From kloecker at kde.org Mon Dec 1 00:33:45 2014 From: kloecker at kde.org (Ingo =?ISO-8859-1?Q?Kl=F6cker?=) Date: Mon, 1 Dec 2014 00:33:45 +0100 Subject: Setpref is not working or is it a bug or something? In-Reply-To: <3ABF0B.547AF592.0006@gate> References: <3ABF0B.547AF592.0006@gate> Message-ID: <3638322.c3sUlTZyjL@collossus.ingo-kloecker.de> On Sunday 30 November 2014 10:46:40 gnupgpack at on.yourweb.de wrote: > >> I am sorry, all my replies are sent to gnupg-users at gnupg.org only, > > > > Yes, that's the right procedure. > > The problem Peter mentioned is caused by the fact that your replies lack > > the message headers (In-reply-to and References) that usually link > > replies to the replied-to messages. > > Yes, that's true, SMTP-Filter is running for outgoing mails: > http://lab1.de/Central/Software/Internet/E-Mail/SMTP-Filter/ > > It deletes for security/privacy reasons: > IN-REPLY-TO: > MESSAGE-ID: > ORGANIZATION: > REFERENCES: > THREAD-INDEX: > THREAD-TOPIC: > X-MAILER: > X-MIMEOLE: > X-MSMAIL-PRIORITY: > X-Relayed-By: GPGrelay > > Hidden header 'In-Reply-To: <1CD78A.547AEDEA.0002 at machine>': > IN-REPLY-TO and REFERENCES for example include ... at machine, which is always > the same... This is not wanted because of the possibility of tracking cross > over the web ("who posts which content...") IMHO that's nonsense. Those headers do not identify your machine. Those headers reference the messages you reply to, so if anything then those headers identify the machine of the person you reply to. > So, how to deal with this behavior? I suggest that you stop deleting the In-reply-to and the References header. > Keeping subject untouched seems to be enough for identifying and associating > to thread, isn't it? Yes. At least for email clients that also thread messages by the Subject header. But even those mail clients usually don't know which original message your reply belongs to and therefore those mail clients will put your message below an arbitrary other message in the thread. This makes reading longer mail exchanges with multiple participants (e.g. like here on this mailing list) a PITA. Regards, Ingo -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part. URL: From 2014-667rhzu3dc-lists-groups at riseup.net Mon Dec 1 03:52:42 2014 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Mon, 1 Dec 2014 02:52:42 +0000 Subject: Order/changing of subkeys derogates compatibility!? In-Reply-To: <7B3B0E.547B7C39.0002@gate> References: <7B3B0E.547B7C39.0002@gate> Message-ID: <1444377634.20141201025242@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Sunday 30 November 2014 at 7:21:09 PM, in , gnupgpack at on.yourweb.de wrote: > So, is there a known issue regarding the order of > DSA-subkeys for signing? How to change order of subkeys > for testing purpose? - From (possibly inaccurate) memory, PGP was up to somewhere around version 8.x before it supported signing subkeys. IIRC, older PGP versions would choke on trying to encrypt to a key whose newest subkey was flagged for signing but not encryption, and would use the main key to sign with. (I have no recollection of what happened trying to verify signatures.) - -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net Ultimate consistency lies in being consistently inconsistent -----BEGIN PGP SIGNATURE----- iPQEAQEKAF4FAlR72ABXFIAAAAAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0 N0VDQTAzAAoJEKipC46tDG5pOzwD/3c6wAOrasH0OnbKbtt2vIyICXtII/ziOsc3 bKdIR6//JSMesoWejVQOQocH5xq0mAbvhsCW41LCy4yOxVHuyQ7F3s3dU/WQLKWW qlMnBJ/ATIFAgGJ34DL1SUrRLEwU+hbX6gzk8Bsq+IM1LxdxNORg6BYbTMcKBRPE nGgf41W1iQF8BAEBCgBmBQJUe9gAXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRp b25zLm9wZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZB NUEwRjU2QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwUSAH/2rJW01PxmMFvRgw WiWJ5GOfFoqlXApF6pBCgq9jwBwH2hxanc0F1xy7cTs04MMN4vmGjRzruBqO5V4c BeWQSNTkc+RR6YZ+3GF9/ERA/mCOLnUu4irQCs1Akg7n7+ifU3ZFUi4Ip+4Rip5L uYfBuJ7ngsSM1xGQG1wpLI1XNo9B6onphMAaAOY3QYgQy7cyUF5kK3he1DvKwOTM PxgO3cZxyICml+Y8BWeVA7YArm9snrBKKFGGXMdOKXNuKy0IyqTU/vguynxrY9rv D+9tMEpSBaRjKcpvuB0ZDkrXEAQy4+UzFLgKSHUAjE4AQUjQk5eTsEoZ+ARD1Y9a MZyjAWM= =ic9w -----END PGP SIGNATURE----- From 2014-667rhzu3dc-lists-groups at riseup.net Mon Dec 1 04:33:19 2014 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Mon, 1 Dec 2014 03:33:19 +0000 Subject: Setpref is not working or is it a bug or something? In-Reply-To: <3ABF0B.547AF592.0006@gate> References: <3ABF0B.547AF592.0006@gate> Message-ID: <6310419777.20141201033319@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Sunday 30 November 2014 at 9:46:40 AM, in , gnupgpack at on.yourweb.de wrote: > Yes, that's true, SMTP-Filter is running for outgoing > mails: > http://lab1.de/Central/Software/Internet/E-Mail/SMTP-Filter/ > It deletes for security/privacy reasons: > IN-REPLY-TO: That header is used to tell the recipient's email software what message-ID the reply is to, so that the response can be threaded. > MESSAGE-ID: If you delete the message-ID, a new one is added by the next server that handles the message. > ORGANIZATION: If you are going to delete this, why supply it in the first place? > REFERENCES: This is used along with the IN-REPLY-TO header for threading. It may contain more Message-IDs from the thread. Useful on a mailing list in case someone following the thread has blocked some contributors or deleted/not received the message to which you just replied. > X-MSMAIL-PRIORITY: Given that you set this on a per-message basis as High/Normal/Low, it's not a security/privacy issue at all. Deleting it just means all your messages default to Normal priority. > Hidden header 'In-Reply-To: > <1CD78A.547AEDEA.0002 at machine>': IN-REPLY-TO and > REFERENCES for example include ... at machine, which is > always the same... This is not wanted because of the > possibility of tracking cross over the web ("who posts > which content...") Having it in those headers in the messages you post means you are replying to a thread containing the content, not that you posted the content. Besides, unless the user has specifically set their mailer to do something different, the bit after the "@" often defaults to the domain in their email address. > So, how to deal with this behavior? Keeping subject > untouched seems to be enough for identifying and > associating to thread, isn't it? Only if for each thread you use a unique subject line that will never be repeated, and you can guarantee that everybody reading the threads only ever receives email from people who do the same. - -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net When duty calls...hang up immediately -----BEGIN PGP SIGNATURE----- iPQEAQEKAF4FAlR74ZpXFIAAAAAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0 N0VDQTAzAAoJEKipC46tDG5puYsD/RjtmsGTj/6/qSiX2u4u0QBKYA536SOSBhpp 800sD3j71cmxWHQN0JF01NdwsJRk2NHnOD/nvwB5vPSwemMg9uuF43IinKvwIr1o rYdEKpS1ytW/SmuyFkz7uV8hFH/XJugNSRnqfx/TGHmORTv387aQIzXX3nETsPtb /D4Ha/I9iQF8BAEBCgBmBQJUe+GaXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRp b25zLm9wZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZB NUEwRjU2QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwmt8H/iV9MEXIHHUyXDNk uxIv6Q2GBOVPHLNF3JAumuDFkcdFnjuM3vUMa9nHCb0Pr+pYNaUKbJWXwlO1nqHI SA0ehkEjYhdzDFHID4YRmO+Di4gMELY5UR2FJzof6GVn3BFtEUp924HgSo7cYNGG ZpAvBsYWzN5kD36NV0OKDjRYkr4FWEsgmXrJEuWjooUECBqECbz3un32MdjmGCHs NdcL/huThZbjCbgoF4XF3WxS6FntIgVNDdszHV9NQXsQrZRN3R48u6k+i8nhPpl0 fV643aa6Bk8DpUUXxA5U1Zi/Njg7NaZQxhD/N4ljRomVgAfHQj2Oj1uG9gGyChr4 2/z3Lkk= =l43K -----END PGP SIGNATURE----- From gnupgpack at on.yourweb.de Mon Dec 1 10:53:18 2014 From: gnupgpack at on.yourweb.de (gnupgpack) Date: Mon, 1 Dec 2014 10:53:18 +0100 Subject: Order/changing of subkeys derogates compatibility!? In-Reply-To: <1444377634.20141201025242@my_localhost> References: <7B3B0E.547B7C39.0002@gate> <1444377634.20141201025242@my_localhost> Message-ID: <001a01d00d4c$a2382b10$e6a88130$@on.yourweb.de> Hello, > 6.5.8 is about sixteen years old now and has many known security > problems. Please stop using it. (Yes, intended only for testing...) > - From (possibly inaccurate) memory, PGP was up to somewhere around > version 8.x before it supported signing subkeys. First PGP version supporting WinXp has been PGP-8.x AFAIK. So I will test (yes, only testing...) new key compatibility with this still common spreaded version. But where to get old freeware version PGP-8.03/PGP-8.1 (release in Oct-2003)? Sym at ntec's freeware page seems to be redirected to shop: http://www.pgp.com/products/freeware.html PGP-version history up to v10: http://www.mccune.cc/PGPnew.txt Thanks + regrads, Chris From gnupgpack at on.yourweb.de Mon Dec 1 11:33:49 2014 From: gnupgpack at on.yourweb.de (gnupgpack) Date: Mon, 1 Dec 2014 11:33:49 +0100 Subject: Setpref is not working or is it a bug or something? In-Reply-To: <6310419777.20141201033319@my_localhost> References: <3ABF0B.547AF592.0006@gate> <6310419777.20141201033319@my_localhost> Message-ID: <002001d00d52$4b7ac200$e2704600$@on.yourweb.de> Hello, > I suggest that you stop deleting the In-reply-to and the References > header. Ok, i'll give it a try ;) >> X-MSMAIL-PRIORITY: > Given that you set this on a per-message basis as High/Normal/Low, > it's not a security/privacy issue at all. Deleting it just means all > your messages default to Normal priority. Some of the cleaned header entries are non-standard additions [1], for example issued by M$, useless for non-M$ clients... For example Priority is set by X-PRIORITY (RFC2076) and Importance (RFC1327/1911). Regards, Chris [1] http://people.dsv.su.se/~jpalme/ietf/ietf-mail-attributes.html From dave at wiredthing.com Mon Dec 1 13:13:02 2014 From: dave at wiredthing.com (Dave English) Date: Mon, 1 Dec 2014 12:13:02 +0000 Subject: Problem compiling GnuPG 1.4.18 on OS X 10.10, was: Problem compiling GnuPG 2.1.0 on OS X 10.10 In-Reply-To: <545E5B23.6040309@enigmail.net> References: <9D90696B-3792-4B64-90D2-09BD02E8010F__32846.578237559$1415357996$gmane$org@icloud.com> <545E5B23.6040309@enigmail.net> Message-ID: <58A4271A-6CA5-4C09-9F69-E8E91BF18864@wiredthing.com> > On 8 Nov 2014, at 18:04, Patrick Brunschwig wrote: > > On 07.11.14 06:41, Ramsey Dow wrote: >> Hello, I am having a build failure with GnuPG 2.1.0 on OS X 10.10 using Xcode 6.1's compiler tools. >> >> I have successfully compiled and installed all of the prerequisite libraries (npth 1.1, libgpg-error 1.17, libksba 1.3.1, and libassuan 2.1.2). My build sequence is as follows: >> >> gpg --verify $MRT/cache/gnupg-2.1.0.tar.bz2.sig >> tar xjf $MRT/cache/gnupg-2.1.0.tar.bz2 >> pushd gnupg-2.1.0 >> ./configure --prefix=$MRTRT >> make >> >> The compilation fails while linking t-sexputil in common. Here are the last few lines of the build process: >> >> gcc -DHAVE_CONFIG_H -I. -I.. -I../gl -I../intl -DLOCALEDIR=\"/Users/ramsey/Developer/MRT/runtime/share/locale\" -DGNUPG_BINDIR="\"/Users/ramsey/Developer/MRT/runtime/bin\"" -DGNUPG_LIBEXECDIR="\"/Users/ramsey/Developer/MRT/runtime/libexec\"" -DGNUPG_LIBDIR="\"/Users/ramsey/Developer/MRT/runtime/lib/gnupg\"" -DGNUPG_DATADIR="\"/Users/ramsey/Developer/MRT/runtime/share/gnupg\"" -DGNUPG_SYSCONFDIR="\"/Users/ramsey/Developer/MRT/runtime/etc/gnupg\"" -DGNUPG_LOCALSTATEDIR="\"/Users/ramsey/Developer/MRT/runtime/var\"" -I/Users/ramsey/Developer/MRT/runtime/include -I/Users/ramsey/Developer/MRT/runtime/include -I/Users/ramsey/Developer/MRT/runtime/include -g -O2 -Wall -Wno-pointer-sign -Wpointer-arith -MT t-sexputil.o -MD -MP -MF .deps/t-sexputil.Tpo -c -o t-sexputil.o t-sexputil.c >> mv -f .deps/t-sexputil.Tpo .deps/t-sexputil.Po >> gcc -I/Users/ramsey/Developer/MRT/runtime/include -I/Users/ramsey/Developer/MRT/runtime/include -I/Users/ramsey/Developer/MRT/runtime/include -g -O2 -Wall -Wno-pointer-sign -Wpointer-arith -o t-sexputil t-sexputil.o libcommon.a ../gl/libgnu.a -L/Users/ramsey/Developer/MRT/runtime/lib -lgcrypt -lgpg-error -lassuan -L/Users/ramsey/Developer/MRT/runtime/lib -lgpg-error -L/Users/ramsey/Developer/MRT/runtime/lib -lgpg-error -liconv >> Undefined symbols for architecture x86_64: >> "_default_errsource", referenced from: >> _parse_ber_header in libcommon.a(libcommon_a-tlv.o) >> _parse_sexp in libcommon.a(libcommon_a-tlv.o) >> ld: symbol(s) not found for architecture x86_64 >> clang: error: linker command failed with exit code 1 (use -v to see invocation) >> make[3]: *** [t-sexputil] Error 1 >> make[2]: *** [all] Error 2 >> make[1]: *** [all-recursive] Error 1 >> make: *** [all] Error 2 >> >> I'm not sure why this error is occurring, which is why I am reporting it here, per instructions in the README. Am I forgetting to specify an option to configure? Is the configuration subsystem missing something about my system's setup? Please advise. I'm happy to provide any other details if necessary. > > You'll need to apply the following patch for compiling GnuPG (the patch > is made to be applied before ./configure is executed): > > > > And most likely, you'll run into another build error in dirmgr. This can > be fixed by editing dirmgr/Makefile and deleting "-R/path/to/somewhere" > from LDFLAGS > > -Patrick I see that problem has since been fixed. I have though what looks like the same problem trying to build 1.4.18 from source on Mac OS X 10.10, according to the howto Version 4.26 (1 July 2014): http://macgpg.sourceforge.net/docs/howto-build-gpg-osx.txt.asc This fails for me with: gcc -arch x86_64 -Wall -Wno-pointer-sign -o gpg gpg.o build-packet.o compress.o compress-bz2.o free-packet.o getkey.o keydb.o keyring.o seskey.o kbnode.o mainproc.o armor.o mdfilter.o textfilter.o progress.o misc.o openfile.o keyid.o parse-packet.o status.o plaintext.o sig-check.o keylist.o signal.o cardglue.o tlv.o card-util.o app-openpgp.o iso7816.o apdu.o ccid-driver.o pkclist.o skclist.o pubkey-enc.o passphrase.o seckey-cert.o encr-data.o cipher.o encode.o sign.o verify.o revoke.o decrypt.o keyedit.o dearmor.o import.o export.o trustdb.o tdbdump.o tdbio.o delkey.o keygen.o pipemode.o helptext.o keyserver.o photoid.o exec.o ../cipher/libcipher.a ../mpi/libmpi.a ../util/libutil.a -liconv -lresolv ../intl/libintl.a -liconv -Wl,-framework -Wl,CoreFoundation -lz -lbz2 -L/opt/local/lib -lusb Undefined symbols for architecture x86_64: "_iconv", referenced from: _native_to_utf8 in libutil.a(strgutil.o) _utf8_to_native in libutil.a(strgutil.o) __nl_find_msg in libintl.a(dcigettext.o) "_iconv_close", referenced from: _native_to_utf8 in libutil.a(strgutil.o) _set_native_charset in libutil.a(strgutil.o) _utf8_to_native in libutil.a(strgutil.o) "_iconv_open", referenced from: _native_to_utf8 in libutil.a(strgutil.o) _set_native_charset in libutil.a(strgutil.o) _utf8_to_native in libutil.a(strgutil.o) __nl_find_msg in libintl.a(dcigettext.o) ld: symbol(s) not found for architecture x86_64 clang: error: linker command failed with exit code 1 (use -v to see invocation) make[2]: *** [gpg] Error 1 make[1]: *** [all-recursive] Error 1 make: *** [all] Error 2 My compiler is: $ clang -v Apple LLVM version 6.0 (clang-600.0.54) (based on LLVM 3.5svn) Target: x86_64-apple-darwin14.0.0 Thread model: posix I?m not sure how to patch the make files suitably for a GnuPG version 1 build. TIA -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 495 bytes Desc: Message signed with OpenPGP using GPGMail URL: From dkg at fifthhorseman.net Mon Dec 1 15:47:06 2014 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Mon, 01 Dec 2014 09:47:06 -0500 Subject: Order/changing of subkeys derogates compatibility!? In-Reply-To: <001a01d00d4c$a2382b10$e6a88130$@on.yourweb.de> References: <7B3B0E.547B7C39.0002@gate> <1444377634.20141201025242@my_localhost> <001a01d00d4c$a2382b10$e6a88130$@on.yourweb.de> Message-ID: <547C7F6A.5020403@fifthhorseman.net> On 12/01/2014 04:53 AM, gnupgpack wrote: >> 6.5.8 is about sixteen years old now and has many known security >> problems. Please stop using it. > (Yes, intended only for testing...) You are testing a modern tool that aims to be standards-compliant against an unmaintained, known-broken program that was out of date before the standards were even settled. When you found an incompatibility, you reported the problem against the modern, standards-compliant tool. That approach seems unlikely to get any fruitful results. > First PGP version supporting WinXp has been PGP-8.x AFAIK. > So I will test (yes, only testing...) new key compatibility with this still > common spreaded version. > > But where to get old freeware version PGP-8.03/PGP-8.1 (release in > Oct-2003)? > > Sym at ntec's freeware page seems to be redirected to shop: > http://www.pgp.com/products/freeware.html > > PGP-version history up to v10: > http://www.mccune.cc/PGPnew.txt I don't know the best place to get copies of older, out-of-date versions of this piece of proprietary software. GnuPG-users is probably not the best place to find this information. Have you tried speaking to anyone at Symantec about this? Regards, --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 949 bytes Desc: OpenPGP digital signature URL: From johanw at vulcan.xs4all.nl Mon Dec 1 15:55:51 2014 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Mon, 01 Dec 2014 15:55:51 +0100 Subject: Order/changing of subkeys derogates compatibility!? In-Reply-To: <547C7F6A.5020403@fifthhorseman.net> References: <7B3B0E.547B7C39.0002@gate> <1444377634.20141201025242@my_localhost> <001a01d00d4c$a2382b10$e6a88130$@on.yourweb.de> <547C7F6A.5020403@fifthhorseman.net> Message-ID: <547C8177.4070503@vulcan.xs4all.nl> On 01-12-2014 15:47, Daniel Kahn Gillmor wrote: > You are testing a modern tool that aims to be standards-compliant > against an unmaintained, known-broken program that was out of date > before the standards were even settled. When you found an > incompatibility, you reported the problem against the modern, > standards-compliant tool. It seems logical to me to report it to the only one of those that is still maintained. I doubt very much there will ever be a pgp 6.5.8a to address those issues. But now I think of it, wasn't 6.5.8 the pgp version with all those CKT (Cyber Knight Templar) versions? Perhaps one of those solved this issue? -- ir. J.C.A. Wevers PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From hugo.hinterberger at gmx.net Mon Dec 1 16:02:23 2014 From: hugo.hinterberger at gmx.net (Hugo Hinterberger) Date: Mon, 01 Dec 2014 16:02:23 +0100 Subject: Mailvelope [OpenPGP.js] key size vs. GnuPG Message-ID: Hello, I created a key using Mailvelope (the key I intended to use did not work with Mailvelope) and I noticed that GnuPG shows rsa2048 for the [SC] primary key and rsa2047 for the [E] subkey. Mailvelope shows 2048 bits for both keys. My guess is that Mailvelope generates the keys and shows the key properties incorrectly. My question to the list is: Are there known side effects from using such a key? (Besides the fact that it is not what I expected it to be.) Regards, Hugo From rjh at sixdemonbag.org Mon Dec 1 16:16:36 2014 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 01 Dec 2014 10:16:36 -0500 Subject: Order/changing of subkeys derogates compatibility!? In-Reply-To: <001a01d00d4c$a2382b10$e6a88130$@on.yourweb.de> References: <7B3B0E.547B7C39.0002@gate> <1444377634.20141201025242@my_localhost> <001a01d00d4c$a2382b10$e6a88130$@on.yourweb.de> Message-ID: <547C8654.4070105@sixdemonbag.org> >> 6.5.8 is about sixteen years old now and has many known security >> problems. Please stop using it. > > (Yes, intended only for testing...) Then ensure you're testing it correctly by adding "pgp6" to your gpg.conf file, or "--pgp6" to the command line, whenever doing anything that involves PGP 6.5.8 interoperability. :) From peter at digitalbrains.com Mon Dec 1 17:15:19 2014 From: peter at digitalbrains.com (Peter Lebbing) Date: Mon, 01 Dec 2014 17:15:19 +0100 Subject: Order/changing of subkeys derogates compatibility!? In-Reply-To: <547C7F6A.5020403@fifthhorseman.net> References: <7B3B0E.547B7C39.0002@gate> <1444377634.20141201025242@my_localhost> <001a01d00d4c$a2382b10$e6a88130$@on.yourweb.de> <547C7F6A.5020403@fifthhorseman.net> Message-ID: <547C9417.8010308@digitalbrains.com> On 01/12/14 15:47, Daniel Kahn Gillmor wrote: > When you found an incompatibility, you reported the problem against > the modern, standards-compliant tool. I think you're being a bit harsh. He asked if this was a known problem, and how to work around it; he didn't report a bug. Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From mlisten at hammernoch.net Mon Dec 1 20:27:58 2014 From: mlisten at hammernoch.net (=?UTF-8?B?THVkd2lnIEjDvGdlbHNjaMOkZmVy?=) Date: Mon, 01 Dec 2014 20:27:58 +0100 Subject: Problem compiling GnuPG 1.4.18 on OS X 10.10, was: Problem compiling GnuPG 2.1.0 on OS X 10.10 In-Reply-To: <58A4271A-6CA5-4C09-9F69-E8E91BF18864@wiredthing.com> References: <9D90696B-3792-4B64-90D2-09BD02E8010F__32846.578237559$1415357996$gmane$org@icloud.com> <545E5B23.6040309@enigmail.net> <58A4271A-6CA5-4C09-9F69-E8E91BF18864@wiredthing.com> Message-ID: <547CC13E.9070707@hammernoch.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 01.12.14 13:13, Dave English wrote: > I have though what looks like the same problem trying to build > 1.4.18 from source on Mac OS X 10.10, according to the howto > Version 4.26 (1 July 2014): > > http://macgpg.sourceforge.net/docs/howto-build-gpg-osx.txt.asc > > This fails for me with: > > gcc -arch x86_64 -Wall -Wno-pointer-sign -o gpg gpg.o > build-packet.o compress.o compress-bz2.o free-packet.o getkey.o > keydb.o keyring.o seskey.o kbnode.o mainproc.o armor.o mdfilter.o > textfilter.o progress.o misc.o openfile.o keyid.o parse-packet.o > status.o plaintext.o sig-check.o keylist.o signal.o cardglue.o > tlv.o card-util.o app-openpgp.o iso7816.o apdu.o ccid-driver.o > pkclist.o skclist.o pubkey-enc.o passphrase.o seckey-cert.o > encr-data.o cipher.o encode.o sign.o verify.o revoke.o decrypt.o > keyedit.o dearmor.o import.o export.o trustdb.o tdbdump.o tdbio.o > delkey.o keygen.o pipemode.o helptext.o keyserver.o photoid.o > exec.o ../cipher/libcipher.a ../mpi/libmpi.a ../util/libutil.a > -liconv -lresolv ../intl/libintl.a -liconv -Wl,-framework > -Wl,CoreFoundation -lz -lbz2 -L/opt/local/lib -lusb Undefined > symbols for architecture x86_64: "_iconv", referenced from: > _native_to_utf8 in libutil.a(strgutil.o) _utf8_to_native in > libutil.a(strgutil.o) __nl_find_msg in libintl.a(dcigettext.o) > "_iconv_close", referenced from: _native_to_utf8 in > libutil.a(strgutil.o) _set_native_charset in libutil.a(strgutil.o) > _utf8_to_native in libutil.a(strgutil.o) "_iconv_open", referenced > from: _native_to_utf8 in libutil.a(strgutil.o) _set_native_charset > in libutil.a(strgutil.o) _utf8_to_native in libutil.a(strgutil.o) > __nl_find_msg in libintl.a(dcigettext.o) ld: symbol(s) not found > for architecture x86_64 (...) > I?m not sure how to patch the make files suitably for a GnuPG > version 1 build. Do you have software installed by fink, Macports or homebrew? If yes, please rename the /opt (or wherever they install their binaries) directory. After gpg1 is compiled, rename it back. Ludwig -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCgAGBQJUfME+AAoJEA52XAUJWdLjD/UH/0F0DETpwmJuolJEUJSSUBVo 3Z/sEkfVo0LPQa5y2mpEjNU1+wG8MkUoOxSq72/+E+EMBuPLTMyVS8KXolb2mTh9 9/hxRVzqjg0rkhWbrbtitIEpEXkDX1DFk8Uk5u7zVQAP/k9XdjfxZqYjhI+KV7vL 16Gi8qgbsY+vqqcSQnjhVh/nd3/HQlPJnYWJ0eFCl7PVfpc8Wb6sCgPxe+bsyXr3 TWAmVziSzkLgqG6teO7gRxNYOTgC8UMv4JjwDvXDQh0/PVjQy8oipIe98adBNsbE SiMNsYqV7Wiknz8YhoqyWUeNAJPW3J0j2umukpVo5dCxTLurA4+e0SPylWLuvkw= =xPgS -----END PGP SIGNATURE----- From mlisten at hammernoch.net Mon Dec 1 20:30:30 2014 From: mlisten at hammernoch.net (=?windows-1252?Q?Ludwig_H=FCgelsch=E4fer?=) Date: Mon, 01 Dec 2014 20:30:30 +0100 Subject: Setpref is not working or is it a bug or something? In-Reply-To: <002001d00d52$4b7ac200$e2704600$@on.yourweb.de> References: <3ABF0B.547AF592.0006@gate> <6310419777.20141201033319@my_localhost> <002001d00d52$4b7ac200$e2704600$@on.yourweb.de> Message-ID: <547CC1D6.8010801@hammernoch.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 01.12.14 11:33, gnupgpack wrote: > Hello, > >> I suggest that you stop deleting the In-reply-to and the >> References header. > > Ok, i'll give it a try ;) Now it works. Thank you, this improves reading your posts in context much easier! Ludwig -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCgAGBQJUfMHWAAoJEA52XAUJWdLjuzAIAJdYVqj6ifPOxG14/BEjzCkQ SoURxMqTMMYpa+/az8Ej5y4lTd36xaFLuORQXDTzgKar3OU0EjwjKLB3gefipyO0 ZMMi/ntI29k7ieOFJwBIJlV8h5uGzTAl4hNugXoSrbSzaZBskyB2DxqtQDr1yLbM P1aKwhzW9EFXG4aIYLycMqQqiaGRYWDTgGRiCUMQkMx//M0SyKElDNB1V5nreftO 4FLQZgVT9sjqdak2o2xNzIJH//GPS4w6Hn9rIJkF9BP0J7bk8iIBdgfnYamRma+4 ORljCk8aXq9g2UKx2JIMbW9DmUdJY/JAEDGudP1bjoaPO1OEKQ6d1+T3qGLDI1o= =nmcT -----END PGP SIGNATURE----- From duplicitymailinglist at mail.ru Mon Dec 1 19:27:35 2014 From: duplicitymailinglist at mail.ru (Duplicity Mailing List) Date: Mon, 01 Dec 2014 18:27:35 +0000 Subject: Smartcards - using them over multiple computers and deleting their 'private keys' Message-ID: <547CB317.2040800@mail.ru> I bought a GPG smartcard, but, I'm having issues using it. I first tested it out on my desktop and messed around with it a little generating a few keys, now I've populated my keyring with a bunch of keys I have no idea how to delete, any help? >$ gpg2 --delete-secret-key ${KEYID} > >sec rsa2048/${KEYID} ${DATE} ${NAME} (${COMMENT}) <${EMAIL}> > >Delete this key from the keyring? (y/N) y >This is a secret key! - really delete? (y/N) y >gpg: deleting secret key failed: Not possible with a card based key >gpg: deleting secret subkey failed: Not possible with a card based key >gpg: deleting secret subkey failed: Not possible with a card based key >gpg: ${KEYID}: delete key failed: Not possible with a card based key _________________ The second issue is when I was happy with how the GPG key worked, I went over to an offline compuer I launched up a live CD, I generated the key, imported it to the card, backed up the private key and transferred the public key a webserver that allowed raw viewing, I then went into my card (`gpg2 --card-edit`) and allocated it the url (`admin` `url` `https://path.to/raw/public.key`). On my desktop I can now do:- >$ gpg2 --card-edit >${CARD_STATUS} >gpg/card> fetch >gpg: requesting key ${KEYID} from https server ${DOMAIN} >gpg: key ${KEYID}: public key "${NAME} (${COMMENT}) <${EMAIL}>" imported >gpg: Total number processed: 1 >gpg: imported: 1 But if I then go to decrypt a file encrypted for that public key, it doesn't attempt to use the smartcard, it just errors out:- >$ gpg2 -d b.gpg >gpg: encrypted with 2048-bit RSA key, ID ${ENCID}, created 2014-12-01 > "${NAME} (${COMMENT}) <${EMAIL}>" >gpg: decryption failed: No secret key How do I get gpg to link the public key and my smartcard together? It works fine if the GPG key was generated and imported _on the current computer_, but, I can't get it to link with the card otherwise (And running `gpg2 --card-status` doesn't help). Thanks in advance. From duplicitymailinglist at mail.ru Mon Dec 1 22:02:17 2014 From: duplicitymailinglist at mail.ru (Duplicity Mailing List) Date: Mon, 01 Dec 2014 21:02:17 +0000 Subject: Smartcards - using them over multiple computers and deleting their 'private keys' In-Reply-To: <547CB317.2040800@mail.ru> References: <547CB317.2040800@mail.ru> Message-ID: <547CD759.9010406@mail.ru> On 01/12/14 18:27, Duplicity Mailing List wrote: > I bought a GPG smartcard, but, I'm having issues using it. I first > tested it out on my desktop and messed around with it a little > generating a few keys, now I've populated my keyring with a bunch of > keys I have no idea how to delete, any help? > >> $ gpg2 --delete-secret-key ${KEYID} >> >> sec rsa2048/${KEYID} ${DATE} ${NAME} (${COMMENT}) <${EMAIL}> >> >> Delete this key from the keyring? (y/N) y >> This is a secret key! - really delete? (y/N) y >> gpg: deleting secret key failed: Not possible with a card based key >> gpg: deleting secret subkey failed: Not possible with a card based key >> gpg: deleting secret subkey failed: Not possible with a card based key >> gpg: ${KEYID}: delete key failed: Not possible with a card based key > > > _________________ > > > The second issue is when I was happy with how the GPG key worked, I went > over to an offline compuer I launched up a live CD, I generated the key, > imported it to the card, backed up the private key and transferred the > public key a webserver that allowed raw viewing, I then went into my > card (`gpg2 --card-edit`) and allocated it the url (`admin` `url` > `https://path.to/raw/public.key`). On my desktop I can now do:- > >> $ gpg2 --card-edit >> ${CARD_STATUS} >> gpg/card> fetch >> gpg: requesting key ${KEYID} from https server ${DOMAIN} >> gpg: key ${KEYID}: public key "${NAME} (${COMMENT}) <${EMAIL}>" imported >> gpg: Total number processed: 1 >> gpg: imported: 1 > > But if I then go to decrypt a file encrypted for that public key, it > doesn't attempt to use the smartcard, it just errors out:- > >> $ gpg2 -d b.gpg >> gpg: encrypted with 2048-bit RSA key, ID ${ENCID}, created 2014-12-01 >> "${NAME} (${COMMENT}) <${EMAIL}>" >> gpg: decryption failed: No secret key > > How do I get gpg to link the public key and my smartcard together? It > works fine if the GPG key was generated and imported _on the current > computer_, but, I can't get it to link with the card otherwise (And > running `gpg2 --card-status` doesn't help). > > Thanks in advance. > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > Sorry, both issues were solved by downgrading from 2.1.0 to 2.0.26 (Both Arch Linux repo packages), after looking at the bug tracker it seems a very similar (Although not identical) issue has been reported, so, I'm going to wait for that to be resolved before I start opening issues of my own. See:- https://bugs.g10code.com/gnupg/issue1759 Thanks, sorry for not reading the bugtracker first. From 2014-667rhzu3dc-lists-groups at riseup.net Mon Dec 1 23:30:43 2014 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Mon, 1 Dec 2014 22:30:43 +0000 Subject: Setpref is not working or is it a bug or something? In-Reply-To: <002001d00d52$4b7ac200$e2704600$@on.yourweb.de> References: <3ABF0B.547AF592.0006@gate> <6310419777.20141201033319@my_localhost> <002001d00d52$4b7ac200$e2704600$@on.yourweb.de> Message-ID: <1048179753.20141201223043@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Monday 1 December 2014 at 10:33:49 AM, in , gnupgpack wrote: > Hello, >> I suggest that you stop deleting the In-reply-to and >> the References header. > Ok, i'll give it a try ;) There, that worked. (-: > Some of the cleaned header entries are non-standard > additions [1], for example issued by M$, useless for > non-M$ clients... For example Priority is set by > X-PRIORITY (RFC2076) and Importance (RFC1327/1911). All X-headers are non-standard, but not necessarily useless to other mail clients. My experience is that emails marked as high-priority in Outlook tend to show as such in non-MS clients, and vice versa. - -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net People who throw kisses are hopelessly lazy. -----BEGIN PGP SIGNATURE----- iPQEAQEKAF4FAlR87CVXFIAAAAAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0 N0VDQTAzAAoJEKipC46tDG5p9PUD/iktLj7gtPwqFJ4lRgneoUsn8lAJMMAr4BIC 1DO1zYh0XXj5pzsMWdyxQwlH236xcBopO9mUuDV1K5TTfOqc9tyTdYZwDJedrbAd gza5rbD7+INY4t2h5ohFDmh8+fvYPx4cth3JaRn4/qxBh9uZmfVVW8ceEdPAO3R5 ROf7CxVhiQF8BAEBCgBmBQJUfOwlXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRp b25zLm9wZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZB NUEwRjU2QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXw8hwIAKhsp4mRO67+Um0x m3YCDKkaNHVGyWyVQKoivi1asx+SW91/4FgrWZAvtmib3N0lkrRk2M4V8wXZ+2CM h8wVZ/MMMLwHE9WpuD7JvKYRxwAe3U28b1SsjkjJB0qsz9wU95jWHyY7isqBPW7J 3scCPEsfwxp8IblT8Rj1zbTevUqSmRUEfPheaNBTiSWyVsNEtfHqZLcV4j8qZlri 07jVns2Y2Le73gSazDJ8O/DJMIqR02/1TTJ3siH3Q9NitYIOjEEJTPtJSiNFYhko uxkAgi3RiE0+CDkqKPoTaD26YiWU57+ysykLzLKBIuaiYdBXXvmHunGndoxtrIXL L1wN/SA= =/7vi -----END PGP SIGNATURE----- From 2014-667rhzu3dc-lists-groups at riseup.net Mon Dec 1 23:36:27 2014 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Mon, 1 Dec 2014 22:36:27 +0000 Subject: Order/changing of subkeys derogates compatibility!? In-Reply-To: <001a01d00d4c$a2382b10$e6a88130$@on.yourweb.de> References: <7B3B0E.547B7C39.0002@gate> <1444377634.20141201025242@my_localhost> <001a01d00d4c$a2382b10$e6a88130$@on.yourweb.de> Message-ID: <1814417511.20141201223627@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Monday 1 December 2014 at 9:53:18 AM, in , gnupgpack wrote: > But where to get old freeware version A search for "old version downloads" (without quotes) might be a reasonable place to start. - -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net We're all shipwrecked on this idea that everything has to be explained. -----BEGIN PGP SIGNATURE----- iPQEAQEKAF4FAlR87XFXFIAAAAAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0 N0VDQTAzAAoJEKipC46tDG5pw8wEAIy9VgjwpDdKfh9OipZpb/sEM02ErezMCibN JYIxD/3NkCNrvMY8AjN0NBVMzszeVNQgaOwBdMtoB5ZtED1QvZ8vaqtJYHlq96Wx G/pdVqOK8kAJ51QzuSBjzch0iKdu44qwUQy+QY0dG59Rs2b3XmOVxU1iD6WgqEp0 660ADT0NiQF8BAEBCgBmBQJUfO1xXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRp b25zLm9wZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZB NUEwRjU2QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwPzwH/2oXWbXPMK1NUOMZ VHECgGAPnIH2Di8VZOwWkOZPd+UcFnHzDOTeD0Pt5o6Ryhrvrucon6JlrGfPkynU dYhF+zy8nT0cnbzLbkL91I0cpZ1G1XvF0WQMDffreIZZO1PNCVXxGwyvHIuQmEX9 FYVNozAGGZLboUhkySp+8fvZVFgxmHec0mCJYtfllYvsxQzrBx5Pezeqx5Ah5Kmw rHOx8exD7jIwDnuyzHR4fDl1NjnUhpDrsRFnihk0RLzwN5cZspQ2IIOiUwb3gSDE opvk/WDq1BpSL5qqKae+6DmCuxVoIu0mgG1wXFRtKU4ucbAzNcVhQw0LseVa0ia6 /OgqIQY= =h1ZN -----END PGP SIGNATURE----- From rjh at sixdemonbag.org Tue Dec 2 00:03:50 2014 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 01 Dec 2014 18:03:50 -0500 Subject: Order/changing of subkeys derogates compatibility!? In-Reply-To: <547C7F6A.5020403@fifthhorseman.net> References: <7B3B0E.547B7C39.0002@gate> <1444377634.20141201025242@my_localhost> <001a01d00d4c$a2382b10$e6a88130$@on.yourweb.de> <547C7F6A.5020403@fifthhorseman.net> Message-ID: <547CF3D6.1030405@sixdemonbag.org> > You are testing a modern tool that aims to be standards-compliant > against an unmaintained, known-broken program that was out of date > before the standards were even settled. When you found an > incompatibility, you reported the problem against the modern, > standards-compliant tool. I think that's a bit harsh: he was asking about interoperability, not reporting a bug. That said, in the main I agree with you. If someone has a real need for 2.6 or 6.5.8 interoperability and upgrading isn't an option, then sure, ask around. But otherwise, I'd prefer it if anything pre-PGP 9 or pre-GnuPG 1.2 could just be left on the ash-heap of history. From mail at robinmathewrajan.com Tue Dec 2 09:27:13 2014 From: mail at robinmathewrajan.com (Robin Mathew Rajan) Date: Tue, 02 Dec 2014 13:57:13 +0530 Subject: Keysigning Message-ID: <547D77E1.8040100@robinmathewrajan.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hello, Where can I get my keys signed? Does here anyone provide keysigning services through video conference? :) Thanks and regards, Robin Mathew Rajan -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCgAGBQJUfXfhAAoJEJyRZAJNoXmuFecP/0UMzGfQr+uM0XL+oxz93n7D Sv7gEWAR99ES2wxeOaNL+zCl170UjJUY1LGaWmSLX9XewU8ER3v7IZ2VAXVco82j zMM608XUAs/li7J4NMD1WwpGyppRxcSbc1WNrCFGJm+gUsixRBlfIZppWWeJyjRS 7Jp/5pDmNflAZL0ZYiTNh7gA6H4PD4wxIC66llRxZOf4klKaNBBPpDps4ykzY5ov A9Lk4uC9MsLpA/j0uEdkhdPLAgtlf9hEqsrDSyOBWNEoqTadCvcT+PBdSgEt2hBQ Xaagava8NrYyQo7dvwniZGudZJscBqdELA2Dr27iF5XtulR/NUH7vAMsmJsMtJWn 0unzilj1BQyL4N1zrL3C/xejPdATZ+AJ5hdj/bWLI0oK4Ia13X7TjwO4Y71bfGHh GnLdX+fNWkNAaGeTbNTDzuVv3nzBFb4PlvATNJOimsPlgC2TIFLntxE3V2/upvz/ Vbfz5rpPcM4Y5KemB2SYMAmXMYcRPu9m8W/2Yo7PD1tOA73FqYRw3DGSzJ5eK3b6 mY5TFDZhvFZIWCxAZlXbbevdFIoTY5i5WguknVAnI/ux1utDc/ROBHtWzgTBTWLK uAgRhbp98DUUnaYq+S3ApiwCp/+cde5v+M5Lp/G9IuNe86BLWQ7LZCVRolgHfE4l dbgWNDUuEx3IdHptAMGN =lFrn -----END PGP SIGNATURE----- From david at gbenet.com Tue Dec 2 10:35:14 2014 From: david at gbenet.com (david at gbenet.com) Date: Tue, 02 Dec 2014 09:35:14 +0000 Subject: Keysigning In-Reply-To: <547D77E1.8040100@robinmathewrajan.com> References: <547D77E1.8040100@robinmathewrajan.com> Message-ID: <547D87D2.2020209@gbenet.com> On 02/12/14 08:27, Robin Mathew Rajan wrote: > Hello, > > Where can I get my keys signed? Does here anyone provide keysigning services through video conference? :) > > Thanks and regards, > Robin Mathew Rajan > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > Hello Robin, The first thing you need to do is upload your public key to a key server. Perhaps you can find people where you live - a local Windows group or Linux group they would be happy to sign your key. Video conferencing? You need to produce some documentation of who you are - some here may feel that video conferencing is not a good idea. But first get your public key to a key server. David -- ?See the sanity of the man! No gods, no angels, no demons, no body. Nothing of the kind.Stern, sane,every brain-cell perfect and complete even at the moment of death. No delusion.? https://linuxcounter.net/user/512854.html - http://gbenet.com -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 897 bytes Desc: OpenPGP digital signature URL: From mail at robinmathewrajan.com Tue Dec 2 11:53:34 2014 From: mail at robinmathewrajan.com (Robin Mathew Rajan) Date: Tue, 02 Dec 2014 16:23:34 +0530 Subject: Keysigning In-Reply-To: <547D87D2.2020209@gbenet.com> References: <547D77E1.8040100@robinmathewrajan.com> <547D87D2.2020209@gbenet.com> Message-ID: <547D9A2E.30802@robinmathewrajan.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hello David, :) I already uploaded my public key to a public key server some months ago. But there's no local Linux users group where I live! I sent emails to some people listed at biglumber.com with my Government issued ID card attached. But no reply came from them. :( Some of them are CACert Assurers! If someone could sign my key over video conferencing, that would be very much helpful to me. Yes, I know it's much less trusted than actual person-person meetups in real world. But at the same time, it offers an easy solution for someone living in a very remote area. And it's also particularly helpful if he/she can't afford travel expenses to get keys signed. I think it's just like performance vs. security in cryptography. Signing someone's key through video conferencing is less secure but at the same time it's an effective solution for remote areas. I think key signing through video conferencing, might help in reducing 'crypto divide' (like that in 'digital divide'). :) Regards, Robin Mathew Rajan https://www.robinmathewrajan.com/ On 02-12-2014 PM 03:05, david at gbenet.com wrote: > On 02/12/14 08:27, Robin Mathew Rajan wrote: >> Hello, >> >> Where can I get my keys signed? Does here anyone provide keysigning services through video conference? :) >> >> Thanks and regards, >> Robin Mathew Rajan >> >> _______________________________________________ >> Gnupg-users mailing list >> Gnupg-users at gnupg.org >> http://lists.gnupg.org/mailman/listinfo/gnupg-users >> > Hello Robin, > > The first thing you need to do is upload your public key to a key server. Perhaps you can > find people where you live - a local Windows group or Linux group they would be happy to > sign your key. > > Video conferencing? You need to produce some documentation of who you are - some here may > feel that video conferencing is not a good idea. But first get your public key to a key server. > > David > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCgAGBQJUfZotAAoJEJyRZAJNoXmukWsP/2rQjUt+xbHanjDsThu49V8Q 0fXDVSPyHsF88fkViF/bU7nibfdbijhUuSMxMx6GvFnn/jC6qQjqkSgq9fSD2Bc0 ahDdioHEW3tACxkjZHXyJbn3Z47A2mP2GyRQVQwwQus0PcDxN8BzL/R41sRmPcBg n7djwiQAJzqbs4+Q73zs+X4x3Fji2Q7PcqsOR9YJLi7OJ2Aeq7UmYtMYDPrMsmj4 asIoPyP7xD1shvjvFw9ibs6i+wFGfvmxIIlm2z7EDAGjq+F6apKnvHbTOIDapfyF JQTchjTTwrmxz9e0cdy3Gjz8EkZxlwqN0BPt+bvVkO/ezyoVeeKryDQrA6g9xUMP 3aed9rrXgDQCy4efIvim7dLvnn0b1rVykh149hKCu76ZP5skRVqc1DmE2NwXAqD6 dcOpPoiysaFdDSzmqebkfLx1mujr7pmNW16L1Nq04Vu8LQuHOg8r15xtyjlO+peh rW75psPkZj3t51kCLvWFwoYUefHMG8pJeQ/BAoUvQNoQx2Vz5Hvz7DNwnOqExKB/ vjJf+M/ulF3cpz3nHw4A7NamnaFSE4qpFwrlGgc1iXGF8mhSzcVPn1DS13Uv3CTE 08WPrIwhLYxzJbcw2yCb0rPNpCoEcseOBTOlilVdrhDvObQfQVUv7vhxULDKVb4S hs4DYFS7eUhQTSnRwH5Z =BVQa -----END PGP SIGNATURE----- From 4tmuelle at informatik.uni-hamburg.de Tue Dec 2 09:35:51 2014 From: 4tmuelle at informatik.uni-hamburg.de (Tobias Mueller) Date: Tue, 2 Dec 2014 09:35:51 +0100 Subject: Sign key and export for each UID In-Reply-To: References: <52375480.7020606@dougbarton.us> Message-ID: <20141202083551.GA22694@cryptobitch.de> Hi. I'm digging up this thread because it asked the same question I have, but it hasn't really been answered: On Tue, Sep 17, 2013 at 06:23:35AM +0000, atair wrote: > Is there a way to achieve the same signatures from gpg command line? > For example > $ gpg -a --export > exports the complete key and not just the signature. However, I > understand the gpg-man pages in a way that it's possible to do a > $ gpg -u --edit-key > > sign > > sign > > ... > > q What are the best practises for signing another person's key (i.e. all the UIDs on a key)? And how do you follow those using gnupg? And is there a batch mode to automate that process? Cheers, Tobi From mail at robinmathewrajan.com Tue Dec 2 12:34:58 2014 From: mail at robinmathewrajan.com (Robin Mathew Rajan) Date: Tue, 02 Dec 2014 17:04:58 +0530 Subject: Sign key and export for each UID In-Reply-To: <20141202083551.GA22694@cryptobitch.de> References: <52375480.7020606@dougbarton.us> <20141202083551.GA22694@cryptobitch.de> Message-ID: <547DA3E2.1000605@robinmathewrajan.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hello Tobi, :) This shell script might help you. (Semi)automatic GnuPG keysigning for busy people. Sign GPG keys, upload signatures to keyservers, and mail signed keys to their owner, including support for multiple private keys to sign with. All that?s left to do is verify fingerprints, type your password, and answer any questions asked by GPG. http://mirror.roe.ch/rel/scripts/gpg/gpg-sign-keys.sh-25 It requires mktemp and an MSA like mutt or mailx. Usage options ================ Usage: gpg-sign-keys.sh [options...] [-u keyids] [-f keyring] [keyids...] Options: -f file Get list of keyids to sign from keyring file -u ids Key(s) to sign with, multiple -u id1 -u id2 or -u 'id1 id2' -x ids eXceptions - don't process these keys (multiple like -u) -c addr CC all signed key emails to address -b addr BCC all signed key emails to address -a file Append content of file to e-mail message -n name Override your name normally obtained from /etc/passwd -y Assume yes on most questions (-Y for no questions asked at all) -I Don't import the -f keyring into the default keyring first -S Don't sign any keys - just do the sending/mailing -K Don't send signed keys to your default keyserver -M Don't mail signed keys to key owners -E Don't encrypt mails with owners key -U Don't update the trustdb after processing all keys -v/-h Display version/help and exit The script will guide you through signing all keys in the -f keyring, or just the keys explicitly specified. All GnuPG operations are done in your default keyring. You will be asked to confirm every mail being sent unless -y is used. The -u, -c, -b, -e and -n options override the env vars MYKEY, CC, BCC and OWNER respectively. For more details, read the source. Other general info can be found at: https://www.roe.ch/GPG Regards, Robin Mathew Rajan https://www.robinmathewrajan.com/ On 02-12-2014 PM 02:05, Tobias Mueller wrote: > Hi. > > I'm digging up this thread because it asked the same question I have, > but it hasn't really been answered: > > On Tue, Sep 17, 2013 at 06:23:35AM +0000, atair wrote: >> Is there a way to achieve the same signatures from gpg command line? >> For example >> $ gpg -a --export >> exports the complete key and not just the signature. However, I >> understand the gpg-man pages in a way that it's possible to do a >> $ gpg -u --edit-key >>> sign >>> sign >>> ... >>> q > > What are the best practises for signing another person's key (i.e. all the UIDs > on a key)? > > And how do you follow those using gnupg? And is there a batch mode to automate that process? > > Cheers, > Tobi > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCgAGBQJUfaPiAAoJEJyRZAJNoXmuZ2oQAKHx7WmFHvBcANw2vrx5lIp4 c/KwLFyHyC0y3sbmh2WdWwuKo7ygFYZp9yHvs63B0PybV4rE5xAjMrMQLBEpbKg2 f+jjUotN+LzKTNyuTe5JHd/7Nz+dS/kGidMhhNNMPzt4UDhmzuW5Cob7T3YLvA2d kp55j3zgLqTQgaOSzHwsVgtlqbq5SAXnZCecEqXp6k6ushtYRTuar7l4bGEVNI+4 BZzQtOy8fWXSWnJjDHl8MQbWEDy/GUSSbpfEXxk1y3y4myAU5KxTHagqyRHVJKJK wMSsjRVlE2Jt8h1EZNvoulMHIZklROySc4njVv8FV9tT7m6jFdunMQ/Tb6n0sF8e KKa+EM0VVG/84YOaYqn6ZgOtKt9rmeO7VL/E3pCSb1qDwptKagpz5tiwQFmJPukz p/qNYZGje/PCSghzSMvfEhtIW1tSbNOfC6rB9J776+liadz8AljjVDEndCTnPvxA C2rKSvFq604G1Za2ZbBDjRu0SA+IyUhJu9XFyrcEkCvNvMpR/lZVmffPohW+ByYU yQot4wETT8qppTQ9t8TQFeq7rkEyoB0eOcRn7RirXG8dMDGZQUBVDJ5SSsNaj759 sIdqcJvuPxGdpgOl85BAhdlztXT1PNk7dqC8RXConLDx+u2Zyp8iT1iMg1adMToZ 8NeeFJD/eHJ9EOYUW1bQ =07it -----END PGP SIGNATURE----- -------------- next part -------------- #!/usr/bin/env bash # gpg-sign-keys.sh - (semi)automatic GnuPG keysigning for busy people # http://www.roe.ch/GPG # # Copyright (C) 2003-2008, Daniel Roethlisberger # All rights reserved. # # Redistribution and use, with or without modification, are permitted # provided that the following conditions are met: # 1. Redistributions must retain the above copyright notice, this list of # conditions and the following disclaimer. # 2. The name of the author may not be used to endorse or promote products # derived from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR # IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES # OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. # IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT # NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF # THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # Many thanks to the following contributors of patches and good ideas: # - Tobias Sager # - Daniel Hottinger # - Tobias Klauser # # $Id: gpg-sign-keys.sh 25 2008-12-14 20:07:10Z roe $ REVISION='$Id: gpg-sign-keys.sh 25 2008-12-14 20:07:10Z roe $' ############################################################################## # requirements # GnuPG for the actual signing, of course - http://www.gnupg.org/ # mktemp for secure temp file handling - http://www.mktemp.org/ # An MSA supporting the -s/-c/-b switches (see ``configuration'' below) ############################################################################## # environment vars # MYKEY: Private key(s) to sign with, whitespace separated # CC: Mail addresses to carbon copy the signature notifications # BCC: Mail addresses to blind carbon copy the signature notifications # OWNER: Real name of person running this script, normally from /etc/passwd ############################################################################## # configuration # MSA: Your mail submission agent, called as follows: # cat message | $MSA $MSA_OPTS -s "some subject" -b "$BCC" -c "$CC" $addresses # Using any of mail, mailx or mutt should work fine, though you should make # sure that mail sent this way will have a sensible/valid From: header. MSA="mutt" MSA_OPTS="" # GnuPG # You can use custom extra options to pass to GnuPG, eg. --use-agent for using # gpg-agent, or options affecting the number of questions asked by GnuPG when # signing keys. Use GnuPG options with care: some more intrusive options may # alter the behaviour of GnuPG too much and break the script. GPG="gpg" GPG_OPTS="" ############################################################################## # TODO / known bugs and limitations # Should be done: # - Better support for making gpg ask less questions # - Better support for "check first, then do all the signing", required for # doing any serious work with gpg-agent -- optionally feed list of uids and # fingerprints to ${PAGER:-more} and provide ways to yank out keys without # terminating the key signing process # - Better support for gpg-agent (currently in CVS only, but should work with # the current 1.2.x stable series of GnuPG, which has support for talking # to gpg-agent -- this will make signing many keys even easier) # - Don't send/mail keys when there was nothing to sign # Might be done: # - Add support for encrypting signatures, and only send them to # the email addresses of their respective uid. # - Maybe add some generic form of support for plugging into a # challenge-response system. # I don't think either of these are the Right Thing To Do, but this script # could/should implement them anyway, if just for completeness. ############################################################################## # check requirements if [ "x`which $GPG`" = "x" ]; then echo "${SCRIPT}: Get and install GnuPG from http://www.gnupg.org/" >&2 exit 1 fi if [ "x`which mktemp`" = "x" ]; then echo "${SCRIPT}: Get and install mktemp from http://www.mktemp.org/" >&2 exit 1 fi if [ "x`which $MSA`" = "x" ]; then echo "${SCRIPT}: Cannot find your MSA $MSA - fix \$MSA in $SCRIPT" >&2 exit 1 fi ############################################################################## # check and parse options and environment # script basename SCRIPT=`basename $0` # usage and version version() { echo "$SCRIPT `echo $REVISION | awk '{ print $3 }'`" >&2 echo "Copyright (C) 2003-2008, Daniel Roethlisberger " >&2 echo "Distributed under a BSD style license, see source for details." >&2 echo "Check http://dragon.roe.ch/bitsnpieces/scripts/gpg/ for updates." >&2 exit 1 } usage() { cat >&2 <&2 usage fi # need at least a keyid or keyring if [ "x$ids$keyring" = "x" ]; then echo 'You must provide key id(s) to sign, or use -f on a keyring file!' >&2 usage fi ############################################################################## # functions # -opts enabled bold echo shout() { echo -n ${CB} echo $@${CN} } # ask "Question" [y|n] ask() { local ans opts [ "$2" = "y" ] && opts="[Y/n]" || opts="[y/N]" while true; do read -p "$1? $opts " ans [ -z "$ans" ] && ans=${2:-n} case "$ans" in y|Y|j|J) return 0 ;; n|N) return 1 ;; esac done } # $1: id, $2: address mail_key() { mail_id="$1" mail_address="$2" mykey_list=`echo $MYKEY | sed 's/ /, /g'` if [ `echo $MYKEY | wc -w` -eq 1 ]; then key_s='key' else key_s='keys' fi cat <$tmp Hi, this is the $SCRIPT script running on behalf of $OWNER. Below is your signed key $id. Please do not forget to sign my owner's $key_s $mykey_list as well. If you have reasons not to sign the $key_s, my owner would like to know about them. EOF if [ "x$nosend" = "x" ]; then cat <>$tmp Additionally your signed key has been uploaded to the keyservers. EOF else cat <>$tmp Your key has not been uploaded to any keyserver. Please make sure that you upload your key and its signatures manually. EOF fi if [ -n "$append" -a -r "$append" ]; then cat "$append" >>$tmp fi $GPG --fingerprint $mail_id >>$tmp $GPG --armor --export $mail_id >>$tmp if [ -r ~/.signature ]; then cat <>$tmp -- EOF cat ~/.signature >>$tmp fi if [ "x$noencrypt" = "x" ]; then mv $tmp $tmp.orig $GPG --armor --encrypt --encrypt-to $mail_id --recipient $mail_id < $tmp.orig > $tmp 2>/dev/null rm $tmp.orig fi cat $tmp | $MSA $MSA_OPTS -s "Your key $mail_id signed by $mykey_list" $mailopts $mail_address } # clean up cleanup() { rm -rf $tmpdir } # console interrupt (ctrl-c) trap_int() { shout 'Chickening out, already?' cleanup exit 2 } # terminate trap_term() { shout 'Ouch!' cleanup exit 2 } ############################################################################## # set up things # GnuPG GPG="$GPG --no-auto-check-trustdb $GPG_OPTS" # colours: bold and normal CB='' CN='' # get owner name if [ "x$OWNER" = "x" ]; then owner_id=`id -un` OWNER=`grep "^$owner_id:" /etc/passwd | cut -f 5 -d ':' | sed 's/^\([^,]*\),.*$/\1/'` OWNER=${OWNER:-my owner} fi # set mail options mailopts='' if [ "x$BCC" != "x" ]; then MAILOPTIONS="$mailopts -b $BCC" fi if [ "x$CC" != "x" ]; then MAILOPTIONS="$mailopts -c $CC" fi # trap signals trap 'trap_int' 2 trap 'trap_term' 15 # temp files tmpdir=`mktemp -d -t gpg-sign-keys.XXXXXXXXXXXX` || exit 1 tmp="$tmpdir/mail.tmp" ############################################################################## # process keyring, if necessary, and prune id list # check keyring file, dearmor if [ "x$keyring" != "x" ]; then keyring=`echo "$keyring" | awk '!/\// { print "./" $1 } /\// { print $1 }'` if [ ! -r "$keyring" ]; then echo "${SCRIPT}: $keyring: No such keyring." >&2 exit 1 fi keyring_ext=`echo "$keyring" | sed 's/^.*\.\([^.]*\)$/\1/'` if [ "x$keyring_ext" = "xasc" ]; then if [ "$noask" ] || \ ask "Automatically dearmor keyring $keyring" n; then shout "Dearmoring keyring $keyring to $keyring.gpg" $GPG --dearmor $keyring || exit 1 keyring="$keyring.gpg" if [ ! -r "$keyring" ]; then echo "${SCRIPT}: $keyring: No such keyring. Dearmoring failed?" >&2 exit 1 fi else echo "${SCRIPT}: $keyring: Keyring is ASCII armored. Dearmor it manually." >&2 exit 1 fi unset ans fi fi if [ "x$ids" = "x" ]; then GPG_KEYRING="$GPG --no-default-keyring --keyring $keyring" ids=`$GPG_KEYRING --list-keys | sed 's/\// /g' | awk '/^pub/ { print $3 }'` # import keys to main keyring if [ "x$noimport" = "x" ]; then shout "Importing keys from $keyring into default keyring..." $GPG_KEYRING --export | $GPG --import else shout "Skipping import - you should make sure all keys are in your default keyring" fi fi for myid in $MYKEY $except; do ids=`echo $ids | sed "s/ *$myid */ /g"` done ids=`echo $ids | sed -e 's/ */ /g' -e 's/^ *//g' -e 's/ *$//g'` ############################################################################## # main loop if [ `echo $ids | wc -w` -lt 1 ]; then shout 'No keys to sign!' cleanup exit 0 fi # give last chance to chicken out echo "This script's owner: $OWNER" echo "Your private key(s): $MYKEY" echo "List of keys to sign: $ids" if [ "x$noask" = "x" ]; then shout "Press enter to proceed or Ctrl-C to abort..." read p fi # check for missing ids in local keyring unset import_ids for id in $ids; do if ! $GPG --fingerprint $id > /dev/null 2>&1; then import_ids="$import_ids $id" fi done if [ "x$import_ids" != "x" ]; then echo "Could not find the following ids in the local keyring:" echo "$import_ids" if ask "Import missing ids now" y; then $GPG --recv-keys $import_ids fi fi # process all keys for id in $ids; do shout "Now processing key: $id" # signing if [ "x$nosign" = "x" ]; then for myid in $MYKEY; do shout "Using your key: $myid" $GPG -u $myid --sign-key $id done else shout "Skipping signature creation" fi # sending to keyserver if [ "x$nosend" = "x" ]; then shout "Sending key $id to keyserver..." $GPG --send-key $id else shout "Skipping send to keyserver" fi # sending by email if [ "x$nomail" = "x" ]; then address=`$GPG --list-key $id | egrep '<.*>' | sed 's/^.*<\(.*\)>.*$/\1/g' | head -1` if [ "x$address" = "x" ]; then shout "No email address for key $id:" $GPG --list-key $id if [ "x$noask2" = "x" ]; then shout -n "Enter email address for key $id: " read address fi fi if [ "x$address" != "x" ]; then if [ "$noask" ] || \ ask "Send key $id to $address" n; then shout "Sending key $id to $address" mail_key $id $address else shout "No email sent to owner of key $id" fi else shout "Will not send email to owner of key $id - no address given" fi else shout "Skipping mail" fi done # clean up and update trustdb cleanup if [ "x$noupdate" = "x" ]; then shout "Updating trustdb - this could take a while..." gpg --update else shout "Skipping trustdb update - you should run gpg --update-trustdb manually." fi shout "Done." From david at gbenet.com Tue Dec 2 13:05:48 2014 From: david at gbenet.com (david at gbenet.com) Date: Tue, 02 Dec 2014 12:05:48 +0000 Subject: Keysigning In-Reply-To: <547D9A2E.30802@robinmathewrajan.com> References: <547D77E1.8040100@robinmathewrajan.com> <547D87D2.2020209@gbenet.com> <547D9A2E.30802@robinmathewrajan.com> Message-ID: <547DAB1C.3040702@gbenet.com> On 02/12/14 10:53, Robin Mathew Rajan wrote: > Hello David, :) > > I already uploaded my public key to a public key server some months ago. But there's no local Linux users group where I live! I sent emails to some people listed at biglumber.com with my Government issued ID card attached. But no reply came from them. :( Some of them are CACert Assurers! > > If someone could sign my key over video conferencing, that would be very much helpful to me. Yes, I know it's much less trusted than actual person-person meetups in real world. But at the same time, it offers an easy solution for someone living in a very remote area. And it's also particularly helpful if he/she can't afford travel expenses to get keys signed. I think it's just like performance vs. security in cryptography. Signing someone's key through video conferencing is less secure but at the same time it's an effective solution for remote areas. I think key signing through video conferencing, might help in reducing 'crypto divide' (like that in 'digital divide'). :) > > Regards, > Robin Mathew Rajan > https://www.robinmathewrajan.com/ > > > On 02-12-2014 PM 03:05, david at gbenet.com wrote: >> On 02/12/14 08:27, Robin Mathew Rajan wrote: >>> Hello, >>> >>> Where can I get my keys signed? Does here anyone provide keysigning services through video conference? :) >>> >>> Thanks and regards, >>> Robin Mathew Rajan >>> >>> _______________________________________________ >>> Gnupg-users mailing list >>> Gnupg-users at gnupg.org >>> http://lists.gnupg.org/mailman/listinfo/gnupg-users >>> >> Hello Robin, > >> The first thing you need to do is upload your public key to a key server. Perhaps you can >> find people where you live - a local Windows group or Linux group they would be happy to >> sign your key. > >> Video conferencing? You need to produce some documentation of who you are - some here may >> feel that video conferencing is not a good idea. But first get your public key to a key server. > >> David > > > >> _______________________________________________ >> Gnupg-users mailing list >> Gnupg-users at gnupg.org >> http://lists.gnupg.org/mailman/listinfo/gnupg-users > > Hello Robin, I tried to download your public key from several servers - without any luck. As your using Thunderbird you can always attach your public key. As for key signing - then face to face communications are better. I've asked myself "what is the importance of people signing my keys?" There is no valid reason as far as I can see - though people like to build the web of trust - and for the most part - people on here are who they say they are - and over the years you get to build up trust. Though having said that I'm not about to rush out and sign every one's keys. Why not start your own group? There are lots of Linux groups around the world - unless your stuck in the middle of nowhere! Perhaps you can provide a link to where you uploaded your public key? David -- ?See the sanity of the man! No gods, no angels, no demons, no body. Nothing of the kind.Stern, sane,every brain-cell perfect and complete even at the moment of death. No delusion.? https://linuxcounter.net/user/512854.html - http://gbenet.com -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 897 bytes Desc: OpenPGP digital signature URL: From mail at robinmathewrajan.com Tue Dec 2 13:30:11 2014 From: mail at robinmathewrajan.com (Robin Mathew Rajan) Date: Tue, 02 Dec 2014 18:00:11 +0530 Subject: Keysigning In-Reply-To: <547DAB1C.3040702@gbenet.com> References: <547D77E1.8040100@robinmathewrajan.com> <547D87D2.2020209@gbenet.com> <547D9A2E.30802@robinmathewrajan.com> <547DAB1C.3040702@gbenet.com> Message-ID: <547DB0D3.9040708@robinmathewrajan.