan Mahoney, System Admin) Date: Thu, 29 Oct 2009 01:52:48 -0400 (EDT) Subject: Howto For DNS Key publishing. Message-ID: All, I've written a pretty conclusive howto on how to publish keys in DNS, including detailing the advantages and disadvantages of each method, with full examples, details on testing, and real-world output. I've also re-implemented make-dns-cert as a shell script, so that it's more easily available to people who don't have the source, but who installed via a binary package (that's most people), including comments, cleaner record handling, auto-fingerprinting, etc. One command, three arguments, and you get all three record types. I cited credit where possible, but if I missed your name, let me know. Suggestions, feedback, requests, corrections, are all welcome. Initial publishing is to my livejournal, but I'm planning to wrap the whole thing to my webpage during a revamp. http://gushi.livejournal.com/524199.html Regards, -Dan Mahoney -- --------Dan Mahoney-------- Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --------------------------- From David.Gray at turpin-distribution.com Thu Oct 29 12:25:30 2009
From: David.Gray at turpin-distribution.com (David Gray) Date: Thu, 29 Oct 2009 11:25:30 -0000 Subject: can't connect to `C:/Program Files/GNU/GnuPG//S.gpg-agent' Message-ID: <33CE89420E3A834A82E48C2C747A706102923A54@HERMES.turpin-bg.local> Hi, Has anyone got any idea how to resolve the following error:

can't connect to `C:/Program Files/GNU/GnuPG//S.gpg-agent'

I get this error when issuing the following command

gpg --passphrase-fd 0 --batch --output out.dat --decrypt in.pgp

This worked fine until a few days ago but now it won't work at all. There's nothing wrong with the file because it decrypts fine without the passphrase-fd argument. Setup is Windows XP Pro and PGP is...

C:\Program Files\GNU\GnuPG\Work>gpg --version
gpg (GnuPG) 2.0.12 (Gpg4win 2.0.0)
libgcrypt 1.4.4
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: C:/Program Files/GNU/GnuPG/
Supported algorithms:
Pubkey: RSA, ELG, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Regards Dave From ciprian.craciun at gmail.com Thu Oct 29 12:42:37 2009
From: ciprian.craciun at gmail.com (Ciprian Dorin, Craciun) Date: Thu, 29 Oct 2009 13:42:37 +0200 Subject: Howto For DNS Key publishing. In-Reply-To: References: Message-ID: <8e04b5820910290442j200eb60au6da019640a9df906@mail.gmail.com> On Thu, Oct 29, 2009 at 7:52 AM, Dan Mahoney, System Admin wrote: > All, > > I've written a pretty conclusive howto on how to publish keys in DNS, > including detailing the advantages and disadvantages of each method, with > full examples, details on testing, and real-world output. > > I've also re-implemented make-dns-cert as a shell script, so that it's more > easily available to people who don't have the source, but who installed via > a binary package (that's most people), including comments, cleaner record > handling, auto-fingerprinting, etc. One command, three arguments, and you > get all three record types. > > I cited credit where possible, but if I missed your name, let me know. > > Suggestions, feedback, requests, corrections, are all welcome. > > Initial publishing is to my livejournal, but I'm planning to wrap the whole > thing to my webpage during a revamp. > > http://gushi.livejournal.com/524199.html > > Regards, > > -Dan Mahoney Hello! Nice tutorial! I've tried to apply your methods (for now I'm just at the PKA method). But it seems that there is a problem with the auto-key-locate option.
For example for the following command:

~~~~
mkdir /tmp/gpg-test
gpg2 --homedir /tmp/gpg-test --auto-key-locate pka --recipient ciprian at volution.ro --encrypt /dev/null
~~~~

it gives me the following error:

~~~~
gpg: requesting key A6FD8839 from http server stores.volution.ro
gpg: /tmp/gpg-test/trustdb.gpg: trustdb created
gpg: key A6FD8839: public key "Ciprian Dorin Craciun " imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1
gpg: error retrieving `ciprian at volution.ro' via PKA: Unusable public key
gpg: ciprian at volution.ro: skipped: No public key
gpg: /dev/null: encryption failed: No public key
~~~~

Now, searching on the net for a solution, I've stumbled upon the following thread: http://lists.gnupg.org/pipermail/gnupg-users/2006-May/028637.html It seems that there was a bug in GnuPG. So the question is:
* am I doing something wrong?
* or is the bug still present in GnuPG?

Thanks, Ciprian. From listac at nebelschwaden.de Thu Oct 29 13:59:21 2009
From: listac at nebelschwaden.de (listac at nebelschwaden.de) Date: Thu, 29 Oct 2009 13:59:21 +0100 Subject: can't connect to `C:/Program Files/GNU/GnuPG//S.gpg-agent' In-Reply-To: <33CE89420E3A834A82E48C2C747A706102923A54@HERMES.turpin-bg.local> References: <33CE89420E3A834A82E48C2C747A706102923A54@HERMES.turpin-bg.local> Message-ID: <25fc8801398aaf0f15d76991c396671c.squirrel@drachentor.dyndns.org> I pretty much have a similar problem. With gpg4win as well as with linux. However, using gpg4win I do not see any usage problem aside from this message. When using linux, even when I start gpg-agent --daemon, it creates its socket under /tmp/, while gpg searches for .gnupg/S.gpg-agent. The environment the daemon exports seems to be ignored. So I have to manually link .gnupg/S.gpg-agent to that file below /tmp to be able to work with a smartcard at all.

# gpg-agent --daemon
GPG_AGENT_INFO=/tmp/gpg-mS2h6N/S.gpg-agent:1510:1; export GPG_AGENT_INFO;

# gpg2 --card-status
can't connect to `/root/.gnupg/S.gpg-agent': No such file or directory
-> Same error message as if no gpg-agent has been started manually at all

# ln -s /tmp/gpg-mS2h6N/S.gpg-agent /root/.gnupg/S.gpg-agent
# gpg2 --card-status
gpg: selecting openpgp failed: Card not present

> Hi,
>
> Has anyone got any idea how to resolve the following error:
>
> can't connect to `C:/Program Files/GNU/GnuPG//S.gpg-agent'
>
> I get this error when issuing the following command
>
> gpg --passphrase-fd 0 --batch --output out.dat --decrypt in.pgp
>
> This worked fine until a few days ago but now it won't work at all.
>
> There's nothing wrong with the file because it decrypts fine without the
> passphrase-fd argument.
>
> Setup is Windows XP Pro and PGP is...
>
> C:\Program Files\GNU\GnuPG\Work>gpg --version
> gpg (GnuPG) 2.0.12 (Gpg4win 2.0.0)
> libgcrypt 1.4.4
> Copyright (C) 2009 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later
>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
> Home: C:/Program Files/GNU/GnuPG/
> Supported algorithms:
> Pubkey: RSA, ELG, DSA
> Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
> CAMELLIA128, CAMELLIA192, CAMELLIA256
> Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
> Compression: Uncompressed, ZIP, ZLIB, BZIP2
>
> Regards
> Dave

From listac at nebelschwaden.de Thu Oct 29 15:29:27 2009
From: listac at nebelschwaden.de (listac at nebelschwaden.de) Date: Thu, 29 Oct 2009 15:29:27 +0100 Subject: gnupg and smartcard -> recovery issues In-Reply-To: <87d447z7rq.fsf@vigenere.g10code.de> References: <87d447z7rq.fsf@vigenere.g10code.de> Message-ID: <9c27a1db16f552860b6f42c82db5e6a4.squirrel@drachentor.dyndns.org> First of all, thanks very much for your time.

> That is because you copied the key to the card and the on-disk key is
> still available. Use
>
> gpg --delete-secret-key KEYID
>
> to remove the secret parts of the key. Then run
>
> gpg --card-status
>
> so that gpg can create a "secret key stub" which is required to manage
> the card.

This does not work. Maybe the problem is somewhere else. When I issue a toggle & keytocard, I can only choose between Signature Key (1) or Authentication Key (3). The encryption key (2) is not offered. However I do get asked whether I want to replace the main key, which I considered as the encryption key so far. No matter whether I choose (1) or (3), after removal of the secret key from the ring I cannot decrypt any file. Natural, if the encryption key has not been transferred. bkuptocard requires a filename, which I do not have. Unless I export the secret key before, but haven't tried this yet.

> LANG=C gpg xxxx
>
> to get English messages.

As I am currently using gpg4win due to the fact that no linux gnupg2 I tested so far does work reliably with the smartcard, this does unfortunately not work.

> Import the public key and run "gpg --card-status" once. The URL field
> of the card along with the --edit-card "fetch" command are pretty useful
> here.

The URL field is empty (not set). Also I can see the card owner, but not to whom the key was issued. However, I am not using any keyserver nor do I plan to.

>> All I have is the cryptical_name.gpg on some rescued USB stick. Just,
>> how
>> do I get this key back on my card please?
>
> Import the public key and run
>
> gpg --edit-key KEYID
>
> then enter the command "bkuptocard".
I did try this, however, this does not work. When I import the public key into a virgin system and edit that key, the bkuptocard menu item does not appear and entering "toggle" as well as "bkuptocard" complains: "no secret key found" or "secret key needed". Running "gpg --card-status" before does not change this behaviour. To be able to get the key back on the card I currently do need both, the secret key, which is most likely more a stub, and the public key. > The whole point of using a smartcard is that this is not possible. Jep. After some thinking on my side this is absolutely correct. From listac at nebelschwaden.de Thu Oct 29 16:07:50 2009 From: listac at nebelschwaden.de (listac at nebelschwaden.de) Date: Thu, 29 Oct 2009 16:07:50 +0100 Subject: gnupg and smartcard -> recovery issues In-Reply-To: <9c27a1db16f552860b6f42c82db5e6a4.squirrel@drachentor.dyndns.org> References: <87d447z7rq.fsf@vigenere.g10code.de> <9c27a1db16f552860b6f42c82db5e6a4.squirrel@drachentor.dyndns.org> Message-ID: <7b888e7fd0f2a71afd105a4d3efca925.squirrel@drachentor.dyndns.org> >>> All I have is the cryptical_name.gpg on some rescued USB stick. Just, >>> how >>> do I get this key back on my card please? >> >> Import the public key and run >> >> gpg --edit-key KEYID >> >> then enter the command "bkuptocard". Thanks to the help of Mr. Donnachie I am now able to run gnupg2 under linux, even though gpg-agent regularly dies. May as well be a distribution issue. And now the restore with just the public key and the --card-status works. Either gpg4win behaves differently or maybe I am running into a gpg-agent issue, too. However, transferring a disk based secret encryption key to smart card still does not. From Sejla.Kalinic at unicreditgroup.zaba.hr Thu Oct 29 16:01:52 2009
From: Sejla.Kalinic at unicreditgroup.zaba.hr (Sejla Kalinic)
Date: Thu, 29 Oct 2009 16:01:52 +0100
Subject: No subject
Message-ID:

I will be out of the office starting 26.10.2009 and will not return until 30.10.2009.

Disclaimer: This e-mail is confidential and may also contain privileged information. If you are not the intended recipient, you are not authorised to read, print, save, process or disclose this message. If you have received this message by mistake, please inform the sender immediately and delete this e-mail, its attachments and any copies. Zagrebacka banka d.d. does not take any responsibility with regards to any possible inaccuracy of any data contained in this e-mail if such data do not relate to the registered operations of Zagrebacka banka d.d. The opinions expressed in this e-mail do not necessarily reflect the official positions of Zagrebacka banka d.d. Thank you!

From grawity at gmail.com Thu Oct 29 17:27:18 2009
From: grawity at gmail.com (Mantas Mikulėnas)
Date: Thu, 29 Oct 2009 18:27:18 +0200
Subject: can't connect to `C:/Program Files/GNU/GnuPG//S.gpg-agent'
In-Reply-To: <25fc8801398aaf0f15d76991c396671c.squirrel@drachentor.dyndns.org>
References: <33CE89420E3A834A82E48C2C747A706102923A54@HERMES.turpin-bg.local> <25fc8801398aaf0f15d76991c396671c.squirrel@drachentor.dyndns.org>
Message-ID: <4AE9C266.8040007@gmail.com>

On 2009-10-29 14:59, listac at nebelschwaden.de wrote:
> When using linux, even when I start gpg-agent --daemon, it creates its
> socket under /tmp/, while gpg searches for .gnupg/S.gpg-agent.
> The environment the daemon exports seems to be ignored.
>
> So I have to manually link .gnupg/S.gpg-agent to that file below /tmp to
> be able to work with a smartcard at all.
>
> # gpg-agent --daemon
> GPG_AGENT_INFO=/tmp/gpg-mS2h6N/S.gpg-agent:1510:1; export GPG_AGENT_INFO;
>
> # gpg2 --card-status
> can't connect to `/root/.gnupg/S.gpg-agent': No such file or directory

Because it doesn't export anything. A program cannot modify the environment of its parent, so gpg-agent has to be executed like this:

$ eval $(gpg-agent --daemon)
$ echo $GPG_AGENT_INFO
/tmp/gpg-dbASrL/S.gpg-agent:1762:1

The 'eval $(foo)' part tells your shell (bash, zsh) to interpret gpg-agent's output as commands; without it, all gpg-agent can do is print them to stdout.

-- 
Mantas Mikulėnas / PGP 0xCA07F3A91C9F7C03
ASCII ribbon campaign - stop HTML mail

From moses.mason at gmail.com Fri Oct 30 02:51:41 2009
From: moses.mason at gmail.com (Moses)
Date: Fri, 30 Oct 2009 09:51:41 +0800
Subject: How to make GnuPG 1.4.10b binary work on Windows 7?
Message-ID: <87bcf3800910291851k5f6b1d8by587269a2463c39da@mail.gmail.com>

Hi,

GPG 1.4.10b does not work on Windows 7, does anyone know how to make it work?

Regards.

From danm at prime.gushi.org Fri Oct 30 10:31:23 2009
From: danm at prime.gushi.org (Dan Mahoney, System Admin)
Date: Fri, 30 Oct 2009 05:31:23 -0400 (EDT)
Subject: Howto For DNS Key publishing.
In-Reply-To: <8e04b5820910290442j200eb60au6da019640a9df906@mail.gmail.com>
References: <8e04b5820910290442j200eb60au6da019640a9df906@mail.gmail.com>
Message-ID:

On Thu, 29 Oct 2009, Ciprian Dorin, Craciun wrote:

> On Thu, Oct 29, 2009 at 7:52 AM, Dan Mahoney, System Admin wrote:
>> All,
>>
>> I've written a pretty conclusive howto on how to publish keys in DNS,
>> including detailing the advantages and disadvantages of each method, with
>> full examples, details on testing, and real-world output.
>>
>> I've also re-implemented make-dns-cert as a shell script, so that it's more
>> easily available to people who don't have the source, but who installed via
>> a binary package (that's most people), including comments, cleaner record
>> handling, auto-fingerprinting, etc. One command, three arguments, and you
>> get all three record types.
>>
>> I cited credit where possible, but if I missed your name, let me know.
>>
>> Suggestions, feedback, requests, corrections, are all welcome.
>>
>> Initial publishing is to my livejournal, but I'm planning to wrap the whole
>> thing to my webpage during a revamp.
>>
>> http://gushi.livejournal.com/524199.html
>>
>> Regards,
>>
>> -Dan Mahoney
>
> Hello!
>
> Nice tutorial! I've tried to apply your methods (for now I'm just
> at the PKA method).
>
> But it seems that there is a problem with auto-key-locate option.
> For example for the following command:
> ~~~~
> mkdir /tmp/gpg-test
> gpg2 --homedir /tmp/gpg-test --auto-key-locate pka --recipient ciprian at volution.ro --encrypt /dev/null
> ~~~~
>
> it gives me the following error:
> ~~~~
> gpg: requesting key A6FD8839 from http server stores.volution.ro
> gpg: /tmp/gpg-test/trustdb.gpg: trustdb created
> gpg: key A6FD8839: public key "Ciprian Dorin Craciun " imported
> gpg: no ultimately trusted keys found
> gpg: Total number processed: 1
> gpg:               imported: 1
> gpg: error retrieving `ciprian at volution.ro' via PKA: Unusable public key
> gpg: ciprian at volution.ro: skipped: No public key
> gpg: /dev/null: encryption failed: No public key
> ~~~~
>
> Now, searching on the net for a solution, I've stumbled upon the
> following thread:
> http://lists.gnupg.org/pipermail/gnupg-users/2006-May/028637.html
>
> It seems that there was a bug in GnuPG. So the question is:
> * am I doing something wrong?
> * or is the bug still present in GnuPG?
>
> Thanks,
> Ciprian.

Okay, so here's what I've learned. I've manually retrieved your key, and imported it manually to my machine with gpg --import < file

And I then get this:

dmahoney at dmahoney-laptop:~/Desktop$ echo "foo" | gpg --encrypt -r ciprian at volution.ro
gpg: ciprian at volution.ro: skipped: unusable public key
gpg: [stdin]: encryption failed: unusable public key

So it's not the PKA record. Upon examining it a little further, I see this:

dmahoney at dmahoney-laptop:~/Desktop$ gpg --list-keys ciprian at volution.ro
pub   3072D/A6FD8839 2008-10-19 [expires: 2009-11-21]
uid                  Ciprian Dorin Craciun
uid                  Ciprian Dorin Craciun
uid                  Ciprian Dorin Craciun
uid                  Ciprian Dorin Craciun

dmahoney at dmahoney-laptop:~/Desktop$ gpg
uid                  Ciprian Dorin Craciun
uid                  Ciprian Dorin Craciun
uid                  Ciprian Dorin Craciun
sub   4096g/15F68B01 2008-10-19 [expires: 2009-10-19]

Looks like your subkey that I'd use to encrypt to you has expired, and thus my GPG didn't import it.

-- 

"Man, this is such a trip"

-Dan Mahoney, October 25, 1997

--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------

From ciprian.craciun at gmail.com Fri Oct 30 10:55:55 2009
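Dan's diagnosis above (the certificate imported fine, but its only encryption subkey had expired, so gpg reports "unusable public key") can be checked mechanically from `gpg --with-colons --list-keys` output. The following is an added example, not code from the thread or from GnuPG: the colon records are constructed to mirror the listing Dan posted, and the leading hex digits of the long key IDs and the renewed expiry date are placeholders.

```python
"""Find the encryption (sub)keys gpg could actually use for a recipient.

Added example, not code from the thread or from GnuPG. It parses the
machine-readable output of `gpg --with-colons --list-keys` and keeps only
the records that are encryption-capable and still valid, which is what gpg
requires before it will encrypt to a key.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable

# Field 2 validity codes that make a record unusable whatever its dates:
# e = expired, r = revoked, i = invalid, d = disabled, n = never trust.
BAD_VALIDITY = {"e", "r", "i", "d", "n"}


@dataclass
class KeyRecord:
    kind: str                 # "pub" or "sub"
    validity: str             # field 2
    keyid: str                # field 5 (long key ID)
    expires: datetime | None  # field 7, None when the key never expires
    caps: str                 # field 12, e.g. "e", "s", "scESC"


def parse_expiry(field: str) -> datetime | None:
    """Field 7 is empty (no expiry), seconds since the epoch (gpg 2.x),
    or an ISO date YYYY-MM-DD (gpg 1.4 output)."""
    if not field:
        return None
    if field.isdigit():
        return datetime.fromtimestamp(int(field), tz=timezone.utc)
    return datetime.strptime(field[:10], "%Y-%m-%d").replace(tzinfo=timezone.utc)


def parse_colons(lines: Iterable[str]) -> list[KeyRecord]:
    """Keep pub/sub records; uid, fpr and tru records carry no capabilities."""
    records = []
    for line in lines:
        fields = line.rstrip("\n").split(":")
        if fields[0] not in ("pub", "sub"):
            continue
        fields += [""] * (12 - len(fields))  # older gpg may emit fewer fields
        records.append(KeyRecord(kind=fields[0], validity=fields[1], keyid=fields[4],
                                 expires=parse_expiry(fields[6]), caps=fields[11]))
    return records


def usable_encryption_keys(records: list[KeyRecord], now: datetime) -> list[str]:
    """Key IDs gpg can encrypt to at time `now`.

    Only lowercase capability letters describe the record itself; uppercase
    letters on the pub record summarise the whole key block, so "scESC" on a
    DSA primary does not mean the primary key can encrypt.
    """
    usable = []
    for rec in records:
        own_caps = {c for c in rec.caps if c.islower()}
        if "e" not in own_caps:
            continue
        if rec.validity in BAD_VALIDITY:
            continue
        if rec.expires is not None and rec.expires <= now:
            continue
        usable.append(rec.keyid)
    return usable


# Constructed records mirroring the thread: DSA primary A6FD8839 valid until
# 2009-11-21, Elgamal subkey 15F68B01 expired 2009-10-19. The leading eight
# hex digits of each long key ID are placeholders.
SAMPLE_EXPIRED = """\
pub:-:3072:17:01234567A6FD8839:2008-10-19:2009-11-21::-:Ciprian Dorin Craciun <ciprian@volution.ro>::scSC:
uid:-::::2008-10-19::::Ciprian Dorin Craciun <ciprian@volution.ro>:
sub:e:4096:16:0123456715F68B01:2008-10-19:2009-10-19:::::e:
"""

# Same key after the owner extended the subkey's expiry (new date is a placeholder).
SAMPLE_RENEWED = """\
pub:-:3072:17:01234567A6FD8839:2008-10-19:2009-11-21::-:Ciprian Dorin Craciun <ciprian@volution.ro>::scESC:
uid:-::::2008-10-19::::Ciprian Dorin Craciun <ciprian@volution.ro>:
sub:-:4096:16:0123456715F68B01:2008-10-19:2010-10-19:::::e:
"""

# The date of the thread, so the check is reproducible.
NOW = datetime(2009, 10, 30, tzinfo=timezone.utc)


if __name__ == "__main__":
    for name, sample in (("expired", SAMPLE_EXPIRED), ("renewed", SAMPLE_RENEWED)):
        keys = usable_encryption_keys(parse_colons(sample.splitlines()), NOW)
        print(f"{name}: {keys or 'no usable encryption key (gpg would refuse)'}")
```

On a live system, pipe `gpg --with-colons --list-keys <recipient>` into `parse_colons` and pass the current UTC time as `now`.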
From: ciprian.craciun at gmail.com (Ciprian Dorin, Craciun)
Date: Fri, 30 Oct 2009 11:55:55 +0200
Subject: Howto For DNS Key publishing.
In-Reply-To:
References: <8e04b5820910290442j200eb60au6da019640a9df906@mail.gmail.com>
Message-ID: <8e04b5820910300255k12935caau63d04ff43adec3e0@mail.gmail.com>

On Fri, Oct 30, 2009 at 11:31 AM, Dan Mahoney, System Admin wrote:
> On Thu, 29 Oct 2009, Ciprian Dorin, Craciun wrote:
>
>> On Thu, Oct 29, 2009 at 7:52 AM, Dan Mahoney, System Admin wrote:
>>>
>>> All,
>>>
>>> I've written a pretty conclusive howto on how to publish keys in DNS,
>>> including detailing the advantages and disadvantages of each method, with
>>> full examples, details on testing, and real-world output.
>>>
>>> I've also re-implemented make-dns-cert as a shell script, so that it's more
>>> easily available to people who don't have the source, but who installed via
>>> a binary package (that's most people), including comments, cleaner record
>>> handling, auto-fingerprinting, etc. One command, three arguments, and you
>>> get all three record types.
>>>
>>> I cited credit where possible, but if I missed your name, let me know.
>>>
>>> Suggestions, feedback, requests, corrections, are all welcome.
>>>
>>> Initial publishing is to my livejournal, but I'm planning to wrap the whole
>>> thing to my webpage during a revamp.
>>>
>>> http://gushi.livejournal.com/524199.html
>>>
>>> Regards,
>>>
>>> -Dan Mahoney
>>
>> Hello!
>>
>> Nice tutorial! I've tried to apply your methods (for now I'm just
>> at the PKA method).
>>
>> But it seems that there is a problem with auto-key-locate option.
>> For example for the following command:
>> ~~~~
>> mkdir /tmp/gpg-test
>> gpg2 --homedir /tmp/gpg-test --auto-key-locate pka --recipient ciprian at volution.ro --encrypt /dev/null
>> ~~~~
>>
>> it gives me the following error:
>> ~~~~
>> gpg: requesting key A6FD8839 from http server stores.volution.ro
>> gpg: /tmp/gpg-test/trustdb.gpg: trustdb created
>> gpg: key A6FD8839: public key "Ciprian Dorin Craciun " imported
>> gpg: no ultimately trusted keys found
>> gpg: Total number processed: 1
>> gpg:               imported: 1
>> gpg: error retrieving `ciprian at volution.ro' via PKA: Unusable public key
>> gpg: ciprian at volution.ro: skipped: No public key
>> gpg: /dev/null: encryption failed: No public key
>> ~~~~
>>
>> Now, searching on the net for a solution, I've stumbled upon the
>> following thread:
>> http://lists.gnupg.org/pipermail/gnupg-users/2006-May/028637.html
>>
>> It seems that there was a bug in GnuPG. So the question is:
>> * am I doing something wrong?
>> * or is the bug still present in GnuPG?
>>
>> Thanks,
>> Ciprian.
>
> Okay, so here's what I've learned. I've manually retrieved your key, and
> imported it manually to my machine with gpg --import < file
>
> And I then get this:
>
> dmahoney at dmahoney-laptop:~/Desktop$ echo "foo" | gpg --encrypt -r ciprian at volution.ro
> gpg: ciprian at volution.ro: skipped: unusable public key
> gpg: [stdin]: encryption failed: unusable public key
>
> So it's not the PKA record. Upon examining it a little further, I see this:
>
> dmahoney at dmahoney-laptop:~/Desktop$ gpg --list-keys ciprian at volution.ro
> pub   3072D/A6FD8839 2008-10-19 [expires: 2009-11-21]
> uid                  Ciprian Dorin Craciun
> uid                  Ciprian Dorin Craciun
> uid                  Ciprian Dorin Craciun
> uid                  Ciprian Dorin Craciun
>
> dmahoney at dmahoney-laptop:~/Desktop$ gpg
> pub   3072D/A6FD8839 2008-10-19 Ciprian Dorin Craciun
> uid                  Ciprian Dorin Craciun
> uid                  Ciprian Dorin Craciun
> uid                  Ciprian Dorin Craciun
> sub   4096g/15F68B01 2008-10-19 [expires: 2009-10-19]
>
> Looks like your subkey that I'd use to encrypt to you has expired, and thus
> my GPG didn't import it.
>
> --
>
> "Man, this is such a trip"
>
> -Dan Mahoney, October 25, 1997

Oops! Sorry! Yesterday evening I came upon the same conclusion and prolonged the expiration date... (But I didn't connect the dots with my report..) Sorry for wasting time! :)

Anyway, good tutorial! Thanks!

From David.Gray at turpin-distribution.com Fri Oct 30 15:24:45 2009
From: David.Gray at turpin-distribution.com (David Gray)
Date: Fri, 30 Oct 2009 14:24:45 -0000
Subject: No secret key under different account
Message-ID: <33CE89420E3A834A82E48C2C747A706102923A60@HERMES.turpin-bg.local>

Hello all,

GPG 2.0.12
Windows Server 2003

I've written a C# application which scans for input files and decrypts using GPG.
This application works fine when run under the account (Administrator) that GPG was installed under, but when run from a different account (SQLService) I get this error.

gpg: encrypted with ELG key, ID 891AB7E7
gpg: decryption failed: No secret key
Error Decrypting C:\Program Files\GNU\GnuPG\work\KLIOLB_20091002_11235900.PGP

I've given full permissions to the SQLService account.

Are there any permissions I need to set within GPG, or do I need to specify anything else on the command line when running under a different account?

The GPG command looks like this:

gpg --passphrase-fd 0 --batch --output KLIOLB_20091005_10021900.TMP --decrypt KLIOLB_20091005_10021900.PGP

Thanks in advance.

Dave

From christoph.anton.mitterer at physik.uni-muenchen.de Fri Oct 30 15:10:09 2009
From: christoph.anton.mitterer at physik.uni-muenchen.de (Christoph Anton Mitterer)
Date: Fri, 30 Oct 2009 15:10:09 +0100
Subject: entering both, password and message via standard input
Message-ID: <20091030151009.186112dudmjgwse8@webmail.physik.uni-muenchen.de>

Hi.

I have a case where I need to enter both the passphrase and a message (that should be decrypted) via standard input.
(Well, in principle another non-interactive way for the passphrase would be ok, too, but not --passphrase-fd and neither --passphrase string.)

It seems that the following works:

printf "%s\n%s" "$passphrase" "$message" | gpg --passphrase-fd 0 --decrypt

So I assume the first line is taken as passphrase, removed, and everything else as the message.

Is this the intended behaviour, and is it kept like that in future versions, or is it just working like that "by accident"?
Should I add other options, like --batch or --no-tty?

Thanks,
Chris.

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

From dshaw at jabberwocky.com Fri Oct 30 15:42:22 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 30 Oct 2009 10:42:22 -0400
Subject: No secret key under different account
In-Reply-To: <33CE89420E3A834A82E48C2C747A706102923A60@HERMES.turpin-bg.local>
References: <33CE89420E3A834A82E48C2C747A706102923A60@HERMES.turpin-bg.local>
Message-ID: <9223F086-77BD-4FEA-949B-17183D0A94D1@jabberwocky.com>

On Oct 30, 2009, at 10:24 AM, David Gray wrote:

> Hello all,
>
> GPG 2.0.12
> Windows Server 2003
>
> I've written a C# application which scans for input files and decrypts using
> GPG.
> This applications works fine when run under the account (Administrator) that
> GPG was installed under but when run from a different account (SQLService)
> I get this error.
>
> gpg: encrypted with ELG key, ID 891AB7E7
> gpg: decryption failed: No secret key
> Error Decrypting C:\Program Files\GNU\GnuPG\work\KLIOLB_20091002_11235900.PGP
>
> I've given full permissions to the SQLService account.
>
> Are there any permissions I need to set within GPG or do I need to specify
> anything else on the command line when running under a different account?

Most likely your keyring is stored under the Administrator account, so when run as SQLService, you can't find the keys. Look at the .gnupg directory in the Administrator account - it needs to be available to the SQLService user. See also the --homedir option to GPG, which allows you to specify where the keyrings and config files go.

David

From David.Gray at turpin-distribution.com Fri Oct 30 15:57:57 2009
From: David.Gray at turpin-distribution.com (David Gray)
Date: Fri, 30 Oct 2009 14:57:57 -0000
Subject: No secret key under different account
In-Reply-To:
References: <33CE89420E3A834A82E48C2C747A706102923A60@HERMES.turpin-bg.local>
Message-ID: <33CE89420E3A834A82E48C2C747A706102923A63@HERMES.turpin-bg.local>

Hi,

Thanks for the info, that makes sense.

That does however mean that I will end up with two sets of keyring files. Does anyone know a way to share them with certain priv'd users on a server?

Regards

Dave

-----Original Message-----
From: Robert Hill [mailto:rhill at wfubmc.edu]
Sent: 30 October 2009 14:43
To: David Gray
Subject: RE: No secret key under different account

Logon to the server as the account you wish to use to encrypt the files. Import the public key as you did prior and sign the key as you did prior. This worked for me. I am not in my office, but there are 2 command line steps that need to be done: one is import and the other I think is sign. It appears that each user that is to encrypt has to follow this procedure.

-----Original Message-----
From: gnupg-users-bounces at gnupg.org [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of David Gray
Sent: Friday, October 30, 2009 10:25 AM
To: gnupg-users at gnupg.org
Subject: No secret key under different account

Hello all,

GPG 2.0.12
Windows Server 2003

I've written a C# application which scans for input files and decrypts using GPG.
This application works fine when run under the account (Administrator) that GPG was installed under, but when run from a different account (SQLService) I get this error.

gpg: encrypted with ELG key, ID 891AB7E7
gpg: decryption failed: No secret key
Error Decrypting C:\Program Files\GNU\GnuPG\work\KLIOLB_20091002_11235900.PGP

I've given full permissions to the SQLService account.

Are there any permissions I need to set within GPG, or do I need to specify anything else on the command line when running under a different account?

The GPG command looks like this:

gpg --passphrase-fd 0 --batch --output KLIOLB_20091005_10021900.TMP --decrypt KLIOLB_20091005_10021900.PGP

Thanks in advance.

Dave

Registered Office: Turpin Distribution Services Ltd, Pegasus Drive, Stratton Business Park, Biggleswade, Bedfordshire, SG18 8TQ, UK.
***** Registered in England No. 1331778 *****
This email may contain confidential information and/or copyright material. This email is intended for the use of the addressee only. Any unauthorised use may be unlawful. If you receive this email by mistake, please advise the sender immediately by using the reply facility in your email software.

From faramir.cl at gmail.com Fri Oct 30 19:10:44 2009
From: faramir.cl at gmail.com (Faramir)
Date: Fri, 30 Oct 2009 15:10:44 -0300
Subject: Question about syntax of a command
Message-ID: <4AEB2C24.4040508@gmail.com>

Hello,

In the hypothetical case I want to encrypt a file, using the 3DES symmetric algo, and without using asymmetric encryption (the file would just be encrypted with 3DES and a password provided by the user), what would be the syntax I must enter? I read the manual, but got confused about that...

Best Regards

From dkg at fifthhorseman.net Fri Oct 30 19:22:35 2009
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Fri, 30 Oct 2009 14:22:35 -0400
Subject: Question about syntax of a command
In-Reply-To: <4AEB2C24.4040508@gmail.com>
References: <4AEB2C24.4040508@gmail.com>
Message-ID: <4AEB2EEB.5070008@fifthhorseman.net>

On 10/30/2009 02:10 PM, Faramir wrote:
> In the hypothetical case I want to encrypt a file, using 3DES symmetric
> algo, and without using asymmetric encryption (the file would just be
> encrypted with 3DES and a password provided by the user), what would
> be the syntax I must enter? I read the manual, but got confused about
> that...

I think you want:

  gpg --cipher-algo 3DES --symmetric test.txt

hth,

--dkg

From dshaw at jabberwocky.com Fri Oct 30 19:20:28 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 30 Oct 2009 14:20:28 -0400
Subject: Question about syntax of a command
In-Reply-To: <4AEB2C24.4040508@gmail.com>
References: <4AEB2C24.4040508@gmail.com>
Message-ID: <7D1E679A-6E38-4D53-8FC7-D8A7026EA219@jabberwocky.com>

On Oct 30, 2009, at 2:10 PM, Faramir wrote:

> Hello,
> In the hypothetical case I want to encrypt a file, using 3DES symmetric
> algo, and without using asymmetric encryption (the file would just be
> encrypted with 3DES and a password provided by the user), what would
> be the syntax I must enter? I read the manual, but got confused about
> that...

gpg --cipher-algo 3des --symmetric

David

From faramir.cl at gmail.com Fri Oct 30 19:39:11 2009
From: faramir.cl at gmail.com (Faramir)
Date: Fri, 30 Oct 2009 15:39:11 -0300
Subject: Question about syntax of a command
In-Reply-To: <7D1E679A-6E38-4D53-8FC7-D8A7026EA219@jabberwocky.com>
References: <4AEB2C24.4040508@gmail.com> <7D1E679A-6E38-4D53-8FC7-D8A7026EA219@jabberwocky.com>
Message-ID: <4AEB32CF.2060804@gmail.com>

David Shaw escribió:
> On Oct 30, 2009, at 2:10 PM, Faramir wrote:
>
>> Hello,
>> In the hypothetical case I want to encrypt a file, using 3DES
>> symmetric ...
> gpg --cipher-algo 3des --symmetric

Thanks, David (and Daniel), I was used to --command-option, and never had to add a second command. Also, usually I rely on a GUI.

Best Regards

From John at Mozilla-Enigmail.org Fri Oct 30 22:27:18 2009
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Fri, 30 Oct 2009 16:27:18 -0500
Subject: No secret key under different account
In-Reply-To: <33CE89420E3A834A82E48C2C747A706102923A63@HERMES.turpin-bg.local>
References: <33CE89420E3A834A82E48C2C747A706102923A60@HERMES.turpin-bg.local> <33CE89420E3A834A82E48C2C747A706102923A63@HERMES.turpin-bg.local>
Message-ID: <4AEB5A36.9030302@Mozilla-Enigmail.org>

David Gray wrote:
>
> Hi,
> Thanks for the info, that makes sense.
>
> That does however mean that I will end up with two sets of keyring files,
> does anyone know a way to share them to certain priv'd users on a server.

Add the extra keyring(s) with 'keyring ' or 'secret-keyring ' line(s) in those users' gpg.conf file

-- 
John P. Clizbe                      Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net  or
     mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"

From laurent.jumet at skynet.be Sat Oct 31 00:17:29 2009
From: laurent.jumet at skynet.be (Laurent Jumet)
Date: Sat, 31 Oct 2009 01:17:29 +0200
Subject: Question about syntax of a command
In-Reply-To: <4AEB2C24.4040508@gmail.com>
Message-ID:

Hello Faramir !

Faramir wrote:

> In the hypothetical case I want to encrypt a file, using 3DES symmetric
> algo, and without using asymmetric encryption (the file would just be
> encrypted with 3DES and a password provided by the user), what would
> be the syntax I must enter? I read the manual, but got confused about
> that...

gpg --symmetric [--sign] --cipher-algo 3DES [--no-options]

-- 
Laurent Jumet
      KeyID: 0xCFAF704C

From laredotornado at gmail.com Wed Oct 28 17:56:40 2009
From: laredotornado at gmail.com (laredotornado)
Date: Wed, 28 Oct 2009 09:56:40 -0700 (PDT)
Subject: Newbie question: Where do I put my trusted key?
Message-ID: <26098224.post@talk.nabble.com>

Hi,

I'm new to gpg and I just installed gpg and gpg-agent for Mac OS 10.5.6. Whenever I run the gpg command, I'm prompted for the passphrase. Is there any way to skip that if I am running the command as a particular user for a particular key? Here is an example interaction below ...

ocho:~ dalvarado$ /opt/local/bin/gpg --trust-model always --sign --force-mdc -e -a --homedir /Users/dalvarado/.gnupg --recipient 23AC19FF

You need a passphrase to unlock the secret key for
user: "Dave Alvarado "
2048-bit RSA key, ID A34ED8DD, created 2009-09-30

gpg: gpg-agent is not available in this session
Enter passphrase:

What is also odd is that I'm told, "gpg: gpg-agent is not available in this session" but I just installed the agent. Any help in troubleshooting is appreciated, - Dave

From shavital at mac.com Sat Oct 31 14:11:54 2009
From: shavital at mac.com (Charly Avital)
Date: Sat, 31 Oct 2009 09:11:54 -0400
Subject: Newbie question: Where do I put my trusted key?
In-Reply-To: <26098224.post@talk.nabble.com>
References: <26098224.post@talk.nabble.com>
Message-ID: <4AEC379A.7080102@mac.com>

laredotornado wrote the following on 10/28/09 12:56 PM:
> What is also odd is that I'm told, "gpg: gpg-agent is not available in this
> session" but I just installed the agent. Any help in troubleshooting is
> appreciated, - Dave
>

Dave,

I'm afraid the key words in your e-mail are '/opt/local/bin/gpg'. They suggest that you have installed gpg2 via Darwin Ports. If it is so, Darwin Ports installs a version of gpg-agent and pinentry (required by gpg-agent) that are not compatible with MacOSX.

Please check the MacGPG2 Project at:

The current installer for MacGPG2 2.0.12 is available. It will install a Mac native pinentry application.

Charly
MacOSX 10.6.1 32bits MacBook5,1 - 0xA57A8EFA
Gnupg 1.4.10 - MacGPG2 2.0.13 (testing) - Running Enigmail version 0.97b (20091027-0956) with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.4pre) Gecko/20090915 Thunderbird/3.0b4

From benjamin at py-soft.co.uk Sat Oct 31 14:19:58 2009
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Sat, 31 Oct 2009 13:19:58 +0000
Subject: Newbie question: Where do I put my trusted key?
In-Reply-To: <4AEC379A.7080102@mac.com>
References: <26098224.post@talk.nabble.com> <4AEC379A.7080102@mac.com>
Message-ID: <732076a80910310619k20041575sab696e192590e9e1@mail.gmail.com>

2009/10/31 Charly Avital :
> Please check the MacGPG2 Project at:
>
> The current installer for MacGPG2 2.0.12 is available. It will install a
> Mac native pinentry application.

An updated version for v2.0.13 will be available in a few days (work and broken SAN permitting).

Ben

From haloris-tx at yahoo.co.uk Sat Oct 31 14:43:24 2009
From: haloris-tx at yahoo.co.uk (Carson Hewitt)
Date: Sat, 31 Oct 2009 14:43:24 +0100
Subject: Can't verify signature made by PGP
Message-ID:

Hello,

Someone must have run into this before: I can't verify a signature made by PGP using GnuPG 1.4.10 (on mac os 10.6.1).

The idea is to send a detached signature to the PGP Timestamping service at pgp _AT_ stamper.itconsult.co.uk, which signs it. gpg --verify emits a warning saying that only the first signature in the reply will be verified (the other one is the one I made), then the verification fails (bad signature).

Is giving up using the service for that scenario the only thing to do?

-- 
Carson