From patryk at debian.org Thu Sep 1 06:11:30 2011
From: patryk at debian.org (Patryk Cisek)
Date: Thu, 1 Sep 2011 06:11:30 +0200
Subject: Migrating to Smartcards
In-Reply-To:
References:
Message-ID: <20110901041130.GB4004@patryks-laptop.softexor.net>

On Tue, Aug 30, 2011 at 10:56:02PM +0200, Richard wrote:
> Thanks for all your help!
>
> I just noticed that on my mobile computer (running Mac OS X) I am
> still stuck with GnuPG 2.0.17 since MacGPG2 has not yet been updated.
> I will have to wait for an updated package before I can start moving
> my keys to smartcards.

Or just go ahead and compile it yourself.

--
Patryk Cisek

From richard at r-selected.de Thu Sep 1 10:13:58 2011
From: richard at r-selected.de (Richard)
Date: Thu, 1 Sep 2011 10:13:58 +0200
Subject: Migrating to Smartcards
In-Reply-To: <20110901041130.GB4004@patryks-laptop.softexor.net>
References: <20110901041130.GB4004@patryks-laptop.softexor.net>
Message-ID:

On Thu, Sep 1, 2011 at 06:11, Patryk Cisek wrote:
> Or just go ahead and compile it yourself.

Unfortunately I only have a 64 Gig hard drive and no space left to
install XCode :(

From marco+gnupg at websource.ch Thu Sep 1 13:32:22 2011
From: marco+gnupg at websource.ch (Marco Steinacher)
Date: Thu, 01 Sep 2011 13:32:22 +0200
Subject: Migrating to Smartcards
In-Reply-To: <87vctepwu2.fsf@vigenere.g10code.de>
References: <87vctepwu2.fsf@vigenere.g10code.de>
Message-ID: <4E5F6D46.4020306@websource.ch>

On 30.08.2011 20:40, Werner Koch wrote:
> On Tue, 30 Aug 2011 17:54, richard at r-selected.de said:
>
>> keytocard, restore the backup, insert card #2, issue keytocard again.
>> Will that cause any problems in later GnuPG use as the cards' IDs are
>
> Possible. It will be easy to disable the check or - if the second
> card is used as a backup - to generate a new key -stub with the new
> serial number. It is not cryptographically locked.

I use two smartcards with the same keys.
When I switch from one card to the other, I run the following script:

-- switch-card.sh --
#!/bin/sh
echo "Removing and re-importing secret key stubs"
gpg --delete-secret-key
gpg --card-status
echo "Removing key from private-keys files (used by ssh-agent)"
rm -v ~/.gnupg/private-keys-v1.d/.key
--------------------

That works perfectly for me.

Cheers,
Marco

--
OpenPGP Key ID: 0x62937F7F

From rjh at sixdemonbag.org Thu Sep 1 17:53:36 2011
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 01 Sep 2011 08:53:36 -0700
Subject: How to install gnupg-2.0.18 and decrypt gpg files
In-Reply-To: <34272.69.31.50.32.1314725051.squirrel@utservm.ut.ac.ir>
References: <34272.69.31.50.32.1314725051.squirrel@utservm.ut.ac.ir>
Message-ID:

> I have downloaded gnupg-2.0.18 to decrypt some files formatted .gz.gpg
> (e.g. 70195_B11_WTCCCT444825.CEL.gz.gpg).

You appear to have downloaded a package containing the GnuPG source
code, not the GnuPG executables. If you go to http://www.gpg4win.org,
you will be able to download the GnuPG executables. These work well
with Windows 7: I've used them successfully on Win7 and Win7/64.

Good luck!
From johanw at vulcan.xs4all.nl Thu Sep 1 18:24:33 2011
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Thu, 01 Sep 2011 18:24:33 +0200
Subject: Decrypting WikiLeaks insurance file
In-Reply-To: <87y5ygrxy2.fsf@vigenere.g10code.de>
References: <4E5668A3.7090104@TheHaverkamps.net> <87liuhv1dk.fsf@vigenere.g10code.de> <4E57609A.1000800@adversary.org> <87bovctjb0.fsf@vigenere.g10code.de> <4E57A628.10203@vulcan.xs4all.nl> <87y5ygrxy2.fsf@vigenere.g10code.de>
Message-ID: <4E5FB1C1.8050208@vulcan.xs4all.nl>

Hello,

I read that the password for the insurance.aes256 file WikiLeaks
distributed some time ago has been revealed to be

CollectionOfDiplomaticHistorySince_1966_ToThe_PresentDay#

(talk about a long password). However, which tool is used to encrypt it?
I tried decrypting it with gpg (no valid OpenPGP data found) and with
openssl with the command

openssl enc -d -aes256 -in insurance.aes256 > out.dec

which gives an error after copying almost the entire file to out.dec.

Does someone know which tool to use? And yes, I know the decrypted file
can be downloaded from TPB but I'm just curious about the encryption.

--
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From jhs at berklix.com Thu Sep 1 19:02:50 2011
From: jhs at berklix.com (Julian H. Stacey)
Date: Thu, 01 Sep 2011 19:02:50 +0200
Subject: Decrypting WikiLeaks insurance file
In-Reply-To: Your message "Thu, 01 Sep 2011 18:24:33 +0200." <4E5FB1C1.8050208@vulcan.xs4all.nl>
Message-ID: <201109011702.p81H2oQR017809@fire.js.berklix.net>

> (talk about a long password). However, which tool is used to encrypt it?

Would running the unix 'file' command give a clue ?

Cheers,
Julian
--
Julian Stacey, BSD Unix Linux C Sys Eng Consultants Munich http://berklix.com
Reply below, not above; Indent with "> "; Cumulative like a play script.
Format: Plain text. Not HTML, multipart/alternative, base64, quoted-printable.
http://www.softwarefreedomday.org 17th Sept, http://berklix.org/sfd/ Oct.
From ben at adversary.org Thu Sep 1 20:04:45 2011
From: ben at adversary.org (Ben McGinnes)
Date: Fri, 02 Sep 2011 04:04:45 +1000
Subject: Decrypting WikiLeaks insurance file
In-Reply-To: <4E5FB1C1.8050208@vulcan.xs4all.nl>
References: <4E5668A3.7090104@TheHaverkamps.net> <87liuhv1dk.fsf@vigenere.g10code.de> <4E57609A.1000800@adversary.org> <87bovctjb0.fsf@vigenere.g10code.de> <4E57A628.10203@vulcan.xs4all.nl> <87y5ygrxy2.fsf@vigenere.g10code.de> <4E5FB1C1.8050208@vulcan.xs4all.nl>
Message-ID: <4E5FC93D.8000408@adversary.org>

On 2/09/11 2:24 AM, Johan Wevers wrote:
> Hello,
>
> I read that the password for the insurance.aes256 file WikiLeaks
> distributed some time ago has been revealed to be

It's not the insurance.aes256 file which the password has been
revealed for, it's an unredacted version of the Cablegate data. The
file name for that, at least the one currently in the wild, is called
z.gpg. It uses symmetric GPG encryption and decrypts to z.7z
(368Mb). When extracted with 7z/p7zip it expands to cables.csv
(1.73Gb).

The password or passphrase for insurance.aes256 has not yet been
revealed, but that file is believed to have been encrypted with either
TrueCrypt or OpenSSL, probably the latter.

Regards,
Ben

From ben at adversary.org Thu Sep 1 21:45:33 2011
From: ben at adversary.org (Ben McGinnes)
Date: Fri, 02 Sep 2011 05:45:33 +1000
Subject: Decrypting WikiLeaks insurance file
In-Reply-To: <201109011702.p81H2oQR017809@fire.js.berklix.net>
References: <201109011702.p81H2oQR017809@fire.js.berklix.net>
Message-ID: <4E5FE0DD.5000306@adversary.org>

On 2/09/11 3:02 AM, Julian H. Stacey wrote:
>> (talk about a long password). However, which tool is used to encrypt it?
>
> Would running the unix 'file' command give a clue ?

Nope, it just comes up as "data" and the only clue as to what type is
the .aes256 extension it's been given.

Regards,
Ben

From atom at smasher.org Fri Sep 2 03:41:47 2011
From: atom at smasher.org (Atom Smasher)
Date: Fri, 2 Sep 2011 13:41:47 +1200 (NZST)
Subject: Decrypting WikiLeaks insurance file
In-Reply-To: <4E5FC93D.8000408@adversary.org>
References: <4E5668A3.7090104@TheHaverkamps.net> <87liuhv1dk.fsf@vigenere.g10code.de> <4E57609A.1000800@adversary.org> <87bovctjb0.fsf@vigenere.g10code.de> <4E57A628.10203@vulcan.xs4all.nl> <87y5ygrxy2.fsf@vigenere.g10code.de> <4E5FB1C1.8050208@vulcan.xs4all.nl> <4E5FC93D.8000408@adversary.org>
Message-ID: <1109021339230.2578@smasher>

On Fri, 2 Sep 2011, Ben McGinnes wrote:

> The password or passphrase for insurance.aes256 has not yet been
> revealed, but that file is believed to have been encrypted with either
> TrueCrypt or OpenSSL, probably the latter.
==============

i'm not sure about TrueCrypt, but OpenSSL usually leaves this clue...

$ strings file.enc | head -1
Salted__

--
...atom

________________________
http://atom.smasher.org/
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------

"The laws of Congress and the laws of physics have
grown increasingly divergent, and the laws of physics
are not likely to yield."
-- Bill McKibben

From ben at adversary.org Fri Sep 2 08:07:41 2011
From: ben at adversary.org (Ben McGinnes)
Date: Fri, 02 Sep 2011 16:07:41 +1000
Subject: Decrypting WikiLeaks insurance file
In-Reply-To: <1109021339230.2578@smasher>
References: <4E5668A3.7090104@TheHaverkamps.net> <87liuhv1dk.fsf@vigenere.g10code.de> <4E57609A.1000800@adversary.org> <87bovctjb0.fsf@vigenere.g10code.de> <4E57A628.10203@vulcan.xs4all.nl> <87y5ygrxy2.fsf@vigenere.g10code.de> <4E5FB1C1.8050208@vulcan.xs4all.nl> <4E5FC93D.8000408@adversary.org> <1109021339230.2578@smasher>
Message-ID: <4E6072AD.9020401@adversary.org>

On 2/09/11 11:41 AM, Atom Smasher wrote:
>
> i'm not sure about TrueCrypt, but OpenSSL usually leaves this clue...
>
> $ strings file.enc | head -1
> Salted__

I didn't know that, thanks.

Anyway, I've just had a look and the WL insurance file is using
OpenSSL.

Regards,
Ben

From Dave.Smith at st.com Fri Sep 2 09:59:23 2011
From: Dave.Smith at st.com (David Smith)
Date: Fri, 2 Sep 2011 08:59:23 +0100
Subject: Decrypting WikiLeaks insurance file
In-Reply-To: <4E5FE0DD.5000306@adversary.org>
References: <201109011702.p81H2oQR017809@fire.js.berklix.net> <4E5FE0DD.5000306@adversary.org>
Message-ID: <4E608CDB.8070601@st.com>

Ben McGinnes wrote:
> On 2/09/11 3:02 AM, Julian H. Stacey wrote:
>>> (talk about a long password). However, which tool is used to encrypt it?
>> Would running the unix 'file' command give a clue ?
>
> Nope, it just comes up as "data" and the only clue as to what type is
> the .aes256 extension it's been given.

Perhaps it is just encrypted with the basic AES256 cipher with no
OpenPGP wrapping?

I'm not sure whether GnuPG can decrypt raw AES data, but if not, you
should be able to download an AES256 algorithm from the net and compile
it into an application.
There might even be Perl/Tcl/etc. versions that don't even require
compilation.

From djpeterrobertson at gmail.com Sat Sep 3 10:51:58 2011
From: djpeterrobertson at gmail.com (David Robertson)
Date: Sat, 03 Sep 2011 09:51:58 +0100
Subject: OpenPGP card not working
In-Reply-To: <4E61E694.7000903@gmail.com>
References: <4E61E694.7000903@gmail.com>
Message-ID: <4E61EAAE.20704@gmail.com>

Hello,
I've just bought myself a Gemplus/Gemalto GemPC twin USB smartcard
reader and a V2.0 OpenPGP card. I'm running Debian Squeeze. I've set up
udev rules as described here
http://www.gnupg.org/howtos/card-howto/en/smartcard-howto-single.html .
However, when I insert my card and type gpg --card-status I get (gpg
1.4.10)

gpg: selecting openpgp failed: ec=6.108
gpg: OpenPGP card not available: general error

Using gpg2 (2.0.14), I get

gpg: selecting openpgp failed: Card error
gpg: OpenPGP card not available: Card error

If i su into root, I get a different output for gpg 1.4.10:

gpg: pcsc_establish_context failed: no service (0x8010001d)
gpg: card reader not available
gpg: OpenPGP card not available: general error

How can I fix this?

Thanks in advance,
David Robertson.

From m.aflakparast at ut.ac.ir Sat Sep 3 09:22:35 2011
From: m.aflakparast at ut.ac.ir (m.aflakparast at ut.ac.ir)
Date: Sat, 3 Sep 2011 11:52:35 +0430 (IRDT)
Subject: Decryption error
Message-ID: <45075.69.22.170.100.1315034555.squirrel@utservm.ut.ac.ir>

Greetings,

I already installed gpg4win-2.1.0.exe, and constructed my certification
and I got the passphrase.

Now, for decrypting "70195_B11_WTCCCT444825.CEL.gz.gpg", I opened
Kleopatra window and clicked on File option then clicked on
"Decrypt/Verify files" and then I entered my file's path then
Decrypt/Verify window is opened and I checked on the second choice "Input
file is an archive..", after clicking on Decrypt/Verify button I enter
passphrase then after a couple of seconds I face an error "Decryption
failed".

I wonder how to resolve this problem.

-Mehran

From djpeterrobertson at gmail.com Sat Sep 3 10:34:28 2011
From: djpeterrobertson at gmail.com (David Robertson)
Date: Sat, 03 Sep 2011 09:34:28 +0100
Subject: OpenPGP card not working
Message-ID: <4E61E694.7000903@gmail.com>

Hello,
I've just bought myself a Gemplus/Gemalto GemPC twin USB smartcard
reader and a V2.0 OpenPGP card. I'm running Debian Squeeze. I've set up
udev rules as described here
http://www.gnupg.org/howtos/card-howto/en/smartcard-howto-single.html .
However, when I insert my card and type gpg --card-status I get (gpg
1.4.10)

gpg: selecting openpgp failed: ec=6.108
gpg: OpenPGP card not available: general error

Using gpg2 (2.0.14), I get

gpg: selecting openpgp failed: Card error
gpg: OpenPGP card not available: Card error

If i su into root, I get a different output for gpg 1.4.10:

gpg: pcsc_establish_context failed: no service (0x8010001d)
gpg: card reader not available
gpg: OpenPGP card not available: general error

How can I fix this?

Thanks in advance,
David Robertson.

From gollo at fsfe.org Sat Sep 3 21:42:36 2011
From: gollo at fsfe.org (Martin Gollowitzer)
Date: Sat, 3 Sep 2011 21:42:36 +0200
Subject: OpenPGP card not working
In-Reply-To: <4E61EAAE.20704@gmail.com>
References: <4E61E694.7000903@gmail.com> <4E61EAAE.20704@gmail.com>
Message-ID: <20110903194236.GC3613@wingback.gollo.at>

* David Robertson [110903 11:18, mID <4E61EAAE.20704 at gmail.com>]:
> Hello,
> I've just bought myself a Gemplus/Gemalto GemPC twin USB smartcard
> reader and a V2.0 OpenPGP card. I'm running Debian Squeeze. I've set up
> udev rules as described here
> http://www.gnupg.org/howtos/card-howto/en/smartcard-howto-single.html .
> However, when I insert my card and type gpg --card-status I get (gpg
> 1.4.10)

My first guess: The Gemalto reader is actually not listed in that udev
file. Can you send me the output of

$ lsusb

so I can check? There is also a script [1] that does the udev stuff
automatically. I always try to integrate new readers into the script if
someone tells me the USB device ID :-)
Also, you might want to try out the Card howto [2] which is probably the
most up-to-date one around.

[1] http://download.fsfe.org/tools/cardreader/udev-howto-automatization.sh
[2] http://wiki.fsfe.org/Card_howtos/Card_with_subkeys_using_backups

Thanks,
Martin

From djpeterrobertson at gmail.com Sat Sep 3 22:05:33 2011
From: djpeterrobertson at gmail.com (David Robertson)
Date: Sat, 03 Sep 2011 21:05:33 +0100
Subject: OpenPGP card not working
In-Reply-To: <4E628782.4020907@gmail.com>
References: <4E628782.4020907@gmail.com>
Message-ID: <4E62888D.50009@gmail.com>

On 03/09/11 20:42, Martin Gollowitzer wrote:
> * David Robertson [110903 11:18,
> mID <4E61EAAE.20704 at gmail.com>]:
>
>> Hello,
>> I've just bought myself a Gemplus/Gemalto GemPC twin USB smartcard
>> reader and a V2.0 OpenPGP card. I'm running Debian Squeeze. I've set up
>> udev rules as described here
>> http://www.gnupg.org/howtos/card-howto/en/smartcard-howto-single.html .
>> However, when I insert my card and type gpg --card-status I get (gpg
>> 1.4.10)
>
> My first guess: The Gemalto reader is actually not listed in that udev
> file. Can you send me the output of
>
> $ lsusb
>
> so I can check? There is also a script [1] that does the udev stuff
> automatically. I always try to integrate new readers into the script if
> someone tells me the USB device ID :-)
> Also, you might want to try out the Card howto [2] which is probably the
> most up-to-date one around.
>
> [1] http://download.fsfe.org/tools/cardreader/udev-howto-automatization.sh
> [2] http://wiki.fsfe.org/Card_howtos/Card_with_subkeys_using_backups
>
> Thanks,
> Martin

It's in the output of lsusb:

$ lsusb
Bus 007 Device 002: ID 08e6:3437 Gemplus GemPC Twin SmartCard Reader
Bus 007 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 006 Device 003: ID 0518:0002 EzKEY Corp. EZ-9900C Keyboard
Bus 006 Device 002: ID 15d9:0a41 Trust International B.V.
MI-2540D [Optical mouse]
Bus 006 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 003 Device 005: ID 148f:3070 Ralink Technology, Corp. RT2870/RT3070 Wireless Adapter
Bus 003 Device 002: ID 0644:0200 TEAC Corp. All-In-One Multi-Card Reader CA200/B/S
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

I'll take a look at those links now.

Thanks,
David Robertson.

P.S. Sorry for sending that to you directly Martin, accidentally hit
reply rather than reply list.

From rjh at sixdemonbag.org Mon Sep 5 01:36:19 2011
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sun, 04 Sep 2011 19:36:19 -0400
Subject: kernel.org compromise
Message-ID: <4E640B73.5070703@sixdemonbag.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Due to the kernel.org compromise, their sysadmin staff (H. Peter Anvin
and John Hawley) are revoking their certificates and issuing new ones.
I just got off the phone with John: effective immediately he's using
certificate 0x2B466D9D. It's been uploaded to the keyserver network and
is currently propagating around.

If you're depending on kernel.org GnuPG signatures for anything, please
update your certificates appropriately.

-----BEGIN PGP SIGNATURE-----

iFYEAREIAAYFAk5kC3MACgkQI4Br5da5jhAjPQDgsaWnNa+NlAZ1KFumD884oBVf
kBgv4JGoAwWtIwDeMbnJwJVHZf78wBUUziTeLoAJHGslDti7AuhRzA==
=/3nL
-----END PGP SIGNATURE-----

From benchoff at bev.net Mon Sep 5 18:38:16 2011
From: benchoff at bev.net (Phil Benchoff)
Date: Mon, 5 Sep 2011 12:38:16 -0400
Subject: Signature validation in a script
Message-ID: <20110905163816.GA1931@groupw.cns.vt.edu>

I'm trying to write a shell script to verify a file signed with a detached
signature.
I want to test for a valid signature from a key in a keyring
that I specify. I want to be sure that no user options files, additional
keyrings, or environment variables can override what happens.

I have come up with the following options:

$GPG_BIN --trust-model always --no-default-keyring --keyring $KEYRING \
         --no-auto-key-locate --no-use-agent --batch --no-options \
         --verify $SIG_FILE $DATA_FILE

I am looking for a return value of 0 to indicate a valid signature.

It looks like this will work with both gpg and gpg2 even though all of
the options aren't necessary.

Are there any other options I should use?

Phil

From wk at gnupg.org Mon Sep 5 21:58:21 2011
From: wk at gnupg.org (Werner Koch)
Date: Mon, 05 Sep 2011 21:58:21 +0200
Subject: Signature validation in a script
In-Reply-To: <20110905163816.GA1931@groupw.cns.vt.edu> (Phil Benchoff's message of "Mon, 5 Sep 2011 12:38:16 -0400")
References: <20110905163816.GA1931@groupw.cns.vt.edu>
Message-ID: <87y5y23go2.fsf@vigenere.g10code.de>

On Mon, 5 Sep 2011 18:38, benchoff at bev.net said:

> signature. I want to test for a valid signature from a key in a keyring
> that I specify. I want to be sure that no user options files, additional

What you want is gpgv or gpgv2:

NAME
       gpgv - Verify OpenPGP signatures

SYNOPSIS
       gpgv [options] signed_files

DESCRIPTION
       gpgv is an OpenPGP signature verification tool.

       This program is actually a stripped-down version of gpg which is
       only able to check signatures. It is somewhat smaller than the
       fully-blown gpg and uses a different (and simpler) way to check
       that the public keys used to make the signature are valid. There
       are no configuration files and only a few options are implemented.

       gpgv assumes that all keys in the keyring are trustworthy. By
       default it uses a keyring named `trustedkeys.gpg' which is assumed
       to be in the home directory as defined by GnuPG or set by an option
       or an environment variable. An option may be used to specify
       another keyring or even multiple keyrings.

RETURN VALUE
       The program returns 0 if everything is fine, 1 if at least one
       signature was bad, and other error codes for fatal errors.

--
Thoughts are free. Exceptions are regulated by a federal law.

From benchoff at bev.net Mon Sep 5 22:16:14 2011
From: benchoff at bev.net (Phil Benchoff)
Date: Mon, 5 Sep 2011 16:16:14 -0400
Subject: Signature validation in a script
In-Reply-To: <87y5y23go2.fsf@vigenere.g10code.de>
References: <20110905163816.GA1931@groupw.cns.vt.edu> <87y5y23go2.fsf@vigenere.g10code.de>
Message-ID: <20110905201614.GA3719@groupw.cns.vt.edu>

On Mon, Sep 05, 2011 at 09:58:21PM +0200, Werner Koch wrote:
> On Mon, 5 Sep 2011 18:38, benchoff at bev.net said:
>
> > signature. I want to test for a valid signature from a key in a keyring
> > that I specify. I want to be sure that no user options files, additional
>
> What you want is gpgv or gpgv2:

That seems to do what I want if I include --homedir /dev/null. No
default keyring and the environment variable for GNUPGHOME is ignored.

Thanks!

Phil

From wk at gnupg.org Tue Sep 6 20:17:37 2011
From: wk at gnupg.org (Werner Koch)
Date: Tue, 06 Sep 2011 20:17:37 +0200
Subject: Decryption error
In-Reply-To: <45075.69.22.170.100.1315034555.squirrel@utservm.ut.ac.ir> (m. aflakparast's message of "Sat, 3 Sep 2011 11:52:35 +0430 (IRDT)")
References: <45075.69.22.170.100.1315034555.squirrel@utservm.ut.ac.ir>
Message-ID: <8762l5358e.fsf@vigenere.g10code.de>

On Sat, 3 Sep 2011 09:22, m.aflakparast at ut.ac.ir said:

> Now, for decrypting "70195_B11_WTCCCT444825.CEL.gz.gpg", I opened
> Kleopatra window and clicked on File option then clicked on
> "Decrypt/Verify files" and then I entered my file's path then
> Decrypt/Verify window is opened and I checked on the second choice "Input
> file is an archive..", after clicking on Decrypt/Verify button I enter

A plain *.gz file (which is the result of decrypting *.gz.gpg) is not an
archive.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
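
Added example, not part of any message in this archive: a wrapper for the "Signature validation in a script" thread above that runs gpgv with only the caller's keyring and `--homedir /dev/null`, checks the exit status quoted from the man page, and then (a step beyond what the thread discusses) reads the `--status-fd` lines so the caller can pin the signer's fingerprint. The function names, the `GPGV_BIN` variable and the sample status lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Usage: verify_detached KEYRING SIG DATA [FINGERPRINT]
#   returns 0 only if gpgv accepted the signature and, when FINGERPRINT is
#   given, a valid signature was made by that key (signing or primary key).

# Constructed sample status output (hypothetical key ID and fingerprint).
SAMPLE_GOOD='[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer
[GNUPG:] VALIDSIG AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF 2011-09-05 1315240696 0 4 0 1 8 00 AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF'
SAMPLE_BAD='[GNUPG:] BADSIG 0123456789ABCDEF Example Signer'

# status_verdict [FINGERPRINT]: read --status-fd lines on stdin.
# Accept only if at least one VALIDSIG is present (matching FINGERPRINT when
# one is given) and no failure keyword appears for any signature.
status_verdict() {
    awk -v want="${1:-}" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # $3 is the signing key fingerprint; the last field is the
            # primary key fingerprint when gpgv reports one.
            if (want == "" || toupper($3) == toupper(want) ||
                toupper($NF) == toupper(want)) good = 1
        }
        END { exit ((good && !bad) ? 0 : 1) }
    '
}

verify_detached() {
    keyring=$1; sig=$2; data=$3; fpr=${4:-}

    # gpgv looks for a keyring name without a slash inside its home
    # directory, so insist on an absolute path to the caller's keyring.
    case $keyring in
        /*) ;;
        *) echo "keyring must be an absolute path" >&2; return 2 ;;
    esac

    # --homedir /dev/null: no default trustedkeys.gpg, GNUPGHOME ignored.
    # Status lines go to stdout (fd 1); gpgv's log output is discarded.
    status=$("${GPGV_BIN:-gpgv}" --homedir /dev/null --keyring "$keyring" \
             --status-fd 1 "$sig" "$data" 2>/dev/null)
    rc=$?

    # Man page: 0 = fine, 1 = at least one bad signature, other = fatal.
    [ "$rc" -eq 0 ] || return "$rc"

    printf '%s\n' "$status" | status_verdict "$fpr"
}

# Run as a script: verify-detached.sh KEYRING SIG DATA [FINGERPRINT]
if [ "$#" -ge 3 ]; then
    verify_detached "$@"
    exit $?
fi
```

The exit status alone says that some key in the keyring signed the file; the fingerprint argument is what ties the result to one specific key when the keyring holds several.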
From tiago at xroot.org Wed Sep 7 03:13:44 2011
From: tiago at xroot.org (Tiago Faria)
Date: Wed, 7 Sep 2011 02:13:44 +0100
Subject: WARNING: digest algorithm MD5 is deprecated
Message-ID: <20110907021344.3ceba81e@x41.lan>

Hi everyone,

After a few searches I decided to ask the list if they can provide some
help on this matter.

While refreshing the keys, I get the warning mentioned on the subject
while updating my own public key.

My preferences are set to SHA512, SHA384, SHA256, SHA224, SHA1 or H10 H9
H8 H11, so I don't understand why it's complaining about MD5.

I most certainly am missing something, and I would appreciate any
help.

Thank you.

Regards,
Tiago

--
Tiago Faria | http://xroot.org
OpenPGP Key ID: 0xB9466FB4 | http://xroot.org/contact
FingerPrint: 27FB1E3581B856269450EAFC25178AB4B9466FB4

From dkg at fifthhorseman.net Wed Sep 7 14:36:39 2011
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 07 Sep 2011 08:36:39 -0400
Subject: WARNING: digest algorithm MD5 is deprecated
In-Reply-To: <20110907021344.3ceba81e@x41.lan>
References: <20110907021344.3ceba81e@x41.lan>
Message-ID: <4E676557.2070801@fifthhorseman.net>

On 09/06/2011 09:13 PM, Tiago Faria wrote:
> Hi everyone,
>
> After a few searches I decided to ask the list if they can provide some
> help on this matter.
>
> While refreshing the keys, I get the warning mentioned on the subject
> while updating my own public key.
>
> My preferences are set to SHA512, SHA384, SHA256, SHA224, SHA1 or H10 H9
> H8 H11, so I don't understand why it's complaining about MD5.

fetching your key from the keyservers and inspecting it with pgpdump, i
see nothing about MD5 either.
here's what i did:

gpg --recv 27FB1E3581B856269450EAFC25178AB4B9466FB4
gpg --export 27FB1E3581B856269450EAFC25178AB4B9466FB4 | \
  pgpdump | grep 'Hash alg'

Can you show a full transcript [0] of what you did that produced the
warning?

--dkg

[0] https://support.mayfirst.org/wiki/terminal_transcripts

From djpeterrobertson at gmail.com Wed Sep 7 22:13:45 2011
From: djpeterrobertson at gmail.com (David Robertson)
Date: Wed, 07 Sep 2011 21:13:45 +0100
Subject: OpenPGP card issues
Message-ID: <4E67D079.3080905@gmail.com>

I posted this earlier:

>Hello,
>I've just bought myself a Gemplus/Gemalto GemPC twin USB smartcard
>reader and a V2.0 OpenPGP card. I'm running Debian Squeeze. I've set up
>udev rules as described here
>http://www.gnupg.org/howtos/card-howto/en/smartcard-howto-single.html .
>However, when I insert my card and type gpg --card-status I get (gpg
>1.4.10)
>
>gpg: selecting openpgp failed: ec=6.108
>gpg: OpenPGP card not available: general error
>
>Using gpg2 (2.0.14), I get
>
>gpg: selecting openpgp failed: Card error
>gpg: OpenPGP card not available: Card error
>
>If i su into root, I get a different output for gpg 1.4.10:
>
>gpg: pcsc_establish_context failed: no service (0x8010001d)
>gpg: card reader not available
>gpg: OpenPGP card not available: general error
>

I had it up and running since I posted this but yesterday it
spontaneously stopped working again.

I've since been emailing Martin Gollowitzer from this list as he helped
me get it to work in the first place, but he ran out of ideas of how to
fix it.

Anyway, some background info:
* The reader is a Gemalto/gemplus GemPC twin (USB)
* The card is an OpenPGP V2.0 bought from kernelconcepts
* I'm pretty sure I've got all of the udev stuff set up fine, No changes
were made to anything udev when it broke, and I tried removing the
relevant rules and adding them with Martin's script from here
http://download.fsfe.org/tools/cardreader/udev-howto-automatization.sh
* Now, the outputs of gpg --card-status and gpg2 --card-status are as
follows:
david at david-desktop-debian:~$ gpg2 --card-status
gpg: selecting openpgp failed: Card error
gpg: OpenPGP card not available: Card error
david at david-desktop-debian:~$ gpg --card-status
gpg: selecting openpgp failed: ec=6.108
gpg: OpenPGP card not available: general error
david at david-desktop-debian:~$
* And as root:
david at david-desktop-debian:/$ sudo su
[sudo] password for david:
root at david-desktop-debian:/# gpg --card-status
gpg: pcsc_establish_context failed: comm error (0x80100013)
gpg: card reader not available
gpg: OpenPGP card not available: general error
root at david-desktop-debian:/# gpg2 --card-status
can't connect to `/root/.gnupg/S.gpg-agent': No such file or directory
scdaemon[6852]: PC/SC OPEN failed: comm error
gpg: selecting openpgp failed: Card error
gpg: OpenPGP card not available: Card error
root at david-desktop-debian:/# scdaemon[6852]: scdaemon (GnuPG) 2.0.14
stopped
* pcscd and gpg-agent are definitely running

Any ideas anyone?

--
Thanks,
David Robertson.
david at davidr.me | djpeterrobertson at gmail.com

From tiago at xroot.org Wed Sep 7 23:56:41 2011
From: tiago at xroot.org (Tiago Faria)
Date: Wed, 7 Sep 2011 22:56:41 +0100
Subject: WARNING: digest algorithm MD5 is deprecated
In-Reply-To: <4E676557.2070801@fifthhorseman.net>
References: <20110907021344.3ceba81e@x41.lan> <4E676557.2070801@fifthhorseman.net>
Message-ID: <20110907225641.48ee85e3@stacker.local>

On Wed, 07 Sep 2011 08:36:39 -0400
Daniel Kahn Gillmor wrote:

> fetching your key from the keyservers and inspecting it with pgpdump,
> i see nothing about MD5 either. here's what i did:
>
> gpg --recv 27FB1E3581B856269450EAFC25178AB4B9466FB4
> gpg --export 27FB1E3581B856269450EAFC25178AB4B9466FB4 | \
> pgpdump | grep 'Hash alg'
>
> Can you show a full transcript [0] of what you did that produced the
> warning?
>
> --dkg

Hi Daniel,

Thanks for getting back to me.

Here is a report of what I did:

$ gpg --refresh-keys
gpg: refreshing 37 keys from hkp://pool.sks-keyservers.net
(...)
gpg: key B9466FB4: "Tiago Faria " not changed
gpg: WARNING: digest algorithm MD5 is deprecated
(...)

Hope this is enough, if not I'll send the full transcript as soon as I
get home.

Thank you.

Tiago

--
Tiago Faria | http://xroot.org
OpenPGP Key ID: 0xB9466FB4 | http://xroot.org/contact
FingerPrint: 27FB1E3581B856269450EAFC25178AB4B9466FB4

From david at systemoverlord.com Thu Sep 8 00:15:42 2011
From: david at systemoverlord.com (David Tomaschik)
Date: Wed, 07 Sep 2011 18:15:42 -0400
Subject: OpenPGP card issues
In-Reply-To: <4E67D079.3080905@gmail.com>
References: <4E67D079.3080905@gmail.com>
Message-ID: <4E67ED0E.7080106@systemoverlord.com>

On 09/07/2011 04:13 PM, David Robertson wrote:
> I posted this earlier:
>
>> Hello,
>> I've just bought myself a Gemplus/Gemalto GemPC twin USB smartcard
>> reader and a V2.0 OpenPGP card. I'm running Debian Squeeze. I've set up
>> udev rules as described here
>> http://www.gnupg.org/howtos/card-howto/en/smartcard-howto-single.html .
>> However, when I insert my card and type gpg --card-status I get (gpg
>> 1.4.10)
>>
>> gpg: selecting openpgp failed: ec=6.108
>> gpg: OpenPGP card not available: general error
>>
>> Using gpg2 (2.0.14), I get
>>
>> gpg: selecting openpgp failed: Card error
>> gpg: OpenPGP card not available: Card error
>>
>> If i su into root, I get a different output for gpg 1.4.10:
>>
>> gpg: pcsc_establish_context failed: no service (0x8010001d)
>> gpg: card reader not available
>> gpg: OpenPGP card not available: general error
>>
> I had it up and running since I posted this but yesterday it
> spontaneously stopped working again.
>
> I've since been emailing Martin Gollowitzer from this
> list as he helped me get it to work in the first place, but he ran out
> of ideas of how to fix it.
>
> Anyway, some background info:
> * The reader is a Gemalto/gemplus GemPC twin (USB)
> * The card is an OpenPGP V2.0 bought from kernelconcepts
> * I'm pretty sure I've got all of the udev stuff set up fine, No changes
> were made to anything udev when it broke, and I tried removing the
> relevant rules and adding them with Martin's script from here
> http://download.fsfe.org/tools/cardreader/udev-howto-automatization.sh
> * Now, the outputs of gpg --card-status and gpg2 --card-status are as
> follows:
> david at david-desktop-debian:~$ gpg2 --card-status
> gpg: selecting openpgp failed: Card error
> gpg: OpenPGP card not available: Card error
> david at david-desktop-debian:~$ gpg --card-status
> gpg: selecting openpgp failed: ec=6.108
> gpg: OpenPGP card not available: general error
> david at david-desktop-debian:~$
> * And as root:
> david at david-desktop-debian:/$ sudo su
> [sudo] password for david:
> root at david-desktop-debian:/# gpg --card-status
> gpg: pcsc_establish_context failed: comm error (0x80100013)
> gpg: card reader not available
> gpg: OpenPGP card not available: general error
> root at david-desktop-debian:/# gpg2 --card-status
> can't connect to `/root/.gnupg/S.gpg-agent': No such file or directory
> scdaemon[6852]: PC/SC OPEN failed: comm error
> gpg: selecting openpgp failed: Card error
> gpg: OpenPGP card not available: Card error
> root at david-desktop-debian:/# scdaemon[6852]: scdaemon (GnuPG) 2.0.14
> stopped
> * pcscd and gpg-agent are definitely running
>
>
> Any ideas anyone?
>

I'd meant to respond to your first message when I saw it on my phone,
but then promptly forgot.

It looks like gpg2 can't find your gpg-agent socket. Try adding
"use-standard-socket" to ~/.gnupg/gpg-agent.conf (or starting gpg-agent
with --use-standard-socket) and see if that helps.

Also, make sure seahorse and other gnome utilities aren't getting in the
way. I've run into their "pseudo-gpg-agent" too many times.

David

--
David Tomaschik, RHCE, LPIC-1
System Administrator/Open Source Advocate
OpenPGP: 0x5DEA789B
http://systemoverlord.com
david at systemoverlord.com

From wk at gnupg.org Thu Sep 8 11:48:59 2011
From: wk at gnupg.org (Werner Koch)
Date: Thu, 08 Sep 2011 11:48:59 +0200
Subject: WARNING: digest algorithm MD5 is deprecated
In-Reply-To: <20110907225641.48ee85e3@stacker.local> (Tiago Faria's message of "Wed, 7 Sep 2011 22:56:41 +0100")
References: <20110907021344.3ceba81e@x41.lan> <4E676557.2070801@fifthhorseman.net> <20110907225641.48ee85e3@stacker.local>
Message-ID: <87y5xzz7n8.fsf@vigenere.g10code.de>

On Wed, 7 Sep 2011 23:56, tiago at xroot.org said:

> gpg: key B9466FB4: "Tiago Faria " not changed
> gpg: WARNING: digest algorithm MD5 is deprecated

Please set a breakpoint at print_digest_algo_note and then show us a
backtrace (gdb command: bt full).

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From vedaal at nym.hush.com Thu Sep 8 20:54:05 2011
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Thu, 08 Sep 2011 14:54:05 -0400
Subject: displaying decrypted plaintext on screen instead of output to file
Message-ID: <20110908185406.1035F6F442@smtp.hushmail.com>

Is there an option in gnupg like the '-m' option in pgp which
allows the display of decrypted plaintext on the screen instead of
saving to file,
even when the file is encrypted 'without' the '--for-your-eyes-only'
option?

I tried:

gpg --for-your-eyes-only file.asc

but gnupg decrypts and saves it to file.txt and doesn't display the
plaintext.

Also, is it possible to encrypt a short message by entering the
plaintext string without entering a plaintext filename?
(It wouldn't matter if gnupg saves the ciphertext as an output file.)

(I know it is trivial to do with a front end that just encrypts
anything copied to clipboard, but can it be done just from the
gnupg commandline?)

Thanks,

vedaal

From dkg at fifthhorseman.net Thu Sep 8 21:02:32 2011
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Thu, 08 Sep 2011 15:02:32 -0400
Subject: displaying decrypted plaintext on screen instead of output to file
In-Reply-To: <20110908185406.1035F6F442@smtp.hushmail.com>
References: <20110908185406.1035F6F442@smtp.hushmail.com>
Message-ID: <4E691148.2050607@fifthhorseman.net>

On 09/08/2011 02:54 PM, vedaal at nym.hush.com wrote:
> Is there an option in gnupg like the '-m' option in pgp which
> allows the display of decrypted plaintext on the screen instead of
> saving to file,

you could try using stdin and stdout. For example:

 gpg --decrypt < file.asc

(or pipe that into your favorite non-caching pager, e.g. /usr/bin/less)

 gpg --encrypt --armor -r $recipient

(then type your message, and end with a ctrl-D after the last newline)

hth,

 --dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1030 bytes
Desc: OpenPGP digital signature
URL:

From vedaal at nym.hush.com Thu Sep 8 22:21:55 2011
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Thu, 08 Sep 2011 16:21:55 -0400
Subject: displaying decrypted plaintext on screen instead of output to file
Message-ID: <20110908202155.DF4066F446@smtp.hushmail.com>

On Thu, 08 Sep 2011 15:02:32 -0400 Daniel Kahn Gillmor wrote:
>On 09/08/2011 02:54 PM, vedaal at nym.hush.com wrote:
>> Is there an option in gnupg like the '-m' option in pgp which
>> allows the display of decrypted plaintext on the screen instead
>of
>> saving to file,

> gpg --encrypt --armor -r $recipient
>
> (then type your message, and end with a ctrl-D after the last
>newline)

-----

can't get it to work,

this is what happens (using cygwin on winxp):

First, with your suggestion:

$ gpg --encrypt --armor -r testkey just a test
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
usage: gpg [options] --encrypt [filename]

then trying,

$ gpg --encrypt --armor -r testkey 'just a test'
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: can't open `just a test': No such file or directory
gpg: just a test: encryption failed: file open error

then trying,

$ gpg --encrypt --armor -o c:/ptt.asc -r testkey 'just a test'
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: can't open `just a test': No such file or directory
gpg: just a test: encryption failed: file open error

then, just as a control, which did work,

$ gpg -r testkey -o c:/f2.asc -a -e c:/f1.txt
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information

as expected, gnupg produced f2.asc as the desired ciphertext, but
only by encrypting the plaintext in the input file f1.txt

If you, (or anyone else here), were able to get this to work, could
you please list all the steps and the gpg output?

Thanks!

vedaal

From dkg at fifthhorseman.net Thu Sep 8 22:33:38 2011
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Thu, 08 Sep 2011 16:33:38 -0400
Subject: displaying decrypted plaintext on screen instead of output to file
In-Reply-To: <20110908202155.DF4066F446@smtp.hushmail.com>
References: <20110908202155.DF4066F446@smtp.hushmail.com>
Message-ID: <4E6926A2.7050207@fifthhorseman.net>

On 09/08/2011 04:21 PM, vedaal at nym.hush.com wrote:
> On Thu, 08 Sep 2011 15:02:32 -0400 Daniel Kahn Gillmor
> wrote:
>> On 09/08/2011 02:54 PM, vedaal at nym.hush.com wrote:
>>> Is there an option in gnupg like the '-m' option in pgp which
>>> allows the display of decrypted plaintext on the screen instead
>> of
>>> saving to file,
>
>> gpg --encrypt --armor -r $recipient
>>
>> (then type your message, and end with a ctrl-D after the last
>> newline)

> can't get it to work,
>
> this is what happens (using cygwin on winxp):

it looks like you didn't hit return after the recipient address?

hitting return on just the command i wrote invokes gpg, which will be
waiting for data on its standard input. Then, you type what you want to
encrypt, hit return, and then ctrl-d to indicate end-of-file. gpg
realizes its input is done, processes the material, and dumps the
encrypted output to stdout.

Alternately, you could feed your data directly on stdin from the command
line with a pipe, like this:

 printf "just a test" | gpg --encrypt --armor -r $recipient

If you're not down with these patterns, i recommend getting comfortable
with stdin and stdout. The time spent will be repaid immensely if you
plan to work with UNIX-like systems in the future. I recommend reading
up on the basics of the concept:

 http://www.linfo.org/standard_input.html
 http://www.linfo.org/standard_output.html
 https://secure.wikimedia.org/wikipedia/en/wiki/Standard_streams

and maybe also searching around on the 'net for some tutorials.
Playing with pipes and redirection in your favorite shell is probably the
best way to really internalize the concept, of course.

hth,

 --dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1030 bytes
Desc: OpenPGP digital signature
URL:

From vedaal at nym.hush.com Thu Sep 8 22:42:27 2011
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Thu, 08 Sep 2011 16:42:27 -0400
Subject: displaying decrypted plaintext on screen instead of output to file
Message-ID: <20110908204227.42EB76F442@smtp.hushmail.com>

On Thu, 08 Sep 2011 16:33:38 -0400 Daniel Kahn Gillmor wrote:

>Alternately, you could feed your data directly on stdin from the
>command
>line with a pipe, like this:
>
> printf "just a test" | gpg --encrypt --armor -r $recipient

Thanks!
worked perfectly.

$ printf "just a test" | gpg --encrypt --armor -r testkey
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information

>
>If you're not down with these patterns, i recommend getting
>comfortable
>with stdin and stdout. The time spent will be repaid immensely if
>you
>plan to work with UNIX-like systems in the future.
>I recommend
>reading
>up on the basics of the concept:
>
> http://www.linfo.org/standard_input.html
> http://www.linfo.org/standard_output.html
> https://secure.wikimedia.org/wikipedia/en/wiki/Standard_streams
>
>and maybe also searching around on the 'net for some tutorials.
>Playing
>with pipes and redirection in your favorite shell is probably the
>best
>way to really internalize the concept, of course.

Thanks Again,

vedaal

From vedaal at nym.hush.com Thu Sep 8 23:26:51 2011
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Thu, 08 Sep 2011 17:26:51 -0400
Subject: displaying decrypted plaintext on screen instead of output to file
Message-ID: <20110908212651.6326D6F443@smtp.hushmail.com>

On Thu, 08 Sep 2011 17:02:07 -0400 Jean-David Beyer wrote:
>vedaal at nym.hush.com wrote:
>> On Thu, 08 Sep 2011 16:33:38 -0400 Daniel Kahn Gillmor
>> wrote:
>>
>>> Alternately, you could feed your data directly on stdin from
>the
>>> command
>>> line with a pipe, like this:
>>>
>>> printf "just a test" | gpg --encrypt --armor -r $recipient
>>
>> Thanks!
>> worked perfectly.
>>
>Why send it to me encrypted, when I you did not use my public key
>to
>encrypt it? Alternatively, you need to send me your private key.
>You
>would be an idiot to send anyone your private key.

-----

It was just to see if gnupg could encrypt the plaintext as input on
the screen, and showing that DGK's suggestion worked, so I encrypted
it to a testkey.

The same principle works very easily with:

$ printf "just a test" | gpg -c -a -o filesave.asc

or

$ printf "just a test" | gpg -a -r yourkey -o filesave.asc

which is something I would not have known before DGK's suggestion.

vedaal

From djpeterrobertson at gmail.com Fri Sep 9 00:14:24 2011
From: djpeterrobertson at gmail.com (David Robertson)
Date: Thu, 8 Sep 2011 23:14:24 +0100
Subject: OpenPGP card issues
In-Reply-To: <4E67ED0E.7080106@systemoverlord.com>
References: <4E67D079.3080905@gmail.com> <4E67ED0E.7080106@systemoverlord.com>
Message-ID:

I don't have a ~/.gnupg/gpg-agent.conf and starting gpg-agent with
--use-standard-socket doesn't work:

david at david-desktop-debian:/$ gpg-agent --use-standard-socket
gpg-agent[4092]: can't connect to `/tmp/gpg-ZGPhgS/S.gpg-agent': No such file or directory
gpg-agent[4092]: can't connect to `/home/david/.gnupg/S.gpg-agent': No such file or directory
gpg-agent: can't connect to the agent: IPC connect call failed
david at david-desktop-debian:/$ sudo su
[sudo] password for david:
root at david-desktop-debian:/# gpg-agent --use-standard-socket
gpg-agent[4104]: can't connect to `/root/.gnupg/S.gpg-agent': No such file or directory
gpg-agent: no gpg-agent running in this session

I've completely removed seahorse and that's done nothing either, so I've
reinstalled it for now.

Also it seemed originally I only couldn't connect to gpg-agent when I had
SUed to root, now I seem to get this:

david at david-desktop-debian:/$ gpg2 --card-status
can't connect to `/tmp/gpg-ZGPhgS/S.gpg-agent': No such file or directory
gpg: can't connect to the agent - trying fall back
can't connect to `/home/david/.gnupg/S.gpg-agent': No such file or directory
scdaemon[4301]: PC/SC OPEN failed: comm error
gpg: selecting openpgp failed: Card error
gpg: OpenPGP card not available: Card error
david at david-desktop-debian:/$ scdaemon[4301]: scdaemon (GnuPG) 2.0.14 stopped

--
Thanks,
David Robertson.
djpeterrobertson at gmail.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From email at sven-radde.de Fri Sep 9 07:14:59 2011
From: email at sven-radde.de (Sven Radde)
Date: Fri, 09 Sep 2011 07:14:59 +0200
Subject: displaying decrypted plaintext on screen instead of output to file
In-Reply-To: <20110908185406.1035F6F442@smtp.hushmail.com>
References: <20110908185406.1035F6F442@smtp.hushmail.com>
Message-ID: <4E69A0D3.6050003@sven-radde.de>

On -10.01.-28163 20:59, vedaal at nym.hush.com wrote:
> Is there an option in gnupg like the '-m' option in pgp which
> allows the display of decrypted plaintext on the screen instead of
> saving to file,

Use "-" as the output filename and pipe that into more/less/..., as in

gpg -o - file.gpg | more

It doesn't look too good if gpg's output includes metadata like "Good
signature from ...", though.

cu, Sven

From wk at gnupg.org Fri Sep 9 11:12:45 2011
From: wk at gnupg.org (Werner Koch)
Date: Fri, 09 Sep 2011 11:12:45 +0200
Subject: OpenPGP card issues
In-Reply-To: (David Robertson's message of "Thu, 8 Sep 2011 23:14:24 +0100")
References: <4E67D079.3080905@gmail.com> <4E67ED0E.7080106@systemoverlord.com>
Message-ID: <87pqjayt82.fsf@vigenere.g10code.de>

On Fri, 9 Sep 2011 00:14, djpeterrobertson at gmail.com said:

> david at david-desktop-debian:/$ gpg-agent --use-standard-socket

To start the agent you need to add the --daemon argument. For testing
you may use this:

 gpg-agent --use-standard --daemon sh

which opens a new shell and sets up everything. You need to make sure
that no other agent is running and controlling the card.

You should also unset the GPG_AGENT_INFO envvar which might have been set
by another script.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From vedaal at nym.hush.com Fri Sep 9 15:44:54 2011
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Fri, 09 Sep 2011 09:44:54 -0400
Subject: displaying decrypted plaintext on screen instead of output to file
Message-ID: <20110909134454.9F13B6F442@smtp.hushmail.com>

On Fri, 09 Sep 2011 01:14:59 -0400 Sven Radde wrote:
>On -10.01.-28163 20:59, vedaal at nym.hush.com wrote:

>Use "-" as the output filename and pipe that into more/less/...,
>as in
>
>gpg -o - file.gpg | more

Thanks!

works perfectly,
and shorter than --for-your-eyes-only ;-)

vedaal

From djpeterrobertson at gmail.com Fri Sep 9 21:00:32 2011
From: djpeterrobertson at gmail.com (David Robertson)
Date: Fri, 09 Sep 2011 20:00:32 +0100
Subject: OpenPGP card issues
In-Reply-To: <87pqjayt82.fsf@vigenere.g10code.de>
References: <4E67D079.3080905@gmail.com> <4E67ED0E.7080106@systemoverlord.com> <87pqjayt82.fsf@vigenere.g10code.de>
Message-ID: <4E6A6250.2030900@gmail.com>

> To start the agent you need to add the --daemon argument. For
> testing you may use this:
>
> gpg-agent --use-standard --daemon sh
>
> which opens a new shell and sets up everything. You need to make
> sure that no other agent is running and controlling the card.
>
> You should also unset the GPG_AGENT_INFO envvar which might have
> been set by another script.

I tried this:

david at david-desktop-debian:~$ unset GPG_AGENT_INFO
david at david-desktop-debian:~$ gpg-agent --use-standard --daemon sh
gpg-agent[7657]: a gpg-agent is already running - not starting a new one
david at david-desktop-debian:~$ pkill gpg-agent
david at david-desktop-debian:~$ gpg-agent --use-standard --daemon sh
$ gpg2 --card-status
gpg: selecting openpgp failed: Card error
gpg: OpenPGP card not available: Card error
$

--
Thanks,
David Robertson.
david at davidr.me | djpeterrobertson at gmail.com

From peter.spatz at xchanging.com Thu Sep 8 09:01:29 2011
From: peter.spatz at xchanging.com (Peter Spatz)
Date: Thu, 8 Sep 2011 09:01:29 +0200
Subject: Compiling: Make fails libjn
Message-ID: <699B941ACF3F324F90C4ABAA8D8D90E516C6FBB1@SRV50005.ad.xglobal.com>

Hello,

Compiling fails:

OS: SunOS 5.10 Generic_144489-11 i86pc i386 i86pc
gcc version 3.4.6
GNU Make 3.81

Configure without failure.

Make:
gcc -DJNLIB_IN_JNLIB -I/opt/XTBgnupg/include -g -O2 -Wall -Wpointer-arith -o t-stringhelp t-stringhelp.o t-support.o libjnlib.a -lintl
gcc: libjnlib.a: No such file or directory
make[2]: *** [t-stringhelp] Error 1
make[2]: Leaving directory `/mnt/devel/compile/i86pc/sol10/gnupg-2.0.18/jnlib'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/mnt/devel/compile/i86pc/sol10/gnupg-2.0.18'
make: *** [all] Error 2

As long as I'm not in subscription, send CC.

Kind regards / Best Regards

Peter Spatz
Xchanging Transaction Bank GmbH
Technology Financial Services
IT Production / Data Center Operations XTB
---------------------------------------------------------------
Wilhelm-Fay-Straße 31-37
65936 Frankfurt
Germany
IT Service Desk: +49 (0) 69 12012 64446
Fax: +49 (0) 69 12012 68825
Hotline Mailbox: mailto:pchelp at xchanging.com
E-mail: mailto:peter.spatz at xchanging.com
Web: http://www.xchanging.de

Xchanging - inspiring innovation

Please consider the environment before printing this e-mail.

Xchanging Transaction Bank GmbH - HRB 58 951 - Registered office Frankfurt - Local court (Amtsgericht) Frankfurt am Main
Chairman of the Supervisory Board: Johannes Maret - Managing Directors: Joerg Brand, Andreas Povel, Catrin E. Roethe
--------------------------------------------------------------------------------------------
"This e-mail may contain confidential and/or privileged information. If
you are not the intended recipient (or have received this e-mail in
error) please notify the sender immediately and destroy this e-mail. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden."

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From vedaal at nym.hush.com Tue Sep 13 16:41:20 2011
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Tue, 13 Sep 2011 10:41:20 -0400
Subject: windows binary for gnupg 1.4.11 // link no longer on gnupg site?
Message-ID: <20110913144120.6633CA6E3F@smtp.hushmail.com>

On the gnupg download site,
http://gnupg.org/download/

There is no link for a windows binary for 1.4.11, only a link to
the gpg4win site (a GREAT site and program, btw, but only for gnupg
2.x).

Is there going to be a windows binary for future builds of the
gnupg 1.x branch?

(I'm interested primarily in order to update Maxine Brandt's
Torduninja site that I recreated, as no one had access to her old
site after she passed on)

http://www.angelfire.com/mb2/mbgpg2go/tp.html

Thanks,

vedaal

From thajsta at gmail.com Tue Sep 13 16:48:48 2011
From: thajsta at gmail.com (Jonathan Ely)
Date: Tue, 13 Sep 2011 10:48:48 -0400
Subject: windows binary for gnupg 1.4.11 // link no longer on gnupg site?
In-Reply-To: <20110913144120.6633CA6E3F@smtp.hushmail.com>
References: <20110913144120.6633CA6E3F@smtp.hushmail.com>
Message-ID: <4E6F6D50.9080404@gmail.com>

It is no longer shown but it is available at ftp.gnupg.org/gnupg/binaries
or something of the sort. Copy one of the link locations that link to
the source code and modify that path in the location bar.
It is inconvenient no doubt but it works. I hope there will be updates to
the 1.x branch because I use it with Enigmail and have no use for the PGP
agent that I read is mandatory in the 2.x branch.

On 13/09/2011 10:41 AM, vedaal at nym.hush.com wrote:
> On the gnupg download site,
> http://gnupg.org/download/
>
> There is no link for a windows binary for 1.4.11, only a link to
> the gpg4win site (a GREAT site and program, btw, but only for gnupg
> 2.x).
>
> Is there going to be a windows binary for future builds of the
> gnupg 1.x branch?
>
> (I'm interested primarily in order to update Maxine Brandt's
> Torduninja site that I recreated, as no one had access to her old
> site after she passed on)
>
> http://www.angelfire.com/mb2/mbgpg2go/tp.html
>
> Thanks,
>
> vedaal
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

--
Brotha J.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0xDA74EEF3.asc
Type: application/pgp-keys
Size: 3102 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 834 bytes
Desc: OpenPGP digital signature
URL:

From wk at gnupg.org Tue Sep 13 20:59:03 2011
From: wk at gnupg.org (Werner Koch)
Date: Tue, 13 Sep 2011 20:59:03 +0200
Subject: windows binary for gnupg 1.4.11 // link no longer on gnupg site?
In-Reply-To: <20110913144120.6633CA6E3F@smtp.hushmail.com> (vedaal@nym.hush.com's message of "Tue, 13 Sep 2011 10:41:20 -0400")
References: <20110913144120.6633CA6E3F@smtp.hushmail.com>
Message-ID: <8739g0w9oo.fsf@vigenere.g10code.de>

On Tue, 13 Sep 2011 16:41, vedaal at nym.hush.com said:

> Is there going to be a windows binary for future builds of the
> gnupg 1.x branch?

I am not sure whether it is worth my time to build future 1.4 binaries;
there are only a very few use cases where it does make sense - if there
is one at all (Anyone still using NT 3.5 or so?).

In particular the collected donations of exactly 1 Euro received in the
6 weeks since we have a donation button is not encouraging me to work on
a special binary release for an OS and GnuPG version I have no need for.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From rjh at sixdemonbag.org Tue Sep 13 21:10:24 2011
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 13 Sep 2011 12:10:24 -0700
Subject: windows binary for gnupg 1.4.11 // link no longer on gnupg site?
In-Reply-To: <8739g0w9oo.fsf@vigenere.g10code.de>
References: <20110913144120.6633CA6E3F@smtp.hushmail.com> <8739g0w9oo.fsf@vigenere.g10code.de>
Message-ID: <5c06a82e7fe9b064884d0491679baba2@localhost>

> In particular the collected donations of exactly 1 Euro received in the
> 6 weeks since we have a donation button is not encouraging me to work on
> a special binary release for an OS and GnuPG version I have no need for.

Wait, we have a donation button now? Where?

From vedaal at nym.hush.com Tue Sep 13 21:43:05 2011
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Tue, 13 Sep 2011 15:43:05 -0400
Subject: windows binary for gnupg 1.4.11 // link no longer on gnupg site?
Message-ID: <20110913194305.3F42CA6E34@smtp.hushmail.com>

On Tue, 13 Sep 2011 14:59:03 -0400 Werner Koch wrote:

>>I am not sure whether it is worth my time to build future 1.4
>binaries;
>there are only a very few use cases where it does make sense - if
>there
>is one at all (Anyone still using NT 3.5 or so?).
>
>In particular the collected donations of exactly 1 Euro received
>in the
>6 weeks since we have a donation button is not encouraging me to
>work on
>a special binary release for an OS and GnuPG version I have no
>need for.

For all the work that you DO do, you certainly shouldn't have to do
anything EXTRA you have no need for.

So, if I can make things even a little easier, I was able to compile
a windows binary for gnupg.1.4.11 from the listed sourcecode without
too much difficulty, so am posting this for whomever it might be
helpful.

If anyone has any corrections please post,
Thanks.

-----

Compiling your own windows binary on windows
(for people who never used a compiler):

First, download the gnupg 1.x source code from the gnupg.org site,
and verify the signature and checksum.

Then download MINGW and MSYS from sourceforge,
http://sourceforge.net/projects/mingw/files/

(click on 'Download mingw-get-inst-20110802.exe (579.4 kB)' ,
this will install all the necessary files).

When installing, make sure that MSYS is checked off in the
installer. The default is NOT to install it.
It is much easier to compile things once MSYS is installed, as it
allows the './configure' command to use the gnupg sourcecode to
produce everything necessary for the makefile.

The Installer links MSYS to MINGW automatically.
By default, the installer installs to C:\MinGW and installs msys as
a subdirectory of C:\MinGW.

Unpack the sourcecode, and for the sake of example in these
instructions, rename it gnupgxyzFMC and copy it to c:\gnupgxyzFMC

(FMC = For Mingw Compiling ;-) )

Go to the msys subdirectory of c:\MinGW and click on the
subdirectory of 1.0, then on msys.bat.

The MinGW-Msys compiler window opens and lists your logon name,

Type:

cd /c:/gnupgxyzFMC

and press enter.

Type:

./configure --prefix=/mingw

and press enter.

The compiler checks the sourcecode files for the downloaded 1.x
gnupg version and configures it for compilation on windows using
minGW, and after many many lines, ends with the following:

config.status: creating po/Makefile

 Version info: gnupg 1.4.11
 Configured for MingW32 (i686-pc-minw32)

(n.b. if you're on 64 bit windows, the above line may be different)

type:

make

and press enter.

After the compiler finishes and the $ prompt is shown again, the
only thing left to do is to type:

make install

and press enter.

After the compiler finishes, type:

gpg --version

and press enter, and it displays:

gpg (GnuPG) 1.4.11

The compiler has successfully installed gpg.exe, gpgsplit.exe,
gpgv.exe, and gpg-zip into C:\MinGW\bin
and these can now be copied into whatever homedirectory you want.

Again, my primary interest in this is to update Maxine Brandt's
GPG-to-GO site, in the event that windows binaries for 1.x might not
be available.

If anyone has a simpler way of doing this, or any other
suggestions, please post,

Thanks,

vedaal

From ben at adversary.org Tue Sep 13 22:16:52 2011
From: ben at adversary.org (Ben McGinnes)
Date: Wed, 14 Sep 2011 06:16:52 +1000
Subject: windows binary for gnupg 1.4.11 // link no longer on gnupg site?
In-Reply-To: <5c06a82e7fe9b064884d0491679baba2@localhost>
References: <20110913144120.6633CA6E3F@smtp.hushmail.com> <8739g0w9oo.fsf@vigenere.g10code.de> <5c06a82e7fe9b064884d0491679baba2@localhost>
Message-ID: <4E6FBA34.20003@adversary.org>

On 14/09/11 5:10 AM, Robert J. Hansen wrote:
>> In particular the collected donations of exactly 1 Euro received in the
>> 6 weeks since we have a donation button is not encouraging me to work on
>> a special binary release for an OS and GnuPG version I have no need for.
>
> Wait, we have a donation button now? Where?

It's on the download page and links to:

http://www.gnupg.org/misc/donations.en.html

Which gives a brief plea for funds and then links to:

http://g10code.com/gnupg-donation.html

Regards,
Ben

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 163 bytes
Desc: OpenPGP digital signature
URL:

From melvincarvalho at gmail.com Tue Sep 13 23:41:07 2011
From: melvincarvalho at gmail.com (Melvin Carvalho)
Date: Tue, 13 Sep 2011 23:41:07 +0200
Subject: Adding Parameters to a Public Key
Message-ID:

I've noticed that some apps add some fields on the end of your public key

e.g. in Retroshare, the end of my key looks like this:

-----END PGP PUBLIC KEY BLOCK-----
--SSLID--5bcc296e6b3e40c859a031dd6c0d07b3;--LOCATION--home;

In this case:

SSLID=5bcc296e6b3e40c859a031dd6c0d07b3
LOCATION=home

Am I right to say that -- is used to represent a comment?

Is this kind of tagging extra data onto a public key allowed, or is it
possible to break things?

From wk at gnupg.org Wed Sep 14 09:19:14 2011
From: wk at gnupg.org (Werner Koch)
Date: Wed, 14 Sep 2011 09:19:14 +0200
Subject: Adding Parameters to a Public Key
In-Reply-To: (Melvin Carvalho's message of "Tue, 13 Sep 2011 23:41:07 +0200")
References:
Message-ID: <87y5xrvbf1.fsf@vigenere.g10code.de>

On Tue, 13 Sep 2011 23:41, melvincarvalho at gmail.com said:

> Is this kind of tagging extra data onto a public key allowed, or is it
> possible to break things?

You may put any kind of data after the "-----END...." line. It is not
part of OpenPGP specs.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From ba at verisat.no Wed Sep 14 13:19:52 2011
From: ba at verisat.no (Bastien Auneau)
Date: Wed, 14 Sep 2011 11:19:52 +0000
Subject: Problem when decrypting PGP messages
Message-ID: <4E708DD8.2040603@verisat.no>

Hi

Every time I receive a message from a customer.
I get :
OpenPGP Security Info

gpg command line and output:
C:\Program Files (x86)\GNU\GnuPG\pub\gpg.exe
gpg: invalid armor header: www.pgp.com\r\n

gpg: invalid radix64 character 2E skipped
gpg: invalid radix64 character 2E skipped
gpg: CRC error; 8C9731 - CA3995
gpg: packet(3) with unknown version 41

Also, the workaround I found is to forward the message to myself,
removing :

Version: PGP Desktop 10.1.2 (Build 9) - not licensed for commercial use:
www.pgp.com
Charset: utf-8

which is just after
-----BEGIN PGP MESSAGE-----

and just before the crypted message

Is there a way to ignore these 'headers' by default ?
Thanks and regards
Bastien

From david at systemoverlord.com Wed Sep 14 21:29:59 2011
From: david at systemoverlord.com (David Tomaschik)
Date: Wed, 14 Sep 2011 15:29:59 -0400
Subject: Problem when decrypting PGP messages
In-Reply-To: <4E708DD8.2040603@verisat.no>
References: <4E708DD8.2040603@verisat.no>
Message-ID:

On Wed, Sep 14, 2011 at 7:19 AM, Bastien Auneau wrote:
> Hi
>
> Every time I receive a message from a customer. I get :
> OpenPGP Security Info
>
> gpg command line and output:
> C:\Program Files (x86)\GNU\GnuPG\pub\gpg.exe
> gpg: invalid armor header: www.pgp.com\r\n
>
> gpg: invalid radix64 character 2E skipped
> gpg: invalid radix64 character 2E skipped
> gpg: CRC error; 8C9731 - CA3995
> gpg: packet(3) with unknown version 41
>
> Also, the workaround I found is to forward the message to myself, removing :
>
> Version: PGP Desktop 10.1.2 (Build 9) - not licensed for commercial use:
> www.pgp.com
> Charset: utf-8
>
> which is just after
> -----BEGIN PGP MESSAGE-----
>
> and just before the crypted message
>
> Is there a way to ignore these 'headers' by default ?
> Thanks and regards
> Bastien

It looks like the "Version" header is too long and is wrapping onto a
2nd line. The 2nd line is not a valid header, and is confusing gpg.
Most likely, this is caused by the email client on the sending side
wrapping the text.
(Although maybe some receiving clients re-wrap
text, I'm not aware of any.)

Can you provide information on the client(s) in use?

--
David Tomaschik, RHCE, LPIC-1
System Administrator/Open Source Advocate
OpenPGP: 0x5DEA789B
http://systemoverlord.com
david at systemoverlord.com

From ba at verisat.no Thu Sep 15 11:25:53 2011
From: ba at verisat.no (Bastien Auneau)
Date: Thu, 15 Sep 2011 09:25:53 +0000
Subject: Problem when decrypting PGP messages
In-Reply-To:
References: <4E708DD8.2040603@verisat.no>
Message-ID: <4E71C4A1.4010401@verisat.no>

Hi

Thanks for the answer
I'm using Thunderbird 6.0.2 on Windows 7 64bit. The account I connect to
is a google account

Regards
Bastien

On 14/09/2011 19:29, David Tomaschik wrote:
> On Wed, Sep 14, 2011 at 7:19 AM, Bastien Auneau wrote:
>> Hi
>>
>> Every time I receive a message from a customer. I get :
>> OpenPGP Security Info
>>
>> gpg command line and output:
>> C:\Program Files (x86)\GNU\GnuPG\pub\gpg.exe
>> gpg: invalid armor header: www.pgp.com\r\n
>>
>> gpg: invalid radix64 character 2E skipped
>> gpg: invalid radix64 character 2E skipped
>> gpg: CRC error; 8C9731 - CA3995
>> gpg: packet(3) with unknown version 41
>>
>> Also, the workaround I found is to forward the message to myself, removing :
>>
>> Version: PGP Desktop 10.1.2 (Build 9) - not licensed for commercial use:
>> www.pgp.com
>> Charset: utf-8
>>
>> which is just after
>> -----BEGIN PGP MESSAGE-----
>>
>> and just before the crypted message
>>
>> Is there a way to ignore these 'headers' by default ?
>> Thanks and regards
>> Bastien
> It looks like the "Version" header is too long and is wrapping onto a
> 2nd line. The 2nd line is not a valid header, and is confusing gpg.
> Most likely, this is caused by the email client on the sending side
> wrapping the text. (Although maybe some receiving clients re-wrap
> text, I'm not aware of any.)
>
> Can you provide information on the client(s) in use?
> > > From gnupg.user at seibercom.net Thu Sep 15 13:21:19 2011 From: gnupg.user at seibercom.net (Jerry) Date: Thu, 15 Sep 2011 07:21:19 -0400 Subject: Problem when decrypting PGP messages In-Reply-To: <4E71C4A1.4010401@verisat.no> References: <4E708DD8.2040603@verisat.no> <4E71C4A1.4010401@verisat.no> Message-ID: <20110915072119.0714574e@scorpio> On Thu, 15 Sep 2011 09:25:53 +0000 Bastien Auneau articulated: > On 14/09/2011 19:29, David Tomaschik wrote: > > On Wed, Sep 14, 2011 at 7:19 AM, Bastien Auneau > > wrote: > >> Hi > >> > >> Every time I receive a message from a customer. I get : > >> OpenPGP Security Info > >> > >> gpg command line and output: > >> C:\Program Files (x86)\GNU\GnuPG\pub\gpg.exe > >> gpg: invalid armor header: www.pgp.com\r\n > >> > >> gpg: invalid radix64 character 2E skipped > >> gpg: invalid radix64 character 2E skipped > >> gpg: CRC error; 8C9731 - CA3995 > >> gpg: packet(3) with unknown version 41 > >> > >> Also, the workaround I found is to forward the message to myself, > >> removing : > >> > >> Version: PGP Desktop 10.1.2 (Build 9) - not licensed for > >> commercial use: www.pgp.com > >> Charset: utf-8 > >> > >> which is just after > >> -----BEGIN PGP MESSAGE----- > >> > >> and just before the crypted message > >> > >> Is there a way to ignore these 'headers' by default ? > >> Thanks and regards > >> Bastien > > It looks like the "Version" header is too long and is wrapping onto > > a 2nd line. The 2nd line is not a valid header, and is confusing > > gpg. Most likely, this is caused by the email client on the sending > > side wrapping the text. (Although maybe some receiving clients > > re-wrap text, I'm not aware of any.) > > > > Can you provide information on the client(s) in use? > Thanks for the answer > I'm using Thunderbird 6.0.2 on Windows 7 64bit. 
The account I connect > to is a google account > > Regards > Bastien > {Bastien, don't top post, it makes following the thread a lot harder than necessary} It would be my opinion that Google was at fault. They have screwed up GPG before on me. -- Jerry ? GNUPG.user at seibercom.net _____________________________________________________________________ Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. In Tulsa, Oklahoma, it is against the law to open a soda bottle without the supervision of a licensed engineer. From jerome+person at jeromebaum.com Thu Sep 15 23:01:41 2011 From: jerome+person at jeromebaum.com (Jerome Baum) Date: Thu, 15 Sep 2011 23:01:41 +0200 Subject: Problem when decrypting PGP messages In-Reply-To: <20110915072119.0714574e@scorpio> References: <4E708DD8.2040603@verisat.no> <4E71C4A1.4010401@verisat.no> <20110915072119.0714574e@scorpio> Message-ID: <4E7267B5.7020209@jeromebaum.com> On 2011-09-15 13:21, Jerry wrote: > On Thu, 15 Sep 2011 09:25:53 +0000 > Bastien Auneau articulated: >> I'm using Thunderbird 6.0.2 on Windows 7 64bit. The account I connect >> to is a google account >> > It would be my opinion that Google was at fault. They have screwed up > GPG before on me. I'm using the exact same configuration (though with a Google Apps account, not sure if there's a difference from Google Mail). Google is working fine for me. However I have conversation view switched off and various other "special" options set so you might want to go through your settings and see if you can tweak them a bit. Conversation view is a real mess. -- Q: What is your secret word? A: That's right. Q: What's right? A: Yes. Q: Sir, you're going to have to tell me your secret word. A: What? Q: I said please tell me your secret word. A: What? Q: What's your secret word? A: Yes. Q: Sorry, "yes" is not your secret word. You have two more chances. A: I said what? Q: Yes. A: Right, so you admit I said it. 
Q: No, you said "yes." A: No, "what!" Q: When? A: When you asked for my secret word! Q: What? A: Yes! Q: I'm sorry, that's incorrect. You have one more chance to say your secret word. A: I'd like to speak to your supervisor. Q: Very well, I'll transfer you. His name is Hu. (http://boingboing.net/2010/05/03/fun-with-a-banks-sec.html) From vedaal at nym.hush.com Fri Sep 16 17:17:27 2011 From: vedaal at nym.hush.com (vedaal at nym.hush.com) Date: Fri, 16 Sep 2011 11:17:27 -0400 Subject: windows binary for gnupg 1.4.11 // compilation instructions posted Message-ID: <20110916151727.882FF14DBA6@smtp.hushmail.com> >Compiling your own windows binary on windows >(for people who never used a compiler): Reviewed the instructions, and tested them on windows 64 bit systems, and no modifications are necessary. Posted the 'How To' on Maxine Brandt's restored site, here: http://www.angelfire.com/mb2/mbgpg2go/cyowb.html As expected, the compilation does not include iconv.dll, so a link to the gnupg.org iconv.dll download and instructions, http://www.gnupg.org/download/iconv.en.html , is also provided. If anyone has any suggestions for improvement, please post, Thanks, vedaal From johanw at vulcan.xs4all.nl Fri Sep 16 20:28:52 2011 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Fri, 16 Sep 2011 20:28:52 +0200 Subject: windows binary for gnupg 1.4.11 // compilation instructions posted In-Reply-To: <20110916151727.882FF14DBA6@smtp.hushmail.com> References: <20110916151727.882FF14DBA6@smtp.hushmail.com> Message-ID: <4E739564.8080000@vulcan.xs4all.nl> On 16-09-2011 17:17, vedaal at nym.hush.com wrote: > Posted the 'How To' on Maxine Brandt's restored site, here: > http://www.angelfire.com/mb2/mbgpg2go/cyowb.html Why not also host a copy of the existing binary? 
-- Met vriendelijke groet, Johan Wevers From vedaal at nym.hush.com Fri Sep 16 20:49:09 2011 From: vedaal at nym.hush.com (vedaal at nym.hush.com) Date: Fri, 16 Sep 2011 14:49:09 -0400 Subject: windows binary for gnupg 1.4.11 // compilation instructions posted Message-ID: <20110916184909.237D614DBD4@smtp.hushmail.com> Johan Wevers johanw at vulcan.xs4all.nl Fri Sep 16 20:28:52 CEST 2011 wrote: >Why not also host a copy of the existing binary? Because then who is to say that it wasn't tampered with? The whole point is to start with gnupg.org signed and verified material, and then let the user take it from there. Although, [and am over my head here, so please correct if wrong], if there *could* be a way of providing instructions on compiling, so that the resultant compiled file would always have the same hash, then it might make sense to host the compiled binary and the hash. My understanding, (which may be outdated), is that there are too many variations in individual user systems, so that the compiled files would never have 'exactly' the same hash independent of where they are compiled. Is there any way to ensure that if the same source code and the same compiler is used, that the resultant files have the same hash? Thanks, vedaal From johanw at vulcan.xs4all.nl Fri Sep 16 21:42:58 2011 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Fri, 16 Sep 2011 21:42:58 +0200 Subject: windows binary for gnupg 1.4.11 // compilation instructions posted In-Reply-To: <20110916184909.237D614DBD4@smtp.hushmail.com> References: <20110916184909.237D614DBD4@smtp.hushmail.com> Message-ID: <4E73A6C2.8080606@vulcan.xs4all.nl> On 16-09-2011 20:49, vedaal at nym.hush.com wrote: >> Why not also host a copy of the existing binary? > > Because then who is to say that it wasn't tampered with? OK, then what about a direct link to the version of the installer still present on ftp.gnupg.org? 
> Although, > [and am over my head here, so please correct if wrong], > if there *could* be a way of providing instructions on compiling, > so that the resultant compiled file would always have the same > hash, Unlikely, since the Windows executable file format contains a timestamp within the binary. -- Met vriendelijke groet / With kind regards, Johan Wevers PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From crimer at crimer90.co.cc Fri Sep 16 21:30:50 2011 From: crimer at crimer90.co.cc (Simone Cianfriglia) Date: Fri, 16 Sep 2011 21:30:50 +0200 Subject: windows binary for gnupg 1.4.11 // compilation instructions posted In-Reply-To: <20110916184909.237D614DBD4@smtp.hushmail.com> References: <20110916184909.237D614DBD4@smtp.hushmail.com> Message-ID: Hello vedaal and gnupg-users list. > My understanding, (which may be outdated), > is that there are too many variations in individual user systems, > so that the compiled files would never have 'exactly' the same > hash independent of where they are compiled. > > Is there any way to ensure that if the same source code and the > same compiler is used, that the resultant files have the same hash? To achieve your desired result, it's required to run the exactly same compiler, including the version, with the same options targeting the correct architecture. Also a minor tweak in architecture settings could change the result, see for example the --march and --mtune directives of GCC to see how many choices there are. 
Regards, Simone From rjh at sixdemonbag.org Fri Sep 16 22:26:33 2011 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri, 16 Sep 2011 16:26:33 -0400 Subject: windows binary for gnupg 1.4.11 // compilation instructions posted In-Reply-To: <20110916184909.237D614DBD4@smtp.hushmail.com> References: <20110916184909.237D614DBD4@smtp.hushmail.com> Message-ID: <4E73B0F9.1000305@sixdemonbag.org> On 9/16/2011 2:49 PM, vedaal at nym.hush.com wrote: > Because then who is to say that it wasn't tampered with? Who's to say the one on ftp.gnupg.org wasn't tampered with? It would be fairly easy to make a version of GnuPG that always reported itself as having a good signature. (See, e.g., Ken Thompson, _Reflections on Trusting Trust_. David A. Wheeler had an interesting solution to Thompson's problem, but in the main Thompson's remarks are still quite applicable. [1]) And if you're downloading source code and compiling from source -- how do you know the source wasn't tampered with? A back door could be hidden inside the code, making sure that whenever you attempted to verify... etc., etc. 
> The whole point is to start with gnupg.org signed and verified > material, and then let the user take it from there. You can't. I hate to rain on the parade, but this is simply not achievable. At some point you have to accept something on faith. The only question is what you'll accept. In the extreme case, let's say GnuPG hosts a Windows binary and posts an MD5 sum of it. How do you know the MD5 sum that's posted is accurate? Werner's signature on it is meaningless: you don't have a trusted copy of GnuPG you can use to verify the signature. The posted MD5 sum could have been tampered with and you wouldn't know. Etc., etc. Ultimately, you have to take something on faith -- whether it's "I believe this MD5 sum is correct," or "I believe this binary is correct," or what-have-you. That initial trust decision is what bootstraps the entire process. If an initial trust decision is necessary, why not host your own GnuPG binary, or link to the binary on the ftp.gnupg.org site, or...? > Although, [and am over my head here, so please correct if wrong], if > there *could* be a way of providing instructions on compiling, so > that the resultant compiled file would always have the same hash, > then it might make sense to host the compiled binary and the hash. This is technically possible but highly daunting. It involves opening up a PE/COFF executable in a hex editor and looking at specific offsets for timestamps, machine-specific identifiers, and so on -- and then hard-coding those back to the values present in the original binary. If the resulting binary is bit-for-bit identical to the original, then you've got a perfect copy. This is generally not worth doing unless you're in some way-beyond-the-next-level environment where you take supply-chain assurance to crazed levels. [1] ... And David Shaw was the one who pointed me towards Wheeler's paper in the first place, some time ago -- thanks. 
:) From vedaal at nym.hush.com Fri Sep 16 22:59:32 2011 From: vedaal at nym.hush.com (vedaal at nym.hush.com) Date: Fri, 16 Sep 2011 16:59:32 -0400 Subject: windows binary for gnupg 1.4.11 // compilation instructions posted Message-ID: <20110916205932.60ED914DBA6@smtp.hushmail.com> Thanks, Simone, Johan and Robert, well, there goes that idea ... (but it's nice to know, that it's *possible* if there ever were some extreme need for it) ;-) Johan, as per your excellent suggestion, the link to the ftp is hosted: http://www.angelfire.com/mb2/mbgpg2go/download.html (I'm reasonably certain that Maxine would have accepted the ftp of the binary and its sig, 'on faith') ;-) vedaal From johanw at vulcan.xs4all.nl Sat Sep 17 00:15:25 2011 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Sat, 17 Sep 2011 00:15:25 +0200 Subject: windows binary for gnupg 1.4.11 // compilation instructions posted In-Reply-To: References: <20110916184909.237D614DBD4@smtp.hushmail.com> Message-ID: <4E73CA7D.1020801@vulcan.xs4all.nl> On 16-09-2011 21:30, Simone Cianfriglia wrote: > To achieve your desired result, it's required to run the exactly same > compiler, including the version, with the same options targeting the > correct architecture. Also a minor tweak in architecture settings > could change the result, see for example the --march and --mtune > directives of GCC to see how many choices there are. Which makes me wonder how hard it would be to build GnuPG 1.4.11 with MS Visual Studio. Back in the pgp 2 days I put a VS 5 (antique version) project file for pgp 2.6.3ia on my site to create a win2 binary - better than the distributed MS-DOS binary, at least it could handle long filenames. That was easy - just put all the .c files in the project. I'll just have to try. -- Met vriendelijke groet / With kind regards, Johan Wevers PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From rjh at sixdemonbag.org Sat Sep 17 01:20:31 2011 From: rjh at sixdemonbag.org (Robert J. 
Hansen) Date: Fri, 16 Sep 2011 19:20:31 -0400 Subject: windows binary for gnupg 1.4.11 // compilation instructions posted In-Reply-To: <4E73CA7D.1020801@vulcan.xs4all.nl> References: <20110916184909.237D614DBD4@smtp.hushmail.com> <4E73CA7D.1020801@vulcan.xs4all.nl> Message-ID: <4E73D9BF.9000607@sixdemonbag.org> On 9/16/2011 6:15 PM, Johan Wevers wrote: > Which makes me wonder how hard it would be to build GnuPG 1.4.11 with > MS Visual Studio. With MS Visual Studio, or with the command-line cl.exe compiler? The last I heard from the Autotools fellows (Ralf Wildenhues, et. al.) several months ago, they were really close to having a version that would work with MS tools from within MinGW. If this reached a usable version, that would seem like the most obvious way to get a GnuPG version built with the MS compilers. My question, though, is -- why? What do the MS compilers give us? I can't see any compelling reason to do this. From makrober at gmail.com Sat Sep 17 06:00:42 2011 From: makrober at gmail.com (M.R.) Date: Sat, 17 Sep 2011 04:00:42 +0000 Subject: MS windows and gnupg In-Reply-To: <4E73D9BF.9000607@sixdemonbag.org> References: <20110916184909.237D614DBD4@smtp.hushmail.com> <4E73CA7D.1020801@vulcan.xs4all.nl> <4E73D9BF.9000607@sixdemonbag.org> Message-ID: <4E741B6A.7030609@gmail.com> On 16/09/11 23:20, Robert J. Hansen wrote: > My question, though, is -- why? What do the MS compilers give us? > I can't see any compelling reason to do this. How about a large user base that already has that tool set at hand, and has a natural resistance to install another tool set they are not familiar with and have no use for other than to build one single application package? MS compilers give ~us~ (you and me, I guess) nothing, but we must not look at the world through ~our~ keyhole. I very much believe gnupg should be available to the users of MS operating systems, and it is not this that our discussion here is all about. 
Selection of an operating system is a complex matter, often influenced by factors outside the user's control, and it is naive of the application creator to assume that someone's decision on what OS he chooses will be driven by his particular application. It should also be a matter of craft pride on the part of a programmer that his clean C shell program will build with no errors in a simple shell script on all three major platforms with the most common compiler and link-editor found on it. Something like that should be especially important with security applications, where it is advantageous - if not mandatory - that the end user has the ability to create the executable from the source code. Mark R. From rjh at sixdemonbag.org Sat Sep 17 07:56:01 2011 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sat, 17 Sep 2011 01:56:01 -0400 Subject: MS windows and gnupg In-Reply-To: <4E741B6A.7030609@gmail.com> References: <20110916184909.237D614DBD4@smtp.hushmail.com> <4E73CA7D.1020801@vulcan.xs4all.nl> <4E73D9BF.9000607@sixdemonbag.org> <4E741B6A.7030609@gmail.com> Message-ID: <4E743671.4010302@sixdemonbag.org> On 9/17/2011 12:00 AM, M.R. wrote: > How about a large user base that already has that tool set at hand, > and has a natural resistance to install another tool set they are not > familiar with and have no use for other than to build one single > application package? Please forgive my skepticism, but -- well -- I'm skeptical. I don't think we've seen a single person post to this list saying "I have the Visual Studio toolchain installed and need to build GnuPG from source, but can't, since it's an Autotools-based build: could I get a version that has a .sln buildfile and works with the Visual Studio compiler?" I'm generally not in favor of making changes to codebases based on hypothetical use-cases. I think changing codebases to accommodate hypothesized users quickly leads to a deterioration in overall product quality. 
> I very much believe gnupg should be available to the users of MS > operating systems Sure, but it already is. Nobody's arguing that GnuPG shouldn't be available to MS users. The question is whether (a) porting to the Visual Studio toolchain needs to be done and (b) if so, who will do it. My answer to (a) is "no." My answer to (b) is, "all the people I know who could do this, won't do it, for one reason or another -- so isn't this kind of a dead letter?" > It should also be a matter of craft pride on the part of a programmer > that his clean C shell program will build with no errors in a simple > shell script on all three major platforms with the most common > compiler and link-editor found on it. I don't share in this view, not at all. Cross-platform build environments are *hard*. Even something like CMake doesn't work very well: although CMake works well enough for UNIX platforms and MingW, its Visual Studio solution output looks like something that shambled out of Frankenstein's laboratory. For a while I was stuck maintaining a codebase that was 100% ISO C++. The codebase was clean as could be, and was quite a point of pride. Then came the mission to "support MS," and the Autotools system compiled out-of-the-box on MinGW: it was beautiful. Then came the mission to "support MS under Visual Studio," we switched to CMake, and I immediately spent more time maintaining our fragile build environment than I spent maintaining the codebase. I suspect GnuPG would be in the exact same boat if it went this route. This is why I think it's really important that there be no changes until we hear from actual users who are being adversely impacted by the Autotools dependency. Let's not make things more fragile unless we've got a clear and compelling need. (Oh, and for the "we must support MS under Visual Studio" project? The users who were clamoring for VS support overwhelmingly ignored us when we had our VS-enabled build. 
As near as I can tell, a lot more people *said* they were interested in building it under VS than ever actually did it. In this respect, too, I think GnuPG's experience would likely be similar. That's why I think we need to insist on real users with clear and compelling needs.) From makrober at gmail.com Sat Sep 17 09:51:38 2011 From: makrober at gmail.com (M.R.) Date: Sat, 17 Sep 2011 07:51:38 +0000 Subject: MS windows and gnupg In-Reply-To: <4E743671.4010302@sixdemonbag.org> References: <20110916184909.237D614DBD4@smtp.hushmail.com> <4E73CA7D.1020801@vulcan.xs4all.nl> <4E73D9BF.9000607@sixdemonbag.org> <4E741B6A.7030609@gmail.com> <4E743671.4010302@sixdemonbag.org> Message-ID: <4E74518A.9070007@gmail.com> I agree with you to some extent. I also happen to believe there are ways of tamper-resistant distribution of binaries that require the trust in the application provider and no one else; at least not someone else in the distribution channel. In addition, the ability of an average end-user to inspect the source is long gone. There is however one point on which I'd like to comment: > For a while I was stuck maintaining a codebase that was 100% ISO C++. > The codebase was clean as could be, and was quite a point of pride. > Then came the mission to "support MS," and the Autotools system > compiled > out-of-the-box on MinGW: it was beautiful. Then came the mission to > "support MS under Visual Studio," we switched to CMake, and I > immediately spent more time maintaining our fragile build environment > than I spent maintaining the codebase. Indeed, while code can be "standard" and "cross-platform", build environments (i.e., innumerable variants of "make") are not. We have no option of avoiding them in ~application development~ but I firmly believe this is quite different cattle of fish from ~application distribution~. In the hands of "end-user-source-recipient" *all* components are compiled in a linear fashion, and any error is typically terminal. 
This situation calls for simple shell scripts and not makefiles. Even if we assume that end user has the ability to intervene in a failed build process, he will much sooner be able to do so with a native (i.e., to his run-time OS) shell script than an arcane file he is probably totally unfamiliar with. Mark R. From rjh at sixdemonbag.org Sat Sep 17 10:33:54 2011 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sat, 17 Sep 2011 04:33:54 -0400 Subject: MS windows and gnupg In-Reply-To: <4E74518A.9070007@gmail.com> References: <20110916184909.237D614DBD4@smtp.hushmail.com> <4E73CA7D.1020801@vulcan.xs4all.nl> <4E73D9BF.9000607@sixdemonbag.org> <4E741B6A.7030609@gmail.com> <4E743671.4010302@sixdemonbag.org> <4E74518A.9070007@gmail.com> Message-ID: <4E745B72.5060808@sixdemonbag.org> On 9/17/2011 3:51 AM, M.R. wrote: > I agree with you to some extent. I also happen to believe there are > ways of tamper-resistant distribution of binaries that require the > trust in the application provider and no one else; at least not > someone else in the distribution channel. In addition, the ability > of an average end-user to inspect the source is long gone. This is why we have code signing. Solved problem. (You can argue that GnuPG should distribute Authenticode-signed Windows binaries, and there might be some merit to that argument: but the existing setup of MD5 hashes and GnuPG signatures posted for releases serves the same purpose.) > I firmly believe this is quite different cattle of fish from > ~application distribution~. App distribution should be as an installer package appropriate for the OS in question, which GnuPG does via NSIS. Again, I don't see the problem. Code distribution should be as a build environment that can be used without undue effort by a modestly skilled programmer. 
Again, I don't see the problem with Autotools: I've yet to meet a Windows C/C++ developer who was unable to get MinGW set up, especially since MinGW moved to a much more convenient installer model. > This situation calls for simple shell scripts and not makefiles. Oh, *hell* no. Forgive my visceral reaction there, but whenever anyone suggests going back to the bad old days I get a case of the flaming, fiery heebie-jeebies. Quoting John Calcote's excellent Autotools book: "Originally, configuration scripts were hand-coded shell scripts designed to set variables based on platform-specific characteristics. They also allowed users to configure package options before running make. This approach worked well for decades, but as the number of Linux distributions and custom Unix systems grew, the variety of features and installation and configuration options exploded, so it became very difficult to write a decent portable configuration script. In fact, it was much more difficult to write a portable configuration script than it was to write Makefiles for a new project. ... In the early 1990s it was apparent to many open-source developers that project configuration would become painful if something wasn't done to ease the burden of writing massive shell scripts to manage configuration options. The number of GNU project packages had grown to hundreds, and maintaining consistency between their separate build systems had become more time consuming than simply maintaining the code for these projects. These problems had to be solved." John is a dinosaur, in the best possible sense of the word: he remembers the bad old days of "simple shell scripts" driving builds, and he remembers how they turned into complex, unportable messes. This was one of the major driving forces behind the development of modern build systems. Let's not turn back the clock on progress. 
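The PE/COFF point that Johan Wevers and Robert J. Hansen raise earlier in this thread (a link-time timestamp in the header makes two builds of the same source hash differently), as an added example that is not code from any poster or from the GnuPG project: it hashes a binary with the COFF TimeDateStamp and optional-header CheckSum zeroed and lists any differing bytes those two fields do not explain. The sample images, timestamps and function names are constructed for illustration; debug-directory and other embedded timestamps are not handled.

```python
import hashlib
import struct


def volatile_fields(image: bytes) -> dict:
    """Locate build-dependent PE header fields as {name: (offset, size)}."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)   # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4                                   # COFF file header
    if len(image) < coff + 20:
        raise ValueError("truncated COFF header")
    fields = {"TimeDateStamp": (coff + 4, 4)}
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20                                     # optional header
    # CheckSum sits at offset 64 of the optional header in PE32 and PE32+.
    if opt_size >= 68 and len(image) >= opt + 68:
        fields["CheckSum"] = (opt + 64, 4)
    return fields


def read_timestamp(image: bytes) -> int:
    """Return the link-time TimeDateStamp (seconds since the Unix epoch)."""
    off, _ = volatile_fields(image)["TimeDateStamp"]
    return struct.unpack_from("<I", image, off)[0]


def normalized_digest(image: bytes) -> str:
    """SHA-256 of the image with the volatile header fields zeroed."""
    buf = bytearray(image)
    for off, size in volatile_fields(image).values():
        buf[off:off + size] = b"\0" * size
    return hashlib.sha256(buf).hexdigest()


def compare_builds(a: bytes, b: bytes, limit: int = 16) -> dict:
    """Compare two builds; report differences the volatile fields don't cover."""
    skip = set()
    for image in (a, b):
        for off, size in volatile_fields(image).values():
            skip.update(range(off, off + size))
    unexplained = [i for i in range(min(len(a), len(b)))
                   if a[i] != b[i] and i not in skip]
    return {
        "raw_equal": a == b,
        "same_length": len(a) == len(b),
        "normalized_equal": normalized_digest(a) == normalized_digest(b),
        "unexplained_offsets": unexplained[:limit],
    }


def make_sample(timestamp: int, checksum: int, payload: bytes) -> bytes:
    """Build a constructed, header-only PE32 image for the demonstration."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<I", opt, 64, checksum)
    return dos + b"PE\0\0" + coff + bytes(opt) + payload


if __name__ == "__main__":
    # Constructed inputs: same "code", built an hour apart.
    first = make_sample(1316200000, 0x1111, b"\x90" * 16)
    second = make_sample(1316203600, 0x2222, b"\x90" * 16)
    print(hashlib.sha256(first).hexdigest() == hashlib.sha256(second).hexdigest())
    print(compare_builds(first, second))
```

A non-empty `unexplained_offsets` list means the two builds differ somewhere other than the link timestamp and checksum, which is the case that needs a human look before either binary is trusted.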
From wk at gnupg.org Sat Sep 17 12:06:49 2011 From: wk at gnupg.org (Werner Koch) Date: Sat, 17 Sep 2011 12:06:49 +0200 Subject: windows binary for gnupg 1.4.11 // compilation instructions posted In-Reply-To: <4E73A6C2.8080606@vulcan.xs4all.nl> (Johan Wevers's message of "Fri, 16 Sep 2011 21:42:58 +0200") References: <20110916184909.237D614DBD4@smtp.hushmail.com> <4E73A6C2.8080606@vulcan.xs4all.nl> Message-ID: <87d3eztrd2.fsf@vigenere.g10code.de> On Fri, 16 Sep 2011 21:42, johanw at vulcan.xs4all.nl said: > OK, then what about a direct link to the version of the installer still > present on ftp.gnupg.org? It was removed on purpose. We - and this includes Enigmail developers - want users to use the modern version. Those who have a valid reason to continue use of 1.4 know what an ftp server is and their first reaction will anyway be lftp ftp.gnupg.org cd to GnuPG (or gcrypt), read README and immediately notice binary/ Compiled versions for MS Windows. If they don't find this, I doubt that they have any need for 1.4. 1.4 is not aimed for desktop users but for vintage Unix versions and maybe for servers. Admins should still know that there is a thing called ftp. > Unlikely, since the Windows executable file format contains a timestamp > within the binary. And cpp may also insert timestamps into the source code. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From Matthew561 at aol.com Sat Sep 17 16:29:04 2011 From: Matthew561 at aol.com (Matthew Mark Drew) Date: Sat, 17 Sep 2011 09:29:04 -0500 Subject: 2.0.18/GOG4Win Message-ID: <4E74AEB0.4030906@aol.com> Any idea when 2.0.18 will be available via GPG4Win? Thanks From faramir.cl at gmail.com Mon Sep 19 00:49:05 2011 From: faramir.cl at gmail.com (Faramir) Date: Sun, 18 Sep 2011 19:49:05 -0300 Subject: Easiest way to migrate from GPG 1.4.11 to 2.x? 
Message-ID: <4E767561.3000703@gmail.com> Hello, I've been a very happy user of 1.4.x branch for some years. Now I'm thinking about moving to 2.x, which would mean GPG4Win. How do I migrate my keyrings to 2.x? Simple copy/paste? Best Regards From JPClizbe at tx.rr.com Mon Sep 19 00:28:09 2011 From: JPClizbe at tx.rr.com (John Clizbe) Date: Sun, 18 Sep 2011 17:28:09 -0500 Subject: windows binary for gnupg 1.4.11 // compilation instructions posted In-Reply-To: <4E73CA7D.1020801@vulcan.xs4all.nl> References: <20110916184909.237D614DBD4@smtp.hushmail.com> <4E73CA7D.1020801@vulcan.xs4all.nl> Message-ID: <4E767079.5010806@tx.rr.com> Johan Wevers wrote: > On 16-09-2011 21:30, Simone Cianfriglia wrote: > >> To achieve your desired result, it's required to run the exactly same >> compiler, including the version, with the same options targeting the >> correct architecture. Also a minor tweak in architecture settings >> could change the result, see for example the --march and --mtune >> directives of GCC to see how many choices there are. > > Which makes me wonder how hard it would be to build GnuPG 1.4.11 with MS > Visual Studio. Back in the pgp 2 days I put a VS 5 (antique version) > project file for pgp 2.6.3ia on my site to create a win2 binary - better > than the distributed MS-DOS binary, at least it could handle long > filenames. 
That was easy - just put all the .c files in the project. > > I'll just have to try. > You're much better off with MinGW and dependencies or Cygwin. There was a move to try to write project files for Visual Studio some long time ago, but I don't think anything became of it. I have my own scripts, tuned bit by bit since 2004, but they are tailored to my use. -- John P. Clizbe Inet: John ( a ) Enigmail DAWT NET FSF Assoc #995 / FSFE Fellow #1797 hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels" From dougb at dougbarton.us Mon Sep 19 03:35:57 2011 From: dougb at dougbarton.us (Doug Barton) Date: Sun, 18 Sep 2011 18:35:57 -0700 Subject: Easiest way to migrate from GPG 1.4.11 to 2.x? In-Reply-To: <4E767561.3000703@gmail.com> References: <4E767561.3000703@gmail.com> Message-ID: <4E769C7D.2090907@dougbarton.us> On 09/18/2011 15:49, Faramir wrote: > Hello, > I've been a very happy user of 1.4.x branch for some years. Now > I'm thinking about moving to 2.x, which would mean GPG4Win. How do I > migrate my keyrings to 2.x? Simple copy/paste? No need to migrate anything at this point. The two are interchangeable. -- Nothin' ever doesn't change, but nothin' changes much. -- OK Go Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/ From wk at gnupg.org Mon Sep 19 10:28:56 2011 From: wk at gnupg.org (Werner Koch) Date: Mon, 19 Sep 2011 10:28:56 +0200 Subject: 2.0.18/GOG4Win In-Reply-To: <4E74AEB0.4030906@aol.com> (Matthew Mark Drew's message of "Sat, 17 Sep 2011 09:29:04 -0500") References: <4E74AEB0.4030906@aol.com> Message-ID: <874o09szp3.fsf@vigenere.g10code.de> On Sat, 17 Sep 2011 16:29, Matthew561 at aol.com said: > Any idea when 2.0.18 will be available via GPG4Win? No concrete plans. 2.0.18 has no useful changes for Windows anyway. 

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by federal law.

From wk at gnupg.org Mon Sep 19 10:28:06 2011
From: wk at gnupg.org (Werner Koch)
Date: Mon, 19 Sep 2011 10:28:06 +0200
Subject: windows binary for gnupg 1.4.11 // compilation instructions posted
In-Reply-To: <4E767079.5010806@tx.rr.com> (John Clizbe's message of "Sun, 18 Sep 2011 17:28:09 -0500")
References: <20110916184909.237D614DBD4@smtp.hushmail.com> <4E73CA7D.1020801@vulcan.xs4all.nl> <4E767079.5010806@tx.rr.com>
Message-ID: <878vplszqh.fsf@vigenere.g10code.de>

Hi,

there is a thing for Windows called System Services for Unix (SFU). It is a modern POSIX implementation on top of the NT kernel but very different to the old we-need-to-be-compliant-to-gov-ITBs Posix subsystem. Did anyone ever try to build a GnuPG on it?

AFAICS this would use MSC but on a native Windows supported POSIX platform. Cygwin is based on the Win32 API (which is the common API used on top of the NT kernel) and thus has some problems with complete integration into the system.

--
Thoughts are free. Exceptions are regulated by federal law.

From vedaal at nym.hush.com Mon Sep 19 23:26:44 2011
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Mon, 19 Sep 2011 17:26:44 -0400
Subject: MS windows and gnupg
Message-ID: <20110919212644.6C935E672D@smtp.hushmail.com>

Robert J. Hansen rjh at sixdemonbag.org wrote on Sat Sep 17 10:33:54 CEST 2011 :

>I've yet to meet a Windows C/C++
>developer who was unable to get MinGW set up, especially since MinGW
>moved to a much more convenient installer model

Apparently, the installer model is so good, that it installs ALL the necessary files within the C:\Mingw folder.

I copied the entire folder to a flash drive, and put the flash drive into another windows machine that had no MingW or Cygwin on it, and was able to compile, make, and install GnuPG 1.4.11 directly into the flashdrive (into the flashdrive's MingW\bin folder).

So, as long as you don't need permission to run msys.bat from a flashdrive (Norton and some other antivirus software sometimes get upset with this), you can have a portable MingW-MSYS compiler that works on windows machines.

vedaal

From JPClizbe at tx.rr.com Mon Sep 19 23:28:00 2011
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Mon, 19 Sep 2011 16:28:00 -0500
Subject: windows binary for gnupg 1.4.11 // compilation instructions posted
In-Reply-To: <878vplszqh.fsf@vigenere.g10code.de>
References: <20110916184909.237D614DBD4@smtp.hushmail.com> <4E73CA7D.1020801@vulcan.xs4all.nl> <4E767079.5010806@tx.rr.com> <878vplszqh.fsf@vigenere.g10code.de>
Message-ID: <4E77B3E0.1050602@tx.rr.com>

Werner Koch wrote:
> Hi,
>
> there is a thing for Windows called System Services for Unix (SFU). It
> is a modern POSIX implementation on top of the NT kernel but very
> different to the old we-need-to-be-compliant-to-gov-ITBs Posix
> subsystem. Did anyone ever try to build a GnuPG on it?
>
> AFAICS this would use MSC but on a native Windows supported POSIX
> platform. Cygwin is based on the Win32 API (which is the common API
> used on top of the NT kernel) and thus has some problems with complete
> integration into the system.
>

The last version I used was SFU 3.5. cc looks for CL.EXE on the PATH. gcc 3.3 was also included.

Many tools such as autoconf have to be installed from the Interix community site.
From wk at gnupg.org Tue Sep 20 09:17:20 2011
From: wk at gnupg.org (Werner Koch)
Date: Tue, 20 Sep 2011 09:17:20 +0200
Subject: windows binary for gnupg 1.4.11 // compilation instructions posted
In-Reply-To: <4E77B3E0.1050602@tx.rr.com> (John Clizbe's message of "Mon, 19 Sep 2011 16:28:00 -0500")
References: <20110916184909.237D614DBD4@smtp.hushmail.com> <4E73CA7D.1020801@vulcan.xs4all.nl> <4E767079.5010806@tx.rr.com> <878vplszqh.fsf@vigenere.g10code.de> <4E77B3E0.1050602@tx.rr.com>
Message-ID: <87ty87smwv.fsf@vigenere.g10code.de>

On Mon, 19 Sep 2011 23:28, JPClizbe at tx.rr.com said:

> Many tools such as autoconf have to be installed from the Interix community site.

To build gnupg you don't need autoconf. A bare bones development system is always sufficient. autoconf is only used to create the configure script which is then included in the tarball.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by federal law.

From M8R-6mgbf6 at sogetthis.com Tue Sep 20 05:15:09 2011
From: M8R-6mgbf6 at sogetthis.com (zerious)
Date: Mon, 19 Sep 2011 20:15:09 -0700 (PDT)
Subject: Verifying Encryption Algorithms
Message-ID: <32500003.post@talk.nabble.com>

Hi. I am relatively new to gpg and i have a few questions about it. I'm using 1.4.11 on Ubuntu and 2.0.17 on windows(gpg4win).

My main question is: how can i get a warm fuzzy that a file has [i]really[/i] been encrypted using the cipher and digest that i specify and not something else? I was thinking there might be some kind of -vv decrypt mode that would show in detail what it's using to decrypt a file or some file metadata or something.

So far, based on some reading and experimentation, ive found that i can use --list-packets to get some of this information. For symmetric files, it will show the cipher-algo, the s2k mode, the s2k-digest-algo, the s2k-count, and compression-algo. This is very helpful, but it doesn't confirm the digest-algo that is being used.
This is important to me because I want to make sure it isn't somehow using SHA1 or MD5 behind my back.

With asymmetric, i get even less information: just the type of key used(RSA 2048) and maybe the compression algorithm. As you probably know, gpg does 2 layers of encryption: it symmetrically encrypts your data, then asymmetrically encrypts the symmetric keys(the session keys). Right now, --list-packets shows me that the session keys are encrypted using the correct asymmetric algorithm, but I want to see that the symmetric portion of the output used the correct cipher-algo, digest-algo, s2k-digest-algo, s2k-mode, s2k-count. I'm not sure that the s2k stuff is applicable because the session keys are randomly generated on the spot, is that right?

I think i've found a good way to verify the cipher-algo using --show-session-key. the first digit of the output indicates the symmetric algorithm being used:
10:123456789ABCDEFFFFFFFFFFFFFFFFFFFFFF
would indicate that it's a TWOFISH key. Also, the length of the key is a good hint.

Basically, I just want some way to look at my encrypted data and see that it actually uses the algorithms that I specified before I send it out somewhere that it could be intercepted and compromised. I have a few methods for checking, but they a few leave key pieces of information out. If anybody has a good method for verification or even knows of some 3rd party tool that can analyze encrypted data, I would really appreciate your input.

--
View this message in context: http://old.nabble.com/Verifying-Encryption-Algorithms-tp32500003p32500003.html
Sent from the GnuPG - User mailing list archive at Nabble.com.
From avi.wiki at gmail.com Tue Sep 20 19:28:34 2011
From: avi.wiki at gmail.com (Avi)
Date: Tue, 20 Sep 2011 13:28:34 -0400
Subject: windows binary for gnupg 1.4.11 // compilation instructions posted
Message-ID:

What about us windows users who do not have GPG installed on our desktops, but our secure USB sticks. 1.4.11 works very nicely as a stand-alone (or in my case, with GPGShell). I'm afraid that 2.+ would not work properly when installed to an encrypted stick, although, I admit, I have not actually tried it.

----
User:Avraham

pub 3072D/F80E29F9 1/30/2009 Avi (Wikimedia-related key)
Primary key fingerprint: 167C 063F 7981 A1F6 71EC ABAA 0D62 B019 F80E 29F9

From: Werner Koch
> To: Johan Wevers
> Date: Sat, 17 Sep 2011 12:06:49 +0200
> Subject: Re: windows binary for gnupg 1.4.11 // compilation instructions
> posted
> On Fri, 16 Sep 2011 21:42, johanw at vulcan.xs4all.nl said:
>
> If they don't find this, I doubt that they have any need for 1.4. 1.4
> is not aimed for desktop users but for vintage Unix versions and maybe
> for servers.
>
From wk at gnupg.org Tue Sep 20 21:23:06 2011
From: wk at gnupg.org (Werner Koch)
Date: Tue, 20 Sep 2011 21:23:06 +0200
Subject: windows binary for gnupg 1.4.11 // compilation instructions posted
In-Reply-To: (Avi's message of "Tue, 20 Sep 2011 13:28:34 -0400")
References:
Message-ID: <87obyfqaqt.fsf@vigenere.g10code.de>

On Tue, 20 Sep 2011 19:28, avi.wiki at gmail.com said:

> What about us windows users who do not have GPG installed on our
> desktops, but our secure USB sticks. 1.4.11 works very nicely as
> a stand-alone (or in my case, with GPGShell). I'm afraid that
> 2.+ would not work properly when installed to an encrypted

There is no such thing as a secure USB stick to run programs from.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by federal law.

From luca at pca.it Tue Sep 20 18:31:44 2011
From: luca at pca.it (Luca Capello)
Date: Tue, 20 Sep 2011 18:31:44 +0200
Subject: Posting rules for the gnupg-devel@ mailing list
Message-ID: <8739fr2n0v.fsf@gismo.pca.it>

Hi there!

Please Cc: me, I am not subscribed to the list.

I found what I think is a bug in gpg-agent (the environment file should be deleted when quitting), please see:

Yesterday, after having patched gpg-agent and extensively tested my (very simple) patch, I sent it to the gnupg-devel@ mailing list, but I still fail to see it appearing on the archives:

Subject: [PATCH] Remove the environment file when quitting.
Date: Mon, 19 Sep 2011 20:33:13 +0200
Message-Id: <1316457193-26043-1-git-send-email-luca at pca.it>
X-Mailer: git-send-email 1.7.6.3

While I know that my email was accepted, I have not received any error/moderation message:
=====
Sep 19 20:33:27 clio postfix/smtp[2929]: 5D125CE980: to=, \
relay=ns1.u64.de[217.69.77.222]:25, delay=6.4, delays=0.01/0.01/6.2/0.12, \
dsn=4.0.0, status=deferred (host ns1.u64.de[217.69.77.222] said: \
451-151.1.160.141 is not yet authorized to deliver mail from \
to 451 . Please try later.
(in reply to RCPT TO command))
Sep 19 20:42:49 [...] status=deferred [...]
Sep 19 20:52:49 [...] status=deferred [...]
Sep 19 21:12:49 [...] status=deferred [...]
Sep 19 21:52:50 clio postfix/smtp[14485]: 5D125CE980: to=, \
relay=ns1.u64.de[217.69.77.222]:25, delay=4769, delays=4763/0.01/5.1/0.81, \
dsn=2.0.0, status=sent (250 OK id=1R5jta-0006Hh-CE)
=====

Should I subscribe to the gnupg-devel@ mailing list to post? Can this information be added to the listinfo page, please?

Thx, bye,
Gismo / Luca

From roam at ringlet.net Tue Sep 20 22:04:53 2011
From: roam at ringlet.net (Peter Pentchev)
Date: Tue, 20 Sep 2011 23:04:53 +0300
Subject: Posting rules for the gnupg-devel@ mailing list
In-Reply-To: <8739fr2n0v.fsf@gismo.pca.it>
References: <8739fr2n0v.fsf@gismo.pca.it>
Message-ID: <20110920200452.GA2988@straylight.m.ringlet.net>

On Tue, Sep 20, 2011 at 06:31:44PM +0200, Luca Capello wrote:
> Hi there!
>
> Please Cc: me, I am not subscribed to the list.
>
> I found what I think is a bug in gpg-agent (the environment file should
> be deleted when quitting), please see:
>
>
>
>
> Yesterday, after having patched gpg-agent and extensively tested my
> (very simple) patch, I sent it to the gnupg-devel@ mailing list, but I
> still fail to see it appearing on the archives:
>
> Subject: [PATCH] Remove the environment file when quitting.
> Date: Mon, 19 Sep 2011 20:33:13 +0200
> Message-Id: <1316457193-26043-1-git-send-email-luca at pca.it>
> X-Mailer: git-send-email 1.7.6.3
>
> While I know that my email was accepted, I have not received any
> error/moderation message:
> =====
> Sep 19 20:33:27 clio postfix/smtp[2929]: 5D125CE980: to=, \
> relay=ns1.u64.de[217.69.77.222]:25, delay=6.4, delays=0.01/0.01/6.2/0.12, \
> dsn=4.0.0, status=deferred (host ns1.u64.de[217.69.77.222] said: \
> 451-151.1.160.141 is not yet authorized to deliver mail from \
> to 451 . Please try later. (in reply to RCPT TO command))
> Sep 19 20:42:49 [...] status=deferred [...]
> Sep 19 20:52:49 [...] status=deferred [...]
> Sep 19 21:12:49 [...] status=deferred [...]
> Sep 19 21:52:50 clio postfix/smtp[14485]: 5D125CE980: to=, \
> relay=ns1.u64.de[217.69.77.222]:25, delay=4769, delays=4763/0.01/5.1/0.81, \
> dsn=2.0.0, status=sent (250 OK id=1R5jta-0006Hh-CE)
> =====
>
> Should I subscribe to the gnupg-devel@ mailing list to post? Can this
> information be added to the listinfo page, please?

Not necessarily. I believe that this is just greylisting in action - http://en.wikipedia.org/wiki/Greylisting

In short, if your mailserver is well-behaved and retransmits the message within a reasonable timeframe (usually a couple of hours would be enough, although most mailservers will retry in less than an hour), the gnupg.org server will accept your message and everything will be just fine.

Of course, the gnupg.org mail admins are free to jump in and correct me :)

G'luck,
Peter

--
Peter Pentchev roam at ringlet.net roam at FreeBSD.org peter at packetscale.com
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
If there were no counterfactuals, this sentence would not have been paradoxical.
From kloecker at kde.org Tue Sep 20 22:20:31 2011
From: kloecker at kde.org (Ingo Klöcker)
Date: Tue, 20 Sep 2011 22:20:31 +0200
Subject: windows binary for gnupg 1.4.11 // compilation instructions posted
In-Reply-To: <4E73B0F9.1000305@sixdemonbag.org>
References: <20110916184909.237D614DBD4@smtp.hushmail.com> <4E73B0F9.1000305@sixdemonbag.org>
Message-ID: <201109202220.39168@thufir.ingo-kloecker.de>

On Friday 16 September 2011, Robert J. Hansen wrote:
> On 9/16/2011 2:49 PM, vedaal at nym.hush.com wrote:
> > Because then who is to say that it wasn't tampered with?
>
> Who's to say the one on ftp.gnupg.org wasn't tampered with? It would
> be fairly easy to make a version of GnuPG that always reported
> itself as having a good signature. (See, e.g., Ken Thompson,
> _Reflections on Trusting Trust_. David A. Wheeler had an
> interesting solution to Thompson's problem, but in the main
> Thompson's remarks are still quite applicable. [1])
>
> And if you're downloading source code and compiling from source --
> how do you know the source wasn't tampered with? A back door could
> be hidden inside the code, making sure that whenever you attempted
> to verify... etc., etc.

The backdoor could even be hidden in the compiler. Who says Microsoft can be trusted?

> > The whole point is to start with gnupg.org signed and verified
> > material, and then let the user take it from there.
>
> You can't. I hate to rain on the parade, but this is simply not
> achievable. At some point you have to accept something on faith.
> The only question is what you'll accept.
>
> In the extreme case, let's say GnuPG hosts a Windows binary and posts
> an MD5 sum of it. How do you know the MD5 sum that's posted is
> accurate? Werner's signature on it is meaningless: you don't have a
> trusted copy of GnuPG you can use to verify the signature.
> The posted MD5 sum could have been tampered with and you wouldn't know.
> Etc., etc.

Well, one could use PGP or another independent implementation of OpenPGP to verify the signature on GnuPG. And then one could use GnuPG to verify the other implementation. Of course, they could still both have been forged by the same entity, but that's a lot less likely.

Regards,
Ingo

From rjh at sixdemonbag.org Tue Sep 20 22:48:53 2011
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 20 Sep 2011 16:48:53 -0400
Subject: windows binary for gnupg 1.4.11 // compilation instructions posted
In-Reply-To: <87obyfqaqt.fsf@vigenere.g10code.de>
References: <87obyfqaqt.fsf@vigenere.g10code.de>
Message-ID: <4E78FC35.8020100@sixdemonbag.org>

On 9/20/2011 3:23 PM, Werner Koch wrote:
> There is no such thing as a secure USB stick to run programs from.

If I determine that my work PC and my home PC are both trusted systems, and I have a single USB stick containing my GnuPG installation and keyrings that I want to use on both, then I don't see the risk so long as that USB stick is never plugged into an untrusted machine.

"Secure" and "insecure" seem to be words that apply to specific uses of technologies, rather than those technologies /qua/ themselves.

From crimer at crimer90.co.cc Tue Sep 20 21:04:24 2011
From: crimer at crimer90.co.cc (Simone Cianfriglia)
Date: Tue, 20 Sep 2011 21:04:24 +0200
Subject: Verifying Encryption Algorithms
In-Reply-To: <32500003.post@talk.nabble.com>
References: <32500003.post@talk.nabble.com>
Message-ID:

Hi zerious,

First of all: The following answer is about "how to get that information from an encrypted message".
If you need to force some algorithms, you can use the --cipher-algo, --digest-algo, --compress-algo and --cert-digest-algo options.

===

> My main question is: how can i get a warm fuzzy that a file has
> [i]really[/i] been encrypted
> using the cipher and digest that i specify and not something else? I was
> thinking there might be some kind of -vv decrypt mode that would show in
> detail what it's using to decrypt a file or some file metadata or something.

The information you're seeking is inside the ciphertext, precisely:
a) the symmetric encryption algorithm is with the key, in the symmetric-key encrypted session key packet;
b) the digest algorithm is inside the one-pass signature packet, inside the symmetric ciphertext.

So, you have to decrypt the Symmetric-Key Encrypted Session Key Packet with your public key to discover the crypto-algo and get the session key to decrypt the Symmetrically Encrypted Data Packet and get either a Compressed Data Packet or a Literal Data Packet, along with the one-pass signature cited above.

> I think i've found a good way to verify the cipher-algo using
> --show-session-key. the first digit of the output indicates the symmetric
> algorithm being used:
> 10:123456789ABCDEFFFFFFFFFFFFFFFFFFFFFF
> would indicate that it's a TWOFISH key. Also, the length of the key is a
> good hint.

Exactly, that's the way to follow to discover the symmetric encryption algorithm using only GnuPG.

> Basically, I just want some way to look at my encrypted data and see that it
> actually uses the algorithms that I specified before I send it out somewhere
> that it could be intercepted and compromised.

You can use the --list-packets option, along with the --show-session-key one, to see a detailed view of your packet.
Let's see an example:

===
$ gpg --list-packets --show-session-key message.asc (or .gpg)
:pubkey enc packet: version 3, algo 1, keyid 0123456789ABCDEF
    data: [4096 bits]
:encrypted data packet:
    length: unknown
    mdc_method: 2
gpg: encrypted with ...
:compressed packet: algo=3
:onepass_sig packet: keyid FEDCBA9876543210
    version 3, sigclass 0x00, digest 10, pubkey 1, last=1
:literal data packet:
    mode b (62), created 1316543985, name="",
    raw data: 6 bytes
:signature packet: algo 1, keyid FEDCBA9876543210
    version 4, created 1316543985, md5len 0, sigclass 0x00
    digest algo 10, begin of digest dd 90
    hashed subpkt 2 len 4 (sig created 2011-09-20)
    subpkt 16 len 8 (issuer key ID 10293847586FDBCE)
    data: [4096 bits]
gpg: session key: `9:0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF'
===

You can see:
- RSA key (pubkey algo 1);
- the symmetric algo used is AES256 (9, first octet of session key);
- the message is compressed with BZIP2 (compressed algo 3)
- the digest algo is SHA512 (10 in signature and onepass_sig packets);
- the signature asymmetric algo is RSA (algo 1 in signature).

Of course, you need a way to decipher that message, so if you're encrypting it without a key of yours, that information is unavailable.

> I have a few methods for
> checking, but they a few leave key pieces of information out. If anybody has
> a good method for verification or even knows of some 3rd party tool that can
> analyze encrypted data, I would really appreciate your input.

I don't know any tool to analyze encrypted data as you want, I'm sorry. If you want to discover more in-depth details about the information stored inside an OpenPGP message, you can look at RFC4880, it's very exhaustive. ;)

Hope it helps!
Simone

From avi.wiki at gmail.com Tue Sep 20 22:46:07 2011
From: avi.wiki at gmail.com (Avi)
Date: Tue, 20 Sep 2011 16:46:07 -0400
Subject: windows binary for gnupg 1.4.11 // compilation instructions posted
In-Reply-To: <87obyfqaqt.fsf@vigenere.g10code.de>
References: <87obyfqaqt.fsf@vigenere.g10code.de>
Message-ID:

Fair enough, I was not precise, my apologies. I run GnuPG off a Truecrypt encrypted partition on a USB stick, so I can access it places where I do not wish to load my keyring, and cannot install a card reader. I find that version 1.4.11 with GPGShell works like a charm, and would be loathe to see it disappear.

However, I am not a real programmer, nor do I play one on the radio (I just pretend to be one for the free stuff 8-) ) and so while I probably could, if I had to, compile from source using Cygwin or MingW, I'd feel safer if someone who knew what they were doing did it. I still have nightmares from the time I built an ATLAS BLAS and then used it to compile Rblas.dll under windows.
Probably took me over two weeks to get it right :}

--Avi

----
User:Avraham

pub 3072D/F80E29F9 1/30/2009 Avi (Wikimedia-related key)
Primary key fingerprint: 167C 063F 7981 A1F6 71EC ABAA 0D62 B019 F80E 29F9

On Tue, Sep 20, 2011 at 3:23 PM, Werner Koch wrote:
>
> On Tue, 20 Sep 2011 19:28, avi.wiki at gmail.com said:
> > What about us windows users who do not have GPG installed on our
> > desktops, but our secure USB sticks. 1.4.11 works very nicely as
> > a stand-alone (or in my case, with GPGShell). I'm afraid that
> > 2.+ would not work properly when installed to an encrypted
>
> There is no such thing as a secure USB stick to run programs from.
>
>
>
> Salam-Shalom,
>
> Werner
>
> --
> Thoughts are free. Exceptions are regulated by federal law.
>

From vedaal at nym.hush.com Wed Sep 21 02:12:06 2011
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Tue, 20 Sep 2011 20:12:06 -0400
Subject: windows binary for gnupg 1.4.11 // compilation instructions posted
Message-ID: <20110921001206.ACDA214DBA6@smtp.hushmail.com>

>Message: 8
>Date: Tue, 20 Sep 2011 13:28:34 -0400
>From: Avi
>To: gnupg-users at gnupg.org

>What about us windows users who do not have GPG installed on our
>desktops, but our secure USB sticks. 1.4.11 works very nicely as
>a stand-alone (or in my case, with GPGShell).

>However, I am not a real programmer, nor do I play one on the radio (I just pretend to be one for the free stuff 8-) ) and so while I probably could, if I had to, compile from source using Cygwin or MingW, I'd feel safer if someone who knew what they were doing did it.
-----

1.4.11 when compiled from cygwin, works ok on windows, but only within cygwin. It WON'T work on a flashdrive that's attached to any windows system where cygwin isn't installed, as it needs some cygwin-specific dlls.

1.4.11 from mingw, will work anywhere, and is VERY EASY to compile from the posted instructions, (I'm not a real programmer either, and only recently have been able to successfully do 'Hello World' from Python and Perl, and haven't graduated to C yet ;-)) )

(Compiling from mingw according to the posted instructions, is easier than setting up gpgshell on a flashdrive, which isn't that hard, and is something you have already done), so try it ;-).

BTW, There is a unique advantage to running gnupg from cygwin on windows, as it's the only way to make use of unix-like commands, (cat, grep, printf, etc.) and pipe them to and from gnupg.

But, if you want a possibly 'more secure' flashdrive gnupg setup that lets you do everything, you can install ubuntu on a (big) usb drive, boot from the usb, and run gnupg from ubuntu.

or,

Boot from an ubuntu pocket dvd, and keep your keys and stuff on the usb, and write (encrypt or decrypt) to the usb. (and you don't have to compile anything ;-) )

vedaal

From rjh at sixdemonbag.org Wed Sep 21 05:20:56 2011
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 20 Sep 2011 23:20:56 -0400
Subject: Verifying Encryption Algorithms
In-Reply-To: <32500003.post@talk.nabble.com>
References: <32500003.post@talk.nabble.com>
Message-ID: <4E795818.6040106@sixdemonbag.org>

On 9/19/2011 11:15 PM, zerious wrote:
> My main question is: how can i get a warm fuzzy that a file has
> [i]really[/i] been encrypted
> using the cipher and digest that i specify and not something else?

Check a program called 'pgpdump'.

Of course, this raises the question of how can you get a warm fuzzy that pgpdump is [i]really[/i] reporting things accurately and ... etc., etc.
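
[Added example, not part of any message in this thread and not GnuPG code.] The check discussed in the "Verifying Encryption Algorithms" thread can be scripted: the Python below parses the text printed by `gpg --list-packets --show-session-key`, maps the numeric algorithm IDs to their RFC 4880 names and compares them with what was requested. The sample listing is constructed from the one quoted in the thread; the function names and the policy check are assumptions of this example.

```python
import re

# Algorithm identifiers from RFC 4880, sections 9.1 to 9.4.
PUBKEY = {1: "RSA", 2: "RSA-E", 3: "RSA-S", 16: "Elgamal", 17: "DSA"}
CIPHER = {0: "Plaintext", 1: "IDEA", 2: "3DES", 3: "CAST5", 4: "Blowfish",
          7: "AES128", 8: "AES192", 9: "AES256", 10: "Twofish"}
COMPRESS = {0: "Uncompressed", 1: "ZIP", 2: "ZLIB", 3: "BZip2"}
DIGEST = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384",
          10: "SHA512", 11: "SHA224"}
# Session key sizes as gpg prints them (3DES is shown as 24 bytes).
KEY_BITS = {"IDEA": 128, "3DES": 192, "CAST5": 128, "Blowfish": 128,
            "AES128": 128, "AES192": 192, "AES256": 256, "Twofish": 256}
WEAK_DIGESTS = {"MD5", "SHA1"}

# Constructed sample, modelled on the listing quoted in the thread.
SAMPLE = """\
:pubkey enc packet: version 3, algo 1, keyid 0123456789ABCDEF
    data: [4096 bits]
:encrypted data packet:
    length: unknown
    mdc_method: 2
gpg: encrypted with ...
:compressed packet: algo=3
:onepass_sig packet: keyid FEDCBA9876543210
    version 3, sigclass 0x00, digest 10, pubkey 1, last=1
:literal data packet:
    mode b (62), created 1316543985, name="",
    raw data: 6 bytes
:signature packet: algo 1, keyid FEDCBA9876543210
    version 4, created 1316543985, md5len 0, sigclass 0x00
    digest algo 10, begin of digest dd 90
    data: [4096 bits]
gpg: session key: `9:0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF'
"""


def _name(table, num):
    num = int(num)
    return table.get(num, "unknown(%d)" % num)


def parse_listing(text):
    """Collect the algorithms named in a --list-packets listing."""
    report = {"pubkey_enc": [], "compression": [], "sig_digests": [],
              "sig_pubkey": [], "mdc": False, "cipher": None, "key_bits": None}
    packet = None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r":(.+?) packet:", line)
        if header:
            packet = header.group(1)
        # "ID:HEX" printed by --show-session-key; the ID is the cipher.
        m = re.search(r"session key: \W?(\d+):([0-9A-Fa-f]+)", line)
        if m:
            report["cipher"] = _name(CIPHER, m.group(1))
            report["key_bits"] = len(m.group(2)) * 4
            continue
        if packet == "pubkey enc" and header:
            m = re.search(r"\balgo (\d+)", line)
            if m:
                report["pubkey_enc"].append(_name(PUBKEY, m.group(1)))
        elif packet == "compressed" and header:
            m = re.search(r"algo=(\d+)", line)
            if m:
                report["compression"].append(_name(COMPRESS, m.group(1)))
        elif packet == "encrypted data":
            # mdc_method 2 is the SHA-1 based MDC that RFC 4880 fixes for
            # integrity protection; --digest-algo does not control it.
            if re.search(r"mdc_method: \d+", line):
                report["mdc"] = True
        elif packet == "onepass_sig":
            m = re.search(r"digest (\d+), pubkey (\d+)", line)
            if m:
                report["sig_digests"].append(_name(DIGEST, m.group(1)))
                report["sig_pubkey"].append(_name(PUBKEY, m.group(2)))
        elif packet == "signature":
            m = re.search(r"digest algo (\d+)", line)
            if m:
                report["sig_digests"].append(_name(DIGEST, m.group(1)))
            elif header:
                m = re.search(r"\balgo (\d+)", line)
                if m:
                    report["sig_pubkey"].append(_name(PUBKEY, m.group(1)))
    return report


def check_policy(report, want_cipher, want_digest):
    """Return a list of mismatches between the listing and what was requested."""
    problems = []
    if report["cipher"] is None:
        problems.append("no session key shown; cannot confirm the cipher")
    else:
        if report["cipher"] != want_cipher:
            problems.append("cipher is %s, expected %s"
                            % (report["cipher"], want_cipher))
        expected = KEY_BITS.get(report["cipher"])
        if expected and report["key_bits"] != expected:
            problems.append("session key is %d bits, %s uses %d"
                            % (report["key_bits"], report["cipher"], expected))
    if not report["mdc"]:
        problems.append("no MDC: the ciphertext is not integrity protected")
    for digest in report["sig_digests"]:
        if digest in WEAK_DIGESTS or digest != want_digest:
            problems.append("signature digest is %s, expected %s"
                            % (digest, want_digest))
    return problems


if __name__ == "__main__":
    result = parse_listing(SAMPLE)
    print(result)
    print(check_policy(result, "AES256", "SHA512") or "listing matches policy")
```

As noted in the thread, the session key line is only printed when you hold a key that can decrypt the message, so the cipher check needs a listing produced by a recipient (or with yourself added as a recipient).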
From wk at gnupg.org Wed Sep 21 10:58:00 2011
From: wk at gnupg.org (Werner Koch)
Date: Wed, 21 Sep 2011 10:58:00 +0200
Subject: windows binary for gnupg 1.4.11 // compilation instructions posted
In-Reply-To: <4E78FC35.8020100@sixdemonbag.org> (Robert J. Hansen's message of "Tue, 20 Sep 2011 16:48:53 -0400")
References: <87obyfqaqt.fsf@vigenere.g10code.de> <4E78FC35.8020100@sixdemonbag.org>
Message-ID: <87aa9yqnl3.fsf@vigenere.g10code.de>

On Tue, 20 Sep 2011 22:48, rjh at sixdemonbag.org said:

> If I determine that my work PC and my home PC are both trusted systems,
> and I have a single USB stick containing my GnuPG installation and
> keyrings that I want to use on both, then I don't see the risk so long
> as that USB stick is never plugged into an untrusted machine.

That is right. However you would only keep your data on the stick and not the programs. All systems these days have a package management system, and those are better at program updates than doing it manually.

My point was that people very often talk about encrypted super secure USB sticks which they put into an arbitrary computer and believe that the data and programs magically work secure this way. They don't consider that a "foreign" CPU is seeing everything they stored on the stick.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by federal law.

From americabrazil1234 at hotmail.com Wed Sep 21 05:42:45 2011
From: americabrazil1234 at hotmail.com (Vortran66)
Date: Tue, 20 Sep 2011 20:42:45 -0700 (PDT)
Subject: After opening file with GPG Tools any file can be opened w.o. pwd
Message-ID: <32503709.post@talk.nabble.com>

I have GPG Tools 20110711 installed on a MacAir running Snow Leopard. If I right click an encrypted file I get a services menu item "Open PGP: Decrypt". Selecting that will decrypt the file properly. My problem is this. Once that file is decrypted I can click on any file that was encrypted with the same key and it will open without asking for the password.
If I wait a very long time 20 minutes plus, or shut down and restart the computer the behavior stops. Is there a way to require the password every time I try and decrypt a file. The current situation presents a security risk as opening one file essentially unlocks all files encrypted with the same key.

--
View this message in context: http://old.nabble.com/After-opening-file-with-GPG-Tools-any-file-can-be-opened-w.o.-pwd-tp32503709p32503709.html
Sent from the GnuPG - User mailing list archive at Nabble.com.

From luca at pca.it Wed Sep 21 10:40:37 2011
From: luca at pca.it (Luca Capello)
Date: Wed, 21 Sep 2011 10:40:37 +0200
Subject: Posting rules for the gnupg-devel@ mailing list
In-Reply-To: <20110920200452.GA2988@straylight.m.ringlet.net> (Peter Pentchev's message of "Tue, 20 Sep 2011 23:04:53 +0300")
References: <8739fr2n0v.fsf@gismo.pca.it> <20110920200452.GA2988@straylight.m.ringlet.net>
Message-ID: <87pqiuthiy.fsf@gismo.pca.it>

Hi there!

On Tue, 20 Sep 2011 22:04:53 +0200, Peter Pentchev wrote:
> On Tue, Sep 20, 2011 at 06:31:44PM +0200, Luca Capello wrote:
>> Please Cc: me, I am not subscribed to the list.

Still valid.

>> While I know that my email was accepted, I have not received any
>> error/moderation message:
>> =====
>> Sep 19 20:33:27 clio postfix/smtp[2929]: 5D125CE980: to=, \
>> relay=ns1.u64.de[217.69.77.222]:25, delay=6.4, delays=0.01/0.01/6.2/0.12, \
>> dsn=4.0.0, status=deferred (host ns1.u64.de[217.69.77.222] said: \
>> 451-151.1.160.141 is not yet authorized to deliver mail from \
>> to 451 . Please try later. (in reply to RCPT TO command))
>> Sep 19 20:42:49 [...] status=deferred [...]
>> Sep 19 20:52:49 [...] status=deferred [...]
>> Sep 19 21:12:49 [...] status=deferred [...]
>> Sep 19 21:52:50 clio postfix/smtp[14485]: 5D125CE980: to=, \
>> relay=ns1.u64.de[217.69.77.222]:25, delay=4769, delays=4763/0.01/5.1/0.81, \
>> dsn=2.0.0, status=sent (250 OK id=1R5jta-0006Hh-CE)
>> =====
>>
>> Should I subscribe to the gnupg-devel@ mailing list to post? Can this
>> information be added to the listinfo page, please?
>
> Not necessarily. I believe that this is just greylisting in action -
> http://en.wikipedia.org/wiki/Greylisting

I know what and how greylisting works, which is exactly what happened in the log above. The problem is that there is no sign of my email above, not even the in-moderation notification. I will try to re-send it...

I found the answer to my first question in the mailing list webpage, so this is purely my fault, it seems I completely missed the other part of that page. Short story: all GnuPG mailing lists are subscribers-only:

I still think that this information should be added to the listinfo pages as well, but this is another matter.

Sorry for the noise.

Thx, bye,
Gismo / Luca

From wk at gnupg.org Wed Sep 21 11:27:54 2011
From: wk at gnupg.org (Werner Koch)
Date: Wed, 21 Sep 2011 11:27:54 +0200
Subject: Posting rules for the gnupg-devel@ mailing list
In-Reply-To: <20110920200452.GA2988@straylight.m.ringlet.net> (Peter Pentchev's message of "Tue, 20 Sep 2011 23:04:53 +0300")
References: <8739fr2n0v.fsf@gismo.pca.it> <20110920200452.GA2988@straylight.m.ringlet.net>
Message-ID: <8762kmqm79.fsf@vigenere.g10code.de>

On Tue, 20 Sep 2011 22:04, roam at ringlet.net said:

> Not necessarily. I believe that this is just greylisting in action -
> http://en.wikipedia.org/wiki/Greylisting

Right. However, posts from non-subscribers need to be moderated. That may take a while. We have a couple of volunteers who do that job for many years now without most people noticing it.
Many thanks to them. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From ml at schoenitzer.de Wed Sep 21 15:23:03 2011 From: ml at schoenitzer.de (Michael Florian Schönitzer) Date: Wed, 21 Sep 2011 13:23:03 +0000 (UTC) Subject: gpgkeymgr 0.3 released Message-ID: I've released version 0.3 of my tool gpgkeymgr today. With gpgkeymgr you can clean up and manage your GnuPGP-keyring, by removing old and unnecessary keys. There haven't been any new bigger features, but I have a French translation (thanks to jbar), German translation of program and manpage, some smaller improvements and probably most important an improved makefile working on more different Systems without problems. Link: http://nudin.github.com/GnuPGP-Tools/ Regards, Michael Schönitzer -- Michael F. Schönitzer Mail: michael ?t schoenitzer.de Jabber: Schoenitzer at jabber.piratenpartei.de From olav at enigmail.net Wed Sep 21 16:21:28 2011 From: olav at enigmail.net (Olav Seyfarth) Date: Wed, 21 Sep 2011 16:21:28 +0200 Subject: After opening file with GPG Tools any file can be opened w.o. pwd In-Reply-To: <32503709.post@talk.nabble.com> References: <32503709.post@talk.nabble.com> Message-ID: <4E79F2E8.4010700@enigmail.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Hi, > Is there a way to require the password every time I try and decrypt a > file. The current situation presents a security risk as opening one file > essentially unlocks all files encrypted with the same key. Caching in gpg-agent is responsible for this. You can configure its cache entry TTL values. Look for cache settings in gpg-agent.conf (to be created in your GnuPG homedir). You may want to set default-ttl to some seconds only (or "0"?).
http://www.gnupg.org/documentation/manuals/gnupg/Agent-Options.html#Agent-Options Olav - -- The Enigmail Project - OpenPGP Email Security For Mozilla Applications From wk at gnupg.org Wed Sep 21 16:45:37 2011 From: wk at gnupg.org (Werner Koch) Date: Wed, 21 Sep 2011 16:45:37 +0200 Subject: Posting rules for the gnupg-devel@ mailing list In-Reply-To: <87pqiuthiy.fsf@gismo.pca.it> (Luca Capello's message of "Wed, 21 Sep 2011 10:40:37 +0200") References: <8739fr2n0v.fsf@gismo.pca.it> <20110920200452.GA2988@straylight.m.ringlet.net> <87pqiuthiy.fsf@gismo.pca.it> Message-ID: <87vcsmosxa.fsf@vigenere.g10code.de> On Wed, 21 Sep 2011 10:40, luca at pca.it said: > the log above. The problem is that there is no sign of my email above, > not even the in-moderation notification. I will try to re-send it... Sending such notification back to the spammers is not a good idea. You either have to wait - or better - subscribe to the ML. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From vedaal at nym.hush.com Wed Sep 21 16:57:45 2011 From: vedaal at nym.hush.com (vedaal at nym.hush.com) Date: Wed, 21 Sep 2011 10:57:45 -0400 Subject: gnupg2.x // adding subkeys - possible only from commandline ?
Message-ID: <20110921145745.62F7014DBA6@smtp.hushmail.com> Have been playing with gpg4win, and installed everything according to the defaults. Cannot get Kleopatra or GPA to add a subkey, but can easily do it from the commandline. ----- C:\PROGRA~1\GNU\GNUPG>gpg --edit-key aaaa1 gpg (GnuPG) 2.0.17; Copyright (C) 2011 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Secret key is available. pub 2048R/F9015496 created: 2005-12-01 expires: never usage: SC trust: ultimate validity: ultimate [ultimate] (1). aaaa1 gpg> addkey Key is protected. You need a passphrase to unlock the secret key for user: "aaaa1 " 2048-bit RSA key, ID F9015496, created 2005-12-01 Please select what kind of key you want: (3) DSA (sign only) (4) RSA (sign only) (5) Elgamal (encrypt only) (6) RSA (encrypt only) (7) DSA (set your own capabilities) (8) RSA (set your own capabilities) Your selection? ----- Is there a way to do this from any of the gpg4win front ends? TIA, vedaal From John at enigmail.net Thu Sep 22 05:44:26 2011 From: John at enigmail.net (John Clizbe) Date: Wed, 21 Sep 2011 22:44:26 -0500 Subject: windows binary for gnupg 1.4.11 // compilation instructions posted In-Reply-To: <20110921001206.ACDA214DBA6@smtp.hushmail.com> References: <20110921001206.ACDA214DBA6@smtp.hushmail.com> Message-ID: <4E7AAF1A.1040202@enigmail.net> vedaal at nym.hush.com wrote: > BTW, > There is a unique advantage to running gnupg from cygwin on > windows, as it's the only way to make use of unix-like commands, > (cat, grep, printf, etc.) and pipe them to and from gnupg. ONLY? How much effort did you expend looking? The MinGW compiler folks provide a little environment called MSYS, for Minimal System. It's not meant to be a full-on environment like Cygwin, even though it's a fork of an earlier Cygwin, but provides bash and enough tools to run most configure scripts and do a reasonable amount of work. 
BTW, it's faster than Cygwin because it's emulating less. IIRC, Mozilla based their Windows build environment on MSYS. In addition, there is Microsoft's Services for Unix which is the old Interix product. I think one may still download 3.5 for XP. cc looks for CL.EXE on the $PATH. gcc 3.3 is included. Lots of stuff available from the user site. Certain server levels of Vista and Windows 7 have SFU built-in. It cannot be installed separately on these OSes. Another alternative is UWIN, from AT&T's David Korn and Glenn Fowler. (Umm, yeah /THAT/ Dave Korn.) One used to be able to point cc to either the MinGW gcc or to MS' CL. I haven't used it in a while. That's just from memory. -- John P. Clizbe Inet: John ( a ) Enigmail DAWT net FSF Assoc #995 / FSFE Fellow #1797 hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Raise your hand if you know someone who is alive only because you did not want to spend time in jail From rjh at sixdemonbag.org Thu Sep 22 06:59:35 2011 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 22 Sep 2011 00:59:35 -0400 Subject: windows binary for gnupg 1.4.11 // compilation instructions posted In-Reply-To: <4E7AAF1A.1040202@enigmail.net> References: <20110921001206.ACDA214DBA6@smtp.hushmail.com> <4E7AAF1A.1040202@enigmail.net> Message-ID: <4E7AC0B7.9070808@sixdemonbag.org> On 9/21/2011 11:44 PM, John Clizbe wrote: > ONLY? How much effort did you expend looking? In addition to John's offerings, don't forget http://gnuwin32.sf.net. Most of the GNU tools exist in native Win32 builds. Some of them are a bit old (e.g., their flex is 2.5.4a, current is 2.5.34, their gawk is 3.1.6 and current is 4.0.0, etc.), but they generally work quite well. 
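Added example, not part of any poster's message: a check of the gpg-agent passphrase cache that Olav Seyfarth's reply above (thread "After opening file with GPG Tools any file can be opened w.o. pwd") points to. The option names gpg-agent documents for these lifetimes are default-cache-ttl and max-cache-ttl; the sample files, the 60-second limit and the "last occurrence wins" rule are assumptions of this example.

```shell
#!/bin/sh
# Report the passphrase-cache lifetimes gpg-agent would use for a given
# gpg-agent.conf and flag the ones that keep an unlocked key around too long.

# gpg-agent's documented built-in defaults, in seconds.
agent_default_for() {
    case "$1" in
        default-cache-ttl) echo 600 ;;
        max-cache-ttl)     echo 7200 ;;
        *) return 1 ;;
    esac
}

# effective_ttl FILE OPTION
# Prints the value OPTION takes from FILE, or the built-in default when FILE
# is missing or does not set it. Comment lines (leading '#') are ignored.
# Assumption of this example: when an option is repeated, the last one wins.
effective_ttl() {
    conf=$1
    option=$2
    value=""
    if [ -r "$conf" ]; then
        value=$(awk -v want="$option" '
            /^[ \t]*#/ { next }
            $1 == want && $2 ~ /^[0-9]+$/ { seen = 1; last = $2 }
            END { if (seen) print last }' "$conf")
    fi
    if [ -n "$value" ]; then
        echo "$value"
    else
        agent_default_for "$option"
    fi
}

# audit_agent_cache FILE LIMIT
# Prints one line per option; returns 1 if any lifetime exceeds LIMIT seconds.
audit_agent_cache() {
    audit_conf=$1
    audit_limit=$2
    audit_rc=0
    for audit_opt in default-cache-ttl max-cache-ttl; do
        audit_ttl=$(effective_ttl "$audit_conf" "$audit_opt") || return 2
        if [ "$audit_ttl" -gt "$audit_limit" ]; then
            echo "$audit_opt: ${audit_ttl}s, above the ${audit_limit}s limit"
            audit_rc=1
        else
            echo "$audit_opt: ${audit_ttl}s, ok"
        fi
    done
    return "$audit_rc"
}

# Constructed sample files (not from the thread).
DEFAULTS_CONF=$(mktemp)
STRICT_CONF=$(mktemp)
trap 'rm -f "$DEFAULTS_CONF" "$STRICT_CONF"' EXIT

cat > "$DEFAULTS_CONF" <<'EOF'
# default-cache-ttl 5     (commented out, so it has no effect)
pinentry-program /usr/bin/pinentry
EOF

cat > "$STRICT_CONF" <<'EOF'
default-cache-ttl 0
max-cache-ttl 0
EOF

# A file that sets neither option leaves the defaults in force.
audit_agent_cache "$DEFAULTS_CONF" 60 \
    || echo "=> unlocked keys stay cached; tighten gpg-agent.conf"
audit_agent_cache "$STRICT_CONF" 60
```

A running gpg-agent has to re-read its configuration before changed values take effect.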
From vedaal at nym.hush.com Thu Sep 22 16:17:19 2011 From: vedaal at nym.hush.com (vedaal at nym.hush.com) Date: Thu, 22 Sep 2011 10:17:19 -0400 Subject: windows binary for gnupg 1.4.11 // compilation instructions posted Message-ID: <20110922141719.3CB3114DBA6@smtp.hushmail.com> >Message: 9 >Date: Wed, 21 Sep 2011 22:44:26 -0500 >From: John Clizbe >To: gnupg-users at gnupg.org >Subject: Re: windows binary for gnupg 1.4.11 // compilation > instructions posted >Message-ID: <4E7AAF1A.1040202 at enigmail.net> >Content-Type: text/plain; charset=UTF-8 > >vedaal at nym.hush.com wrote: >> BTW, >> There is a unique advantage to running gnupg from cygwin on >> windows, as it's the only way to make use of unix-like commands, >> (cat, grep, printf, etc.) and pipe them to and from gnupg. > >ONLY? How much effort did you expend looking? > >The MinGW compiler folks provide a little environment called MSYS, >for Minimal >System. It's not meant to be a full-on environment like Cygwin, >even though it's >a fork of an earlier Cygwin, but provides bash and enough tools to >run most >configure scripts and do a reasonable amount of work. BTW, it's >faster than >Cygwin because it's emulating less. >IIRC, Mozilla based their Windows build environment on MSYS. > >In addition, there is Microsoft's Services for Unix which is the >old Interix >product >Another alternative is UWIN, from AT&T's David Korn and Glenn >Fowler. >(Umm, yeah /THAT/ Dave Korn.) One used to be able to point cc to >either the >MinGW gcc or to MS' CL. I haven't used it in a while. >That's just from memory. ----- Thanks, I knew about the MSYS method, but not about the others, but my point was about running gnupg from a flash drive. I was under the impression that there is no portable way to do that on a flashdrive that doesn't have these systems installed on the host computer, (Is there?? If anyone knows of a way to do it, please post. Thanks. 
The only way I could think of is to boot to ubuntu and run gnupg from there on the flash drive). So, even though gnupg compiled from cygwin can't be put on a flashdrive to run from windows, it does have the advantage of the unix-like commands. Sorry, about the 'ONLY' ... vedaal From John at enigmail.net Thu Sep 22 18:38:06 2011 From: John at enigmail.net (John Clizbe) Date: Thu, 22 Sep 2011 11:38:06 -0500 Subject: windows binary for gnupg 1.4.11 // compilation instructions posted In-Reply-To: <20110922141719.3CB3114DBA6@smtp.hushmail.com> References: <20110922141719.3CB3114DBA6@smtp.hushmail.com> Message-ID: <4E7B646E.5050106@enigmail.net> vedaal at nym.hush.com wrote: > > Thanks, > I knew about the MSYS method, but not about the others, > but my point was about running gnupg from a flash drive. > > I was under the impression that there is no portable way to do that > on a flashdrive that doesn't have these systems installed on the > host computer, > (Is there?? If anyone knows of a way to do it, please post. Thanks. > The only way I could think of is to boot to ubuntu and run gnupg > from there on the flash drive). It can be done, but it's nontrivial. I think it's more like Sisyphean IMHO :-(. To *securely* run gpg, or any other program, from portable media, use ldd or MS's Dependency Walker to see all the DLLs that need to be supplied locally from a trusted system. They need to go in the same directory as the gpg executable as Windows searches there first. At a minimum one needs these DLLs: libbz2, readline5, libz, libgcc_s_dw2-1.dll, probably be good to include msvcrt.dll as MinGW targets it. Then you have all the Windows DLLs to deal with. Are your copies 'safe'? Do you have all the dependencies of the initial dependencies? 
Here's a first pass at a list (these are examples from my builds, yours will not likely be the same):

JPClizbe at booboo ~
$ c:/Cygwin/bin/ldd $(which gpg)| sed -e 's/\/cygdrive//'
        ntdll.dll => /c/WINDOWS/system32/ntdll.dll (0x7c900000)
        kernel32.dll => /c/WINDOWS/system32/kernel32.dll (0x7c800000)
        ADVAPI32.DLL => /c/WINDOWS/system32/ADVAPI32.DLL (0x77dd0000)
        RPCRT4.dll => /c/WINDOWS/system32/RPCRT4.dll (0x77e70000)
        Secur32.dll => /c/WINDOWS/system32/Secur32.dll (0x77fe0000)
        libbz2-2.dll => /c/MinGW/bin/libbz2-2.dll (0x644c0000)
        msvcrt.dll => /c/WINDOWS/system32/msvcrt.dll (0x77c10000)
        libgcc_s_dw2-1.dll => /c/MinGW/bin/libgcc_s_dw2-1.dll (0x6e940000)
        readline5.dll => /c/MinGW/bin/readline5.dll (0x63e40000)
        MSVCP60.DLL => /c/WINDOWS/system32/MSVCP60.DLL (0x76080000)
        OLE32.dll => /c/WINDOWS/system32/OLE32.dll (0x774e0000)
        GDI32.dll => /c/WINDOWS/system32/GDI32.dll (0x77f10000)
        USER32.dll => /c/WINDOWS/system32/USER32.dll (0x7e410000)
        WSOCK32.DLL => /c/WINDOWS/system32/WSOCK32.DLL (0x71ad0000)
        WS2_32.dll => /c/WINDOWS/system32/WS2_32.dll (0x71ab0000)
        WS2HELP.dll => /c/WINDOWS/system32/WS2HELP.dll (0x71aa0000)
        libz-1.dll => /c/MinGW/bin/libz-1.dll (0x65500000)

Once one gets all those, then he can start on the keyserver helpers. gpgkeys_curl is fun. Here are just the local dependencies, none of the ones from Windows:

$ c:/Cygwin/bin/ldd $(which gpgkeys_curl)| sed -e 's/\/cygdrive//'| grep MinGW
        libcurl-4.dll => /c/MinGW/bin/libcurl-4.dll (0x70800000)
        libcares-2.dll => /c/MinGW/bin/libcares-2.dll (0x62d80000)
        cryptoeay32-0.9.8.dll => /c/MinGW/bin/cryptoeay32-0.9.8.dll (0x63000000)
        zlib1.dll => /c/MinGW/bin/zlib1.dll (0x61b80000)
        libidn-11.dll => /c/MinGW/bin/libidn-11.dll (0x69540000)
        libiconv-2.dll => /c/MinGW/bin/libiconv-2.dll (0x66000000)
        libintl-8.dll => /c/MinGW/bin/libintl-8.dll (0x61cc0000)
        libssh2-1.dll => /c/MinGW/bin/libssh2-1.dll (0x63b40000)
        ssleay32-0.9.8.dll => /c/MinGW/bin/ssleay32-0.9.8.dll (0x69240000)

And so on...
Now, you've got all your gpg-related exe files along with a closure of DLLs to be called. What are you going to do about the core Windows OS, device drivers or the actual hardware? Quick answer: probably nothing unless the machine is yours and under your full control. You cannot secure "everything" necessary to securely run gpg (or any other program) from a USB stick. Please don't delude yourself into thinking you can. You can't. Even with an encrypted file system, you still reach the point where you don't control things the rest of the way, and only iff you do, can it be made "secure," and in that case, why go to all this trouble in the first place? Put GnuPG on the machine and your keys and other data on the USB stick if you need them to be portable. The only way to securely run any program from a USB stick is on a computer you installed the OS (from a secure source - Is your Windows CD Genuine?), audited and have total control, and in that case you don't need the USB stick for the programs, only data you wish between machines of which you also have total control. Now, on the other hand, if your goal isn't security, just to be able to run the programs from an USB stick, you need the gpg and gpgkeys_* binaries along with the non Windows DLLS all in the same folder - It's several MB zipped up, cryptoeay is BIG. But I have to ask, why use gpg without security in mind? *UAYOR*YMMV*IANAL*NWEOI -- John P. Clizbe Inet: John ( a ) Mozilla DAWT net FSF Assoc #995 / FSFE Fellow #1797 hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Raise your hand if you know someone who is alive only because you did not want to spend time in jail From rjh at sixdemonbag.org Thu Sep 22 19:08:20 2011 From: rjh at sixdemonbag.org (Robert J. 
Hansen) Date: Thu, 22 Sep 2011 13:08:20 -0400 Subject: windows binary for gnupg 1.4.11 // compilation instructions posted In-Reply-To: <4E7B646E.5050106@enigmail.net> References: <20110922141719.3CB3114DBA6@smtp.hushmail.com> <4E7B646E.5050106@enigmail.net> Message-ID: <4E7B6B84.9040606@sixdemonbag.org> On 9/22/2011 12:38 PM, John Clizbe wrote: > probably be good to include msvcrt.dll as MinGW targets it. Also so that you're not depending on the host machine's MSVCRT.DLL. That .DLL is often targeted by malware: it makes such a perfect place to drop hook functions. (Putting that .DLL on the stick is a healthy practice, not a replacement for sane practices. Don't plug a USB stick into an untrusted machine, period, end of sentence: but in the event that one of your trusted machines gets compromised, having your own copy of MSVCRT.DLL on the USB stick may help prevent the spread of infection. *May*...) From vedaal at nym.hush.com Thu Sep 22 20:48:27 2011 From: vedaal at nym.hush.com (vedaal at nym.hush.com) Date: Thu, 22 Sep 2011 14:48:27 -0400 Subject: windows binary for gnupg 1.4.11 // compilation instructions posted Message-ID: <20110922184827.6315414DBA6@smtp.hushmail.com> John Clizbe John at enigmail.net wrote on Thu Sep 22 18:38:06 CEST 2011 : > It can be done, but it's nontrivial. I think it's more like Sisyphean IMHO :-(. OK, thought so, ;-) >You cannot secure "everything" necessary to securely run gpg (or any >other program) from a USB stick. >Please don't delude yourself into thinking you can. You can't. OK, not on windows, but maybe for my limited threat model I might be able to: My threat model doesn't include any 3 letter agencies, organized crime outfits, or malicious hackers out to get me, any of whom are capable of putting a hardware keylogger on a friend's laptop. Think of it as an 'envelope' threat model. I need an envelope, not a post-card, but don't need a trusted messenger to deliver my envelope by hand. 
So, if , for example, in a case where I don't have my laptop with me, (but I do have a usb with gpg and keyrings, and a miniDVD with ubuntu), then, assuming there is no keylogger on the borrowed laptop, what is the problem with booting from the ubuntu miniDVD, and running gnupg from ubuntu while accessing the keys from the usb, and writing to the usb? vedaal From John at enigmail.net Thu Sep 22 21:20:16 2011 From: John at enigmail.net (John Clizbe) Date: Thu, 22 Sep 2011 14:20:16 -0500 Subject: windows binary for gnupg 1.4.11 // compilation instructions posted In-Reply-To: <20110922184827.6315414DBA6@smtp.hushmail.com> References: <20110922184827.6315414DBA6@smtp.hushmail.com> Message-ID: <4E7B8A70.7060807@enigmail.net> vedaal at nym.hush.com wrote: > So, if , for example, in a case where I don't have my laptop with me, (but I > do have a usb with gpg and keyrings, and a miniDVD with ubuntu), > > then, assuming there is no keylogger on the borrowed laptop, what > is the problem with booting from the ubuntu miniDVD, and running > gnupg from ubuntu while accessing the keys from the usb, and > writing to the usb? You're also assuming no BIOS or UEFI rootkits :-) Whether that is or isn't a problem is up to you *UAYOR*YMMV*IANAL*NWEOI -- John P. 
Clizbe Inet: John ( a ) Mozilla DAWT net FSF Assoc #995 / FSFE Fellow #1797 hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Raise your hand if you know someone who is alive only because you did not want to spend time in jail From vedaal at nym.hush.com Thu Sep 22 21:59:09 2011 From: vedaal at nym.hush.com (vedaal at nym.hush.com) Date: Thu, 22 Sep 2011 15:59:09 -0400 Subject: windows binary for gnupg 1.4.11 // compilation instructions posted Message-ID: <20110922195909.3A14614DBA6@smtp.hushmail.com> John Clizbe John at enigmail.net wrote on Thu Sep 22 21:20:16 CEST 2011 : >You're also assuming no BIOS or UEFI rootkits :-) >Whether that is or isn't a problem is up to you Can these rootkits work when there is no mbr access? I'm booting from a dvd ubuntu install disk. No root information is available anyway, and the mbr on the hard drive isn't accessed. Now if these rootkits can copy the usb secring, then I might be worried. Can they?? Thanks, vedaal From rjh at sixdemonbag.org Thu Sep 22 22:07:07 2011 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 22 Sep 2011 16:07:07 -0400 Subject: windows binary for gnupg 1.4.11 // compilation instructions posted In-Reply-To: <20110922195909.3A14614DBA6@smtp.hushmail.com> References: <20110922195909.3A14614DBA6@smtp.hushmail.com> Message-ID: <4E7B956B.1070002@sixdemonbag.org> On 9/22/2011 3:59 PM, vedaal at nym.hush.com wrote: > Can these rootkits work when there is no mbr access? Yes. In fact, EFI/UEFI is more or less a replacement for MBRs. EFI/UEFI is almost the first thing through the CPU's brain upon booting. There's probably some on-chip microcode that executes first, but EFI/UEFI is, IIRC, the first off-CPU stuff that gets loaded and executed. The EFI/UEFI designers went to some lengths to harden the system against malware -- unfortunately they could only harden it, not immunize it. 
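Added example, not part of any poster's message: the dependency check John Clizbe describes earlier in this thread, turned into a script that reads ldd output, lists the DLLs still missing from the folder holding gpg.exe, and lists the DLLs that will come from the host machine instead. The ldd lines are a subset copied from his listing; the function names and the staging folder contents are constructed for the example.

```shell
#!/bin/sh
# classify_ldd: read ldd output ("name => path (0xaddr)") on stdin and print
# "host NAME" for DLLs resolved from the host's Windows directory and
# "local NAME" for everything else (MinGW builds and the like).
classify_ldd() {
    awk '$2 == "=>" && NF >= 3 {
        kind = (tolower($3) ~ /\/windows\//) ? "host" : "local"
        print kind, $1
    }'
}

# missing_from_bundle DIR: ldd output on stdin; prints each "local" DLL that
# is not in DIR. File names are compared case-insensitively, as Windows does.
missing_from_bundle() {
    bundle_dir=$1
    bundle_have=$(ls "$bundle_dir" 2>/dev/null | tr 'A-Z' 'a-z')
    classify_ldd | while read -r kind name; do
        [ "$kind" = local ] || continue
        lower=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        printf '%s\n' "$bundle_have" | grep -qxF -- "$lower" || echo "$name"
    done
}

# host_supplied: ldd output on stdin; prints the DLLs the host machine
# provides, i.e. the part of the closure the stick does not control.
host_supplied() {
    classify_ldd | awk '$1 == "host" { print $2 }'
}

# Subset of the ldd listing quoted in the thread.
LDD_SAMPLE='ntdll.dll => /c/WINDOWS/system32/ntdll.dll (0x7c900000)
kernel32.dll => /c/WINDOWS/system32/kernel32.dll (0x7c800000)
libbz2-2.dll => /c/MinGW/bin/libbz2-2.dll (0x644c0000)
msvcrt.dll => /c/WINDOWS/system32/msvcrt.dll (0x77c10000)
libgcc_s_dw2-1.dll => /c/MinGW/bin/libgcc_s_dw2-1.dll (0x6e940000)
readline5.dll => /c/MinGW/bin/readline5.dll (0x63e40000)
libz-1.dll => /c/MinGW/bin/libz-1.dll (0x65500000)'

# Constructed stand-in for the folder on the stick that holds gpg.exe.
STICK=$(mktemp -d)
trap 'rm -rf "$STICK"' EXIT
: > "$STICK/gpg.exe"
: > "$STICK/libbz2-2.dll"
: > "$STICK/READLINE5.DLL"

echo "Still to copy next to gpg.exe:"
printf '%s\n' "$LDD_SAMPLE" | missing_from_bundle "$STICK"
echo "Loaded from whatever host the stick is plugged into:"
printf '%s\n' "$LDD_SAMPLE" | host_supplied
```

msvcrt.dll shows up in the host-supplied list here because ldd resolved it from system32; copying it next to gpg.exe, as suggested in the thread, is a separate step this check does not perform.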
From vedaal at nym.hush.com Thu Sep 22 22:51:11 2011 From: vedaal at nym.hush.com (vedaal at nym.hush.com) Date: Thu, 22 Sep 2011 16:51:11 -0400 Subject: windows binary for gnupg 1.4.11 // compilation instructions posted Message-ID: <20110922205111.20E8F14DBA6@smtp.hushmail.com> Robert J. Hansen rjh at sixdemonbag.org wrote on Thu Sep 22 22:07:07 CEST 2011 : >The EFI/UEFI designers went to some lengths to harden the system against malware -- unfortunately they could only harden it, not immunize it. I know only very limited stuff about this, but I thought that this was mainly to check that copies of windows were 'non-pirated', and has come under some criticism that they might be able to exclude some from running linux OS's ... At any rate, my laptop motherboard, (and those of my friends), don't use the UEFI. My concern is, how vulnerable (in the 'real world' for my limited threat model, and non-UEFI motherboards), is it to run gnupg from a usb and an Ubuntu install disk, when booting bypasses the harddrive's mbr altogether, even considering known bios rootkit infections? (or are we drifting into really OT waters already? ;-) ) vedaal From rjh at sixdemonbag.org Thu Sep 22 22:59:12 2011 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 22 Sep 2011 16:59:12 -0400 Subject: windows binary for gnupg 1.4.11 // compilation instructions posted In-Reply-To: <20110922205111.20E8F14DBA6@smtp.hushmail.com> References: <20110922205111.20E8F14DBA6@smtp.hushmail.com> Message-ID: <4E7BA1A0.7030404@sixdemonbag.org> On 9/22/2011 4:51 PM, vedaal at nym.hush.com wrote: > I know only very limited stuff about this, but I thought that this > was mainly to check that copies of windows were 'non-pirated', and > has come under some criticism that they might be able to exclude some > from running linux OS's ... That's kind of like thinking that integrated circuits exist to run Windows. 
Windows is just one particular thing you can do with ICs, the same way that preventing end-users from installing their own operating systems is one particular thing you can do with UEFI. EFI was first developed by Intel for the Itanium processor/motherboards. Itanium was Intel's attempt at a clean break with the past, and not just in terms of architecture but in terms of the boot process. It was discovered EFI could be very useful for non-Itanium systems, and so the UEFI standard came about -- "Unified" EFI, which was able to support a large variety of systems. > My concern is, how vulnerable ... is it to run gnupg from a usb and > an Ubuntu install disk, when booting bypasses the harddrive's mbr > altogether, even considering known bios rootkit infections? This one's impossible to answer. Are you in an environment where BIOS rootkits are common? How do you know your answer to that question is correct? Etc., etc. From makrober at gmail.com Thu Sep 22 23:22:19 2011 From: makrober at gmail.com (M.R.) Date: Thu, 22 Sep 2011 21:22:19 +0000 Subject: windows binary for gnupg 1.4.11 In-Reply-To: <20110922195909.3A14614DBA6@smtp.hushmail.com> References: <20110922195909.3A14614DBA6@smtp.hushmail.com> Message-ID: <4E7BA70B.5060106@gmail.com> On 22/09/11 19:59, vedaal at nym.hush.com wrote: > I'm booting from a dvd ubuntu install disk. Yes, there are many threat models where operating from a PC that is unknown to the attacker to be associated with the particular target user will be easier to achieve than preventing the attacker to subvert the PC that is known to belong to him or her. Depending on circumstances, this will mean either booting from static removable media, or running the software without installation from a portable medium or device. Well designed security application should not ignore this fact and the need for this "drive-by" M.O. 
I consider the often heard argument "you must *never* run this software on computer that you don't own and control" as a poor excuse for inadequate design. Mark R. From beppecosta at yahoo.it Fri Sep 23 09:27:08 2011 From: beppecosta at yahoo.it (beppecosta) Date: Fri, 23 Sep 2011 00:27:08 -0700 (PDT) Subject: Compile PTH on AIX In-Reply-To: <32503854.post@talk.nabble.com> References: <28446986.post@talk.nabble.com> <87zl0etnr1.fsf@vigenere.g10code.de> <28462645.post@talk.nabble.com> <4BE19A3B.9050303@hammet.net> <28523361.post@talk.nabble.com> <87pr12poej.fsf@vigenere.g10code.de> <28592272.post@talk.nabble.com> <87r5k7wb9y.fsf@vigenere.g10code.de> <28902331.post@talk.nabble.com> <87k4pyx53m.fsf@vigenere.g10code.de> <28912285.post@talk.nabble.com> <32503854.post@talk.nabble.com> Message-ID: <32503856.post@talk.nabble.com> No. I rebuilt the previous version. omgparticle wrote: > > did you ever come up with a solution to this? > -- View this message in context: http://old.nabble.com/Compile-PTH-on-AIX-tp28446986p32503856.html Sent from the GnuPG - User mailing list archive at Nabble.com. From omgparticle at gmail.com Fri Sep 23 07:48:16 2011 From: omgparticle at gmail.com (omgparticle) Date: Thu, 22 Sep 2011 22:48:16 -0700 (PDT) Subject: Compile PTH on AIX In-Reply-To: <28912285.post@talk.nabble.com> References: <28446986.post@talk.nabble.com> <87zl0etnr1.fsf@vigenere.g10code.de> <28462645.post@talk.nabble.com> <4BE19A3B.9050303@hammet.net> <28523361.post@talk.nabble.com> <87pr12poej.fsf@vigenere.g10code.de> <28592272.post@talk.nabble.com> <87r5k7wb9y.fsf@vigenere.g10code.de> <28902331.post@talk.nabble.com> <87k4pyx53m.fsf@vigenere.g10code.de> <28912285.post@talk.nabble.com> Message-ID: <32503854.post@talk.nabble.com> did you ever come up with a solution to this? -- View this message in context: http://old.nabble.com/Compile-PTH-on-AIX-tp28446986p32503854.html Sent from the GnuPG - User mailing list archive at Nabble.com. 
From r.f.wolpert at gmail.com Sat Sep 24 04:46:48 2011 From: r.f.wolpert at gmail.com (Rembrandt Wolpert) Date: Fri, 23 Sep 2011 21:46:48 -0500 Subject: Erratic passphrase recognition (gpg (GnuPG/MacGPG2) 2.0.17) Message-ID: <4E7D4498.8000205@gmail.com> I am new to gpg -- and I am confronted by a weird, erratic behaviour of gpg: sometimes it recognises my passphrase, sometimes (alas, a lot of the time!) it doesn't. Since I can make the passphrase in pinentry visible I know that I am making no typing mistake. Any advice what I should do? Many thanks, Rembrandt PS. It just right now doesn't let me sign this email... From ivan at gray.siamics.net Mon Sep 26 12:45:18 2011 From: ivan at gray.siamics.net (Ivan Shmakov) Date: Mon, 26 Sep 2011 17:45:18 +0700 Subject: GnuPG users (or DD's) in Krasnoyarsk or Novosibirsk, Russia? Message-ID: <86k48vfupt.fsf@gray.siamics.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [Sorry for multi-posting.] I'm curious if there're any GnuPG users interested in public key data exchange in either Krasnoyarsk, Krasnoyarsk Krai, Russia, or Novosibirsk, Novosibirsk Oblast, Russia? I expect to be at Novosibirsk this Friday (2011-09-30), and the next Sunday (2011-10-02), and at Krasnoyarsk this Saturday (2011-10-01; local time all.) I'm especially interested in meeting a Debian Developer, since I may become interested in applying for a D-M this or the next year. Please reply me off-list to choose a meeting place.
- -- FSF associate member #7257 From luca at pca.it Mon Sep 26 14:33:34 2011 From: luca at pca.it (Luca Capello) Date: Mon, 26 Sep 2011 14:33:34 +0200 Subject: Posting rules for the gnupg-devel@ mailing list In-Reply-To: <8762kmqm79.fsf@vigenere.g10code.de> (Werner Koch's message of "Wed, 21 Sep 2011 11:27:54 +0200") References: <8739fr2n0v.fsf@gismo.pca.it> <20110920200452.GA2988@straylight.m.ringlet.net> <8762kmqm79.fsf@vigenere.g10code.de> Message-ID: <87sjnjo541.fsf@gismo.pca.it> Hi there! Please Cc: me, I am not subscribed to the list. On Wed, 21 Sep 2011 11:27:54 +0200, Werner Koch wrote: > On Tue, 20 Sep 2011 22:04, roam at ringlet.net said: > >> Not necessarily. I believe that this is just greylisting in action - >> http://en.wikipedia.org/wiki/Greylisting > > Right. As I wrote in my previous email, greylisting is not the problem. > However, post from non-subscribers need to be moderated. That may take a > while. We have a couple of volunteers who that job for many years now > without most people noticing it. > > Many thanks to them.
I agree with the thanks, not with the fact that non-subscribers need to be moderated (and greylisting is already a moderation), but it is your project, so you decide ;-) On Wed, 21 Sep 2011 16:45:37 +0200, Werner Koch wrote: > On Wed, 21 Sep 2011 10:40, luca at pca.it said: > >> the log above. The problem is that there is no sign of my email above, >> not even the in-moderation notification. I will try to re-send it... > > Sending such notification back to the spammers is not a good idea. You > either have to wait - or better - subscribe to the ML. I do not see the point in not sending notifications: 1) I would be interested to know how many spam emails passes greylisting. 2) given the fact that there is no SMTP error message and no notification, there is no way for the sender to know what happened with her/his email, which is a bit unfair. 3) not having notifications also means that you can not cancel your email, which could result in duplicate posts. Really, I do not have any problem with waiting (if I know that I have to), but the above seems overcomplicated. FTR, I subscribed to the gnupg-devel@ mailing list and re-sent my email: Thx, bye, Gismo / Luca -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 835 bytes Desc: not available URL: From wk at gnupg.org Tue Sep 27 09:09:38 2011 From: wk at gnupg.org (Werner Koch) Date: Tue, 27 Sep 2011 09:09:38 +0200 Subject: Posting rules for the gnupg-devel@ mailing list In-Reply-To: <87sjnjo541.fsf@gismo.pca.it> (Luca Capello's message of "Mon, 26 Sep 2011 14:33:34 +0200") References: <8739fr2n0v.fsf@gismo.pca.it> <20110920200452.GA2988@straylight.m.ringlet.net> <8762kmqm79.fsf@vigenere.g10code.de> <87sjnjo541.fsf@gismo.pca.it> Message-ID: <87r532jwb1.fsf@vigenere.g10code.de> On Mon, 26 Sep 2011 14:33, luca at pca.it said: > 1) I would be interested to know how many spam emails passes > greylisting. Way too many. 
> 2) given the fact that there is no SMTP error message and no > notification, there is no way for the sender to know what happened > with her/his email, which is a bit unfair. Posting are also distributed to the poster. > 3) not having notifications also means that you can not cancel your > email, which could result in duplicate posts. You can't do that anyway. > Really, I do not have any problem with waiting (if I know that I have > to), but the above seems overcomplicated. We have a pretty good track record regarding spam and thus I see no reason to change the subscribe-only policy. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From achim.cloer at cloer.de Mon Sep 26 23:11:54 2011 From: achim.cloer at cloer.de (Achim Cloer) Date: Mon, 26 Sep 2011 23:11:54 +0200 Subject: restoring SmartCard key with off-card copy Message-ID: <4E80EA9A.5070909@cloer.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dear Users on this list, we are planing to deploy PGP in our team with Smartcards. Currently we are testing and learning... We found the following problem: During generating the keys, the pgp card is also generating a off-card copy. But we fail to import this backup into OpenPGP. The error message is "User-ID is missing". But the User-ID was given during generating the key. I can not find any documentation how to handle this off-card-copy. How to import or how to write it back to a card directly. Is there anybody who can help me? Unfortunately I am using PGP with WinXP, luckily with Thunderbird and Enigmail. I also tried the command line interface under windows but also without any success. Thanks! 
Kim

From luca at pca.it Tue Sep 27 09:39:17 2011
From: luca at pca.it (Luca Capello)
Date: Tue, 27 Sep 2011 09:39:17 +0200
Subject: Posting rules for the gnupg-devel@ mailing list
In-Reply-To: <87r532jwb1.fsf@vigenere.g10code.de> (Werner Koch's message of "Tue, 27 Sep 2011 09:09:38 +0200")
References: <8739fr2n0v.fsf@gismo.pca.it> <20110920200452.GA2988@straylight.m.ringlet.net> <8762kmqm79.fsf@vigenere.g10code.de> <87sjnjo541.fsf@gismo.pca.it> <87r532jwb1.fsf@vigenere.g10code.de>
Message-ID: <87zkhqbfiy.fsf@gismo.pca.it>

Hi there!

Please Cc: me, I am not subscribed to the list.

Thank you for having answered my questions.

On Tue, 27 Sep 2011 09:09:38 +0200, Werner Koch wrote:
> On Mon, 26 Sep 2011 14:33, luca at pca.it said:
>> 2) given the fact that there is no SMTP error message and no
>> notification, there is no way for the sender to know what happened
>> with her/his email, which is a bit unfair.
>
> Postings are also distributed to the poster.

Do you mean that when a moderated post is accepted the poster receives a copy? This is not the case for gnupg-users@, I have never received my posts.

And this happens way too late: it is more than a week now since my first attempt to post to gnupg-devel@ and still I do not have any news of that.
I do not know if this is because, as you wrote, moderation (thanks to the hidden work of volunteers I, as you, am thankful to) or because my first email got lost on the ns1.u64.de server (which is the question I ask at the very beginning).

While I do not care anymore (I am now subscribed to gnupg-devel@, at least until the environment file issue will be solved), I would like to be sure it is not a problem on my side (my SMTP server or how I sent the email), to avoid any consequence.

>> 3) not having notifications also means that you can not cancel your
>> email, which could result in duplicate posts.
>
> You can't do that anyway.

I was surprised as well to discover that such an option exists! Here is the moderation email I received in reply to my last post to gnupg-users@, check at the very end:

--8<---------------cut here---------------start------------->8---
Subject: Your message to Gnupg-users awaits moderator approval
From: gnupg-users-bounces at gnupg.org
To: luca at pca.it
Message-ID:
Date: Tue, 20 Sep 2011 19:09:49 +0200
Precedence: bulk
X-BeenThere: gnupg-users at gnupg.org
X-Mailman-Version: 2.1.12rc1
List-Id: Help and discussion among users of GnuPG
X-List-Administrivia: yes
Sender: gnupg-users-bounces+luca=pca.it at gnupg.org
Errors-To: gnupg-users-bounces+luca=pca.it at gnupg.org

Your mail to 'Gnupg-users' with the subject

    Posting rules for the gnupg-devel@ mailing list

Is being held until the list moderator can review it for approval.

The reason it is being held:

    Post by non-member to a members-only list

Either the message will get posted to the list, or you will receive notification of the moderator's decision.
If you would like to cancel this posting, please visit the following URL:

    http://lists.gnupg.org/mailman/confirm/gnupg-users/1392af50e53d2d3772ba1cc94074f746b0dddeb0
--8<---------------cut here---------------end--------------->8---

>> Really, I do not have any problem with waiting (if I know that I have
>> to), but the above seems overcomplicated.
>
> We have a pretty good track record regarding spam and thus I see no
> reason to change the subscribe-only policy.

And, to be clear, I have never asked for that to be changed.

Thx, bye,
Gismo / Luca
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: not available
URL:

From wk at gnupg.org Tue Sep 27 14:11:46 2011
From: wk at gnupg.org (Werner Koch)
Date: Tue, 27 Sep 2011 14:11:46 +0200
Subject: Posting rules for the gnupg-devel@ mailing list
In-Reply-To: <87zkhqbfiy.fsf@gismo.pca.it> (Luca Capello's message of "Tue, 27 Sep 2011 09:39:17 +0200")
References: <8739fr2n0v.fsf@gismo.pca.it> <20110920200452.GA2988@straylight.m.ringlet.net> <8762kmqm79.fsf@vigenere.g10code.de> <87sjnjo541.fsf@gismo.pca.it> <87r532jwb1.fsf@vigenere.g10code.de> <87zkhqbfiy.fsf@gismo.pca.it>
Message-ID: <87ipoejibh.fsf@vigenere.g10code.de>

On Tue, 27 Sep 2011 09:39, luca at pca.it said:

> Please Cc: me, I am not subscribed to the list.

Set your MFT header properly and MUAs will CC you.

> And this happens way too late: it is more than a week now since my first
> attempt to post to gnupg-devel@ and still I do not have any news of

If you have such problems with it - and you are the first one in ~13 years to insist that is a problem - then simply subscribe.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are governed by federal law.
From achim.cloer at cloer.com Tue Sep 27 15:49:26 2011
From: achim.cloer at cloer.com (Achim Cloer)
Date: Tue, 27 Sep 2011 15:49:26 +0200
Subject: restoring SmartCard key with off-card copy
In-Reply-To: <4E81D3E1.5040107@cloer.de>
References: <4E81D3E1.5040107@cloer.de>
Message-ID: <4E81D466.7060805@cloer.com>

Dear Users on this list,

we are planning to deploy PGP in our team with Smartcards. Currently we are testing and learning... We found the following problem:

During generating the keys, the pgp card is also generating an off-card copy. But we fail to import this backup into OpenPGP. The error message is "User-ID is missing". But the User-ID was given during generating the key.

I can not find any documentation how to handle this off-card-copy. How to import or how to write it back to a card directly.

Is there anybody who can help me?

Unfortunately I am using PGP with WinXP, luckily with Thunderbird and Enigmail. I also tried the command line interface under windows but also without any success.

Thanks!

Achim

From peter at digitalbrains.com Tue Sep 27 17:22:45 2011
From: peter at digitalbrains.com (Peter Lebbing)
Date: Tue, 27 Sep 2011 17:22:45 +0200
Subject: restoring SmartCard key with off-card copy
In-Reply-To: <4E80EA9A.5070909@cloer.de>
References: <4E80EA9A.5070909@cloer.de>
Message-ID: <4E81EA45.3000006@digitalbrains.com>

On 26/09/11 23:11, Achim Cloer wrote:
> During generating the keys, the pgp card is also generating an off-card copy.
> But we fail to import this backup into OpenPGP.

It's been a while since I played with it, but it worked then.

From the man page, under --edit-key:

    bkuptocard file
        Restore the given file to a card. This command may be used to restore a backup key (as generated during card initialization) to a new card. In almost all cases this will be the encryption key. You should use this command only with the corresponding public key and make sure that the file given as argument is indeed the backup to restore.
        You should then select 2 to restore as encryption key. You will first be asked to enter the passphrase of the backup key and then for the Admin PIN of the card.

So you can restore the key to the card using that command, after starting the following from the command prompt:

    gpg --edit-key

And the reason you can't import it as a normal secret key, is that the backup is purely the RSA secret material instead of the bundle of information referred to as a secret key in OpenPGP.

Your first message made it to the list, by the way.

Good luck,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt

From achim.cloer at cloer.de Tue Sep 27 15:47:13 2011
From: achim.cloer at cloer.de (Achim Cloer)
Date: Tue, 27 Sep 2011 15:47:13 +0200
Subject: Fwd: bulk an achim.cloer@cloer.de restoring SmartCard key with off-card copy
In-Reply-To: <4E80EA9A.5070909@cloer.de>
References: <4E80EA9A.5070909@cloer.de>
Message-ID: <4E81D3E1.5040107@cloer.de>

Dear Users on this list,

we are planning to deploy PGP in our team with Smartcards. Currently we are testing and learning... We found the following problem:

During generating the keys, the pgp card is also generating an off-card copy. But we fail to import this backup into OpenPGP. The error message is "User-ID is missing". But the User-ID was given during generating the key.

I can not find any documentation how to handle this off-card-copy. How to import or how to write it back to a card directly.

Is there anybody who can help me?

Unfortunately I am using PGP with WinXP, luckily with Thunderbird and Enigmail. I also tried the command line interface under windows but also without any success.

Thanks!
Achim

From wk at gnupg.org Wed Sep 28 09:15:19 2011
From: wk at gnupg.org (Werner Koch)
Date: Wed, 28 Sep 2011 09:15:19 +0200
Subject: restoring SmartCard key with off-card copy
In-Reply-To: <4E80EA9A.5070909@cloer.de> (Achim Cloer's message of "Mon, 26 Sep 2011 23:11:54 +0200")
References: <4E80EA9A.5070909@cloer.de>
Message-ID: <87oby5jfy0.fsf@vigenere.g10code.de>

On Mon, 26 Sep 2011 23:11, achim.cloer at cloer.de said:

> we are planning to deploy PGP in our team with Smartcards.

I assume you mean GnuPG, which has - like PGP - an implementation of the OpenPGP standard.

> During generating the keys, the pgp card is also generating an off-card
> copy. But we fail to import this backup into OpenPGP. The error

...into GPG ;-)

> message is "User-ID is missing". But the User-ID was given during

To restore a key you need to use gpg's edit-key command. That requires that you pass it a key-id or a user-id. You should give the key-id which was stored on the card. Note that the public key as well as the secret-key stub are not stored on the card.

The backup file only contains the parts of the key which will be stored on the card. After the --edit-key prompt is shown, enter the command "bkuptocard" and follow the instructions.
If you don't have the public key available, you may give any other key-id to enter the key-edit menu.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are governed by federal law.

From achim.cloer at cloer.com Wed Sep 28 12:09:29 2011
From: achim.cloer at cloer.com (Achim Cloer)
Date: Wed, 28 Sep 2011 12:09:29 +0200
Subject: restoring SmartCard key with off-card copy
In-Reply-To: <87oby5jfy0.fsf@vigenere.g10code.de>
References: <4E80EA9A.5070909@cloer.de> <87oby5jfy0.fsf@vigenere.g10code.de>
Message-ID: <4E82F259.2070703@cloer.com>

Thank you Werner!

On 28.09.2011 09:15, Werner Koch wrote:
> The backup file only contains the parts of the key which will be
> stored on the card. After the --edit-key prompt is shown, enter
> the command "bkuptocard" and follow the instructions. If you don't
> have the public key available, you may give any other key-id to
> enter the key-edit menu.

Is there any possibility to import the off-card-backup into a normal keyring in GPG without using a SmartCard?

Thank you!
Regards,
Achim

From wk at gnupg.org Wed Sep 28 15:50:54 2011
From: wk at gnupg.org (Werner Koch)
Date: Wed, 28 Sep 2011 15:50:54 +0200
Subject: restoring SmartCard key with off-card copy
In-Reply-To: <4E82F259.2070703@cloer.com> (Achim Cloer's message of "Wed, 28 Sep 2011 12:09:29 +0200")
References: <4E80EA9A.5070909@cloer.de> <87oby5jfy0.fsf@vigenere.g10code.de> <4E82F259.2070703@cloer.com>
Message-ID: <87k48skc75.fsf@vigenere.g10code.de>

On Wed, 28 Sep 2011 12:09, achim.cloer at cloer.com said:

> Is there any possibility to import the off-card-backup into a normal
> keyring in GPG without using a SmartCard?

There is no feature for it. You may use gpgsplit to manually construct a key from such a backup. You need to take the keybinding signature etc from the matching public key. I have not tried it, though.

If you look on the backup file using "gpg --list-packets" you will see that it is a standard secret key packet - but just that packet without any self-signatures or user-ids.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are governed by federal law.
From peter at digitalbrains.com Wed Sep 28 16:54:57 2011
From: peter at digitalbrains.com (Peter Lebbing)
Date: Wed, 28 Sep 2011 16:54:57 +0200
Subject: restoring SmartCard key with off-card copy
In-Reply-To: <87k48skc75.fsf@vigenere.g10code.de>
References: <4E80EA9A.5070909@cloer.de> <87oby5jfy0.fsf@vigenere.g10code.de> <4E82F259.2070703@cloer.com> <87k48skc75.fsf@vigenere.g10code.de>
Message-ID: <4E833541.4090605@digitalbrains.com>

On 28/09/11 15:50, Werner Koch wrote:
> There is no feature for it. You may use gpgsplit to manually construct
> a key from such a backup. You need to take the keybinding signature etc
> from the matching public key. I have not tried it, though.

I'm fairly sure I tried it and it worked. It's a while ago, so I won't testify in court on that ;). Just export the "secret key" from GnuPG (actually with the divert-to-card stub), gpgsplit it, and replace the stub with that off-card backup.

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt

From root at ftc.br Wed Sep 28 13:46:10 2011
From: root at ftc.br (Bolin qu)
Date: Wed, 28 Sep 2011 19:46:10 +0800
Subject: Looking for 3G smartphone partner and cooperator
Message-ID:

Hello,my friend:

How are you recently? i hope everything is very well with you now.
This is your friend_bolin worked in 3G T-smart communications factory as a sales man and tooling manager, Our company has many years experience in providing the brand owners and wholesalers all over the world with professional products and OEM, ODM services.and we're the strategic partner with China Mobile.
Attached is our newest product presentation for you reference. if any style meets your interest,please don't hesitate to contact me!

BRS!
------------------
Bolin qu,Oversea sales and tooling manager
T-smart communications equipment Co.,LTD.(China mobile Partner)
Add:B-D,8 Floor,Hanjing International building,Nanshan District,Shenzhen City,PRC
MP:+86 13602649836 skype:bolin.qu
Email: slsimonqbl at gmail.com or bolinqudoov at live.cn
TEL:0755-83534040/25315393 FAX:0755-83584225

From thajsta at gmail.com Wed Sep 28 21:08:45 2011
From: thajsta at gmail.com (Jonathan Ely)
Date: Wed, 28 Sep 2011 15:08:45 -0400
Subject: Looking for 3G smartphone partner and cooperator
In-Reply-To:
References:
Message-ID: <4E8370BD.5010503@gmail.com>

On 28/09/2011 07:46 AM, Bolin qu wrote:
> Hello,my friend:
>
> How are you recently? i hope everything is very well with you now.
> This is your friend_bolin worked in 3G T-smart communications factory as a sales man and tooling manager, Our company has many years experience in providing the brand owners and wholesalers all over the world with professional products and OEM, ODM services.and we're the strategic partner with China Mobile.
> Attached is our newest product presentation for you reference. if any style meets your interest,please don't hesitate to contact me!
>
> BRS!
> ------------------
> Bolin qu,Oversea sales and tooling manager
> T-smart communications equipment Co.,LTD.(China mobile Partner)
> Add:B-D,8 Floor,Hanjing International building,Nanshan District,Shenzhen City,PRC
> MP:+86 13602649836 skype:bolin.qu
> Email: slsimonqbl at gmail.com or bolinqudoov at live.cn
> TEL:0755-83534040/25315393 FAX:0755-83584225
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

Nothing but a spammer. Get off the list or whomever controls the list should ban this fool for good.

--
Brotha J.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0xDA74EEF3.asc
Type: application/pgp-keys
Size: 3102 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 834 bytes
Desc: OpenPGP digital signature
URL:

From hipaaware at yahoo.com Wed Sep 28 22:33:54 2011
From: hipaaware at yahoo.com (Priya Ranjan)
Date: Wed, 28 Sep 2011 13:33:54 -0700 (PDT)
Subject: No subject
Message-ID: <1317242034.25209.YahooMailNeo@web36904.mail.mud.yahoo.com>

Dear Gnupg users,

I am having problems installing Gnupg on Solaris 10, and am getting library not found messages from the configure script. Any help from you is greatly appreciated !

Regards
-Priya-

This is what I basically did.

1) I untar 'ed the build libraries from required tar files from below sites ;

ftp://ftp.gnupg.org/gcrypt/libgpg-error/
ftp://ftp.gnupg.org/gcrypt/libgcrypt/
ftp://ftp.gnupg.org/gcrypt/libassuan/
ftp://ftp.gnupg.org/gcrypt/libksba/
ftp://ftp.gnupg.org/gcrypt/pinentry/
ftp://ftp.gnu.org/gnu/make/
ftp://ftp.gnu.org/gnu/pth/

2) After unzip/untar, formed below directories:

Under /export/apps/gnupg

egate> dirs
drwxr-xr-x   gnupg-2.0.17
drwxr-xr-x   libassuan-2.0.2
drwxr-xr-    libgcrypt-1.5.0
drwxr-xr-x   libgpg-error-1.9
drwxr-xr-    libksba-1.2.0
drwxr-xr-    make-3.82
drwxr-xr-    pth-2.0.7

3) I ran "build.sh" file in downloaded make directory ( /export/apps/gnupg/make-3.82 ). I think that activated "make" command. Then I ran make in same directory.

4) Ran "configure" in /export/apps/gnupg/libgpg-error-1.9

>> ./configure
...
config.status: creating config.h
config.status: config.h is unchanged
config.status: executing depfiles commands
config.status: executing libtool commands
config.status: executing po-directories commands
config.status: creating po/POTFILES
config.status: creating po/Makefile

    Libgpg-error v1.9 has been configured as follows:

    Platform:  sparc-sun-solaris2.10
>>

6) Ran "make" command in /export/apps/gnupg/libgpg-error-1.9

7) But, when I try to build the libgcrypt, I get below error.

>> pwd
/export/apps/gnupg/libgcrypt-1.5.0

>> ./configure
...
checking which public-key ciphers to include... dsa elgamal rsa ecc
checking which message digests to include... crc md4 md5 rmd160 sha1 sha256 sha512 tiger whirlpool
checking which random module to use... default
checking whether use of /dev/random is requested... yes
checking whether the experimental random daemon is requested... no
checking whether MPI assembler modules are requested... yes
checking whether memory guard is requested... no
checking whether use of capabilities is requested... no
checking whether a HMAC binary check is requested... no
checking whether padlock support is requested... yes
checking whether AESNI support is requested... yes
checking whether a -O flag munging is requested... yes
checking for gpg-error-config... no
checking for GPG Error - version >= 1.8... no
Configure: error: libgpg-error is needed.
                See ftp://ftp.gnupg.org/gcrypt/libgpg-error/.
>>

Seems - libgcrypt appears to depend on libgpg-error, and I haven't successfully built libgpg-error.

8) The libgpg-error build installed the library somewhere that the libgcrypt or libassuan build can't find - looking back at the log of the build, could not find exact install the library file?
I added the path /export/apps/gnupg/libgpg-error-1.9 to the $LD_LIBRARY_PATH environment variable in .profile. Still does not recognize the libgpg-error !

9) Tried to build libassuan ; same error as above.

>> cd libassuan in Folder /export/apps/gnupg/libassuan-2.0.2
>> ./configure
>
> Still getting message:
>
> checking for gpg-error-config... no
> checking for GPG Error - version >= 1.8... no
> configure: error: libgpg-error was not found
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From hipaaware at yahoo.com Wed Sep 28 22:35:47 2011
From: hipaaware at yahoo.com (Priya Ranjan)
Date: Wed, 28 Sep 2011 13:35:47 -0700 (PDT)
Subject: Gnupg2 Install on Solaris 10 Problem.
In-Reply-To: <1317242034.25209.YahooMailNeo@web36904.mail.mud.yahoo.com>
References: <1317242034.25209.YahooMailNeo@web36904.mail.mud.yahoo.com>
Message-ID: <1317242147.49940.YahooMailNeo@web36902.mail.mud.yahoo.com>

Dear Gnupg users,

I am having problems installing Gnupg on Solaris 10, and am getting library not found messages from the configure script. Any help from you is greatly appreciated !

Regards
-Priya-

This is what I basically did.

1) I untar 'ed the build libraries from required tar files from below sites ;

ftp://ftp.gnupg.org/gcrypt/libgpg-error/
ftp://ftp.gnupg.org/gcrypt/libgcrypt/
ftp://ftp.gnupg.org/gcrypt/libassuan/
ftp://ftp.gnupg.org/gcrypt/libksba/
ftp://ftp.gnupg.org/gcrypt/pinentry/
ftp://ftp.gnu.org/gnu/make/
ftp://ftp.gnu.org/gnu/pth/

2) After unzip/untar, formed below directories:

Under /export/apps/gnupg

egate> dirs
drwxr-xr-x   gnupg-2.0.17
drwxr-xr-x   libassuan-2.0.2
drwxr-xr-    libgcrypt-1.5.0
drwxr-xr-x   libgpg-error-1.9
drwxr-xr-    libksba-1.2.0
drwxr-xr-    make-3.82
drwxr-xr-    pth-2.0.7
3) I ran "build.sh" file in downloaded make directory ( /export/apps/gnupg/make-3.82 ). I think that activated "make" command. Then I ran make in same directory.

4) Ran "configure" in /export/apps/gnupg/libgpg-error-1.9

>> ./configure
...
config.status: creating config.h
config.status: config.h is unchanged
config.status: executing depfiles commands
config.status: executing libtool commands
config.status: executing po-directories commands
config.status: creating po/POTFILES
config.status: creating po/Makefile

    Libgpg-error v1.9 has been configured as follows:

    Platform:  sparc-sun-solaris2.10
>>

6) Ran "make" command in /export/apps/gnupg/libgpg-error-1.9

7) But, when I try to build the libgcrypt, I get below error.

>> pwd
/export/apps/gnupg/libgcrypt-1.5.0

>> ./configure
...
checking which public-key ciphers to include... dsa elgamal rsa ecc
checking which message digests to include... crc md4 md5 rmd160 sha1 sha256 sha512 tiger whirlpool
checking which random module to use... default
checking whether use of /dev/random is requested... yes
checking whether the experimental random daemon is requested... no
checking whether MPI assembler modules are requested... yes
checking whether memory guard is requested... no
checking whether use of capabilities is requested... no
checking whether a HMAC binary check is requested... no
checking whether padlock support is requested... yes
checking whether AESNI support is requested... yes
checking whether a -O flag munging is requested... yes
checking for gpg-error-config... no
checking for GPG Error - version >= 1.8... no
Configure: error: libgpg-error is needed.
                See ftp://ftp.gnupg.org/gcrypt/libgpg-error/.
>>

Seems - libgcrypt appears to depend on libgpg-error, and I haven't successfully built libgpg-error.

8) The libgpg-error build installed the library somewhere that the libgcrypt or libassuan build can't find - looking back at the log of the build, could not find exact install the library file?

I added the path /export/apps/gnupg/libgpg-error-1.9 to the $LD_LIBRARY_PATH environment variable in .profile. Still does not recognize the libgpg-error !

9) Tried to build libassuan ; same error as above.

>> cd libassuan in Folder /export/apps/gnupg/libassuan-2.0.2
>> ./configure
>
> Still getting message:
>
> checking for gpg-error-config... no
> checking for GPG Error - version >= 1.8... no
> configure: error: libgpg-error was not found
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From crimer at crimer90.co.cc Thu Sep 29 00:12:51 2011
From: crimer at crimer90.co.cc (Simone Cianfriglia)
Date: Thu, 29 Sep 2011 00:12:51 +0200
Subject: Gnupg2 Install on Solaris 10 Problem.
In-Reply-To: <1317242147.49940.YahooMailNeo@web36902.mail.mud.yahoo.com>
References: <1317242034.25209.YahooMailNeo@web36904.mail.mud.yahoo.com> <1317242147.49940.YahooMailNeo@web36902.mail.mud.yahoo.com>
Message-ID:

Hi Priya,

I'm not an expert of Solaris 10 on Sparc architecture, however I might have found your problem in the procedure you followed.

> 1) I untar 'ed the build libraries from required tar files
> 2) After unzip/untar, formed below directories [...]
> 3) I ran "build.sh" file in downloaded make directory
> Then I ran make in same directory.
> 4) Ran "configure" in /export/apps/gnupg/libgpg-error-1.9
> 6) Ran "make" command in /export/apps/gnupg/libgpg-error-1.9
> 7) But, when I try to build the libgcrypt, I get below error.
> [...]
> checking for gpg-error-config... no
> checking for GPG Error - version >= 1.8... no
> Configure: error: libgpg-error is needed.
> See ftp://ftp.gnupg.org/gcrypt/libgpg-error/ .
>
> Seems - libgcrypt appears to depend on libgpg-error, and I haven't
> successfully built libgpg-error.

That's true, libgcrypt depends on libgpg-error.

> 8) The libgpg-error build installed the library somewhere that the
> libgcrypt or libassuan build can't find - looking back at the log of
> the build, could not find exact install the library file?

What I'm seeing here (and what I'm reading from your procedure) is that you didn't do the "make install" pass. That's why your ./configure script can't find the library on the system.

> I added the path /export/apps/gnupg/libgpg-error-1.9 to the
> $LD_LIBRARY_PATH environment variable in .profile. Still does not
> recognize the libgpg-error !

It'll be useful only if the directory you added is the one which contains the library file. Search in subdirectories!

You can resolve this issue by installing the library with make install. Of course, if you want to make your system clean from that external software, you can set the installation path with the --prefix parameter at ./configure.

> 9) Tried to build libassuan ; same error as above.

See above.

Hope it helps. Forgive me if I wrote something wrong for Solaris...
Regards and good luck,
Simone

From wk at gnupg.org Thu Sep 29 18:28:56 2011
From: wk at gnupg.org (Werner Koch)
Date: Thu, 29 Sep 2011 18:28:56 +0200
Subject: Looking for 3G smartphone partner and cooperator
In-Reply-To: <4E8370BD.5010503@gmail.com> (Jonathan Ely's message of "Wed, 28 Sep 2011 15:08:45 -0400")
References: <4E8370BD.5010503@gmail.com>
Message-ID: <877h4ria7r.fsf@vigenere.g10code.de>

On Wed, 28 Sep 2011 21:08, thajsta at gmail.com said:

> Nothing but a spammer. Get off the list or whomever controls the list
> should ban this fool for good.

Not subscribed, thus probably accidentally approved.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are governed by federal law.

From wk at gnupg.org Thu Sep 29 18:37:31 2011
From: wk at gnupg.org (Werner Koch)
Date: Thu, 29 Sep 2011 18:37:31 +0200
Subject: Gnupg2 Install on Solaris 10 Problem.
In-Reply-To: <1317242147.49940.YahooMailNeo@web36902.mail.mud.yahoo.com> (Priya Ranjan's message of "Wed, 28 Sep 2011 13:35:47 -0700 (PDT)")
References: <1317242034.25209.YahooMailNeo@web36904.mail.mud.yahoo.com> <1317242147.49940.YahooMailNeo@web36902.mail.mud.yahoo.com>
Message-ID: <8739ffi9tg.fsf@vigenere.g10code.de>

On Wed, 28 Sep 2011 22:35, hipaaware at yahoo.com said:

> ftp://ftp.gnu.org/gnu/make/

There should be no need for GNU make, a standard make is sufficient.

You need to build in the right order:

1. Build and install pth
2. Build and install libgpg-error
3. Build and install libgcrypt
4. Build and install libassuan
5. Build and install libksba
6. Build gnupg
7. Most likely you want to install gnupg now

The install steps for the libraries are important. A library needs to be installed so that the next build is able to detect it.

Pinentry is no hard dependency, you may build it before or after gnupg.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are governed by federal law.

From hipaaware at yahoo.com Thu Sep 29 20:29:33 2011
From: hipaaware at yahoo.com (Priya Ranjan)
Date: Thu, 29 Sep 2011 11:29:33 -0700 (PDT)
Subject: Gnupg2 Install on Solaris 10 Problem.
Message-ID: <1317320973.97546.androidMobile@web36903.mail.mud.yahoo.com>

Simone

Many thanks. I got a message Permission denied from the make install script. Maybe because I didn't come as root ; was rather doing a 'sudo su'.

I'll update you after working with Admin.

Regards
Priya
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From Kevin.Williams at gkndriveline.com Fri Sep 30 19:36:03 2011
From: Kevin.Williams at gkndriveline.com (Kevin Williams (DL))
Date: Fri, 30 Sep 2011 13:36:03 -0400
Subject: Obtaining different script results than via command line
Message-ID:

Hello,

I am using gpg on a Linux system. When I am using the following command line to create an encrypted output I get a compatible output file.

    gpg --armor --recipient "AFG_PROD" --output file.txt.pgp --always-trust --encrypt test.txt

When I use the same command line plus a --batch element in a script, the output file is slightly larger than the command line version and my recipient can't decode it.

    gpg --armor --batch --recipient "AFG_PROD" --output file.txt.pgp --always-trust --encrypt file.txt

(also tried without the --batch)

    gpg --armor --recipient "AFG_PROD" --output file.txt.pgp --always-trust --encrypt file.txt

All other aspects remain the same:

* User
* Directory
* Input file

I have searched extensively and can find no reason for it to do this. Does anyone have any recommendations as to what I am overlooking?

Regards,
Kevin Williams
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
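
For the Solaris 10 build thread above, this added example (not code from any list message) combines Werner Koch's build order with the --prefix suggestion from Simone Cianfriglia's reply, and refuses to configure a package until the *-config scripts of its prerequisites are installed. PREFIX, SRC_ROOT's role as a variable, the function names, and the *-config script names other than gpg-error-config are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the list. PREFIX, SRC_ROOT and all function
# names are assumptions made for this illustration.
PREFIX="${PREFIX:-$HOME/gnupg-local}"      # user-writable, so "make install" needs no root
SRC_ROOT="${SRC_ROOT:-/export/apps/gnupg}" # where the tarballs were unpacked in the post

# Build order as given in Werner Koch's reply.
build_order() {
    echo "pth libgpg-error libgcrypt libassuan libksba gnupg"
}

# Helper scripts each package's configure probes for on PATH. The log in the
# thread shows the gpg-error-config probe; the other names are the scripts
# installed by libgcrypt, libassuan, libksba and pth.
required_configs() {
    case "$1" in
        pth|libgpg-error) ;;
        libgcrypt|libassuan|libksba) echo "gpg-error-config" ;;
        gnupg) echo "gpg-error-config libgcrypt-config libassuan-config ksba-config pth-config" ;;
        *) return 1 ;;
    esac
}

# Print every prerequisite script that is not installed under <prefix>/bin.
# Usage: missing_configs <package> <prefix>
missing_configs() {
    for cfg in $(required_configs "$1"); do
        [ -x "$2/bin/$cfg" ] || printf '%s\n' "$cfg"
    done
}

# Locate the unpacked source directory, e.g. libgcrypt-1.5.0.
# Usage: source_dir <package> <source root>
source_dir() {
    for d in "$2/$1"-[0-9]*; do
        [ -d "$d" ] && { printf '%s\n' "$d"; return 0; }
    done
    return 1
}

# Configure, build and install one package into <prefix>.
# Usage: build_one <package> <prefix> <source root>
build_one() {
    pkg=$1
    prefix=$2
    dir=$(source_dir "$pkg" "$3") || { echo "$pkg: no source directory under $3" >&2; return 1; }
    missing=$(missing_configs "$pkg" "$prefix")
    if [ -n "$missing" ]; then
        # Same condition as "checking for gpg-error-config... no" in the log:
        # the prerequisite was built but never installed.
        echo "$pkg: not yet installed under $prefix/bin:" $missing >&2
        return 1
    fi
    (
        cd "$dir" || exit 1
        # configure finds prerequisites through their *-config scripts on PATH;
        # LD_LIBRARY_PATH pointing at a source tree does not help it.
        PATH="$prefix/bin:$PATH"
        export PATH
        ./configure --prefix="$prefix" && make && make install
    )
}

build_all() {
    for p in $(build_order); do
        build_one "$p" "$PREFIX" "$SRC_ROOT" || return 1
    done
}

# Nothing is built unless the script is called with --run.
if [ "${1:-}" = "--run" ]; then
    build_all
fi
```

At run time the installed programs still need to find the shared libraries under the chosen prefix, for example through LD_LIBRARY_PATH pointing at its lib directory rather than at a source tree.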