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hello David :) My key is available on these key servers. http://keyserver.ubuntu.com/pks/lookup?op=vindex&search=mail%40robinmathewrajan.com&fingerprint=on https://pgp.mit.edu/pks/lookup?search=mail%40robinmathewrajan.com&op=vindex&fingerprint=on Regards, Robin Mathew Rajan On 02-12-2014 PM 05:35, david at gbenet.com wrote: > On 02/12/14 10:53, Robin Mathew Rajan wrote: >> Hello David, :) >> >> I already uploaded my public key to a public key server some months ago. But there's no local Linux users group where I live! I sent emails to some people listed at biglumber.com with my Government issued ID card attached. But no reply came from them. :( Some of them are CACert Assurers! >> >> If someone could sign my key over video conferencing, that would be very much helpful to me. Yes, I know it's much less trusted than actual person-person meetups in real world. But at the same time, it offers an easy solution for someone living in a very remote area. And it's also particularly helpful if he/she can't afford travel expenses to get keys signed. I think it's just like performance vs. security in cryptography. Signing someone's key through video conferencing is less secure but at the same time it's an effective solution for remote areas. I think key signing through video conferencing, might help in reducing 'crypto divide' (like that in 'digital divide'). :) >> >> Regards, >> Robin Mathew Rajan >> https://www.robinmathewrajan.com/ >> >> >> On 02-12-2014 PM 03:05, david at gbenet.com wrote: >>> On 02/12/14 08:27, Robin Mathew Rajan wrote: >>>> Hello, >>>> >>>> Where can I get my keys signed? Does here anyone provide keysigning services through video conference? :) >>>> >>>> Thanks and regards, >>>> Robin Mathew Rajan >>>> >>>> _______________________________________________ >>>> Gnupg-users mailing list >>>> Gnupg-users at gnupg.org >>>> http://lists.gnupg.org/mailman/listinfo/gnupg-users >>>> >>> Hello Robin, >> >>> The first thing you need to do is upload your public key to a key server. Perhaps you can >>> find people where you live - a local Windows group or Linux group they would be happy to >>> sign your key. >> >>> Video conferencing? You need to produce some documentation of who you are - some here may >>> feel that video conferencing is not a good idea. But first get your public key to a key server. >> >>> David >> >> >> >>> _______________________________________________ >>> Gnupg-users mailing list >>> Gnupg-users at gnupg.org >>> http://lists.gnupg.org/mailman/listinfo/gnupg-users >> >> > Hello Robin, > > I tried to download your public key from several servers - without any luck. As your using > Thunderbird you can always attach your public key. > > As for key signing - then face to face communications are better. I've asked myself "what is > the importance of people signing my keys?" There is no valid reason as far as I can see - > though people like to build the web of trust - and for the most part - people on here are > who they say they are - and over the years you get to build up trust. Though having said > that I'm not about to rush out and sign every one's keys. > > Why not start your own group? There are lots of Linux groups around the world - unless your > stuck in the middle of nowhere! Perhaps you can provide a link to where you uploaded your > public key? > > David > -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCgAGBQJUfbDTAAoJEJyRZAJNoXmunbYP/2dXXPhu6rzQB1tKQqTPXoqa XDBx9UTGVIMsI1A7ic4wJao5aD9+PgvRL7Iunqo4exGOab0uBDBZle7/pNqE3wEe 1npOpVJhUd9hXQa1HLPQdaDlBu8ap7DiGrtNgR4g4kFukzJilvtdps4Pmvd+hc/f ciMf1wMszynQ5sTcmJ4U7lNLlwSlClk1poWSAsg9Q1dU97aSUE54r8m9qGBwfMP3 T5UB8A68iokiij0+IJIFYEvmqFFUsdG8dYtDehqJl0tX/hd64YV/5qbz7K97XiPC 5vhlFphBpSFNjl3iuXNdljr8UoIdTgSYolzbF4SH8fnx9f4jBFBTgO3mpenlJUP9 lwOCV1Gcmn3HfDRV7aW1QvTExdyw9tcJQhUSOppuDivUFePpirXZugRqDNPsN8t0 bhTR/wTBIV/3InCu8JktbwBCa+h1dVMY5rEvlSnp8AXc8sQLg3htapCITng5sEpj 2re1v5YHNiIWqWPIKE3yoj2oAcx2jX53Vg+s3dIaoyIwCDn+muITQ26b0PlDdKnL cfoqmAJGhG6jsnI/UyfIHbjYIlRb8esCsoaTG2WRfww3N3YbWLUNu/M3P70h9cTD OmsbHDCLUWKjEkzUdHwohvtapFTmSprrLrZZYzHO9DYKV22czNyWwb/IRNCYmJ/Y uQoOh0ymQpwiAjbu0VJs =Tx23 -----END PGP SIGNATURE----- From brian at minton.name Tue Dec 2 18:03:59 2014 From: brian at minton.name (Brian Minton) Date: Tue, 2 Dec 2014 12:03:59 -0500 Subject: Security patches and gpg 1/2 development In-Reply-To: <54762327.4000008@fifthhorseman.net> References: <54762327.4000008@fifthhorseman.net> Message-ID: On Wed, Nov 26, 2014 at 1:59 PM, Daniel Kahn Gillmor wrote: > https://bugs.g10code.com/gnupg/index > I noticed that my browser complained about the certificate of that URL. Is that the correct address? From tristan.santore at internexusconnect.net Tue Dec 2 18:15:30 2014 From: tristan.santore at internexusconnect.net (Tristan Santore) Date: Tue, 02 Dec 2014 17:15:30 +0000 Subject: Security patches and gpg 1/2 development In-Reply-To: References: <54762327.4000008@fifthhorseman.net> Message-ID: <547DF3B2.2050207@internexusconnect.net> On 02/12/14 17:03, Brian Minton wrote: > On Wed, Nov 26, 2014 at 1:59 PM, Daniel Kahn Gillmor > wrote: > >> https://bugs.g10code.com/gnupg/index >> > I noticed that my browser complained about the certificate of that > URL. Is that the correct address? > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users SHA256 Finger Print: A4:00:9A:76:1E:DA:98:12:36:E8:2F:89:CF:28:8C:E7:A1:BB:17:93:3D:C0:68:D1:A9:82:60:A6:0C:73:2B:39 That is what I have here. I had to add an exemption on this as it is not signed by a CA. But then again, just because it is signed by a CA, does not necessarily make it safer. Hope this helps. Regards, Tristan -- Tristan Santore BSc MBCS TS4523-RIPE Network and Infrastructure Operations InterNexusConnect Mobile +44-78-55069812 Tristan.Santore at internexusconnect.net Former Thawte Notary (Please note: Thawte has closed its WoT programme down, and I am therefore no longer able to accredit trust) For Fedora related issues, please email me at: TSantore at fedoraproject.org From aaron.toponce at gmail.com Tue Dec 2 18:23:13 2014 From: aaron.toponce at gmail.com (Aaron Toponce) Date: Tue, 2 Dec 2014 10:23:13 -0700 Subject: Keysigning In-Reply-To: <547D77E1.8040100@robinmathewrajan.com> References: <547D77E1.8040100@robinmathewrajan.com> Message-ID: <20141202172312.GD5496@eightyeight.xmission.com> On Tue, Dec 02, 2014 at 01:57:13PM +0530, Robin Mathew Rajan wrote: > Where can I get my keys signed? Does here anyone provide keysigning services > through video conference? :) Yes. You can get me through Tox. My Tox ID is: 76AC69FEB7DA042DFD75F30574CEE3C6498DF9DD766E1D78FC5CB4693CA10BD381F696 My key signing policy: https://pthree.org/my-pgp-key-signing-policy/ I'm not as militant about key signing as some others in the community. I'll take precautions, but I'll also make an attempt at getting more in the WoT. -- . o . o . o . . o o . . . o . . . o . o o o . o . o o . . o o o o . o . . o o o o . o o o -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 502 bytes Desc: not available URL: From aaron.toponce at gmail.com Tue Dec 2 18:25:04 2014 From: aaron.toponce at gmail.com (Aaron Toponce) Date: Tue, 2 Dec 2014 10:25:04 -0700 Subject: Keysigning In-Reply-To: <20141202172312.GD5496@eightyeight.xmission.com> References: <547D77E1.8040100@robinmathewrajan.com> <20141202172312.GD5496@eightyeight.xmission.com> Message-ID: <20141202172502.GE5496@eightyeight.xmission.com> On Tue, Dec 02, 2014 at 10:23:13AM -0700, Aaron Toponce wrote: > Yes. You can get me through Tox. My Tox ID is: > > 76AC69FEB7DA042DFD75F30574CEE3C6498DF9DD766E1D78FC5CB4693CA10BD381F696 Hmm. It seems to have been truncated in the paste. The actual Tox ID is: 30861A76AC69FEB7DA042DFD75F30574CEE3C6498DF9DD766E1D78FC5CB4693CA10BD381F696 -- . o . o . o . . o o . . . o . . . o . o o o . o . o o . . o o o o . o . . o o o o . o o o -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 502 bytes Desc: not available URL: From 2014-667rhzu3dc-lists-groups at riseup.net Wed Dec 3 00:47:03 2014 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Tue, 2 Dec 2014 23:47:03 +0000 Subject: Keysigning In-Reply-To: <547DB0D3.9040708@robinmathewrajan.com> References: <547D77E1.8040100@robinmathewrajan.com> <547D87D2.2020209@gbenet.com> <547D9A2E.30802@robinmathewrajan.com> <547DAB1C.3040702@gbenet.com> <547DB0D3.9040708@robinmathewrajan.com> Message-ID: <1314912172.20141202234703@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Tuesday 2 December 2014 at 12:30:11 PM, in , Robin Mathew Rajan wrote: > My key is available on these key servers. When GnuPG searched for the key to verify your signatures, It failed with:- gpg: key 0x7D3A6C5A47CF3842: rejected by import filter But I was able to import it by gpg --recv-keys 0x7D3A6C5A47CF3842 without error. - -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net To know what we know, and know what we do not know, is wisdom. -----BEGIN PGP SIGNATURE----- iPQEAQEKAF4FAlR+T35XFIAAAAAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0 N0VDQTAzAAoJEKipC46tDG5pSy4D/RytVLaQwYevi3BL0GnkG9n423+Ym7JhSwW5 VInJlohZGSlBV70wDzJbXS5LCI1LJgn7dFmju5f8hMXrfAGU12NL4jelBZdk63l2 XirSnMiSh3CR9mPEgiAR121Uo0O6HrJLwCQU+TqJ8b8X2ihpCrIdGHeMseA5UOYL SErOpgA0iQF8BAEBCgBmBQJUfk9+XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRp b25zLm9wZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZB NUEwRjU2QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwVE8H/RkAS9g61wZvFUNn 3weloC11++r4tS0rz84WMp7liWXGjR9jTx644ZTbs5SnfwsSkGDc4+wPMY0K70jI 6qWIHBE8X0hTtdMkkij9f9nSTT0s9mxmVIcM3UmSKDlunpCN/HYEBvTYXBz4WkI2 lNd8c5bTDwfzHlRSFwUkrlECl+U1P5yX5PvukszM/HgFse6XkZFAidNLlWVGqjed /nIWlmROuT5d9qb1Ps5nIW0eHIrJlGijdR9ydZcQvfU9bnrDfkO4j4dMDWZM9+Lm CPWFcNZ8EKJfsEBLLKq3ORF9k/8sUVrY+uoMNa1dFhPyDdMuFq7ltberJOLuQejX aPhigVs= =NTRz -----END PGP SIGNATURE----- From tjakway at nyu.edu Wed Dec 3 00:53:22 2014 From: tjakway at nyu.edu (Thomas Jakway) Date: Tue, 02 Dec 2014 18:53:22 -0500 Subject: Build Problems Involving libgpg-error Message-ID: <547E50F2.8020805@nyu.edu> Sorry to bother you all with build problems, but I'm really stumped on this one. Tried to cover as many possibilities as I could before coming here. I'm getting a weird error message trying to build gnupg. I'm on origin/HEAD (the development branch) My system: $ uname -a Linux thomas-VirtualBox 3.16.0-25-generic #33-Ubuntu SMP Tue Nov 4 12:05:25 UTC 2014 i686 i686 i686 GNU/Linux (I'm not aware of any problems unique to building on VirtualBox? Host uname -a is Darwin Thomass-MacBook-Pro-5.local 13.4.0 Darwin Kernel Version 13.4.0: Sun Aug 17 19:50:11 PDT 2014; root:xnu-2422.115.4~1/RELEASE_X86_64 x86_64 if it matters) ran: ./autogen.sh (gave normal output) ./configure --enable-maintainer-mode --sysconfdir=/etc --prefix=/home/thomas/git/OTHERGPG/t_install --with-libgcrypt-prefix=/home/thomas/git/libgcrypt/t_install/ --with-npth-prefix=/home/thomas/git/npth/t_install/ configure gives this output: GnuPG v2.1.1-beta51 has been configured as follows: Revision: e1f515b (57845) Platform: GNU/Linux (i686-pc-linux-gnu) OpenPGP: yes S/MIME: yes Agent: yes Smartcard: yes G13: yes Dirmngr: yes Gpgtar: yes Protect tool: (default) LDAP wrapper: (default) Default agent: (default) Default pinentry: (default) Default scdaemon: (default) Default dirmngr: (default) Dirmngr auto start: yes Readline support: yes LDAP support: yes DNS SRV support: yes TLS support: gnutls configure also says the libraries are OK: configure: checking for libraries checking for gpg-error-config... /usr/local/bin/gpg-error-config checking for GPG Error - version >= 1.16... yes (1.18-beta8) checking for libgcrypt-config... /home/thomas/git/libgcrypt/t_install//bin/libgcrypt-config checking for LIBGCRYPT - version >= 1.6.0... yes (1.7.0-beta128) checking LIBGCRYPT API version... okay checking for libassuan-config... /usr/bin/libassuan-config checking for LIBASSUAN - version >= 2.1.0... yes (2.1.2-unknown) checking LIBASSUAN API version... okay checking for ksba-config... /usr/bin/ksba-config checking for KSBA - version >= 1.2.0... yes (1.3.0) checking KSBA API version... okay checking for usb_bulk_write in -lusb... yes checking for usb_create_match... no checking for library containing dlopen... -ldl checking for encfs... /usr/bin/encfs checking for fusermount... /bin/fusermount checking for openpty in -lutil... yes checking for shred... /usr/bin/shred checking for npth-config... /home/thomas/git/npth/t_install//bin/npth-config checking for NPTH - version >= 0.91... yes (1.2-beta4) checking NPTH API version... okay checking for ntbtls-config... no checking for NTBTLS - version >= 0.1.0... no checking for pkg-config... /usr/bin/pkg-config checking pkg-config is at least version 0.9.0... yes checking for LIBGNUTLS... yes make gives this error: asshelp.c: In function ?start_new_gpg_agent?: asshelp.c:511:33: error: ?GPG_ERR_FORBIDDEN? undeclared (first use in this function) if (gpg_err_code (err) == GPG_ERR_FORBIDDEN ^ asshelp.c:511:33: note: each undeclared identifier is reported only once for each function it appears in Makefile:1402: recipe for target 'libcommon_a-asshelp.o' failed make[3]: *** [libcommon_a-asshelp.o] Error 1 make[3]: Leaving directory '/home/thomas/git/gnupg/common' which makes me think libgpg-error probably didn't get included properly libgpg-error is definitely installed (at least according to aptitude): thomas at thomas-VirtualBox:~$ aptitude search libgpg-error i libgpg-error-dev - library for common error values and mes i libgpg-error0 - library for common error values and mes so I built libgpg-error and tried passing it using --with-libgpg-error-prefix: ./configure --enable-maintainer-mode --sysconfdir=/etc --prefix=/home/thomas/git/OTHERGPG/t_install --with-libgpg-error-prefix=/home/thomas/git/libgpg-error/t_install --with-libgcrypt-prefix=/home/thomas/git/libgcrypt/t_install/ --with-npth-prefix=/home/thomas/git/npth/t_install/ same error. Then saw this bug ticket: http://bugs.gnupg.org/gnupg/issue1561 (title: "configure: --with-libgpg-error-prefix doesn't impact includes") Got the relevant paths with gpg-error-config: thomas at thomas-VirtualBox:~/git/libgpg-error/t_install/bin$ ./gpg-error-config --libs -L/home/thomas/git/libgpg-error/t_install/lib -lgpg-error thomas at thomas-VirtualBox:~/git/libgpg-error/t_install/bin$ ./gpg-error-config --cflags -I/home/thomas/git/libgpg-error/t_install/include but trying CFLAGS="-I/home/thomas/git/libgpg-error/t_install/include" LDFLAGS="-L/home/thomas/git/libgpg-error/t_install/lib" LIBS="-lgpg-error" ./configure --enable-maintainer-mode --sysconfdir=/etc --prefix=/home/thomas/git/OTHERGPG/t_install --with-libgcrypt-prefix=/home/thomas/git/libgcrypt/t_install/ --with-npth-prefix=/home/thomas/git/npth/t_install/ gives the same error (nor does doing that last one with --with-libgpg-error-prefix) I did notice that even when I passed --with-libgpg-error-prefix configure still used the system libgpg-error libraries: checking for gpg-error-config... /usr/local/bin/gpg-error-config checking for GPG Error - version >= 1.16... yes (1.18-beta8) (I tried installing my build of libgpg-error after the debian package one wasn't working). Any help is much appreciated! Thomas Jakway PS: Earlier I tried sending this to gpg-devel but there was an issue my mail settings. Sorry if it went through and this is a duplicate, I think this is the better mailing list for this question anyways. -------------- next part -------------- An HTML attachment was scrubbed... URL: From wk at gnupg.org Wed Dec 3 08:37:53 2014 From: wk at gnupg.org (Werner Koch) Date: Wed, 03 Dec 2014 08:37:53 +0100 Subject: Build Problems Involving libgpg-error In-Reply-To: <547E50F2.8020805@nyu.edu> (Thomas Jakway's message of "Tue, 02 Dec 2014 18:53:22 -0500") References: <547E50F2.8020805@nyu.edu> Message-ID: <87ppc1xjxq.fsf@vigenere.g10code.de> On Wed, 3 Dec 2014 00:53, tjakway at nyu.edu said: > ./autogen.sh (gave normal output) Okay, you are using some GIT version. Thus expect to run into problems. > asshelp.c:511:33: error: ?GPG_ERR_FORBIDDEN? undeclared (first use in This is a new error code which is substituted for older libgpg-errors: /* These error codes are used but not defined in the required libgpg-error version. Define them here. */ #if GPG_ERROR_VERSION_NUMBER < 0x011200 /* 1.18 */ # define GPG_ERR_FORBIDDEN 251 #endif No, the git version of libgpg-error already has been set to version 1.18 but I have not yet pushed the changes. I suggest to use a released gpg-error version or go back to the libgpg-error-1.17 tag. You may also wait an hour or so until I have pushed the new error code. > PS: Earlier I tried sending this to gpg-devel but there was an issue The other list is gnupg-devel and not gpg-devel - maybe that was the problem. In general I would suggest to use gnupg-devel for build problems from GIT. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From gnupgpack at on.yourweb.de Wed Dec 3 10:37:22 2014 From: gnupgpack at on.yourweb.de (gnupgpack) Date: Wed, 3 Dec 2014 10:37:22 +0100 Subject: Order/changing of subkeys derogates compatibility!? Message-ID: <001901d00edc$bd768700$38639500$@on.yourweb.de> After further investigation: Actual version of 'Symantec Encryption Desktop 10.2.3' (former known as PGP...) is supporting subkeys for signing or encryption in both directions, accurate interaction with GPG-2.0.26/GPG-1.4.18. NOT working with subkeys for signing or encryption are: PGP-6.5.1 / 6.5.1ckt PGP-8.1 (thanks to Symantec support...) I did try to get old version of PGP-9.0x, -9.5x, -10.0x, but it seems to be impossible to get it even from Symantec enterprise support. Didn't find it in download archives. Maybe someone can help from private trial archive (email...)? So finally there is still this open question: How is the collaboration between actual branches of GPG-2.0/GPG-1.4 and PGP versions: 9.0x 9.5x 10.0x? Before generating new series of long term keysets, what do you think about this keystructure: Example-keystructure: pub 4096R/97CA9679 erzeugt: 2014-11-22 verf?llt: niemals Aufruf: C Vertrauen: uneingeschr?nkt G?ltigkeit: uneingeschr?nkt sub 4096R/9D22119A erzeugt: 2014-11-22 verf?llt: 2016-11-21 Aufruf: A sub 4096R/884627F6 erzeugt: 2014-11-22 verf?llt: 2016-11-21 Aufruf: E sub 3072D/37F05D01 erzeugt: 2014-11-22 verf?llt: 2016-11-21 Aufruf: S [ unbek.] (1). vorname nachname (kommentar) Thanks and regards, Chris From kristian.fiskerstrand at sumptuouscapital.com Wed Dec 3 11:13:04 2014 From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand) Date: Wed, 03 Dec 2014 11:13:04 +0100 Subject: Keysigning In-Reply-To: <1314912172.20141202234703@my_localhost> References: <547D77E1.8040100@robinmathewrajan.com> <547D87D2.2020209@gbenet.com> <547D9A2E.30802@robinmathewrajan.com> <547DAB1C.3040702@gbenet.com> <547DB0D3.9040708@robinmathewrajan.com> <1314912172.20141202234703@my_localhost> Message-ID: <547EE230.4070405@sumptuouscapital.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 12/03/2014 12:47 AM, MFPA wrote: > Hi > > > On Tuesday 2 December 2014 at 12:30:11 PM, in > , Robin Mathew Rajan > wrote: > > > >> My key is available on these key servers. > > When GnuPG searched for the key to verify your signatures, It > failed with:- gpg: key 0x7D3A6C5A47CF3842: rejected by import > filter This one means you should update your version of gnupg. It was a bug back in 2.0.24 and 2.0.25 (and the 1.4 versions released around the same time). - -- - ---------------------------- Kristian Fiskerstrand Blog: http://blog.sumptuouscapital.com Twitter: @krifisk - ---------------------------- Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 - ---------------------------- Nulla regula sine exceptione No rule without exception -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJUfuIuAAoJEPw7F94F4TagPN0P/ii6fD7N7hXTmE3PuoTgfw0K sia/84OEnlAONc8Pslr2h11Zfylt6G10yq8DOK38zattCwsKoUcuKRWJUmOGph0q QDxXuW+HqUq2ioFalihvLuDuR8D3vOfWzfey2cmbRqN71Vhk9BYqyGn0d2Ldhh25 36J61JvRJ2HmMTdIDhgj6WqFjTjIb1/rMWvZ51iReQBecGf6ISgMR+njUkzlggWt jrLbfYX3fYQboUluRN2IfSGKRkHSrsPnt/mbgD+NiMWvaSvatdPmWGaTFsENbcrf YvCiHYZ44S4N8DN+cSDQafnnEhQCQeGfKnR2teV06s0TjJxOpaGtIp9UaIVskD2b 3DlFzOuK+PsJAxAy0G46iB63jsPVsUHhnXuJ/TY1ir7xHrMP2TMgSKPHN0NkK226 KjtIqa9YmQavJH2x1+xLBIGyS67nH4DQ8Z6uUVsFs0RuuYf4vzfdCaPdcP6DsbjK P95m6Fw6ho8ZxKcaabSxebx7nIJtCR2dXNigxGgIdsQQyuwjlO+NXWVCLc1EA7N+ KGhBDePG/OrbxOfkN3VrnBQsr5nNJWXvG79y6Uxvv30v20qv5q3UEJCjynCHZXNi fL2kiOLCKWlaBySnnoMSTuTy154evaBCn+Tc8xCsvAz5YTqVu1LD1ZGG2ayiHCW0 izUn7hPvelpNcz1MRCMd =xvXn -----END PGP SIGNATURE----- From aixtools at gmail.com Wed Dec 3 11:40:50 2014 From: aixtools at gmail.com (Michael Felt) Date: Wed, 3 Dec 2014 11:40:50 +0100 Subject: GnuPG 2.1.0 "modern" released In-Reply-To: <87ioisn1mo.fsf@vigenere.g10code.de> References: <87ioisn1mo.fsf@vigenere.g10code.de> Message-ID: Hello, I am running "make check" and the process seems to stop after this line to stdout ... CERT lookup on 'simon.josefsson.org' Key found (33162 bytes) PASS: t-dns-cert PASS: t-mapstrings PASS: t-zb32 max. file descriptors: 2147483647 Is this perhaps a bug - at least for the test logic - because this is an unusual number. And, is the test goinf to try an open that many file descriptors? I ulimit will stop much earlier - also because it says the max is 2000 not INT32_MAX! e.g. stdint.h:#define INT32_MAX (2147483647) root at x065:[/]ulimit -a time(seconds) unlimited file(blocks) unlimited data(kbytes) unlimited stack(kbytes) 4194304 memory(kbytes) unlimited coredump(blocks) unlimited nofiles(descriptors) 2000 On Thu, Nov 6, 2014 at 10:01 AM, Werner Koch wrote: > Hello! > > The GnuPG Project is pleased to announce the availability of a > new release: Version 2.1.0. > > The GNU Privacy Guard (GnuPG) is a complete and free implementation of > the OpenPGP standard as defined by RFC-4880 and better known as PGP. > > GnuPG, also known as GPG, allows to encrypt and sign data and > communication, features a versatile key management system as well as > access modules for public key directories. GnuPG itself is a command > line tool with features for easy integration with other applications. > A wealth of frontend applications and libraries making use of GnuPG > are available. Since version 2 GnuPG provides support for S/MIME and > Secure Shell in addition to OpenPGP. > > GnuPG is Free Software (meaning that it respects your freedom). It can > be freely used, modified and distributed under the terms of the GNU > General Public License. > > Three different versions of GnuPG are actively maintained: > > - GnuPG "modern" (2.1) is the latest development with a lot of new > features. This announcement is about the first release of this > version. > > - GnuPG "stable" (2.0) is the current stable version for general use. > This is what most users are currently using. > > - GnuPG "classic" (1.4) is the old standalone version which is most > suitable for older or embedded platforms. > > You may not install "modern" (2.1) and "stable" (2.0) at the same > time. However, it is possible to install "classic" (1.4) along with > any of the other versions. > > > What's New in GnuPG-2.1 > ======================= > > - The file "secring.gpg" is not anymore used to store the secret > keys. Merging of secret keys is now supported. > > - All support for PGP-2 keys has been removed for security reasons. > > - The standard key generation interface is now much leaner. This > will help a new user to quickly generate a suitable key. > > - Support for Elliptic Curve Cryptography (ECC) is now available. > > - Commands to create and sign keys from the command line without any > extra prompts are now available. > > - The Pinentry may now show the new passphrase entry and the > passphrase confirmation entry in one dialog. > > - There is no more need to manually start the gpg-agent. It is now > started by any part of GnuPG as needed. > > - Problems with importing keys with the same long key id have been > addressed. > > - The Dirmngr is now part of GnuPG proper and also takes care of > accessing keyserver. > > - Keyserver pools are now handled in a smarter way. > > - A new format for locally storing the public keys is now used. > This considerable speeds up operations on large keyrings. > > - Revocation certificates are now created by default. > > - Card support has been updated, new readers and token types are > supported. > > - The format of the key listing has been changed to better identify > the properties of a key. > > - The gpg-agent may now be used on Windows as a Pageant replacement > for Putty in the same way it is used for years on Unix as > ssh-agent replacement. > > - Creation of X.509 certificates has been improved. It is now also > possible to export them directly in PKCS#8 and PEM format for use > on TLS servers. > > A detailed description of the changes can be found at > https://gnupg.org/faq/whats-new-in-2.1.html . > > > Getting the Software > ==================== > > Please follow the instructions found at https://gnupg.org/download/ or > read on: > > GnuPG 2.1.0 may be downloaded from one of the GnuPG mirror sites or > direct from its primary FTP server. The list of mirrors can be found > at https://gnupg.org/mirrors.html . Note that GnuPG is not available > at ftp.gnu.org. > > On ftp.gnupg.org you find these files: > > ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.0.tar.bz2 (3039k) > ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.0.tar.bz2.sig > > This is the GnuPG 2.1 source code compressed using BZIP2 and its > OpenPGP signature. > > ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.0_20141105.exe (6225k) > ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.0_20141105.exe.sig > > This is an experimental installer for Windows including GPA as > graphical key manager and GpgEX as an Explorer extension. Please > de-install an already installed Gpg4win version before trying this > installer. This binary version has not been tested very well, thus it > is likely that you will run into problems. The complete source code > for the software included in this installer is in the same directory; > use the suffix ".tar.xz" instead of ".exe". > > Although several beta versions have been released over the course of > the last years, no extensive public field test has been done. Thus it > is likely that bugs will show up. Please check the mailing list > archives and the new wiki https://wiki.gnupg.org for latest > information on known problems and workaround. > > > Checking the Integrity > ====================== > > In order to check that the version of GnuPG which you are going to > install is an original and unmodified one, you can do it in one of > the following ways: > > * If you already have a version of GnuPG installed, you can simply > verify the supplied signature. For example to verify the signature > of the file gnupg-2.1.0.tar.bz2 you would use this command: > > gpg --verify gnupg-2.1.0.tar.bz2.sig > > This checks whether the signature file matches the source file. > You should see a message indicating that the signature is good and > made by one or more of the release signing keys. Make sure that > this is a valid key, either by matching the shown fingerprint > against a trustworthy list of valid release signing keys or by > checking that the key has been signed by trustworthy other keys. > See below for information on the signing keys. > > * If you are not able to use an existing version of GnuPG, you have > to verify the SHA-1 checksum. On Unix systems the command to do > this is either "sha1sum" or "shasum". Assuming you downloaded the > file gnupg-2.1.0.tar.bz2, you would run the command like this: > > sha1sum gnupg-2.1.0.tar.bz2 > > and check that the output matches the first line from the > following list: > > 2fcd0ca6889ef6cb59e3275e8411f8b7778c2f33 gnupg-2.1.0.tar.bz2 > 9907cb6509a0e63331b27a92e25c1ef956caaf3b gnupg-w32-2.1.0_20141105.exe > 28dc1365292c61fbb2bbae730d4158f425463c91 gnupg-w32-2.1.0_20141105.tar.xz > > > Release Signing Keys > ==================== > > To guarantee that a downloaded GnuPG version has not been tampered by > malicious entities we provide signature files for all tarballs and > binary versions. The keys are also signed by the long term keys of > their respective owners. Current releases are signed by one or more > of these four keys: > > 2048R/4F25E3B6 2011-01-12 > Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6 > Werner Koch (dist sig) > > rsa2048/E0856959 2014-10-29 > Key fingerprint = 46CC 7308 65BB 5C78 EBAB ADCF 0437 6F3E E085 6959 > David Shaw (GnuPG Release Signing Key) > > rsa2048/33BD3F06 2014-10-29 > Key fingerprint = 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06 > NIIBE Yutaka (GnuPG Release Key) > > rsa2048/7EFD60D9 2014-10-19 > Key fingerprint = D238 EA65 D64C 67ED 4C30 73F2 8A86 1B1C 7EFD 60D9 > Werner Koch (Release Signing Key) > > You may retrieve these files from the keyservers using this command > > gpg --recv-keys 249B39D24F25E3B6 04376F3EE0856959 \ > 2071B08A33BD3F06 8A861B1C7EFD60D9 > > The keys are also available at https://gnupg.org/signature_key.html > and in the released GnuPG tarball in the file g10/distsigkey.gpg . > Note that this mail has been signed using my standard PGP key. > > > Internationalization > ==================== > > This new branch of GnuPG has support for 4 languages: French, German, > Japanese, and Ukrainian. More translations can be expected with the > next point releases. > > > Documentation > ============= > > If you used GnuPG in the past you should read the description of > changes and new features at doc/whats-new-in-2.1.txt or online at > > https://gnupg.org/faq/whats-new-in-2.1.html > > The file gnupg.info has the complete user manual of the system. > Separate man pages are included as well but they have not all the > details available in the manual. It is also possible to read the > complete manual online in HTML format at > > https://gnupg.org/documentation/manuals/gnupg/ > > or in Portable Document Format at > > https://gnupg.org/documentation/manuals/gnupg.pdf . > > The chapters on gpg-agent, gpg and gpgsm include information on how > to set up the whole thing. You may also want search the GnuPG mailing > list archives or ask on the gnupg-users mailing lists for advise on > how to solve problems. Many of the new features are around for > several years and thus enough public knowledge is already available. > > > Support > ======= > > Please consult the archive of the gnupg-users mailing list before > reporting a bug . > We suggest to send bug reports for a new release to this list in favor > of filing a bug at . For commercial support > requests we keep a list of known service companies at: > > https://gnupg.org/service.html > > The driving force behind the development of GnuPG is the company of > its principal author, Werner Koch. Maintenance and improvement of > GnuPG and related software takes up most of their resources. To allow > him to continue this work he kindly asks to either purchase a support > contract, engage g10 Code for custom enhancements, or to donate money: > > https://gnupg.org/donate/ > > > Thanks > ====== > > We have to thank all the people who helped with this release, be it > testing, coding, translating, suggesting, auditing, administering the > servers, spreading the word, and answering questions on the mailing > lists. A final big Thank You goes to Hal Finney, who too early passed > away this year. Hal worked on PGP and helped to make OpenPGP a great > standard; it has been a pleasure having worked with him. > > > -- > Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. > > _______________________________________________ > GNU Announcement mailing list > https://lists.gnu.org/mailman/listinfo/info-gnu > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From dave at wiredthing.com Wed Dec 3 10:42:00 2014 From: dave at wiredthing.com (Dave English) Date: Wed, 3 Dec 2014 09:42:00 +0000 Subject: Problem compiling GnuPG 1.4.18 on OS X 10.10, was: Problem compiling GnuPG 2.1.0 on OS X 10.10 In-Reply-To: <547CC13E.9070707@hammernoch.net> References: <9D90696B-3792-4B64-90D2-09BD02E8010F__32846.578237559$1415357996$gmane$org@icloud.com> <545E5B23.6040309@enigmail.net> <58A4271A-6CA5-4C09-9F69-E8E91BF18864@wiredthing.com> <547CC13E.9070707@hammernoch.net> Message-ID: <23BA8236-DF37-454B-99BB-553DAD807754@wiredthing.com> Yes, no doubt, renaming /opt solves it. Cheers > On 1 Dec 2014, at 19:27, Ludwig H?gelsch?fer wrote: > > Signed PGP part > On 01.12.14 13:13, Dave English wrote: > > > I have though what looks like the same problem trying to build > > 1.4.18 from source on Mac OS X 10.10, according to the howto > > Version 4.26 (1 July 2014): > > > > http://macgpg.sourceforge.net/docs/howto-build-gpg-osx.txt.asc > > > > This fails for me with: > > > > gcc -arch x86_64 -Wall -Wno-pointer-sign -o gpg gpg.o > > build-packet.o compress.o compress-bz2.o free-packet.o getkey.o > > keydb.o keyring.o seskey.o kbnode.o mainproc.o armor.o mdfilter.o > > textfilter.o progress.o misc.o openfile.o keyid.o parse-packet.o > > status.o plaintext.o sig-check.o keylist.o signal.o cardglue.o > > tlv.o card-util.o app-openpgp.o iso7816.o apdu.o ccid-driver.o > > pkclist.o skclist.o pubkey-enc.o passphrase.o seckey-cert.o > > encr-data.o cipher.o encode.o sign.o verify.o revoke.o decrypt.o > > keyedit.o dearmor.o import.o export.o trustdb.o tdbdump.o tdbio.o > > delkey.o keygen.o pipemode.o helptext.o keyserver.o photoid.o > > exec.o ../cipher/libcipher.a ../mpi/libmpi.a ../util/libutil.a > > -liconv -lresolv ../intl/libintl.a -liconv -Wl,-framework > > -Wl,CoreFoundation -lz -lbz2 -L/opt/local/lib -lusb Undefined > > symbols for architecture x86_64: "_iconv", referenced from: > > _native_to_utf8 in libutil.a(strgutil.o) _utf8_to_native in > > libutil.a(strgutil.o) __nl_find_msg in libintl.a(dcigettext.o) > > "_iconv_close", referenced from: _native_to_utf8 in > > libutil.a(strgutil.o) _set_native_charset in libutil.a(strgutil.o) > > _utf8_to_native in libutil.a(strgutil.o) "_iconv_open", referenced > > from: _native_to_utf8 in libutil.a(strgutil.o) _set_native_charset > > in libutil.a(strgutil.o) _utf8_to_native in libutil.a(strgutil.o) > > __nl_find_msg in libintl.a(dcigettext.o) ld: symbol(s) not found > > for architecture x86_64 > > (...) > > > I?m not sure how to patch the make files suitably for a GnuPG > > version 1 build. > > Do you have software installed by fink, Macports or homebrew? If yes, > please rename the /opt (or wherever they install their binaries) > directory. After gpg1 is compiled, rename it back. > > Ludwig > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 495 bytes Desc: Message signed with OpenPGP using GPGMail URL: From kai at poeritz.de Wed Dec 3 12:38:32 2014 From: kai at poeritz.de (=?UTF-8?B?S2FpIFDDtnJpdHo=?=) Date: Wed, 03 Dec 2014 12:38:32 +0100 Subject: Is the OpenPGP card open hardware Message-ID: <547EF638.30406@poeritz.de> Hi folks, I hear a lot of poeple -saying- that the OpenPGP card is "open hardware". Now as much as I would like it to be just that, I can not find any reference about that claim to be true. I see a lot of online shops selling the OpenPGP card, but none of them claims the card to be open hardware. I am confused about what people -say- when i -talk- to them in personal and what I find as printed facts. E.g. A mecrchandise shop owner at "Linux Tag 2014 in Berlin" that also sold the OpenPGP cards said (that was his 1st and major selling point): "The thing is open hardware". So my questions are simply: 1) Is the OpenPGP card indeed open hardware? 2) If so, where can I read abaout the hardware layout and the firmware? 3) If not so, what makes the OpenPGP different from any other proprietary samrtcard? Thanks in advance -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: OpenPGP digital signature URL: From wk at gnupg.org Wed Dec 3 15:14:30 2014 From: wk at gnupg.org (Werner Koch) Date: Wed, 03 Dec 2014 15:14:30 +0100 Subject: Is the OpenPGP card open hardware In-Reply-To: <547EF638.30406@poeritz.de> ("Kai =?utf-8?Q?P=C3=B6ritz=22's?= message of "Wed, 03 Dec 2014 12:38:32 +0100") References: <547EF638.30406@poeritz.de> Message-ID: <87h9xcx1kp.fsf@vigenere.g10code.de> On Wed, 3 Dec 2014 12:38, kai at poeritz.de said: > I hear a lot of poeple -saying- that the OpenPGP card is "open hardware". Unfortunately this is not the case. However, I have not heard that claim. In case you mean the crypto-stick: Its hardware and the software seems to be free but the actual crypto of the stick is the very same chip from the "regualr" OpenPGP card. The stick is a card reader with a glued on card. The usual question is whether the software on the card is free - which is also not the case. If you want a free software implementation of the card, you need to go for gnuk (http://fsij.org/gnuk) but it does not use a dedicated smart card chip and thus the hardware and thus the keys are not protected from even simple attacks on the chip. > E.g. A mecrchandise shop owner at "Linux Tag 2014 in Berlin" that also > sold the OpenPGP cards said (that was his 1st and major selling point): > "The thing is open hardware". kernelconcepts? Did they really say that? > 1) Is the OpenPGP card indeed open hardware? No. > 2) If so, where can I read abaout the hardware layout and the firmware? Contact NXP or Zeitcontrol. > 3) If not so, what makes the OpenPGP different from any other > proprietary samrtcard? It works and is easy available. The specs are fully published, written with the goal to support OpenPGP, kept simple, and are used by a couple of other vendors (mostly for internal projects). Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From nicole.faerber at kernelconcepts.de Wed Dec 3 15:25:21 2014 From: nicole.faerber at kernelconcepts.de (Nicole Faerber) Date: Wed, 03 Dec 2014 15:25:21 +0100 Subject: Is the OpenPGP card open hardware In-Reply-To: <87h9xcx1kp.fsf@vigenere.g10code.de> References: <547EF638.30406@poeritz.de> <87h9xcx1kp.fsf@vigenere.g10code.de> Message-ID: <547F1D51.5030301@kernelconcepts.de> Am 03.12.2014 um 15:14 schrieb Werner Koch: > On Wed, 3 Dec 2014 12:38, kai at poeritz.de said: >> E.g. A mecrchandise shop owner at "Linux Tag 2014 in Berlin" that also >> sold the OpenPGP cards said (that was his 1st and major selling point): >> "The thing is open hardware". > > kernelconcepts? Did they really say that? I am pretty sure that we did not :) But we usually point out that _specification_ is open. > Salam-Shalom, > Werner Cheers nicole -- kernel concepts GmbH Tel: +49-271-771091-12 Sieghuetter Hauptweg 48 D-57072 Siegen http://www.kernelconcepts.de/ From sieutruc at gmail.com Wed Dec 3 16:31:26 2014 From: sieutruc at gmail.com (Sieu Truc) Date: Wed, 3 Dec 2014 16:31:26 +0100 Subject: GPG cannot evaluate the length of text file. Message-ID: Hello, I have a problem when i wanted to sign and encrypt a text file ( attached below) gpg--y --batch --passphrase "B6rDhgMDEqv0DscSdxe" -o 4481110.txt.pgp --textmode -r test1 --sign --encrypt 4481110.txt gpg2 --verbose --no-mdc-warning --verbose --y --batch --passphrase "B6rDhgMDEqv0DscSdxe" --list-packets 4481110.txt.pgp :pubkey enc packet: version 3, algo 1, keyid EA0DF160773268B0 data: [2041 bits] gpg: la cl? publique est 773268B0 gpg: utilisation de la sous-cl? 773268B0 ? la place de la cl? principale 7FD35007 gpg: donn?es chiffr?es par cl? publique: bonne cl? de chiffrement (DEK) :encrypted data packet: length: 491 mdc_method: 2 gpg: utilisation de la sous-cl? 773268B0 ? la place de la cl? principale 7FD35007 gpg: chiffr? avec une cl? de 2048 bits RSA, ID 773268B0, cr??e le 2014-07-02 ? T.A.FICP.30001 ? gpg: donn?es chiffr?es avec AES :compressed packet: algo=1 :onepass_sig packet: keyid EA0DF160773268B0 version 3, sigclass 0x01, digest 2, pubkey 1, last=1 :literal data packet: mode t (74), created 1417110768, name="4481110.txt", raw data: unknown length ( THE PROBLEM HERE ) As i know, if the file length is more than 5Gb, that problem appears. But this file has only 499b. Its weird. Can someone show me the problem ? Thanks in advance, Truc -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- 30002 0608 123456DXX25T02 Benef25 CLY 00287000001175870000000000054000VIREMENT REGLT0686 30002 0608 123456DXX25T03 Benef25 CLY 00287000001175870000000000012000VIREMENT REGLT0667 30002 0808 123456 0000000000078000 From wk at gnupg.org Wed Dec 3 20:12:14 2014 From: wk at gnupg.org (Werner Koch) Date: Wed, 03 Dec 2014 20:12:14 +0100 Subject: GPG cannot evaluate the length of text file. In-Reply-To: (Sieu Truc's message of "Wed, 3 Dec 2014 16:31:26 +0100") References: Message-ID: <874mtcwnsh.fsf@vigenere.g10code.de> On Wed, 3 Dec 2014 16:31, sieutruc at gmail.com said: > gpg2 --verbose --no-mdc-warning --verbose --y --batch --passphrase > :literal data packet: > mode t (74), created 1417110768, name="4481110.txt", > raw data: unknown length ( THE PROBLEM HERE ) Unknown length means that this packet uses partial length encoding because it does not know the length in advance and gpg always works in stream mode. > As i know, if the file length is more than 5Gb, that problem appears. It is not a problem, it is just a standard encoding. > But this file has only 499b. Its weird. You used the --textmode option to create the file and thus we hit this condition: /* Because the text_filter modifies the length of the * data, it is not possible to know the used length * without a double read of the file - to avoid that * we simple use partial length packets. */ if ( ptmode == 't' ) filesize = 0; Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From wk at gnupg.org Wed Dec 3 21:17:33 2014 From: wk at gnupg.org (Werner Koch) Date: Wed, 03 Dec 2014 21:17:33 +0100 Subject: GnuPG 2.1.0 "modern" released In-Reply-To: (Michael Felt's message of "Wed, 3 Dec 2014 11:40:50 +0100") References: <87ioisn1mo.fsf@vigenere.g10code.de> Message-ID: <87zjb4v676.fsf@vigenere.g10code.de> On Wed, 3 Dec 2014 11:40, aixtools at gmail.com said: > max. file descriptors: 2147483647 > > Is this perhaps a bug - at least for the test logic - because this is an > unusual number. And, is the test goinf to try an open that many file > descriptors? I ulimit will stop much earlier - also because it says the max > is 2000 not INT32_MAX! This test is t-exechelp.c which uses the function below from exechelp-posix.c: --8<---------------cut here---------------start------------->8--- /* Return the maximum number of currently allowed open file descriptors. Only useful on POSIX systems but returns a value on other systems too. */ int get_max_fds (void) { int max_fds = -1; #ifdef HAVE_GETRLIMIT struct rlimit rl; # ifdef RLIMIT_NOFILE if (!getrlimit (RLIMIT_NOFILE, &rl)) max_fds = rl.rlim_max; # endif # ifdef RLIMIT_OFILE if (max_fds == -1 && !getrlimit (RLIMIT_OFILE, &rl)) max_fds = rl.rlim_max; # endif #endif /*HAVE_GETRLIMIT*/ #ifdef _SC_OPEN_MAX if (max_fds == -1) { long int scres = sysconf (_SC_OPEN_MAX); if (scres >= 0) max_fds = scres; } #endif #ifdef _POSIX_OPEN_MAX if (max_fds == -1) max_fds = _POSIX_OPEN_MAX; #endif #ifdef OPEN_MAX if (max_fds == -1) max_fds = OPEN_MAX; #endif if (max_fds == -1) max_fds = 256; /* Arbitrary limit. */ return max_fds; } --8<---------------cut here---------------end--------------->8--- To return the number of possible open file descriptors. This is required to close all file descriptors after a fork and before the exec. Can you check which part of it is responsible for returning INT32_MAX? > nofiles(descriptors) 2000 I would have expected that HAVE_GETRLIMIT and RLIMIT_NOFILE are both defined in config.h because your ulimit seems to use it. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From aixtools at gmail.com Wed Dec 3 14:45:49 2014 From: aixtools at gmail.com (Michael Felt) Date: Wed, 3 Dec 2014 14:45:49 +0100 Subject: GnuPG 2.1.0 "modern" released In-Reply-To: References: <87ioisn1mo.fsf@vigenere.g10code.de> Message-ID: To debug the test I modified the function in ./common/exechelp-posix.c to fprintf to stderr the value of max_fds as it moves through the code. On AIX the code: if (!getrlimit (RLIMIT_NOFILE, &rl)) max_fds = rl.rlim_max; sets max_fds to INT32_MAX - so the tests for -1 fail. With only the printed debug - the logic runs: start: max_fds(hex):ffffffff lim_max: -1 RLIMIT_NOFILE: getrlimit():0 max_fds(hex):7fffffff lim_max:2147483647 _POSIX_OPEN_MAX: max_fds(hex):7fffffff lim_max: 20 OPEN_MAX: max_fds(hex):7fffffff lim_max:65534 return: max_fds(hex):7fffffff lim_max: 256 max. file descriptors: 2147483647 So, I guess we could take the smallest value we see... PASS: t-mapstrings PASS: t-zb32 start: max_fds:2147483647 RLIMIT_NOFILE: max_fds:2147483647 _SC_OPEN_MAX: max_fds: 65534 _POSIX_OPEN_MAX:max_fds: 20 OPEN_MAX: max_fds: 20 return: max_fds: 20 max. file descriptors: 20 start: max_fds:2147483647 RLIMIT_NOFILE: max_fds:2147483647 _SC_OPEN_MAX: max_fds: 65534 _POSIX_OPEN_MAX:max_fds: 20 OPEN_MAX: max_fds: 20 return: max_fds: 20 open file descriptors: 3 start: max_fds:2147483647 RLIMIT_NOFILE: max_fds:2147483647 _SC_OPEN_MAX: max_fds: 65534 _POSIX_OPEN_MAX:max_fds: 20 OPEN_MAX: max_fds: 20 return: max_fds: 20 start: max_fds:2147483647 RLIMIT_NOFILE: max_fds:2147483647 _SC_OPEN_MAX: max_fds: 65534 _POSIX_OPEN_MAX:max_fds: 20 OPEN_MAX: max_fds: 20 return: max_fds: 20 start: max_fds:2147483647 RLIMIT_NOFILE: max_fds:2147483647 _SC_OPEN_MAX: max_fds: 65534 _POSIX_OPEN_MAX:max_fds: 20 OPEN_MAX: max_fds: 20 return: max_fds: 20 start: max_fds:2147483647 RLIMIT_NOFILE: max_fds:2147483647 _SC_OPEN_MAX: max_fds: 65534 _POSIX_OPEN_MAX:max_fds: 20 OPEN_MAX: max_fds: 20 return: max_fds: 20 PASS: t-exechelp =================== All 14 tests passed =================== Patch (with debug disabled) - I expect you may want to think about the order of the comparisons in the t-exechelp logic. root at x065:[/data/prj/gnu/gcrypt/gnupg/gnupg-2.1.0]diff -u common/exechelp-posix.c /tmp/exechelp-posix.c --- common/exechelp-posix.c 2014-10-11 17:45:14 +0000 +++ /tmp/exechelp-posix.c 2014-12-03 13:41:43 +0000 @@ -76,44 +76,62 @@ int get_max_fds (void) { - int max_fds = -1; + int max_fds = INT32_MAX; + +#if 0 +fprintf(stderr,"start:\t\tmax_fds:%10d\n", max_fds); +#endif #ifdef HAVE_GETRLIMIT struct rlimit rl; # ifdef RLIMIT_NOFILE if (!getrlimit (RLIMIT_NOFILE, &rl)) max_fds = rl.rlim_max; +#if 0 +fprintf(stderr,"RLIMIT_NOFILE:\tmax_fds:%10d\n", max_fds); +#endif # endif # ifdef RLIMIT_OFILE - if (max_fds == -1 && !getrlimit (RLIMIT_OFILE, &rl)) - max_fds = rl.rlim_max; + if (!getrlimit (RLIMIT_OFILE, &rl)) + max_fds = (rl.rlim_max < max_fds) ? rl.rlim_max : max_fds; +#if 0 +fprintf(stderr,"RLIMIT_OFILE:\tmax_fds:%10d\n", max_fds); +#endif # endif #endif /*HAVE_GETRLIMIT*/ #ifdef _SC_OPEN_MAX - if (max_fds == -1) { long int scres = sysconf (_SC_OPEN_MAX); if (scres >= 0) - max_fds = scres; + max_fds = (scres < max_fds) ? scres : max_fds; +#if 0 +fprintf(stderr,"_SC_OPEN_MAX:\tmax_fds:%10d\n", max_fds); +#endif } #endif #ifdef _POSIX_OPEN_MAX - if (max_fds == -1) - max_fds = _POSIX_OPEN_MAX; + max_fds = (_POSIX_OPEN_MAX < max_fds) ? _POSIX_OPEN_MAX : max_fds; +#if 0 +fprintf(stderr,"_POSIX_OPEN_MAX:max_fds:%10d\n", max_fds); +#endif #endif #ifdef OPEN_MAX - if (max_fds == -1) - max_fds = OPEN_MAX; + max_fds = (OPEN_MAX < max_fds) ? OPEN_MAX : max_fds; +#if 0 +fprintf(stderr,"OPEN_MAX:\tmax_fds:%10d\n", max_fds); +#endif #endif - if (max_fds == -1) - max_fds = 256; /* Arbitrary limit. */ + max_fds = (max_fds > 256) ? 256 : max_fds; +#if 0 +fprintf(stderr,"return:\t\tmax_fds:%10d\n", max_fds); +#endif return max_fds; } On Wed, Dec 3, 2014 at 11:40 AM, Michael Felt wrote: > Hello, > > I am running "make check" and the process seems to stop after this line to > stdout > ... > CERT lookup on 'simon.josefsson.org' > Key found (33162 bytes) > PASS: t-dns-cert > PASS: t-mapstrings > PASS: t-zb32 > max. file descriptors: 2147483647 > > Is this perhaps a bug - at least for the test logic - because this is an > unusual number. And, is the test goinf to try an open that many file > descriptors? I ulimit will stop much earlier - also because it says the max > is 2000 not INT32_MAX! > > e.g. > stdint.h:#define INT32_MAX (2147483647) > > root at x065:[/]ulimit -a > time(seconds) unlimited > file(blocks) unlimited > data(kbytes) unlimited > stack(kbytes) 4194304 > memory(kbytes) unlimited > coredump(blocks) unlimited > nofiles(descriptors) 2000 > > > On Thu, Nov 6, 2014 at 10:01 AM, Werner Koch wrote: > >> Hello! >> >> The GnuPG Project is pleased to announce the availability of a >> new release: Version 2.1.0. >> >> The GNU Privacy Guard (GnuPG) is a complete and free implementation of >> the OpenPGP standard as defined by RFC-4880 and better known as PGP. >> >> GnuPG, also known as GPG, allows to encrypt and sign data and >> communication, features a versatile key management system as well as >> access modules for public key directories. GnuPG itself is a command >> line tool with features for easy integration with other applications. >> A wealth of frontend applications and libraries making use of GnuPG >> are available. Since version 2 GnuPG provides support for S/MIME and >> Secure Shell in addition to OpenPGP. >> >> GnuPG is Free Software (meaning that it respects your freedom). It can >> be freely used, modified and distributed under the terms of the GNU >> General Public License. >> >> Three different versions of GnuPG are actively maintained: >> >> - GnuPG "modern" (2.1) is the latest development with a lot of new >> features. This announcement is about the first release of this >> version. >> >> - GnuPG "stable" (2.0) is the current stable version for general use. >> This is what most users are currently using. >> >> - GnuPG "classic" (1.4) is the old standalone version which is most >> suitable for older or embedded platforms. >> >> You may not install "modern" (2.1) and "stable" (2.0) at the same >> time. However, it is possible to install "classic" (1.4) along with >> any of the other versions. >> >> >> What's New in GnuPG-2.1 >> ======================= >> >> - The file "secring.gpg" is not anymore used to store the secret >> keys. Merging of secret keys is now supported. >> >> - All support for PGP-2 keys has been removed for security reasons. >> >> - The standard key generation interface is now much leaner. This >> will help a new user to quickly generate a suitable key. >> >> - Support for Elliptic Curve Cryptography (ECC) is now available. >> >> - Commands to create and sign keys from the command line without any >> extra prompts are now available. >> >> - The Pinentry may now show the new passphrase entry and the >> passphrase confirmation entry in one dialog. >> >> - There is no more need to manually start the gpg-agent. It is now >> started by any part of GnuPG as needed. >> >> - Problems with importing keys with the same long key id have been >> addressed. >> >> - The Dirmngr is now part of GnuPG proper and also takes care of >> accessing keyserver. >> >> - Keyserver pools are now handled in a smarter way. >> >> - A new format for locally storing the public keys is now used. >> This considerable speeds up operations on large keyrings. >> >> - Revocation certificates are now created by default. >> >> - Card support has been updated, new readers and token types are >> supported. >> >> - The format of the key listing has been changed to better identify >> the properties of a key. >> >> - The gpg-agent may now be used on Windows as a Pageant replacement >> for Putty in the same way it is used for years on Unix as >> ssh-agent replacement. >> >> - Creation of X.509 certificates has been improved. It is now also >> possible to export them directly in PKCS#8 and PEM format for use >> on TLS servers. >> >> A detailed description of the changes can be found at >> https://gnupg.org/faq/whats-new-in-2.1.html . >> >> >> Getting the Software >> ==================== >> >> Please follow the instructions found at https://gnupg.org/download/ or >> read on: >> >> GnuPG 2.1.0 may be downloaded from one of the GnuPG mirror sites or >> direct from its primary FTP server. The list of mirrors can be found >> at https://gnupg.org/mirrors.html . Note that GnuPG is not available >> at ftp.gnu.org. >> >> On ftp.gnupg.org you find these files: >> >> ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.0.tar.bz2 (3039k) >> ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.0.tar.bz2.sig >> >> This is the GnuPG 2.1 source code compressed using BZIP2 and its >> OpenPGP signature. >> >> ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.0_20141105.exe (6225k) >> ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.0_20141105.exe.sig >> >> This is an experimental installer for Windows including GPA as >> graphical key manager and GpgEX as an Explorer extension. Please >> de-install an already installed Gpg4win version before trying this >> installer. This binary version has not been tested very well, thus it >> is likely that you will run into problems. The complete source code >> for the software included in this installer is in the same directory; >> use the suffix ".tar.xz" instead of ".exe". >> >> Although several beta versions have been released over the course of >> the last years, no extensive public field test has been done. Thus it >> is likely that bugs will show up. Please check the mailing list >> archives and the new wiki https://wiki.gnupg.org for latest >> information on known problems and workaround. >> >> >> Checking the Integrity >> ====================== >> >> In order to check that the version of GnuPG which you are going to >> install is an original and unmodified one, you can do it in one of >> the following ways: >> >> * If you already have a version of GnuPG installed, you can simply >> verify the supplied signature. For example to verify the signature >> of the file gnupg-2.1.0.tar.bz2 you would use this command: >> >> gpg --verify gnupg-2.1.0.tar.bz2.sig >> >> This checks whether the signature file matches the source file. >> You should see a message indicating that the signature is good and >> made by one or more of the release signing keys. Make sure that >> this is a valid key, either by matching the shown fingerprint >> against a trustworthy list of valid release signing keys or by >> checking that the key has been signed by trustworthy other keys. >> See below for information on the signing keys. >> >> * If you are not able to use an existing version of GnuPG, you have >> to verify the SHA-1 checksum. On Unix systems the command to do >> this is either "sha1sum" or "shasum". Assuming you downloaded the >> file gnupg-2.1.0.tar.bz2, you would run the command like this: >> >> sha1sum gnupg-2.1.0.tar.bz2 >> >> and check that the output matches the first line from the >> following list: >> >> 2fcd0ca6889ef6cb59e3275e8411f8b7778c2f33 gnupg-2.1.0.tar.bz2 >> 9907cb6509a0e63331b27a92e25c1ef956caaf3b gnupg-w32-2.1.0_20141105.exe >> 28dc1365292c61fbb2bbae730d4158f425463c91 gnupg-w32-2.1.0_20141105.tar.xz >> >> >> Release Signing Keys >> ==================== >> >> To guarantee that a downloaded GnuPG version has not been tampered by >> malicious entities we provide signature files for all tarballs and >> binary versions. The keys are also signed by the long term keys of >> their respective owners. Current releases are signed by one or more >> of these four keys: >> >> 2048R/4F25E3B6 2011-01-12 >> Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6 >> Werner Koch (dist sig) >> >> rsa2048/E0856959 2014-10-29 >> Key fingerprint = 46CC 7308 65BB 5C78 EBAB ADCF 0437 6F3E E085 6959 >> David Shaw (GnuPG Release Signing Key) >> >> rsa2048/33BD3F06 2014-10-29 >> Key fingerprint = 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06 >> NIIBE Yutaka (GnuPG Release Key) >> >> rsa2048/7EFD60D9 2014-10-19 >> Key fingerprint = D238 EA65 D64C 67ED 4C30 73F2 8A86 1B1C 7EFD 60D9 >> Werner Koch (Release Signing Key) >> >> You may retrieve these files from the keyservers using this command >> >> gpg --recv-keys 249B39D24F25E3B6 04376F3EE0856959 \ >> 2071B08A33BD3F06 8A861B1C7EFD60D9 >> >> The keys are also available at https://gnupg.org/signature_key.html >> and in the released GnuPG tarball in the file g10/distsigkey.gpg . >> Note that this mail has been signed using my standard PGP key. >> >> >> Internationalization >> ==================== >> >> This new branch of GnuPG has support for 4 languages: French, German, >> Japanese, and Ukrainian. More translations can be expected with the >> next point releases. >> >> >> Documentation >> ============= >> >> If you used GnuPG in the past you should read the description of >> changes and new features at doc/whats-new-in-2.1.txt or online at >> >> https://gnupg.org/faq/whats-new-in-2.1.html >> >> The file gnupg.info has the complete user manual of the system. >> Separate man pages are included as well but they have not all the >> details available in the manual. It is also possible to read the >> complete manual online in HTML format at >> >> https://gnupg.org/documentation/manuals/gnupg/ >> >> or in Portable Document Format at >> >> https://gnupg.org/documentation/manuals/gnupg.pdf . >> >> The chapters on gpg-agent, gpg and gpgsm include information on how >> to set up the whole thing. You may also want search the GnuPG mailing >> list archives or ask on the gnupg-users mailing lists for advise on >> how to solve problems. Many of the new features are around for >> several years and thus enough public knowledge is already available. >> >> >> Support >> ======= >> >> Please consult the archive of the gnupg-users mailing list before >> reporting a bug . >> We suggest to send bug reports for a new release to this list in favor >> of filing a bug at . For commercial support >> requests we keep a list of known service companies at: >> >> https://gnupg.org/service.html >> >> The driving force behind the development of GnuPG is the company of >> its principal author, Werner Koch. Maintenance and improvement of >> GnuPG and related software takes up most of their resources. To allow >> him to continue this work he kindly asks to either purchase a support >> contract, engage g10 Code for custom enhancements, or to donate money: >> >> https://gnupg.org/donate/ >> >> >> Thanks >> ====== >> >> We have to thank all the people who helped with this release, be it >> testing, coding, translating, suggesting, auditing, administering the >> servers, spreading the word, and answering questions on the mailing >> lists. A final big Thank You goes to Hal Finney, who too early passed >> away this year. Hal worked on PGP and helped to make OpenPGP a great >> standard; it has been a pleasure having worked with him. >> >> >> -- >> Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. >> >> _______________________________________________ >> GNU Announcement mailing list >> https://lists.gnu.org/mailman/listinfo/info-gnu >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: From sieutruc at gmail.com Wed Dec 3 22:59:14 2014 From: sieutruc at gmail.com (Sieu Truc) Date: Wed, 3 Dec 2014 22:59:14 +0100 Subject: GPG cannot evaluate the length of text file. In-Reply-To: <874mtcwnsh.fsf@vigenere.g10code.de> References: <874mtcwnsh.fsf@vigenere.g10code.de> Message-ID: I read some articles about partial length encoding. But i don't really understand how gpg can determine when to use partial length encoding or other methods (one octet, 2 octets, 4 octets) To be clear, in the file attached above, if i remove one line or reduce the length of data just a bit, i get the section ":signature packet: algo 1, keyed F1B3EC4859B360A7' and gpg is able to detect data length. So how can i deactivate "partial length encoding" because i want to get the information in "signature packet" for my application. Regards, Truc On Wed, Dec 3, 2014 at 8:12 PM, Werner Koch wrote: > On Wed, 3 Dec 2014 16:31, sieutruc at gmail.com said: > > > gpg2 --verbose --no-mdc-warning --verbose --y --batch --passphrase > > :literal data packet: > > mode t (74), created 1417110768, name="4481110.txt", > > raw data: unknown length ( THE PROBLEM HERE ) > > Unknown length means that this packet uses partial length encoding > because it does not know the length in advance and gpg always works in > stream mode. > > > As i know, if the file length is more than 5Gb, that problem appears. > > It is not a problem, it is just a standard encoding. > > > But this file has only 499b. Its weird. > > You used the --textmode option to create the file and thus we hit this > condition: > > /* Because the text_filter modifies the length of the > * data, it is not possible to know the used length > * without a double read of the file - to avoid that > * we simple use partial length packets. */ > if ( ptmode == 't' ) > filesize = 0; > > > Shalom-Salam, > > Werner > > > -- > Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From sieutruc at gmail.com Wed Dec 3 23:04:59 2014 From: sieutruc at gmail.com (Sieu Truc) Date: Wed, 3 Dec 2014 23:04:59 +0100 Subject: GPG cannot evaluate the length of text file. In-Reply-To: <874mtcwnsh.fsf@vigenere.g10code.de> References: <874mtcwnsh.fsf@vigenere.g10code.de> Message-ID: I read some articles about partial length encoding. But i don't really understand how gpg can determine when to use partial length encoding or other methods (one octet, 2 octets, 4 octets) To be clear, in the file attached above, if i remove one line or reduce the length of data just a bit, i get the section ":signature packet: algo 1, keyed F1B3EC4859B360A7' and gpg is able to detect data length. So how can i deactivate "partial length encoding" because i want to get the information in "signature packet" for my application. Regards, Truc On Wed, Dec 3, 2014 at 8:12 PM, Werner Koch wrote: > On Wed, 3 Dec 2014 16:31, sieutruc at gmail.com said: > > > gpg2 --verbose --no-mdc-warning --verbose --y --batch --passphrase > > :literal data packet: > > mode t (74), created 1417110768, name="4481110.txt", > > raw data: unknown length ( THE PROBLEM HERE ) > > Unknown length means that this packet uses partial length encoding > because it does not know the length in advance and gpg always works in > stream mode. > > > As i know, if the file length is more than 5Gb, that problem appears. > > It is not a problem, it is just a standard encoding. > > > But this file has only 499b. Its weird. > > You used the --textmode option to create the file and thus we hit this > condition: > > /* Because the text_filter modifies the length of the > * data, it is not possible to know the used length > * without a double read of the file - to avoid that > * we simple use partial length packets. */ > if ( ptmode == 't' ) > filesize = 0; > > > Shalom-Salam, > > Werner > > > -- > Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From faramir.cl at gmail.com Wed Dec 3 22:34:40 2014 From: faramir.cl at gmail.com (Faramir) Date: Wed, 03 Dec 2014 18:34:40 -0300 Subject: Keysigning In-Reply-To: <547D9A2E.30802@robinmathewrajan.com> References: <547D77E1.8040100@robinmathewrajan.com> <547D87D2.2020209@gbenet.com> <547D9A2E.30802@robinmathewrajan.com> Message-ID: <547F81F0.8090906@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 El 02-12-2014 a las 7:53, Robin Mathew Rajan escibi?: > Hello David, :) > > I already uploaded my public key to a public key server some months > ago. But there's no local Linux users group where I live! I sent > emails to some people listed at biglumber.com with my Government > issued ID card attached. But no reply came from them. :( Some of > them are CACert Assurers! CAcert requires face to face meetings, since we (yes, I'm an assurer) must check the government issued ID and try to figure out if it has been tampered. Then we must compare the picture with your face, to make sure you are you, and not someone else with your ID. But the purpose of getting a signature in your key is to: 1.- allow the person that issues the signature to trust your key validity. 2.- allow people trusting the signature issuer's judgement to trust your key validity. So, if you get CAcert's signature, it allows people trusting CAcert procedures to consider your key as valid, but it won't have any meaning for people that doesn't trust CAcert. Several persons in this list falls in that category. A signature from a local linux users group would mean nothing to me, since I don't know any of them, and I don't know what kind of validation they do before signing a key. In other words, you want signatures, but not just any signature, you want signatures that have some meaning for the people that will be exchanging messages with you. I know when I first made my key, I wanted it signed, as if it was some kind of autograph book, but after a while you realize it just increases the key's weight. Nothing to worry too much about, since while you can't remove signatures from keyservers (and you can't prevent somebody from fetching your key from a keyserver, signing it with 200 bogus keys, and uploading it again), you can still clear your local copy of your key, and send it by email to one of your friends. And your friends can also fetch your key and clean it from all the meaningless signatures it may have (meaningless to them, as I said, it depends on each person). For some uses, I could use a key carrying only a nickname, and exchange signatures with my gaming alliance, and that would be OK, since I won't be exchanging any world domination plan with them. If I were working with a customer that is a representative of a bank, and I had to email him the user and password for the server I just setup for them, I'd require a face to face meeting to sign his key (and I wouldn't mind too much about what name is on the key, I'd care about the person that uses the key. If they key says "Barak Obama", I'd issue a local signature, so I can still use the signature to verify the key's validity, and I would not be vouching to the world the key belongs to "Barak Obama"). Or I could trust the signature already issued by my boss. By the way, that was just an example, probably any customer requesting me to give them the server login info would accept it in plain text over email, or maybe using whatsapp. If "paranoid", they may request the user name being sent by mail and the password by SMS. Yes, it's frustrating. Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCAAGBQJUf4HwAAoJEMV4f6PvczxAsxsH/1+hkZvznGKT4OERtKrygsRN XUOeXz3AOM0gZZZJ6S91tLvjz7aCqtjZGVZRx7mDq0IRXdvJ8enfuysyTgPpKPfM JNE23xF2e7D12lbJR9dfSPftruOd38HqN9kIOMtI1oXa28rAgBqfV0o04Gba8JlD HsOVCrd2y+E82Ozbf79xAP7Ckg57MSBkmULpwz2cgC2b7OagSYA9hmL8uMe23Ktl LdXq/y83AEsRxAM8Drd9hw/Wvqsj6AMarTvxOz5CZFdqs4q/5X1ZsLMM4acikC+r 8ydWH3shoefASam4kfHJhXMpNLhjUWxo4mX0dcqAcjMiZjTMaMqZyJRLUR/feh0= =QTn4 -----END PGP SIGNATURE----- From aixtools at gmail.com Thu Dec 4 00:01:32 2014 From: aixtools at gmail.com (Michael Felt) Date: Thu, 4 Dec 2014 00:01:32 +0100 Subject: GnuPG 2.1.0 "modern" released In-Reply-To: <87zjb4v676.fsf@vigenere.g10code.de> References: <87ioisn1mo.fsf@vigenere.g10code.de> <87zjb4v676.fsf@vigenere.g10code.de> Message-ID: I sent a possible patch. the value returned in rl is MAX_INT32, not -1. not sure if looking for the smallest value is what get max fds should be doing though. On Dec 3, 2014 9:20 PM, "Werner Koch" wrote: > On Wed, 3 Dec 2014 11:40, aixtools at gmail.com said: > > > max. file descriptors: 2147483647 > > > > Is this perhaps a bug - at least for the test logic - because this is an > > unusual number. And, is the test goinf to try an open that many file > > descriptors? I ulimit will stop much earlier - also because it says the > max > > is 2000 not INT32_MAX! > > This test is t-exechelp.c which uses the function below from > exechelp-posix.c: > > > --8<---------------cut here---------------start------------->8--- > /* Return the maximum number of currently allowed open file > descriptors. Only useful on POSIX systems but returns a value on > other systems too. */ > int > get_max_fds (void) > { > int max_fds = -1; > #ifdef HAVE_GETRLIMIT > struct rlimit rl; > > # ifdef RLIMIT_NOFILE > if (!getrlimit (RLIMIT_NOFILE, &rl)) > max_fds = rl.rlim_max; > # endif > > # ifdef RLIMIT_OFILE > if (max_fds == -1 && !getrlimit (RLIMIT_OFILE, &rl)) > max_fds = rl.rlim_max; > > # endif > #endif /*HAVE_GETRLIMIT*/ > > #ifdef _SC_OPEN_MAX > if (max_fds == -1) > { > long int scres = sysconf (_SC_OPEN_MAX); > if (scres >= 0) > max_fds = scres; > } > #endif > > #ifdef _POSIX_OPEN_MAX > if (max_fds == -1) > max_fds = _POSIX_OPEN_MAX; > #endif > > #ifdef OPEN_MAX > if (max_fds == -1) > max_fds = OPEN_MAX; > #endif > > if (max_fds == -1) > max_fds = 256; /* Arbitrary limit. */ > > return max_fds; > } > --8<---------------cut here---------------end--------------->8--- > > To return the number of possible open file descriptors. This is > required to close all file descriptors after a fork and before the exec. > Can you check which part of it is responsible for returning INT32_MAX? > > > nofiles(descriptors) 2000 > > I would have expected that HAVE_GETRLIMIT and RLIMIT_NOFILE are both > defined in config.h because your ulimit seems to use it. > > > Salam-Shalom, > > Werner > > -- > Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From 2014-667rhzu3dc-lists-groups at riseup.net Thu Dec 4 00:42:36 2014 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Wed, 3 Dec 2014 23:42:36 +0000 Subject: Keysigning In-Reply-To: <547EE230.4070405@sumptuouscapital.com> References: <547D77E1.8040100@robinmathewrajan.com> <547D87D2.2020209@gbenet.com> <547D9A2E.30802@robinmathewrajan.com> <547DAB1C.3040702@gbenet.com> <547DB0D3.9040708@robinmathewrajan.com> <1314912172.20141202234703@my_localhost> <547EE230.4070405@sumptuouscapital.com> Message-ID: <1452967468.20141203234236@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Wednesday 3 December 2014 at 10:13:04 AM, in , Kristian Fiskerstrand wrote: > This one means you should update your version of gnupg. > It was a bug back in 2.0.24 and 2.0.25 (and the 1.4 > versions released around the same time). Interesting, thank you. The error message was given by GnuPG 1.4.18, which is the newest 1.4 version I can see at . Is there a newer one elsewhere? - -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net CAUTION! - Beware of Warnings! -----BEGIN PGP SIGNATURE----- iPQEAQEKAF4FAlR/n/lXFIAAAAAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0 N0VDQTAzAAoJEKipC46tDG5pZbgD/Rpz8UhwefPbhNqhvMZy0cZ3P7frZUUwziQY DLbIAvi2GXnIvgxFy7+WbzdxF1gwM71ta9faVOdUuDmHOV6g+Xf5HEF0z+4QJ8y5 MvBJg4UWR4HC2QT9MjqJEv082mP4Wx6VLZEr5HppY3qXJDHptH3zdlCDV02iK8QV hBAgQ8SKiQF8BAEBCgBmBQJUf5/5XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRp b25zLm9wZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZB NUEwRjU2QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwwnsH/0GNpmNOL5nFAoLo ktQLqJrp+Yf509ZpjIfv3I3oUkZ0gi0r3bvz7cpnqjBcqgyjDrSyv6nFfG/2oGFO HgUBCXQ12p2+i7GVD3u0KSlcV1mHzEa9+N3txp2ow6WX5LDcfefDpVciYDWcMTaP o1/7nZrEH17iDKdZlDGN1Q10iiI0WBRqSeF3ZtfFUL3Pu+NuEHESp2+mwAjIdpNx dl1f2LekHAfC8yVUhJoUK6LE077G5K7q3l7pwmgaS9CXbBF1LNaC9L0Y9sRdKlm+ 0tM3fWrmYNIL1BPXX+n2f0WZX4WgCEzGlA1sEJ/cjNYC8/KGIik0vDD1oBrH7zXz Cr3zsxk= =Xsco -----END PGP SIGNATURE----- From 2014-667rhzu3dc-lists-groups at riseup.net Thu Dec 4 01:27:05 2014 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Thu, 4 Dec 2014 00:27:05 +0000 Subject: Different gpg.conf files for 1.4 and 2.1 Message-ID: <1957679723.20141204002705@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi Is there a way to get GnuPG 1.4 to use one gpg.conf file and GnuPG 2.1 to use a different gpg.conf file? (Other than state it on the command line every time.) Under Windows XP, in case it matters. Alternatively, can you include a line in a gpg.conf file that will be parsed by 2.1 and not by 1.4? What I am trying to do is use an RSA key that has an ECC signing subkey (newer) and an RSA signing subkey (older). The idea is that if I use GnuPG version 2.1 it will sign with both subkeys, but if I use version 1.4 it signs with just the RSA subkey. "local-user 0xMainKeyID" in gpg.conf gets me a signature from the RSA subkey if using 1.4 and a signature from the ECC subkey if using 2.1. "local-user 0xRSAsubKeyID!" gets me an RSA signature from both GnuPG versions. "local-user 0xECCsubKeyID!" gets me an ECC signature from 2.1 but freezes 1.4. - -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net Teamwork is essential - it allows you to blame someone else -----BEGIN PGP SIGNATURE----- iPQEAQEKAF4FAlR/qrJXFIAAAAAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0 N0VDQTAzAAoJEKipC46tDG5pJMAD+gMvE/Lk1THTYMkRTO/YMPK1Q3y2E7z3j/uN pNc58zIaEaRJGy0TOTzTK6rXCk0EMFkfetEXg0fSfEnimYfgWXuOGxdZGc2ZYH7D Z2TFmtySSwFezbPvQirY8yh6psFgAUdkXcxS+19esRSXur9MwG3+ykCeUeWXUYZI DzlZXDGriQF8BAEBCgBmBQJUf6qyXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRp b25zLm9wZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZB NUEwRjU2QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwqZ8H/iFWclshyk3W0DRz BfTayAtScmMGhnw5JUIf86w7mxT3MFj2HYgiCDOMWTIXgiPex4lMYkD2J+mVxFGp QH5zxWP++jwkrSuk/kC0PahB6BTrp2sxxoOmfDoRdzgWRxo4jSDGsfYpAfqNJqKJ QliR6POQv9tmhnk7+S1sCJX47+t936d2kbNquNbJndH1yPH5/xfDDz3KnFjvuUjQ cmzSGo5/dojIR7TKGNrXzxLeQYTTKsbrQtB/kY7/atAt79o4GfRX5NufPUHJ5b+r 7bx6BYyNCM4MRGiRmTm3CY8Eya2wL0PC87MfUmXI18t/UtLlnNDiI4+3ehAw9CYx tD215XM= =4TpO -----END PGP SIGNATURE----- From dkg at fifthhorseman.net Thu Dec 4 01:41:44 2014 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Wed, 03 Dec 2014 19:41:44 -0500 Subject: Different gpg.conf files for 1.4 and 2.1 In-Reply-To: <1957679723.20141204002705@my_localhost> References: <1957679723.20141204002705@my_localhost> Message-ID: <547FADC8.3010306@fifthhorseman.net> On 12/03/2014 07:27 PM, MFPA wrote: > Is there a way to get GnuPG 1.4 to use one gpg.conf file and GnuPG 2.1 > to use a different gpg.conf file? (Other than state it on the command > line every time.) Under Windows XP, in case it matters. gpg 2.1.0 will look for the following files in $GNUPGHOME and choose the first one it finds: gpg.conf-2.1.0 gpg.conf-2.1 gpg.conf-2 gpg.conf gpg 1.4.18 will do the same sort of search: gpg.conf-1.4.18 gpg.conf-1.4 gpg.conf-1 gpg.conf hth, --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 949 bytes Desc: OpenPGP digital signature URL: From 2014-667rhzu3dc-lists-groups at riseup.net Thu Dec 4 03:00:56 2014 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Thu, 4 Dec 2014 02:00:56 +0000 Subject: Different gpg.conf files for 1.4 and 2.1 In-Reply-To: <547FADC8.3010306@fifthhorseman.net> References: <1957679723.20141204002705@my_localhost> <547FADC8.3010306@fifthhorseman.net> Message-ID: <973075688.20141204020056@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Thursday 4 December 2014 at 12:41:44 AM, in , Daniel Kahn Gillmor wrote: > gpg 2.1.0 will look for the following files in > $GNUPGHOME and choose the first one it finds: > gpg.conf-2.1.0 > gpg.conf-2.1 > gpg.conf-2 > gpg.conf > gpg 1.4.18 will do the same sort of search: > gpg.conf-1.4.18 > gpg.conf-1.4 > gpg.conf-1 > gpg.conf That is really useful. Thank you. - -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net It's better to feed one cat than many mice -----BEGIN PGP SIGNATURE----- iPQEAQEKAF4FAlR/wF5XFIAAAAAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0 N0VDQTAzAAoJEKipC46tDG5pdDwEAMPgTZmonzyTM3rVq2EPnQslf+D9+gVWlJqw 2zLcy2jb4t/2e+UVBCifP2PrNt7hrtapkzT8Q5mj2wQbmZjYqrCkirBN03jT4Npv egfu1sVkgu9r4jSCC+0C1U5Z74UI91bSx6hOSCsi4OTeZkuTMzMajBe0sfVPfRgI 95My9iNZiQF8BAEBCgBmBQJUf8BeXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRp b25zLm9wZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZB NUEwRjU2QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwfwwH/0Q+8wYzy5IGu7K8 /IhbhN184Q6nGq03rSW/SpQPiMVjv0w0Ava4ajB8y7CLa4WDlXtGi/lUG/zPf0O8 cAA90n8O9V1iSwe5JDKbDWhIAujbNkJnA9fbAwAHlzQz7Gk2CzJexiswTQ4sQoj4 XpVgXpyMTOOYgMRrht0aOqh1v83GZtQbRJbXMbjmiArdkNVlavkwXzFEV16+js9o a9DCwL1fljveIt48p7evto32i0PNnGi8ji/K/C1/qZCeCdhNAi7/MROJ6r6CYSa9 06cxl/+Ps9DiqPn4E5AJidwZO4J5Q8uWnW/UB3TNRqtByQGA1TDCMvvva1GD1Vg8 OQoYRes= =r6Om -----END PGP SIGNATURE----- From shtrom at ssji.net Thu Dec 4 07:54:58 2014 From: shtrom at ssji.net (Olivier Mehani) Date: Thu, 4 Dec 2014 06:54:58 +0000 (UTC) Subject: Cannot sign (but can decrypt) after importing stub-keys from smart-card Message-ID: Hi all, I am using * gpg (GnuPG) 2.0.26 (2.0.26-1 [ArchLinux]), * the card reader integrated with the Broadcom BCM5880 subsystem on my laptop, * pcsclite 1.8.13-1 and ccid 1.4.18-1 (ArchLinux), * an already initialised OpenPGP card (from Kernel Concepts), * a fresh user account. I had to downgrade from GPG 2.1 to 2.0 to be able to create the stubs, as suggested on this ML to work around [0] (In short: --card-edit/fetch; --edit-key/trust; --refresh-keys; --card-status). $ gpg --list-key /home/omehani/.gnupg/pubring.gpg -------------------------------- pub 2048R/0xF012A6E298C66655 2009-05-11 uid [ultimate] Olivier Mehani [...] sub 2048R/0xE9566B9D0957D2D3 2013-01-24 [expires: 2015-01-24] sub 2048R/0xF12C167116C243A9 2013-01-24 [expires: 2015-01-24] [...] sub 2048R/0xB3B251E0CCFEA0EF 2013-09-12 [...] $ gpg --list-secret-key /home/omehani/.gnupg/secring.gpg -------------------------------- sec# 2048R/0xF012A6E298C66655 2009-05-11 uid Olivier Mehani [...] [...] ssb> 2048R/0xE9566B9D0957D2D3 2013-01-24 ssb> 2048R/0xF12C167116C243A9 2013-01-24 [...] ssb> 2048R/0xB3B251E0CCFEA0EF 2013-09-12 [...] (other keys edited out are not stubbed, and suffixed with '#') I can now decrypt messages $ gpg -er shtrom at ssji.net | gpg -d test ^D and get the expected output after a PIN request. gpg: encrypted with 2048-bit RSA key, ID 0xB3B251E0CCFEA0EF, created 2013-09-12 "Olivier Mehani " test Unfortunately I don't seem to be able to sign gpg --debug expert -s gpg: reading options from `/home/omehani/.gnupg/gpg.conf' gpg: secret key parts are not available gpg: no default secret key: Unusable secret key I have the following in my .gnupg/gpg.conf default-key 0xE9566B9D0957D2D3 keyserver x-hkp://sks.pkqs.net use-agent cert-digest-algo SHA256 default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed photo-viewer /usr/bin/display fixed-list-mode keyid-format 0xlong personal-digest-preferences SHA512 SHA384 SHA256 SHA224 default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed verify-options show-uid-validity list-options show-uid-validity sig-notation issuer-fpr at notations.openpgp.fifthhorseman.net=%g 0xE9566B9D0957D2D3 is the signature subkey on the card, but the same happens with 0xF012A6E298C66655 (master key, not on the card) as the default-key, or without any .gnupg/gpg.conf. What am I doing wrong? [0] https://bugs.g10code.com/gnupg/issue1759 -- Olivier Mehani PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE F5F9 F012 A6E2 98C6 6655 Confidentiality cannot be guaranteed on emails sent or received unencrypted. From wk at gnupg.org Thu Dec 4 08:36:41 2014 From: wk at gnupg.org (Werner Koch) Date: Thu, 04 Dec 2014 08:36:41 +0100 Subject: GPG cannot evaluate the length of text file. In-Reply-To: (Sieu Truc's message of "Wed, 3 Dec 2014 22:59:14 +0100") References: <874mtcwnsh.fsf@vigenere.g10code.de> Message-ID: <87tx1bvpbq.fsf@vigenere.g10code.de> On Wed, 3 Dec 2014 22:59, sieutruc at gmail.com said: > But i don't really understand how gpg can determine when to use partial > length encoding or other methods (one octet, 2 octets, 4 octets) Well, you need to read the code (g10/sign.c). > So how can i deactivate "partial length encoding" because i want to get > the information in "signature packet" for my application. Do not use the information provided by --list-packets - this is not a stable interface and only intended for debugging; it may change without notice. If you need to get the length of the signed data, use gpg --verify -o - file | wc -c Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From wk at gnupg.org Thu Dec 4 09:23:52 2014 From: wk at gnupg.org (Werner Koch) Date: Thu, 04 Dec 2014 09:23:52 +0100 Subject: SSH generic socket forwarding for gpg-agent In-Reply-To: <546248D5.9050509@monaco.cx> (Matthew Monaco's message of "Tue, 11 Nov 2014 10:35:17 -0700") References: <546248D5.9050509@monaco.cx> Message-ID: <87lhmnvn53.fsf@vigenere.g10code.de> On Tue, 11 Nov 2014 18:35, matt at monaco.cx said: > Does anyone have gpg-agent forwarding working with SSH's recent generic socket > forwarding? Does it still require socat on one end, because I've only been able > to specify a socket path on the left-hand side of the forwarding > specification Yes, it works for me. However, I tested it with the current development version of 2.1 which adds an extra features: --extra-socket NAME Also listen on native gpg-agent connections on the given socket. The intended use for this extra socket is to setup a Unix domain socket forwarding from a remote machine to this socket on the local machine. A gpg running on the remote machine may then connect to the local gpg-agent and use its private keys. This allows to decrypt or sign data on a remote machine without exposing the private keys to the remote machine. The documentation on how to use Unix domain sockets with ssh is a bit sparse. You probably want to use "-o StreamLocalBindUnlink=yes" when connecting to the remote host and you have to enable the forwarding features (look for Stream* options). Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From steve at sawczyn.com Thu Dec 4 18:41:40 2014 From: steve at sawczyn.com (Steven M. Sawczyn) Date: Thu, 4 Dec 2014 11:41:40 -0600 Subject: GPG and Outlook Message-ID: <02d901d00fe9$90501b70$b0f05250$@Sawczyn.com> I'm having trouble finding a really suitable way to get GPG and Outlook 2013 working together and would really appreciate some help. I know of two solutions and will outline the troubles I'm having with each below. GpgOl plugin (included with gpg4win) * Does not stay activated, I need to reactivate each time I launch Outlook 2013. * Does not allow me to clear sign a message, I can add an encrypted signed message to the clear text, but nine times out of ten, that's not what I want to do. * I have two Email accounts configured in Outlook and for some reason, GpgOL insists on encrypting to my other account even though that other account is not listed as a recipient anywhere in the message. Outlook Privacy plugin (beta 18) * Installation on Windows 8.1 is tricky because of how the plugin is signed (at least that's my limited understanding of it). * Plugin doesn't encrypt or sign until a message is actually sent so there's no way to really verify that it's working correctly until it's too late. * Many times I've chosen to encrypt a message only to find that the plugin sends the message unencrypted. * Plugin randomly seems to become deactivated. If anyone could help with any of this, I'd definitely appreciate it. As a stopgap solution, I've thought of possibly using the Windows clipboard to encrypt/decrypt, however, I can't find an easy way to do this with GPG4win either. Thanks in advance, Steve -------------- next part -------------- An HTML attachment was scrubbed... URL: From aheinecke at intevation.de Fri Dec 5 15:04:40 2014 From: aheinecke at intevation.de (Andre Heinecke) Date: Fri, 05 Dec 2014 15:04:40 +0100 Subject: GPG and Outlook In-Reply-To: <02d901d00fe9$90501b70$b0f05250$@Sawczyn.com> References: <02d901d00fe9$90501b70$b0f05250$@Sawczyn.com> Message-ID: <7627675.omMz0u8mnI@esus> Hi, On Thursday, December 04, 2014 11:41:40 AM Steven M. Sawczyn wrote: > GpgOl plugin (included with gpg4win) > * Does not stay activated, I need to reactivate each time I launch > Outlook 2013. Outlook decativates plugins when they are slow to load. As GpgOL pulls up gpg- agent and kleopatra on launch this might be the issue there. :-/ > * Does not allow me to clear sign a message, I can add an encrypted > signed message to the clear text, but nine times out of ten, that's not what > I want to do. Jep we had a long discussion about this. See http://wiki.gnupg.org/SignatureHandling feel free to comment there why this does not work in your use case. > * I have two Email accounts configured in Outlook and for some > reason, GpgOL insists on encrypting to my other account even though that > other account is not listed as a recipient anywhere in the message. Mmh, what we do there is ask outlook "Hey Outlook please give me the sender object for this mail" "Of that sender object can I have the SMTP address please" and then use this as encryption recipient. I'll try to look into this next time I start to work on GpgOL > If anyone could help with any of this, I'd definitely appreciate it. As a > stopgap solution, I've thought of possibly using the Windows clipboard to > encrypt/decrypt, however, I can't find an easy way to do this with GPG4win > either. Clipboard is definitely a good stopgap (until we can do a proper outlook >2010 plugin). Both Kleopatra (as of gpg4win-2.2.2) and GPA have Clipboard options in their menu. Kleopatra also offers the clipboard option through the system tray. If you configure it not to be hidden in the tray this should be "easy". Right Click on Kleopatra's icon -> Clipboard. Regards, Andre -- Andre Heinecke | ++49-541-335083-262 | http://www.intevation.de/ Intevation GmbH, Neuer Graben 17, 49074 Osnabr?ck | AG Osnabr?ck, HR B 18998 Gesch?ftsf?hrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 181 bytes Desc: This is a digitally signed message part. URL: From pelletier.thomas at gmail.com Fri Dec 5 14:47:13 2014 From: pelletier.thomas at gmail.com (Thomas Pelletier) Date: Fri, 05 Dec 2014 13:47:13 +0000 Subject: Changing key's passphrase in an automated way Message-ID: Hello everybody, I have seen this topic has been discussed a few times here and online, but I have not managed to reach a working solution. My goal is to be able to change a key's passphrase from a caller program, given its ID, the old passphrase and the new passphrase. My best shot is: echo -e "old_passpkey\nnew_passkey" | gpg --verbose --status-fd 2 --no-tty --homedir gpg_test --passphrase-fd 0 --batch --command-file cmds --edit-key 9C6BD0AC The cmds file contains the following: passwd save Here is what I have on my stderr: [GNUPG:] GET_LINE keyedit.prompt [GNUPG:] GOT_IT [GNUPG:] USERID_HINT F47798F49C6BD0AC My Key (My Key) < pelletier.thomas at gmail.com> [GNUPG:] NEED_PASSPHRASE F47798F49C6BD0AC F47798F49C6BD0AC 1 0 [GNUPG:] GOOD_PASSPHRASE [GNUPG:] NEED_PASSPHRASE_SYM 3 3 2 [GNUPG:] GET_LINE keyedit.prompt [GNUPG:] GOT_IT The key's passphrase does not change in the end. It seems to me that the second passphrase is never read. According to [1], "[--passphrase-fd] can only be used if only one passphrase is supplied". So how can I give it the two different passphrases? Thanks, Thomas [1] https://www.gnupg.org/documentation/manuals/gnupg/GPG-Esoteric-Options.html -- Thomas Pelletier -------------- next part -------------- An HTML attachment was scrubbed... URL: From pelletier.thomas at gmail.com Sat Dec 6 12:54:19 2014 From: pelletier.thomas at gmail.com (Thomas Pelletier) Date: Sat, 06 Dec 2014 11:54:19 +0000 Subject: Changing key's passphrase in an automated way References: Message-ID: On Sat Dec 06 2014 at 12:15:53 AM John Kennerson wrote: > > ECHO -e PASSWD\nOLDPASS\nNEWPASS\nSAVE|GPG --command-fd 0 --no-tty > --passphrase-repeat > 0 --status-fd 2 --verbose --edit-key 9C6BD0AC > Awesome! It did the trick with GPG 1.4. Thank you, Thomas -------------- next part -------------- An HTML attachment was scrubbed... URL: From 2014-667rhzu3dc-lists-groups at riseup.net Sat Dec 6 16:25:02 2014 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Sat, 6 Dec 2014 15:25:02 +0000 Subject: Signature-notation %-expandos expanding to strings of zeros Message-ID: <132369472.20141206152502@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi I have the following line in my gpg.conf to generate a signature notation:- sig-notation issuer-fpr at notations.openpgp.fifthhorseman.net=%g I noticed when verifying signatures in the last few days that the %g in my recent signatures is expanding to a string of zeros instead of the fingerprint of the signing key. I tested with an older key that has no ECC subkeys and still got the same. Then I added the following line to my gpg.conf and tried again:- sig-notation %%g at test.invalid=%g %%S at test.invalid=%S %%s at test.invalid=%s %%p at test.invalid=%p The resulting output was:- gpg: Signature notation: %%g at test.invalid= 0000000000000000000000000000000000000000 %S at test.invalid=0000000000000000 %s at test.invalid=00000000 %p at test.invalid=0000000000000000000000000000000000000000 In case it makes any difference, I am currently using Gnupg 2.1.1-beta35 on Windows XP. It works correctly if I sign using GnuPG 1.4.18. - -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net ETHERNET(n): device used to catch the Ether bunny -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJUgx/VXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwAAoJEGt8dM6zHyXwmvMH/AyFcb6WOD+sigLLZHc2vz6I bet6GOTARH1d3fPOoP1urayYJE+kV8sq4AxZV/b9lP+9FXMiscxzOixufzZ34GSK Da2T1NjYmmqgw1EF48sJhUqUYVg1fhQkosppmTgVY+5ixfcVQ5VY4zS1tpEupWqY NdpTAm9l4NKbyycqymZM0LSwLBiSHI/nnugLeTC5j+03rweZu1d2QzdY/HIZbRK4 XInbvSitcME6mtkmNyn1DysXg1gqC6z+yLQrbX6/jU7l3QQfR9MWzh6Gm4Kyda0J Ju4zNkre2PAGRpwF4B0F+bFyyysGRkinF3GRzcUgy+hm3+8YJANaAVpcy1dKNYiI vgQBFgoAZgUCVIMf3V8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMAAKCRAXErxGGvd45EiJAQAr08VajzAnywfvPx6McRPofYG3 tu9LxVGgeUSTvDSfOQEAqJojTE2ESIC/JizUHwVEBL8TguV6/OyykjWHy+N87Q4= =7cDR -----END PGP SIGNATURE----- From 2014-667rhzu3dc-lists-groups at riseup.net Sat Dec 6 16:56:11 2014 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Sat, 6 Dec 2014 15:56:11 +0000 Subject: "key algorithm" in GnuPG's signature verification output Message-ID: <455294707.20141206155611@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 When verifying a signature using GnuPG, it seems the line (eg):- textmode signature, digest algorithm SHA512 has become:- textmode signature, digest algorithm SHA512, key algorithm rsa2048 Unless I am mistaken, the key algorithm given is that of the primary key. I just wondered why not the subkey algorithm, where the signature was made using a signing subkey? I was slightly confused to read:- gpg: Signature made 06/12/2014 13:13:11 GMT Standard Time gpg: using EDDSA key 0x1712BC461AF778E4 gpg: using subkey 0x1712BC461AF778E4 instead of primary key 0x251BCCEB547B7194 gpg: Good signature from "MFPA" [ultimate] Primary key fingerprint: 1755 EFD8 AEDE E4AD 9198 90C5 251B CCEB 547B 7194 Subkey fingerprint: 33AC ED4E E913 4EEB DE6A 8506 1712 BC46 1AF7 78E4 gpg: binary signature, digest algorithm SHA512, key algorithm rsa2048 (My confusion was the second line saying "using EDDSA key" but the last line saying "key algorithm rsa2048".) - -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net The cure for anything is salt water - sweat, tears, or the sea. -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJUgycmXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwAAoJEGt8dM6zHyXwQqQH/jzr/Vgr++zkJOvaQIjhOmIh N0uBhpFgvRJzU07EkHPNpSICqeLAUohghGYDGNiX0oNL/RWIIhPvT1gemXxcXwwm u3gkd0B6fhvkGcJHjVqpg2yfQp+rQy0i5f1jj98WZRfkxMdQMOIhPe2ldwusIpP2 BbGTODpY4zntCBrRWnhSx/w5T0qZc+aj4PgMfikJG1ItkS7jnYXQ+vmW0QE1fLIh JZbW8m5z/8UAw8/mpY7CSYvrxonbBbSIYbE6tyFpzAhgxya5lpy73CJcSX6JAZ2I q8XV1BPoOJ2WQMZTWxokvt7+TkCSF9UowZIuV4T5ggA3XSclqXANp+llY6KrknyI vgQBFgoAZgUCVIMnMV8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMAAKCRAXErxGGvd45L+TAQBi4wcJs236JP4G/0y8fxAbuHh2 rudShpBAQOywBpZ9JwEARfLHj1cmqiBnnDcWzG3DVx/yNH/+oXpsxGoFj4vOywI= =UGQ0 -----END PGP SIGNATURE----- From gnupgpack at on.yourweb.de Sat Dec 6 20:32:42 2014 From: gnupgpack at on.yourweb.de (gnupgpacker) Date: Sat, 6 Dec 2014 20:32:42 +0100 Subject: Changing key's passphrase in an automated way In-Reply-To: References: Message-ID: <000f01d0118b$67854d20$368fe760$@on.yourweb.de> Hello, did try it too: Thomas' attempt gave me with Gpg-1.4.18: gpg: verwende Vertrauensmodell PGP [GNUPG:] GET_LINE keyedit.prompt [GNUPG:] GOT_IT [GNUPG:] USERID_HINT 5D4F1C79E62651B3 testpassw tester (44) [GNUPG:] NEED_PASSPHRASE 5D4F1C79E62651B3 5D4F1C79E62651B3 1 0 [GNUPG:] BAD_PASSPHRASE 5D4F1C79E62651B3 [GNUPG:] GET_LINE keyedit.prompt [GNUPG:] GOT_IT John's hint with ECHO -e PASSWD\nMyOldPassword\nMyNewPassword\nSAVE|GPG --command-fd 0 --no-tty --passphrase-repeat 0 --status-fd 2 --verbose --edit-key E62651B3 gave me just: gpg: verwende Vertrauensmodell PGP [GNUPG:] GET_LINE keyedit.prompt [GNUPG:] GOT_IT [GNUPG:] GET_LINE keyedit.prompt [GNUPG:] GOT_IT It seems that old password isn't accepted by batch cmd. Why? MyOldPassword is definitely correct and works if editing same test key for example with addkey !? Thanks, Chris > -----Original Message----- > From: Gnupg-users [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of > Thomas Pelletier > Sent: Saturday, December 06, 2014 12:54 PM > To: John Kennerson; gnupg-users at gnupg.org > Subject: Re: Changing key's passphrase in an automated way > > On Sat Dec 06 2014 at 12:15:53 AM John Kennerson > wrote: > > ECHO -e PASSWD\nOLDPASS\nNEWPASS\nSAVE|GPG --command-fd 0 --no-tty - > -passphrase-repeat > 0 --status-fd 2 --verbose --edit-key 9C6BD0AC > > > > Awesome! It did the trick with GPG 1.4. > > Thank you, > Thomas From tomofr at web.de Sun Dec 7 16:04:09 2014 From: tomofr at web.de (Tomo Ruby) Date: Sun, 07 Dec 2014 16:04:09 +0100 Subject: Mainkey with many subkeys?? Message-ID: <54846C69.2020606@web.de> Hey, after searching for a long time I finally decided to ask here: I wanted to create new keys and came across the following "problem": If I create a main key to certify and subkeys for everything else, won't there be dozens of subkeys on my main key after years of creating and revoking subkeys?? I'm not sure if I understood everything right but I learned that even revoked subkeys stay in the keyring and on the keyservers. Although this is the setup most tutorials recommend, nobody seems to have old subkeys on their main keys and I don't understand why not... Thanks in advance!! Tomo Ruby -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: OpenPGP digital signature URL: From dougb at dougbarton.email Sun Dec 7 22:11:12 2014 From: dougb at dougbarton.email (Doug Barton) Date: Sun, 07 Dec 2014 13:11:12 -0800 Subject: Mainkey with many subkeys?? In-Reply-To: <54846C69.2020606@web.de> References: <54846C69.2020606@web.de> Message-ID: <5484C270.2040106@dougbarton.email> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 12/7/14 7:04 AM, Tomo Ruby wrote: | I wanted to create new keys and came across the following | "problem": If I create a main key to certify and subkeys for | everything else, won't there be dozens of subkeys on my main key | after years of creating and revoking subkeys?? Why do you believe that you will be creating and revoking so many subkeys? Doug -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJUhMJvAAoJEFzGhvEaGryEFfAH/Rqbbs4A5oZQ3+AWXZz0aY33 vTSJ96/jq6PO1O7xCDPm4n0XycWidZLglKuc25Q0glMfDtju4TbtJ+QeVvOxcEyG 0PgRkI988dLgxlggKSKb1p/ewuYSGWnhgpOTbLYBPLqhzK+BCrvnF4sp2qsit7ST BfxdVHysILKPy+Mj3bpp+9iN6hWhiHzzH4vZ8I5iPgNb0cR4BUyFQBfuxunaW6Lq CKMyG04KOmg4EpAx+N64OIaOvC1A4bRExQhp+Jt/dYaDPM5yL9LRaK7bsPgFM1K+ /ynAe0onMjTfC+R5ss9ks/e9OvBVsZJTE/zghC2e45q/4LJzr/N6drNDsPjopXw= =kHOV -----END PGP SIGNATURE----- From kristian.fiskerstrand at sumptuouscapital.com Sun Dec 7 22:16:29 2014 From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand) Date: Sun, 07 Dec 2014 22:16:29 +0100 Subject: Mainkey with many subkeys?? In-Reply-To: <5484C270.2040106@dougbarton.email> References: <54846C69.2020606@web.de> <5484C270.2040106@dougbarton.email> Message-ID: <5484C3AD.1080407@sumptuouscapital.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 12/07/2014 10:11 PM, Doug Barton wrote: > On 12/7/14 7:04 AM, Tomo Ruby wrote: | I wanted to create new keys > and came across the following | "problem": If I create a main key > to certify and subkeys for | everything else, won't there be dozens > of subkeys on my main key | after years of creating and revoking > subkeys?? > > Why do you believe that you will be creating and revoking so many > subkeys? > Easiest example of this would probably be per-device signing keys and cellphone substitution. Although in my experience the number of subkeys are increasing more due to expiration of encryption subkeys and key rotation. Tomo: you'll find that my key have a few subkeys at least due to these practises. It doesn't provide any issue for either keyservers or to use more generally, but you are correct in that the information is retained. - -- - ---------------------------- Kristian Fiskerstrand Blog: http://blog.sumptuouscapital.com Twitter: @krifisk - ---------------------------- Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 - ---------------------------- Ab esse ad posse - From being to knowing -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJUhMOoAAoJEPw7F94F4Tags7MP/jWaZnwm9+nBTdwArWlb+/qt i5OGylJMuALpJl1J/pYgatMW7ia/gNmMQcR547UCd+gPrmbrKzbTwVPfse7ebb4e Ve7793/6VmE7YG/4y8KDvYV8zVypq4BcpPt3+8PS4MsTc9Le8zHvwEyCsPIB5+w1 tABPTwUgX6Hul6pN0FmUFUojbhuGK01Z1AVnpxzZBhH63It5nvsNkm0ZJnMxJb06 8ZaqsVcozDO7e4yg8qg6TiJtfyAlZwg3te+Jl2YJrK78ltxHUDHkX5fxghZ7cFdg 33lTyd6X+oj0Tlvijixm/PdCdg9OchukFTnSJgvGbAGR9BqZofaYSRu3Sl5XsErn AqqERhWy5r/ekM26P/q9jvFLJxIiCic1/knVo7YY6oEourGs4/kq/dTLRwm19T+3 goM+1Nf7chDPbqLfm5xaJOYDma3dkyNjVyMlQFw664LucrvlP3oTErqxU2LAJOrm fHnCEQO+nM+MqihinrI0mYRqZ3T4tSjAAg7QmgOGXmd73gXm3hRPwrG6gF1f7rWC ARlkzZRlVWl+Ewzg1WMgcSk2LItdnfEe6QhF9Uur73ip59XEVZxlaxswAHcnQrkW cpgRle2joIYlkg0uhWceUidP9xS4oDD4mv54KWpahMvroHv0GW8c2PHdLoEip4K/ hqK3EeQoayU1Wxrzh2NR =Gj8B -----END PGP SIGNATURE----- From rex.k at me.com Sun Dec 7 22:27:23 2014 From: rex.k at me.com (Rex Kneisley) Date: Sun, 07 Dec 2014 13:27:23 -0800 Subject: Error message when trying to run GPA in Debian Message-ID: <001301d01264$979d6a90$c6d83fb0$@me.com> Hello group, I have searched this problem on the web, but have not found a solution. It may be an easy fix or a known bug. I am running Debian 7.7 I have installed GNUPG version 2.1 (modern) I have also installed GPA successfully. (so it says) When I type "gpa" at the command line, I am greeted with: relocation error: gpa: symbol gpgme_op_spawn, version GPGME_1.1 not defined in file libgpgme.so.11 with link time reference Have I forgotten to set something in my path? Or is this a known bug? Rex -------------- next part -------------- An HTML attachment was scrubbed... URL: From duplicitymailinglist at mail.ru Sun Dec 7 23:01:55 2014 From: duplicitymailinglist at mail.ru (Duplicity Mailing List) Date: Sun, 07 Dec 2014 22:01:55 +0000 Subject: Mainkey with many subkeys?? In-Reply-To: <5484C3AD.1080407@sumptuouscapital.com> References: <54846C69.2020606@web.de> <5484C270.2040106@dougbarton.email> <5484C3AD.1080407@sumptuouscapital.com> Message-ID: <5484CE53.4080302@mail.ru> On 07/12/14 21:16, Kristian Fiskerstrand wrote: > On 12/07/2014 10:11 PM, Doug Barton wrote: >> On 12/7/14 7:04 AM, Tomo Ruby wrote: | I wanted to create new keys >> and came across the following | "problem": If I create a main key >> to certify and subkeys for | everything else, won't there be dozens >> of subkeys on my main key | after years of creating and revoking >> subkeys?? > >> Why do you believe that you will be creating and revoking so many >> subkeys? > > > Easiest example of this would probably be per-device signing keys and > cellphone substitution. Although in my experience the number of > subkeys are increasing more due to expiration of encryption subkeys > and key rotation. > > Tomo: you'll find that my key have a few subkeys at least due to these > practises. It doesn't provide any issue for either keyservers or to > use more generally, but you are correct in that the information is > retained. > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > Stupid question inbound:- If you make a bunch of subkeys, say, one for your phone, one for your desktop and one for your laptop, how does that work? I would assume if I send a piece of encrypted data to your laptop's subkey's public key and you were on your desktop, you'd have to go to your laptop to decrypt it, wouldn't you? Or am I missing something? From 2014-667rhzu3dc-lists-groups at riseup.net Mon Dec 8 00:31:03 2014 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Sun, 7 Dec 2014 23:31:03 +0000 Subject: Mainkey with many subkeys?? In-Reply-To: <5484CE53.4080302@mail.ru> References: <54846C69.2020606@web.de> <5484C270.2040106@dougbarton.email> <5484C3AD.1080407@sumptuouscapital.com> <5484CE53.4080302@mail.ru> Message-ID: <1039528598.20141207233103@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Sunday 7 December 2014 at 10:01:55 PM, in , Duplicity Mailing List wrote: > Stupid question inbound:- If you make a bunch of > subkeys, say, one for your phone, one for your desktop > and one for your laptop, how does that work? I would > assume if I send a piece of encrypted data to your > laptop's subkey's public key and you were on your > desktop, you'd have to go to your laptop to decrypt it, > wouldn't you? Or am I missing something? I suspect when Kristian said "per-device signing keys" the inference was that each device might have its own signing subkey but they would share the encryption subkey. I don't know what they meant by "cellphone substitution." However, I have seen previous discussions that suggested the use of different encryption keys on things like mobile phones, which would indeed mean going to your other device to decrypt. I think the assertion is that a key held on a mobile phone is possibly less secure. - -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net It is easy to propose impossible remedies. -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJUhONQXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwAAoJEGt8dM6zHyXwufoH/1ztMZ8/a4/dex4UBm5YrvyL KdiPTffEIVQN65eh3WOeK0xt385UDZse58YEuIjF58f8XfZ70fQlq/6MLaPBoetH LUb82QUG1GFaPQTaML/3mNTKl+S3F/zG+PDocftXVhKaPRogWg3/oFjIW2E2ESwG Z8ohZK22ALrrpF/R2RKy2UZlYeOWmAGANY8LOFxRwsE6fOZPIATeltrd7lCrhFCB LtB6GFXoCMrb6Rd8vCzHunfS7UmXzkNdGIfjLgW0rEZuiHyt+kJVfXbnbH+F5rRV QdwkdHlm7i1tW3Pvj9zGr6HnfzoyGCqN6/XxT2MIIrpTWTcEgZfuJ51GKCcYDB6I vgQBFgoAZgUCVITjWV8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMAAKCRAXErxGGvd45FFOAQA0w8/WoJ9tn0kVyO3n8txn1HrR AT1TpO5qV8pVmEp8WwEAgFrXm7W0JLm+36sMzkLD7UEb0cu6c0jKPshqj4a78gk= =qXiE -----END PGP SIGNATURE----- From ethansherriff at hotmail.co.uk Sun Dec 7 23:52:09 2014 From: ethansherriff at hotmail.co.uk (Ethan Sherriff) Date: Sun, 7 Dec 2014 22:52:09 +0000 Subject: Compiling GnuPG-2.1.0 on Mac OS X Yosemite (10.10.1) - Linking Errors Message-ID: Hello all, sorry if I?m on the wrong mailing list, I?m new to mailing-lists, this is my first. For a couple of weeks now, I?ve been trying to solve a linking error while building GnuPG-2.1.0 (modern). Make outputs: make[2]: Entering directory '/Users/Ethan/Documents/Programming/Third_Party_Software_and_Libraries/GnuPG/gnupg-2.1.0-build/g10' gcc -I/usr/local/include -I/usr/local/include -I/usr/local/include -g -O2 -Wall -Wno-pointer-sign -Wpointer-arith -o gpg2 gpg.o server.o build-packet.o compress.o compress-bz2.o free-packet.o getkey.o keydb.o keyring.o seskey.o kbnode.o mainproc.o armor.o mdfilter.o textfilter.o progress.o misc.o rmd160.o openfile.o keyid.o parse-packet.o cpr.o plaintext.o sig-check.o keylist.o pkglue.o ecdh.o pkclist.o skclist.o pubkey-enc.o passphrase.o decrypt.o decrypt-data.o cipher.o encrypt.o sign.o verify.o revoke.o keyedit.o dearmor.o import.o export.o migrate.o delkey.o keygen.o helptext.o keyserver.o call-dirmngr.o photoid.o call-agent.o trust.o trustdb.o tdbdump.o tdbio.o card-util.o exec.o ../kbx/libkeybox.a ../common/libcommon.a ../gl/libgnu.a ../common/libgpgrl.a -lz -lbz2 -L/usr/local/lib -lgcrypt -lgpg-error -L/usr/local/lib -lksba -lgpg-error -lassuan -L/usr/local/lib -lgpg-error -L/usr/local/lib -lgpg-error -L/usr/local/gnupg-2.1.0/lib -liconv ld: warning: ld: warning: ignoring file ../common/libgpgrl.a, file was built for archive which is not the architecture being linked (x86_64): ../common/libgpgrl.aignoring file ../gl/libgnu.a, file was built for archive which is not the architecture being linked (x86_64): ../gl/libgnu.a Undefined symbols for architecture x86_64: "_gnupg_rl_initialize", referenced from: _main in gpg.o I?ve tried: - Building everything as 32-bit (again compiles, but stops on same error). - Building in a folder that?s not the source directory (like you would with gcc). - Giving GnuPG and its dependancies a separate prefix (/usr/local/gnupg-2.1.0) - Forcing 64-bit compilation (CFLAGS=?-arch x86_64 -m64? and CXXFLAGS=?-arch x86_64 -m64? for ./configure and make), but the build fails earlier on. Any insights would be greatly appreciated, and if you would like I have a question on StackOverflow if you prefer to answer there. Ethan. -------------- next part -------------- An HTML attachment was scrubbed... URL: From 2014-667rhzu3dc-lists-groups at riseup.net Mon Dec 8 00:40:04 2014 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Sun, 7 Dec 2014 23:40:04 +0000 Subject: Mainkey with many subkeys?? In-Reply-To: <54846C69.2020606@web.de> References: <54846C69.2020606@web.de> Message-ID: <383313055.20141207234004@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Sunday 7 December 2014 at 3:04:09 PM, in , Tomo Ruby wrote: > If I create a main key to certify > and subkeys for everything else, won't there be dozens > of subkeys on my main key after years of creating and > revoking subkeys? When the subkey was coming up for expiry, wouldn't you just edit the expiry date? Unless the subkey was no longer fit-for-purpose because larger key size or new key algorithm were now recommended, in which case the newer recommendations might prompt you to generate a new main key as well. - -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net He who rests on his laurels wears them on wrong end. -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJUhOVWXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwAAoJEGt8dM6zHyXwF7cH/0GAgnfz5ZMcHgYEjjrByFiR faBRa63yrwjm2Iv7Fbyw1Aq+MoC4K9b3i6QgLp9Jd24QvoRR68r+48YzwF8vCSVX Tn5/1Xz/4mPljjAUrVFg2jpb7jiG1eF9sPoDeEsmWXMb8HHtEJO0dtYPGvI8/5NJ 7Efu8I3zMVHAgirfkXtF3JjStpVkKqo4gY2qIf2wMG649LtkO55aA/hGKL5XaJFl ZEx80060YjqHiECze++/GLJj5PfYX+6g0a6h7sHKVZnX5nySXl6uRGDrmt635/HB CZEB3VXo+05TQlevTePKUcW2YrW4Xdve5xR5A282ii093b7QxnAoMCqB+ikHtT+I vgQBFgoAZgUCVITlV18UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMAAKCRAXErxGGvd45BOhAQA42d3NS7QLs9hWx7KiAPGmRqFH fXH4163MabdMOQE6MQEABYQ4izuSQP2MZM0RJne2BFyLbQzu2g4LQwKG+stymAo= =fBLC -----END PGP SIGNATURE----- From mailinglists at gusnan.se Mon Dec 8 04:52:19 2014 From: mailinglists at gusnan.se (Andreas =?UTF-8?B?UsO2bm5xdWlzdA==?=) Date: Mon, 8 Dec 2014 04:52:19 +0100 Subject: Error message when trying to run GPA in Debian In-Reply-To: <001301d01264$979d6a90$c6d83fb0$@me.com> References: <001301d01264$979d6a90$c6d83fb0$@me.com> Message-ID: <20141208045219.696b1171@debian-workstation.lan> On Sun, 07 Dec 2014 13:27:23 -0800, Rex Kneisley wrote: >I am running Debian 7.7 > >I have installed GNUPG version 2.1 (modern) > >I have also installed GPA successfully. (so it says) > >When I type "gpa" at the command line, I am greeted with: > >relocation error: gpa: symbol gpgme_op_spawn, version GPGME_1.1 not >defined in file libgpgme.so.11 with link time reference > >Have I forgotten to set something in my path? Or is this a known bug? > Which version of gpgme11 are you using? I believe you'll need at least gpgme11 version 1.5.0 for that. -- Andreas R?nnquist mailinglists at gusnan.se gusnan at gusnan.se From tomofr at web.de Sun Dec 7 22:38:03 2014 From: tomofr at web.de (Tomo Ruby) Date: Sun, 07 Dec 2014 22:38:03 +0100 Subject: Mainkey with many subkeys?? In-Reply-To: <5484C3AD.1080407@sumptuouscapital.com> References: <54846C69.2020606@web.de> <5484C270.2040106@dougbarton.email> <5484C3AD.1080407@sumptuouscapital.com> Message-ID: <5484C8BB.4090902@web.de> On 12/07/2014 10:16 PM, Kristian Fiskerstrand wrote: > On 12/07/2014 10:11 PM, Doug Barton wrote: > >> Why do you believe that you will be creating and revoking so many >> subkeys? > > ...expiration of encryption subkeys > and key rotation. Hey, thanks for the answers so far! The most important reason for creating and revoking subkeys would indeed be the expiration of used ones. I know I could just set a new expiration date but most times it's recommended to use a key for two years at the longest. So if I start counting I end up like this: One subkey for authentication, one for signing and one for encryption. This makes three new keys every two years... -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: OpenPGP digital signature URL: From gnupgpacker at on.yourweb.de Mon Dec 8 10:12:39 2014 From: gnupgpacker at on.yourweb.de (gnupgpacker) Date: Mon, 8 Dec 2014 10:12:39 +0100 Subject: Mainkey with many subkeys?? In-Reply-To: <5484C3AD.1080407@sumptuouscapital.com> References: <54846C69.2020606@web.de> <5484C270.2040106@dougbarton.email> <5484C3AD.1080407@sumptuouscapital.com> Message-ID: <001e01d012c7$1d6a9320$583fb960$@on.yourweb.de> Kristian, I am a little bit confused about your key design ;) Main key has options SC. There is an active newer signing key S, so this will be always used for signing? And there are two active encryption keys E: GPG uses in my opinion only the key generated latest, isn't it? So how to desire which key is used? And what's about backward compatibility? Thanks for any hint, regards, Chris > -----Original Message----- > From: Gnupg-users [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of > Kristian Fiskerstrand > Sent: Sunday, December 07, 2014 10:16 PM > Tomo: you'll find that my key have a few subkeys at least due to these > practises. It doesn't provide any issue for either keyservers or to > use more generally, but you are correct in that the information is > retained. From pete at heypete.com Mon Dec 8 11:37:56 2014 From: pete at heypete.com (Pete Stephenson) Date: Mon, 8 Dec 2014 11:37:56 +0100 Subject: Mainkey with many subkeys?? In-Reply-To: <001e01d012c7$1d6a9320$583fb960$@on.yourweb.de> References: <54846C69.2020606@web.de> <5484C270.2040106@dougbarton.email> <5484C3AD.1080407@sumptuouscapital.com> <001e01d012c7$1d6a9320$583fb960$@on.yourweb.de> Message-ID: On Mon, Dec 8, 2014 at 10:12 AM, gnupgpacker wrote: > Kristian, > I am a little bit confused about your key design ;) > > Main key has options SC. > There is an active newer signing key S, so this will be always used for > signing? My understanding is that if you have multiple signing subkeys on one computer, GnuPG will use the most-recently-created signing subkey for signing messages by default. However, nothing stops you have from creating multiple signing subkeys and distributing these to your different devices (e.g. SubkeyA for your desktop, SubkeyB for your laptop, etc.). Since all these signing subkeys are bound to your main key, signatures generated by any of them are valid. Recipients who verify the signatures do not need to be aware of the existence of other subkeys, so long as the binding between the main key and the subkey used to sign the message exists. > And there are two active encryption keys E: > GPG uses in my opinion only the key generated latest, isn't it? Encryption subkeys are handled a bit differently. Typically GnuPG will encrypt messages to the recipient's most-recently-created encryption subkey. This makes per-device encryption subkeys a bit less practical. > So how to desire which key is used? You can specify a particular keyID by appending an exclamation point ( ! ) after the key ID, fingerprint, etc. See https://www.gnupg.org/documentation/manuals/gnupg/Specify-a-User-ID.html for details. As an example, I have a DSA main key with the ID 0xDA122186. When I generated it I also generated an ElGamal encryption subkey. Later, I generated RSA encryption and signing subkeys. If I sign a message, GnuPG will use the RSA signing subkey by default. If someone encrypts a message to me, they will encrypt a message to the RSA encryption subkey (as it is newer than the ElGamal one). If I wanted to force GnuPG to sign a message with my DSA main key instead of the RSA subkey, I could use the command "gpg --clearsign --armor -u DA122186!". Similarly, if someone wanted to force a message to be encrypted to my ElGamal subkey they could use "gpg --encrypt --armor -r 19DF6C14!" Cheers! -Pete > And what's about backward compatibility? > > Thanks for any hint, regards, Chris > > >> -----Original Message----- >> From: Gnupg-users [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of >> Kristian Fiskerstrand >> Sent: Sunday, December 07, 2014 10:16 PM >> Tomo: you'll find that my key have a few subkeys at least due to these >> practises. It doesn't provide any issue for either keyservers or to >> use more generally, but you are correct in that the information is >> retained. > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -- Pete Stephenson From kristian.fiskerstrand at sumptuouscapital.com Mon Dec 8 12:43:41 2014 From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand) Date: Mon, 08 Dec 2014 12:43:41 +0100 Subject: Mainkey with many subkeys?? In-Reply-To: <001e01d012c7$1d6a9320$583fb960$@on.yourweb.de> References: <54846C69.2020606@web.de> <5484C270.2040106@dougbarton.email> <5484C3AD.1080407@sumptuouscapital.com> <001e01d012c7$1d6a9320$583fb960$@on.yourweb.de> Message-ID: <54858EED.1060808@sumptuouscapital.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 12/08/2014 10:12 AM, gnupgpacker wrote: > Kristian, I am a little bit confused about your key design ;) Fair enough, > > Main key has options SC. There is an active newer signing key S, so > this will be always used for signing? Correct > > And there are two active encryption keys E: GPG uses in my opinion > only the key generated latest, isn't it? Normally yes, the reason there is currently two active is that I generate new encryption subkeys once a year, and we're now in overlap with one of them expiring at the end of this year. For users refreshing the keyring they will normally use the newest one already, but this overlap reduce the likelihood of unavailability due to expiry. > > So how to desire which key is used? > > And what's about backward compatibility? Backwards compatibility in which capacity? Encryption subkeys are well supported, signing subkeys are not supported by older versions of PGP, but people should not be using these versions anyways. > > Thanks for any hint, regards, Chris > > >> -----Original Message----- From: Gnupg-users >> [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Kristian >> Fiskerstrand Sent: Sunday, December 07, 2014 10:16 PM Tomo: >> you'll find that my key have a few subkeys at least due to these >> practises. It doesn't provide any issue for either keyservers or >> to use more generally, but you are correct in that the >> information is retained. > - -- - ---------------------------- Kristian Fiskerstrand Blog: http://blog.sumptuouscapital.com Twitter: @krifisk - ---------------------------- Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 - ---------------------------- Qui audet vincit Who dares wins -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJUhY7rAAoJEPw7F94F4Tag3yUQAICnV50KMARiBgGMlvEc7Lmt eck7/pO0h9VddCSWcMa05tsQOdyqN09n+usNiIbjQESIMMLu9SUVUxcj53SfWFan DYMSWr913m7jGrUGSJTeQmbEJn2O8yDqlNV7XYo0omJ+tz6aAbflwX4WG2dTkzLq mDb4RIEuf1og7tQe9yxEORr39wWO2hG/72jHur2xdMOjIX8MZ0OPgDy3Cc0Us7dh xjSk4OZ2kdWk18OS4P024CIb4dKKAs/zmUuWrlLhPSuzSaT+xfXAtPkLCFoAYsNA YeHcCJccpiFThtlgIVLHaDVydWjIk05R+kW28nIGLx9euOUJgDEp/M8hdsLmDB3f 8ersFiJMvgcrf/QjCqA3rnmeO1wuUl5cErkLIn0XexJwyhnvpZFa0xyqOJBXqyjd UZ4O7fM/2WGhH3tC+fzCP0AjLU69eCjs1ExO/83Pr3pu1Na09Ld4oQJXbCq+XveG 8OqsDzh16mgw70lckKMdYHoRytuQBQCXh4NHrSVHj//sw4I43MDsCR4HsVcuP4WW znm5hTB5FAekJ/Q7zL2oo0fr6Z51AIBw61aF4ex093gZo06E/w0YhDXnz8Yf/fdX 9PDNTn9NAl1/VAOmtG0QEzl2o+u3fvYGkqIhuu6dnpq7Z6d8nIYIv62wG5xCZHwb PHkPnqriZVGHD4Ozk6Dv =UNme -----END PGP SIGNATURE----- From kristian.fiskerstrand at sumptuouscapital.com Mon Dec 8 12:47:30 2014 From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand) Date: Mon, 08 Dec 2014 12:47:30 +0100 Subject: Mainkey with many subkeys?? In-Reply-To: <1039528598.20141207233103@my_localhost> References: <54846C69.2020606@web.de> <5484C270.2040106@dougbarton.email> <5484C3AD.1080407@sumptuouscapital.com> <5484CE53.4080302@mail.ru> <1039528598.20141207233103@my_localhost> Message-ID: <54858FD2.6000802@sumptuouscapital.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 12/08/2014 12:31 AM, MFPA wrote: > Hi > > > On Sunday 7 December 2014 at 10:01:55 PM, in > , Duplicity Mailing List wrote: > > >> Stupid question inbound:- If you make a bunch of subkeys, say, >> one for your phone, one for your desktop and one for your laptop, >> how does that work? I would assume if I send a piece of encrypted >> data to your laptop's subkey's public key and you were on your >> desktop, you'd have to go to your laptop to decrypt it, wouldn't >> you? Or am I missing something? > > I suspect when Kristian said "per-device signing keys" the > inference was that each device might have its own signing subkey > but they would share the encryption subkey. I don't know what they > meant by Well, in my case I wouldn't keep an encryption subkey on the mobile device at all. What would be nice to see is a scheme where the sender could specify a wanted confidentiality level , e.g. enum {public; confidential; classified} where two different encryption subkeys could be kept at the same time. The trusted device would keep both encryption subkeys but the mobilde device only the "confidential" one at a lower security expectation. That said, I'm not entirely sure that what we need for broader adoption is more complexity to the standard, but at the same time this would enable encryption more broadly on mobile devices. In my case though I'm mostly interested in digital signatures for the mobile device though. > "cellphone substitution." However, I have seen previous > discussions that suggested the use of different encryption keys on > things like The quality of cellphones and batteries these days at least means I'm switching phones once every two years or even more often. > mobile phones, which would indeed mean going to your other device > to decrypt. I think the assertion is that a key held on a mobile > phone is possibly less secure. Absolutely - -- - ---------------------------- Kristian Fiskerstrand Blog: http://blog.sumptuouscapital.com Twitter: @krifisk - ---------------------------- Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 - ---------------------------- Qui audet vincit Who dares wins -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJUhY/RAAoJEPw7F94F4Tag4eUQAIxcyzf/7fPIj7sq35xtgq48 IqIsWnMY+QNl+tokvKQyAFRTy71vvm00flhqWR4X3D96kxsEULP3N7v7Bm4wm7Xu jDP+xVhJHL3soUlD7Ss01xXqb0BkzIMSAc+V0B+x6RgnFi/bWj+muH3DeGNT5eXz oUZN6Ym/n2Y9cMxQCs/ISYbLa+v8Amki/FxOEj6NLb4akIhYpPQhBsU/tKKer1Ag 5Xgkm50xcRRx5jMLDDxOLXLRqSY3nXUHRTTHSC/gqFHUuD7WsxJJaL86cVqiT6oq FIgNWxkC+Mm3d85enUPGe1ZBF5sATb3GeICx7pwM6Cxf6xJYpLZ/cKNU+MTlFzEU UJbjyK7eq+YaV/bZTq2w0YeUc/DRmnmRIzdd6cP/7bUUfROvjneebVTI2NPEllUg P1IC7ohzkLpKm0D5r1qhh0uGsFhY42x4WkyInc98xkbY6sWgebsROnHFYGt36kGX rUrBRO5hqaRlgwAoLqM+RzGWLXU07jz2oFhJQr1U9457zNQ+JYpykBYoLCBv63aq Uc+EAJKTSq/RwwNegvXhaR7xUQDcqJuAZZxtGjtLUo3uYxWzz2Hlrq1ySjUeU4ws Q/wXUeVaxV3ArSIfI4Eq6uG7f+IuNyrYmzmt87NsU2n7UEORTzWgY+3lIZdf+Hv2 BMmxYLE5jzf7q5fuJ8kY =fzvf -----END PGP SIGNATURE----- From 2014-667rhzu3dc-lists-groups at riseup.net Mon Dec 8 14:02:09 2014 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Mon, 8 Dec 2014 13:02:09 +0000 Subject: FAQ - configuration file location on Windows Message-ID: <1765948833.20141208130209@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 From :- > 8.6 Where does GnuPG look for configuration options? > > GnuPG looks at a file called gpg.conf to determine various runtime > parameters. On UNIX systems this file can be found in ~/.gnupg. On > Windows systems it?s a bit more difficult to predict, but try: > > Windows XP > FIXME > Windows Vista > FIXME > Windows 7 > FIXME > Windows 8 > FIXME > I just read this, and for Windows systems would suggest it is not all that difficult to predict. I thought GnuPG places the gpg.conf file (and various other files) in %appdata%\GnuPG. That is what it has always done for me (on Windows XP). - -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net Never interrupt me when I'm trying to interrupt you. -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJUhaFUXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwAAoJEGt8dM6zHyXwJgUH/ivNvhEoB4ET6LgtUkTEFCvY MokemJUu7ihVLsClOb+ZKCsvEWllEJKAz0XxCfMfY9gTbg20JJ1LIhwIB5ccIGNL 3RszRiT8xGFjPulsGBy+jc3zrgPTF3hSWqTSf2hbBDBJwTvMoaXkTU+BF0geKVYu XEVCdE5TCow3AGJrtlDZ6B4yUTKjXazahblmh+Uzln4+78bTnM+O1RLATxgFyE63 Wotlu07TQ8MDNjRQJ2ssV2Y0qDfkLJKxucZrUicIkCY5nybWUVAgW9jV5OmnrEKx 7oaxdwW6B2KjpIUAUSiUqGTNTJMuZo29D7bs6if3qVNqiBnSE+GSPC9OIsASRiSI vgQBFgoAZgUCVIWhfV8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMAAKCRAXErxGGvd45GPPAQB2fxscXxtw/ICbfWRir6G1eSfI htKQQ2ifmzrV5hrGAwEA62WHS8CXxwgdenbn/qMN+77wkvbF7gIqQPvS7wvsuAI= =yFAx -----END PGP SIGNATURE----- From rex.k at me.com Mon Dec 8 15:52:10 2014 From: rex.k at me.com (Rex Kneisley) Date: Mon, 08 Dec 2014 06:52:10 -0800 Subject: Gnupg-users Digest, Vol 135, Issue 13 In-Reply-To: References: Message-ID: <000a01d012f6$8c29f880$a47de980$@me.com> On Sun, 07 Dec 2014 13:27:23 -0800, Rex Kneisley wrote: >>I am running Debian 7.7 >> >>I have installed GNUPG version 2.1 (modern) >> >>I have also installed GPA successfully. (so it says) >> >>When I type "gpa" at the command line, I am greeted with: >> >>relocation error: gpa: symbol gpgme_op_spawn, version GPGME_1.1 not >>defined in file libgpgme.so.11 with link time reference >> >>Have I forgotten to set something in my path? Or is this a known bug? >> >Which version of gpgme11 are you using? I believe you'll need at least >gpgme11 version 1.5.0 for that. Prior to installing gpa-0.9.5, I installed gpgme-1.5.2 (the latest version) From gnupgpacker at on.yourweb.de Mon Dec 8 16:28:49 2014 From: gnupgpacker at on.yourweb.de (gnupgpacker) Date: Mon, 8 Dec 2014 16:28:49 +0100 Subject: Mainkey with many subkeys?? In-Reply-To: <54858EED.1060808@sumptuouscapital.com> References: <54846C69.2020606@web.de> <5484C270.2040106@dougbarton.email> <5484C3AD.1080407@sumptuouscapital.com> <001e01d012c7$1d6a9320$583fb960$@on.yourweb.de> <54858EED.1060808@sumptuouscapital.com> Message-ID: <000701d012fb$a9f94000$fdebc000$@on.yourweb.de> Hello, > -----Original Message----- > From: Kristian Fiskerstrand > Sent: Monday, December 08, 2014 12:44 PM > >> Main key has options SC. There is an active newer signing key S, so >> this will be always used for signing? > Correct Why has the mainkey SC if signing is not used? Are there some compatibility reasons? >> And what's about backward compatibility? > Backwards compatibility in which capacity? Encryption subkeys are well > supported, signing subkeys are not supported by older versions of PGP, > but people should not be using these versions anyways. I am working on some new keypairs with backwards compatibility, pls see this thread: http://lists.gnupg.org/pipermail/gnupg-users/2014-December/051808.html Some corporate partners are still using older versions of Symantec's PGP with WinXP, mostly for intranet. Problems with signing keys are known, sometimes it works, sometimes not. It is very difficult to rate compatibility because Symantec's enterprise support (!) isn't be able to send me old PGP versions for testing. Compatibility seems to be depending on order of subkey creation: If encryption key is latest, it is working. If signing key is latest, mostly it is not working. DSA signing keys are only accepted if max 2048 bit!? If signing key is not the latest one and will be exchanged, it steps to last position => mostly not working. And so on... Best combination found so far: Example-keystructure: pub 4096R/97CA9679 erzeugt: 2014-11-22 verf?llt: niemals Aufruf: C Vertrauen: uneingeschr?nkt G?ltigkeit: uneingeschr?nkt sub 4096R/9D22119A erzeugt: 2014-11-22 verf?llt: 2016-11-21 Aufruf: A sub 2048D/37F05D01 erzeugt: 2014-11-22 verf?llt: 2016-11-21 Aufruf: S sub 4096R/884627F6 erzeugt: 2014-11-22 verf?llt: 2016-11-21 Aufruf: E [ unbek.] (1). vorname nachname (kommentar) Is there any possibility to change order of subkeys in keypair? Thanks for any hint, regards, Chris From kristian.fiskerstrand at sumptuouscapital.com Mon Dec 8 16:37:20 2014 From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand) Date: Mon, 08 Dec 2014 16:37:20 +0100 Subject: Mainkey with many subkeys?? In-Reply-To: <000701d012fb$a9f94000$fdebc000$@on.yourweb.de> References: <54846C69.2020606@web.de> <5484C270.2040106@dougbarton.email> <5484C3AD.1080407@sumptuouscapital.com> <001e01d012c7$1d6a9320$583fb960$@on.yourweb.de> <54858EED.1060808@sumptuouscapital.com> <000701d012fb$a9f94000$fdebc000$@on.yourweb.de> Message-ID: <5485C5B0.3060604@sumptuouscapital.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 12/08/2014 04:28 PM, gnupgpacker wrote: > Hello, > >> -----Original Message----- From: Kristian Fiskerstrand Sent: >> Monday, December 08, 2014 12:44 PM >> >>> Main key has options SC. There is an active newer signing key >>> S, so this will be always used for signing? >> Correct > > Why has the mainkey SC if signing is not used? Are there some > compatibility reasons? > This key will always be capable of signing by definition, but the reason it is not C only is that it was not generated with a signing subkey from the point of key generation, and the difference does not make any practical difference. Changing this would require a new self-signature limiting the use flags, but this is not worthwhile to do. - -- - ---------------------------- Kristian Fiskerstrand Blog: http://blog.sumptuouscapital.com Twitter: @krifisk - ---------------------------- Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 - ---------------------------- Veni vidi velcro I came, I saw, I got stuck -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJUhcWuAAoJEPw7F94F4TagYLoP+gK2l0QIsiO22z8zkcWNVkDN lPl2nWRdeUqPX+gfw2qNmum1wKKzBStyeqO9qat/UMXnM3n0tWHasFDhblTdWA02 bD6BGbp3dDFrDpGyupAe/LEmwHmEN8ey1RaiH/I/N167NwhQ0yOIiivLuwPVC1xG b7tKmCHhNW//XJCquHq/je0EAp8xIjlBB1u4EzDP9f809L2yFNuUf/g7S43oeI7e jEK8qPaLyrDo47yPfdKI7etCWN+lDqy2J2XpqkERtzOGqKPFbmfBuFT3l0fQ20V1 g8u390YCzscG0RjwQQj69HyIWXwCavRywc0EIleseJjlFMbjB45LmJAro5rKV0FH a5DLA3Lh5FRd417MMy+Fo07bZIt5XJ/TJzD0uyTl97pgqbrFgKW9jjkCJ9vWBvuN K9lfRe67O7EKLv11RFMo30RNl6XXY7lBZPI+XdUEz4QGSKKdfFdH04p24U6OOxaS aUKEGAQ2oNyhjD/fVR2prxbBZcShjz3N3gbytr9f/xmemPDQvWDRZdEAeRQdAMRr nrN3fXCo/7aX2u66RxeTO1dM3eGky72rZKTKRhNL0B7V4JDylZjzy8AA4aahqzW5 /zWLPxPQMCnQohGWQlDHoTNGnWXn5/ZxcGnSd09sqsNBf8yDFxSHwgd6L6qzlDxj UxdkJC1hWUDtH/Wn4yLI =kD/3 -----END PGP SIGNATURE----- From brian at minton.name Mon Dec 8 16:58:40 2014 From: brian at minton.name (Brian Minton) Date: Mon, 8 Dec 2014 10:58:40 -0500 Subject: Mainkey with many subkeys?? In-Reply-To: <54846C69.2020606@web.de> References: <54846C69.2020606@web.de> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 I recently created a key, with a RSA 4096-bit main key (certify only) and 4 subkeys: one DSA for signing, and one ELGamal for encryption, for communicating with people who I don't know are using ECC, and one each of ED25519 and nistp384 for people who are. The cool thing is that since the dates on the ECC keys are newer, gpg 2.1 and other versions that are able to use those keys will do so automatically, while gpg and other openpgp implementations which don't support ECC will basically ignore those subkeys and use the DSA/ELGamal ones. When signing a message I often just use both signing capable subkeys, so everyone will be able to check the signature. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iF4EARYIAAYFAlSFyo0ACgkQN7lQes/yAW6XdwEAb4v/EiN48ehUWcFUZKvF4KwX HJfLRpusl/4A1ATh8osBAAm1lNgtL0ndrj3XkVDoiQ530ajzExpEW2+xkVxtw+AP iF4EAREIAAYFAlSFyo0ACgkQa46zoGXPuqkBEQEAgh+WbK4ceIKPFza4/jTVd+e0 Zh2+3fAxCrSl+u0w43oA/Avh12SFRpQddXRNnDoQ+sDyifiVOoCLIcktoy5S9Nxb =3F/i -----END PGP SIGNATURE----- From 2014-667rhzu3dc-lists-groups at riseup.net Mon Dec 8 17:18:30 2014 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Mon, 8 Dec 2014 16:18:30 +0000 Subject: Mainkey with many subkeys?? In-Reply-To: <5485C5B0.3060604@sumptuouscapital.com> References: <54846C69.2020606@web.de> <5484C270.2040106@dougbarton.email> <5484C3AD.1080407@sumptuouscapital.com> <001e01d012c7$1d6a9320$583fb960$@on.yourweb.de> <54858EED.1060808@sumptuouscapital.com> <000701d012fb$a9f94000$fdebc000$@on.yourweb.de> <5485C5B0.3060604@sumptuouscapital.com> Message-ID: <164339835.20141208161830@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Monday 8 December 2014 at 3:37:20 PM, in , Kristian Fiskerstrand wrote: > Changing this would require a new > self-signature limiting the use flags, but this is not > worthwhile to do. Is there a method to do this within GnuPG? I have not heard of a way to reduce the number of capability flags. And the only way I know to add capabilities is to add subkeys. - -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net A bird in the hand makes it awfully hard to blow your nose -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJUhc9oXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwAAoJEGt8dM6zHyXwxyAH/A9jXqJGJHfDWQrMSKRdsDDD tjKx69IAGN49W7j+t4pm5AcKLgf5DTalgvk4sKAHoj2qZOxnLS4oDOBwu7r5Bkgr f40aiUja+LjyGP5RFOe2gOgJ55EL4eQoTLdL++f7PkS9Je6qbEBq0m0jDte9BjwA sJ969Z6A0Kw4falInKRPe87jfr/7ri36Fhe15q5SL2UtjyuwWjceHxa9MXQSr4fl 1shXh1fCIROp56lERAA8c5cxYWlTz/2lTdrdjadyoWpCIz2XdcSpwLV2P2xLmf9A GFSGONwAlnr1kG7Bj1P6WpypcqtDxpN8A9MMgu1P82pVloyy0BgpSKNwgNVItNCI vgQBFgoAZgUCVIXPbV8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMAAKCRAXErxGGvd45MBFAQDqjrponJ67EvFpJq09IOfZHReT 8JqDztSjeBNCns9vogEA73lkfISYqqqt73v4scBr6qBxWMv3jttIoNrR9ulApA8= =kXJM -----END PGP SIGNATURE----- From kardan38 at gmail.com Mon Dec 8 17:05:48 2014 From: kardan38 at gmail.com (Salih Kardan) Date: Mon, 8 Dec 2014 18:05:48 +0200 Subject: Convert GPG key to ssh key Message-ID: Hi everyone, I am just trying to convert gpg key to ssh key to be able use it in authorized_keys file and I am using *`gpgkey2ssh $key_id` *command. However this command does not work properly and gives this error : gpg: error reading key: public key not found gpgkey2ssh: gpgkey2ssh.c:278: main: Assertion `(algorithm_id == 1) || (algorithm_id == 17)' failed. Aborted (core dumped) I have searched the error however could not find a clear explanation. I come across some blog posts suggesting to use *`ssh-add -L` *command to extract public part of key pair but I need to use *gpgkey2ssh *command. I have another environment for testing same command, somehow on that environment *`gpgkey2ssh $key_id` *command extract public part of key which is compatible with authorized_keys file. I guess this is not a bug since same command works in another environment but could find the exact reason of this error? Any help is appreciated... Note: gpg2 version that I am using is 2.1.0. Thanks in advance. -------------- next part -------------- An HTML attachment was scrubbed... URL: From dkg at fifthhorseman.net Mon Dec 8 17:46:48 2014 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Mon, 08 Dec 2014 11:46:48 -0500 Subject: Convert GPG key to ssh key In-Reply-To: References: Message-ID: <5485D5F8.2080207@fifthhorseman.net> On 12/08/2014 11:05 AM, Salih Kardan wrote: > I am just trying to convert gpg key to ssh key to be able use it in > authorized_keys file and I am using *`gpgkey2ssh $key_id` *command. > However this command does not work properly and gives this error : > gpg: error reading key: public key not found > gpgkey2ssh: gpgkey2ssh.c:278: main: Assertion `(algorithm_id == 1) || > (algorithm_id == 17)' failed. > Aborted (core dumped) the gpgkey2ssh script isn't particularly well-documented or well-supported, unfortunately. Is they key you're looking to convert an RSA key or a DSA key? The above suggests that it is not. (see the list of publickey algorithms for OpenPGP [0]). Are you trying to convert a specific subkey? are you identifying the subkey explicitly? You may also be interested in the "openpgp2ssh" conversion script in the monkeysphere package [1]. Regards, --dkg [0] https://tools.ietf.org/html/rfc4880#section-9.1 [1] http://web.monkeysphere.info/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 949 bytes Desc: OpenPGP digital signature URL: From kristian.fiskerstrand at sumptuouscapital.com Mon Dec 8 17:50:57 2014 From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand) Date: Mon, 08 Dec 2014 17:50:57 +0100 Subject: Mainkey with many subkeys?? In-Reply-To: <164339835.20141208161830@my_localhost> References: <54846C69.2020606@web.de> <5484C270.2040106@dougbarton.email> <5484C3AD.1080407@sumptuouscapital.com> <001e01d012c7$1d6a9320$583fb960$@on.yourweb.de> <54858EED.1060808@sumptuouscapital.com> <000701d012fb$a9f94000$fdebc000$@on.yourweb.de> <5485C5B0.3060604@sumptuouscapital.com> <164339835.20141208161830@my_localhost> Message-ID: <5485D6F1.6010705@sumptuouscapital.