windows binary for gnupg 1.4.11 // compilation instructions posted

John Clizbe John at enigmail.net
Thu Sep 22 18:38:06 CEST 2011


vedaal at nym.hush.com wrote:
> 
> Thanks,
> I knew about the MSYS method, but not about the others,
> but my point was about running gnupg from a flash drive.
> 
> I was under the impression that there is no portable way to do that 
> on a flashdrive that doesn't have these systems installed on the 
> host computer, 
> (Is there?? If anyone knows of a way to do it, please post. Thanks.
> The only way I could think of is to boot to ubuntu and run gnupg 
> from there on the flash drive).

It can be done, but it's nontrivial. I think it's more like Sisyphean IMHO :-(.

To *securely* run gpg, or any other program, from portable media, use ldd or
MS's Dependency Walker to see all the DLLs that need to be supplied locally from
a trusted system. They need to go in the same directory as the gpg executable as
Windows searches there first. At a minimum one needs these DLLs: libbz2,
readline5, libz, libgcc_s_dw2-1.dll; it would probably be good to include msvcrt.dll as
MinGW targets it.
Then you have all the Windows DLLs to deal with. Are your copies 'safe'? Do you
have all the dependencies of the initial dependencies?

Here's a first pass at a list (these are examples from my builds, yours will not
likely be the same):

JPClizbe at booboo ~
$ c:/Cygwin/bin/ldd $(which gpg)| sed -e 's/\/cygdrive//'
        ntdll.dll => /c/WINDOWS/system32/ntdll.dll (0x7c900000)
        kernel32.dll => /c/WINDOWS/system32/kernel32.dll (0x7c800000)
        ADVAPI32.DLL => /c/WINDOWS/system32/ADVAPI32.DLL (0x77dd0000)
        RPCRT4.dll => /c/WINDOWS/system32/RPCRT4.dll (0x77e70000)
        Secur32.dll => /c/WINDOWS/system32/Secur32.dll (0x77fe0000)
        libbz2-2.dll => /c/MinGW/bin/libbz2-2.dll (0x644c0000)
        msvcrt.dll => /c/WINDOWS/system32/msvcrt.dll (0x77c10000)
        libgcc_s_dw2-1.dll => /c/MinGW/bin/libgcc_s_dw2-1.dll (0x6e940000)
        readline5.dll => /c/MinGW/bin/readline5.dll (0x63e40000)
        MSVCP60.DLL => /c/WINDOWS/system32/MSVCP60.DLL (0x76080000)
        OLE32.dll => /c/WINDOWS/system32/OLE32.dll (0x774e0000)
        GDI32.dll => /c/WINDOWS/system32/GDI32.dll (0x77f10000)
        USER32.dll => /c/WINDOWS/system32/USER32.dll (0x7e410000)
        WSOCK32.DLL => /c/WINDOWS/system32/WSOCK32.DLL (0x71ad0000)
        WS2_32.dll => /c/WINDOWS/system32/WS2_32.dll (0x71ab0000)
        WS2HELP.dll => /c/WINDOWS/system32/WS2HELP.dll (0x71aa0000)
        libz-1.dll => /c/MinGW/bin/libz-1.dll (0x65500000)

Once one gets all those, then he can start on the keyserver helpers.
gpgkeys_curl is fun. Here are just the local dependencies, none of the ones from
Windows:

$ c:/Cygwin/bin/ldd $(which gpgkeys_curl)| sed -e 's/\/cygdrive//'| grep MinGW
        libcurl-4.dll => /c/MinGW/bin/libcurl-4.dll (0x70800000)
        libcares-2.dll => /c/MinGW/bin/libcares-2.dll (0x62d80000)
        cryptoeay32-0.9.8.dll => /c/MinGW/bin/cryptoeay32-0.9.8.dll (0x63000000)
        zlib1.dll => /c/MinGW/bin/zlib1.dll (0x61b80000)
        libidn-11.dll => /c/MinGW/bin/libidn-11.dll (0x69540000)
        libiconv-2.dll => /c/MinGW/bin/libiconv-2.dll (0x66000000)
        libintl-8.dll => /c/MinGW/bin/libintl-8.dll (0x61cc0000)
        libssh2-1.dll => /c/MinGW/bin/libssh2-1.dll (0x63b40000)
        ssleay32-0.9.8.dll => /c/MinGW/bin/ssleay32-0.9.8.dll (0x69240000)

And so on...

Now, you've got all your gpg-related exe files along with a closure of DLLs to
be called. What are you going to do about the core Windows OS, device drivers or
the actual hardware? Quick answer: probably nothing unless the machine is yours
and under your full control.

You cannot secure "everything" necessary to securely run gpg (or any other
program) from a USB stick.

Please don't delude yourself into thinking you can. You can't. Even with an
encrypted file system, you still reach the point where you don't control things
the rest of the way, and only iff you do, can it be made "secure," and in that
case, why go to all this trouble in the first place? Put GnuPG on the machine
and your keys and other data on the USB stick if you need them to be portable.

The only way to securely run any program from a USB stick is on a computer you
installed the OS (from a secure source - Is your Windows CD Genuine?), audited
and have total control, and in that case you don't need the USB stick for the
programs, only data you wish between machines of which you also have total control.

Now, on the other hand, if your goal isn't security, just to be able to run the
programs from a USB stick, you need the gpg and gpgkeys_* binaries along with
the non-Windows DLLs all in the same folder - It's several MB zipped up,
cryptoeay is BIG. But I have to ask, why use gpg without security in mind?

*UAYOR*YMMV*IANAL*NWEOI

-- 
John P. Clizbe                      Inet: John ( a ) Mozilla DAWT net
FSF Assoc #995 / FSFE Fellow #1797  hkp://keyserver.gingerbear.net or
     mailto:pgp-public-keys at gingerbear.net?subject=HELP

Raise your hand if you know someone who is alive only because you
did not want to spend time in jail
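
The ldd listings in the message above can be split mechanically into the DLLs that have to be copied from a trusted build system and the ones that will still be loaded from the host's Windows directory. This is an added example, not part of the original post; the function names are hypothetical, and treating any path under system32 as host-supplied is an assumption.

```shell
#!/bin/sh
# Added example: classify ldd output for a portable gpg directory.

# Sample input: a few lines copied from the ldd listing in the post.
sample_ldd() {
cat <<'EOF'
        ntdll.dll => /c/WINDOWS/system32/ntdll.dll (0x7c900000)
        libbz2-2.dll => /c/MinGW/bin/libbz2-2.dll (0x644c0000)
        msvcrt.dll => /c/WINDOWS/system32/msvcrt.dll (0x77c10000)
        readline5.dll => /c/MinGW/bin/readline5.dll (0x63e40000)
        libz-1.dll => /c/MinGW/bin/libz-1.dll (0x65500000)
EOF
}

# classify_deps: read ldd output on stdin, print "<class> <name> <path>".
#   host   = resolved from a Windows system32 directory (assumption: the
#            host machine supplies these, so they stay outside your control)
#   bundle = resolved from anywhere else; must sit beside gpg.exe
classify_deps() {
    awk '
    $2 == "=>" {
        cls = (tolower($3) ~ /\/windows\/system32\//) ? "host" : "bundle"
        print cls, $1, $3
    }'
}

# missing_from_dir DIR: read ldd output on stdin and print the names of
# "bundle" DLLs that are not yet present in DIR (the portable directory).
missing_from_dir() {
    dir=$1
    classify_deps | while read -r cls name path; do
        [ "$cls" = "bundle" ] || continue
        [ -f "$dir/$name" ] || echo "$name"
    done
}

# Stand-alone run: show the classification of the sample listing.
sample_ldd | classify_deps
```

On a real system, pipe `ldd $(which gpg)` through the same sed expression used in the post and into `missing_from_dir` with the flash-drive directory as the argument.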