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 12/08/2014 05:18 PM, MFPA wrote: > > > On Monday 8 December 2014 at 3:37:20 PM, in > , Kristian Fiskerstrand > wrote: > > >> Changing this would require a new self-signature limiting the use >> flags, but this is not worthwhile to do. > > Is there a method to do this within GnuPG? I have not heard of a > way to reduce the number of capability flags. And the only way I > know to add capabilities is to add subkeys. > It involve using a hacked version of gpg and generating a new self-signature, which, as I said is not worthwhile (as it doesn't do anything practically). But you have an example in the ML at [0] for the 1.4 branch References [0] http://lists.gnupg.org/pipermail/gnupg-users/2009-May/036505.html - -- - ---------------------------- Kristian Fiskerstrand Blog: http://blog.sumptuouscapital.com Twitter: @krifisk - ---------------------------- Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 - ---------------------------- Veni vidi velcro I came, I saw, I got stuck -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJUhdbvAAoJEPw7F94F4TagwpoP/RT14qH1/UFJjq8GnZ8/VU/+ bBIb/qfK2Czdz+UwYRCGopS4nydfdZVjfmRIdfQraguqy40XQlDDmqqYjUnqRxW9 r56+an1p1PiK2bMFYiR29+qSxkqT3Ux25JyFEpcViYdRUKYRM32D44N3bM7QNezv Sq/WCsuyFzO/pfxhZtLAtzQI8qxM1g6eUgMpyzfsEqLwNnIn/6XZ3tLpowBCn2hn u4i+X8vJitWp1EWKaOSmT20EhevV8UOikiy3zfkKTJF2L4KT5JlPCcAYiCOzPNgb Rvp6huX8Dh0s+k6xsDwKfMlaxXkDVGd1oTAV5rA4RFaJF4hQmPHRQt+ANvVFhvN0 jm6shEXR8JZN9kj0wbm4ap3OF1xEZsmTUGgBeUkMSIX5H00uJPskjSD7nlZ+/hr6 ISb/W3xz60CGCF2/wCrpQRw9HttRoHovBDimyRQH6A8YyVdjRZTdXqDmcJVjsC7j 5+n4fYILBBRSZjlCNL07YUOyFVKJCKud80sQIak/CsX7+OD6CBrkDjOyotq8j6EK l5XjsKj5jETc65No3AjLC3j/67uE5vtHkoFEbVfg3CqS5CM9B6K6lRw64CT9Fc0o Wrdp+1ZfTJUtZFViwkXk2xZ2L+9MiCSrJdv2d9SETs/i0x56q+ZjaB/kucXRA+HR bH7zQxKYjX8G23LJijcq =5yIn -----END PGP SIGNATURE----- From wk at gnupg.org Mon Dec 8 18:18:52 2014 From: wk at gnupg.org (Werner Koch) Date: Mon, 08 Dec 2014 18:18:52 +0100 Subject: Convert GPG key to ssh key In-Reply-To: (Salih Kardan's message of "Mon, 8 Dec 2014 18:05:48 +0200") References: Message-ID: <87388qqcub.fsf@vigenere.g10code.de> On Mon, 8 Dec 2014 17:05, kardan38 at gmail.com said: > I am just trying to convert gpg key to ssh key to be able use it in > authorized_keys file and I am using *`gpgkey2ssh $key_id` *command. No need to convert a key if you are using gnupg 2.1. Run gpg -K --with-keygrip USERID and pick the keygrip from the output. For example: sec# rsa2048/E455F2D7CC9C6BBC 2009-11-05 Keygrip = B0C352EC5B3336681535ED3CC2FA62807B64B2CF uid [ unknown] Enoch Root (test) ssb rsa2048/591B5112D5A9C5A6 2009-11-05 Keygrip = 84722EE009690AA87BAF80A62EB0186CFCF72E64 ssb# rsa2048/D367147F5CB0CDF0 2009-11-05 Keygrip = 79DA43AD276B52EABFF0661153276A8E5A5F8DB9 To use the second subkey with ssh, you then do: echo >>~/.gnupg/sshcontrol 79DA43AD276B52EABFF0661153276A8E5A5F8DB9 0 (note the "0" after the keygrip) Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From michard.antoine at gmail.com Mon Dec 8 17:34:34 2014 From: michard.antoine at gmail.com (Antoine Michard) Date: Mon, 8 Dec 2014 17:34:34 +0100 Subject: Can't Encrypt in Freebsd 10.1 Message-ID: Hi All, I've got some problem recently with GnuPG2 and FreeBSD 10.1. I've install it from port, everthing was fine but when I wanna try to encryt, it says Abort ! Key are installed and trust: root at WebBSD:~ # gpg -k /root/.gnupg/pubring.gpg ------------------------ pub 2048R/C81E7C1B 2014-12-06 uid [ultimate] WebBSD sub 2048R/93A1637C 2014-12-06 pub 2048R/6349E5E0 2014-12-06 uid [ultimate] Me root at WebBSD:~ # gpg -edit-key 6349E5E0 then list pub 2048R/6349E5E0 created: 2014-12-06 expires: never usage: SCE trust: ultimate validity: ultimate [ultimate] (1). Me Here full debug from my command: root at WebBSD:~ # gpg -r 6349E5E0 --debug-level 20 -e freebsd_forom.text gpg: enabled debug flags: packet mpi cipher filter iobuf memory cache memstat trust extprog cardio assuan gpg: DBG: fd_cache_open (/root/.gnupg/pubring.gpg) not cached gpg: DBG: iobuf-1.0: open `/root/.gnupg/pubring.gpg' fd=3 gpg: DBG: iobuf-1.0: underflow: req=8192 gpg: DBG: iobuf-1.0: underflow: got=2114 rc=0 gpg: DBG: parse_packet(iob=1): type=6 length=269 (search.keyring.c.1010) gpg: DBG: free_packet() type=6 gpg: DBG: parse_packet(iob=1): type=14 length=269 (search.keyring.c.1010) gpg: DBG: free_packet() type=14 gpg: DBG: parse_packet(iob=1): type=6 length=269 (search.keyring.c.1010) gpg: DBG: free_packet() type=6 gpg: DBG: fd_cache_open (/root/.gnupg/pubring.gpg) not cached gpg: DBG: iobuf-2.0: open `/root/.gnupg/pubring.gpg' fd=4 gpg: DBG: iobuf-2.0: underflow: req=8192 gpg: DBG: iobuf-2.0: underflow: got=928 rc=0 gpg: DBG: parse_packet(iob=2): type=6 length=269 (parse.keyring.c.402) gpg: DBG: parse_packet(iob=2): type=13 length=43 (parse.keyring.c.402) gpg: DBG: parse_packet(iob=2): type=2 length=313 (parse.keyring.c.402) gpg: DBG: parse_packet(iob=2): type=12 length=2 (parse.keyring.c.402) gpg: DBG: free_packet() type=12 gpg: DBG: parse_packet(iob=2): type=2 length=284 (parse.keyring.c.402) gpg: DBG: parse_packet(iob=2): type=12 length=2 (parse.keyring.c.402) gpg: DBG: free_packet() type=12 gpg: DBG: iobuf-2.0: underflow: req=8192 gpg: DBG: iobuf-2.0: underflow: got=0 rc=-1 gpg: DBG: /root/.gnupg/pubring.gpg: close fd 4 gpg: DBG: fd_cache_close (/root/.gnupg/pubring.gpg) new slot created gpg: DBG: iobuf-2.0: underflow: eof gpg: DBG: iobuf-2.0: close `?' gpg: DBG: finish_lookup: checking key 6349E5E0 (all)(req_usage=2) gpg: DBG: no suitable subkeys found - trying primary gpg: DBG: primary key may be used gpg: DBG: using key 6349E5E0 gpg: DBG: free_packet() type=6 gpg: DBG: free_packet() type=13 gpg: DBG: free_packet() type=2 gpg: DBG: free_packet() type=2 gpg: DBG: iobuf-1.0: close `file_filter(fd)' gpg: DBG: /root/.gnupg/pubring.gpg: close fd 3 gpg: DBG: fd_cache_close (/root/.gnupg/pubring.gpg) new slot created gpg: DBG: fd_cache_open (freebsd_forom.text) not cached gpg: DBG: iobuf-3.0: open `freebsd_forom.text' fd=6 gpg: DBG: iobuf-3.0: ioctl `file_filter(fd)' no_cache=1 gpg: DBG: fd_cache_invalidate (freebsd_forom.text.gpg) gpg: DBG: iobuf-4.0: create `file_filter(fd)' gpg: DBG: iobuf-4.0: ioctl `file_filter(fd)' no_cache=1 gpg: DBG: fd_cache_open (freebsd_forom.text) not cached gpg: DBG: iobuf-5.0: open `freebsd_forom.text' fd=8 gpg: DBG: iobuf-5.0: underflow: req=8192 gpg: DBG: iobuf-5.0: underflow: got=5 rc=0 gpg: DBG: iobuf-5.0: close `file_filter(fd)' gpg: DBG: freebsd_forom.text: close fd 8 gpg: DBG: fd_cache_close (freebsd_forom.text) new slot created Abort I've got this in my dmesg: pid 60311 (gpg2), uid 0: exited on signal 6 I've post a topics on FreeBSD Forum but no answer yet: https://forums.freebsd.org/threads/cant-encrypt-files-with-gnupg2.49354/ I've try on a VM with fresh install and the port work fine, I can encrypt/decrypt with the same version. But I really don't know why I've got no answer from debug :( And search everywhere with no answer, I recompil all GnuPG2 dependencies without result, regenerate key, etc... Can you help me? Thanks for reply and your time :D -- Antoine Michard -------------- next part -------------- An HTML attachment was scrubbed... URL: From kardan38 at gmail.com Mon Dec 8 19:21:20 2014 From: kardan38 at gmail.com (Salih Kardan) Date: Mon, 8 Dec 2014 20:21:20 +0200 Subject: Convert GPG key to ssh key In-Reply-To: <87388qqcub.fsf@vigenere.g10code.de> References: <87388qqcub.fsf@vigenere.g10code.de> Message-ID: Hi Daniel and Werner, Thanks for the quick repsonse and more inline... > Is they key you're looking to convert an RSA key or a DSA key? > The above suggests that it is not. (see the list of publickey algorithms > for OpenPGP [0]). > I am trying to convert RSA key and I am just avoiding use an external tool such as monkeysphere while converting keys. > Are you trying to convert a specific subkey? are you identifying the > subkey explicitly? > I will use subkey for ssh authentication and while using *`gpgkey2ssh $key_id` *command I am giving subkey id explicitly. What I could not understand is why the above command works inconsistently. It works on one of my setups but does not on another. No need to convert a key if you are using gnupg 2.1. Run > > gpg -K --with-keygrip USERID > > and pick the keygrip from the output. For example: > > sec# rsa2048/E455F2D7CC9C6BBC 2009-11-05 > Keygrip = B0C352EC5B3336681535ED3CC2FA62807B64B2CF > uid [ unknown] Enoch Root (test) > ssb rsa2048/591B5112D5A9C5A6 2009-11-05 > Keygrip = 84722EE009690AA87BAF80A62EB0186CFCF72E64 > ssb# rsa2048/D367147F5CB0CDF0 2009-11-05 > Keygrip = 79DA43AD276B52EABFF0661153276A8E5A5F8DB9 > > To use the second subkey with ssh, you then do: > > echo >>~/.gnupg/sshcontrol 79DA43AD276B52EABFF0661153276A8E5A5F8DB9 0 > > (note the "0" after the keygrip) Yeah I know that feature in 2.1.0 version, but why I am insisting on using *`gpgkey2ssh` *command is I am going to automate this process and since *`ssh-add -L` *strictly requires an running agent and it does not extract public part of key pair compatible with authorized_key file unless agent is running. (as mentioned in this tutorial and discussions in mailing list -thanks to Werner Koch- using sshcontrol file during ssh authentication requires using ssh-add command) What I am really looking for is there a workaround to use *`gpgkey2ssh` *command without getting the error given in first mail? Regards.. -------------- next part -------------- An HTML attachment was scrubbed... URL: From tomofr at web.de Mon Dec 8 19:48:23 2014 From: tomofr at web.de (Tomo Ruby) Date: Mon, 08 Dec 2014 19:48:23 +0100 Subject: Mainkey with many subkeys?? In-Reply-To: <383313055.20141207234004@my_localhost> References: <54846C69.2020606@web.de> <383313055.20141207234004@my_localhost> Message-ID: <5485F277.3020709@web.de> Am 08.12.2014 um 00:40 schrieb MFPA: > > > On Sunday 7 December 2014 at 3:04:09 PM, in > , Tomo Ruby wrote: > > >> If I create a main key to certify >> and subkeys for everything else, won't there be dozens >> of subkeys on my main key after years of creating and >> revoking subkeys? > > When the subkey was coming up for expiry, wouldn't you just edit the > expiry date? > Hey, as I wrote in the mail from Sun Dec 7 22:38:03 CET 2014: I know I could just set a new expiration date but most times it's recommended to use a key for two years at the longest. So if I start counting I end up like this: One subkey for authentication, one for signing and one for encryption. This makes three new keys every two years... I really don't understand why everyone has only so few subkeys... Best regards -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: OpenPGP digital signature URL: From 2014-667rhzu3dc-lists-groups at riseup.net Tue Dec 9 00:49:07 2014 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Mon, 8 Dec 2014 23:49:07 +0000 Subject: Mainkey with many subkeys?? In-Reply-To: <5485F277.3020709@web.de> References: <54846C69.2020606@web.de> <383313055.20141207234004@my_localhost> <5485F277.3020709@web.de> Message-ID: <92971600.20141208234907@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Monday 8 December 2014 at 6:48:23 PM, in , Tomo Ruby wrote: > as I wrote in the mail from Sun Dec 7 22:38:03 CET > 2014: I know I could just set a new expiration date but > most times it's recommended to use a key for two years > at the longest. Recommended by whom and against what threat model? And, really, the same lifespan for signing keys as for encryption keys? I use the supermarket approach to advice: only pick up what I need at the time. My take on the advice I have most often seen in previous discussions is to set fairly short expiry dates, and make the decision whether to replace it or extend its life when the expiry date is approaching. This gives you an opportunity to review the current state of your tools, and best practices. > So if I start counting I end up like > this: One subkey for authentication, one for signing > and one for encryption. This makes three new keys every > two years... OK, it would, but do you really need them all? If you use subkeys for each of those three capabilities, have you determined that in all three cases your threat model requires a new subkey every two years? > I really don't understand why everyone has only so few > subkeys... Because they do not follow the recommendations you have taken on board. A lot of keys are created without expiry date. This is the GnuPG default; we are frequently exhorted that the defaults are chosen to be sensible for most users, and to only deviate if you know what you are doing _and_why_. A large proportion of keys do not have a signing subkey (certainly of the 32 we currently encrypt messages to for the PGPNET discussion group [0], last time I looked there were about 12 or 14 with signing subkeys). And an individual who uses GnuPG only for email communication and file encryption has no need of an authentication key. That is probably a large percentage of users. [0] - -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net A closed door is an invitation to knock -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJUhjj+XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwAAoJEGt8dM6zHyXw1r8H/14IMASGNylCpc7Z6AE6xp4u /FwCCRbM3+N0EevdV5qAtw6P8Ttt191k5s2oV+oWQF4VnHWPl63H8x2+/jYO9ztC KtLKYw14ENcap77nF9eRAVQ6V/yaLlRWX5eZQqyKTLiuCacYsUpSrTGU3y/9L5fI BuPZhjcRp2FPogWRWwhNks2qMSVSHpDlhUxt/gci4NyTC51ZjD6e2NnxJV61gxgv Bpo7O3tv+KL9hvague3b+8Kyt8rcoxHeZCDTGpqY054ZcUfiNz8+/1qjXdaCSIwW eRe5aOfpmDoP5JoNOCFSkxTzcRjHd4IFn2N6Rbg1RQ9j0Yp7ADrZ3p1uDRAsGsGI vgQBFgoAZgUCVIY5BF8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMAAKCRAXErxGGvd45Li0AQBGeWUHNcqtdXrgHbELOmzsCnuF JxGZsPkIVe+KIsrLQgEAzRVsXDMxYR2NTPwVlVKOID5Y0mo5FyBT/nS/8VbCFAo= =UjSg -----END PGP SIGNATURE----- From 2014-667rhzu3dc-lists-groups at riseup.net Tue Dec 9 01:00:19 2014 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Tue, 9 Dec 2014 00:00:19 +0000 Subject: Mainkey with many subkeys?? In-Reply-To: <5485D6F1.6010705@sumptuouscapital.com> References: <54846C69.2020606@web.de> <5484C270.2040106@dougbarton.email> <5484C3AD.1080407@sumptuouscapital.com> <001e01d012c7$1d6a9320$583fb960$@on.yourweb.de> <54858EED.1060808@sumptuouscapital.com> <000701d012fb$a9f94000$fdebc000$@on.yourweb.de> <5485C5B0.3060604@sumptuouscapital.com> <164339835.20141208161830@my_localhost> <5485D6F1.6010705@sumptuouscapital.com> Message-ID: <1994620535.20141209000019@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Monday 8 December 2014 at 4:50:57 PM, in , Kristian Fiskerstrand wrote: > It involve using a hacked version of gpg and generating > a new self-signature, which, as I said is not > worthwhile (as it doesn't do anything practically). But > you have an example in the ML at [0] for the 1.4 branch Fair enough. A new self-signature generated in the normal way by - --edit-key setpref does not have this effect, of course. - -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net The truth is out there. -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJUhjuWXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwAAoJEGt8dM6zHyXwKrAH/1v8plYaL7C3kJSyGg2DPlHr LEhM/mvgTBsUKP1ezopXHC9O6UWn/XQ9Zb+2z80b8ejJo7SUkIyfNvM2GfQn0HHz /xirJoH6q4+l9+/znSSFZZbJ6WAr4jKC7zj4wilsyTjKmBxAVmbs0M2S87yIJWdn r1E8KWtSpglEaZHCoWjO+JVajbipmrMP8IZm6LW0WJ7+6cjG2iDjkuqtO6r48HVS 83zjQIT4oWT7Mfl9k1ZWe7SrJqJEtCVkvLhfoE6C7qKW8rAq3K9vd4mkPvVMM3dF HDJJVQLGRXPVWWcBj0wmzfjNIYTPaYMUyR6TN0Q7SRwYrXGHvInEB5ewqaa6fLaI vgQBFgoAZgUCVIY7ll8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMAAKCRAXErxGGvd45IuAAQCEnyTyybB9HQYO9qaW4ttTsbsi QvsjTFuS4VjdMzNKUQEA+ah6anP6FRlfiVz2WGTPbwykKUWc2KNmLxXN4BdPqQY= =tkDM -----END PGP SIGNATURE----- From 2014-667rhzu3dc-lists-groups at riseup.net Tue Dec 9 01:08:17 2014 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Tue, 9 Dec 2014 00:08:17 +0000 Subject: Mainkey with many subkeys?? In-Reply-To: <000701d012fb$a9f94000$fdebc000$@on.yourweb.de> References: <54846C69.2020606@web.de> <5484C270.2040106@dougbarton.email> <5484C3AD.1080407@sumptuouscapital.com> <001e01d012c7$1d6a9320$583fb960$@on.yourweb.de> <54858EED.1060808@sumptuouscapital.com> <000701d012fb$a9f94000$fdebc000$@on.yourweb.de> Message-ID: <1545611839.20141209000817@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Monday 8 December 2014 at 3:28:49 PM, in , gnupgpacker wrote: > Some corporate partners are still using older versions > of Symantec's PGP with WinXP, mostly for intranet. > Problems with signing keys are known, sometimes it > works, sometimes not. It is very difficult to rate > compatibility because Symantec's enterprise support (!) > isn't be able to send me old PGP versions for testing. Unable rather than unwilling? > Compatibility seems to be depending on order of subkey > creation: If encryption key is latest, it is working. > If signing key is latest, mostly it is not working. PGP 8.0.3 and 8.1 definitely did not handle signing subkeys, and choked if it happened to be the newest subkey. After trying and not liking PGP 9.x I switched to using GnuPG. I think it was the UI and the removal of support for encrypting to groups that prompted the switch, so I can't comment on signing subkey support. However, Tom McCune [0] says:- "GPG began using subkeys for signing before PGP. Until PGP 8.1, PGP had no support for this, and could not verify signatures made with such a signing subkey. PGP 9.x adds signing subkey functioning. With PGP 9.x, you can now generate and use signing subkeys - this allows you to continue using your original signing key ID and fingerprint for continuity purposes, while being able to enhance your signing security with key replacement." [0] - -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net People who throw kisses are hopelessly lazy. -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJUhj1zXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwAAoJEGt8dM6zHyXw7jEH/jbHweGoMQgqjDDuF71KpsxW 8WY4kkpiOTwKAUD1sFCx5YIL9QWHsJ3VRKcxipckCjKnCLtGf3dhpPBj1Xt0dVsy SNxmnVQ7slvcrKBd80fLZEFTvnfm+QjCGhvgjc+te3w/So69GRLAd4PNQZRJCM1E aXyrinMUxKUrNic1G5ve/hTX/9M1vx6EpsGP2EnoQQdnhO8qlZYh/zjQqTnLOAI3 eyU/cu/n/NJcAQvotkLl2+HTECsd3f6YkL4DIvVbreZkeub0D7TzZ0/o4o0UYWbI aP1zNgsq815HKBDSEszx2N+6uObIWGQtGCkSp/EqVPklmGaRwbiU0uk1qMLPEDqI vgQBFgoAZgUCVIY9dF8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMAAKCRAXErxGGvd45OuqAQAwqOl8OsLjpqVkVAnDbcpu5TtV AiFrQT42j44crGg+4QEAd0gnUIBPK4dQBRF3NdK8yP84rjsxIvXin17pe3ZWYgM= =6iVl -----END PGP SIGNATURE----- From dave.pawson at gmail.com Tue Dec 9 09:07:51 2014 From: dave.pawson at gmail.com (Dave Pawson) Date: Tue, 9 Dec 2014 08:07:51 +0000 Subject: Cross platform working Message-ID: I'm looking at sharing an encrypted file, Linux to 64 bit windows. It seems that a Windows version isn't available, is this right please? Lots of "similar" names, nothing from GNU? TiA -- Dave Pawson XSLT XSL-FO FAQ. Docbook FAQ. http://www.dpawson.co.uk From michard.antoine at gmail.com Tue Dec 9 09:30:48 2014 From: michard.antoine at gmail.com (Antoine Michard) Date: Tue, 9 Dec 2014 09:30:48 +0100 Subject: Cross platform working In-Reply-To: References: Message-ID: Hi, You can try http://www.gpg4win.org/, work great on 7 64bits and no problem to exchange with FreeBSD Envoy? de mon Nexus 5 Le 9 d?c. 2014 09:09, "Dave Pawson" a ?crit : > I'm looking at sharing an encrypted file, Linux to 64 bit windows. > > It seems that a Windows version isn't available, is this right please? > Lots of "similar" names, nothing from GNU? > > TiA > > -- > Dave Pawson > XSLT XSL-FO FAQ. > Docbook FAQ. > http://www.dpawson.co.uk > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From dave.pawson at gmail.com Tue Dec 9 09:31:50 2014 From: dave.pawson at gmail.com (Dave Pawson) Date: Tue, 9 Dec 2014 08:31:50 +0000 Subject: Cross platform working In-Reply-To: References: Message-ID: Thanks - I'll try it. regards Dave P On 9 December 2014 at 08:26, kendrick eastes wrote: > per https://www.gnupg.org/download/index.html that would be GPG4win ( > http://www.gpg4win.org/), there is only an x86 exe, but it works just fine > on x64 windows. > > On Tue, Dec 9, 2014 at 1:07 AM, Dave Pawson wrote: >> >> I'm looking at sharing an encrypted file, Linux to 64 bit windows. >> >> It seems that a Windows version isn't available, is this right please? >> Lots of "similar" names, nothing from GNU? >> >> TiA >> >> -- >> Dave Pawson >> XSLT XSL-FO FAQ. >> Docbook FAQ. >> http://www.dpawson.co.uk >> >> _______________________________________________ >> Gnupg-users mailing list >> Gnupg-users at gnupg.org >> http://lists.gnupg.org/mailman/listinfo/gnupg-users > > -- Dave Pawson XSLT XSL-FO FAQ. Docbook FAQ. http://www.dpawson.co.uk From hugo.hinterberger at gmx.net Tue Dec 9 10:02:48 2014 From: hugo.hinterberger at gmx.net (Hugo Hinterberger) Date: Tue, 09 Dec 2014 10:02:48 +0100 Subject: Beta for 2.1.1 available References: <87sih9gg5f.fsf__20667.9045958028$1416817649$gmane$org@vigenere.g10code.de> Message-ID: Hi, On Mon, 24 Nov 2014 09:24:28 +0100, Werner Koch wrote: > Bug reports please to the gnupg-users. I just tried the Clipboard - Sign feature in GPA and noticed that when I copy the signed message to the clipboard that an empty line is inserted after each line generated for the signature, but not for the original message or modified lines (escaped line with "--" ? "- --"). System: Windows 7 64-bit Kind regards, Hugo From hugo.hinterberger at gmx.net Tue Dec 9 10:09:18 2014 From: hugo.hinterberger at gmx.net (Hugo Hinterberger) Date: Tue, 09 Dec 2014 10:09:18 +0100 Subject: Beta for 2.1.1 available References: <87sih9gg5f.fsf__20667.9045958028$1416817649$gmane$org@vigenere.g10code.de> Message-ID: On Tue, 09 Dec 2014 10:02:48 +0100, Hugo Hinterberger wrote: > Hi, > > On Mon, 24 Nov 2014 09:24:28 +0100, Werner Koch wrote: > >> Bug reports please to the gnupg-users. > > I just tried the Clipboard - Sign feature in GPA and noticed that when I > copy the signed message to the clipboard that an empty line is inserted > after each line generated for the signature, but not for the original > message or modified lines (escaped line with "--" ? "- --"). > > System: Windows 7 64-bit > > Kind regards, > Hugo Trying to verify the just generated message results in a ?"Clipboard" contained no OpenPGP data.? warning message. Tries to remove the empty lines resulted in ?Bad Signature? verification results. Hugo From hugo.hinterberger at gmx.net Tue Dec 9 10:22:07 2014 From: hugo.hinterberger at gmx.net (Hugo Hinterberger) Date: Tue, 09 Dec 2014 10:22:07 +0100 Subject: "key algorithm" in GnuPG's signature verification output References: <455294707.20141206155611__41273.4053134502$1417881488$gmane$org@my_localhost> Message-ID: Hi, It seems that you (MFPA) changed your signing practice after I noted that I can't verify signatures created with your key ?1AF778E4?. I did not know that one could sign a message with two keys in one signing block. I am wondering if there is a way to collapse the verification result for a multi-key signature down to a single ?good? or ?bad? value/result, because Enigmail gave me some ambiguous message about your signatures. Kind regards, Hugo From keastes at gmail.com Tue Dec 9 09:26:00 2014 From: keastes at gmail.com (kendrick eastes) Date: Tue, 9 Dec 2014 01:26:00 -0700 Subject: Cross platform working In-Reply-To: References: Message-ID: per https://www.gnupg.org/download/index.html that would be GPG4win ( http://www.gpg4win.org/), there is only an x86 exe, but it works just fine on x64 windows. On Tue, Dec 9, 2014 at 1:07 AM, Dave Pawson wrote: > I'm looking at sharing an encrypted file, Linux to 64 bit windows. > > It seems that a Windows version isn't available, is this right please? > Lots of "similar" names, nothing from GNU? > > TiA > > -- > Dave Pawson > XSLT XSL-FO FAQ. > Docbook FAQ. > http://www.dpawson.co.uk > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From gnupgpacker at on.yourweb.de Tue Dec 9 11:58:47 2014 From: gnupgpacker at on.yourweb.de (gnupgpacker) Date: Tue, 9 Dec 2014 11:58:47 +0100 Subject: "key algorithm" in GnuPG's signature verification output Message-ID: <001101d0139f$1b426bd0$51c74370$@on.yourweb.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hello, signing with two keys in one block can be done. But also, if unequal technology used (e.g. RSA+edDSA)? Verifying of MFPA's signature with Gpg-1.4.18 gave me: gpg: Unterschrift vom 06.12.2014 16:56:22 mittels RSA-Schl?ssel ID B31F25F0 gpg: FALSCHE Unterschrift von "0x251BCCEB547B7194" [unbekannt] gpg: Unterschrift vom 06.12.2014 16:56:33 mittels ?-Schl?ssel ID 1AF778E4 gpg: Unterschrift kann nicht gepr?ft werden: Unbekanntes Public-Key-Verfahren Time: 09.12.2014 11:45:53 (09.12.2014 10:45:53 UTC) Gpg-1.4.8 isn't captable using edDAS. In my opinion output would be ok if a new edDSA key has been used!? If RSA signing key has been used, there might be some fault... Regards, Chris (Testkey 0x3e2e0598, DSA-2048-sig) > It seems that you (MFPA) changed your signing practice after I noted that > I can't verify signatures created with your key ?1AF778E4?. I did not know > that one could sign a message with two keys in one signing block. > I am wondering if there is a way to collapse the verification result for a > multi-key signature down to a single ?good? or ?bad? value/result, because > Enigmail gave me some ambiguous message about your signatures. -----BEGIN PGP SIGNATURE----- iF4EAREKAAYFAlSG1e4ACgkQI4+xq0ppLElTaAEA6HrAxq2sV30uRKp++6c/5zLa mQ62Ec4SeUsUM7H1V/UA/i3pU18f5vZUCY1CYClTHBFLcEyGjeDDY7Z063rrNlTQ =K9bu -----END PGP SIGNATURE----- From wk at gnupg.org Tue Dec 9 15:32:52 2014 From: wk at gnupg.org (Werner Koch) Date: Tue, 09 Dec 2014 15:32:52 +0100 Subject: Can't Encrypt in Freebsd 10.1 In-Reply-To: (Antoine Michard's message of "Mon, 8 Dec 2014 17:34:34 +0100") References: Message-ID: <87ppbsq4ff.fsf@vigenere.g10code.de> On Mon, 8 Dec 2014 17:34, michard.antoine at gmail.com said: > I've install it from port, everthing was fine but when I wanna try to > encryt, it says Abort ! Which GnuPG version is that? ("gpg --version"). What version of libgpg-error do you use? Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From michard.antoine at gmail.com Tue Dec 9 16:50:27 2014 From: michard.antoine at gmail.com (Antoine Michard) Date: Tue, 9 Dec 2014 16:50:27 +0100 Subject: Can't Encrypt in Freebsd 10.1 In-Reply-To: <87ppbsq4ff.fsf@vigenere.g10code.de> References: <87ppbsq4ff.fsf@vigenere.g10code.de> Message-ID: For the GPG Version gpg (GnuPG) 2.0.26 libgcrypt 1.6.1 Copyright (C) 2013 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Home: ~/.gnupg Supported algorithms: Pubkey: RSA, ELG, DSA Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256 Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 Compression: Uncompressed, ZIP, ZLIB, BZIP2 And the output of pkg info: Name : libgpg-error Version : 1.17 Installed on : Mon Dec 8 15:32:57 CET 2014 Install is from port up-to-date and I reinstall later with recompil of all dependencie Thanks for help me 2014-12-09 15:32 GMT+01:00 Werner Koch : > On Mon, 8 Dec 2014 17:34, michard.antoine at gmail.com said: > > > I've install it from port, everthing was fine but when I wanna try to > > encryt, it says Abort ! > > Which GnuPG version is that? ("gpg --version"). > What version of libgpg-error do you use? > > > Shalom-Salam, > > Werner > > -- > Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. > > -- Antoine Michard -------------- next part -------------- An HTML attachment was scrubbed... URL: From johanw at vulcan.xs4all.nl Tue Dec 9 17:47:13 2014 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Tue, 09 Dec 2014 17:47:13 +0100 Subject: Beta for 2.1.1 available In-Reply-To: References: <87sih9gg5f.fsf__20667.9045958028$1416817649$gmane$org@vigenere.g10code.de> Message-ID: <54872791.1080902@vulcan.xs4all.nl> On 09-12-2014 10:02, Hugo Hinterberger wrote: > I just tried the Clipboard - Sign feature in GPA and noticed that when I > copy the signed message to the clipboard that an empty line is inserted > after each line generated for the signature, but not for the original > message or modified lines (escaped line with "--" ? "- --"). A misunderstanding of EOL conventions? -- ir. J.C.A. Wevers PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From gnupgpacker at on.yourweb.de Tue Dec 9 18:14:24 2014 From: gnupgpacker at on.yourweb.de (gnupgpacker) Date: Tue, 9 Dec 2014 18:14:24 +0100 Subject: "key algorithm" in GnuPG's signature verification output Message-ID: <000c01d013d3$94bc73f0$be355bd0$@on.yourweb.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hello, by the way: Pls refer to OP: http://lists.gnupg.org/pipermail/gnupg-users/2014-December/051872.html Why break quotation marks "1AF778E4" and "good" or "bad" in OP signature verification while answering? Some charset settings needed? Thx + regards, Chris -----BEGIN PGP SIGNATURE----- iF4EAREKAAYFAlSHLfAACgkQI4+xq0ppLEmbWgEA57UmoaVrru0W91fV214PiOyY yuaJFNsKaWvh8pWKVOcBAO7Kl2ZWEpfuHL8URd3aiK/6ZrJKQ/bhNK3CD54Vdhwi =oUi8 -----END PGP SIGNATURE----- From dougb at dougbarton.us Tue Dec 9 00:26:30 2014 From: dougb at dougbarton.us (Doug Barton) Date: Mon, 08 Dec 2014 15:26:30 -0800 Subject: Mainkey with many subkeys?? In-Reply-To: <5485F277.3020709@web.de> References: <54846C69.2020606@web.de> <383313055.20141207234004@my_localhost> <5485F277.3020709@web.de> Message-ID: <548633A6.7030605@dougbarton.us> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 12/08/2014 10:48 AM, Tomo Ruby wrote: | I know I could just set a new expiration date but most times it's | recommended to use a key for two years at the longest. Why do you think that's true? What threat do you think that using a key for at most 2 years will protect you against? Note, I'm not trying to attack you here ... you seem to have absorbed some bad advice, or at best, advice that is intended for a different use case. So maybe you could fill us in a bit on how you intend to use your keys ... Doug -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iQEcBAEBCAAGBQJUhjOlAAoJEFzGhvEaGryERpYIALJdR30hoCq/xKMmGhf7++XP ZYDc6ywzPc8CQru0mFygGXK3eG+WHEtB4gVgWC5VBcLE/eQ8wlgPwMdr5oZdClb9 +gb2AX+cWInh70XPSBVNkkZGqeZNFftgUcDCOaLDNZwQJ8XJJhRXC9h/bIRnxbzH /T5VU9eUCsd2qoM4GJY1PJ0vOELmqg7K4WygKi6rMm0VtQgfFl2x3/bPAUH7fgCH Sr+yOCK2d7IIntyAVoSFDo9fFF+8jVtatrIfNrl/HA90D4nfhG2lYJ9sAXMjrpIZ AXMqQIaHEpgSN2cgazrlsnll4aLo0tSMMIhJMzGG0g3oEb3Jmctm+IA9uZ1V+jw= =efi6 -----END PGP SIGNATURE----- From shtrom at ssji.net Wed Dec 10 02:06:35 2014 From: shtrom at ssji.net (Olivier Mehani) Date: Wed, 10 Dec 2014 01:06:35 +0000 (UTC) Subject: [SOLVED-ish] Re: Cannot sign (but can decrypt) after importing stub-keys from smart-card References: Message-ID: Hi all, As it appears, I had the problem before, and even documented it [0] for memory's sake, then completely forgot about it. So here's an update for that, so I can find the solution better next time (: tldr; GnuPG looks (apparently) for the most recent signing subkey listed in the (public/secret?) keyring. Deleting those from the local keyring, until GPG picks the one present on the card, seems to be a working option. Is there any other? On 2014-12-04, Olivier Mehani wrote: > I am using > * gpg (GnuPG) 2.0.26 (2.0.26-1 [ArchLinux]), > * the card reader integrated with the Broadcom BCM5880 subsystem on my > laptop, > * pcsclite 1.8.13-1 and ccid 1.4.18-1 (ArchLinux), > * an already initialised OpenPGP card (from Kernel Concepts), > * a fresh user account. > I had to downgrade from GPG 2.1 to 2.0 to be able to create the stubs, as > suggested on this ML to work around [0] (In short: --card-edit/fetch; > --edit-key/trust; --refresh-keys; --card-status). [...] > I can now decrypt messages > $ gpg -er shtrom at ssji.net | gpg -d > test > ^D [...] > Unfortunately I don't seem to be able to sign [...] > What am I doing wrong? A better way to understand what's happenning is to ask GnuPG to be verbose. $ gpg -sv gpg: using subkey 0xF9EB425E6D1886A7 instead of primary key 0xF012A6E298C66655 gpg: secret key parts are not available gpg: no default secret key: Unusable secret key gpg: signing failed: Unusable secret key Here, 0xF9EB425E6D1886A7 is (one of) the key(s) to be removed from the keyring. $ gpg --edit-key 98c66655 gpg> key 10 gpg> delkey gpg> save Once all mentions of other (more recent?) signing subkeys have been removed from the keyring, GnuPG has no other choice but to use the signing subkey present on the smartcard. $ gpg -sv gpg: NOTE: signature key 0x6CDA813213912971 expired Fri 26 Oct 2012 23:17:20 AEDT gpg: NOTE: signature key 0x9CA49F44ABCF4EFA expired Mon 21 Jan 2013 14:11:29 AEDT gpg: no secret subkey for public subkey 0x6CDA813213912971 - ignoring gpg: no secret subkey for public subkey 0x9CA49F44ABCF4EFA - ignoring gpg: no secret subkey for public subkey 0xADCF72E06DBC3057 - ignoring gpg: no secret subkey for public subkey 0xF9EB425E6D1886A7 - ignoring gpg: using subkey 0xE9566B9D0957D2D3 instead of primary key 0xF012A6E298C66655 gpg: writing to stdout What is still not clear to me is that now GnuPG does recognise that the other secret subkeys are not available and ignores them. AFAIK they were already unavailable before (or, at least, unusable, as confirmed by the fact that they were suffixed with '#'). Could this be a bug, or just a misunderstanding on my part? Additionally, is there any better way to deal with this issue? [0] https://www.narf.ssji.net/~shtrom/wiki/tips/openpgpsmartcard?&#missing_key_chosen_for_signing -- Olivier Mehani PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE F5F9 F012 A6E2 98C6 6655 Confidentiality cannot be guaranteed on emails sent or received unencrypted. From 2014-667rhzu3dc-lists-groups at riseup.net Wed Dec 10 03:03:26 2014 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Wed, 10 Dec 2014 02:03:26 +0000 Subject: "key algorithm" in GnuPG's signature verification output In-Reply-To: References: <455294707.20141206155611__41273.4053134502$1417881488$gmane$org@my_localhost> Message-ID: <1356473929.20141210020326@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Tuesday 9 December 2014 at 9:22:07 AM, in , Hugo Hinterberger wrote: > Hi, > It seems that you (MFPA) changed your signing practice > after I noted that I can't verify signatures created > with your key ?1AF778E4?. I did not know that one could > sign a message with two keys in one signing block. Just use "local-user" more than once. If identifyinf specific subkeys, you need to follow the key-id with an exclamation mark (!). > I am wondering if there is a way to collapse the > verification result for a multi-key signature down to a > single ?good? or ?bad? value/result, because Enigmail > gave me some ambiguous message about your signatures. What I am applying is two signatures. It is perfectly possibly you can verify one and not the other. - -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net War is a matter of vital importance to the State. -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJUh6nwXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwAAoJEGt8dM6zHyXwB8AIAJcuHgKcGD51HjOdtnV+ViHW XYs7Ypk9qPmGC/0bDmFnOpp/cCobygi4i/H0ojHOnM2kSFmu8id+gUKDsBhUNn0w Fg/ITw/lVE8ZaOxIXkuMReJ6WSpWcs8KMVUxfah5df6QHdHvC4+hLeAPDi7ZujcP ZyqYkipLX90eOLD6szhmjZdP5N95ju05riq6NqQUhb5yuNW93PhSWBscHXpSjCdh j87N2wsa4UW5/qL35jQ30Jt4QNZfZ3VECfVchNDjjMgKDvghfAXOKPkPk1/QKraQ gE4UfmCCgWgocFTsBFYWYi7/OeEnItZ12Ea9B5nxlNUvhCkA1frY+PahgMI/A3eI vgQBFgoAZgUCVIep/F8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMAAKCRAXErxGGvd45C/0AQD/N8owcv/J7rCPMabq2FjdIXvJ BLeHP8nLrctA0YGKrwEAuBMOumfIN6dgDvid1NF11hFAv9vyCAJz3oUb2WlA8go= =HLH/ -----END PGP SIGNATURE----- From 2014-667rhzu3dc-lists-groups at riseup.net Wed Dec 10 03:52:44 2014 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Wed, 10 Dec 2014 02:52:44 +0000 Subject: "key algorithm" in GnuPG's signature verification output In-Reply-To: <001101d0139f$1b426bd0$51c74370$@on.yourweb.de> References: <001101d0139f$1b426bd0$51c74370$@on.yourweb.de> Message-ID: <382239742.20141210025244@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Tuesday 9 December 2014 at 10:58:47 AM, in , gnupgpacker wrote: > Gpg-1.4.8 isn't captable using edDAS. In my opinion > output would be ok if a new edDSA key has been used!? > If RSA signing key has been used, there might be some > fault... Both were used. For the RSA subkey, the verification output you shared shows bad signature. For the EDDSA subkey your output is the expected result. - -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net The trouble with words is that you never know whose mouths they've been in. -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJUh7V/XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwAAoJEGt8dM6zHyXwwrcH+gKt9/sW+8btVANrSXIGq2B8 jIvPyL0kDax59DbHNq9IJtPZKWZOhkRQNEarxNot5bJxZ5JJVNT3y3FA7BnGMb2t K757tqUHFlid9UXgnQ4yop8Y10jUrLT5P3QpmhuVIOrtLxGDTqzpTtgSr4vVA+Gb SwjhJsztYufSc9qjxq6KqDOK3mJrSqYxZy6N2M6XqqRPMExOUsSP1TVPf4WA5srN DWKsXowhtSKwgjn5drZYJm17jxPSjLn954OhcZ0huPi5uzfo6rCC27ZsiWQM/9xC pJamhTAdoP/x6hyQq2S65lRgMrYy7z119LqaP1rT7/iFJjyIdOZk5oMWvm5XpGSI vgQBFgoAZgUCVIe1jF8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMAAKCRAXErxGGvd45Ma8AQC1lupbEK2+lgxpu1PmMg3ip8Ug pQSEX8eqsCiBIHGWHwEATgPtS7KiSj3mKiHPngp7DNbyLaosbKEeMS+9vCeidwI= =nRKO -----END PGP SIGNATURE----- From kardan38 at gmail.com Wed Dec 10 08:52:15 2014 From: kardan38 at gmail.com (Salih Kardan) Date: Wed, 10 Dec 2014 09:52:15 +0200 Subject: Unattended subkey generation Message-ID: Hello everyone, Is it possible to generate sub-keys without user interaction? I found this Unattended-GPG-key-generation article, but currently it allows just one subkey while generating key pair. What I want is a little bit different: I want to generate just sub-keys without user interaction. Last week in a mailing list post I saw the below command to change passphrase without user interaction: *`ECHO -e PASSWD\nMyOldPassword\nMyNewPassword\nSAVE|GPG --command-fd 0 --no-tty --passphrase-repeat 0 --status-fd 2 --verbose --edit-key E62651B3`* Can I apply same approach while generation sub-keys? If yes could you please provide me some sample ? Thanks, Salih -------------- next part -------------- An HTML attachment was scrubbed... URL: From Hugo.Hinterberger at gmx.net Wed Dec 10 09:14:53 2014 From: Hugo.Hinterberger at gmx.net (Hugo Hinterberger) Date: Wed, 10 Dec 2014 09:14:53 +0100 Subject: "key algorithm" in GnuPG's signature verification output In-Reply-To: <000c01d013d3$94bc73f0$be355bd0$__17817.7343019799$1418145394$gmane$org@on.yourweb.de> References: <000c01d013d3$94bc73f0$be355bd0$__17817.7343019799$1418145394$gmane$org@on.yourweb.de> Message-ID: Hi Chris, > Why break quotation marks "1AF778E4" and "good" or "bad" in OP signature > verification while answering? I hope I understood you correctly. I use ?"? when it is required. In regular text I try to follow typographical conventions for text. Nothing seems to be broken on my end. It might be an encoding issue, but I could not find one on my side. It could also have to do with the fonts you are using. Below are some details. I use a DIN 2137-1:2012-06 T2 keyboard layout and try to make use of it. > Some charset settings needed? The default encoding of my messages should be UTF-8, the message format is set to MIME with no special text encoding (neither quoted printable nor base64), and I allow 8-bit characters in headers. I read the mailing list through Gmane (too little mailing list support in my e-mail clients, yes I use a few). I noticed some processing of my messages after they were sent (base64 encoding). Using [1] to decode the payload of the news article under observation of the content-type header (charset="utf-8") gives me my expected result, as do the messages archived at [2] and [3] (with Chrome on Windows). Regards, Hugo [1] https://www.base64decode.org/ [2] http://lists.gnupg.org/pipermail/gnupg-users/2014-December/051872.html [3] http://permalink.gmane.org/gmane.comp.encryption.gpg.user/39182 From Hugo.Hinterberger at gmx.net Wed Dec 10 09:57:30 2014 From: Hugo.Hinterberger at gmx.net (Hugo Hinterberger) Date: Wed, 10 Dec 2014 09:57:30 +0100 Subject: Beta for 2.1.1 available In-Reply-To: <54872791.1080902__33036.2627901652$1418143723$gmane$org@vulcan.xs4all.nl> References: <87sih9gg5f.fsf__20667.9045958028$1416817649$gmane$org@vigenere.g10code.de> <54872791.1080902__33036.2627901652$1418143723$gmane$org@vulcan.xs4all.nl> Message-ID: Hi, I am still trying to find a working solution to verify incoming files and messages with GnuPG on Windows ? and I want the solution to be able to handle PGP/MIME messages read through Gmane using elliptic curve based keys. I just have started to try signing messages. > A misunderstanding of EOL conventions? I tried signing a text several times, every time with the same result, the broken signature. I just tried to reproduce my previous results; now it seems to work. What is different? I ran Windows Update. I tried it on the console before using GPA. OK, so I did some more experimenting: 1. Sign ?Clipboard? in GPA using key 1. 2. Sign signed text in ?Clipboard? in GPA using key 2. 3. Verify text in ?Clipboard? in GPA. 4. Verify text in ?Clipboard? in GPA. Results: After 1.: Signed text looks fine, just like on the console. After 2.: Signed text looks fine, just like on the console (two ?BEGIN PGP SIGNED MESSAGE? and two PGP signature blocks). After 3.: Validation successful (valid), message stripped of signature is mangled (empty lines inserted). After 4.: Validation successful (valid), message stripped of signature is mangled again (now each line is followed by two empty lines). Copying text from ?Clipboard? in GPA to Windows clipboard results in message stripped of signature after step 4 to not be mangled, except for two newlines at the end of the message (they were not there at the start). The text copied to the Windows clipboard is mangled again (just the signature part): every line created by GPA is followed by 2 empty lines, the original message seems unchanged. Verifying the content of the Windows clipboard by pasing it into the ?Clipboard? in GPA results in a ?"Clipboard" contained no OpenPGP data.? warning. Something is rotten in the state of GPA. Regards, Hugo From johanw at vulcan.xs4all.nl Wed Dec 10 10:17:09 2014 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Wed, 10 Dec 2014 10:17:09 +0100 Subject: Beta for 2.1.1 available In-Reply-To: References: <87sih9gg5f.fsf__20667.9045958028$1416817649$gmane$org@vigenere.g10code.de> <54872791.1080902__33036.2627901652$1418143723$gmane$org@vulcan.xs4all.nl> Message-ID: <54880F95.7020203@vulcan.xs4all.nl> On 10-12-2014 9:57, Hugo Hinterberger wrote: In anorther post you write: > The default encoding of my messages should be UTF-8, the message > format is set to MIME with no special text encoding (neither quoted > printable nor base64), and I allow 8-bit characters in headers. I think we have the culprit. If you do things like that, your "text" will probably be seen as binary data and treated as such. -- ir. J.C.A. Wevers PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From gnupgpacker at on.yourweb.de Wed Dec 10 11:18:09 2014 From: gnupgpacker at on.yourweb.de (gnupgpacker) Date: Wed, 10 Dec 2014 11:18:09 +0100 Subject: "key algorithm" in GnuPG's signature verification output In-Reply-To: References: <000c01d013d3$94bc73f0$be355bd0$__17817.7343019799$1418145394$gmane$org@on.yourweb.de> Message-ID: <006001d01462$9893fbd0$c9bbf370$@on.yourweb.de> Hi Hugo, I did make some test with your last post: Outlook-incoming as Content-Transfer-Encoding: base64 Content-Type: text/plain; charset="utf-8"; Format="flowed" If signing ?something? (your choice) and resending, signature is broken. If signing ?something? and resending, signature is broken. (Word-2010; incoming Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable) If signing "something" and resending, signature works as expected. (Standard for Outlook-2010, Thunderbird-31.3; incoming Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit) Most used common keyboards are using SHIFT+2 for quotation marks. This results in above shown results, depending on charset and program used. Your (German) keyboard seems to be a scientific one with some additional chars enabled: http://is.gd/nkQQzK My Outlook-2010 (and Thunderbird too) generates "something" by default, not ?something? (your choice), or ?something?. Settings are set to "iso-8859-1", if new message is generated. If replying, incoming charset is used. I didn't notice such a behavior before!? Regards, Chris > -----Original Message----- > From: Gnupg-users [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Hugo > Hinterberger > Sent: Wednesday, December 10, 2014 9:15 AM > > Why break quotation marks "1AF778E4" and "good" or "bad" in OP signature > > verification while answering? > > I use ?"? when it is required. In regular text I try to follow > typographical conventions for text. > Nothing seems to be broken on my end. From wk at gnupg.org Wed Dec 10 15:21:11 2014 From: wk at gnupg.org (Werner Koch) Date: Wed, 10 Dec 2014 15:21:11 +0100 Subject: Unattended subkey generation In-Reply-To: (Salih Kardan's message of "Wed, 10 Dec 2014 09:52:15 +0200") References: Message-ID: <87bnnbpovc.fsf@vigenere.g10code.de> On Wed, 10 Dec 2014 08:52, kardan38 at gmail.com said: > article, but currently it allows just one subkey while generating key pair. > What I want is a little bit different: I want to generate just sub-keys > without user interaction. It might be usefull to add a --quick-gen-subkey FINGERPRINT ALGO USAGE command. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From Hugo.Hinterberger at gmx.net Wed Dec 10 15:40:19 2014 From: Hugo.Hinterberger at gmx.net (Hugo Hinterberger) Date: Wed, 10 Dec 2014 15:40:19 +0100 Subject: "key algorithm" in GnuPG's signature verification output In-Reply-To: <006001d01462$9893fbd0$c9bbf370$__4724.37239154733$1418206816$gmane$org@on.yourweb.de> References: <000c01d013d3$94bc73f0$be355bd0$__17817.7343019799$1418145394$gmane$org@on.yourweb.de> <006001d01462$9893fbd0$c9bbf370$__4724.37239154733$1418206816$gmane$org@on.yourweb.de> Message-ID: Hi Chris, So, are you saying that my messages break your signatures of replies to my messages? Regards, Hugo From wk at gnupg.org Wed Dec 10 17:41:21 2014 From: wk at gnupg.org (Werner Koch) Date: Wed, 10 Dec 2014 17:41:21 +0100 Subject: Release scheduling Message-ID: <87vbljo3ta.fsf@vigenere.g10code.de> Hi! it is now more than a month since the 2.1.0 release and I am asking myself whether it is time to do another release. There are about 50 commits including * gpg: Detect faulty use of --verify on detached signatures. * gpg: New import option "keep-ownertrust". * gpg: Fixed regression in --refresh-keys. * gpg: Fixed best matching hash algo detection for ECDSA and EdDSA. * gpg: Improved perceived speed of secret key listisngs. * gpg: Print number of skipped PGP-2 keys on import. * gpgconf --kill does not anymore start a service only to kill it. * Fixed keyserver access for Windows. * Fixed build problems on Mac OS X * The Windows installer does now install development files * More translations (but most of them are not complete). * gpg: Removed the option aliases --throw-keyid and --notation-data; use --throw-keyids and --set-notation instead. * gpg: Skip too large keys during import. However, there are still open bugs and new bugs are also detected every few days. I think it is better to do a 2.1.1 now instead of trying to get all new bugs fixed - it would delay things into the next year. I plan to look into the learn card problem and find a solution before a 2.1.1, though. Okay? Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From gnupgpacker at on.yourweb.de Wed Dec 10 17:54:10 2014 From: gnupgpacker at on.yourweb.de (gnupgpacker) Date: Wed, 10 Dec 2014 17:54:10 +0100 Subject: "key algorithm" in GnuPG's signature verification output Message-ID: <000401d01499$eb38bba0$c1aa32e0$@on.yourweb.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi Hugo, yes, I am sorry: it seems to be like this assumption, but only if you are using other quotation marks than standard "something". Regards, Chris > -----Original Message----- > From: Gnupg-users [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Hugo > Hinterberger > Hi Chris, > So, are you saying that my messages break your signatures of replies to my > messages? -----BEGIN PGP SIGNATURE----- iF4EAREKAAYFAlSIerIACgkQI4+xq0ppLEm56wD/YqUzECDWK2RfRtA3Z8VVgOPf mGFZvL1fvTs7syLa/qsBAOUWacyWtNPySLbiuWXXoVOtfMYEKjrOLPSErPNyzWpZ =9xex -----END PGP SIGNATURE----- From dkg at fifthhorseman.net Wed Dec 10 17:57:57 2014 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Wed, 10 Dec 2014 11:57:57 -0500 Subject: Release scheduling In-Reply-To: <87vbljo3ta.fsf@vigenere.g10code.de> References: <87vbljo3ta.fsf@vigenere.g10code.de> Message-ID: <54887B95.2050705@fifthhorseman.net> On 12/10/2014 11:41 AM, Werner Koch wrote: > However, there are still open bugs and new bugs are also detected every > few days. I think it is better to do a 2.1.1 now instead of trying to > get all new bugs fixed - it would delay things into the next year. > > I plan to look into the learn card problem and find a solution before a > 2.1.1, though. > > Okay? Yes, i think releasing 2.1.1 even if we haven't fixed all the bugs is a good plan. Clearly there are a lot of improvements that would be good to have in a released version. Thanks for your work on this, Werner. --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 949 bytes Desc: OpenPGP digital signature URL: From samir at samirnassar.com Wed Dec 10 18:02:26 2014 From: samir at samirnassar.com (Samir Nassar) Date: Wed, 10 Dec 2014 18:02:26 +0100 Subject: Release scheduling In-Reply-To: <87vbljo3ta.fsf@vigenere.g10code.de> References: <87vbljo3ta.fsf@vigenere.g10code.de> Message-ID: <1718696.G8yMxBzSpV@forge> On Wednesday, 2014-12-10 17:41:21 Werner Koch wrote: > Hi! > > it is now more than a month since the 2.1.0 release and I am asking > myself whether it is time to do another release. There are about 50 > commits including It is my understanding that 2.1.0 has a problem with hkps keyservers (such as the hkps SKS pool) and that this is only fixed in the betas for 2.1.1. If this understanding is correct and 2.1.1 fixes the hkps issues, I'd vote to release 2.1.1 -- Samir Nassar samir at samirnassar.com https://samirnassar.com PGP Fingerprint: EE76 B39E 0778 8F95 F796 B044 FE67 9A90 8E99 7AB2 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: This is a digitally signed message part. URL: From dkg at fifthhorseman.net Wed Dec 10 18:10:28 2014 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Wed, 10 Dec 2014 12:10:28 -0500 Subject: Release scheduling In-Reply-To: <1718696.G8yMxBzSpV@forge> References: <87vbljo3ta.fsf@vigenere.g10code.de> <1718696.G8yMxBzSpV@forge> Message-ID: <54887E84.4050904@fifthhorseman.net> On 12/10/2014 12:02 PM, Samir Nassar wrote: > It is my understanding that 2.1.0 has a problem with hkps keyservers (such as > the hkps SKS pool) and that this is only fixed in the betas for 2.1.1. If this > understanding is correct and 2.1.1 fixes the hkps issues, I'd vote to release > 2.1.1 Can you provide more detail (or a link to a bug report) about the problem with hkps in 2.1.0 ? thanks, --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 949 bytes Desc: OpenPGP digital signature URL: From kristian.fiskerstrand at sumptuouscapital.com Wed Dec 10 18:10:58 2014 From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand) Date: Wed, 10 Dec 2014 18:10:58 +0100 Subject: Release scheduling In-Reply-To: <54887E84.4050904@fifthhorseman.net> References: <87vbljo3ta.fsf@vigenere.g10code.de> <1718696.G8yMxBzSpV@forge> <54887E84.4050904@fifthhorseman.net> Message-ID: <54887EA2.4090104@sumptuouscapital.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 12/10/2014 06:10 PM, Daniel Kahn Gillmor wrote: > On 12/10/2014 12:02 PM, Samir Nassar wrote: >> It is my understanding that 2.1.0 has a problem with hkps >> keyservers (such as the hkps SKS pool) and that this is only >> fixed in the betas for 2.1.1. If this understanding is correct >> and 2.1.1 fixes the hkps issues, I'd vote to release 2.1.1 > > Can you provide more detail (or a link to a bug report) about the > problem with hkps in 2.1.0 ? The SNI issue last discussed in [0] springs to mind. But I still experience this on gpg (GnuPG) 2.1.1-beta67 References: [0] http://lists.gnupg.org/pipermail/gnupg-users/2014-November/051471.html - -- - ---------------------------- Kristian Fiskerstrand Blog: http://blog.sumptuouscapital.com Twitter: @krifisk - ---------------------------- Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 - ---------------------------- "If you choose to sail upon the seas of banking, build your bank as you would your boat, with the strength to sail safely through any storm." (Jacob Safra (1891?1963)) -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJUiH6cAAoJEPw7F94F4TagWNYQAJwiRpGgHoeJdzjuVQNg8JnZ wv+6sZSONpPZUwAAZHcr7Ix5AYb78OMSYur69PLKsd4L+2hw6dXsP/lfvRXoV0Oq X5aIrAuYqf58wQ/mIQ9wZoKyNvMXc6WAFMSXiNSB5frzYOIpoPadKpg4Mhg+pefA h6JDpo905vR9bJd9p8W1aXED+kSxAYb05sp88aCrGpW61i9kPObmtIfw82pq+cDb DFAh+2cpNqlVq6OYPo2aM7/a2UAaPQHYMayBxumZvpFUwF6eumUk1MqlFViL5WRc Y13fin6hKbvA97b3PR0gBDkAOL/JLA5IivAkcuVVzygsOOZWv/3n0lN/J4V2pI0l Zb+FNMlow8omPwj8fy+suhA6f6bz5PTMVUYMcWL91UJay7Mt+YftLm7HO8moIJyO Yhj5BnTSx3hfmnSY6sAft9W702K9D7+lRekPB15guAmPdFPc/QW4EiQKFCI0f8qH iSKsHjLU7e747L8vCraEIkuyVfWptBX2/OuXFJIhVBNMsZJhhpc+G8CMBXgya0ZC 6z4DiVcLKEcVZyKaDYT90FRRO2ZNGJa3vh5C7dtM0eZPtrpzyxTeYYQiaKBtTzX5 K0WV3Cjt2UWul7UO4cbeXYWAYpn1Ty/QAsH/voaWWUr8hmg+PtVwI/UpIaoq7+fO Jr56Zwkpp+2aP+r9g7S3 =7xnz -----END PGP SIGNATURE----- From samir at samirnassar.com Wed Dec 10 18:26:10 2014 From: samir at samirnassar.com (Samir Nassar) Date: Wed, 10 Dec 2014 18:26:10 +0100 Subject: Release scheduling In-Reply-To: <54887EA2.4090104@sumptuouscapital.com> References: <87vbljo3ta.fsf@vigenere.g10code.de> <54887E84.4050904@fifthhorseman.net> <54887EA2.4090104@sumptuouscapital.com> Message-ID: <7602310.OjrjB9WmaG@forge> On Wednesday, 2014-12-10 12:10:28 Daniel Kahn Gillmor wrote: > > Can you provide more detail (or a link to a bug report) about the > > problem with hkps in 2.1.0 ? On upgrade to 2.1.0 looking up keys from a keyserver stopped working for me. I tracked down the following comment from Hugo Hinterberger: http://lists.gnupg.org/pipermail/gnupg-users/2014-November/051695.html and Kristian Fiskerstrand's suggestion: http://lists.gnupg.org/pipermail/gnupg-users/2014-November/051698.html On Wednesday, 2014-12-10 18:10:58 Kristian Fiskerstrand wrote: > The SNI issue last discussed in [0] springs to mind. But I still > experience this on gpg (GnuPG) 2.1.1-beta67 I had the impression that this bug is getting fixed in 2.1.1 and that I shouldn't increase noise to an existing and known problem. At this stage I can report that despite trying out Kristian's suggestion I am not able to interact with either the hkps pool or individual hkps keyservers. Arch Linux, GnuPG 2.1.0. -- Samir Nassar samir at samirnassar.com https://samirnassar.com PGP Fingerprint: EE76 B39E 0778 8F95 F796 B044 FE67 9A90 8E99 7AB2 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: This is a digitally signed message part. URL: From kristian.fiskerstrand at sumptuouscapital.com Wed Dec 10 18:40:49 2014 From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand) Date: Wed, 10 Dec 2014 18:40:49 +0100 Subject: Release scheduling In-Reply-To: <7602310.OjrjB9WmaG@forge> References: <87vbljo3ta.fsf@vigenere.g10code.de> <54887E84.4050904@fifthhorseman.net> <54887EA2.4090104@sumptuouscapital.com> <7602310.OjrjB9WmaG@forge> Message-ID: <548885A1.1060404@sumptuouscapital.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 12/10/2014 06:26 PM, Samir Nassar wrote: > On Wednesday, 2014-12-10 12:10:28 Daniel Kahn Gillmor wrote: >>> Can you provide more detail (or a link to a bug report) about >>> the problem with hkps in 2.1.0 ? > > On upgrade to 2.1.0 looking up keys from a keyserver stopped > working for me. I tracked down the following comment from Hugo > Hinterberger: > http://lists.gnupg.org/pipermail/gnupg-users/2014-November/051695.html > and Kristian Fiskerstrand's suggestion: > http://lists.gnupg.org/pipermail/gnupg-users/2014-November/051698.html > > On Wednesday, 2014-12-10 18:10:58 Kristian Fiskerstrand wrote: >> The SNI issue last discussed in [0] springs to mind. But I still >> experience this on gpg (GnuPG) 2.1.1-beta67 > > I had the impression that this bug is getting fixed in 2.1.1 and > that I shouldn't increase noise to an existing and known problem. > At this stage I can report that despite trying out Kristian's > suggestion I am not able to interact with either the hkps pool or > individual hkps keyservers. Arch Linux, GnuPG 2.1.0. > Individual keyserver should be no issue as long as you don't hit the SNI issue, are you sure gnupg is built with gnutls / hkps support? I know that at least earlier builds of arch did not include gnutls support, which caused some headache to debug while helping a user on IRC (the reason for the patch to only report hkps scheme earlier). Do an ldd on dirmngr binary and see if it is linked with gnutls. - -- - ---------------------------- Kristian Fiskerstrand Blog: http://blog.sumptuouscapital.com Twitter: @krifisk - ---------------------------- Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 - ---------------------------- "We can only see a short distance ahead, but we can see plenty there that needs to be done." (Alan Turing) -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJUiIWfAAoJEPw7F94F4Tag31UQAJKSimTMhBif5PCUexU2fUZi zEquZ41JJEyrcVqhmB2MWHDRWl0uZ0NrRomxig/w99BQKUSNN147rEI/mcF1vSa7 g2Fmbi/WSd+lJGrBZAJ56uEGI/o7WcHoMRDiGucESCHE3zv4r9ZrIoWlHC1gZ/xj GBDLgk6kt5UiuRUYIcMjwe0lWowqyyUJGozm8ZGivULozNhU8CEGoame/NTCrE56 H8o6KaqpML1WMAEO9b2CnfVqOGJTYCJ0OwcunhuMlMiWG4ZsH5u7TlES67lY1Bzq TRbu5zsasJD5t81hCb90t69vOh1qH/K80h/WG0qXHjzOim41fSk9NbrZjp84i6Tk R6D0pAUnDxV0bst0mkhDjI3Sh0+VCsZg7PxtVnSruXYrL3LSCy30xHNzaSrMKxtH cRkoIcspl8E0tgMUDdSC/T0Z9KFNWKHf0/gkuv99K8z9k0uBDMAq/vgzoekR25cd ukyYEfhhsS9JSHaPX620g2fZ/qFxk/m3loNlYgXb6XyxPSYkNewqcMlrHpFFSUOv vx1kFfOzyxpH/al1ihsSLLnawP6xX5NSS729HHYL7RVaUFtexXiyR9PWd8Yt7nnL ZRIWB4MW2pugS1FUdiCAepYe5sQGx1uLcKGUP9zsoUsdkFDAVrAS4rEq5hNzbjDv 0LTrQMcxREE3yx5c45bi =Ro0f -----END PGP SIGNATURE----- From kristian.fiskerstrand at sumptuouscapital.com Wed Dec 10 18:44:09 2014 From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand) Date: Wed, 10 Dec 2014 18:44:09 +0100 Subject: Release scheduling In-Reply-To: <548885A1.1060404@sumptuouscapital.com> References: <87vbljo3ta.fsf@vigenere.g10code.de> <54887E84.4050904@fifthhorseman.net> <54887EA2.4090104@sumptuouscapital.com> <7602310.OjrjB9WmaG@forge> <548885A1.1060404@sumptuouscapital.com> Message-ID: <54888669.2050302@sumptuouscapital.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ... > Individual keyserver should be no issue as long as you don't hit > the SNI issue, are you sure gnupg is built with gnutls / hkps > support? I know that at least earlier builds of arch did not > include gnutls support, which caused some headache to debug while > helping a user on IRC (the reason for the patch to only report hkps > scheme earlier). Do that should read: only report hkps scheme when actually available... > an ldd on dirmngr binary and see if it is linked with gnutls. > > > - -- - ---------------------------- Kristian Fiskerstrand Blog: http://blog.sumptuouscapital.com Twitter: @krifisk - ---------------------------- Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 - ---------------------------- "History repeats itself; historians repeat each other" (Philip Guedalla) -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJUiIZoAAoJEPw7F94F4TagNdsQALFxV+2lWt31u2UDhrvPBpfQ 5l9pR6Mly+uwhz1ngsWUFH34VHVbM8c/Ks1fqXdjPN5i0a4XxUmA66Ra1LCDWfJH hbh5urPAA+CSZEDzzcSbthkWs8mSwLW95TWxh/3mNT67jXn1WTW50kME0PZmsyFm j1VLoMGCrTXEugN6CucglV97hB5QE1zUVKv+hdAmTRWqbmyfUe6TWLQdqUFrQWFq bYIlKmYbb+u0mX9jtbPb0+y9MVf9HuWG58VyrAffA9u+sh7xAGy8Z3N6ScmvMil7 uNFIAzCbYaIo2O4DQn4oJ8lbcsRH/bl7vFmCAt+mgUr8UvOurneJizbKHc9sQ07V TA8vNSnuSBCrM8DQ2x8q8y4gjf4ySx8EREX1D57BuRfKnLQrB4HTdQsz2PkktE24 pIg4hSVFm37akttxtR4neFKw9kSN9pppO64oUNjYGFT3dd4XnohflCjHL8hiFic3 akMF4uKVh0kAJVHJhf0+2JXOgQHHt1ma0cMeYFQ5VYXCkoLFzwfpoRH2cilNUrKt H7408aDXDPQFES2mTMcCVp7v1avNh0r1oTGNjI6l2ZMeWKif2FKdW075aohhM4CS a1r/AGk2dU7QjzylbcAuBAOgSdz5AYXmLLvIftJWMGMK6Z4v+Y7qMkwmH6PP9aD7 KY+IOdclNFt0Xn9wDiZK =FDWh -----END PGP SIGNATURE----- From dkg at fifthhorseman.net Wed Dec 10 18:50:23 2014 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Wed, 10 Dec 2014 12:50:23 -0500 Subject: Release scheduling In-Reply-To: <7602310.OjrjB9WmaG@forge> References: <87vbljo3ta.fsf@vigenere.g10code.de> <54887E84.4050904@fifthhorseman.net> <54887EA2.4090104@sumptuouscapital.com> <7602310.OjrjB9WmaG@forge> Message-ID: <548887DF.9040204@fifthhorseman.net> On 12/10/2014 12:26 PM, Samir Nassar wrote: > On Wednesday, 2014-12-10 12:10:28 Daniel Kahn Gillmor wrote: >>> Can you provide more detail (or a link to a bug report) about the >>> problem with hkps in 2.1.0 ? > > On upgrade to 2.1.0 looking up keys from a keyserver stopped working for me. I > tracked down the following comment from Hugo Hinterberger: > http://lists.gnupg.org/pipermail/gnupg-users/2014-November/051695.html and > Kristian Fiskerstrand's suggestion: http://lists.gnupg.org/pipermail/gnupg-users/2014-November/051698.html kristian's suggestion works for 2.1.0 already. I currently use 2.1.0 with hkps just fine. > On Wednesday, 2014-12-10 18:10:58 Kristian Fiskerstrand wrote: >> The SNI issue last discussed in [0] springs to mind. But I still >> experience this on gpg (GnuPG) 2.1.1-beta67 > > I had the impression that this bug is getting fixed in 2.1.1 and that I > shouldn't increase noise to an existing and known problem. At this stage I can > report that despite trying out Kristian's suggestion I am not able to interact > with either the hkps pool or individual hkps keyservers. Arch Linux, GnuPG > 2.1.0. did you update ~/.gnupg/dirmngr.conf with a value for hkp-cacert ? --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 949 bytes Desc: OpenPGP digital signature URL: From kristian.fiskerstrand at sumptuouscapital.com Wed Dec 10 19:01:25 2014 From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand) Date: Wed, 10 Dec 2014 19:01:25 +0100 Subject: Release scheduling In-Reply-To: <54888669.2050302@sumptuouscapital.com> References: <87vbljo3ta.fsf@vigenere.g10code.de> <54887E84.4050904@fifthhorseman.net> <54887EA2.4090104@sumptuouscapital.com> <7602310.OjrjB9WmaG@forge> <548885A1.1060404@sumptuouscapital.com> <54888669.2050302@sumptuouscapital.com> Message-ID: <54888A75.9070505@sumptuouscapital.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 12/10/2014 06:44 PM, Kristian Fiskerstrand wrote: > > ... > >> Individual keyserver should be no issue as long as you don't hit >> the SNI issue, are you sure gnupg is built with gnutls / hkps >> support? I know that at least earlier builds of arch did not >> include gnutls support, which caused some headache to debug >> while helping a user on IRC (the reason for the patch to only >> report hkps scheme earlier). Do > > that should read: only report hkps scheme when actually > available... > >> an ldd on dirmngr binary and see if it is linked with gnutls. > See https://bugs.archlinux.org/task/42739?opened=6005&status%5B0%5D= > > > > - -- - ---------------------------- Kristian Fiskerstrand Blog: http://blog.sumptuouscapital.com Twitter: @krifisk - ---------------------------- Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 - ---------------------------- Timendi causa est nescire The cause of fear is ignorance -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJUiIpyAAoJEPw7F94F4TagNLIP/0qN3Xyt6yBT6E92zYGz+dPH vs2QTHrvoD82qcpppxX/EIQ0gOk/QimeNpnnJASVuKa+9hTQgNQi+XeaA5EdWZSN wenB9nE/8cs7Xsq1q/4p6r6/w3qdGVUiAU9/hcJ2orW3lPZWT1sJd7pyrjs25jm3 cdnQ9j+N6QsYV2togHkkOl/rhtrPYuow3JCll+IFhP3VhjnlTZSgDJDEP8DIaYTU SswrCRk2yOxLXYd+DqUjnwjMwPUC1e+rD8HMZEOK0bLEpzIo1QrwQPtLGcWGnQoH XCGDd3QQmMP/ivKSFJkJXKnC9oDiCOpHC2zYaniFkxvvOuPdyC+IUERE5s8g42D4 FvaRIJ5DRvbqR9K3FgagsyNgbeSQ0xcE2izX1f4diEPN+NmgcOmU1snmg48aCCBz qkj+9rDrYxIV2kTGHwOHLd1aqGBQZmLX+xMgLrkWXEclApmPgwM8vdEBd6zM9aKD kT9eqMmYtFHuPfEsdZ7CcvewdoS1LOmgamTau2FxhBUPGBEMf1b5Q2hdgWILL4la 3m9e9SxVRbm9AykN91OlYhPsy2J6pP9xYZohIcs+lmdTDagWpbd16raxigV4UjyK tmSgjOmkRX6GSe+gKwbPXq80/JKq5NiU4oLV93HeHnEBHLfEXa1rG7wWqcWGC5j5 CcWldu8pJsZRmRglaXl6 =bRtx -----END PGP SIGNATURE----- From wk at gnupg.org Wed Dec 10 19:30:42 2014 From: wk at gnupg.org (Werner Koch) Date: Wed, 10 Dec 2014 19:30:42 +0100 Subject: Release scheduling In-Reply-To: <54887EA2.4090104@sumptuouscapital.com> (Kristian Fiskerstrand's message of "Wed, 10 Dec 2014 18:10:58 +0100") References: <87vbljo3ta.fsf@vigenere.g10code.de> <1718696.G8yMxBzSpV@forge> <54887E84.4050904@fifthhorseman.net> <54887EA2.4090104@sumptuouscapital.com> Message-ID: <87r3w7nyr1.fsf@vigenere.g10code.de> On Wed, 10 Dec 2014 18:10, kristian.fiskerstrand at sumptuouscapital.com said: > The SNI issue last discussed in [0] springs to mind. But I still > experience this on gpg (GnuPG) 2.1.1-beta67 I have not yet tracked this down. For easier debugging I added some more debug output. Forgot to push them, though. ... Now available. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From samir at samirnassar.com Wed Dec 10 20:29:46 2014 From: samir at samirnassar.com (Samir Nassar) Date: Wed, 10 Dec 2014 20:29:46 +0100 Subject: Release scheduling In-Reply-To: <54888A75.9070505@sumptuouscapital.com> References: <87vbljo3ta.fsf@vigenere.g10code.de> <54888669.2050302@sumptuouscapital.com> <54888A75.9070505@sumptuouscapital.com> Message-ID: <2331784.TsuZKFkzZ6@forge> On Wednesday, 2014-12-10 19:01:25 Kristian Fiskerstrand wrote: > See https://bugs.archlinux.org/task/42739?opened=6005&status%5B0%5D= Well lo and behold. When I rebuilt the package with GnuTLS as a dependency and killed the running dirmngr process HKPS works. I understand that the GnuPG package maintainer is being conservative with adding requirements to Arch core repository, but I believe this is a mistake. Thank you all. -- Samir Nassar samir at samirnassar.com https://samirnassar.com PGP Fingerprint: EE76 B39E 0778 8F95 F796 B044 FE67 9A90 8E99 7AB2 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: This is a digitally signed message part. URL: From 2014-667rhzu3dc-lists-groups at riseup.net Wed Dec 10 20:59:26 2014 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Wed, 10 Dec 2014 19:59:26 +0000 Subject: Beta for 2.1.1 available In-Reply-To: References: <87sih9gg5f.fsf__20667.9045958028$1416817649$gmane$org@vigenere.g10code.de> <54872791.1080902__33036.2627901652$1418143723$gmane$org@vulcan.xs4all.nl> Message-ID: <1362859528.20141210195926@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Wednesday 10 December 2014 at 8:57:30 AM, in , Hugo Hinterberger wrote: > Hi, > I am still trying to find a working solution It is more likely you will find help if you start your own thread, with a subject like that matches what you are talking about. > to verify > incoming files and messages with GnuPG on Windows ? and > I want the solution to be able to handle PGP/MIME > messages read through Gmane using elliptic curve based > keys. Let's break this requirement down. 1. Works on Windows. In case it makes a difference to the range of available solutions, 32-bit or 64-bit? XP? Vista? 7? 8?... 2. able to handle PGP/MIME messages Perhaps a mail client that integrates with GnuPG (either directly or using a plugin. Or you could copy the message source to the clipboard or a text file and decrypt/verify it there, but there are some message encodings that seem to frustrate this approach. 3. Reading through Gmain. Web interface? News reader? In a mail client? RSS feed? 4. using elliptic curve based keys Needs to use GnuPG 2.1.x. > I just have started to try signing messages. > I tried signing a text several times, every time with > the same result, the broken signature. Sounds frustrating. - -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net No matter where you go, there you are. -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJUiKYhXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwAAoJEGt8dM6zHyXwr8UIAIs5mAJO/HBXk9Bwv25GO9q3 +Kgy4JdcePtK55ci+a921hb8uhj0a6wJqBK8li9KDwnIYvJo11xVCKYRMaD/NtoU tZPZHiKyztO94YUYyZH0BE+bVxs5rHMBmndWRbyE4gupOst+/GDW2joLHwVkJFa/ Q5lGg9loafq/HFP/dUXas04H7ERH5lkMQr1EjbM1F3XMD/D2tuixuwJsiPpbZ0i1 9B5c8cPf980ksNQSMSYoQ6fIJ6VKxcM69YLOIcivsLHtFEfR/Yw5+uAjj+s9y1MG SzoS2oUdwm3NXSc1mOHU3xfieHdUOQ52zEEX7VPvRtxIbqddXofSPqpfMIcSSdiI vgQBFgoAZgUCVIimQ18UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMAAKCRAXErxGGvd45K5NAQChTZzwC5i8jOLMEk1+v88W5Z4n GNSyl7apIogSGRwQPgEA0uqsV+feRBDwYdtxZWN5kWONxRkP5K8OQKelQnOX4wI= =61+r -----END PGP SIGNATURE----- From samir at samirnassar.com Wed Dec 10 21:08:05 2014 From: samir at samirnassar.com (Samir Nassar) Date: Wed, 10 Dec 2014 21:08:05 +0100 Subject: FYI: Arch linux provides GnuPG (2.1.0) package without ability to use HKPS Message-ID: <5646124.V5u6V9t1vH@forge> The Arch linux GnuPG package 2.1.0-6 is unable to connect to HKPS. The package maintainer is currently unable or unwilling to build GnuPG against GnuTLS. For further information you can follow: https://bugs.archlinux.org/task/42739 I attempted to convince the package maintainer that the current package breaks essential and previously working functionality and was told I could build my own package. -- Samir Nassar samir at samirnassar.com https://samirnassar.com PGP Fingerprint: EE76 B39E 0778 8F95 F796 B044 FE67 9A90 8E99 7AB2 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: This is a digitally signed message part. URL: From mlisten at hammernoch.net Wed Dec 10 21:20:27 2014 From: mlisten at hammernoch.net (=?UTF-8?B?THVkd2lnIEjDvGdlbHNjaMOkZmVy?=) Date: Wed, 10 Dec 2014 21:20:27 +0100 Subject: [Enigmail] Enigmail is not using seahorse In-Reply-To: <5484BA34.1070907@phyks.me> References: <5484B3FB.2050706@phyks.me> <5484B7B0.7090705@enigmail.net> <5484BA34.1070907@phyks.me> Message-ID: <5488AB0B.4070600@hammernoch.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi, On 07.12.14 21:36, Lucas Verney wrote:> > Le 07/12/2014 21:25, Ludwig H?gelsch?fer a ?crit : >> Hi, >> >> On 07.12.14 21:09, Lucas Verney wrote: >> >>> In Arch, with Thunderbird 31.2 and Enigmail 1.7.2, I can't get >>> Enigmail to use Seahorse instead of prompting me for my >>> passphrase. >> >> When using gnupg 2.x, it's not Enigmail asking for the >> passphrase, it's gpg-agent. >> >>> Is there some hidden configuration option ? >> >> Please search for gpg-agent and gnome keyring, you'll get lots of >> hits and all telling the same story: they cannot coexist >> peacefully. Gnome keyring tries to hijack the gpg-agent, but is >> not very successful in doing this. > > Thanks for pointing me in the right direction, this is due to an > update in gpg and not in Enigmail, contrary to what I was > thinking? > > For the record, here is the explanation : > https://wiki.archlinux.org/index.php/GnuPG#GPG_AGENT_INFO > > Then, does this mean I have to enter my passphrase at least once > per session, or is there still some alternatives to Seahorse that > could handle this ? Taking this discussion from Enigmail to gnupg-users. I think there might be more and good advice :-) Ludwig -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCgAGBQJUiKsLAAoJEA52XAUJWdLjuSwIALVmfyOcYzsqslFoSXlZ9dDb 7qyeu9YbdkeOvTlUnkhHo5N2yAeC29MtZMAUP/rZ1fwgA+AoVJVl4K6rxkiwO/N5 X3blTDbIZC4xlhHcSniPkS69nw3Qjooj2XKQINLTlvDIEPJst9RjyvtAGJk77IcR r7ZCSuWisJa98cDbCszoRo5q18RKgQEy8/WRYcfguuDcdAXMrXse9t/Mi3PuhDJL IXKkRDMRVbiJE4l0JGzf319O10SWxig6wrWTvpHLOHaT5n85nr8WZgU4ug7T5cYf tlkwfyhycM3uJqSFJA82D98Eqa5kGmIVOMEBySW1163SyrSZIsD6KclDGR1N6Eo= =9c4Y -----END PGP SIGNATURE----- From outa at gmx.de Thu Dec 11 02:11:22 2014 From: outa at gmx.de (outa) Date: Thu, 11 Dec 2014 02:11:22 +0100 Subject: gpg / Enigmail behavior after disabling Gnome Keyring Message-ID: <5488EF3A.1000707@gmx.de> Hi all, after a recent upgrade to Kubuntu 14.10, gpg started to show that warning message about Gnome Keyring hijacking it. After adding the following lines to a startup script: killall gpg-agent killall gnome-keyring-daemon gpg-agent --daemon --enable-ssh-support --write-env-file "${HOME}/.gpg-agent-info" . "${HOME}/.gpg-agent-info" export GPG_AGENT_INFO export SSH_AUTH_SOCK gnome-keyring-daemon --components=ssh,secrets,pkcs11 the pinentry dialog was back instead of the Gnome one. However, each time I decrypt an email now, gpg asks for my passphrase (apprently not caching it), and each time I want to sign an email, it asks for a passphrase twice. As described here: http://comments.gmane.org/gmane.comp.mozilla.enigmail.general/19022 (I also use Thunderbird and Enigmail). This is odd and a bit annoying. Using gpg directly on the command line to sign a message results in only one passphrase prompt though. Has anyone experienced the same problem and could point me to a solution? Thanks a lot. Greets, Lutz -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 801 bytes Desc: OpenPGP digital signature URL: From jimoe at sohnen-moe.com Thu Dec 11 07:13:28 2014 From: jimoe at sohnen-moe.com (James Moe) Date: Wed, 10 Dec 2014 23:13:28 -0700 Subject: gpg wants IDEA Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, I have an older gnuPG (v1.4.6) that is apparently mis-configured. When signing a message, it fails with a note about what a bad idea IDEA is, and quits. gpg is called from an email program to perform security services. There is no command option to indicate a preferred cipher. - ----[ command ]---- gpg.exe --passphrase-fd 0 --batch --armor --no-tty --status-fd 2 - --local-user person at example.com --output output.pgp --clearsign input.bod 2> splat.err - ----[ end ]---- - ----[ error ]---- gpg: protection algorithm 1 (IDEA) is not supported [GNUPG:] RSA_OR_IDEA gpg: the IDEA cipher plugin is not present gpg: please see http://www.gnupg.org/faq/why-not-idea.html [^] for more information gpg: skipped "person at example.com": unknown cipher algorithm gpg: W:\APPS\PMMAIL\TESTACCTS\test1_00.act\outbox.fld\nge4mh01.bod: clearsign failed: unknown cipher algorithm - ----[ end ]---- Why would gpg feel compelled to use IDEA? How do I convince gpg to forget about it? - -- James Moe moe dot james at sohnen-moe dot com 520.743.3936 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iEYEARECAAYFAlSJNggACgkQzTcr8Prq0ZNKvgCcCqWR7LgSHW2lk+DHE79BAJhp zjYAni21pGKiWetthS7EN93CL/Fkk8tP =k2Ka -----END PGP SIGNATURE----- From kristian.fiskerstrand at sumptuouscapital.com Thu Dec 11 09:31:46 2014 From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand) Date: Thu, 11 Dec 2014 09:31:46 +0100 Subject: gpg wants IDEA In-Reply-To: References: Message-ID: <54895672.4020809@sumptuouscapital.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 12/11/2014 07:13 AM, James Moe wrote: > Hello, I have an older gnuPG (v1.4.6) that is apparently > mis-configured. When signing a message, it fails with a note about > what a bad idea IDEA is, and quits. gpg is called from an email > program to perform security services. There is no command option to > indicate a preferred cipher. You shouldn't use such an old version of anything. > gpg: protection algorithm 1 (IDEA) is not supported [GNUPG:] > RSA_OR_IDEA gpg: the IDEA cipher plugin is not present Then install it as a module or upgrade to at last 1.4.13 (where IDEA was added in core) > gpg: please see http://www.gnupg.org/faq/why-not-idea.html [^] for > more information gpg: skipped "person at example.com": unknown cipher > algorithm gpg: > W:\APPS\PMMAIL\TESTACCTS\test1_00.act\outbox.fld\nge4mh01.bod: What does showpref on this key tell you about key preferences on that key and your own? If you include your own key as an encrypt-to and do not list IDEA in preferences for that it should find another common denominator (likely 3DES) - -- - ---------------------------- Kristian Fiskerstrand Blog: http://blog.sumptuouscapital.com Twitter: @krifisk - ---------------------------- Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 - ---------------------------- "A ship is safe in harbour, but that's not what ships are for" (Will Shedd) -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJUiVZsAAoJEPw7F94F4Tag1UgQAI8yHsnpn2UwUFR9cIJ/J5ng Shg0W4hwtgid79clhmbNtSL7LTxHA8jK9ns5B/3wvusH6iaXuGTtTbpwWKRjejvR 0X5mHvx7vR651MtqwcjV6PzZU4QvWbk8fcWr7KuoFl2KWSk9Q2POpYul+RwwA74g QDOTUAFt0HhfZ3HW3G+wZX/QNYHblIUJohCNJFwHZ2hLXzZOaPuXBogYShMw1y5q 6zP4QDLx5B3XJz7zwotq+UD1fGxhabXCyDXupd428QWQytgObKTJHi+G2O2ACJDA vc0OYMcsQPmxGIyiP4V3h/X1ACltBAt0MPgVMcUSlKut6NKA80ue2HH2zEiy5187 m8DgjXNqouINZW2pU/QhXkvCqgVIUoLaZOU5K32i5w53NjOECt2LZIeSctK2pUJd NpXMsfDpiiuD4qOsWE7Q5kFPMpGQ73vbm98bzkWiS2jjf5WFzY5WNA/AiuMdXtX3 4rZru2z9fTeakpqwAIYwRXntxiaIut4dJClzYUzuF2gsppMM6sm7I3fpS9/wN0Pk f/7+t/HF13ftgJt6nCh8h7RNhQ6vzIXhcFVR/bken676QKdG1fwbM5QBzSRSp4I0 2N1KqBAmvArlizqslnd0fjecrxWNBUjmElCIZ1oc6HGaDXfLekQ9wahPswo77yGl BEFZ5mcBicb16ESnpIy2 =btS/ -----END PGP SIGNATURE----- From wk at gnupg.org Thu Dec 11 11:39:41 2014 From: wk at gnupg.org (Werner Koch) Date: Thu, 11 Dec 2014 11:39:41 +0100 Subject: 31C3 Message-ID: <87wq5ympw2.fsf@vigenere.g10code.de> Hi! I will be at the 31C3 at Hamburg from the 28th (late afternoon) to the 30th. You may find me at the FSFE Assembly or ask there for my local communication parameters. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From peter at digitalbrains.com Thu Dec 11 13:22:28 2014 From: peter at digitalbrains.com (Peter Lebbing) Date: Thu, 11 Dec 2014 13:22:28 +0100 Subject: 31C3, keysigning party In-Reply-To: <87wq5ympw2.fsf@vigenere.g10code.de> References: <87wq5ympw2.fsf@vigenere.g10code.de> Message-ID: <54898C84.6050105@digitalbrains.com> On 11/12/14 11:39, Werner Koch wrote: > Hi! Hi! > I will be at the 31C3 at Hamburg from the 28th (late afternoon) to the > 30th. You may find me at the FSFE Assembly or ask there for my local > communication parameters. I intend to organise a keysigning party if no one else does. I did one at 29C3 as well. I did a pure Sassaman-Efficient process then. Now I'm considering a mixed-mode party, basing on Sassaman-Efficient, but falling back to slips of paper as produced by e.g. gpg-key2ps for people who brought those from home and don't have access to a printer while at the congress. Oh, and there's this 2D barcode keysigning thing as well, should look it up. It was demonstrated to me at the keysigning at OHM2013. I printed my own Sassaman-Efficient list at the hotel I was staying at[1]. Do any people have experience with paperless keysigning parties, using laptops, tablets, mobile phones, that sort of stuff? BTW, I will attend the whole congress (27 to 30), but I might sleep in some days. Cheers, Peter. [1] I figured the odds that the hotel would modify my list rather low, especially since we were the only participants staying at that hotel, so they had probably never even heard of OpenPGP :). -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From peter at digitalbrains.com Thu Dec 11 13:49:36 2014 From: peter at digitalbrains.com (Peter Lebbing) Date: Thu, 11 Dec 2014 13:49:36 +0100 Subject: 31C3, keysigning party In-Reply-To: <54898C84.6050105@digitalbrains.com> References: <87wq5ympw2.fsf@vigenere.g10code.de> <54898C84.6050105@digitalbrains.com> Message-ID: <548992E0.6050509@digitalbrains.com> On 11/12/14 13:22, Peter Lebbing wrote: > Oh, and there's this 2D > barcode keysigning thing as well, should look it up. It was demonstrated to me > at the keysigning at OHM2013. Probably monkeyscan from monkeysign... the latter has been mentioned numerous times on this list, btw. Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From peter at digitalbrains.com Thu Dec 11 15:06:45 2014 From: peter at digitalbrains.com (Peter Lebbing) Date: Thu, 11 Dec 2014 15:06:45 +0100 Subject: 31C3, keysigning party In-Reply-To: <20141211134647.GY21810@cryptobitch.de> References: <87wq5ympw2.fsf@vigenere.g10code.de> <54898C84.6050105@digitalbrains.com> <548992E0.6050509@digitalbrains.com> <20141211134647.GY21810@cryptobitch.de> Message-ID: <5489A4F5.3080904@digitalbrains.com> On 11/12/14 14:46, Tobias Mueller wrote: > FWIW: A tool with a similar goal is GNOME Keysign: Thanks for the pointer! > Contrasting caff or monkeysign, it does not rely on keyservers. Neither does caff, if the organiser of the keyparty simply collects all keys (sent by the participants) and sends the resulting keyring to all participants. Been there, done that, bought the GnuPG t-shirt. I haven't checked if you can pass a keyring to monkeysign. So I'm a bit surprised by that claim in the README of GNOME Keysign. They also keep talking of an authenticated copy of a key. The authentication usually consists of you checking the fingerprint (or the program checking the fingerprint in a securely retrieved barcode). Surely that is enough? Am I missing something somewhere? Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From Hugo.Hinterberger at gmx.net Thu Dec 11 17:15:03 2014 From: Hugo.Hinterberger at gmx.net (Hugo Hinterberger) Date: Thu, 11 Dec 2014 17:15:03 +0100 Subject: Beta for 2.1.1 available In-Reply-To: <54880F95.7020203@vulcan.xs4all.nl> References: <87sih9gg5f.fsf__20667.9045958028$1416817649$gmane$org@vigenere.g10code.de> <54872791.1080902__33036.2627901652$1418143723$gmane$org@vulcan.xs4all.nl> <54880F95.7020203@vulcan.xs4all.nl> Message-ID: Hi Johan, >> The default encoding of my messages should be UTF-8, the message >> format is set to MIME with no special text encoding (neither quoted >> printable nor base64), and I allow 8-bit characters in headers. > > I think we have the culprit. If you do things like that, your "text" > will probably be seen as binary data and treated as such. On the one hand: I do not think so. The text was completely in the US-ASCII range and showed up correctly in the ?Clipboard? in GPA. The issue should not have been related to my settings for my messaging software (I do not see how). On the other hand: I can't reproduce this issue any more, as stated in [1]. Regards, Hugo [1] http://lists.gnupg.org/pipermail/gnupg-users/2014-December/051885.html From Hugo.Hinterberger at gmx.net Thu Dec 11 18:21:45 2014 From: Hugo.Hinterberger at gmx.net (Hugo Hinterberger) Date: Thu, 11 Dec 2014 18:21:45 +0100 Subject: Beta for 2.1.1 available In-Reply-To: <1362859528.20141210195926__24761.9305308492$1418241710$gmane$org@my_localhost> References: <87sih9gg5f.fsf__20667.9045958028$1416817649$gmane$org@vigenere.g10code.de> <54872791.1080902__33036.2627901652$1418143723$gmane$org@vulcan.xs4all.nl> <1362859528.20141210195926__24761.9305308492$1418241710$gmane$org@my_localhost> Message-ID: Hi MFPA, >> Hi, >> >> I am still trying to find a working solution > > It is more likely you will find help if you start your own thread, > with a subject like that matches what you are talking about. I am currently not actively trying to get a working environment. I am exploring the current state of affairs. I am also not comletely passive, as you may have noticed. I am not trying to get all my issues addressed, I was repeatedly told that my expectations are way too high. E. g.: How hard can it be to combine genealogy data with your contacts and show a reminder when certain people (family members, ...) have an anniversary or birthday coming up? In the area I grew up it is sometimes customary to arrange a service in church for deceased family members ? it would be nice to have things like those pop up automatically in a calendar. >> to verify >> incoming files and messages with GnuPG on Windows ? and >> I want the solution to be able to handle PGP/MIME >> messages read through Gmane using elliptic curve based >> keys. > > Let's break this requirement down. > > 1. Works on Windows. > > In case it makes a difference to the range of available solutions, > 32-bit or 64-bit? XP? Vista? 7? 8?... Windows 7 64-bit and Windows 8.1 64-bit > > 2. able to handle PGP/MIME messages > > Perhaps a mail client that integrates with GnuPG (either directly or > using a plugin. I uninstalled Thunderbird and Enigmail since it was slooow and does not seem to be able to handle Mime in news articles. It also created ambiguous notifications for your signatures. > Or you could copy the message source to the clipboard or a text > file and decrypt/verify it there, but there are some message > encodings that seem to frustrate this approach. I can verify clearsigned message. It is not anywhere near what I would describe as user friendly, but it can be done. I completely failed to manually verify PGP/MIME messages, on the command line, so far. I have Symantec Encryption Desktop 10.3.2 in Limited Use/Unlicensed Mode installed, that offers the PGP Viewer tool that is a complexity level above using GPA (drag 'n drop for verification works fine, as long as you already have the senders key in your keyring and you trust it, but the result behaves like a picture). GPA, in comparison, does not support drag 'n drop, so one has to fiddle around with the file open dialogue, and for the same file that verifies fine in Encryption Desktop GPA tells me the signature is ?Bad?. > > 3. Reading through Gmain. > > Web interface? News reader? In a mail client? RSS feed? nntps://news.gmane.org (currently with an expired self-signed certificate) Windows Live Mail 2012 (pretty crappy, but still one of the better tools I know) > > 4. using elliptic curve based keys > > Needs to use GnuPG 2.1.x. That's why I am testing GnuPG 2.1.1-beta35 right now. PowerArchiver Enryption Suite supports ECC, via Eldos's SecureBlackbox library as far as i know, but the UI still needs work. Just a side note: I heard somewhere that the Austrian health insurance cards (ecard) utilises ECC somehow . I'll have to check this at some point. Regards, Hugo From peter at digitalbrains.com Thu Dec 11 18:26:47 2014 From: peter at digitalbrains.com (Peter Lebbing) Date: Thu, 11 Dec 2014 18:26:47 +0100 Subject: 31C3, keysigning party In-Reply-To: <20141211165841.GA24180@localhost> References: <87wq5ympw2.fsf@vigenere.g10code.de> <54898C84.6050105@digitalbrains.com> <20141211165841.GA24180@localhost> Message-ID: <5489D3D7.60006@digitalbrains.com> On 11/12/14 17:58, Guilhem Moulin wrote: > There is one advertized already: Excellent! And thank you for pointing it out, especially since they expect you to sign up /way before/ the event. I hope they'll allow people in who didn't sign up (who will bring their own slips of paper or QR code for people to photograph). In fact, I've mentioned this to the organiser while signing up. > You'll find an alternative to gpg-key2ps(1) in the latest signing-party > package: gpg-key2latex(1). It produces a nicer output IMHO, including > UAT (photo) and QR code, at the expense of heavier dependencies (such as > texlive). Disclaimer: I'm the author of that script :-P Thanks! That certainly is useful. Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From guilhem at fripost.org Thu Dec 11 17:58:41 2014 From: guilhem at fripost.org (Guilhem Moulin) Date: Thu, 11 Dec 2014 17:58:41 +0100 Subject: 31C3, keysigning party In-Reply-To: <54898C84.6050105@digitalbrains.com> References: <87wq5ympw2.fsf@vigenere.g10code.de> <54898C84.6050105@digitalbrains.com> Message-ID: <20141211165841.GA24180@localhost> On Thu, 11 Dec 2014 at 13:22:28 +0100, Peter Lebbing wrote: > On 11/12/14 11:39, Werner Koch wrote: >> I will be at the 31C3 at Hamburg from the 28th (late afternoon) to the >> 30th. You may find me at the FSFE Assembly or ask there for my local >> communication parameters. > > I intend to organise a keysigning party if no one else does. There is one advertized already: https://events.ccc.de/congress/2014/wiki/Session:Keysigning_Party > Now I'm considering a mixed-mode party, basing on Sassaman-Efficient, > but falling back to slips of paper as produced by e.g. gpg-key2ps for > people who brought those from home and don't have access to a printer > while at the congress. Oh, and there's this 2D barcode keysigning > thing as well, should look it up. You'll find an alternative to gpg-key2ps(1) in the latest signing-party package: gpg-key2latex(1). It produces a nicer output IMHO, including UAT (photo) and QR code, at the expense of heavier dependencies (such as texlive). Disclaimer: I'm the author of that script :-P -- Guilhem. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: Digital signature URL: From 2014-667rhzu3dc-lists-groups at riseup.net Fri Dec 12 01:27:44 2014 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Fri, 12 Dec 2014 00:27:44 +0000 Subject: Mainkey with many subkeys?? In-Reply-To: <5489A6FE.60001@web.de> References: <54846C69.2020606@web.de> <383313055.20141207234004@my_localhost> <5485F277.3020709@web.de> <92971600.20141208234907@my_localhost> <5489A6FE.60001@web.de> Message-ID: <1773873520.20141212002744@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Thursday 11 December 2014 at 2:15:26 PM, in , Tomo Ruby wrote: > To be honest I didn't think and search about that too > much, but that was not the point anyways... I'm confused. You seemed to be making quite a point of it. (-: > How do you judge whether to replace the key or not? Of > course there are obvious opportunities when to replace > keys but if nothing special (like the system being > compromised) happens, Or there are new ideas/standards/technology/exploits such that a particular key size or algorithm is no longer considered safe, or something is available with a smaller signature size, for example. Examples include the introduction of subkeys, larger key sizes (2048 instead of 1024), DSA or DSA2 vs RSA, ... > I really know only of this > approach: The more encrypted/signed data I spread over > the web, the easier it might be for an attacker to > calculate the secret key. And because of that I'd > replace on a regular basis. Please correct me here if > I'm wrong!! There are others on this list better placed to answer this. As far as I know, the only thing actually encrypted to your secret key is the session key for each message. > See above, besides Enigmail for example uses default > values with expiration dates... I did not know that. I guess the Enigmail developers must know what they are doing _and_why_. > I'm not sure if I understand you right here but if you > ask why I would use a subkey to sign, the answer is: > Because I want to use an offline mainkey and subkeys > for the daily work... You were asking why most keys seem to have far fewer subkeys (in use or expired/revoked) than the advice you were following would lead you to expect. I was saying that one reason is because a large proportion of keys do not have a signing subkey. (-; My old key was a v3 key that didn't support subkeys, and that lasted me about 11 years. My new key has signing subkeys of both RSA and EDDSA varieties. I understand the idea of offline main keys, but don't see how the use case fits my threat model. - -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net Always borrow money from a pessimist - they don't expect it back -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJUijaDXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwAAoJEGt8dM6zHyXwF1cH/AxVGZX8jSLRcaI8fqFOu2+1 HM/pKrWnVgG+sqog2YQzhHFbXdteI0VmhmkKZVW6z8AJesudVFtrYvXNWmaCPywY EDNFu05/G38zIIrAAblM4DXaKXOb6/nJeUeXpt+/JDRs+hRAzWpfbb8q3makCqns 1pHvP/q6fzDldttKPP432mGCFqmpZiRROxXcEH+Hsax+h6uFdytE7DMWM0CO0trK C9ASwZKOzTJ5d+rlRIk0Z09RglJIExfGCDM1+RHmDa1n7B/hMvVt4WMB1d3Vv1ab 1Ha+q0YnNORXTKECbfdv1gHgxSiBub2zRKmV3U0LYlUEdKemFOPizy8gF2l5vOqI vgQBFgoAZgUCVIo2lF8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMAAKCRAXErxGGvd45NfbAQD5rRNgzhyHYHrClccbtLviXCYl og6lJd9lAh9tjGdIqAEAMkRhtr2WRz6WTdUp7RFR4eUd6KJ86GSXk7o9BRFm0gM= =zvmJ -----END PGP SIGNATURE----- From flapflap at riseup.net Fri Dec 12 01:49:43 2014 From: flapflap at riseup.net (flapflap) Date: Fri, 12 Dec 2014 00:49:43 +0000 Subject: 31C3 In-Reply-To: <87wq5ympw2.fsf@vigenere.g10code.de> References: <87wq5ympw2.fsf@vigenere.g10code.de> Message-ID: <548A3BA7.4010300@riseup.net> Werner Koch: > I will be at the 31C3 at Hamburg from the 28th (late afternoon) to the > 30th. You may find me at the FSFE Assembly or ask there for my local > communication parameters. Hi, is it possible for you (or other FSFE people at the Assembly) to accept donations for GnuPG (in cash) there? ~flapflap From antiprism at antiprism.ca Fri Dec 12 03:44:35 2014 From: antiprism at antiprism.ca (antiprism at antiprism.ca) Date: Thu, 11 Dec 2014 21:44:35 -0500 Subject: New project with GnuPG frontend for XBMC Message-ID: <548A5693.7070309@antiprism.ca> Hello, This might be interesting to the community: http://www.antiprism.ca/ AntiPrism is a tool for very secure web-browsing and communication. It is implemented as a set of extensions to the OpenELEC-derived media center software providing a universal and seamlessly integrated web privacy solution for home and small office. It runs from a read-only file system within a secure Linux operating environment bootable from a USB flash drive or installable on a HDD/SSD. AntiPrism is activated with a password used as an encryption key to a hidden file system. Once deactivated, it leaves no traces of its operations. The computer device running AntiPrism can serve as a media center for watching movies, streaming music and games, and general web surfing with the included basic web browser, because the basic XBMC/Kodi external plug-ins functionalities are preserved and acting as an anonymizing tool in the background. The main differences between AntiPrism and other existing anonymizing Linux derivatives (Tails, Whonix, Liberte, etc) are dictated by its purpose. AntiPrism provides, basically, a ?secure anonymizing media center?, a household device that would normally do little when not being used for entertainment, but is now loaded with new hidden powers. For example, you can anonymously search, download and watch your torrents right on the device, without a need to copy them elsewhere. It can run as an intermediate or entry node in the anonymous networks extending their strength and improving availability. It has a noticeably high performance, due to the fast Systemd Linux backend with close to real-time IRQ response and low network packets losses. AntiPrism is implemented as a set of built-in media center plugins. It provides anonymous surfing and networking with popular traffic anonymizing tools Tor, I2P and Privoxy. It implements a web of trust communications security model by using GnuPG for keys and contacts exchange. Encrypted file container keeps your sensitive data as well as private keys, secure identities and so on. Private keys and identities wouldn?t leak outside your device even if it is stolen, or your computer is infected by viruses/trojans. For encryption, both Cryptsetup (Linux-native disk encryption system, default) and TrueCrypt 7.1a (optional) are fully supported. For access control, pre-configured AppArmor rules are guarding the protected files. The built-in AntiPrism web browsing, messaging and file sharing services are protected with Tor and I2P. Private keys used by Tor, I2P, SSH, OpenVPN, etc services of AntiPrism are stored within the encrypted file system and are protected with AppArmor kernel security module. External browsers may use AntiPrism as a secure anonymizing proxy. The connection between the browser and AntiPrism can be optionally encrypted with a point-to-point VPN tunnel, eliminating the risks of intranet-based surveillance. AntiPrism can be freely downloaded from its GitHub release repository - https://github.com/antiprismca/OpenELEC-Antiprism/releases From tomofr at web.de Thu Dec 11 15:15:26 2014 From: tomofr at web.de (Tomo Ruby) Date: Thu, 11 Dec 2014 15:15:26 +0100 Subject: Mainkey with many subkeys?? In-Reply-To: <92971600.20141208234907@my_localhost> References: <54846C69.2020606@web.de> <383313055.20141207234004@my_localhost> <5485F277.3020709@web.de> <92971600.20141208234907@my_localhost> Message-ID: <5489A6FE.60001@web.de> > Recommended by whom and against what threat model? And, really, the > same lifespan for signing keys as for encryption keys? To be honest I didn't think and search about that too much, but that was not the point anyways... > My take on the advice I have most often seen in previous > discussions is to set fairly short expiry dates, and make the decision > whether to replace it or extend its life when the expiry date is > approaching. How do you judge whether to replace the key or not? Of course there are obvious opportunities when to replace keys but if nothing special (like the system being compromised) happens, I really know only of this approach: The more encrypted/signed data I spread over the web, the easier it might be for an attacker to calculate the secret key. And because of that I'd replace on a regular basis. Please correct me here if I'm wrong!! > A lot of keys are created without expiry date. This is the GnuPG > default; we are frequently exhorted that the defaults are chosen to be > sensible for most users, and to only deviate if you know what you are > doing _and_why_. See above, besides Enigmail for example uses default values with expiration dates... > A large proportion of keys do not have a signing subkey (certainly of > the 32 we currently encrypt messages to for the PGPNET discussion > group [0], last time I looked there were about 12 or 14 with signing > subkeys). I'm not sure if I understand you right here but if you ask why I would use a subkey to sign, the answer is: Because I want to use an offline mainkey and subkeys for the daily work... > And an individual who uses GnuPG only for email communication and file > encryption has no need of an authentication key. That is probably a > large percentage of users. Well that was actually the reason I started this whole process of reading, searching and now discussing: I want to use my key to authenticate to an SSH-Server... And to answer to the message of Doug Barton on Tue Dec 9 00:26:30 CET 2014: The sign and encrypt subkeys are mostly used for emails and a little bit of "offline encryption". Thanks again for the help! I really appreciate it! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: OpenPGP digital signature URL: From muelli at cryptobitch.de Thu Dec 11 14:46:48 2014 From: muelli at cryptobitch.de (Tobias Mueller) Date: Thu, 11 Dec 2014 14:46:48 +0100 Subject: 31C3, keysigning party In-Reply-To: <548992E0.6050509@digitalbrains.com> References: <87wq5ympw2.fsf@vigenere.g10code.de> <54898C84.6050105@digitalbrains.com> <548992E0.6050509@digitalbrains.com> Message-ID: <20141211134647.GY21810@cryptobitch.de> Hi. On Thu, Dec 11, 2014 at 01:49:36PM +0100, Peter Lebbing wrote: > Probably monkeyscan from monkeysign... FWIW: A tool with a similar goal is GNOME Keysign: https://github.com/muelli/geysigning (Note that the repository will move, so this link will become defunct) Contrasting caff or monkeysign, it does not rely on keyservers. Cheers, Tobi From muelli at cryptobitch.de Thu Dec 11 17:51:51 2014 From: muelli at cryptobitch.de (Tobias Mueller) Date: Thu, 11 Dec 2014 17:51:51 +0100 Subject: gpg / Enigmail behavior after disabling Gnome Keyring In-Reply-To: <5488EF3A.1000707@gmx.de> References: <5488EF3A.1000707@gmx.de> Message-ID: <20141211165151.GZ21810@cryptobitch.de> On Thu, Dec 11, 2014 at 02:11:22AM +0100, outa wrote: > Has anyone experienced the same problem and could point me to a solution? Not necessarily a solution, but a pointer to a discussion which took place: http://lists.gnupg.org/pipermail/gnupg-devel/2014-August/thread.html#28689 Cheers, Tobi From peter at digitalbrains.com Fri Dec 12 13:01:35 2014 From: peter at digitalbrains.com (Peter Lebbing) Date: Fri, 12 Dec 2014 13:01:35 +0100 Subject: Mainkey with many subkeys?? In-Reply-To: <5489A6FE.60001@web.de> References: <54846C69.2020606@web.de> <383313055.20141207234004@my_localhost> <5485F277.3020709@web.de> <92971600.20141208234907@my_localhost> <5489A6FE.60001@web.de> Message-ID: <548AD91F.9050202@digitalbrains.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 11/12/14 15:15, Tomo Ruby wrote: > I really know only of this approach: The more encrypted/signed data I > spread over the web, the easier it might be for an attacker to calculate > the secret key. If this was advice directly relating to OpenPGP: Do not take advice from the person/site who told you this. They shouldn't be giving advice if this is their advice. For all practical purposes, this is impossible. You don't get an improved chance of computing the secret key with more ciphertexts and/or signatures; not in any meaningful way. Applications using symmetrical ciphers sometimes have provisions to rotate keys after a certain amount of time or data has passed, but this is completely unrelated to OpenPGP keys, which are of a very different nature. OpenPGP keys are asymmetrical and only encrypt session keys or sign hashes, they never operate on the underlying data directly. The whole argument "the more encrypted data there is, the easier it is to crack" is a complete fallacy anyway. Anybody with your public key can create an unlimited amount of data encrypted to you; it's decrypting it that can only be done by you. If the availability of data encrypted to a key would be a way to compute the private key, that way would always already be available to an attacker. Fortunately, it doesn't work that way at all. HTH, Peter. - -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From peter at digitalbrains.com Sat Dec 13 12:20:16 2014 From: peter at digitalbrains.com (Peter Lebbing) Date: Sat, 13 Dec 2014 12:20:16 +0100 Subject: Mainkey with many subkeys?? In-Reply-To: <548C1F10.7070702@web.de> References: <54846C69.2020606@web.de> <383313055.20141207234004@my_localhost> <5485F277.3020709@web.de> <92971600.20141208234907@my_localhost> <5489A6FE.60001@web.de> <1773873520.20141212002744@my_localhost> <548C1F10.7070702@web.de> Message-ID: <548C20F0.5080907@digitalbrains.com> On 13/12/14 12:12, Tomo Ruby wrote: > But what does "meaningful way" mean? That there may be theoretic methods to use signatures to learn information about the private key, but that they are all so impractical that they can be ignored. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From peter at digitalbrains.com Sat Dec 13 13:39:22 2014 From: peter at digitalbrains.com (Peter Lebbing) Date: Sat, 13 Dec 2014 13:39:22 +0100 Subject: Randomized hashing In-Reply-To: <54785150.7050602@gmail.com> References: <87mw7e3x7i.fsf@vigenere.g10code.de> <547626EF.9010103@digitalbrains.com> <54762AA5.8080302@gmail.com> <54762C75.6080607@digitalbrains.com> <5476BCD6.2010007@gmail.com> <5476F7C7.2070209@digitalbrains.com> <5476FCC2.70701@digitalbrains.com> <54771347.5080609@gmail.com> <54772AFB.4050806@digitalbrains.com> <54785150.7050602@gmail.com> Message-ID: <548C337A.4010700@digitalbrains.com> On 28/11/14 11:41, NdK wrote: >> Oh, I agree, I already thought that might close any 'r'-swapping security >> issues, if there would be any; just like you can include the hash >> algorithm in the signature to prevent swapping it out for a weaker one. But when >> swapping 'r''s does not actually create any security issues, it just makes >> things needlessly complicated. > I don't understand you. I finally found the time to write this up. In part, it is a more elaborate version of what Ingo Kl?cker said in [1]. When you want to protect 'r' from modification, there are basically two ways to do it. You can include 'r' in the hashed data, or in the signature. I'll outline what an OpenPGP message might look like[2] with randomized hashing, with a symbol prepended to each line that indicates whether that line is unprotected, part of the hashed data or part of the RSA signature. A U means Unprotected, an H means Hashed, an S means its part of the signature itself. U One-pass Sig packet: U keyID 969E018FDE6CDCA1, sigclass "binary document", U digest randomized-SHA-1, pubkey RSA U Randomized hashing specifier packet: U r = b299c230c293191bd900217ab0dc7aad H Literal data packet: H This is the actual signed message. H It can go on for quite a while. H But I choose to end it here. H Signature packet: H sigclass "binary document", pubkey RSA, digest randomized-SHA-1 H Signature Creation Time subpacket: H Sig created 2014-12-13 U Issuer subpacket: U Issuer key ID 969E018FDE6CDCA1 U Begin of digest 49 1f S OpenPGP-RSA-randomized-SHA1-sign(r, ) Where OpenPGP-RSA-randomized-SHA1-sign is defined as (|| is concatenation): OpenPGP-RSA-randomized-SHA1-sign(r, d): H = SHA1(RMX(r, d || 0x04FF || len(d))) m = 0x00 || 0x01 || 0xFF || .. || 0xFF || 0x00 || 0x30 || 0x21 || 0x30 || 0x09 || 0x06 || 0x05 || 0x2B || 0x0E || 0x03 || 0x02 || 0x1A || 0x05 || 0x00 || 0x04 || 0x14 || H return m**d (mod n) ** is exponentiation. So the signature is computed over the hash, and a constant (which is padded with 0xFF's to make m the right size for an RSA signature). The hash is computed over the RMX function. The RMX function is rougly: RMX(r, d0 || d1 || .. || dn) = r || d0 ^ r || d1 ^ r || .. || dn ^ r ^ is the xor operation here, not exponentiation. RMX is not exactly that, but good enough for what I am trying to say. The point is, r is *included in the hash*. That's what protects it from modification. The paper at [3] contains a proof that it is intractable to modify r and get a message that hashes to the same hash. This is not immediately apparent, but they prove it for hash functions with the structure SHA-1 has. 'r' still needs to be passed to the recipient, but it needn't be protected explicitly, since it is included in the hash anyway. In fact, it is pretty much as if the "Randomized hashing specifier packet" I invented above wasn't of the U(nprotected) type but of the H(ashed) type. It's just that it's solved at the RMX level rather than the OpenPGP level. The other way is also mentioned in the paper. I can't find the footnote you mention; which paper were you looking at? The trade-off is that for that method, the actual signing operation needs to be changed, which is the problem. The advantage is that the rest of the message stays the same. For OpenPGP One-pass-signature packets, this gets a bit silly. The purpose of that is to start computing the hash while reading through the file the first time. This becomes impossible with this method, so let's drop that packet, pretend that it was never there in the first place, and we always needed two passes. Pretend that we keep everything as it was, and only change the signing operation. H Literal data packet: H This is the actual signed message. H It can go on for quite a while. H But I choose to end it here. H Signature packet: H sigclass "binary document", pubkey RSA, digest randomized-SHA-1 H Signature Creation Time subpacket: H Sig created 2014-12-13 U Issuer subpacket: U Issuer key ID 969E018FDE6CDCA1 U Begin of digest 66 1a S OpenPGP-RSA-randomized-SHA1-sign(r, ) Now we define OpenPGP-RSA-randomized-SHA1-sign quite differently: OpenPGP-RSA-randomized-SHA1-sign(r, d): H = SHA1(H_r(r, d || 0x04FF || len(d))) m = 0x00 || 0x01 || 0xFF || .. || 0xFF || 0x00 || some-new-ASN.1-specifier || r || H return m**d (mod n) H_r(r, d0 || d1 || .. || dn) = d0 ^ r || d1 ^ r || .. || dn ^ r Now, r is included in the RSA signature itself. To get at it, the receiver decodes the RSA message (raises it to the e-th power) and extracts r from it. Then the receiver can start to compute the hash. The some-new-ASN.1-specifier is a constant string specifying this new randomized-SHA1 scheme, because we changed the message and can't give it the same identifier as we use for regular RSA-with-SHA1. In fact, they propose the latter variant, but with RMX instead of H_r, for those cases where the message itself cannot be changed. So that was what I was trying to say: you can include r in the hashed data, or in the signature. They are not proposing to not protect r at all, they are proposing you keep the signature algorithm as it is and include it in the hash. HTH, Peter. [1] http://lists.gnupg.org/pipermail/gnupg-users/2014-November/051761.html [2] This is probably not the best way to include 'r', but it illustrates the method, rather than the actual OpenPGP packets defined. [3] http://webee.technion.ac.il/~hugo/rhash/rhash.pdf -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From peter at digitalbrains.com Sat Dec 13 14:41:53 2014 From: peter at digitalbrains.com (Peter Lebbing) Date: Sat, 13 Dec 2014 14:41:53 +0100 Subject: Mainkey with many subkeys?? In-Reply-To: <5485C5B0.3060604@sumptuouscapital.com> References: <54846C69.2020606@web.de> <5484C270.2040106@dougbarton.email> <5484C3AD.1080407@sumptuouscapital.com> <001e01d012c7$1d6a9320$583fb960$@on.yourweb.de> <54858EED.1060808@sumptuouscapital.com> <000701d012fb$a9f94000$fdebc000$@on.yourweb.de> <5485C5B0.3060604@sumptuouscapital.com> Message-ID: <548C4221.3090101@digitalbrains.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 08/12/14 16:37, Kristian Fiskerstrand wrote: > This key will always be capable of signing by definition In what sense is that? It seems GnuPG is not letting me sign data with a certify-only key: $ gpg2 --edit-key de500b3e [...] pub 2048R/DE500B3E created: 2009-11-12 expires: 2015-10-27 usage: C trust: ultimate validity: ultimate sub 2048R/DE6CDCA1 created: 2009-11-12 expires: 2015-10-27 usage: S sub 2048R/73A33BEE created: 2009-11-12 expires: 2015-10-27 usage: E sub 2048R/B65D8246 created: 2009-12-05 expires: 2015-10-27 usage: A [...] $ echo hoi | gpg2 -u 0xDE500B3E\! -o test_cert_sig.gpg -s gpg: skipped "0xDE500B3E!": Unusable secret key gpg: signing failed: Unusable secret key Peter. - -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From 2014-667rhzu3dc-lists-groups at riseup.net Sat Dec 13 15:52:31 2014 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Sat, 13 Dec 2014 14:52:31 +0000 Subject: Signature-notation %-expandos expanding to strings of zeros In-Reply-To: <132369472.20141206152502@my_localhost> References: <132369472.20141206152502@my_localhost> Message-ID: <15710565144.20141213145231@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Saturday 6 December 2014 at 3:25:02 PM, in , MFPA wrote: > I have the following line in my gpg.conf to generate a > signature notation:- > sig-notation > issuer-fpr at notations.openpgp.fifthhorseman.net=%g > I noticed when verifying signatures in the last few > days that the %g in my recent signatures is expanding > to a string of zeros instead of the fingerprint of the > signing key. Can anybody confirm they also get this? The signature notation generated is:- issuer-fpr at notations.openpgp.fifthhorseman.net=0000000000000000000000000000000000000000 whereas it should be (for example):- issuer-fpr at notations.openpgp.fifthhorseman.net=B3AE7ECA9A8C8B3026A5A0F56B7C74CEB31F25F0 - -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net Don't cry because it is over - smile because it happened -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJUjFK4XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwAAoJEGt8dM6zHyXw/eYH/jN5+zarcsUukIDHcL+nu8xf +vLbgzF52grADdWE+IGiwylmulFnyOfGap7DNivqh45FK3lgskuYKNhJCJ80IavP 1yCe569DMPBPJCr3OfAP/NnZbSTRLs4kupeC3/LqHkn/aBGKcMbn/b+sFTkQwJYb v3UWiv4Qpq1qUzqMVPKNlz5ZDUVN8Vvp8k/7fFmv+kLK4an507xo2S3rcWVGhJ+W To7MVc+6ot/Z+cW3A62ZRaXCVeXd2zRH+6Qc6GVse5sM6jQwJPy/Py8g8fqK2IJf X6cGDHGKdqIbii7RmAl0rPrvb3YKOKHP5dpBbNTMLbZ9s7Peu55QwqjKN8urqUeI vgQBFgoAZgUCVIxSwF8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMAAKCRAXErxGGvd45LpNAQB1/AQBEltEDGIwj6JyfOAsDvn9 2/jbTHyKq+XDkji2LgEA0YYMIjAY90guVnBt5BJWX6TjEuWA2qDeiGuF7OO1cQ8= =yzSp -----END PGP SIGNATURE----- From dave.pawson at gmail.com Sat Dec 13 16:21:21 2014 From: dave.pawson at gmail.com (Dave Pawson) Date: Sat, 13 Dec 2014 15:21:21 +0000 Subject: Linux and windows mix? Message-ID: I asked a few weeks ago about sharing an encrypted file between windows and Linux boxes. Lots of hassle uninstalling an old version of gpg4win (I had to stop the service prior to deleting / uninstalling), but now working well. Thanks for the suggestion. Bash/shell scripts available if wanted. regards -- Dave Pawson XSLT XSL-FO FAQ. Docbook FAQ. http://www.dpawson.co.uk From kristian.fiskerstrand at sumptuouscapital.com Sat Dec 13 15:22:17 2014 From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand) Date: Sat, 13 Dec 2014 15:22:17 +0100 Subject: Mainkey with many subkeys?? In-Reply-To: <548C4221.3090101@digitalbrains.com> References: <54846C69.2020606@web.de> <5484C270.2040106@dougbarton.email> <5484C3AD.1080407@sumptuouscapital.com> <001e01d012c7$1d6a9320$583fb960$@on.yourweb.de> <54858EED.1060808@sumptuouscapital.com> <000701d012fb$a9f94000$fdebc000$@on.yourweb.de> <5485C5B0.3060604@sumptuouscapital.com> <548C4221.3090101@digitalbrains.com> Message-ID: <548C4B99.6030505@sumptuouscapital.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 12/13/2014 02:41 PM, Peter Lebbing wrote: > -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > > On 08/12/14 16:37, Kristian Fiskerstrand wrote: >> This key will always be capable of signing by definition > > In what sense is that? It seems GnuPG is not letting me sign data > with a certify-only key: But you could always generate a new self-signature giving it signing capability. But anyhow, that is a digression, the point remains that a spare S capability does no harm to the security of the key. - -- - ---------------------------- Kristian Fiskerstrand Blog: http://blog.sumptuouscapital.com Twitter: @krifisk - ---------------------------- Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 - ---------------------------- "If you choose to sail upon the seas of banking, build your bank as you would your boat, with the strength to sail safely through any storm." (Jacob Safra (1891?1963)) -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJUjEuXAAoJEPw7F94F4TagmWMP/3HPvVFVT4z6eSHrD3lv6/04 AimNwBp4a5E7po1yHL1+UFJDcow44K/ZmdL4isVP918NcfO+DNaTwN98QA7BCxRb Pj+F/vt4j2Tg+qUCM4RX/nirZQxMVxeRITLRjeG1ptKOKBiLFd+/8N+SVynM1k2u 5iv8taLCBXCRBJQjvGrW7bzWZoL8B1grJvGWOFFnX91zpAvmQJrnQ9/5f/M6otlY tjq8gGf12WAVS+YotcBtkLs3MQxTzCGWH5EFam/pbnKpfqzGPelKd2BFyFAA45kF GmVaOjv3DUnGpYIRqbciDnOdeEIxVJNiaKNgqB0pC0psavpqm94+juqlAy/xsiKr /TIcxWw+BHnq3azRnfcHX6QaXPqI3EtLGftEUSr5wYVOfr3lEJ+XhLiYQBT5lmlk ZNb3ncV2Sg1i5MvqgTgH9k11tq/uv0OmsCyVPuD7set5LGAbknfiLaODFd1NwRYh BrNj2FIyCQ4Knj/Qk0fSrQnk9fqYYi0F3XlrLbL5nARRVx1dxPSo/ZlCi+wnF5cF UoOOso1Fho4fER9o6S3xYb8s/QcOlpDiaJhvbHc+Xi0wcpIIPU/QQNbpzps9mGkh dwWNHjrSxChonur75zTlSUGadzJsVYy5WKV38jXSVL31dkLP5NgcNxroRyrPPina qgBcio7etspFtTqXnNtE =kLI/ -----END PGP SIGNATURE----- From 2014-667rhzu3dc-lists-groups at riseup.net Sat Dec 13 19:41:04 2014 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Sat, 13 Dec 2014 18:41:04 +0000 Subject: Mainkey with many subkeys?? In-Reply-To: <548C4B99.6030505@sumptuouscapital.com> References: <54846C69.2020606@web.de> <5484C270.2040106@dougbarton.email> <5484C3AD.1080407@sumptuouscapital.com> <001e01d012c7$1d6a9320$583fb960$@on.yourweb.de> <54858EED.1060808@sumptuouscapital.com> <000701d012fb$a9f94000$fdebc000$@on.yourweb.de> <5485C5B0.3060604@sumptuouscapital.com> <548C4221.3090101@digitalbrains.com> <548C4B99.6030505@sumptuouscapital.com> Message-ID: <305007585.20141213184104@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Saturday 13 December 2014 at 2:22:17 PM, in , Kristian Fiskerstrand wrote: > But you could always generate a new self-signature > giving it signing capability. As you said in an earlier posting, that requires the use of a hacked GnuPG version. Which would tend to limit how many people are capable or willing. > But anyhow, that is a > digression, the point remains that a spare S capability > does no harm to the security of the key. I think that's true. - -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net People who throw kisses are hopelessly lazy. -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJUjIhDXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwAAoJEGt8dM6zHyXwW9UH/33ceza5Etz54mYgMFD5eXl+ 6lpnU2ilG5hfaATk2KSn692a56jBVykeAqZc8molZH2qNFzGxCFVjZoldtxg+p4h sAKBKdIxdFLU+sXttNJ7R0LeQ8iEldqMl9h5MlYur+4KaPXLgkPt7+t1UyBtQgVS AX259ZwL9ch7ugXvgNNWwl4ciG8Sv8tk7260XPiVJbeesj8p0FNsU+7pJSLBfuYk jY3rej6V6tFHjJjqLxH4iKPGQHdAbCcwadVaZC6pJqloAjKL4EdUoSl1qMRdVs6p xCWjiRT6YL/Edaqz7LkCJw72p6QMxC6+wjQiEaEfJWGRKIQ0GtJynscerdH2We2I vgQBFgoAZgUCVIyISl8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMAAKCRAXErxGGvd45LFhAQAwSDPKnjEp4kv4nMpTqEf6X+Yl A4AFLI0EMYZhULw3CAEAz17AHAuZJpGKUrfU0f1GOeJE2YlLRaa+V2WKkzcbLg0= =zzh7 -----END PGP SIGNATURE----- From samir at samirnassar.com Sat Dec 13 22:18:18 2014 From: samir at samirnassar.com (Samir Nassar) Date: Sat, 13 Dec 2014 22:18:18 +0100 Subject: FYI: Arch linux provides GnuPG (2.1.0) package without ability to use HKPS In-Reply-To: <5646124.V5u6V9t1vH@forge> References: <5646124.V5u6V9t1vH@forge> Message-ID: <1512115.7kEnvnBnUb@forge> On Wednesday, 2014-12-10 21:08:05 Samir Nassar wrote: > The Arch linux GnuPG package 2.1.0-6 is unable to connect to HKPS. As of the latest update to GnuPG 2.1.0-7, thanks to Gaetan Bisson, gpg should work with HKPS -- Samir Nassar samir at samirnassar.com https://samirnassar.com PGP Fingerprint: EE76 B39E 0778 8F95 F796 B044 FE67 9A90 8E99 7AB2 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: This is a digitally signed message part. URL: From mark.hellewell at gmail.com Sun Dec 14 04:22:47 2014 From: mark.hellewell at gmail.com (mark hellewell) Date: Sun, 14 Dec 2014 14:22:47 +1100 Subject: FYI: Arch linux provides GnuPG (2.1.0) package without ability to use HKPS In-Reply-To: <1512115.7kEnvnBnUb@forge> References: <5646124.V5u6V9t1vH@forge> <1512115.7kEnvnBnUb@forge> Message-ID: On 14 December 2014 at 08:18, Samir Nassar wrote: > On Wednesday, 2014-12-10 21:08:05 Samir Nassar wrote: >> The Arch linux GnuPG package 2.1.0-6 is unable to connect to HKPS. > > As of the latest update to GnuPG 2.1.0-7, thanks to Gaetan Bisson, gpg should > work with HKPS What was the underlying problem here? GnuPG needs to be built with GnuTLS support enabled or something? Mark > > -- > Samir Nassar > samir at samirnassar.com > https://samirnassar.com > PGP Fingerprint: EE76 B39E 0778 8F95 F796 B044 FE67 9A90 8E99 7AB2 From tomofr at web.de Sat Dec 13 12:12:16 2014 From: tomofr at web.de (Tomo Ruby) Date: Sat, 13 Dec 2014 12:12:16 +0100 Subject: Mainkey with many subkeys?? In-Reply-To: <1773873520.20141212002744@my_localhost> References: <54846C69.2020606@web.de> <383313055.20141207234004@my_localhost> <5485F277.3020709@web.de> <92971600.20141208234907@my_localhost> <5489A6FE.60001@web.de> <1773873520.20141212002744@my_localhost> Message-ID: <548C1F10.7070702@web.de> > I'm confused. You seemed to be making quite a point of it. (-: I'm confused too, that makes two ;) I didn't think about specific expiration times of subkeys. I tried to figure out why everybody has no revoked subkeys at all... > There are others on this list better placed to answer this. As far as > I know, the only thing actually encrypted to your secret key is the > session key for each message. Peter Lebbing wrote: > For all practical purposes, this is impossible. You don't get an improved chance > of computing the secret key with more ciphertexts and/or signatures; not in any > meaningful way. Ok, so this might be the point I'm missing here. Thinking about encrypting data that seems obvious because (as you wrote too) everyone can produce encrypted data with the public key... But what does "meaningful way" mean? Are there really no reasons to replace keys on a regular basis? Of course besides from > new ideas/standards/technology/exploits such that a > particular key size or algorithm is no longer considered safe, or > something is available with a smaller signature size or other rather irregular reasons? > I was saying that one reason is because a large proportion > of keys do not have a signing subkey. (-; Ok, got that now, tricky answer! :) > I understand the idea of offline main keys, but don't see how the use > case fits my threat model. Well in this point I'm possibly a little paranoid but I don't fully trust any system with internet connection. But if I think about that again: If I replace keys mostly because technology changes I'll have to replace the main key too anyways... -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: OpenPGP digital signature URL: From dkg at fifthhorseman.net Mon Dec 15 02:11:30 2014 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Sun, 14 Dec 2014 20:11:30 -0500 Subject: Signature-notation %-expandos expanding to strings of zeros In-Reply-To: <15710565144.20141213145231@my_localhost> References: <132369472.20141206152502@my_localhost> <15710565144.20141213145231@my_localhost> Message-ID: <548E3542.1020601@fifthhorseman.net> On 12/13/2014 09:52 AM, MFPA wrote: > Can anybody confirm they also get this? > The signature notation generated is:- > > issuer-fpr at notations.openpgp.fifthhorseman.net=0000000000000000000000000000000000000000 > > whereas it should be (for example):- > > issuer-fpr at notations.openpgp.fifthhorseman.net=B3AE7ECA9A8C8B3026A5A0F56B7C74CEB31F25F0 Yes, i'm also seeing this with 2.1.0, though i haven't looked into it in more detail yet. --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 949 bytes Desc: OpenPGP digital signature URL: From wk at gnupg.org Mon Dec 15 08:29:39 2014 From: wk at gnupg.org (Werner Koch) Date: Mon, 15 Dec 2014 08:29:39 +0100 Subject: 31C3 In-Reply-To: <548A3BA7.4010300@riseup.net> (flapflap@riseup.net's message of "Fri, 12 Dec 2014 00:49:43 +0000") References: <87wq5ympw2.fsf@vigenere.g10code.de> <548A3BA7.4010300@riseup.net> Message-ID: <878ui9l6ak.fsf@vigenere.g10code.de> On Fri, 12 Dec 2014 01:49, flapflap at riseup.net said: > is it possible for you (or other FSFE people at the Assembly) to accept > donations for GnuPG (in cash) there? That should be possible. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From wk at gnupg.org Mon Dec 15 08:48:50 2014 From: wk at gnupg.org (Werner Koch) Date: Mon, 15 Dec 2014 08:48:50 +0100 Subject: GnuPG and g10 code Message-ID: <874msxl5el.fsf@vigenere.g10code.de> Hi, last week I basically finished the new infrastructure for www.gnupg.org and posted a new blog entry which you find below in plain text. If anyone has an interesting thing to say about GnuPG and related topics, drop me a note and we can publish it there. The blog part of the site has no comment functions because I find it easier to have discussions by mail. Salam-Shalom, Werner ==== After the release of GnuPG 1.0 in 1999 it turned out that this was not a write once and forget project. The unrestricted availability of the software and public concerns about the acquirement of /PGP Inc./ by /NAI Inc./ (coincidentally at the time of the initial GnuPG release in December 1997) raised a lot of interest by those who always cared about privacy issues. Fortunately the funding of the Windows port by the German Ministry of Economics helped to finance the maintenance and further developments in 1999 and 2000. After that I decided to keep on working on GnuPG full time and founded [g10^code GmbH] in 2001 as a legal framework for it. The company is owned entirely by my brother [Walter] and myself and I like to thank him for his long time support and waive of profit distribution. If you ever wondered about the name: /g10/ is a reference on the German constitution article on freedom of communication (Grundgesetz [Artikel 10]) and a pun on the [G-10] law which allows the secret services to bypass these constitutional guaranteed freedoms. The best known project of g10^code is probably version 2 of GnuPG, which started under the name /NewPG/ as part of the broader /Aegypten/ project. The main goal of Aegypten was to provide support for S/MIME under GNU/Linux and integrate that cleanly with other mail clients, most notably KMail. This project was due to a public tender of the [BSI] (German federal office for information security) and awarded to a consortium of g10^code, [Intevation], and [KDAB]. Another large project is [Gpg4win] which has its roots in a port of GnuPG-2 to Windows done by g10^code as part of a health research project. Another tender awarded to the same consortium extended this port to the now mostly used GnuPG distribution for Windows. Now, how viable is it to run a company for the development of free security software? Not very good I had to realize: the original plan of selling support contracts did not worked out too well due to the lack of resources for marketing. Larger development projects raised most of the revenues but they are not easy to acquire. In the last years we had problems to get new GnuPG related development contracts which turned the company into a one-person show by fall 2012. I actually planned to shut it down in 2013 and to take a straight coder job somewhere. However, as a side effect of Edward Snowden?s brave actions, there was more public demand for privacy tools and thus I concluded that it is worth to keep on working on GnuPG. ????????????????????????????????? year profit wages n balance ????????????????????????????????? 2001 -12000 11000 2 31000 2002 3000 40000 3 32000 2003 -16000 26000 3 35000 2004 3000 45000 4 52000 2005 0 44000 4 56000 2006 2000 48000 3 49000 2007 50000 57000 2 99000 2008 11000 75000 3 94000 2009 -23000 72000 3 68000 2010 28000 74000 2 78000 2011 -41000 63000 2 81000 2012 -16000 54000 2 45000 2013 -10000 32000 1 44000 2014 12000 32000 1 47000 ????????????????????????????????? The table above is a summary of g10^{code}?s balance sheets (in Euro, 2014 are estimations). /profit/ gives the annual net profit or loss, /wages/ are the gross salary costs for the /n/ employed developers, and /balance/ is the balance sheet total. Despite of our low wages we accumulated an estimated loss of 9000 Euro over the last 3 years. The crowdfunding campaign last year proved that there are many people who like to see GnuPG alive and maintained. Despite the huge [costs] of the campaign it allowed me to keep working on GnuPG and I am confident that there will be ways to continue work in 2015. [g10^code GmbH] https://g10code.com [Walter] http://www.u32.de [Artikel 10] http://de.wikipedia.org/wiki/Artikel_10_des_Grundgesetzes_f%C3%BCr_die_Bundesrepublik_Deutschland [G-10] http://en.wikipedia.org/wiki/Gesetz_zur_Beschr%C3%A4nkung_des_Brief-,_Post-_und_Fernmeldegeheimnisses [BSI] http://www.bsi.de/EN/ [Intevation] https://intevation.de/index.en.html [KDAB] https://kdab.com [Gpg4win] http://www.gpg4win.org [costs] file:20140512-rewards-sent.org -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From wk at gnupg.org Mon Dec 15 09:53:19 2014 From: wk at gnupg.org (Werner Koch) Date: Mon, 15 Dec 2014 09:53:19 +0100 Subject: Signature-notation %-expandos expanding to strings of zeros In-Reply-To: <132369472.20141206152502@my_localhost> (MFPA's message of "Sat, 6 Dec 2014 15:25:02 +0000") References: <132369472.20141206152502@my_localhost> Message-ID: <87zjapjnuo.fsf@vigenere.g10code.de> On Sat, 6 Dec 2014 16:25, 2014-667rhzu3dc-lists-groups at riseup.net said: > I noticed when verifying signatures in the last few days that the > %g in my recent signatures is expanding to a string of zeros instead > of the fingerprint of the signing key. Right, there was a regression. Works again; here a test using a subkey gpg: Good signature from "foo bar " [ultimate] gpg: Signature notation: signed-byf at example.org=0000000000000000000000000000000000000000 gpg: Signature notation: signed-byp at example.org=C91D0631309FE8FD3277446BCD6A67456C563330 gpg: Signature notation: signed-byg at example.org=3BCC875789C4D11CBC1A8D2794115DF018AEC210 signed-byf (%f) is all-zero because this is not key signature. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From brian at minton.name Mon Dec 15 13:02:26 2014 From: brian at minton.name (Brian Minton) Date: Mon, 15 Dec 2014 07:02:26 -0500 Subject: GnuPG and g10 code In-Reply-To: <874msxl5el.fsf@vigenere.g10code.de> References: <874msxl5el.fsf@vigenere.g10code.de> Message-ID: Thanks for the good work! Do you get any income from kernel concepts with sale of the OpenPGP smart cards? I prefer to buy products from for-profit companies, and donate only to charities / nonprofit organizations. On Dec 15, 2014 2:54 AM, "Werner Koch" wrote: > Hi, > > last week I basically finished the new infrastructure for www.gnupg.org > and posted a > new blog entry which you find below in plain text. If anyone has an > interesting thing to say about GnuPG and related topics, drop me a note > and we can publish it there. The blog part of the site has no comment > functions because I find it easier to have discussions by mail. > > > Salam-Shalom, > > Werner > > ==== > > > > After the release of GnuPG 1.0 in 1999 it turned out that this was not > a write once and forget project. The unrestricted availability of the > software and public concerns about the acquirement of /PGP Inc./ by > /NAI Inc./ (coincidentally at the time of the initial GnuPG release in > December 1997) raised a lot of interest by those who always cared > about privacy issues. > > Fortunately the funding of the Windows port by the German Ministry of > Economics helped to finance the maintenance and further developments > in 1999 and 2000. After that I decided to keep on working on GnuPG > full time and founded [g10^code GmbH] in 2001 as a legal framework for > it. The company is owned entirely by my brother [Walter] and myself > and I like to thank him for his long time support and waive of profit > distribution. If you ever wondered about the name: /g10/ is a > reference on the German constitution article on freedom of > communication (Grundgesetz [Artikel 10]) and a pun on the [G-10] law > which allows the secret services to bypass these constitutional > guaranteed freedoms. > > The best known project of g10^code is probably version 2 of GnuPG, > which started under the name /NewPG/ as part of the broader /Aegypten/ > project. The main goal of Aegypten was to provide support for S/MIME > under GNU/Linux and integrate that cleanly with other mail clients, > most notably KMail. This project was due to a public tender of the > [BSI] (German federal office for information security) and awarded to > a consortium of g10^code, [Intevation], and [KDAB]. Another large > project is [Gpg4win] which has its roots in a port of GnuPG-2 to > Windows done by g10^code as part of a health research project. > Another tender awarded to the same consortium extended this port to > the now mostly used GnuPG distribution for Windows. > > Now, how viable is it to run a company for the development of free > security software? Not very good I had to realize: the original plan > of selling support contracts did not worked out too well due to the > lack of resources for marketing. Larger development projects raised > most of the revenues but they are not easy to acquire. In the last > years we had problems to get new GnuPG related development contracts > which turned the company into a one-person show by fall 2012. I > actually planned to shut it down in 2013 and to take a straight coder > job somewhere. However, as a side effect of Edward Snowden?s brave > actions, there was more public demand for privacy tools and thus I > concluded that it is worth to keep on working on GnuPG. > > ????????????????????????????????? > year profit wages n balance > ????????????????????????????????? > 2001 -12000 11000 2 31000 > 2002 3000 40000 3 32000 > 2003 -16000 26000 3 35000 > 2004 3000 45000 4 52000 > 2005 0 44000 4 56000 > 2006 2000 48000 3 49000 > 2007 50000 57000 2 99000 > 2008 11000 75000 3 94000 > 2009 -23000 72000 3 68000 > 2010 28000 74000 2 78000 > 2011 -41000 63000 2 81000 > 2012 -16000 54000 2 45000 > 2013 -10000 32000 1 44000 > 2014 12000 32000 1 47000 > ????????????????????????????????? > > The table above is a summary of g10^{code}?s balance sheets (in Euro, > 2014 are estimations). /profit/ gives the annual net profit or loss, > /wages/ are the gross salary costs for the /n/ employed developers, > and /balance/ is the balance sheet total. Despite of our low wages we > accumulated an estimated loss of 9000 Euro over the last 3 years. The > crowdfunding campaign last year proved that there are many people who > like to see GnuPG alive and maintained. Despite the huge [costs] of > the campaign it allowed me to keep working on GnuPG and I am confident > that there will be ways to continue work in 2015. > > > [g10^code GmbH] https://g10code.com > > [Walter] http://www.u32.de > > [Artikel 10] > > http://de.wikipedia.org/wiki/Artikel_10_des_Grundgesetzes_f%C3%BCr_die_Bundesrepublik_Deutschland > > [G-10] > > http://en.wikipedia.org/wiki/Gesetz_zur_Beschr%C3%A4nkung_des_Brief-,_Post-_und_Fernmeldegeheimnisses > > [BSI] http://www.bsi.de/EN/ > > [Intevation] https://intevation.de/index.en.html > > [KDAB] https://kdab.com > > [Gpg4win] http://www.gpg4win.org > > [costs] file:20140512-rewards-sent.org > > > -- > Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From rjh at sixdemonbag.org Mon Dec 15 19:40:22 2014 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 15 Dec 2014 13:40:22 -0500 Subject: Thoughts on Keybase Message-ID: <548F2B16.1030703@sixdemonbag.org> Keybase (https://keybase.io) is trying to solve the Web of Trust problem in a new way. They're currently in beta, but I was able to snag an invitation. (I have no invites to give out, unfortunately.) The following is just a write-up on how it works and what my impressions of it are. You may find it interesting. You may not. :) ===== 1. SO WHAT'S THE PROBLEM WITH THE WoT? In a nutshell, "everything." In my own experience, the Web of Trust goes pretty much completely unused. There are several reasons for this. The first is that trust is intransitive: if Alice trusts Bob and Bob trusts Charlene, it doesn't necessarily follow that Alice trusts Charlene. (I like to imagine that Alice and Charlene were competing for Bob's affections once upon a time, and that Alice still wishes Bob wouldn't trust that hussy.[1]) The dream of the Web of Trust is that trust chains would form and Alice would be able to trust Charlene's certificate as well as Doug's and Elaine's and all the way on through to Xavier, Yvonne and Zenobia. Unfortunately, it doesn't work that way. If Alice trusts Bob, that means Alice has to trust all those people trusted by Bob... or even all those people trusted by all those people trusted by Bob... or even all those people trusted by all those people trusted by all those people trusted by Bob. It gets impractical really fast. In twenty years of using PGP and GnuPG, I've relied on the Web of Trust a total of something like six times. It was a neat idea, but as far as general rollout goes it's been a dismal failure. 2. OKAY, SO YOU CONFIRM EVERYTHING VIA VOICE. Voice doesn't give us much confidence in identity. Voice allows us to do out-of-band verification [2], but it doesn't let us confirm identity. Most people think identity is something that gets proven by documents, but identity is actually a lot more nebulous than that. I normally require two forms of government-issued identity documents before I'll sign a certificate, but I haven't seen two government-issued identity documents from my own mother. That doesn't mean I think she's not my mother. It means I've somewhere along the line done an identity verification that has nothing to do with documents. 3. SO WHAT'S IDENTITY, ANYWAY? In a phrase, identity is the name we give to continuity of agency over time. Knowing who's responsible for something right here, now, in this moment, is all well-and-good, but it's also kind of trivial: "the person standing there with a smoking gun is the one who's responsible for the body on the floor." Doesn't tell you very much, really. But knowing that person is also "the person who bought a bagel at a delicatessen yesterday" and "the person who's driven a Peugeot to work every day for the last three years" and "the person who for the last several years has lived at this address" all builds up to give us a sense of *what choices this person has made* (agency) and *over what time frame these choices have been made* (time). Once we have a concept of agency over time, that by itself is an identity. A legal name specifies an agent, but not an identity. Identity requires history. A track record. A paper trail, as it were. 4. SO WHAT'S THE RELEVANCE TO KEYBASE? Keybase has given up on the Web of Trust and on using official government records to prove who people are. Instead, proofs are established by *what you've done* (agency) and *for how long you've been able to do it* (time). For instance, visit this website: https://keybase.io/rjh You'll see a list of several "what I can do"s. Key 0xD6B98E10 has been used to sign a tweet containing an assertion of identity: "I am Rob Hansen, robertjhansen on Twitter." Thereby, key 0xD6B98E10 has been bound to my Twitter social-media identity [3]. You can pull this tweet down from Twitter's own servers and verify the statement yourself; you don't have to take keybase's word for it. (In fact, you probably *should* verify it for yourself.) Likewise, I've made similar statements of identity for my GitHub account and for a couple of web pages I run. These disparate activities comprise a record of things I have done (agency) over a time period (time), which is ... identity. 5. BUT YOU'RE NOT REALLY PROVING ANYTHING! It would be pretty foolish to think my legal name was Rob Hansen based solely on keybase, yes. Keybase makes no assertion that someone is correctly representing their legal name. But how many of us really care about that? The more common use case seems to be that we want to know we're not being catfished [4]. I could be named Maurice Micklewhite and it wouldn't change the fact that I control that Twitter account, that GitHub account, or those webpages. If the fraction of my identity that you care about maps well to that realm, then keybase is a pretty effective way to verify that fraction. 6. FRACTIONS OF AN IDENTITY? Sure. People on this list know a completely different me than my parents do. You're the only one who knows the fullness of the choices you've made over the course of your life: you're the only one who knows who you truly are when the chips are down. The rest of us only ever get to see a fraction of the true identity. 7. SO DO YOU SEE KEYBASE MAKING A BIG DIFFERENCE? Given how miserable the WoT's adoption rate is, any improvement will be a big difference. In its present form I don't see it as making a big difference to the world at large, though. Right now keybase allows you to certify your Twitter, GitHub, Reddit, CoinBase, and Hacker News identities, as well as BitCoin addresses and any web pages you control. For the geek cognoscenti that's great, but for the world at large it's not going to matter half a damn until and unless keybase gets either Google+ or Facebook on board. 8. CLOSING THOUGHTS It's a cool idea and worth looking into. https://keybase.io. :) [1] Americanism: "an impudent or immoral woman." Generally considered rude, but not profane. [2] Kind-of sort-of: most phone traffic nowadays flows over the network, so it's actually in-band. [3] I rarely if ever use Twitter. If you're a Twitter fiend feel free to follow me, but don't expect much. [4] Americanism: "identity deception." From rjh at sixdemonbag.org Mon Dec 15 19:57:50 2014 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 15 Dec 2014 13:57:50 -0500 Subject: Holidays Message-ID: <548F2F2E.6080600@sixdemonbag.org> Just like in past years, I'm going to celebrate Christmas by making a donation to g10 Code for continued maintenance and support of GnuPG. Not only that, but from now until January 6 I'll match any contributions that *you* make, dollar for dollar and euro for euro, up to $500. You can donate at the web site, you can hand the money to Werner in person, I don't care. Merry Christmas to everyone, and a giant thank-you to all the contributors for putting together software worth supporting. :) (Why January 6? Because that's the end of the Christmas season. Twelfth Night is the evening of January 5.) From martin-gnupg-users at dkyb.de Mon Dec 15 20:12:36 2014 From: martin-gnupg-users at dkyb.de (Martin Behrendt) Date: Mon, 15 Dec 2014 20:12:36 +0100 Subject: Holidays In-Reply-To: <548F2F2E.6080600@sixdemonbag.org> References: <548F2F2E.6080600@sixdemonbag.org> Message-ID: <548F32A4.8020008@dkyb.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Am 15.12.2014 um 19:57 schrieb Robert J. Hansen: > Not only that, but from now until January 6 I'll match any > contributions that *you* make, dollar for dollar and euro for euro, > up to $500. Just out of curiosity, at which EUR-USD exchange rate are you at? And how do you treat multiple donations by the same person? :) Greetings Martin -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAlSPMqIACgkQ/6vdZgk46si53wCgyNkYByjSaZkgwOP+/DmUlWgE cjQAoKK0eSbhDTmMyUStPJmMvhxV1f7L =N8kD -----END PGP SIGNATURE----- From rjh at sixdemonbag.org Mon Dec 15 20:40:40 2014 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 15 Dec 2014 14:40:40 -0500 Subject: Holidays In-Reply-To: <548F32A4.8020008@dkyb.de> References: <548F2F2E.6080600@sixdemonbag.org> <548F32A4.8020008@dkyb.de> Message-ID: <548F3938.6080302@sixdemonbag.org> > Just out of curiosity, at which EUR-USD exchange rate are you at? That's an "ask my bank" issue. On January 6 I'll ask Werner for how much I owe him, which I imagine he'll quote to me in euros. I'll call up my bank, get that number converted to USD, and make an appropriate-sized donation. Today the exchange rate is $1.25 USD = 1 EUR. I don't imagine that rate will fluctuate wildly by January 6, but it'll probably vary some. > And how do you treat multiple donations by the same person? :) I don't. This is a sum total. If individual donations amount to $400 USD, then I pay out $400 USD, regardless of whether it's one person donating $400, four people donating $100, one person donating $100 four times, or whatever. (And as a special bonus, if the space aliens from Zarbnulax are reading this, I'll match you guys two-for-one, but only if you let me play with your quantum computers that can brute-force RSA in realtime.) From 2014-667rhzu3dc-lists-groups at riseup.net Mon Dec 15 21:31:22 2014 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Mon, 15 Dec 2014 20:31:22 +0000 Subject: Signature-notation %-expandos expanding to strings of zeros In-Reply-To: <87zjapjnuo.fsf@vigenere.g10code.de> References: <132369472.20141206152502@my_localhost> <87zjapjnuo.fsf@vigenere.g10code.de> Message-ID: <66501187.20141215203122@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Monday 15 December 2014 at 8:53:19 AM, in , Werner Koch wrote: > On Sat, 6 Dec 2014 16:25, > 2014-667rhzu3dc-lists-groups at riseup.net said: > Right, there was a regression. Works again; here a > test using a subkey Thank you. - -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net Put candles on your birthday cake to make light of your age. -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJUj0UdXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwAAoJEGt8dM6zHyXwj5cIAK+XFP1fQC1DFoVCHWnEdruG 0xLh0BMlXSj97ZG4uI45awHFm/q9ttD7Xv0IOTX36HBC/SBT8V8nEpyaxRSKVBsy OY6bZNy93ESe0IKLLOLABao3ZDFD3E9tfsWYGS72v+oZC2JHT5eg4ZPQXi7y4sUj +pOHe+EBoOP8OrCfKTPYAhY5U238XcjtK13AKRqhgELLy9h0mh4ZugMjAa1eDvj2 5k0v6tOV/eLHqqrvOgm930una6Me1+huWCArc9tNNN2H89aM50GaZ859ttaZb3sN mlHLMRTB3yNor562PMOCQpQNuGxW6eti0N7Dgmj3bdNRpSUI+NNEQPsbxnoXPpeI vgQBFgoAZgUCVI9FHV8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMAAKCRAXErxGGvd45OWXAQBxHUdnOyLwNbcj8SQYbxtJ/0AA Rfevrbj26j6YJUXF5AEAQniABUgA4lhYObSUZ+xnEYQ7yK5t1W1KzF0CcKpD0QI= =/pHB -----END PGP SIGNATURE----- From florin at andrei.myip.org Tue Dec 16 02:43:27 2014 From: florin at andrei.myip.org (Florin Andrei) Date: Mon, 15 Dec 2014 17:43:27 -0800 Subject: gpg-agent + smartcards + OS X 10.10 = lots of problems Message-ID: <548F8E3F.904@andrei.myip.org> I'm generating and storing ssh keys on smartcards, and I use gpg-agent in ssh-agent emulation mode for authentication. This is what I have in gpg-agent.conf: pinentry-program [various pinentry apps] enable-ssh-support write-env-file use-standard-socket default-cache-ttl 600 max-cache-ttl 7200 Then in ~/.bash_profile I have this: source ~/.gpg-agent-info This is the smartcard type I use - the YubiKey NEO: https://www.yubico.com/products/yubikey-hardware/yubikey-neo/ I use gpg and gpg-agent version 2.0.26 from Homebrew. I have also tried GPGTools, but the results are the same. https://gpgtools.org/ After launching the agent with "gpg-agent --daemon", the ssh client will authenticate using the key stored on the smartcard, everything works just great. At least that was the case on OS X 10.9. After upgrading to 10.10, I've had lots of issues. Authentication seems to work for a while after I boot up and log into my account, but then after 1 hour, maybe 2, it stops working. Sometimes ssh sessions get stuck somewhere in authentication; other times authentication just fails. If I kill gpg-agent and restart it, and unplug / replug the smartcard, everything works again - for a while. Then later again authentication starts having problems, and I have to do the kill / relaunch / unplug / replug song and dance all over again. I've heard there were some changes in the smartcard framework in 10.10, but I'm not sure how relevant that is to this issue. Any idea what I can do to get the smartcards working again? (other than downgrade to OS X 10.9) -- Florin Andrei http://florin.myip.org/ From harningt at gmail.com Tue Dec 16 03:07:01 2014 From: harningt at gmail.com (Thomas Harning Jr.) Date: Tue, 16 Dec 2014 02:07:01 +0000 Subject: gpg-agent + smartcards + OS X 10.10 = lots of problems References: <548F8E3F.904@andrei.myip.org> Message-ID: OSX 10.10 has many known issues regarding PC/SC compatibility. See Ludovic Rousseau's blog which illustrates some issues: http://ludovicrousseau.blogspot.com/2014/12/os-x-yosemite-and-smart-cards-known-bugs.html On Mon, Dec 15, 2014, 8:45 PM Florin Andrei wrote: > I'm generating and storing ssh keys on smartcards, and I use gpg-agent > in ssh-agent emulation mode for authentication. This is what I have in > gpg-agent.conf: > > pinentry-program [various pinentry apps] > enable-ssh-support > write-env-file > use-standard-socket > default-cache-ttl 600 > max-cache-ttl 7200 > > Then in ~/.bash_profile I have this: > > source ~/.gpg-agent-info > > This is the smartcard type I use - the YubiKey NEO: > > https://www.yubico.com/products/yubikey-hardware/yubikey-neo/ > > I use gpg and gpg-agent version 2.0.26 from Homebrew. I have also tried > GPGTools, but the results are the same. > > https://gpgtools.org/ > > After launching the agent with "gpg-agent --daemon", the ssh client will > authenticate using the key stored on the smartcard, everything works > just great. At least that was the case on OS X 10.9. > > After upgrading to 10.10, I've had lots of issues. Authentication seems > to work for a while after I boot up and log into my account, but then > after 1 hour, maybe 2, it stops working. Sometimes ssh sessions get > stuck somewhere in authentication; other times authentication just fails. > > If I kill gpg-agent and restart it, and unplug / replug the smartcard, > everything works again - for a while. Then later again authentication > starts having problems, and I have to do the kill / relaunch / unplug / > replug song and dance all over again. > > I've heard there were some changes in the smartcard framework in 10.10, > but I'm not sure how relevant that is to this issue. > > Any idea what I can do to get the smartcards working again? (other than > downgrade to OS X 10.9) > > -- > Florin Andrei > http://florin.myip.org/ > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From wk at gnupg.org Tue Dec 16 10:06:42 2014 From: wk at gnupg.org (Werner Koch) Date: Tue, 16 Dec 2014 10:06:42 +0100 Subject: GnuPG and g10 code In-Reply-To: (Brian Minton's message of "Mon, 15 Dec 2014 07:02:26 -0500") References: <874msxl5el.fsf@vigenere.g10code.de> Message-ID: <87tx0wezfh.fsf@vigenere.g10code.de> On Mon, 15 Dec 2014 13:02, brian at minton.name said: > Thanks for the good work! Do you get any income from kernel concepts with > sale of the OpenPGP smart cards? I prefer to buy products from for-profit > companies, and donate only to charities / nonprofit organizations. Initially I distributed few hundreds cards myself; however this is a lot of work given that my business is not setup for distributing small physical goods. Thus I asked Petra of kernelconcepts whether they want to do take care of it. They do not make a lot of profit from the cards and thus I do not ask for a share of it. g10 Code is not a charity but there have been talks on how to set up a charitable entity to support crypto projects. I hope that we can establish this by next spring. In the meantime you may donate to the Wau Holland Stiftung which is a charity and will use these donation to pay for development work on GnuPG. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From dave.pawson at gmail.com Tue Dec 16 11:11:32 2014 From: dave.pawson at gmail.com (Dave Pawson) Date: Tue, 16 Dec 2014 10:11:32 +0000 Subject: GnuPG and g10 code In-Reply-To: <87tx0wezfh.fsf@vigenere.g10code.de> References: <874msxl5el.fsf@vigenere.g10code.de> <87tx0wezfh.fsf@vigenere.g10code.de> Message-ID: Hi Werner. 1. I knew nothing about this smart card. 2 Searched on Google. Found http://shop.kernelconcepts.de/product_info.php from there I see For more information, please visit this products webpage. Sadly that page is 404 http://www.hidglobal.de/products/readers/omnikeyindex.php?id=20 Where can I read a user view of this product and software please? regards On 16 December 2014 at 09:06, Werner Koch wrote: > On Mon, 15 Dec 2014 13:02, brian at minton.name said: >> Thanks for the good work! Do you get any income from kernel concepts with >> sale of the OpenPGP smart cards? I prefer to buy products from for-profit >> companies, and donate only to charities / nonprofit organizations. > > Initially I distributed few hundreds cards myself; however this is a lot > of work given that my business is not setup for distributing small > physical goods. Thus I asked Petra of kernelconcepts whether they want > to do take care of it. They do not make a lot of profit from the cards > and thus I do not ask for a share of it. > > g10 Code is not a charity but there have been talks on how to set up a > charitable entity to support crypto projects. I hope that we can > establish this by next spring. In the meantime you may donate to the > Wau Holland Stiftung which > is a charity and will use these donation to pay for development work on > GnuPG. > > > Salam-Shalom, > > Werner > > -- > Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -- Dave Pawson XSLT XSL-FO FAQ. Docbook FAQ. http://www.dpawson.co.uk From 2014-667rhzu3dc-lists-groups at riseup.net Tue Dec 16 12:31:20 2014 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Tue, 16 Dec 2014 11:31:20 +0000 Subject: OpenPGP card (Was Re: GnuPG and g10 code) In-Reply-To: References: <874msxl5el.fsf@vigenere.g10code.de> <87tx0wezfh.fsf@vigenere.g10code.de> Message-ID: <161651651.20141216113120@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Tuesday 16 December 2014 at 10:11:32 AM, in , Dave Pawson wrote: > Hi Werner. 1. I knew nothing about this smart card. 2 > Searched on Google. Found > http://shop.kernelconcepts.de/product_info.php > from there I see For more information, please visit > this products webpage. > Sadly that page is 404 Try . - -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net People who throw kisses are hopelessly lazy. -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJUkBgKXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwAAoJEGt8dM6zHyXwdKsH/A2D5cyADfszK5n5c0LRhI/q EYpWNp8x/6nI9A9Gb0zVteQxRs+/hDu01YjL9Tw7LLY5nCvLxQ8hdoYTzu9a/i5h grQZT+pQ5P73FrVnSQt9wcVs47ZJgPU4n70OKH8EHiSNu/+6Xg41yocTYAPjXH8e x+7nif264ZhV4UDtr/gjEBpzns6YDb6mtdu1zloqgMPMJ3V8A9oKZrnJeaz+6jvH bRP+fLYL8Bx17MxwLo6FJpTHUto3aTmVr3/ioBmZyUQ5r95864xeHIuWYsDybUN4 Nq41HUeY+zJGybs3m2y+NJJm04kBcQe2GAZvEOY3T+W+518qNDz6701YJ93V0A6I vgQBFgoAZgUCVJAYGV8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMAAKCRAXErxGGvd45C+mAQC+QN5UjPf7y5K70zoAKCDrf/pD Yuc7Ux71F4SGLySSAwEAoDFzKR9nwiDBni9wS3K+PytXv3/gtMnW8xIp7ZgxRQw= =dDPJ -----END PGP SIGNATURE----- From dave.pawson at gmail.com Tue Dec 16 12:39:49 2014 From: dave.pawson at gmail.com (Dave Pawson) Date: Tue, 16 Dec 2014 11:39:49 +0000 Subject: OpenPGP card (Was Re: GnuPG and g10 code) In-Reply-To: <161651651.20141216113120@my_localhost> References: <874msxl5el.fsf@vigenere.g10code.de> <87tx0wezfh.fsf@vigenere.g10code.de> <161651651.20141216113120@my_localhost> Message-ID: On 16 December 2014 at 11:31, MFPA <2014-667rhzu3dc-lists-groups at riseup.net> wrote: >> from there I see For more information, please visit >> this products webpage. > >> Sadly that page is 404 > > Try . Which links on to the GNU pgp page? all written by techies, for techies? Nothing to explain what it's all about, how it might be used, why it is useful etc? IMHO that class of information would help to raise interest. My first question was, can I install a reader and use 'my' card to log on to my computer? No idea. Next? What else can I use a card/card reader for? Not answered. regards -- Dave Pawson XSLT XSL-FO FAQ. Docbook FAQ. http://www.dpawson.co.uk From wk at gnupg.org Tue Dec 16 13:16:48 2014 From: wk at gnupg.org (Werner Koch) Date: Tue, 16 Dec 2014 13:16:48 +0100 Subject: GnuPG and g10 code In-Reply-To: (Dave Pawson's message of "Tue, 16 Dec 2014 10:11:32 +0000") References: <874msxl5el.fsf@vigenere.g10code.de> <87tx0wezfh.fsf@vigenere.g10code.de> Message-ID: <87tx0veqmn.fsf@vigenere.g10code.de> On Tue, 16 Dec 2014 11:11, dave.pawson at gmail.com said: > 1. I knew nothing about this smart card. > 2 Searched on Google. Found http://shop.kernelconcepts.de/product_info.php What about: https://en.wikipedia.org/wiki/OpenPGP_card and the second section of https://gnupg.org/documentation/howtos.html Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From wk at gnupg.org Tue Dec 16 13:22:29 2014 From: wk at gnupg.org (Werner Koch) Date: Tue, 16 Dec 2014 13:22:29 +0100 Subject: card is permanently locked! In-Reply-To: (Maxwell Farrior's message of "Sat, 15 Nov 2014 13:36:17 -0500") References: Message-ID: <87ppbjeqd6.fsf@vigenere.g10code.de> Hi, while testing the forthcoming 2.1 cards (only minor changes) I found out that the old instructions on how to reset the card didn't worked always. The corrected script is --8<---------------cut here---------------start------------->8--- scd reset scd serialno undefined scd apdu 00 A4 04 00 06 D2 76 00 01 24 01 scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 scd apdu 00 e6 00 00 scd reset scd serialno undefined scd apdu 00 A4 04 00 06 D2 76 00 01 24 01 scd apdu 00 44 00 00 /echo Card has been reset to factory defaults /bye --8<---------------cut here---------------end--------------->8--- Put this into a file, say, "resetcard.scd" and run gpg-connect-agent --hex --run resetcard.scd This should reset all cards unless you are using the secure-messaging feature, which is not used by GnuPG. GnuPG 2.1.1 will have a "factory-reset" command for the --edit-card menu. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From dave.pawson at gmail.com Tue Dec 16 13:26:05 2014 From: dave.pawson at gmail.com (Dave Pawson) Date: Tue, 16 Dec 2014 12:26:05 +0000 Subject: GnuPG and g10 code In-Reply-To: <87tx0veqmn.fsf@vigenere.g10code.de> References: <874msxl5el.fsf@vigenere.g10code.de> <87tx0wezfh.fsf@vigenere.g10code.de> <87tx0veqmn.fsf@vigenere.g10code.de> Message-ID: On 16 December 2014 at 12:16, Werner Koch wrote: > On Tue, 16 Dec 2014 11:11, dave.pawson at gmail.com said: > >> 1. I knew nothing about this smart card. >> 2 Searched on Google. Found http://shop.kernelconcepts.de/product_info.php > > What about: > > https://en.wikipedia.org/wiki/OpenPGP_card (IMHO) pure geekery copied from one of the other pages? > > and the second section of > > https://gnupg.org/documentation/howtos.html https://gnupg.org/howtos/card-howto/en/smartcard-howto-single.html#id2456468 Note how quickly it gets into using GPG? Then into software installation? Missing, the layer above this, the marketing 'spiel'. OK, it could be me (I don't think it is). Simple question, WTF is thing all about? I have lots of credit cards (are they smart? No idea). I know what to do with them. I think this thing is different, so my first question is what is it for? Why should I be interested, what can it do (especially as it costs....?80 Euro with reader?) As if you are talking to your little sister (big sister, anyone one non-geek :-) tell me (us) what it offers? I'll shut up now regards > > > > Shalom-Salam, > > Werner > > > -- > Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. > -- Dave Pawson XSLT XSL-FO FAQ. Docbook FAQ. http://www.dpawson.co.uk From wk at gnupg.org Tue Dec 16 17:36:19 2014 From: wk at gnupg.org (Werner Koch) Date: Tue, 16 Dec 2014 17:36:19 +0100 Subject: [Announce] GnuPG 2.1.1 released Message-ID: <874msveem4.fsf@vigenere.g10code.de> Hello! The GnuPG Project is pleased to announce the availability of the second release of GnuPG modern: Version 2.1.1. The GNU Privacy Guard (GnuPG) is a complete and free implementation of the OpenPGP standard as defined by RFC-4880 and better known as PGP. GnuPG, also known as GPG, allows to encrypt and sign data and communication, features a versatile key management system as well as access modules for public key directories. GnuPG itself is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries making use of GnuPG are available. Since version 2 GnuPG provides support for S/MIME and Secure Shell in addition to OpenPGP. GnuPG is Free Software (meaning that it respects your freedom). It can be freely used, modified and distributed under the terms of the GNU General Public License. Three different versions of GnuPG are actively maintained: - GnuPG "modern" (2.1) is the latest development with a lot of new features. This announcement is about the first release of this version. - GnuPG "stable" (2.0) is the current stable version for general use. This is what most users are currently using. - GnuPG "classic" (1.4) is the old standalone version which is most suitable for older or embedded platforms. You may not install "modern" (2.1) and "stable" (2.0) at the same time. However, it is possible to install "classic" (1.4) along with any of the other versions. What's New in GnuPG-2.1 ======================= * gpg: Detect faulty use of --verify on detached signatures. * gpg: New import option "keep-ownertrust". * gpg: New sub-command "factory-reset" for --card-edit. * gpg: A stub key for smartcards is now created by --card-status. * gpg: Fixed regression in --refresh-keys. * gpg: Fixed regresion in %g and %p codes for --sig-notation. * gpg: Fixed best matching hash algo detection for ECDSA and EdDSA. * gpg: Improved perceived speed of secret key listisngs. * gpg: Print number of skipped PGP-2 keys on import. * gpg: Removed the option aliases --throw-keyid and --notation-data; use --throw-keyids and --set-notation instead. * gpg: New import option "keep-ownertrust". * gpg: Skip too large keys during import. * gpg,gpgsm: New option --no-autostart to avoid starting gpg-agent or dirmngr. * gpg-agent: New option --extra-socket to provide a restricted command set for use with remote clients. * gpgconf --kill does not anymore start a service only to kill it. * gpg-pconnect-agent: Add convenience option --uiserver. * Fixed keyserver access for Windows. * Fixed build problems on Mac OS X * The Windows installer does now install development files * More translations (but most of them are not complete). * To support remotely mounted home directories, the IPC sockets may now be redirected. This feature requires Libassuan 2.2.0. * Improved portability and the usual bunch of bug fixes. A detailed description of the changes found in 2.1 can be found at https://gnupg.org/faq/whats-new-in-2.1.html . Getting the Software ==================== Please follow the instructions found at https://gnupg.org/download/ or read on: GnuPG 2.1.1 may be downloaded from one of the GnuPG mirror sites or direct from its primary FTP server. The list of mirrors can be found at https://gnupg.org/mirrors.html . Note that GnuPG is not available at ftp.gnu.org. On ftp.gnupg.org you find these files: ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.1.tar.bz2 (4689k) ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.1.tar.bz2.sig This is the GnuPG 2.1 source code compressed using BZIP2 and its OpenPGP signature. ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.1_20141216.exe (6364k) ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.1_20141216.exe.sig This is an *experimental* installer for Windows including GPA as graphical key manager and GpgEX as an Explorer extension. Please de-install an already installed Gpg4win version before trying this installer. This binary version has not been tested very well, thus it is likely that you will run into problems. The complete source code for the software included in this installer is in the same directory with ".exe" replaced by ".tar.xz". This version fixes a lot of bugs found after the release of 2.1.0 but there are still known bugs which we are working on. Please check the mailing list archives and https://wiki.gnupg.org for known problems and workaround. Checking the Integrity ====================== In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways: * If you already have a version of GnuPG installed, you can simply verify the supplied signature. For example to verify the signature of the file gnupg-2.1.1.tar.bz2 you would use this command: gpg --verify gnupg-2.1.1.tar.bz2.sig gnupg-2.1.1.tar.bz2 This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by one or more of the release signing keys. Make sure that this is a valid key, either by matching the shown fingerprint against a trustworthy list of valid release signing keys or by checking that the key has been signed by trustworthy other keys. See below for information on the signing keys. * If you are not able to use an existing version of GnuPG, you have to verify the SHA-1 checksum. On Unix systems the command to do this is either "sha1sum" or "shasum". Assuming you downloaded the file gnupg-2.1.1.tar.bz2, you would run the command like this: sha1sum gnupg-2.1.1.tar.bz2 and check that the output matches the first line from the following list: 3d11fd150cf86f842d077437edb119a775c7325d gnupg-2.1.1.tar.bz2 fb541b8685b78541c9b2fadb026787f535863b4a gnupg-w32-2.1.1_20141216.exe 72d65f33d070aeb1894b0415533aad1a131899f4 gnupg-w32-2.1.1_20141216.tar.xz Release Signing Keys ==================== To guarantee that a downloaded GnuPG version has not been tampered by malicious entities we provide signature files for all tarballs and binary versions. The keys are also signed by the long term keys of their respective owners. Current releases are signed by one or more of these four keys: 2048R/4F25E3B6 2011-01-12 [expires: 2019-12-31] Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6 Werner Koch (dist sig) rsa2048/E0856959 2014-10-29 [expires: 2019-12-31] Key fingerprint = 46CC 7308 65BB 5C78 EBAB ADCF 0437 6F3E E085 6959 David Shaw (GnuPG Release Signing Key) rsa2048/33BD3F06 2014-10-29 [expires: 2016-10-28] Key fingerprint = 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06 NIIBE Yutaka (GnuPG Release Key) rsa2048/7EFD60D9 2014-10-19 [expires: 2020-12-31] Key fingerprint = D238 EA65 D64C 67ED 4C30 73F2 8A86 1B1C 7EFD 60D9 Werner Koch (Release Signing Key) You may retrieve these files from the keyservers using this command gpg --recv-keys 249B39D24F25E3B6 04376F3EE0856959 \ 2071B08A33BD3F06 8A861B1C7EFD60D9 The keys are also available at https://gnupg.org/signature_key.html and in the released GnuPG tarball in the file g10/distsigkey.gpg . Note that this mail has been signed using my standard PGP key. Internationalization ==================== This version of GnuPG has support for 26 languages with Chinese, Czech, French, German, Japanese, Russian, and Ukrainian being almost completely translated (2061 different strings). Documentation ============= If you used GnuPG in the past you should read the description of changes and new features at doc/whats-new-in-2.1.txt or online at https://gnupg.org/faq/whats-new-in-2.1.html The file gnupg.info has the complete user manual of the system. Separate man pages are included as well but they have not all the details available as are the manual. It is also possible to read the complete manual online in HTML format at https://gnupg.org/documentation/manuals/gnupg/ or in Portable Document Format at https://gnupg.org/documentation/manuals/gnupg.pdf . The chapters on gpg-agent, gpg and gpgsm include information on how to set up the whole thing. You may also want search the GnuPG mailing list archives or ask on the gnupg-users mailing lists for advise on how to solve problems. Many of the new features are around for several years and thus enough public knowledge is already available. You may also want to follow postings at https://gnupg.org/blob/. Support ======== Please consult the archive of the gnupg-users mailing list before reporting a bug . We suggest to send bug reports for a new release to this list in favor of filing a bug at . For commercial support requests we keep a list of known service companies at: https://gnupg.org/service.html The driving force behind the development of GnuPG is the company of its principal author, Werner Koch. Maintenance and improvement of GnuPG and related software takes up most of their resources. To allow him to continue this work he kindly asks to either purchase a support contract, engage g10 Code for custom enhancements, or to donate money: https://gnupg.org/donate/ Thanks ====== We have to thank all the people who helped with this release, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word, and answering questions on the mailing lists. Finally, a big Thank You to all who helped greatly by donating money. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 180 bytes Desc: not available URL: -------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From wk at gnupg.org Tue Dec 16 17:36:19 2014 From: wk at gnupg.org (Werner Koch) Date: Tue, 16 Dec 2014 17:36:19 +0100 Subject: [Announce] GnuPG 2.1.1 released Message-ID: <874msveem4.fsf@vigenere.g10code.de> Hello! The GnuPG Project is pleased to announce the availability of the second release of GnuPG modern: Version 2.1.1. The GNU Privacy Guard (GnuPG) is a complete and free implementation of the OpenPGP standard as defined by RFC-4880 and better known as PGP. GnuPG, also known as GPG, allows to encrypt and sign data and communication, features a versatile key management system as well as access modules for public key directories. GnuPG itself is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries making use of GnuPG are available. Since version 2 GnuPG provides support for S/MIME and Secure Shell in addition to OpenPGP. GnuPG is Free Software (meaning that it respects your freedom). It can be freely used, modified and distributed under the terms of the GNU General Public License. Three different versions of GnuPG are actively maintained: - GnuPG "modern" (2.1) is the latest development with a lot of new features. This announcement is about the first release of this version. - GnuPG "stable" (2.0) is the current stable version for general use. This is what most users are currently using. - GnuPG "classic" (1.4) is the old standalone version which is most suitable for older or embedded platforms. You may not install "modern" (2.1) and "stable" (2.0) at the same time. However, it is possible to install "classic" (1.4) along with any of the other versions. What's New in GnuPG-2.1 ======================= * gpg: Detect faulty use of --verify on detached signatures. * gpg: New import option "keep-ownertrust". * gpg: New sub-command "factory-reset" for --card-edit. * gpg: A stub key for smartcards is now created by --card-status. * gpg: Fixed regression in --refresh-keys. * gpg: Fixed regresion in %g and %p codes for --sig-notation. * gpg: Fixed best matching hash algo detection for ECDSA and EdDSA. * gpg: Improved perceived speed of secret key listisngs. * gpg: Print number of skipped PGP-2 keys on import. * gpg: Removed the option aliases --throw-keyid and --notation-data; use --throw-keyids and --set-notation instead. * gpg: New import option "keep-ownertrust". * gpg: Skip too large keys during import. * gpg,gpgsm: New option --no-autostart to avoid starting gpg-agent or dirmngr. * gpg-agent: New option --extra-socket to provide a restricted command set for use with remote clients. * gpgconf --kill does not anymore start a service only to kill it. * gpg-pconnect-agent: Add convenience option --uiserver. * Fixed keyserver access for Windows. * Fixed build problems on Mac OS X * The Windows installer does now install development files * More translations (but most of them are not complete). * To support remotely mounted home directories, the IPC sockets may now be redirected. This feature requires Libassuan 2.2.0. * Improved portability and the usual bunch of bug fixes. A detailed description of the changes found in 2.1 can be found at https://gnupg.org/faq/whats-new-in-2.1.html . Getting the Software ==================== Please follow the instructions found at https://gnupg.org/download/ or read on: GnuPG 2.1.1 may be downloaded from one of the GnuPG mirror sites or direct from its primary FTP server. The list of mirrors can be found at https://gnupg.org/mirrors.html . Note that GnuPG is not available at ftp.gnu.org. On ftp.gnupg.org you find these files: ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.1.tar.bz2 (4689k) ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.1.tar.bz2.sig This is the GnuPG 2.1 source code compressed using BZIP2 and its OpenPGP signature. ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.1_20141216.exe (6364k) ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.1_20141216.exe.sig This is an *experimental* installer for Windows including GPA as graphical key manager and GpgEX as an Explorer extension. Please de-install an already installed Gpg4win version before trying this installer. This binary version has not been tested very well, thus it is likely that you will run into problems. The complete source code for the software included in this installer is in the same directory with ".exe" replaced by ".tar.xz". This version fixes a lot of bugs found after the release of 2.1.0 but there are still known bugs which we are working on. Please check the mailing list archives and https://wiki.gnupg.org for known problems and workaround. Checking the Integrity ====================== In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways: * If you already have a version of GnuPG installed, you can simply verify the supplied signature. For example to verify the signature of the file gnupg-2.1.1.tar.bz2 you would use this command: gpg --verify gnupg-2.1.1.tar.bz2.sig gnupg-2.1.1.tar.bz2 This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by one or more of the release signing keys. Make sure that this is a valid key, either by matching the shown fingerprint against a trustworthy list of valid release signing keys or by checking that the key has been signed by trustworthy other keys. See below for information on the signing keys. * If you are not able to use an existing version of GnuPG, you have to verify the SHA-1 checksum. On Unix systems the command to do this is either "sha1sum" or "shasum". Assuming you downloaded the file gnupg-2.1.1.tar.bz2, you would run the command like this: sha1sum gnupg-2.1.1.tar.bz2 and check that the output matches the first line from the following list: 3d11fd150cf86f842d077437edb119a775c7325d gnupg-2.1.1.tar.bz2 fb541b8685b78541c9b2fadb026787f535863b4a gnupg-w32-2.1.1_20141216.exe 72d65f33d070aeb1894b0415533aad1a131899f4 gnupg-w32-2.1.1_20141216.tar.xz Release Signing Keys ==================== To guarantee that a downloaded GnuPG version has not been tampered by malicious entities we provide signature files for all tarballs and binary versions. The keys are also signed by the long term keys of their respective owners. Current releases are signed by one or more of these four keys: 2048R/4F25E3B6 2011-01-12 [expires: 2019-12-31] Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6 Werner Koch (dist sig) rsa2048/E0856959 2014-10-29 [expires: 2019-12-31] Key fingerprint = 46CC 7308 65BB 5C78 EBAB ADCF 0437 6F3E E085 6959 David Shaw (GnuPG Release Signing Key) rsa2048/33BD3F06 2014-10-29 [expires: 2016-10-28] Key fingerprint = 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06 NIIBE Yutaka (GnuPG Release Key) rsa2048/7EFD60D9 2014-10-19 [expires: 2020-12-31] Key fingerprint = D238 EA65 D64C 67ED 4C30 73F2 8A86 1B1C 7EFD 60D9 Werner Koch (Release Signing Key) You may retrieve these files from the keyservers using this command gpg --recv-keys 249B39D24F25E3B6 04376F3EE0856959 \ 2071B08A33BD3F06 8A861B1C7EFD60D9 The keys are also available at https://gnupg.org/signature_key.html and in the released GnuPG tarball in the file g10/distsigkey.gpg . Note that this mail has been signed using my standard PGP key. Internationalization ==================== This version of GnuPG has support for 26 languages with Chinese, Czech, French, German, Japanese, Russian, and Ukrainian being almost completely translated (2061 different strings). Documentation ============= If you used GnuPG in the past you should read the description of changes and new features at doc/whats-new-in-2.1.txt or online at https://gnupg.org/faq/whats-new-in-2.1.html The file gnupg.info has the complete user manual of the system. Separate man pages are included as well but they have not all the details available as are the manual. It is also possible to read the complete manual online in HTML format at https://gnupg.org/documentation/manuals/gnupg/ or in Portable Document Format at https://gnupg.org/documentation/manuals/gnupg.pdf . The chapters on gpg-agent, gpg and gpgsm include information on how to set up the whole thing. You may also want search the GnuPG mailing list archives or ask on the gnupg-users mailing lists for advise on how to solve problems. Many of the new features are around for several years and thus enough public knowledge is already available. You may also want to follow postings at https://gnupg.org/blob/. Support ======== Please consult the archive of the gnupg-users mailing list before reporting a bug . We suggest to send bug reports for a new release to this list in favor of filing a bug at . For commercial support requests we keep a list of known service companies at: https://gnupg.org/service.html The driving force behind the development of GnuPG is the company of its principal author, Werner Koch. Maintenance and improvement of GnuPG and related software takes up most of their resources. To allow him to continue this work he kindly asks to either purchase a support contract, engage g10 Code for custom enhancements, or to donate money: https://gnupg.org/donate/ Thanks ====== We have to thank all the people who helped with this release, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word, and answering questions on the mailing lists. Finally, a big Thank You to all who helped greatly by donating money. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 180 bytes Desc: not available URL: -------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From peter at digitalbrains.com Wed Dec 17 01:35:32 2014 From: peter at digitalbrains.com (Peter Lebbing) Date: Wed, 17 Dec 2014 01:35:32 +0100 Subject: GnuPG and g10 code In-Reply-To: References: <874msxl5el.fsf@vigenere.g10code.de> <87tx0wezfh.fsf@vigenere.g10code.de> <87tx0veqmn.fsf@vigenere.g10code.de> Message-ID: <5490CFD4.1010409@digitalbrains.com> On 16/12/14 13:26, Dave Pawson wrote: >> What about: >> >> https://en.wikipedia.org/wiki/OpenPGP_card > > (IMHO) pure geekery copied from one of the other pages? Hmmm, that article seems lacking. If you would have asked nicely, I might have bothered to improve it. Now, I don't feel inclined to do it. I'll get around to it one day. Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From dave.pawson at gmail.com Wed Dec 17 09:55:05 2014 From: dave.pawson at gmail.com (Dave Pawson) Date: Wed, 17 Dec 2014 08:55:05 +0000 Subject: GnuPG and g10 code In-Reply-To: <5490CFD4.1010409@digitalbrains.com> References: <874msxl5el.fsf@vigenere.g10code.de> <87tx0wezfh.fsf@vigenere.g10code.de> <87tx0veqmn.fsf@vigenere.g10code.de> <5490CFD4.1010409@digitalbrains.com> Message-ID: Not meant as a critique of the content, just pointing out that it does not explain 'why' and 'what' the card and software (as a system) do for the reader new to the idea. It may be accurate technically. Dave On 17 December 2014 at 00:35, Peter Lebbing wrote: > On 16/12/14 13:26, Dave Pawson wrote: >>> What about: >>> >>> https://en.wikipedia.org/wiki/OpenPGP_card >> >> (IMHO) pure geekery copied from one of the other pages? > > Hmmm, that article seems lacking. If you would have asked nicely, I might have > bothered to improve it. Now, I don't feel inclined to do it. I'll get around to > it one day. > > Peter. > > -- > I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. > You can send me encrypted mail if you want some privacy. > My key is available at > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -- Dave Pawson XSLT XSL-FO FAQ. Docbook FAQ. http://www.dpawson.co.uk From yanfiz at gmail.com Wed Dec 17 01:06:57 2014 From: yanfiz at gmail.com (Yan Fiz) Date: Wed, 17 Dec 2014 02:06:57 +0200 Subject: GnuPG 2.1.1 : Generation Unattended EC signing key with Ed25519 curve Message-ID: C:\Program Files (x86)\GNU\GnuPG\bin>gpg.exe --batch --gen-key Key-Type: ecdsa Key-Curve: Ed25519 Key-Usage: sign auth Name-Real: Yan Fiz Expire-Date: 1y Preferences: twofish sha512 zlib ^Z gpg: checking created signature failed: Bad signature gpg: signing failed: Bad signature gpg: make_keysig_packet failed: Bad signature gpg: key generation failed: Bad signature -------------- next part -------------- An HTML attachment was scrubbed... URL: From wk at gnupg.org Wed Dec 17 13:09:52 2014 From: wk at gnupg.org (Werner Koch) Date: Wed, 17 Dec 2014 13:09:52 +0100 Subject: GnuPG 2.1.1 : Generation Unattended EC signing key with Ed25519 curve In-Reply-To: (Yan Fiz's message of "Wed, 17 Dec 2014 02:06:57 +0200") References: Message-ID: <87lhm6bhpr.fsf@vigenere.g10code.de> On Wed, 17 Dec 2014 01:06, yanfiz at gmail.com said: > Key-Type: ecdsa Use "eddsa" with Ed25519: $ gpg -v --gen-key --batch Key-Type: eddsa Key-Curve: Ed25519 Key-Usage: sign auth Name-Real: Yan Fiz Expire-Date: 1y Preferences: twofish sha512 zlib gpg: writing self signature gpg: EDDSA/SHA256 signature from: "A3280639 [?]" gpg: writing public key to '.../pubring.gpg' gpg: using PGP trust model gpg: key A3280639 marked as ultimately trusted gpg: writing to '.../revocs.d/1B4456373B09AABBF1F309B638F5AEECA3280639.rev' gpg: EDDSA/SHA256 signature from: "A3280639 Yan Fiz" Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From Dhiraj.Haritwal at ap.sony.com Wed Dec 17 15:43:34 2014 From: Dhiraj.Haritwal at ap.sony.com (Haritwal, Dhiraj) Date: Wed, 17 Dec 2014 14:43:34 +0000 Subject: Unable to encrypt file with private/public key Message-ID: Hi, I am using gpg (GnuPG) 1.4.7 & trying to encrypt a file with private key whose public key I have shared to the partner who have to decrypt this file. I tried with --armour -symmetric switches which requires a passphrase to encrypt but I have requirement to encrypt it through private/public key. If I am using -encrypt --hidden-recipient option showing below error. I am able to see the public key while running -list-keys option. I am running it on AIX 6.1 under root user. gpg: --try-all-secrets: skipped: public key not found gpg: /tmp/test/INSONY01122014001.CSV: encryption failed: public key not found Kindly suggest what could be the problem & how to resolve it. Regards, Dhiraj ________________________________ This email is confidential and intended only for the use of the individual or entity named above and may contain information that is privileged. If you are not the intended recipient, you are notified that any dissemination, distribution or copying of this email is strictly prohibited. If you have received this email in error, please notify us immediately by return email or telephone and destroy the original message. - This mail is sent via Sony Asia Pacific Mail Gateway.. -------------- next part -------------- An HTML attachment was scrubbed... URL: From patrick at enigmail.net Wed Dec 17 18:02:11 2014 From: patrick at enigmail.net (Patrick Brunschwig) Date: Wed, 17 Dec 2014 18:02:11 +0100 Subject: [Announce] GnuPG 2.1.1 released In-Reply-To: <874msveem4.fsf__35687.4066791081$1418750491$gmane$org@vigenere.g10code.de> References: <874msveem4.fsf__35687.4066791081$1418750491$gmane$org@vigenere.g10code.de> Message-ID: <5491B713.7060804@enigmail.net> On 16.12.14 17:36, Werner Koch wrote: > Hello! > > The GnuPG Project is pleased to announce the availability of the > second release of GnuPG modern: Version 2.1.1. > > The GNU Privacy Guard (GnuPG) is a complete and free implementation of > the OpenPGP standard as defined by RFC-4880 and better known as PGP. > > GnuPG, also known as GPG, allows to encrypt and sign data and > communication, features a versatile key management system as well as > access modules for public key directories. GnuPG itself is a command > line tool with features for easy integration with other applications. > A wealth of frontend applications and libraries making use of GnuPG > are available. Since version 2 GnuPG provides support for S/MIME and > Secure Shell in addition to OpenPGP. > > GnuPG is Free Software (meaning that it respects your freedom). It can > be freely used, modified and distributed under the terms of the GNU > General Public License. > > Three different versions of GnuPG are actively maintained: > > - GnuPG "modern" (2.1) is the latest development with a lot of new > features. This announcement is about the first release of this > version. > > - GnuPG "stable" (2.0) is the current stable version for general use. > This is what most users are currently using. > > - GnuPG "classic" (1.4) is the old standalone version which is most > suitable for older or embedded platforms. > > You may not install "modern" (2.1) and "stable" (2.0) at the same > time. However, it is possible to install "classic" (1.4) along with > any of the other versions. I created an installer for GnuPG 2.1.1 on Mac OS X, available from here: http://sourceforge.net/projects/gpgosx/files/GnuPG-2.1.1.dmg/download -Patrick From duplicitymailinglist at mail.ru Wed Dec 17 18:32:39 2014 From: duplicitymailinglist at mail.ru (Duplicity Mailing List) Date: Wed, 17 Dec 2014 17:32:39 +0000 Subject: Unable to encrypt file with private/public key In-Reply-To: References: Message-ID: <5491BE37.8070309@mail.ru> On 17/12/14 14:43, Haritwal, Dhiraj wrote: > Hi, > > > > I am using gpg (GnuPG) 1.4.7 & trying to encrypt a file with private key > whose public key I have shared to the partner who have to decrypt this > file. I tried with --armour ?symmetric switches which requires a > passphrase to encrypt but I have requirement to encrypt it through > private/public key. If I am using ?encrypt --hidden-recipient option > showing below error. I am able to see the public key while running > ?list-keys option. I am running it on AIX 6.1 under root user. If you just wish to encrypt, not sign, to the user, use:- >gpg2 --recipient AABBCCDD --encrypt supersecret.txt Or the shorter version:- >gpg2 -r AABBCCDD -e supersecret.txt It will dump supersecret.txt.gpg, that's your encrypted file. This isn't signed (I.E. the receiver won't be able to verify _you_ sent it, and can be replaced (Although not read) in transit). If you wish to sign it, you'll also need a GPG key in your keyring, then run:- >gpg2 --local-user FFEEDDCC --recipient AABBCCDD --encrypt --sign supersecret.txt Or the shorter version:- >gpg2 -u FFEEDDCC -r AABBCCDD -se supersecret.txt Where FFEEDDCC is your key identifier and AABBCCDD is the recipient's key identifier. When they decrypt the file, they will see something along the lines of:- >gpg: Good signature from "John Doe (JohnDoe at Example.com) [ultimate]" >gpg: binary signature, digest algorithm SHA512 >gpg: decryption okay the command you're using, --symmetric, is for using a passphrase for encryption/decrypt (I.E. symmetric encryption, not asymmetric). --hidden-recipient should work too, and is used if you don't wish to include information about the recipient in the gpg file, you probably don't want to use this option (As oppose to --recipient) unless you really do wish to use the features it provides. As for the failed public key, may I ask the exact command you're running? I get the same error message when I specify a recipient that doesn't exist:- >$ gpg2 -e -r ${RANDOM} b >gpg: 31546: skipped: No public key >gpg: b: encryption failed: No public key From dominyktiller at gmail.com Wed Dec 17 13:54:37 2014 From: dominyktiller at gmail.com (Dominyk Tiller) Date: Wed, 17 Dec 2014 12:54:37 +0000 Subject: [Announce] GnuPG 2.1.1 released In-Reply-To: <874msveem4.fsf@vigenere.g10code.de> References: <874msveem4.fsf@vigenere.g10code.de> Message-ID: <54917D0D.3060007@gmail.com> Hi Werner, Thanks for the new release, It solves a lot of the OS X compile problems we were seeing, which is great. I'm still hitting a new one though. If you attempt to compile using an external gpg-agent, rather than one with the package, you hit this: ------------------------------------------------------------------------ clang -I/usr/local/Cellar/libgcrypt/1.6.2/include -I/usr/local/Cellar/libgpg-error/1.17/include -I/usr/local/Cellar/libgpg-error/1.17/include -I/usr/local/Cellar/libassuan/2.1.3/include -I/usr/local/Cellar/libgpg-error/1.17/include -g -O2 -Wall -Wno-pointer-sign -Wpointer-arith -lresolv -o gpgsplit gpgsplit.o ../common/libcommon.a -L/usr/local/Cellar/libgcrypt/1.6.2/lib -lgcrypt -L/usr/local/Cellar/libgpg-error/1.17/lib -lgpg-error -L/usr/local/Cellar/libgpg-error/1.17/lib -lgpg-error -lz -lbz2 -lintl -Wl,-framework -Wl,CoreFoundation -liconv Making all in po Making all in doc /Applications/Xcode.app/Contents/Developer/usr/bin/make all-am clang -o yat2m ./yat2m.c for file in gnupg7.texi gpg.texi gpgsm.texi gpg-agent.texi dirmngr.texi scdaemon.texi tools.texi ; do \ ./yat2m -I . -D gpgtwoone --release "GnuPG 2.1.1" --source "GNU Privacy Guard 2.1" --store \ `test -f '$file' || echo './'`$file ; done yat2m: writing 'gnupg.7' yat2m: writing 'gpg2.1' yat2m: writing 'gpgsm.1' yat2m: writing 'gpg-agent.1' yat2m: writing 'dirmngr.8' yat2m: writing 'scdaemon.1' yat2m: writing 'watchgnupg.1' yat2m: writing 'gpgv2.1' yat2m: writing 'addgnupghome.8' yat2m: writing 'gpgconf.1' yat2m: writing 'applygnupgdefaults.8' yat2m: writing 'gpgsm-gencert.sh.1' yat2m: writing 'gpg-preset-passphrase.1' yat2m: writing 'gpg-connect-agent.1' yat2m: writing 'dirmngr-client.1' yat2m: writing 'gpgparsemail.1' yat2m: writing 'symcryptrun.1' yat2m: writing 'gpg-zip.1' Making all in tests Making all in openpgp make[3]: *** No rule to make target `../../agent/gpg-agent', needed by `all-local'. Stop. make[2]: *** [all-recursive] Error 1 make[1]: *** [all-recursive] Error 1 make: *** [all] Error 2 ------------------------------------------------------------------------ Any ideas? Cheers, Dom Sent from OS X. If you wish to communicate more securely my PGP Public Key is 0x872524db9d74326c. On 16/12/2014 16:36, Werner Koch wrote: > Hello! > > The GnuPG Project is pleased to announce the availability of the > second release of GnuPG modern: Version 2.1.1. > > The GNU Privacy Guard (GnuPG) is a complete and free implementation of > the OpenPGP standard as defined by RFC-4880 and better known as PGP. > > GnuPG, also known as GPG, allows to encrypt and sign data and > communication, features a versatile key management system as well as > access modules for public key directories. GnuPG itself is a command > line tool with features for easy integration with other applications. > A wealth of frontend applications and libraries making use of GnuPG > are available. Since version 2 GnuPG provides support for S/MIME and > Secure Shell in addition to OpenPGP. > > GnuPG is Free Software (meaning that it respects your freedom). It can > be freely used, modified and distributed under the terms of the GNU > General Public License. > > Three different versions of GnuPG are actively maintained: > > - GnuPG "modern" (2.1) is the latest development with a lot of new > features. This announcement is about the first release of this > version. > > - GnuPG "stable" (2.0) is the current stable version for general use. > This is what most users are currently using. > > - GnuPG "classic" (1.4) is the old standalone version which is most > suitable for older or embedded platforms. > > You may not install "modern" (2.1) and "stable" (2.0) at the same > time. However, it is possible to install "classic" (1.4) along with > any of the other versions. > > > What's New in GnuPG-2.1 > ======================= > > * gpg: Detect faulty use of --verify on detached signatures. > > * gpg: New import option "keep-ownertrust". > > * gpg: New sub-command "factory-reset" for --card-edit. > > * gpg: A stub key for smartcards is now created by --card-status. > > * gpg: Fixed regression in --refresh-keys. > > * gpg: Fixed regresion in %g and %p codes for --sig-notation. > > * gpg: Fixed best matching hash algo detection for ECDSA and EdDSA. > > * gpg: Improved perceived speed of secret key listisngs. > > * gpg: Print number of skipped PGP-2 keys on import. > > * gpg: Removed the option aliases --throw-keyid and --notation-data; > use --throw-keyids and --set-notation instead. > > * gpg: New import option "keep-ownertrust". > > * gpg: Skip too large keys during import. > > * gpg,gpgsm: New option --no-autostart to avoid starting gpg-agent or > dirmngr. > > * gpg-agent: New option --extra-socket to provide a restricted > command set for use with remote clients. > > * gpgconf --kill does not anymore start a service only to kill it. > > * gpg-pconnect-agent: Add convenience option --uiserver. > > * Fixed keyserver access for Windows. > > * Fixed build problems on Mac OS X > > * The Windows installer does now install development files > > * More translations (but most of them are not complete). > > * To support remotely mounted home directories, the IPC sockets may > now be redirected. This feature requires Libassuan 2.2.0. > > * Improved portability and the usual bunch of bug fixes. > > A detailed description of the changes found in 2.1 can be found at > https://gnupg.org/faq/whats-new-in-2.1.html . > > > Getting the Software > ==================== > > Please follow the instructions found at https://gnupg.org/download/ or > read on: > > GnuPG 2.1.1 may be downloaded from one of the GnuPG mirror sites or > direct from its primary FTP server. The list of mirrors can be found > at https://gnupg.org/mirrors.html . Note that GnuPG is not available > at ftp.gnu.org. > > On ftp.gnupg.org you find these files: > > ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.1.tar.bz2 (4689k) > ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.1.tar.bz2.sig > > This is the GnuPG 2.1 source code compressed using BZIP2 and its > OpenPGP signature. > > ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.1_20141216.exe (6364k) > ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.1_20141216.exe.sig > > This is an *experimental* installer for Windows including GPA as > graphical key manager and GpgEX as an Explorer extension. Please > de-install an already installed Gpg4win version before trying this > installer. This binary version has not been tested very well, thus it > is likely that you will run into problems. The complete source code > for the software included in this installer is in the same directory > with ".exe" replaced by ".tar.xz". > > This version fixes a lot of bugs found after the release of 2.1.0 but > there are still known bugs which we are working on. Please check the > mailing list archives and https://wiki.gnupg.org for known problems > and workaround. > > > Checking the Integrity > ====================== > > In order to check that the version of GnuPG which you are going to > install is an original and unmodified one, you can do it in one of > the following ways: > > * If you already have a version of GnuPG installed, you can simply > verify the supplied signature. For example to verify the signature > of the file gnupg-2.1.1.tar.bz2 you would use this command: > > gpg --verify gnupg-2.1.1.tar.bz2.sig gnupg-2.1.1.tar.bz2 > > This checks whether the signature file matches the source file. > You should see a message indicating that the signature is good and > made by one or more of the release signing keys. Make sure that > this is a valid key, either by matching the shown fingerprint > against a trustworthy list of valid release signing keys or by > checking that the key has been signed by trustworthy other keys. > See below for information on the signing keys. > > * If you are not able to use an existing version of GnuPG, you have > to verify the SHA-1 checksum. On Unix systems the command to do > this is either "sha1sum" or "shasum". Assuming you downloaded the > file gnupg-2.1.1.tar.bz2, you would run the command like this: > > sha1sum gnupg-2.1.1.tar.bz2 > > and check that the output matches the first line from the > following list: > > 3d11fd150cf86f842d077437edb119a775c7325d gnupg-2.1.1.tar.bz2 > fb541b8685b78541c9b2fadb026787f535863b4a gnupg-w32-2.1.1_20141216.exe > 72d65f33d070aeb1894b0415533aad1a131899f4 gnupg-w32-2.1.1_20141216.tar.xz > > > Release Signing Keys > ==================== > > To guarantee that a downloaded GnuPG version has not been tampered by > malicious entities we provide signature files for all tarballs and > binary versions. The keys are also signed by the long term keys of > their respective owners. Current releases are signed by one or more > of these four keys: > > 2048R/4F25E3B6 2011-01-12 [expires: 2019-12-31] > Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6 > Werner Koch (dist sig) > > rsa2048/E0856959 2014-10-29 [expires: 2019-12-31] > Key fingerprint = 46CC 7308 65BB 5C78 EBAB ADCF 0437 6F3E E085 6959 > David Shaw (GnuPG Release Signing Key) > > rsa2048/33BD3F06 2014-10-29 [expires: 2016-10-28] > Key fingerprint = 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06 > NIIBE Yutaka (GnuPG Release Key) > > rsa2048/7EFD60D9 2014-10-19 [expires: 2020-12-31] > Key fingerprint = D238 EA65 D64C 67ED 4C30 73F2 8A86 1B1C 7EFD 60D9 > Werner Koch (Release Signing Key) > > You may retrieve these files from the keyservers using this command > > gpg --recv-keys 249B39D24F25E3B6 04376F3EE0856959 \ > 2071B08A33BD3F06 8A861B1C7EFD60D9 > > The keys are also available at https://gnupg.org/signature_key.html > and in the released GnuPG tarball in the file g10/distsigkey.gpg . > Note that this mail has been signed using my standard PGP key. > > > Internationalization > ==================== > > This version of GnuPG has support for 26 languages with Chinese, > Czech, French, German, Japanese, Russian, and Ukrainian being almost > completely translated (2061 different strings). > > > Documentation > ============= > > If you used GnuPG in the past you should read the description of > changes and new features at doc/whats-new-in-2.1.txt or online at > > https://gnupg.org/faq/whats-new-in-2.1.html > > The file gnupg.info has the complete user manual of the system. > Separate man pages are included as well but they have not all the > details available as are the manual. It is also possible to read the > complete manual online in HTML format at > > https://gnupg.org/documentation/manuals/gnupg/ > > or in Portable Document Format at > > https://gnupg.org/documentation/manuals/gnupg.pdf . > > The chapters on gpg-agent, gpg and gpgsm include information on how > to set up the whole thing. You may also want search the GnuPG mailing > list archives or ask on the gnupg-users mailing lists for advise on > how to solve problems. Many of the new features are around for > several years and thus enough public knowledge is already available. > > You may also want to follow postings at https://gnupg.org/blob/. > > > Support > ======== > > Please consult the archive of the gnupg-users mailing list before > reporting a bug . > We suggest to send bug reports for a new release to this list in favor > of filing a bug at . For commercial support > requests we keep a list of known service companies at: > > https://gnupg.org/service.html > > The driving force behind the development of GnuPG is the company of > its principal author, Werner Koch. Maintenance and improvement of > GnuPG and related software takes up most of their resources. To allow > him to continue this work he kindly asks to either purchase a support > contract, engage g10 Code for custom enhancements, or to donate money: > > https://gnupg.org/donate/ > > > Thanks > ====== > > We have to thank all the people who helped with this release, be it > testing, coding, translating, suggesting, auditing, administering the > servers, spreading the word, and answering questions on the mailing > lists. > > Finally, a big Thank You to all who helped greatly by donating money. > > > Salam-Shalom, > > Werner > > > > _______________________________________________ > Gnupg-announce mailing list > Gnupg-announce at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-announce > -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 801 bytes Desc: OpenPGP digital signature URL: From 2014-667rhzu3dc-lists-groups at riseup.net Wed Dec 17 22:21:39 2014 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Wed, 17 Dec 2014 21:21:39 +0000 Subject: [Announce] GnuPG 2.1.1 released In-Reply-To: <874msveem4.fsf@vigenere.g10code.de> References: <874msveem4.fsf@vigenere.g10code.de> Message-ID: <1414437482.20141217212139@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Tuesday 16 December 2014 at 4:36:19 PM, in , Werner Koch wrote: > * gpg: Fixed regresion in %g and %p codes for > --sig-notation. Could there be a similar issue with the %i for --photo-viewer? photo-viewer "path\to\gpgview.exe" %i /title 0x%K.%t[%V] seems to get me the message:- gpg: system error while calling external program: No error gpg: unable to display photo ID! - -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net The secret to creativity is knowing how to hide your sources. -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJUkfPlXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2 QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwya0H/jVscH4wzZlQ4EqlhXJHOKvL 9Th8s/FR8SLcVhjJ8lH0FjOJCooq+QquqFrCMj7FZRo6mKmG403zNpSPv202CPke jFKBcuML9Kdxg/sHOQRhTWYuh/dAfbm/RBCJ3+1xx36F0v9pIvaGq0ViS8DwHMsB bYivIfDcvlYl70IS2D5cxMc7TgH6+mNogAmU7Lm8R+u2OpfK0XbWMV9F4Vi93V9M pZ3EffBRwMZqMVjXmdaSCqa9RMIjDqRJJiTOEBl+TsKgztg1sDhijqFIt88EkSXv eieqJx12oYyfa3ri6AyjOpF0VMlTVQVHQ+s0kXxB83WbP2vOg3Summ4fO8TmzNyI vgQBFgoAZgUCVJHz7V8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45O37AQBAm74Ib66ZbTWqSoD7uiPlBIk6 SG5wru7bfpv0ZZcj9QEAVGIhR34UcDoGXaj4NstNHYplD93pzoFqvsCEtnLaHQ0= =tvmk -----END PGP SIGNATURE----- From wk at gnupg.org Thu Dec 18 09:35:00 2014 From: wk at gnupg.org (Werner Koch) Date: Thu, 18 Dec 2014 09:35:00 +0100 Subject: [Announce] GnuPG 2.1.1 released In-Reply-To: <54917D0D.3060007@gmail.com> (Dominyk Tiller's message of "Wed, 17 Dec 2014 12:54:37 +0000") References: <874msveem4.fsf@vigenere.g10code.de> <54917D0D.3060007@gmail.com> Message-ID: <87h9wt5paj.fsf@vigenere.g10code.de> On Wed, 17 Dec 2014 13:54, dominyktiller at gmail.com said: > I'm still hitting a new one though. If you attempt to compile using an > external gpg-agent, rather than one with the package, you hit this: You mean an option --disable-agent? Do we still have this option - it needs to be removed. gpg-agent is not optional. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From wk at gnupg.org Thu Dec 18 09:58:29 2014 From: wk at gnupg.org (Werner Koch) Date: Thu, 18 Dec 2014 09:58:29 +0100 Subject: [Announce] GnuPG 2.1.1 released In-Reply-To: <5491B713.7060804@enigmail.net> (Patrick Brunschwig's message of "Wed, 17 Dec 2014 18:02:11 +0100") References: <874msveem4.fsf__35687.4066791081$1418750491$gmane$org@vigenere.g10code.de> <5491B713.7060804@enigmail.net> Message-ID: <877fxp5o7e.fsf@vigenere.g10code.de> On Wed, 17 Dec 2014 18:02, patrick at enigmail.net said: > I created an installer for GnuPG 2.1.1 on Mac OS X, available from here: Is that one already useful for general public and shall I add it to the download page? Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From wk at gnupg.org Thu Dec 18 10:03:45 2014 From: wk at gnupg.org (Werner Koch) Date: Thu, 18 Dec 2014 10:03:45 +0100 Subject: [Announce] GnuPG 2.1.1 released In-Reply-To: <1414437482.20141217212139@my_localhost> (MFPA's message of "Wed, 17 Dec 2014 21:21:39 +0000") References: <874msveem4.fsf@vigenere.g10code.de> <1414437482.20141217212139@my_localhost> Message-ID: <87388d5nym.fsf@vigenere.g10code.de> On Wed, 17 Dec 2014 22:21, 2014-667rhzu3dc-lists-groups at riseup.net said: > Could there be a similar issue with the %i for --photo-viewer? > > photo-viewer "path\to\gpgview.exe" %i /title 0x%K.%t[%V] I don't see any chnage in this part of the code. Did it worked in 2.0? Can you test on Unix too? (Debugging there is much easier for me). Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From dave.pawson at gmail.com Thu Dec 18 11:59:09 2014 From: dave.pawson at gmail.com (Dave Pawson) Date: Thu, 18 Dec 2014 10:59:09 +0000 Subject: [Announce] GnuPG 2.1.1 released In-Reply-To: <874msveem4.fsf@vigenere.g10code.de> References: <874msveem4.fsf@vigenere.g10code.de> Message-ID: Running Fedora 21, 64 bit. ./configure gave error missing ksba Downloaded. ./configure gave libgpg-error is needed. # yum install --disablerepo=Dropbox libgpg-error Loaded plugins: langpacks Package libgpg-error-1.13-3.fc21.x86_64 already installed and latest version Nothing to do Circular error? regards On 16 December 2014 at 16:36, Werner Koch wrote: > Hello! > > The GnuPG Project is pleased to announce the availability of the > second release of GnuPG modern: Version 2.1.1. > > The GNU Privacy Guard (GnuPG) is a complete and free implementation of > the OpenPGP standard as defined by RFC-4880 and better known as PGP. > > GnuPG, also known as GPG, allows to encrypt and sign data and > communication, features a versatile key management system as well as > access modules for public key directories. GnuPG itself is a command > line tool with features for easy integration with other applications. > A wealth of frontend applications and libraries making use of GnuPG > are available. Since version 2 GnuPG provides support for S/MIME and > Secure Shell in addition to OpenPGP. > > GnuPG is Free Software (meaning that it respects your freedom). It can > be freely used, modified and distributed under the terms of the GNU > General Public License. > > Three different versions of GnuPG are actively maintained: > > - GnuPG "modern" (2.1) is the latest development with a lot of new > features. This announcement is about the first release of this > version. > > - GnuPG "stable" (2.0) is the current stable version for general use. > This is what most users are currently using. > > - GnuPG "classic" (1.4) is the old standalone version which is most > suitable for older or embedded platforms. > > You may not install "modern" (2.1) and "stable" (2.0) at the same > time. However, it is possible to install "classic" (1.4) along with > any of the other versions. > > > What's New in GnuPG-2.1 > ======================= > > * gpg: Detect faulty use of --verify on detached signatures. > > * gpg: New import option "keep-ownertrust". > > * gpg: New sub-command "factory-reset" for --card-edit. > > * gpg: A stub key for smartcards is now created by --card-status. > > * gpg: Fixed regression in --refresh-keys. > > * gpg: Fixed regresion in %g and %p codes for --sig-notation. > > * gpg: Fixed best matching hash algo detection for ECDSA and EdDSA. > > * gpg: Improved perceived speed of secret key listisngs. > > * gpg: Print number of skipped PGP-2 keys on import. > > * gpg: Removed the option aliases --throw-keyid and --notation-data; > use --throw-keyids and --set-notation instead. > > * gpg: New import option "keep-ownertrust". > > * gpg: Skip too large keys during import. > > * gpg,gpgsm: New option --no-autostart to avoid starting gpg-agent or > dirmngr. > > * gpg-agent: New option --extra-socket to provide a restricted > command set for use with remote clients. > > * gpgconf --kill does not anymore start a service only to kill it. > > * gpg-pconnect-agent: Add convenience option --uiserver. > > * Fixed keyserver access for Windows. > > * Fixed build problems on Mac OS X > > * The Windows installer does now install development files > > * More translations (but most of them are not complete). > > * To support remotely mounted home directories, the IPC sockets may > now be redirected. This feature requires Libassuan 2.2.0. > > * Improved portability and the usual bunch of bug fixes. > > A detailed description of the changes found in 2.1 can be found at > https://gnupg.org/faq/whats-new-in-2.1.html . > > > Getting the Software > ==================== > > Please follow the instructions found at https://gnupg.org/download/ or > read on: > > GnuPG 2.1.1 may be downloaded from one of the GnuPG mirror sites or > direct from its primary FTP server. The list of mirrors can be found > at https://gnupg.org/mirrors.html . Note that GnuPG is not available > at ftp.gnu.org. > > On ftp.gnupg.org you find these files: > > ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.1.tar.bz2 (4689k) > ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.1.tar.bz2.sig > > This is the GnuPG 2.1 source code compressed using BZIP2 and its > OpenPGP signature. > > ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.1_20141216.exe (6364k) > ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.1_20141216.exe.sig > > This is an *experimental* installer for Windows including GPA as > graphical key manager and GpgEX as an Explorer extension. Please > de-install an already installed Gpg4win version before trying this > installer. This binary version has not been tested very well, thus it > is likely that you will run into problems. The complete source code > for the software included in this installer is in the same directory > with ".exe" replaced by ".tar.xz". > > This version fixes a lot of bugs found after the release of 2.1.0 but > there are still known bugs which we are working on. Please check the > mailing list archives and https://wiki.gnupg.org for known problems > and workaround. > > > Checking the Integrity > ====================== > > In order to check that the version of GnuPG which you are going to > install is an original and unmodified one, you can do it in one of > the following ways: > > * If you already have a version of GnuPG installed, you can simply > verify the supplied signature. For example to verify the signature > of the file gnupg-2.1.1.tar.bz2 you would use this command: > > gpg --verify gnupg-2.1.1.tar.bz2.sig gnupg-2.1.1.tar.bz2 > > This checks whether the signature file matches the source file. > You should see a message indicating that the signature is good and > made by one or more of the release signing keys. Make sure that > this is a valid key, either by matching the shown fingerprint > against a trustworthy list of valid release signing keys or by > checking that the key has been signed by trustworthy other keys. > See below for information on the signing keys. > > * If you are not able to use an existing version of GnuPG, you have > to verify the SHA-1 checksum. On Unix systems the command to do > this is either "sha1sum" or "shasum". Assuming you downloaded the > file gnupg-2.1.1.tar.bz2, you would run the command like this: > > sha1sum gnupg-2.1.1.tar.bz2 > > and check that the output matches the first line from the > following list: > > 3d11fd150cf86f842d077437edb119a775c7325d gnupg-2.1.1.tar.bz2 > fb541b8685b78541c9b2fadb026787f535863b4a gnupg-w32-2.1.1_20141216.exe > 72d65f33d070aeb1894b0415533aad1a131899f4 gnupg-w32-2.1.1_20141216.tar.xz > > > Release Signing Keys > ==================== > > To guarantee that a downloaded GnuPG version has not been tampered by > malicious entities we provide signature files for all tarballs and > binary versions. The keys are also signed by the long term keys of > their respective owners. Current releases are signed by one or more > of these four keys: > > 2048R/4F25E3B6 2011-01-12 [expires: 2019-12-31] > Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6 > Werner Koch (dist sig) > > rsa2048/E0856959 2014-10-29 [expires: 2019-12-31] > Key fingerprint = 46CC 7308 65BB 5C78 EBAB ADCF 0437 6F3E E085 6959 > David Shaw (GnuPG Release Signing Key) > > rsa2048/33BD3F06 2014-10-29 [expires: 2016-10-28] > Key fingerprint = 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06 > NIIBE Yutaka (GnuPG Release Key) > > rsa2048/7EFD60D9 2014-10-19 [expires: 2020-12-31] > Key fingerprint = D238 EA65 D64C 67ED 4C30 73F2 8A86 1B1C 7EFD 60D9 > Werner Koch (Release Signing Key) > > You may retrieve these files from the keyservers using this command > > gpg --recv-keys 249B39D24F25E3B6 04376F3EE0856959 \ > 2071B08A33BD3F06 8A861B1C7EFD60D9 > > The keys are also available at https://gnupg.org/signature_key.html > and in the released GnuPG tarball in the file g10/distsigkey.gpg . > Note that this mail has been signed using my standard PGP key. > > > Internationalization > ==================== > > This version of GnuPG has support for 26 languages with Chinese, > Czech, French, German, Japanese, Russian, and Ukrainian being almost > completely translated (2061 different strings). > > > Documentation > ============= > > If you used GnuPG in the past you should read the description of > changes and new features at doc/whats-new-in-2.1.txt or online at > > https://gnupg.org/faq/whats-new-in-2.1.html > > The file gnupg.info has the complete user manual of the system. > Separate man pages are included as well but they have not all the > details available as are the manual. It is also possible to read the > complete manual online in HTML format at > > https://gnupg.org/documentation/manuals/gnupg/ > > or in Portable Document Format at > > https://gnupg.org/documentation/manuals/gnupg.pdf . > > The chapters on gpg-agent, gpg and gpgsm include information on how > to set up the whole thing. You may also want search the GnuPG mailing > list archives or ask on the gnupg-users mailing lists for advise on > how to solve problems. Many of the new features are around for > several years and thus enough public knowledge is already available. > > You may also want to follow postings at https://gnupg.org/blob/. > > > Support > ======== > > Please consult the archive of the gnupg-users mailing list before > reporting a bug . > We suggest to send bug reports for a new release to this list in favor > of filing a bug at . For commercial support > requests we keep a list of known service companies at: > > https://gnupg.org/service.html > > The driving force behind the development of GnuPG is the company of > its principal author, Werner Koch. Maintenance and improvement of > GnuPG and related software takes up most of their resources. To allow > him to continue this work he kindly asks to either purchase a support > contract, engage g10 Code for custom enhancements, or to donate money: > > https://gnupg.org/donate/ > > > Thanks > ====== > > We have to thank all the people who helped with this release, be it > testing, coding, translating, suggesting, auditing, administering the > servers, spreading the word, and answering questions on the mailing > lists. > > Finally, a big Thank You to all who helped greatly by donating money. > > > Salam-Shalom, > > Werner > > -- > Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. > > _______________________________________________ > Gnupg-announce mailing list > Gnupg-announce at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-announce > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -- Dave Pawson XSLT XSL-FO FAQ. Docbook FAQ. http://www.dpawson.co.uk From dotwayland at gmail.com Thu Dec 18 11:52:23 2014 From: dotwayland at gmail.com (Wayland Morgan) Date: Thu, 18 Dec 2014 04:52:23 -0600 Subject: Refreshing private key Message-ID: My current key is 2048 bits in length and I would like to have something that is closer to 8192 bits in length. Is there a way that I can accomplish this without revoking my key so that I can keep the same public key id? Any preferred RTFMing you can point me to? Thanks Wayland -------------- next part -------------- An HTML attachment was scrubbed... URL: From wk at gnupg.org Thu Dec 18 14:35:41 2014 From: wk at gnupg.org (Werner Koch) Date: Thu, 18 Dec 2014 14:35:41 +0100 Subject: [Announce] GnuPG 2.1.1 released In-Reply-To: (Dave Pawson's message of "Thu, 18 Dec 2014 10:59:09 +0000") References: <874msveem4.fsf@vigenere.g10code.de> Message-ID: <87d27h3wsy.fsf@vigenere.g10code.de> On Thu, 18 Dec 2014 11:59, dave.pawson at gmail.com said: > ./configure gave libgpg-error is needed. configure shows you which version of which libaries you need. Please install them. The versions which come with your OS are usually too old. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From rjh at sixdemonbag.org Thu Dec 18 16:24:34 2014 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 18 Dec 2014 10:24:34 -0500 Subject: Refreshing private key In-Reply-To: References: Message-ID: <5492F1B2.90107@sixdemonbag.org> > My current key is 2048 bits in length and I would like to have > something that is closer to 8192 bits in length. Is there a way that > I can accomplish this... Definitely not from GnuPG, and probably not from without it, either. GnuPG is capped at 4096 bits (for good reasons). Further, you cannot change the length of the primary subkey on a certificate. From Dhiraj.Haritwal at ap.sony.com Thu Dec 18 16:39:35 2014 From: Dhiraj.Haritwal at ap.sony.com (Haritwal, Dhiraj) Date: Thu, 18 Dec 2014 15:39:35 +0000 Subject: Unable to encrypt file with private/public key In-Reply-To: <5491BE37.8070309@mail.ru> References: <5491BE37.8070309@mail.ru> Message-ID: Hi, Thanks for your response. About the below command, it's asking for passphrase whereas my requirement is to use only keys to encrypt/sign it. gpg2 -u FFEEDDCC -r AABBCCDD -se supersecret.txt I tried below command which shows confirmation screen where I have entered y (yes) & now able to see a file named supersecret.txt.gpg. m not sure what file it is because it think encrypted file should has an .asc extension. ./gpg --encrypt --hidden-recipient AABBCCDD supersecret.txt gpg: 89709B71: There is no assurance this key belongs to the named user Regards, Dhiraj -----Original Message----- From: Gnupg-users [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Duplicity Mailing List Sent: 17 December 2014 23:03 To: gnupg-users at gnupg.org Subject: Re: Unable to encrypt file with private/public key On 17/12/14 14:43, Haritwal, Dhiraj wrote: > Hi, > > > > I am using gpg (GnuPG) 1.4.7 & trying to encrypt a file with private > key whose public key I have shared to the partner who have to decrypt > this file. I tried with --armour -symmetric switches which requires a > passphrase to encrypt but I have requirement to encrypt it through > private/public key. If I am using -encrypt --hidden-recipient option > showing below error. I am able to see the public key while running > -list-keys option. I am running it on AIX 6.1 under root user. If you just wish to encrypt, not sign, to the user, use:- >gpg2 --recipient AABBCCDD --encrypt supersecret.txt Or the shorter version:- >gpg2 -r AABBCCDD -e supersecret.txt It will dump supersecret.txt.gpg, that's your encrypted file. This isn't signed (I.E. the receiver won't be able to verify _you_ sent it, and can be replaced (Although not read) in transit). If you wish to sign it, you'll also need a GPG key in your keyring, then run:- >gpg2 --local-user FFEEDDCC --recipient AABBCCDD --encrypt --sign supersecret.txt Or the shorter version:- >gpg2 -u FFEEDDCC -r AABBCCDD -se supersecret.txt Where FFEEDDCC is your key identifier and AABBCCDD is the recipient's key identifier. When they decrypt the file, they will see something along the lines of:- >gpg: Good signature from "John Doe (JohnDoe at Example.com) [ultimate]" >gpg: binary signature, digest algorithm SHA512 >gpg: decryption okay the command you're using, --symmetric, is for using a passphrase for encryption/decrypt (I.E. symmetric encryption, not asymmetric). --hidden-recipient should work too, and is used if you don't wish to include information about the recipient in the gpg file, you probably don't want to use this option (As oppose to --recipient) unless you really do wish to use the features it provides. As for the failed public key, may I ask the exact command you're running? I get the same error message when I specify a recipient that doesn't exist:- >$ gpg2 -e -r ${RANDOM} b >gpg: 31546: skipped: No public key >gpg: b: encryption failed: No public key _______________________________________________ Gnupg-users mailing list Gnupg-users at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users ________________________________ This email is confidential and intended only for the use of the individual or entity named above and may contain information that is privileged. If you are not the intended recipient, you are notified that any dissemination, distribution or copying of this email is strictly prohibited. If you have received this email in error, please notify us immediately by return email or telephone and destroy the original message. - This mail is sent via Sony Asia Pacific Mail Gateway.. From vedaal at nym.hush.com Thu Dec 18 16:56:32 2014 From: vedaal at nym.hush.com (vedaal at nym.hush.com) Date: Thu, 18 Dec 2014 10:56:32 -0500 Subject: Unable to encrypt file with private/public key In-Reply-To: References: <5491BE37.8070309@mail.ru> Message-ID: <20141218155633.31841A0138@smtp.hushmail.com> On 12/18/2014 at 10:38 AM, "Dhiraj Haritwal" wrote: >About the below command, it's asking for passphrase whereas my >requirement is to use only keys to encrypt/sign it. > >gpg2 -u FFEEDDCC -r AABBCCDD -se supersecret.txt ----- '-s' in the above command means that you want to sign. Whenever you want to sign, GnuPG asks for your passphrase to unlock your signing key. ===== >I tried below command which shows confirmation screen where I have >entered y (yes) & now able to see a file named >supersecret.txt.gpg. m not sure what file it is because it think >encrypted file should has an .asc extension. > >./gpg --encrypt --hidden-recipient AABBCCDD supersecret.txt ----- 'supersecret.txt.gpg' is the GnuPG encrypted output of the file 'supersecret.txt'. If unspecified, GnuPG will produce a .gpg file rather than a .asc file. If you want a .asc file, you need to include the option of '--armor' or '-a' in your encryption command: gpg2 -u FFEEDDCC -r AABBCCDD -a -e supersecret.txt vedaal From wk at gnupg.org Thu Dec 18 16:59:22 2014 From: wk at gnupg.org (Werner Koch) Date: Thu, 18 Dec 2014 16:59:22 +0100 Subject: Unable to encrypt file with private/public key In-Reply-To: (Dhiraj Haritwal's message of "Thu, 18 Dec 2014 15:39:35 +0000") References: <5491BE37.8070309@mail.ru> Message-ID: <8761d93q5h.fsf@vigenere.g10code.de> On Thu, 18 Dec 2014 16:39, Dhiraj.Haritwal at ap.sony.com said: > gpg2 -u FFEEDDCC -r AABBCCDD -se supersecret.txt You asked to sign (-s) and thus it has to ask for the passphrase (unless you key is not protected by a passphrase). > I tried below command which shows confirmation screen where I have > entered y (yes) & now able to see a file named supersecret.txt.gpg. m > not sure what file it is because it think encrypted file should has an > .asc extension. If you want it ascii armored (which defaults to the ".asc" suffix) you need to give the option --armor (or -a). Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From duplicitymailinglist at mail.ru Thu Dec 18 17:04:59 2014 From: duplicitymailinglist at mail.ru (Duplicity Mailing List) Date: Thu, 18 Dec 2014 16:04:59 +0000 Subject: Unable to encrypt file with private/public key In-Reply-To: References: <5491BE37.8070309@mail.ru> Message-ID: <5492FB2B.5030702@mail.ru> On 18/12/14 15:39, Haritwal, Dhiraj wrote: > Hi, > > Thanks for your response. > > About the below command, it's asking for passphrase whereas my requirement is to use only keys to encrypt/sign it. > > gpg2 -u FFEEDDCC -r AABBCCDD -se supersecret.txt > > I tried below command which shows confirmation screen where I have entered y (yes) & now able to see a file named supersecret.txt.gpg. m not sure what file it is because it think encrypted file should has an .asc extension. > > ./gpg --encrypt --hidden-recipient AABBCCDD supersecret.txt > gpg: 89709B71: There is no assurance this key belongs to the named user > > > Regards, > > Dhiraj .gpg is the extension of encrypted files, .asc is normally ASCII armored files (Signatures and the like), if you'd like to generate one of those, look into the -a option (for Ascii). A complete command would look something like `gpg2 -u AABBCCDD -as supersecret.txt`. The generated supersecret.txt.asc will only verify to someone who already has the .txt that it hasn't been touched/modified and that the key AABBCCDD did verify it as being legitimate, they won't be able to extrapolate supersecret.txt out of it. It's _only_ for signing, _not_ for encrypting/transportation of data, which is why you often see them on this mailing list and downloads (You want to verify that the user sent the data, but not encrypt it (Since it's public)). If you try to run:- >gpg -d supersecret.txt.gpg It should tell you it's encrypted and the destination public key, then error out (As it's not destined for you). As for the "There is no assurance this key belongs to thhe named user", this is because you haven't trusted them yet. If you do trust the key as being the key they claim to be, and have verified the key through out-of-bands means (I.E. Not over the internet, or using an already secure channel over the internet, this is *not* emails, this is *not* Skype, this is *not* text messages), then you can take a look at this:- https://www.gnupg.org/gph/en/manual/x334.html P.S. I'm replying to you on-list for the reasons:- 1. People are able to verify if I say anything stupid 2. In the case I haven't said anything stupid, someone else could also learn from this (I.E. Location this thread in the future via a search engine). I recommend you do the same. From duplicitymailinglist at mail.ru Thu Dec 18 17:11:18 2014 From: duplicitymailinglist at mail.ru (Duplicity Mailing List) Date: Thu, 18 Dec 2014 16:11:18 +0000 Subject: Unable to encrypt file with private/public key In-Reply-To: <5492FB2B.5030702@mail.ru> References: <5491BE37.8070309@mail.ru> <5492FB2B.5030702@mail.ru> Message-ID: <5492FCA6.5000906@mail.ru> On 18/12/14 16:04, Duplicity Mailing List wrote: > It's _only_ for signing, _not_ for > encrypting/transportation of data Ignore all of this. I made a huge mistake, apparently you can encrypt data and store it in the ASCII files, I have no idea why I thought you couldn't, it's so logical that you can, all it is doing is storing bytes as ASCII, it's just I've never seen it in use so I never connected the dots until I read vedaal's message. What I'm trying to say is:- .asc can be used for encrypted connect, albeit probably not recommending if you're sending large files, just as much as it can be used for signatures. Signatures are to verify the content hasn't been modified, encryption is to verify that only the recipient can read the data, and encrypt+sign is to verify the data hasn't been modified and the recipient is the only one who can read it. There we go, sorry for the mistake, I feel very stupid right about now. From dkg at fifthhorseman.net Thu Dec 18 17:49:27 2014 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Thu, 18 Dec 2014 11:49:27 -0500 Subject: Refreshing private key In-Reply-To: <5492F1B2.90107@sixdemonbag.org> References: <5492F1B2.90107@sixdemonbag.org> Message-ID: <54930597.6080309@fifthhorseman.net> On 12/18/2014 10:24 AM, Robert J. Hansen wrote: >> My current key is 2048 bits in length and I would like to have >> something that is closer to 8192 bits in length. Is there a way that >> I can accomplish this... > > Definitely not from GnuPG, and probably not from without it, either. There are clearly tools that you can use to make larger keys than 4096-bit RSA, e.g. gnutls-bin + monkeysphere: certtool -p --bits 8192 | pem2openpgp 'Test User ' (this will produce a binary-formatted OpenPGP key on stdout, so you probably want to send it to a file or something) but I don't recommend trying to do this, because these larger RSA keys are expensive to use compared to the marginal extra security, and their signatures are large. I recommend sticking with 4096-bit RSA for now; for stronger keys you'll eventually want to move to a large ECC key (though the choices we have at the moment for ECC have some shadow of suspicion over them). > Further, you cannot change the length of the primary subkey on a > certificate. "primary subkey" doesn't make much sense. I'm pretty sure Robert means "primary key". --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 949 bytes Desc: OpenPGP digital signature URL: From kloecker at kde.org Thu Dec 18 18:27:59 2014 From: kloecker at kde.org (Ingo =?ISO-8859-1?Q?Kl=F6cker?=) Date: Thu, 18 Dec 2014 18:27:59 +0100 Subject: [Announce] GnuPG 2.1.1 released In-Reply-To: References: <874msveem4.fsf@vigenere.g10code.de> Message-ID: <4796267.Th3998rHsP@collossus.ingo-kloecker.de> On Thursday 18 December 2014 10:59:09 Dave Pawson wrote: > Running Fedora 21, 64 bit. > ./configure gave error > missing ksba > Downloaded. > ./configure gave libgpg-error is needed. > > # yum install --disablerepo=Dropbox libgpg-error > Loaded plugins: langpacks > Package libgpg-error-1.13-3.fc21.x86_64 already installed and latest version > Nothing to do > > Circular error? I guess you are lacking the development package of libgpg-error. It's probably called libgpg-error-devel. Whenever you want to build something yourself you have to install the development packages of all dependencies. Normal users don't need them. Therefore they are usually not installed by default. Regards, Ingo -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part. URL: From rjh at sixdemonbag.org Thu Dec 18 20:30:34 2014 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 18 Dec 2014 14:30:34 -0500 Subject: Refreshing private key In-Reply-To: <54930597.6080309@fifthhorseman.net> References: <5492F1B2.90107@sixdemonbag.org> <54930597.6080309@fifthhorseman.net> Message-ID: <54932B5A.50000@sixdemonbag.org> > "primary subkey" doesn't make much sense. I'm pretty sure Robert > means "primary key". Sorry, a little bit of inside baseball there [1]. tl;dr version -- Daniel's right. Longer version follows. At work I'm twiddling about with an OpenPGP parser and for various reasons you really don't want me to get into, the class that defines primary keys is a subclass of the class that defines subkeys. It seems backwards, but needs to be that way to preserve Liskov substitutability. As a result, I wind up talking about "primary subkeys" because in my head I'm talking about the PrimarySubkey class. :) [1] http://en.wikipedia.org/wiki/Inside_baseball_%28metaphor%29 From megamansec at gmail.com Thu Dec 18 11:14:26 2014 From: megamansec at gmail.com (Joshua Rogers) Date: Thu, 18 Dec 2014 21:14:26 +1100 Subject: latest version build error Message-ID: <5492A902.3050404@gmail.com> Hi, I'm trying to build the latest version of gnupgp from the git repo, but I'm encountering a problem while compiling it. It all compiles fine up until logging.c. gcc -g -O2 -O3 -Wall -Wcast-align -Wshadow -Wstrict-prototypes -Wformat -Wno-format-y2k -Wformat-security -W -Wno-sign-compare -Wno-missing-field-initializers -Wdeclaration-after-statement -Wno-pointer-sign -Wpointer-arith -o t-stringhelp t-stringhelp.o t-support.o libcommon.a -lgcrypt -lassuan -L/usr/lib/x86_64-linux-gnu -lgpg-error -L/usr/local/lib -lgpg-error libcommon.a(libcommon_a-logging.o): In function `set_file_fd': gnupg/common/logging.c:449: undefined reference to `gpgrt_fclose' gnupg/common/logging.c:457: undefined reference to `_gpgrt_get_std_stream' gnupg/common/logging.c:457: undefined reference to `gpgrt_fileno' gnupg/common/logging.c:516: undefined reference to `gpgrt_fopencookie' gnupg/common/logging.c:523: undefined reference to `gpgrt_setvbuf' gnupg/common/logging.c:521: undefined reference to `_gpgrt_get_std_stream' [.....] From a Google search, gpgrt_fclose, for example, is in libgpg-error. # strings -a /usr/local/lib/libgpg-error.so.0 | grep 'gpgrt_fclose' gpgrt_fclose gpgrt_fclose_snatch _gpgrt_fclose_snatch _gpgrt_fclose _gpgrt_fclose _gpgrt_fclose_snatch gpgrt_fclose_snatch gpgrt_fclose I run: # ./configure --build=x86_64-pc-linux-gnu --enable-maintainer-mode --with-libgpg-error-prefix=/usr/local which outputs no errors, and this info: GnuPG v2.1.2 has been configured as follows: Revision: 5cb6df8 (23734) Platform: GNU/Linux (x86_64-pc-linux-gnu) OpenPGP: yes S/MIME: yes Agent: yes Smartcard: yes G13: yes Dirmngr: yes Gpgtar: yes Protect tool: (default) LDAP wrapper: (default) Default agent: (default) Default pinentry: (default) Default scdaemon: (default) Default dirmngr: (default) Dirmngr auto start: yes Readline support: yes LDAP support: yes DNS SRV support: yes TLS support: gnutls Any suggestions? P.S: Please CC me, as I'm not subscribed to this list. Thanks, -- -- Joshua Rogers -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 884 bytes Desc: OpenPGP digital signature URL: From realhosting at Safe-mail.net Thu Dec 18 15:34:40 2014 From: realhosting at Safe-mail.net (realhosting at Safe-mail.net) Date: Thu, 18 Dec 2014 09:34:40 -0500 Subject: Installation Message-ID: I can't install. Please help root at server1:/var/www/gnupg-2.0.26# ./configure bash: ./configure: Permission denied root at server1:/var/www/gnupg-2.0.26# chmod -R 777 * root at server1:/var/www/gnupg-2.0.26# ./configure checking for a BSD-compatible install... /usr/bin/install -c checking whether build environment is sane... yes checking for a thread-safe mkdir -p... /bin/mkdir -p checking for gawk... gawk checking whether make sets $(MAKE)... yes checking build system type... x86_64-unknown-linux-gnu checking host system type... x86_64-unknown-linux-gnu configure: autobuild project... gnupg configure: autobuild revision... 2.0.26 configure: autobuild hostname... server1 configure: autobuild timestamp... 20141218-193017 checking for style of include used by make... GNU checking for gcc... no checking for cc... no checking for cl.exe... no configure: error: in `/var/www/gnupg-2.0.26': configure: error: no acceptable C compiler found in $PATH See `config.log' for more details From 2014-667rhzu3dc-lists-groups at riseup.net Thu Dec 18 22:50:37 2014 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Thu, 18 Dec 2014 21:50:37 +0000 Subject: [Announce] GnuPG 2.1.1 released In-Reply-To: <87388d5nym.fsf@vigenere.g10code.de> References: <874msveem4.fsf@vigenere.g10code.de> <1414437482.20141217212139@my_localhost> <87388d5nym.fsf@vigenere.g10code.de> Message-ID: <1247473308.20141218215037@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Thursday 18 December 2014 at 9:03:45 AM, in , Werner Koch wrote: > I don't see any chnage in this part of the code. Did > it worked in 2.0? I had not used 2.0 much at all because my email app of choice doesn't play nice with it (but is fine with 2.1). I have 2.0.20 and 2.0.26 to hand; I just tested with them and found it didn't work for me. For both of these, the error message was slightly different than I see with 2.1:- gpg: system error while calling external program: Permission denied gpg: unable to display photo ID! ^^^^^^^^^^^^^^^^^ instead of:- gpg: system error while calling external program: No error gpg: unable to display photo ID! ^^^^^^^^ > Can you test on Unix too? (Debugging there is much > easier for me). The best I can do is try to get my Linux partition working again, if the wife doesn't invent too much that "needs" doing over Christmas. - -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net After all is said and done, a lot more will be said than done. -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJUk0wwXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2 QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwZc8IAIEkdqDjV5WK7Y6cHZF2Vi54 JCDD0U1set5Cs0nczv7jFTXAI15JIsw5brWRcPlKzDM4uBwNgnhFBC5Arr4f/UHB 2Yd1cmaGFE90ArQ4j9resAZ6Pv0MIvbvL3GwL/kvUAU6gPAqS72PlO9dyafmIbYz id6xDJCwOpJFT5XVYSAThJ2n/+Ao4KuOMsPqt9sU1QdSMNJwKS7MUdFil/85AK1p kIW7I/sIK+sLYwrvDIon3T8V/Za/eMeJVjM8AgD1A7pNbynh161hV9bH+GHXNGxC GkM1Kbj4ufK0dkow9ZEhwKeQnG7wx8Y+bcUoFJ9KNIorfEke/wU+b3ZQP87DrSuI vgQBFgoAZgUCVJNMOF8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45LljAQCATOKlAtFkQd+KRGSeO4QLj/HR PXMd+g/TcollLscJNQEATn+VQZ6opqQZxDvtAewoqSRSYLGBETmzJhKiA0Wjgw8= =GTud -----END PGP SIGNATURE----- From dkg at fifthhorseman.net Thu Dec 18 23:20:51 2014 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Thu, 18 Dec 2014 17:20:51 -0500 Subject: latest version build error In-Reply-To: <5492A902.3050404@gmail.com> References: <5492A902.3050404@gmail.com> Message-ID: <54935343.4070103@fifthhorseman.net> On 12/18/2014 05:14 AM, Joshua Rogers wrote: > I'm trying to build the latest version of gnupgp from the git repo, but > I'm encountering a problem while compiling it. I think you mean gnupg, not gnupgp :) > libcommon.a(libcommon_a-logging.o): In function `set_file_fd': > gnupg/common/logging.c:449: undefined reference to `gpgrt_fclose' > gnupg/common/logging.c:457: undefined reference to `_gpgrt_get_std_stream' > gnupg/common/logging.c:457: undefined reference to `gpgrt_fileno' > gnupg/common/logging.c:516: undefined reference to `gpgrt_fopencookie' > gnupg/common/logging.c:523: undefined reference to `gpgrt_setvbuf' > gnupg/common/logging.c:521: undefined reference to `_gpgrt_get_std_stream' > [.....] > > From a Google search, gpgrt_fclose, for example, is in libgpg-error. You don't mention what platform you're on, but given your recent reports in the debian BTS, i think you're using debian. The package you're probably looking for is libgpg-error-dev. hth, --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 949 bytes Desc: OpenPGP digital signature URL: From frase at frase.id.au Fri Dec 19 00:34:44 2014 From: frase at frase.id.au (Fraser Tweedale) Date: Fri, 19 Dec 2014 09:34:44 +1000 Subject: Installation In-Reply-To: References: Message-ID: <20141218233443.GF13244@bacardi.hollandpark.frase.id.au> On Thu, Dec 18, 2014 at 09:34:40AM -0500, realhosting at Safe-mail.net wrote: > I can't install. Please help > > root at server1:/var/www/gnupg-2.0.26# ./configure > bash: ./configure: Permission denied > root at server1:/var/www/gnupg-2.0.26# chmod -R 777 * > root at server1:/var/www/gnupg-2.0.26# ./configure > checking for a BSD-compatible install... /usr/bin/install -c > checking whether build environment is sane... yes > checking for a thread-safe mkdir -p... /bin/mkdir -p > checking for gawk... gawk > checking whether make sets $(MAKE)... yes > checking build system type... x86_64-unknown-linux-gnu > checking host system type... x86_64-unknown-linux-gnu > configure: autobuild project... gnupg > configure: autobuild revision... 2.0.26 > configure: autobuild hostname... server1 > configure: autobuild timestamp... 20141218-193017 > checking for style of include used by make... GNU > checking for gcc... no > checking for cc... no > checking for cl.exe... no > configure: error: in `/var/www/gnupg-2.0.26': > configure: error: no acceptable C compiler found in $PATH > See `config.log' for more details > Hi, A compiler cannot be found. Do you have a C compiler installed? If so, which compiler (and operating system?) If not, you could install `gcc' and try again. Cheers, Fraser -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 819 bytes Desc: not available URL: From dougb at dougbarton.email Fri Dec 19 03:08:40 2014 From: dougb at dougbarton.email (Doug Barton) Date: Thu, 18 Dec 2014 18:08:40 -0800 Subject: OT, but related ... =?UTF-8?B?R29vZ2xl4oCZcyBFbmQtVG8tRW5kIEVtYWk=?= =?UTF-8?B?bCBFbmNyeXB0aW9uIFRvb2wgR2V0cyBDbG9zZXIgVG8gTGF1bmNo?= Message-ID: <549388A8.3060204@dougbarton.email> The relevant bit is that the code is now public at github, so anyone interested can review it, and provide comments. http://techcrunch.com/2014/12/17/googles-end-to-end-email-encryption-tool-gets-closer-to-launch/ From dkg at fifthhorseman.net Fri Dec 19 08:11:56 2014 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Fri, 19 Dec 2014 02:11:56 -0500 Subject: latest version build error In-Reply-To: <5493C74B.2070203@gmail.com> References: <5492A902.3050404@gmail.com> <54935343.4070103@fifthhorseman.net> <5493C74B.2070203@gmail.com> Message-ID: <5493CFBC.8000104@fifthhorseman.net> On 12/19/2014 01:35 AM, Joshua Rogers wrote: > On 19/12/14 09:20, Daniel Kahn Gillmor wrote: >> You don't mention what platform you're on, but given your recent reports >> in the debian BTS, i think you're using debian. The package you're >> probably looking for is libgpg-error-dev. > I'm using > ftp://ftp.gnupg.org/gcrypt/libgpg-error/libgpg-error-1.17.tar.gz , but > still to no avail. > > Is that the right package? how is it installed? if you're using debian testing or unstable, it's probably best to just do: apt-get install libgpg-error-dev --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 949 bytes Desc: OpenPGP digital signature URL: From wk at gnupg.org Fri Dec 19 08:33:35 2014 From: wk at gnupg.org (Werner Koch) Date: Fri, 19 Dec 2014 08:33:35 +0100 Subject: [Announce] GnuPG 2.1.1 released In-Reply-To: <1247473308.20141218215037@my_localhost> (MFPA's message of "Thu, 18 Dec 2014 21:50:37 +0000") References: <874msveem4.fsf@vigenere.g10code.de> <1414437482.20141217212139@my_localhost> <87388d5nym.fsf@vigenere.g10code.de> <1247473308.20141218215037@my_localhost> Message-ID: <87oar02iwg.fsf@vigenere.g10code.de> On Thu, 18 Dec 2014 22:50, 2014-667rhzu3dc-lists-groups at riseup.net said: > gpg: system error while calling external program: Permission denied > gpg: unable to display photo ID! ^^^^^^^^^^^^^^^^^ > > instead of:- > > gpg: system error while calling external program: No error > gpg: unable to display photo ID! ^^^^^^^^ I think I fixed this wrong error message yesterday in the npth library. No new release yet, though. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From gnupgpacker at on.yourweb.de Fri Dec 19 09:09:32 2014 From: gnupgpacker at on.yourweb.de (gnupgpacker) Date: Fri, 19 Dec 2014 09:09:32 +0100 Subject: Refreshing private key Message-ID: <001801d01b63$1e796990$5b6c3cb0$@on.yourweb.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hello, is there is a need keeping old key id, you can generate new subkeys for A/S/E, keeping the old 2048bit certification key C only for offline signing. Keystructure: Mainkey with old ID 2048bit - - Subkey A 8096bit - - Subkey S 8096bit (beware of this, long signature...) - - Subkey E 8096bit Old subkeys can be deactivated/revoked or not, GPG will use latest keys generated. Generating keys > 4096bit can be done with GnuPG-Pack up to 50176bit (RSA) with some additional features: http://home.arcor.de/rose-indorf/ Beware of compatibility with standard gpg installations! Security advantage isn't as great as it seems to be... Regards, Chris (RSA-Testkey 0x3E2E0598) > -----Original Message----- > Sent: Thursday, December 18, 2014 11:52 AM > My current key is 2048 bits in length and I > would like to have something that is closer to 8192 bits in length. Is > there a way that I can accomplish this without revoking my key so that I > can keep the same public key id? Any preferred RTFMing you can point me > to? -----BEGIN PGP SIGNATURE----- iQIcBAEBCAAGBQJUk908AAoJEMMs0SrWTTEmRz4P/i8iJYKz5ta0145WEH3E64A5 mzVkN/7YI9mXapYp/7YzQAYq583P8kKoubCQorvyXYOI2RnehsThw/lRSvU3KId7 u+iqxdPOMT10tWzBSjIObxNZiw5DEV733Y8uI+I0CVSAiVYlvEEPY2j76SMngwWQ XkcJUW2oOagnJSfK8IKJ3es+N72JHh7ZHJQYTj1iV+SKJN83Y+RdP4XcSJiHjLsu hWeim3h19gYg/Kt9SQDIaJj94ucP2b9QADdZjQEx0yYUdZMpswa0Velq69LwWKi9 PUkR47R9PdJbfo0AeCfXmVY4kto2gkUNvgbFWcAko7CTVY+fJyIrFl/4MaDi/vo9 oNLNmhdUUHbXaxVQaAAuR+yK0aQu6C+hHWTzlKdmhGgPPQxcFLBmiLplv+Q36qmI JHd5j2On6uzJ1s3WtvxcOr9Hs1f54q0LpkK6X4bMj91/PY9DLzNLXTOSGpq2ICsm H++zQC3Nz1Ap8CIY5bsuZJpjZgpeIBPL2QMvmg53DpozSb2PAL4quCeNDRcluFjc 7ReOQ7BHUbXTN2EBSlhA/oBPr8eFh/qdLBN+9toR+7eX4ScFIauwegOxVjj+Eq00 9HSJBOTI7KS+MRarnkMoKP3CG4HjbiVpUIRUEI86O+pY0SkjgtDPVDyxh4uRkuJe uxhLHOtkSF3qCL07P0h7 =iVQV -----END PGP SIGNATURE----- From Dhiraj.Haritwal at ap.sony.com Fri Dec 19 10:14:05 2014 From: Dhiraj.Haritwal at ap.sony.com (Haritwal, Dhiraj) Date: Fri, 19 Dec 2014 09:14:05 +0000 Subject: Unable to encrypt file with private/public key In-Reply-To: <5492FB2B.5030702@mail.ru> References: <5491BE37.8070309@mail.ru> <5492FB2B.5030702@mail.ru> Message-ID: Thank you all for your response. What I have learned so far from these threads is Signing always require a passphrase whereas encryption can be done without Passphrase & it requires a Key. Correct me if my understand is not correct. I was doing a mistake. I was trying to encrypt the file with Partner Key hence it was showing the warning. While sending the file to partner I have to use my own key which I have share with them to decrypt it. Regards, Dhiraj -----Original Message----- From: Gnupg-users [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Duplicity Mailing List Sent: 18 December 2014 21:35 To: gnupg-users at gnupg.org Subject: Re: Unable to encrypt file with private/public key On 18/12/14 15:39, Haritwal, Dhiraj wrote: > Hi, > > Thanks for your response. > > About the below command, it's asking for passphrase whereas my requirement is to use only keys to encrypt/sign it. > > gpg2 -u FFEEDDCC -r AABBCCDD -se supersecret.txt > > I tried below command which shows confirmation screen where I have entered y (yes) & now able to see a file named supersecret.txt.gpg. m not sure what file it is because it think encrypted file should has an .asc extension. > > ./gpg --encrypt --hidden-recipient AABBCCDD supersecret.txt > gpg: 89709B71: There is no assurance this key belongs to the named > user > > > Regards, > > Dhiraj .gpg is the extension of encrypted files, .asc is normally ASCII armored files (Signatures and the like), if you'd like to generate one of those, look into the -a option (for Ascii). A complete command would look something like `gpg2 -u AABBCCDD -as supersecret.txt`. The generated supersecret.txt.asc will only verify to someone who already has the .txt that it hasn't been touched/modified and that the key AABBCCDD did verify it as being legitimate, they won't be able to extrapolate supersecret.txt out of it. It's _only_ for signing, _not_ for encrypting/transportation of data, which is why you often see them on this mailing list and downloads (You want to verify that the user sent the data, but not encrypt it (Since it's public)). If you try to run:- >gpg -d supersecret.txt.gpg It should tell you it's encrypted and the destination public key, then error out (As it's not destined for you). As for the "There is no assurance this key belongs to thhe named user", this is because you haven't trusted them yet. If you do trust the key as being the key they claim to be, and have verified the key through out-of-bands means (I.E. Not over the internet, or using an already secure channel over the internet, this is *not* emails, this is *not* Skype, this is *not* text messages), then you can take a look at this:- https://www.gnupg.org/gph/en/manual/x334.html P.S. I'm replying to you on-list for the reasons:- 1. People are able to verify if I say anything stupid 2. In the case I haven't said anything stupid, someone else could also learn from this (I.E. Location this thread in the future via a search engine). I recommend you do the same. _______________________________________________ Gnupg-users mailing list Gnupg-users at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users ________________________________ This email is confidential and intended only for the use of the individual or entity named above and may contain information that is privileged. If you are not the intended recipient, you are notified that any dissemination, distribution or copying of this email is strictly prohibited. If you have received this email in error, please notify us immediately by return email or telephone and destroy the original message. - This mail is sent via Sony Asia Pacific Mail Gateway.. From gnupgpacker at on.yourweb.de Fri Dec 19 11:02:17 2014 From: gnupgpacker at on.yourweb.de (gnupgpacker) Date: Fri, 19 Dec 2014 11:02:17 +0100 Subject: Unable to encrypt file with private/public key Message-ID: <000001d01b72$defa4630$9ceed290$@on.yourweb.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 @Dhiraj: Encrypting: You encrypt a message with recipient's public key, no password is required. (Password is only known by recipient.) Signing: You sign a message with your own private key, you must admit your private key's password. Regards, Chris (RSA-Testkey 0x3E2E0598) > What I have > learned so far from these threads is Signing always require a passphrase > whereas encryption can be done without Passphrase & it requires a Key. > Correct me if my understand is not correct. > I was doing a mistake. I > was trying to encrypt the file with Partner Key hence it was showing the > warning. While sending the file to partner I have to use my own key > which I have share with them to decrypt it. -----BEGIN PGP SIGNATURE----- iQIcBAEBCAAGBQJUk/epAAoJEMMs0SrWTTEmkz8P/1yuKwvlFf4w2tE4/q84G/Ae zqhvgcwK5ILEfBJtL6Hc027ujnrmATe42Vk4TCaN1aEG8/uLPlsqIO8+ZfVV0YDl +UP+eLPw9Zqi7Bq+tvKtbSfS7VTmAUYtfTckAco/1PBfI5Sm0EbzvGf1jzPGHgoH z1b3MiYy4RWK/S3syL8TmV6tPYpl+Jf9D5qtMTQ/e0SfoLm4AFRTg5N/vU0Hg1Xc h1oEHDmRdlZ2TZTTsGscfx9WwzruVpg2cxZeUgZ4uFfgGOdazHvpEy+li/yVRAwf PWoM5xjPte9Tc0/5q4NL7CFvvlKMdLJhZHAOhjIFOvHrCIlEhViy8kKoqoFyKG9a HmzyNL3tajRASCdXaN92UUee2781nB7FIer65QoUdQ7cTozUHF3A2GCRwKu/jyb+ QLa8VOxPF/UUdeS9sYcoe2Cu4A69HJnohYpTaLzAnr89O7FyK2zjqbtIJhxoXy8v 6IIk1DfYCZkb9k1E3dMoIORGYCwdCcnNdJUkA4EkOh+9+a2e4hThnJm0b3OUT9Jy NShDaMS+ZFv61Wv5KH8js/d38ryG5lXcopNuav2LxHb+zMh8CulFQ8FhW4rVA72S pJFRmGfEusRVnCaPCwCHcOOlM8gHyZGrCP/GmrLT7v8vKe/AGbXCtavCss8UWeNz x/GqhPsbfXE1FuhMHWhF =r8V4 -----END PGP SIGNATURE----- From dominyktiller at gmail.com Thu Dec 18 21:19:56 2014 From: dominyktiller at gmail.com (Dominyk Tiller) Date: Thu, 18 Dec 2014 20:19:56 +0000 Subject: [Announce] GnuPG 2.1.1 released In-Reply-To: <87h9wt5paj.fsf@vigenere.g10code.de> References: <874msveem4.fsf@vigenere.g10code.de> <54917D0D.3060007@gmail.com> <87h9wt5paj.fsf@vigenere.g10code.de> Message-ID: <549336EC.7070209@gmail.com> Apologies, that option is indeed gone. I was trying to pass it anyhow, in order to use an external (but up-to-date) gpg-agent as my agent, because that's how I was configuring the 2.0.x branch, "--disable-agent --with-agent-pgm=/usr/local/opt/gpg-agent/bin/gpg-agent". When I went to build this new release of the 2.1.x branch I just automatically passed those configure options, and when the configure script didn't flag the option as unrecognised I wondered if it was a bug that it was erroring out. I should have probably double-checked to see if I was just being stupid ;). Cheers for the reply, Dom Sent from OS X. If you wish to communicate more securely my PGP Public Key is 0x872524db9d74326c. On 18/12/2014 08:35, Werner Koch wrote: > On Wed, 17 Dec 2014 13:54, dominyktiller at gmail.com said: > >> I'm still hitting a new one though. If you attempt to compile using an >> external gpg-agent, rather than one with the package, you hit this: > > You mean an option --disable-agent? Do we still have this option - it > needs to be removed. gpg-agent is not optional. > > > > Salam-Shalom, > > Werner > -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 801 bytes Desc: OpenPGP digital signature URL: From megamansec at gmail.com Fri Dec 19 07:35:55 2014 From: megamansec at gmail.com (Joshua Rogers) Date: Fri, 19 Dec 2014 17:35:55 +1100 Subject: latest version build error In-Reply-To: <54935343.4070103@fifthhorseman.net> References: <5492A902.3050404@gmail.com> <54935343.4070103@fifthhorseman.net> Message-ID: <5493C74B.2070203@gmail.com> On 19/12/14 09:20, Daniel Kahn Gillmor wrote: > You don't mention what platform you're on, but given your recent reports > in the debian BTS, i think you're using debian. The package you're > probably looking for is libgpg-error-dev. I'm using ftp://ftp.gnupg.org/gcrypt/libgpg-error/libgpg-error-1.17.tar.gz , but still to no avail. Is that the right package? Thanks, -- -- Joshua Rogers -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 884 bytes Desc: OpenPGP digital signature URL: From megamansec at gmail.com Fri Dec 19 08:13:02 2014 From: megamansec at gmail.com (Joshua Rogers) Date: Fri, 19 Dec 2014 18:13:02 +1100 Subject: latest version build error In-Reply-To: <5493C74B.2070203@gmail.com> References: <5492A902.3050404@gmail.com> <54935343.4070103@fifthhorseman.net> <5493C74B.2070203@gmail.com> Message-ID: <5493CFFE.3060802@gmail.com> On 19/12/14 17:35, Joshua Rogers wrote: > On 19/12/14 09:20, Daniel Kahn Gillmor wrote: >> > You don't mention what platform you're on, but given your recent reports >> > in the debian BTS, i think you're using debian. The package you're >> > probably looking for is libgpg-error-dev. > I'm using > ftp://ftp.gnupg.org/gcrypt/libgpg-error/libgpg-error-1.17.tar.gz , but > still to no avail. > > Is that the right package? > > Thanks, Ends up that I had an old installation of libgpg-error still on the box. I just did apt-get remove libgpg-error-dev. I did use --with-gpg-error=/usr/local (or whatever it is), which is strange, though.. -- -- Joshua Rogers -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 884 bytes Desc: OpenPGP digital signature URL: From Dhiraj.Haritwal at ap.sony.com Fri Dec 19 11:36:02 2014 From: Dhiraj.Haritwal at ap.sony.com (Haritwal, Dhiraj) Date: Fri, 19 Dec 2014 10:36:02 +0000 Subject: Unable to encrypt file with private/public key In-Reply-To: <000001d01b72$defa4630$9ceed290$@on.yourweb.de> References: <000001d01b72$defa4630$9ceed290$@on.yourweb.de> Message-ID: Thanks for the clarification, Chris. I got confused with recipient switch. In general (Exchange), Recipient is the one to whom we are sending the data or who will receive data. In our case we are sending the data to partner hence I was using partner's public key to encrypt the file. After I used my private key, the warning has gone & the file is encrypted in .asc format. One more query, partner is saying they are unable to decrypt this file with my private key which they have trusted & asking to encrypt this file with my private key & their public key (already trusted on my server). when I am suing both the key identifier's, giving some syntax error. Kindly suggest how can I do this. Dhiraj -----Original Message----- From: Gnupg-users [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of gnupgpacker Sent: 19 December 2014 15:32 To: gnupg-users at gnupg.org Subject: Unable to encrypt file with private/public key -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 @Dhiraj: Encrypting: You encrypt a message with recipient's public key, no password is required. (Password is only known by recipient.) Signing: You sign a message with your own private key, you must admit your private key's password. Regards, Chris (RSA-Testkey 0x3E2E0598) > What I have > learned so far from these threads is Signing always require a > passphrase whereas encryption can be done without Passphrase & it requires a Key. > Correct me if my understand is not correct. > I was doing a mistake. I > was trying to encrypt the file with Partner Key hence it was showing > the warning. While sending the file to partner I have to use my own > key which I have share with them to decrypt it. -----BEGIN PGP SIGNATURE----- iQIcBAEBCAAGBQJUk/epAAoJEMMs0SrWTTEmkz8P/1yuKwvlFf4w2tE4/q84G/Ae zqhvgcwK5ILEfBJtL6Hc027ujnrmATe42Vk4TCaN1aEG8/uLPlsqIO8+ZfVV0YDl +UP+eLPw9Zqi7Bq+tvKtbSfS7VTmAUYtfTckAco/1PBfI5Sm0EbzvGf1jzPGHgoH z1b3MiYy4RWK/S3syL8TmV6tPYpl+Jf9D5qtMTQ/e0SfoLm4AFRTg5N/vU0Hg1Xc h1oEHDmRdlZ2TZTTsGscfx9WwzruVpg2cxZeUgZ4uFfgGOdazHvpEy+li/yVRAwf PWoM5xjPte9Tc0/5q4NL7CFvvlKMdLJhZHAOhjIFOvHrCIlEhViy8kKoqoFyKG9a HmzyNL3tajRASCdXaN92UUee2781nB7FIer65QoUdQ7cTozUHF3A2GCRwKu/jyb+ QLa8VOxPF/UUdeS9sYcoe2Cu4A69HJnohYpTaLzAnr89O7FyK2zjqbtIJhxoXy8v 6IIk1DfYCZkb9k1E3dMoIORGYCwdCcnNdJUkA4EkOh+9+a2e4hThnJm0b3OUT9Jy NShDaMS+ZFv61Wv5KH8js/d38ryG5lXcopNuav2LxHb+zMh8CulFQ8FhW4rVA72S pJFRmGfEusRVnCaPCwCHcOOlM8gHyZGrCP/GmrLT7v8vKe/AGbXCtavCss8UWeNz x/GqhPsbfXE1FuhMHWhF =r8V4 -----END PGP SIGNATURE----- _______________________________________________ Gnupg-users mailing list Gnupg-users at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users ________________________________ This email is confidential and intended only for the use of the individual or entity named above and may contain information that is privileged. If you are not the intended recipient, you are notified that any dissemination, distribution or copying of this email is strictly prohibited. If you have received this email in error, please notify us immediately by return email or telephone and destroy the original message. - This mail is sent via Sony Asia Pacific Mail Gateway.. From Dhiraj.Haritwal at ap.sony.com Fri Dec 19 12:05:05 2014 From: Dhiraj.Haritwal at ap.sony.com (Haritwal, Dhiraj) Date: Fri, 19 Dec 2014 11:05:05 +0000 Subject: Unable to encrypt file with private/public key In-Reply-To: References: <000001d01b72$defa4630$9ceed290$@on.yourweb.de> Message-ID: One more thing, this time when I encrypt the file with my private key (without sign & only with armor switch), it's still asking passphrase to decrypt it even on my same server. That means it's still using PassPhrase to encrypt the file. Does it somewhere set by default in the Gnupg config. Dhiraj -----Original Message----- From: Gnupg-users [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Haritwal, Dhiraj Sent: 19 December 2014 16:06 To: gnupgpacker; gnupg-users at gnupg.org Subject: RE: Unable to encrypt file with private/public key Thanks for the clarification, Chris. I got confused with recipient switch. In general (Exchange), Recipient is the one to whom we are sending the data or who will receive data. In our case we are sending the data to partner hence I was using partner's public key to encrypt the file. After I used my private key, the warning has gone & the file is encrypted in .asc format. One more query, partner is saying they are unable to decrypt this file with my private key which they have trusted & asking to encrypt this file with my private key & their public key (already trusted on my server). when I am suing both the key identifier's, giving some syntax error. Kindly suggest how can I do this. Dhiraj -----Original Message----- From: Gnupg-users [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of gnupgpacker Sent: 19 December 2014 15:32 To: gnupg-users at gnupg.org Subject: Unable to encrypt file with private/public key -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 @Dhiraj: Encrypting: You encrypt a message with recipient's public key, no password is required. (Password is only known by recipient.) Signing: You sign a message with your own private key, you must admit your private key's password. Regards, Chris (RSA-Testkey 0x3E2E0598) > What I have > learned so far from these threads is Signing always require a > passphrase whereas encryption can be done without Passphrase & it requires a Key. > Correct me if my understand is not correct. > I was doing a mistake. I > was trying to encrypt the file with Partner Key hence it was showing > the warning. While sending the file to partner I have to use my own > key which I have share with them to decrypt it. -----BEGIN PGP SIGNATURE----- iQIcBAEBCAAGBQJUk/epAAoJEMMs0SrWTTEmkz8P/1yuKwvlFf4w2tE4/q84G/Ae zqhvgcwK5ILEfBJtL6Hc027ujnrmATe42Vk4TCaN1aEG8/uLPlsqIO8+ZfVV0YDl +UP+eLPw9Zqi7Bq+tvKtbSfS7VTmAUYtfTckAco/1PBfI5Sm0EbzvGf1jzPGHgoH z1b3MiYy4RWK/S3syL8TmV6tPYpl+Jf9D5qtMTQ/e0SfoLm4AFRTg5N/vU0Hg1Xc h1oEHDmRdlZ2TZTTsGscfx9WwzruVpg2cxZeUgZ4uFfgGOdazHvpEy+li/yVRAwf PWoM5xjPte9Tc0/5q4NL7CFvvlKMdLJhZHAOhjIFOvHrCIlEhViy8kKoqoFyKG9a HmzyNL3tajRASCdXaN92UUee2781nB7FIer65QoUdQ7cTozUHF3A2GCRwKu/jyb+ QLa8VOxPF/UUdeS9sYcoe2Cu4A69HJnohYpTaLzAnr89O7FyK2zjqbtIJhxoXy8v 6IIk1DfYCZkb9k1E3dMoIORGYCwdCcnNdJUkA4EkOh+9+a2e4hThnJm0b3OUT9Jy NShDaMS+ZFv61Wv5KH8js/d38ryG5lXcopNuav2LxHb+zMh8CulFQ8FhW4rVA72S pJFRmGfEusRVnCaPCwCHcOOlM8gHyZGrCP/GmrLT7v8vKe/AGbXCtavCss8UWeNz x/GqhPsbfXE1FuhMHWhF =r8V4 -----END PGP SIGNATURE----- _______________________________________________ Gnupg-users mailing list Gnupg-users at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users ________________________________ This email is confidential and intended only for the use of the individual or entity named above and may contain information that is privileged. If you are not the intended recipient, you are notified that any dissemination, distribution or copying of this email is strictly prohibited. If you have received this email in error, please notify us immediately by return email or telephone and destroy the original message. - This mail is sent via Sony Asia Pacific Mail Gateway.. _______________________________________________ Gnupg-users mailing list Gnupg-users at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users ________________________________ This email is confidential and intended only for the use of the individual or entity named above and may contain information that is privileged. If you are not the intended recipient, you are notified that any dissemination, distribution or copying of this email is strictly prohibited. If you have received this email in error, please notify us immediately by return email or telephone and destroy the original message. - This mail is sent via Sony Asia Pacific Mail Gateway.. From brian at minton.name Fri Dec 19 14:51:30 2014 From: brian at minton.name (Brian Minton) Date: Fri, 19 Dec 2014 08:51:30 -0500 Subject: =?UTF-8?Q?Re=3A_OT=2C_but_related_=2E=2E=2E_Google=E2=80=99s_End=2DTo=2DEnd_Email_?= =?UTF-8?Q?Encryption_Tool_Gets_Closer_To_Launch?= In-Reply-To: <549388A8.3060204@dougbarton.email> References: <549388A8.3060204@dougbarton.email> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Not to mention the fact that they released technical documents about their combined keyserver / logger system. I always thought that would be a good idea, after reading about Certificate Transparency for TLS, to have a similar thing for OpenPGP, which seems to be what they are planning. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iF4EARYIAAYFAlSULR8ACgkQN7lQes/yAW4gNAEAUZVG89IdStRP4yrV4wh/YrlI dMLH/eKzN2GgNRDM+TEBAAHAKT4k9YgDaKPjrQwf5A2Qzm+g5Em6oalyBrPvc/kK =5WU1 -----END PGP SIGNATURE----- On Thu, Dec 18, 2014 at 9:08 PM, Doug Barton wrote: > The relevant bit is that the code is now public at github, so anyone > interested can review it, and provide comments. > > http://techcrunch.com/2014/12/17/googles-end-to-end-email-encryption-tool-gets-closer-to-launch/ > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users From pete at heypete.com Fri Dec 19 16:29:23 2014 From: pete at heypete.com (Pete Stephenson) Date: Fri, 19 Dec 2014 10:29:23 -0500 Subject: Unable to encrypt file with private/public key In-Reply-To: References: <000001d01b72$defa4630$9ceed290$@on.yourweb.de> Message-ID: <54944453.7070403@heypete.com> On 12/19/2014 6:05 AM, Haritwal, Dhiraj wrote: > One more thing, this time when I encrypt the file with my private key > (without sign & only with armor switch), it's still asking passphrase > to decrypt it even on my same server. That means it's still using > PassPhrase to encrypt the file. Does it somewhere set by default in > the Gnupg config. I assume that you mean that you encrypted the file using your own public key. If so, it's normal for GnuPG to prompt you for your passphrase when you decrypt the file: the private key is needed to decrypt the file, and the passphrase is used to unlock the private key so it can be used. When you're using symmetric encryption mode, the passphrase is used to encrypt and decrypt the file. When used with public/private keys, the passphrase is not used at all to encrypt the file. The file is encrypted using the recipient's *public* key[1] and sent to the recipient. The recipient uses their passphrase to unlock their *private* key, which is used to decrypt the file. Public-key crypto is somewhat of a black art, and there's many aspects that can be quite confusing. You might find the "Art of the Problem" video series on cryptography[3] to be interesting. Mozilla also has an introduction to cryptography[4] which might also help clarify things. While it focuses on the use of cryptography in a general web browser-server system, many of the concepts apply to GnuPG. Cheers! -Pete [1] This is a somewhat simplified explanation. In actuality, the file is encrypted using a randomly-generated session key and a symmetric cipher like AES, and the session key is encrypted using the recipient's public key. This "hybrid cryptosystem"[2] has several advantages over encrypting the whole file using the recipient's public key. [2] https://en.wikipedia.org/wiki/Hybrid_cryptosystem [3] https://www.youtube.com/playlist?list=PLB4D701646DAF0817 [4] https://developer.mozilla.org/en-US/docs/Introduction_to_Public-Key_Cryptography From pete at heypete.com Fri Dec 19 15:41:19 2014 From: pete at heypete.com (Pete Stephenson) Date: Fri, 19 Dec 2014 09:41:19 -0500 Subject: Unable to encrypt file with private/public key In-Reply-To: References: <000001d01b72$defa4630$9ceed290$@on.yourweb.de> Message-ID: <5494390F.3070102@heypete.com> On 12/19/2014 5:36 AM, Haritwal, Dhiraj wrote: [snip] > One more query, partner is saying they are unable to decrypt this > file with my private key which they have trusted & asking to encrypt > this file with my private key & their public key (already trusted on > my server). when I am suing both the key identifier's, giving some > syntax error. Kindly suggest how can I do this. I think you mean that your partner is unable to decrypt the file with your *public* (rather than your private) key, right? If so, that's expected behavior: if you have encrypted a message to your partner's public key, your partner needs to use their private key to decrypt the message. They can use your public key for verifying your signature on the encrypted file. Cheers! -Pete From 2014-667rhzu3dc-lists-groups at riseup.net Fri Dec 19 17:20:53 2014 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Fri, 19 Dec 2014 16:20:53 +0000 Subject: [Announce] GnuPG 2.1.1 released In-Reply-To: <87oar02iwg.fsf@vigenere.g10code.de> References: <874msveem4.fsf@vigenere.g10code.de> <1414437482.20141217212139@my_localhost> <87388d5nym.fsf@vigenere.g10code.de> <1247473308.20141218215037@my_localhost> <87oar02iwg.fsf@vigenere.g10code.de> Message-ID: <1735727177.20141219162053@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Friday 19 December 2014 at 7:33:35 AM, in , Werner Koch wrote: > I think I fixed this wrong error message yesterday in > the npth library. No new release yet, though. Comparing --photo-viewer gpg.conf lines with Paul Kapaldo on PGPNET, Paul had no quotes around the path and it was working for him. I removed the quotes to test. (I had always had them in because a path with spaces normally needs them.) It seems --photo-viewer works in 2.0.x and 2.1.x without quotes around the path, and errors with the quotes in place. (1.4.x accepts it with or without). - -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net The problem is not that we're paranoid; it's that we're not paranoid enough. -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJUlFBoXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2 QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwRxsH/20OkR9CGnq6M/Q511hiIN/4 H2WwBLnb/9X5Yzw/kO66XmnlE5p1mO2hH8zFYcOnPJz1P9CMXxzvfDrDGx/naL1r TflZgnVOElMax7MGS+veRP2ITZ9CObvz1QZr79Z/PAgA+Ng3f8Lbs4v0a45c1VQN N32faQJnTKh372EGXlggjRO3pPSIQ2u6/DatrdMfbziYjaofndVM4zatwIZmdgiL JG07Rr2G1e3ZD5USkoYuDYa3x2qST+DSJqkJ+jlgCsfj9fkwVqZ3AnV6slLqzX4K vn6wH4O0GzD52FI+IhbXMs0QXDIWba0tutHo7UpfEmcEz6edtNdyqqC/nRNiiWuI vgQBFgoAZgUCVJRQbV8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45JwHAQA9FeMnnwA+TSSoQUa0ezPtYajM RgCRRcQzNk79I/jcfAEAS+8WkVC6IxhoA/kcxqEDqwcEG6Laz8u39cUxTpqSEQY= =N4ED -----END PGP SIGNATURE----- From ricul77 at gmail.com Fri Dec 19 16:29:28 2014 From: ricul77 at gmail.com (Richard Ulrich) Date: Fri, 19 Dec 2014 16:29:28 +0100 Subject: gpg_agent with python-gnupg Message-ID: <1419002968.2047.3.camel@gmail.com> Hi, I have a python script that signs a message using python-gnupg: import gnupg gpg = gnupg.GPG(gnupghome='~/.gnupg', use_agent=True) qrInfoString = 'some long\nmessage\nspanning multiple\nlines' qrInfoString = str(gpg.sign(qrInfoString, keyid='E8401492!', clearsign=True, binary=False)) The last time I tried it about half a year ago, it worked. Since then with upgrading ubuntu there was a change in behavior of the gpg_agent. I can't remember the details, but it also affected enigform. I'm not sure, but I suspect gpg doesn't get the info about the gpg_agent. How can I verify my assumption, and if true, how can I pass the agent_info to python-gnupg? Rgds Richard -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 473 bytes Desc: This is a digitally signed message part URL: From 2014-667rhzu3dc-lists-groups at riseup.net Fri Dec 19 17:32:34 2014 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Fri, 19 Dec 2014 16:32:34 +0000 Subject: Unable to encrypt file with private/public key In-Reply-To: References: <5491BE37.8070309@mail.ru> <5492FB2B.5030702@mail.ru> Message-ID: <1712964979.20141219163234@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Friday 19 December 2014 at 9:14:05 AM, in , Haritwal, Dhiraj wrote: > Thank you all for your response. > What I have learned so far from these threads is > Signing always require a passphrase whereas encryption > can be done without Passphrase & it requires a Key. > Correct me if my understand is not correct. Each key pair consists of a private key and a public key that are mathematically related. Each user shares their public key with other people, but keeps their private key to themself and protects it with a passphrase. A signature is made with your own private key, which you need the passphrase to use. The person verifying your signature needs only your public key and does not need your passphrase. > I was doing a mistake. I was trying to encrypt the file > with Partner Key hence it was showing the warning. > While sending the file to partner I have to use my own > key which I have share with them to decrypt it. To encrypt a file (or a message) to me, you need only my public key and you do not need a passphrase. To decrypt the file, I need my private key, which I need my passphrase to use. - -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net Change is inevitable except from a vending machine -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJUlFMlXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2 QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwnAIH/00rCZ3q90EP0WVlB8zhQmsV ZzBXJvZ0H7bJmx2Wljo4TjI4lA7v3Ov4ga72kCHnr3EotOLdptrTMkKDP9h3iEkX NovstYyBPwOMHIm3A7Zbm6rneU9TxDv0lcPY2gzYBI2VRLGKDE6uR/kQ5c9kIrUD 1XFwLypBVU22EvGjwAyfvwLs7NIuXQbzTcybPQJBcOkGQe1cdeTHI7hdubScMkYg b57Vn+lVvPwsDDqZHo6lMHgljFXkGHWKEfVJJis/wIBw+FbUvupMDLvNrhrdIqcQ bznJUalkBZxZ4dbkketB7bP3LFnCeKucuGsrGMItsC9mOUs78/X1aQ2kQB+9gLaI vgQBFgoAZgUCVJRTMF8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45NpWAQDVNzrlSMi7HtThaJ2YRBslqYB4 VtYY0lvA1DykRfy7gwEAw8+bHOUDf5YBkYKkQWpnHS7APnngaa1zCUN72H9UFAA= =YB+3 -----END PGP SIGNATURE----- From ricul77 at gmail.com Fri Dec 19 16:32:52 2014 From: ricul77 at gmail.com (Richard Ulrich) Date: Fri, 19 Dec 2014 16:32:52 +0100 Subject: Securing the future of GnuPG with BitCoin Message-ID: <1419003172.2047.5.camel@gmail.com> https://gnupg.org/donate/index.html Pay using BitCoin is missing Rgds Richard -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 473 bytes Desc: This is a digitally signed message part URL: From michard.antoine at gmail.com Fri Dec 19 17:37:44 2014 From: michard.antoine at gmail.com (Antoine Michard) Date: Fri, 19 Dec 2014 17:37:44 +0100 Subject: Securing the future of GnuPG with BitCoin In-Reply-To: <1419003172.2047.5.camel@gmail.com> References: <1419003172.2047.5.camel@gmail.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 I'm agree ! -----BEGIN PGP SIGNATURE----- Version: OpenPGP.js v0.7.2 Comment: http://openpgpjs.org wsBcBAEBCAAQBQJUlFRQCRAQ6tJMY0nl4AAABucH/ihJ17qnQtttqYVPlkCy jK81sUXF2k69mzRxiW5JwHsiwboKtaeWTCY/V4qjKnZXV4MpwqHxj0WGk1j5 44ZA0yy0y+aMLcXoJQpAGdUFLLHI2oUi/xr+PoIBKA4aMeOMAjfYgpGG36DG Y1CVMsJV46wComkFQTceRcKiAgkUoQ93qarpeCWiW/dDxRJ5/vv8INUXexg2 r7PCkoSoJEVHeTSAEabbvMCVCj9ylS13NT4WktmcNPW6ZIq1mmtDDrpAjwvR bqKEEEBN1/wonWWktfoTCf3h+nm0kXLHv7NgqQfm9Jpc0F2bgEEhTbJPgN15 vAYi4FzqXyv1Q9OniowmmL0= =9SWz -----END PGP SIGNATURE----- 2014-12-19 16:32 GMT+01:00 Richard Ulrich : > > https://gnupg.org/donate/index.html > > Pay using BitCoin is missing > > Rgds > Richard > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > -- Antoine Michard -------------- next part -------------- An HTML attachment was scrubbed... URL: From patrick at enigmail.net Fri Dec 19 17:40:51 2014 From: patrick at enigmail.net (Patrick Brunschwig) Date: Fri, 19 Dec 2014 17:40:51 +0100 Subject: [Announce] GnuPG 2.1.1 released In-Reply-To: <877fxp5o7e.fsf@vigenere.g10code.de> References: <874msveem4.fsf__35687.4066791081$1418750491$gmane$org@vigenere.g10code.de> <5491B713.7060804@enigmail.net> <877fxp5o7e.fsf@vigenere.g10code.de> Message-ID: <54945513.7050008@enigmail.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 18.12.14 09:58, Werner Koch wrote: > On Wed, 17 Dec 2014 18:02, patrick at enigmail.net said: > >> I created an installer for GnuPG 2.1.1 on Mac OS X, available >> from here: > > Is that one already useful for general public and shall I add it to > the download page? Yes, it is - I'd love to see it on the download page :-) - -Patrick -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJUlFURAAoJEMk25cDiHiw+ObwIAMMjdG1j5i+3imGktJE2Z1ZS Fp7deEyCFGt7eX3GJS5mKOKBUCmEI8uOofcFhp8V9hh41FSNXrXBMIHU13MElQsB 2rx7Kc3HKFge1adJ2GHuXr5KACt7x7XFVWp+Wevpdt+JfFZUZw3NhhUSq/UXQ4uX DZ4MmXcWMpmYCPpJmkF8CMhGAMCqGmSdgrJQ7mHbL+gFIGclrSqtJARsCXa+uN8R HsZB45bzveohzGS7hVk3u9E8d+Urec6RD/o/VxBarIEpAV7boivgegwRwlb4bE1l kWvzc9g2ycYv9oche6F/TS3+5/e+VK0xYWGxb+mlFqo+EMZDOYLZ8dJ74j/I+pc= =K7CN -----END PGP SIGNATURE----- From dougb at dougbarton.email Fri Dec 19 18:09:40 2014 From: dougb at dougbarton.email (Doug Barton) Date: Fri, 19 Dec 2014 09:09:40 -0800 Subject: [Announce] GnuPG 2.1.1 released In-Reply-To: <5491B713.7060804@enigmail.net> References: <874msveem4.fsf__35687.4066791081$1418750491$gmane$org@vigenere.g10code.de> <5491B713.7060804@enigmail.net> Message-ID: <54945BD4.4010109@dougbarton.email> On 12/17/14 9:02 AM, Patrick Brunschwig wrote: > I created an installer for GnuPG 2.1.1 on Mac OS X, available from here: > > http://sourceforge.net/projects/gpgosx/files/ Patrick, Thank you for the time you've spent on this, but a minor quibble if you don't mind. Could you please provide signatures for the dmg files, and ideally sign the messages you send to the list about them? Doug From rjh at sixdemonbag.org Fri Dec 19 18:19:02 2014 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri, 19 Dec 2014 12:19:02 -0500 Subject: Securing the future of GnuPG with BitCoin In-Reply-To: <1419003172.2047.5.camel@gmail.com> References: <1419003172.2047.5.camel@gmail.com> Message-ID: <54945E06.5010205@sixdemonbag.org> > Pay using BitCoin is missing I suspect it's the opposite: it's not missing at all so much as it's been considered and rejected. BitCoin is more of a currency speculation scheme than it is a serious currency. Further, governments haven't quite figured out how to regulate it yet -- what it should be taxed as, how it can be taxed, and so on. That large companies like Microsoft are beginning to accept BitCoin is promising, but Microsoft has a large team of lawyers to navigate these sorts of things. GnuPG doesn't. From rjh at sixdemonbag.org Fri Dec 19 18:22:45 2014 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri, 19 Dec 2014 12:22:45 -0500 Subject: [Announce] GnuPG 2.1.1 released In-Reply-To: <54945BD4.4010109@dougbarton.email> References: <874msveem4.fsf__35687.4066791081$1418750491$gmane$org@vigenere.g10code.de> <5491B713.7060804@enigmail.net> <54945BD4.4010109@dougbarton.email> Message-ID: <54945EE5.2090500@sixdemonbag.org> > Thank you for the time you've spent on this, but a minor quibble if you > don't mind. Could you please provide signatures for the dmg files, and > ideally sign the messages you send to the list about them? While we're on the subject -- it might be nice for GnuPG to be able to issue proper Authenticode-signed Windows binaries. Code signing certificates are fairly affordable although the paperwork is a headache. "It might be nice" doesn't mean "we should do this," of course. :) Just it might be nice, and maybe we ought think about it some. From kristian.fiskerstrand at sumptuouscapital.com Fri Dec 19 18:45:16 2014 From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand) Date: Fri, 19 Dec 2014 18:45:16 +0100 Subject: Securing the future of GnuPG with BitCoin In-Reply-To: <1419003172.2047.5.camel@gmail.com> References: <1419003172.2047.5.camel@gmail.com> Message-ID: <5494642C.7010004@sumptuouscapital.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 12/19/2014 04:32 PM, Richard Ulrich wrote: > https://gnupg.org/donate/index.html I notice that this page is also missing the Flattr option[0] that is listed on [1] . This might over time be a better way to secure a running donation to the project rather than a lump sum? References: [0] https://flattr.com/thing/1901175/GnuPG-donation [1] http://g10code.com/gnupg-donation.html - -- - ---------------------------- Kristian Fiskerstrand Blog: http://blog.sumptuouscapital.com Twitter: @krifisk - ---------------------------- Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 - ---------------------------- "A ship is safe in harbour, but that's not what ships are for" (Will Shedd) -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJUlGQqAAoJEPw7F94F4TagTJsP/3w726YfOIgcwQFKI7nzYxpe k4ADfKCCC8pEpn+F/Iy2kQd99k0DNxJ4qPOv22eOd7NYYI5d7AClYTS1qaxNfQ9V OewrgERZQh9O2pKeVPbhiNJz014f99HvK0/5G8YrEzMR0grMfUJTouAOv+xP5CMi VPYcPqLrGCvl9+0yqAZmWVtrOl4tuXV05Tzd4N88tCgTLdvwwEJ3DfCn7u7++cFf TROreRTLGPoQ+eN/UFZsMKPGBgUJW71gQ+RQLeZC67clm49ipTEaN0Yn2BivjxXP ZOrbrc02ZBlVkFhTFLDGh6L5ybGIhHAdcOc5Vy09XSYjAzADk1sNS6ZtxyJ8RoTA 1ea/7bEG4z4ZvCsEt3yeatEcqTkB6AYwqNtjarLoQ9AharEPPW9XkqV4Uy/bVNWw bf6MzseFVl09XypXk60WuHrSbWX1jGtp1wWNlXqtNXZ0C9koUz9rYC/wAskk06u/ +qbycTNHAfWkeD88Z9rEZQ4YNtrtmU8rct8e4DN08C+WbM6dF6ERcRdPDr6YaXuf 4AUtVQJZEOCEGGLD1wWYa0HDw+D0EYcKth2MUCAr4e32jMpubF8Vpkm4Isv0PctG l1Kk6W4NiEyED3zTbMnMfn4vGwmPcle/61H1TRpmktlPYjLMuU7HM+CrW0xhX9ui /h496JP/Vr/OEICY5Sgx =18Wv -----END PGP SIGNATURE----- From robertc at broadcom.com Fri Dec 19 19:13:08 2014 From: robertc at broadcom.com (Bob (Robert) Cavanaugh) Date: Fri, 19 Dec 2014 18:13:08 +0000 Subject: Unable to encrypt file with private/public key In-Reply-To: References: <000001d01b72$defa4630$9ceed290$@on.yourweb.de> Message-ID: <8F0B09FC6339FA439524099BFCABC11F2D398B7D@IRVEXCHMB11.corp.ad.broadcom.com> Dhiraj, You need to clarify your terminology: Key pairs are composed of public and private keys. Each person generates a key pair. You freely distribute the PUBLIC key to any and all, you keep your PRIVATE key secret. When you use asymmetric encryption, you encrypt to each separate PUBLIC key for whom you send the message. So if you have three people you are sending the encrypted message to, you will encrypt three separate times. If you have the keys on a keyring the process is automatic. When you receive an encrypted message, you decrypt using your PRIVATE key. If you generate a digital signature, you sign a message using your PRIVATE key. If you use symmetric encryption, your key pairs are not involved. You generate a passphrase that is converted into a key used internally by GPG. Both encryption and decryption must use the same passphrase. You can also generate subkeys based on your original key pair which can be assigned individual functions (signing only, encrypting, etc.). This is not required but in many instances recommended. Use the GPG default settings whenever possible. Does this clear things up? Thanks, Bob Cavanaugh -----Original Message----- From: Gnupg-users [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Haritwal, Dhiraj Sent: Friday, December 19, 2014 2:36 AM To: gnupgpacker; gnupg-users at gnupg.org Subject: RE: Unable to encrypt file with private/public key Thanks for the clarification, Chris. I got confused with recipient switch. In general (Exchange), Recipient is the one to whom we are sending the data or who will receive data. In our case we are sending the data to partner hence I was using partner's public key to encrypt the file. After I used my private key, the warning has gone & the file is encrypted in .asc format. One more query, partner is saying they are unable to decrypt this file with my private key which they have trusted & asking to encrypt this file with my private key & their public key (already trusted on my server). when I am suing both the key identifier's, giving some syntax error. Kindly suggest how can I do this. Dhiraj -----Original Message----- From: Gnupg-users [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of gnupgpacker Sent: 19 December 2014 15:32 To: gnupg-users at gnupg.org Subject: Unable to encrypt file with private/public key * PGP Signed by an unknown key @Dhiraj: Encrypting: You encrypt a message with recipient's public key, no password is required. (Password is only known by recipient.) Signing: You sign a message with your own private key, you must admit your private key's password. Regards, Chris (RSA-Testkey 0x3E2E0598) > What I have > learned so far from these threads is Signing always require a > passphrase whereas encryption can be done without Passphrase & it requires a Key. > Correct me if my understand is not correct. > I was doing a mistake. I > was trying to encrypt the file with Partner Key hence it was showing > the warning. While sending the file to partner I have to use my own > key which I have share with them to decrypt it. * Unknown Key * 0xD64D3126(L) _______________________________________________ Gnupg-users mailing list Gnupg-users at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users ________________________________ This email is confidential and intended only for the use of the individual or entity named above and may contain information that is privileged. If you are not the intended recipient, you are notified that any dissemination, distribution or copying of this email is strictly prohibited. If you have received this email in error, please notify us immediately by return email or telephone and destroy the original message. - This mail is sent via Sony Asia Pacific Mail Gateway.. _______________________________________________ Gnupg-users mailing list Gnupg-users at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From mlisten at hammernoch.net Fri Dec 19 20:28:27 2014 From: mlisten at hammernoch.net (=?windows-1252?Q?Ludwig_H=FCgelsch=E4fer?=) Date: Fri, 19 Dec 2014 20:28:27 +0100 Subject: [Announce] GnuPG 2.1.1 released In-Reply-To: <54945BD4.4010109@dougbarton.email> References: <874msveem4.fsf__35687.4066791081$1418750491$gmane$org@vigenere.g10code.de> <5491B713.7060804@enigmail.net> <54945BD4.4010109@dougbarton.email> Message-ID: <54947C5B.9090508@hammernoch.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 19.12.14 18:09, Doug Barton wrote: > Thank you for the time you've spent on this, but a minor quibble if > you don't mind. Could you please provide signatures for the dmg > files, Open the .dmg and you'll notice the signature of the Installer (Install.pkg). Ludwig -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCgAGBQJUlHxTAAoJEA52XAUJWdLj8noH/i5l4Q89Oq7cnmjoIprVMSY+ fXY8QTwXTckHSNJgHLnqg3go6rKIPaQJozzFPHVeyj+J2NJB6vRlmG5oLQIN1LQI 89LX4o2t7hpF6GfbpdQ3OozaRxb5idHdSVrtelA/NG45U8UNmFgcJNL8aXYvFvLF 6FCzRkWL3Uw7cg5b5jqIISzAiMoAS7tzFYnhKAUjTTIxgR1QRHsfske/OQq7xMce 8Zqo91RiaqvRLfPG4bmpvbgD5gDv5zCqccjJ+s7Pm2xLboDLn7xgT/XoPuLMEh+Y eFxaGGF3GehVSgtduL6dgF3EgeZtZsl2Whap5BmvIeidVN+HMq9x4siZBc3o7VY= =q5dG -----END PGP SIGNATURE----- From kristian.fiskerstrand at sumptuouscapital.com Fri Dec 19 20:02:15 2014 From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand) Date: Fri, 19 Dec 2014 20:02:15 +0100 Subject: Securing the future of GnuPG with BitCoin In-Reply-To: <1419003172.2047.5.camel@gmail.com> References: <1419003172.2047.5.camel@gmail.com> Message-ID: <54947637.2070002@sumptuouscapital.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 12/19/2014 04:32 PM, Richard Ulrich wrote: > https://gnupg.org/donate/index.html > > Pay using BitCoin is missing This might have been added after your original post, but "If you like to donate Bitcoins you may use the Wau Holland Stiftung account too. ": https://www.wauland.de/en/donation.html#61 offers bitcoin - -- - ---------------------------- Kristian Fiskerstrand Blog: http://blog.sumptuouscapital.com Twitter: @krifisk - ---------------------------- Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 - ---------------------------- Aurum est Potestas Gold is power -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJUlHY2AAoJEPw7F94F4TagFfIP/0sfGGpp7BkgTFNdWgcE5J81 qIVcDwQIjgIrlBQnjjyJtV1kfFM9TpeJHx3dgoOWPxrr9VBBirPv2yJy/8/ENVK4 Qse2ueyCe5Viidm6rRnlYYvr2yM1erhGkm3sJKSLZ5QzFpSQq+SUZZzIaOyqyjNd rtWet7TKsseds/4U/ANCpcWnUYjdqM//JzXKTd4V41DqOql0Cd72mtgyyPPMsK9H ADuhyuGFrbVF/cMQPkjaeMGJpJt3GOJ5YDXfxqAJ732GJ9UvwlhtIKy0U08XcoCq IXtNfgLKAe7oDqsYgAIWmB7EzjbZuCNmdnV5xu5YrNkUg6cIqgIIvGxdPbtYadLL FCnNXosE5KfY4xOqgCZRHJU2b9BKZu1erJu3vlwyCBMtfBx4ZEnjcZC1qoYBnM2X UuvtdkJN72r4t6mANrHuvs23CS0CYfXOoPRcFtE2WQXZ+iin8QTcJ4DOIzfLmzww jHA5BYS/1RY3Eq3ZZVCzPTc2fI8vXfEqL3VxnoWF12blpJcgZ8c4pFRFZcczUjwN yuU5f++1UTQNeKHjmWwdjxn/ksuocPnITMeVSgY0OljeReCZVokYB92zWQ4ON3t6 Gtm/2qxltevTlr4xIkMohDxiWlCbqsZ6oVBJsAPAq/FSjQBGYxnoilumEgIpPI1j z2JD3kTPzDs3gNGKKlIZ =U7tz -----END PGP SIGNATURE----- From koalalorenzo at gmail.com Sat Dec 20 10:07:52 2014 From: koalalorenzo at gmail.com (Lorenzo Setale) Date: Sat, 20 Dec 2014 10:07:52 +0100 Subject: GPG on iOS 8 with extensions Message-ID: Hello, I am using GPG every day on my Mac, and I am really glad to see that is working super fine: I can send encrypted messages with sensible information with my friends and colleagues, without thinking about gmail reading its content to provide ads to me. Sadly I noticed that on iOS (as on the majority of the other OS available) there is no support for GPG/PGP, and the apps available are ugly. Since the last release of iOS8 it is possible to execute ?extensions? to provide some tools and extra feature of your app inside the entire OS. This means that developers are able to create an ?extension? that could verify the signature or decrypt/encrypt an email, or a web page. Read more here: https://developer.apple.com/app-extensions/ I would like to know if there is anybody around the world that is working on this, so I can help instead of creating my own app. I believe that gpgtools.org code and developers could contribute to this idea. I am open to any feedback. I hope somebody is already working on this. Thanks for your time. Lorenzo Setale CTO at MinBilDinBil.dk http://who.is.lorenzo.setale.me/? -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 832 bytes Desc: Message signed with OpenPGP using GPGMail URL: From wk at gnupg.org Sat Dec 20 11:52:03 2014 From: wk at gnupg.org (Werner Koch) Date: Sat, 20 Dec 2014 11:52:03 +0100 Subject: Securing the future of GnuPG with BitCoin In-Reply-To: <54947637.2070002@sumptuouscapital.com> (Kristian Fiskerstrand's message of "Fri, 19 Dec 2014 20:02:15 +0100") References: <1419003172.2047.5.camel@gmail.com> <54947637.2070002@sumptuouscapital.com> Message-ID: <87wq5mwq3w.fsf@vigenere.g10code.de> On Fri, 19 Dec 2014 20:02, kristian.fiskerstrand at sumptuouscapital.com said: > This might have been added after your original post, but "If you like > to donate Bitcoins you may use the Wau Holland Stiftung account too. ": > https://www.wauland.de/en/donation.html#61 offers bitcoin Right, I added it later to www.gnupg.org. It was already mentioned in the FSFE's press release but not everyone may have seen that. As of yesterday WHS received about 1000 mBTC for the GnuPG project. There are two reasons why there is no direct bitcoin support: I do not want to keep volatile Bitcoin assets in the g10 code books. It is too much work for a small company to maintain more than one currency. Stripe.com has a closed beta for Bitcoin and I am waiting to make use of that. The alternative would be to a use another Bitcoin service provider but I try to avoid that. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From koalalorenzo at gmail.com Sat Dec 20 12:06:49 2014 From: koalalorenzo at gmail.com (Lorenzo Setale) Date: Sat, 20 Dec 2014 12:06:49 +0100 Subject: GPG on iOS 8 with extensions In-Reply-To: <-3054354837543605068@unknownmsgid> References: <-3054354837543605068@unknownmsgid> Message-ID: <4FDA1B96-7DF2-4BEA-AEF2-5A6E14845492@gmail.com> Hey J?rgen, Thanks for sharing those apps to me. I will probably have a deeper look at those, but still I don?t think they integrate what I am talking about. I don?t want to spend 5$ for an ugly app that is not probably working as I want, but it is better than nothing! If anybody is working on what I was talking about, please let me know. Thanks. Lorenzo Setale http://who.is.lorenzo.setale.me/? > Il giorno 20/dic/2014, alle ore 11:44, J?rgen Polster ha scritto: > > You could use oPenGP under IOS. Due to the constraints of IOS, the > integration is rather limited, but it works. Another candidate would > be iPGMail. > > Regards J -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 832 bytes Desc: Message signed with OpenPGP using GPGMail URL: From wk at gnupg.org Sat Dec 20 12:21:08 2014 From: wk at gnupg.org (Werner Koch) Date: Sat, 20 Dec 2014 12:21:08 +0100 Subject: [Announce] GnuPG 2.1.1 released In-Reply-To: <54945EE5.2090500@sixdemonbag.org> (Robert J. Hansen's message of "Fri, 19 Dec 2014 12:22:45 -0500") References: <874msveem4.fsf__35687.4066791081$1418750491$gmane$org@vigenere.g10code.de> <5491B713.7060804@enigmail.net> <54945BD4.4010109@dougbarton.email> <54945EE5.2090500@sixdemonbag.org> Message-ID: <87h9wqworf.fsf@vigenere.g10code.de> On Fri, 19 Dec 2014 18:22, rjh at sixdemonbag.org said: > While we're on the subject -- it might be nice for GnuPG to be able to > issue proper Authenticode-signed Windows binaries. Code signing > certificates are fairly affordable although the paperwork is a headache. Actually we (Intevation in his case) do this for Gpg4win. People seem to like this although I do not see a real security benefit in it. If you look at the download stats for December | Version | tar/exe | sig | % | |------------+---------+------+----| | 2.1.0/tar | 837 | 419 | 50 | | 2.0.26/tar | 4770 | 1635 | 34 | | 1.4.18/tar | 1451 | 429 | 30 | | 1.4.18/exe | 635 | 110 | 17 | (which also include automated downloads from mirrors not using rsync) It shows that less than 20% of the Windows users check the signatures. It might of course be their first gpg download and thus can't make use of the signature anyway. However, given the number of the tarball downloads it is obvious verification of signatures is not a standard procedure. Thus I do not think that Authenticate would harm even given that it is possible to buy the private key for an existing Authenticode certificate. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From jurgenpolster at gmail.com Sat Dec 20 11:44:22 2014 From: jurgenpolster at gmail.com (=?UTF-8?Q?J=C3=BCrgen_Polster?=) Date: Sat, 20 Dec 2014 11:44:22 +0100 Subject: GPG on iOS 8 with extensions In-Reply-To: References: Message-ID: <-3054354837543605068@unknownmsgid> You could use oPenGP under IOS. Due to the constraints of IOS, the integration is rather limited, but it works. Another candidate would be iPGMail. Regards J From beckus at beckus.eu Sat Dec 20 19:20:23 2014 From: beckus at beckus.eu (Christopher Beck) Date: Sat, 20 Dec 2014 19:20:23 +0100 Subject: Different subkeys and the use of a SmartCard Message-ID: <17749912.NscA550NhW@maxwell> Hi, My question concerns the use of different signing sub keys and a smart card. The current setup are two valid signing sub keys. One of them resides on the smart card, the other on one of my computers. The key on the smart card is older than the other one. As described, gpg wants to use the newest sub key only. In my case it means, i cannot sign anything and the message "gpg: signing failed: No secret key" appears. I can also see all of the sub keys assigned to the key by typing "gpg -K" and "gpg --card-status". However, I tried the following on two different hosts: First, I used a Windows PC and gnupg version 2.0.26, imported my public key and then deleted all of the sub keys except the ones on my smart card. I run "gpg --card-status", and then updated the keys by using "gpg --refresh-keys". "gpg -K" still shows every sub key and if they are available, but "gpg --card- status" only shows the main key and the sub keys on the card. Finally, signing works well as expected. Second, on a Linux PC using gnupg version 2.1.1 I did the very same thing as is did on the Windows PC before. But here, "gpg --card-status" still tells me about my other sub keys and therefore singing is not possible after running "gpg --refresh-keys". Now I have a few questions. First, why do these two versions of gnupg differ in their behavior this way? Why does one update the sub key information on "gpg --card-status" and the other one doesn't? Second, is there a simple solution for my problem? I cannot rule out the possibility of having newer signing sub keys than the one on the smart card and I want gpg to use that key, which is available even if there exists a newer one. Third and last, thought it makes sense for gpg to use the newest sub key only (especially for the signing sub key), is there a possibility to force gpg to use a specific sub key? This question could manually solve question number two and could be useful for me on educational purposes (for example to show, what happens, if an older, perhaps revoked or expired, sub key is being used). Thank you in advance and sorry for the long e mail. Kind regards Christopher Beck -- Christopher Beck Gerhart-Hauptmann-Str. 1 91058 Erlangen Tel.: 09131 / 9245437 Fax.: 09131 / 8148708 Jabber: beckus at jabber.org EPVPN: (+49 221 59619) - 5232 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 473 bytes Desc: This is a digitally signed message part. URL: From gus_zernial at yahoo.com Fri Dec 19 23:20:14 2014 From: gus_zernial at yahoo.com (Gus Zernial) Date: Fri, 19 Dec 2014 22:20:14 +0000 (UTC) Subject: File Encryption Message-ID: <516562864.1472822.1419027614775.JavaMail.yahoo@jws10657.mail.bf1.yahoo.com> I'm a home user of Linux. I'm looking for an encryption utility for my personal password file, preferably one with a graphical user interface. After initial encryption of the file with a master password, I'd like to be able to decrypt and display the cleartext file, using my master password, without destroying the underlying encrypted file. Accordingly, when I close the cleartext version it ceases to exist, leaving only the pre-existing encrypted file. With what program and/or how can I do this? Thx, Gus -------------- next part -------------- An HTML attachment was scrubbed... URL: From aheinecke at intevation.de Sat Dec 20 22:13:17 2014 From: aheinecke at intevation.de (Andre Heinecke) Date: Sat, 20 Dec 2014 22:13:17 +0100 Subject: [Announce] GnuPG 2.1.1 released In-Reply-To: <87h9wqworf.fsf@vigenere.g10code.de> References: <874msveem4.fsf__35687.4066791081$1418750491$gmane$org@vigenere.g10code.de> <54945EE5.2090500@sixdemonbag.org> <87h9wqworf.fsf@vigenere.g10code.de> Message-ID: <201412202213.27934.aheinecke@intevation.de> Hi, On Saturday 20 December 2014 12:21:08 Werner Koch wrote: > Thus I do not think that Authenticate would harm even given that it is > possible to buy the private key for an existing Authenticode certificate. I actually love authenticode. It means that you can do some steps to get to the "Operating System" level of trust. Sure you can buy your way into this but that is the Operating System level of trust that is asserted through HTTPS connections / Windows Update and so on. It is weak, i grant you that, but it is at least _some_ automatic authentication of binaries. I'm playing a game on a Windows Machine currently (Archeage) that requires administrative access for each launch!,.. and they did not even care to sign their binary. This is just security sadism. (I keep my GNU/Linux partitions on which i do any work or store secrets encrypted) In a different project at intevation we signed all binaries in our installer keeping packaging and building on different systems. As we won't expose our private keys to propietary systems that meant running wine to create the nsis uninstaller, Maybe this is also something for the future of gpg4win. (Btw. We use osslsigncode which is a really great tool that allows you to create authenticode PKCS#7 signatures under GNU/Linux.) With regards to the original question. I'd be happy to sign your experimental gnupg only installers with our code signing certificate (and be quick about it) after verifying your signature. Intevation trusts g10code (we heavilly use gnupg internally where the source is verified by Werner) Regards, Andre -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 181 bytes Desc: This is a digitally signed message part. URL: From dave.pawson at gmail.com Sat Dec 20 22:27:28 2014 From: dave.pawson at gmail.com (Dave Pawson) Date: Sat, 20 Dec 2014 21:27:28 +0000 Subject: File Encryption In-Reply-To: <516562864.1472822.1419027614775.JavaMail.yahoo@jws10657.mail.bf1.yahoo.com> References: <516562864.1472822.1419027614775.JavaMail.yahoo@jws10657.mail.bf1.yahoo.com> Message-ID: Hi Gus. Using symmetrical encryption I do just that on Linux, without the GUI? With a small bash script, you could filter out just the entry you want too. I currently do it with Python and their encryption, but want it for my windows box and Linux, hence gpg. e.g. unlock is source lockp.sh # parameters #usage="Usage $0 # creates $plnfile.txt" if [[ ! -f ${target}/${encfile} ]] then echo Unable to find $1 exit 2 fi # File $1 exists, has .gpg extension, create .txt echo "Decrypt CAST5 encrypted file $1" echo gpg --output ${target}/${plnfile} --decrypt ${target}/${encfile} gpg --output ${target}/${plnfile} --decrypt ${target}/${encfile} ckexit gpg echo "Created ${target}/${plnfile}" more ${target}/${plnfile} with params shared (encrypt / decrypt) as # params for lock.sh and unlock.sh source ~/bin/dpFunctions.sh target=/apps/Dropbox/fp plnfile=test.txt encfile=test.gpg nb dpfunctions are pure bash. Let me know if you want more. HTH On 19 December 2014 at 22:20, Gus Zernial wrote: > I'm a home user of Linux. I'm looking for an encryption utility for my > personal password file, preferably one with a graphical user interface. > > After initial encryption of the file with a master password, I'd like to be > able to decrypt and display the cleartext file, using my master password, > without destroying the underlying encrypted file. Accordingly, when I close > the cleartext version it ceases to exist, leaving only the pre-existing > encrypted file. > > With what program and/or how can I do this? > > Thx, Gus > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -- Dave Pawson XSLT XSL-FO FAQ. Docbook FAQ. http://www.dpawson.co.uk From dougb at dougbarton.email Sat Dec 20 22:50:16 2014 From: dougb at dougbarton.email (Doug Barton) Date: Sat, 20 Dec 2014 13:50:16 -0800 Subject: [Announce] GnuPG 2.1.1 released In-Reply-To: <54947C5B.9090508@hammernoch.net> References: <874msveem4.fsf__35687.4066791081$1418750491$gmane$org@vigenere.g10code.de> <5491B713.7060804@enigmail.net> <54945BD4.4010109@dougbarton.email> <54947C5B.9090508@hammernoch.net> Message-ID: <5495EF18.2070300@dougbarton.email> On 12/19/14 11:28 AM, Ludwig H?gelsch?fer wrote: | On 19.12.14 18:09, Doug Barton wrote: | |> Thank you for the time you've spent on this, but a minor quibble if |> you don't mind. Could you please provide signatures for the dmg |> files, | | Open the .dmg and you'll notice the signature of the Installer | (Install.pkg). If you look at (what in my mind are) the parallels in Windows (exes/installers) and Unix (tarballs) I don't have to perform any actions on them at all prior to verifying the signatures. I'd like to have the same luxury for the dmg file. In addition to the above, the 1 signature only covers that 1 item, there are other items in the dmg file. Now that said, perhaps it is my relative unfamiliarity with the dmg format that is causing my concern. It seems to me (on experience and some reading, both limited) that there are "things" that happen when I open one, similar to the autoplay feature for optical discs in Windows. That's part of the reason I'd like to be able to verify the dmg before opening it. If that last concern is misplaced, then I am less hesitant, however it would still seem to be a good operational practice to sign the whole blob. Admittedly that is less tidy, as now you have two files to keep track of instead of one, but since I use all 3 OS', it's not particularly burdensome from my perspective. Doug From mailinglisten at hauke-laging.de Sun Dec 21 00:20:47 2014 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Sun, 21 Dec 2014 00:20:47 +0100 Subject: Different subkeys and the use of a SmartCard In-Reply-To: <17749912.NscA550NhW@maxwell> References: <17749912.NscA550NhW@maxwell> Message-ID: <1581818.9OrHXBsDC6@inno> Am Sa 20.12.2014, 19:20:23 schrieb Christopher Beck: > Third and last, thought it makes sense for gpg to use the newest sub > key only (especially for the signing sub key), is there a possibility > to force gpg to use a specific sub key? This question could manually > solve question number two and could be useful for me on educational > purposes (for example to show, what happens, if an older, perhaps > revoked or expired, sub key is being used). That is possible but AFAIK only via gpg command line parameters. I am not aware of any configuration file magic which would enforce this if gpg is called by another program (mail client) or gpgme is used. If 0x11111111 is the old subkey and 0x22222222 the new one and 0x88888888 the main key then you would usually call gpg this way: gpg --local-user 0x88888888 --sign file Instead you can do this: gpg --local-user 0x11111111! --sign file Please note the "!". Hauke -- Crypto f?r alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/ http://userbase.kde.org/Concepts/OpenPGP_Help_Spread OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 603 bytes Desc: This is a digitally signed message part. URL: From mailinglisten at hauke-laging.de Sun Dec 21 01:16:26 2014 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Sun, 21 Dec 2014 01:16:26 +0100 Subject: Different subkeys and the use of a SmartCard In-Reply-To: <7772176.5FzDu9Pl58@maxwell> References: <17749912.NscA550NhW@maxwell> <1581818.9OrHXBsDC6@inno> <7772176.5FzDu9Pl58@maxwell> Message-ID: <5679750.Eyp6YpnS5V@inno> Am So 21.12.2014, 00:46:40 schrieb Christopher Beck: I noticed that too late: You shall always reply to the list. Usually I demand a list reply first before I answer. > First, I tried to make an alias. This worked well for every > application which uses gpg als a command line tool: $ alias gpg='gpg > --local-user 0x11111111!' That is hard to believe for the simple reason that applications (even shell scripts) don't see shell aliases. You would have to either replace the gpg binary with a wrapper script (which would be overwritten by every update) or put the wrapper script earlier in the PATH (for the relevant applications). The wrapper script would have to detect and replace --local-user 0x11111111 in all variants (-u, long ID, fingerprint) and pass the changed parameter together with the unchanged rest to gpg. I have suggested some time ago to make the config file conditional. There was little enthusiasm about that. For these rather simple case a new option would be sufficient: --key-replace sign 0x88888888 0x11111111 But my suggestions are seldom turned info effect. Make a big donation. ;-) > Second (and working for everything) was adding the line "local-user > 0x11111111!' to the gpg.conf file! Interesting idea. But I assume that leads to each (i.e. not only those requested from 0x88888888) signature being not replaced but being extended by one from 0x11111111. Hauke -- Crypto f?r alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/ http://userbase.kde.org/Concepts/OpenPGP_Help_Spread OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 603 bytes Desc: This is a digitally signed message part. URL: From beckus at beckus.eu Sun Dec 21 01:26:02 2014 From: beckus at beckus.eu (Christopher Beck) Date: Sun, 21 Dec 2014 01:26:02 +0100 Subject: Different subkeys and the use of a SmartCard In-Reply-To: <7772176.5FzDu9Pl58@maxwell> References: <17749912.NscA550NhW@maxwell> <1581818.9OrHXBsDC6@inno> <7772176.5FzDu9Pl58@maxwell> Message-ID: <2415996.Xp4lOkoYoo@maxwell> On Sunday 21 December 2014 00:46:40 Christopher Beck wrote: > Hi, > > On Sunday 21 December 2014 00:20:47 Hauke Laging wrote: > > Am Sa 20.12.2014, 19:20:23 schrieb Christopher Beck: > > > Third and last, thought it makes sense for gpg to use the newest sub > > > key only (especially for the signing sub key), is there a possibility > > > to force gpg to use a specific sub key? This question could manually > > > solve question number two and could be useful for me on educational > > > purposes (for example to show, what happens, if an older, perhaps > > > revoked or expired, sub key is being used). > > > > That is possible but AFAIK only via gpg command line parameters. I am > > not aware of any configuration file magic which would enforce this if gpg > > is called by another program (mail client) or gpgme is used. > > > > If 0x11111111 is the old subkey and 0x22222222 the new one and > > 0x88888888 the main key then you would usually call gpg this way: > > > > gpg --local-user 0x88888888 --sign file > > > > Instead you can do this: > > > > gpg --local-user 0x11111111! --sign file > > > > Please note the "!". > > > > > > Hauke > > I tried that. And thank you! > > First, I tried to make an alias. This worked well for every application > which uses gpg als a command line tool: $ alias gpg='gpg --local-user > 0x11111111!' > > Second (and working for everything) was adding the line "local-user > 0x11111111!' to the gpg.conf file! This should also work on any Windows > host, since the method mentioned above only works on unix lie OSs. > > Thank you again for mentioning that option! > > Beckus Sorry for this second mail, but it does not work well. It signs on the commandline and everywhere, but using this configuration for mail clients, they just stop sending the whole signated message... Well, I hope there is a solution without the need of some wrapper around gpg... Beckus -- Christopher Beck Gerhart-Hauptmann-Str. 1 91058 Erlangen Tel.: 09131 / 9245437 Fax.: 09131 / 8148708 Jabber: beckus at jabber.org EPVPN: (+49 221 59619) - 5232 From rjh at sixdemonbag.org Sun Dec 21 01:32:19 2014 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sat, 20 Dec 2014 19:32:19 -0500 Subject: File Encryption In-Reply-To: <516562864.1472822.1419027614775.JavaMail.yahoo@jws10657.mail.bf1.yahoo.com> References: <516562864.1472822.1419027614775.JavaMail.yahoo@jws10657.mail.bf1.yahoo.com> Message-ID: <54961513.5090406@sixdemonbag.org> > I'm a home user of Linux. I'm looking for an encryption utility for > my personal password file, preferably one with a graphical user > interface. Have you considered either encrypting your /home directory (with dm-crypt, LUKS, pick your poison) and/or using an encrypted folder (TrueCrypt, etc.)? Either of those would possibly be a much more user-friendly experience. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 3744 bytes Desc: S/MIME Cryptographic Signature URL: From 2014-667rhzu3dc-lists-groups at riseup.net Sun Dec 21 14:35:48 2014 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Sun, 21 Dec 2014 13:35:48 +0000 Subject: File Encryption In-Reply-To: <516562864.1472822.1419027614775.JavaMail.yahoo@jws10657.mail.bf1.yahoo.com> References: <516562864.1472822.1419027614775.JavaMail.yahoo@jws10657.mail.bf1.yahoo.com> Message-ID: <127003574.20141221133548@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Friday 19 December 2014 at 10:20:14 PM, in , Gus Zernial wrote: > I'm a home user of Linux. I'm looking for an encryption > utility for my personal password file, preferably one > with a graphical user interface. > After initial encryption of the file with a master > password, I'd like to be able to decrypt and display > the cleartext file, using my master password, without > destroying the underlying encrypted file. Accordingly, > when I close the cleartext version it ceases to exist, > leaving only the pre-existing encrypted file. > With what program and/or how can I do this? Thx, Gus There are several password managers available that would seem to have most of your required bases covered. Search for "password manager" to find a whole slew. Several are listed on Wikipedia:- . - -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net Learning without thought is naught; thought without learning is dangerous. -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJUlszJXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2 QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwTIYIAKRrhvXLwoKYghrilE0Tb6vH VdwLSzTTtG6f32k6uRufRyRoJsUNr6rkTm/5D28ZRmGZT5kWo7MGVHrL96m6t3Zn PxAujXZpzONLAe0xjMBSurhe5xN45DmVBqu/Frh4F5Ys0TZJ0NHYSEM5lpQ0ShFu WNtAJEq+MGVoYX+ruoKUIqnvXorTqSJMHgqA+z4vEiOXJ6uLeUce0KnzRrzpUHDj 7zqlW114pYntIgvYdlMGMy2NWSD9D40kPoyVTxqiD+GNJqOX8k/L4s4GOt3984vs Lt0fFZ9bTHMC5JqiKePJKEgF6OeLxiR5whNnJ4I2sd2A5yo3f4lA50SfDnBH/H6I vgQBFgoAZgUCVJbM0F8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45JKQAQA24V/FNaVyfBpBMAwd2viYBBQf skjhTKuxvXsKy9DSyAEAkeqtof5RmCcwxfS4nA2+tUtxlo7MAEObzx2rP47g1go= =15rs -----END PGP SIGNATURE----- From 2014-667rhzu3dc-lists-groups at riseup.net Sun Dec 21 15:25:41 2014 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Sun, 21 Dec 2014 14:25:41 +0000 Subject: Different subkeys and the use of a SmartCard In-Reply-To: <5679750.Eyp6YpnS5V@inno> References: <17749912.NscA550NhW@maxwell> <1581818.9OrHXBsDC6@inno> <7772176.5FzDu9Pl58@maxwell> <5679750.Eyp6YpnS5V@inno> Message-ID: <726965762.20141221142541@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Sunday 21 December 2014 at 12:16:26 AM, in , Hauke Laging wrote: > Am So 21.12.2014, 00:46:40 schrieb Christopher Beck: >> Second (and working for everything) was adding the >> line "local-user 0x11111111!' to the gpg.conf file! > Interesting idea. Using two of those lines is how I am signing my messages using both an RSA and an EDDSA subkey. > But I assume that leads to each (i.e. > not only those requested from 0x88888888) signature > being not replaced but being extended by one from > 0x11111111. If you ask for a signature from 0x88888888, GnuPG will sign with subkey 0x11111111 instead. If you specify 0x88888888! (with the "!"), you get sigs from both 0x11111111 and 0x88888888. If you specify any other key, you get 0x11111111 as well. - -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net No man ever listened himself out of a job -----BEGIN PGP SIGNATURE----- iPwEAQEKAGYFAlSW2GdfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldDAzRDFCQjE0RDQzNTk4QUI1MTBBMUVGQjAz NjU0NzNCQkVBNkYyRDIACgkQA2VHO76m8tIoRQP+MblLEL7xBaVvX4ZjyIqWq6mT F0vpj1LIPLwoElKXtOhz8mDWPLjoDxUAxYL3g8up9fZtxA4lM/P32b6cvtw4geev vd0FL10Dhlbuo5Zdz8zCCHh0wGh4TN3WBjVHEIlD8ALT+w0Ggl7EGYz1xt+iKVig bLHiQytT1Nw8YYPEo5M= =L9x2 -----END PGP SIGNATURE----- From wk at gnupg.org Mon Dec 22 14:41:09 2014 From: wk at gnupg.org (Werner Koch) Date: Mon, 22 Dec 2014 14:41:09 +0100 Subject: Different subkeys and the use of a SmartCard In-Reply-To: <2415996.Xp4lOkoYoo@maxwell> (Christopher Beck's message of "Sun, 21 Dec 2014 01:26:02 +0100") References: <17749912.NscA550NhW@maxwell> <1581818.9OrHXBsDC6@inno> <7772176.5FzDu9Pl58@maxwell> <2415996.Xp4lOkoYoo@maxwell> Message-ID: <87sig7ssy2.fsf@vigenere.g10code.de> On Sun, 21 Dec 2014 01:26, beckus at beckus.eu said: > Sorry for this second mail, but it does not work well. It signs on the > commandline and everywhere, but using this configuration for mail clients, they > just stop sending the whole signated message... Well, I hope there is a If the mail clients are using gpgme they have no way to specify the use of a specific subkey. My tentative plan to change that and allow for a couple of other things is a new interface to set flags on a gpgme_key_t object and also to allow creation of such an object without the need for running a key listing first. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From Dhiraj.Haritwal at ap.sony.com Mon Dec 22 14:52:02 2014 From: Dhiraj.Haritwal at ap.sony.com (Haritwal, Dhiraj) Date: Mon, 22 Dec 2014 13:52:02 +0000 Subject: Unable to encrypt file with private/public key In-Reply-To: <8F0B09FC6339FA439524099BFCABC11F2D398B7D@IRVEXCHMB11.corp.ad.broadcom.com> References: <000001d01b72$defa4630$9ceed290$@on.yourweb.de> <8F0B09FC6339FA439524099BFCABC11F2D398B7D@IRVEXCHMB11.corp.ad.broadcom.com> Message-ID: Thank you very much for all the explanation/links. Now things are bit clear. Now I have to encrypt file with partner's Public Key. I tried with below command which is still showing warning message (gpg: 89709B71: There is no assurance this key belongs to the named user) whereas if I am checking partner_pubkey, it's showing full trust. How can I remove this message. Even I have added partner's public key as trusted. ./gpg --encrypt --recipient partner_pubkey --armor /tmp/test/data.CSV Dhiraj -----Original Message----- From: Bob (Robert) Cavanaugh [mailto:robertc at broadcom.com] Sent: 19 December 2014 23:43 To: Haritwal, Dhiraj; gnupgpacker; gnupg-users at gnupg.org Subject: RE: Unable to encrypt file with private/public key Dhiraj, You need to clarify your terminology: Key pairs are composed of public and private keys. Each person generates a key pair. You freely distribute the PUBLIC key to any and all, you keep your PRIVATE key secret. When you use asymmetric encryption, you encrypt to each separate PUBLIC key for whom you send the message. So if you have three people you are sending the encrypted message to, you will encrypt three separate times. If you have the keys on a keyring the process is automatic. When you receive an encrypted message, you decrypt using your PRIVATE key. If you generate a digital signature, you sign a message using your PRIVATE key. If you use symmetric encryption, your key pairs are not involved. You generate a passphrase that is converted into a key used internally by GPG. Both encryption and decryption must use the same passphrase. You can also generate subkeys based on your original key pair which can be assigned individual functions (signing only, encrypting, etc.). This is not required but in many instances recommended. Use the GPG default settings whenever possible. Does this clear things up? Thanks, Bob Cavanaugh -----Original Message----- From: Gnupg-users [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Haritwal, Dhiraj Sent: Friday, December 19, 2014 2:36 AM To: gnupgpacker; gnupg-users at gnupg.org Subject: RE: Unable to encrypt file with private/public key Thanks for the clarification, Chris. I got confused with recipient switch. In general (Exchange), Recipient is the one to whom we are sending the data or who will receive data. In our case we are sending the data to partner hence I was using partner's public key to encrypt the file. After I used my private key, the warning has gone & the file is encrypted in .asc format. One more query, partner is saying they are unable to decrypt this file with my private key which they have trusted & asking to encrypt this file with my private key & their public key (already trusted on my server). when I am suing both the key identifier's, giving some syntax error. Kindly suggest how can I do this. Dhiraj -----Original Message----- From: Gnupg-users [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of gnupgpacker Sent: 19 December 2014 15:32 To: gnupg-users at gnupg.org Subject: Unable to encrypt file with private/public key * PGP Signed by an unknown key @Dhiraj: Encrypting: You encrypt a message with recipient's public key, no password is required. (Password is only known by recipient.) Signing: You sign a message with your own private key, you must admit your private key's password. Regards, Chris (RSA-Testkey 0x3E2E0598) > What I have > learned so far from these threads is Signing always require a > passphrase whereas encryption can be done without Passphrase & it requires a Key. > Correct me if my understand is not correct. > I was doing a mistake. I > was trying to encrypt the file with Partner Key hence it was showing > the warning. While sending the file to partner I have to use my own > key which I have share with them to decrypt it. * Unknown Key * 0xD64D3126(L) _______________________________________________ Gnupg-users mailing list Gnupg-users at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users ________________________________ This email is confidential and intended only for the use of the individual or entity named above and may contain information that is privileged. If you are not the intended recipient, you are notified that any dissemination, distribution or copying of this email is strictly prohibited. If you have received this email in error, please notify us immediately by return email or telephone and destroy the original message. - This mail is sent via Sony Asia Pacific Mail Gateway.. _______________________________________________ Gnupg-users mailing list Gnupg-users at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users ________________________________ This email is confidential and intended only for the use of the individual or entity named above and may contain information that is privileged. If you are not the intended recipient, you are notified that any dissemination, distribution or copying of this email is strictly prohibited. If you have received this email in error, please notify us immediately by return email or telephone and destroy the original message. - This mail is sent via Sony Asia Pacific Mail Gateway.. From cr at rheloud.net Mon Dec 22 16:56:32 2014 From: cr at rheloud.net (C. Rossberg) Date: Mon, 22 Dec 2014 16:56:32 +0100 Subject: File Encryption In-Reply-To: <516562864.1472822.1419027614775.JavaMail.yahoo@jws10657.mail.bf1.yahoo.com> References: <516562864.1472822.1419027614775.JavaMail.yahoo@jws10657.mail.bf1.yahoo.com> Message-ID: <20141222155632.GA5377@minsky.labor.koeln.ccc.de> On Fr, 19 Dez 2014, Gus Zernial wrote: > I'm a home user of Linux. I'm looking for an encryption utility for my personal password file, preferably one with a graphical user interface. [...snip...] > With what program and/or how can I do this? General Description: https://en.wikipedia.org/wiki/KeePass On GNU/Linux: https://www.keepassx.org/ - > gentoo http://gpo.zugaina.org/app-admin/keepassx - > debian https://packages.debian.org/search?keywords=keepassx&suite=all§ion=all&searchon=names Keepass is not "for [your] personal password file", instead it allows you to build and manage your own password database. Perhaps it fits your use case. Yours //c From samir at samirnassar.com Mon Dec 22 18:51:39 2014 From: samir at samirnassar.com (Samir Nassar) Date: Mon, 22 Dec 2014 18:51:39 +0100 Subject: File Encryption In-Reply-To: <516562864.1472822.1419027614775.JavaMail.yahoo@jws10657.mail.bf1.yahoo.com> References: <516562864.1472822.1419027614775.JavaMail.yahoo@jws10657.mail.bf1.yahoo.com> Message-ID: <7974369.RtVMJipIzp@forge> On Friday, 2014-12-19 22:20:14 Gus Zernial wrote: > With what program and/or how can I do this? This is off topic, but here are some good introductory materials on password management, strong passwords, and using either Keepass or KeepassX Security in-a-Box: https://securityinabox.org/chapter-3 https://securityinabox.org/keepass_main Surveillance Self-Defence Guide: https://ssd.eff.org/en/module/creating-strong-passwords https://ssd.eff.org/en/module/how-use-keepassx -- Samir Nassar samir at samirnassar.com https://samirnassar.com PGP Fingerprint: EE76 B39E 0778 8F95 F796 B044 FE67 9A90 8E99 7AB2 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: This is a digitally signed message part. URL: From pete at heypete.com Tue Dec 23 06:54:15 2014 From: pete at heypete.com (Pete Stephenson) Date: Tue, 23 Dec 2014 00:54:15 -0500 Subject: Unable to encrypt file with private/public key In-Reply-To: References: <000001d01b72$defa4630$9ceed290$@on.yourweb.de> <8F0B09FC6339FA439524099BFCABC11F2D398B7D@IRVEXCHMB11.corp.ad.broadcom.com> Message-ID: On Dec 22, 2014 7:30 AM, "Haritwal, Dhiraj" wrote: > > Thank you very much for all the explanation/links. Now things are bit clear. > Now I have to encrypt file with partner's Public Key. I tried with below command which is still showing warning message (gpg: 89709B71: There is no assurance this key belongs to the named user) whereas if I am checking partner_pubkey, it's showing full trust. How can I remove this message. Even I have added partner's public key as trusted. > > ./gpg --encrypt --recipient partner_pubkey --armor /tmp/test/data.CSV I'm glad things are working better. To resolve the issue with the assurance message, manually verify that the key belongs to the recipient (e.g. meet in person or call them and verify the fingerprint of their key) and then sign the key using GnuPG. (gpg --sign-key 0xKEYID) In GnuPG you vouch that a particular public key belongs to a person (or organization) by signing their public key. This signature can be local or published publicly. "Trust" in GnuPG is different, and reflects how much you trust the other key to correctly vouch for the identity of others. If you set their key as fully trusted, keys that are signed by that key are treated by your copy of GnuPG with the same level of assurance as if you signed them yourself. Typically this should only be reserved for people you know to always check the identity of other people thoroughly and correctly before signing their keys. The default is for trust to be set to "marginal". By combining signatures and trust, one forms a "web of trust": https://en.wikipedia.org/wiki/Web_of_trust Cheers! -Pete -------------- next part -------------- An HTML attachment was scrubbed... URL: From ryan at b19.org Tue Dec 23 06:45:04 2014 From: ryan at b19.org (Ryan Sawhill) Date: Tue, 23 Dec 2014 05:45:04 +0000 Subject: File Encryption References: <516562864.1472822.1419027614775.JavaMail.yahoo@jws10657.mail.bf1.yahoo.com> <127003574.20141221133548@my_localhost> Message-ID: @Gus: I recommend you follow up on the suggestions about password managers; however, if you are dead-set on managing your own encrypted flat file and you want a GUI, pyrite ( http://softwarerecs.stackexchange.com/questions/11254/gnupg-aware-gui-to-encrypt-decrypt-pgp-ascii-on-linux ) is by far your best choice. -------------- next part -------------- An HTML attachment was scrubbed... URL: From 2014-667rhzu3dc-lists-groups at riseup.net Tue Dec 23 20:18:32 2014 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Tue, 23 Dec 2014 19:18:32 +0000 Subject: File Encryption In-Reply-To: References: <516562864.1472822.1419027614775.JavaMail.yahoo@jws10657.mail.bf1.yahoo.com> <127003574.20141221133548@my_localhost> Message-ID: <1068640123.20141223191832@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Tuesday 23 December 2014 at 5:45:04 AM, in , Ryan Sawhill wrote: > GUI, pyrite ( > http://softwarerecs.stackexchange.com/questions/11254/gnupg-aware-gui-to-encrypt-decrypt-pgp-ascii-on-linux Since Python and GTK can both be used on Windows, does Pyrites work on Windows as well? And/or could it be converted to a standalone Windows executable using something like Py2exe or cx_Freeze? - -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net It's better to feed one cat than many mice -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJUmcAKXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2 QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwcm8H/i1wt8vOW6S1duOseQhqdZb/ QUYDtqSnqPKz4PDpaLQErGI11nxA+hwleqWOEXRdAe2krUnExPbjCgLxVaWWzkGf TkhihH8QJUotbfw3uz6xufSnpF1i7xnbN9LX5eb4t/8XmyPvCpjUsN2OFzUPyunc hsmRAYOOz2oih32wbavNY9QlYuRFoNObPOM9I+7LRCvVcZnWX0Le/TPsLxphddge y9JCzwUikImpsHNbqblEOeGK3Lli63FLoesyZSGwmQYzySbtCzvLgfaKMePlUKY8 Pmlu/PPtgpgRhcMnwwRwpkRhlPkqgUe4B3EjP4C6A0lLzxpo9lgTQmA2djVZyyKI vgQBFgoAZgUCVJnAIF8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45HUiAQAf5jZYhfXTkSWd3tJKysbS5QJx FplX3eyXq966VKwd4gEAp6LGRxOWBqFy+5uiChzYcg3kwEkk9kRIbG5GXP7Qhgs= =sEJv -----END PGP SIGNATURE----- From ryan at b19.org Tue Dec 23 20:28:32 2014 From: ryan at b19.org (Ryan Sawhill) Date: Tue, 23 Dec 2014 14:28:32 -0500 Subject: File Encryption In-Reply-To: <1068640123.20141223191832@my_localhost> References: <516562864.1472822.1419027614775.JavaMail.yahoo@jws10657.mail.bf1.yahoo.com> <127003574.20141221133548@my_localhost> <1068640123.20141223191832@my_localhost> Message-ID: On Tue, Dec 23, 2014 at 2:18 PM, MFPA < 2014-667rhzu3dc-lists-groups at riseup.net> wrote: > Since Python and GTK can both be used on Windows, does Pyrites work on > Windows as well? And/or could it be converted to a standalone Windows > executable using something like Py2exe or cx_Freeze? > I have no idea how much work it would require. No one's ever expressed an interest, myself included. -------------- next part -------------- An HTML attachment was scrubbed... URL: From pkalluru at ebay.com Mon Dec 22 11:41:54 2014 From: pkalluru at ebay.com (pkalluru) Date: Mon, 22 Dec 2014 03:41:54 -0700 (MST) Subject: Issue: unknown armor header: \x09Version: GnuPG v2.0.17 (MingW32) Message-ID: <1419244914304-40236.post@n7.nabble.com> Hi Team, Receiving below error while decrypting the message. *unknown armor header: \x09Version: GnuPG v2.0.17 (MingW32)* Please assist me.. Regards, pkalluru -- View this message in context: http://gnupg.10057.n7.nabble.com/Issue-unknown-armor-header-x09Version-GnuPG-v2-0-17-MingW32-tp40236.html Sent from the GnuPG - User mailing list archive at Nabble.com. From 2014-667rhzu3dc-lists-groups at riseup.net Tue Dec 23 22:43:16 2014 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Tue, 23 Dec 2014 21:43:16 +0000 Subject: File Encryption In-Reply-To: References: <516562864.1472822.1419027614775.JavaMail.yahoo@jws10657.mail.bf1.yahoo.com> <127003574.20141221133548@my_localhost> <1068640123.20141223191832@my_localhost> Message-ID: <656442875.20141223214316@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Tuesday 23 December 2014 at 7:28:32 PM, in , Ryan Sawhill wrote: > I have no idea how much work it would require. No one's > ever expressed an interest, myself included. It was more idle curiosity really. - -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net Always forgive your enemies; nothing annoys them so much -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJUmeIfXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2 QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXw6o8IALdDsSw5UN7+to5jjZONRUAt DUGHzWrY2xBa6/LMK/CVtpCCPuOIJ1rTj2qVpuohnMyBp/+y7ED81DUA0wWqxz9i c1Azvzt9LKWKobQ7VavmYC972TZbqXi4q7b0Sqc0Q9PZP6s8P4nmIedBIm47NXBg M9tPKhI6SbU62Wfa79/FsHKY6bEn6Hsam+stGjhINBddtO0Pc0sgD2ginfhz5ntU SJxhA/sNeLogaNNMfIYYgfL3bgumz3kKcXhcsP6TXj/vedIXmbW1H9gP944WVX8A auDVkwvb527O/q3MRj8sA0Lz6Z9PIU0cDMWkWhhZ6xfyOvSATZLnRvbznGnl+xKI vgQBFgoAZgUCVJniKl8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45CMCAQB2b+kZCS+g0/uo1TDdLXeGXg3y KGlCNo9ztrWl968g0AEANOB6wjLMouGPs3v2CdwdRcB+CYvE7JK7FLE2Y+Z/lAA= =J6Jp -----END PGP SIGNATURE----- From stef at caunter.ca Thu Dec 25 18:51:38 2014 From: stef at caunter.ca (Stefan Caunter) Date: Thu, 25 Dec 2014 12:51:38 -0500 Subject: File Encryption In-Reply-To: <54961513.5090406@sixdemonbag.org> References: <516562864.1472822.1419027614775.JavaMail.yahoo@jws10657.mail.bf1.yahoo.com> <54961513.5090406@sixdemonbag.org> Message-ID: On Sat, Dec 20, 2014 at 7:32 PM, Robert J. Hansen wrote: >> I'm a home user of Linux. I'm looking for an encryption utility for >> my personal password file, preferably one with a graphical user >> interface. > > Have you considered either encrypting your /home directory (with > dm-crypt, LUKS, pick your poison) and/or using an encrypted folder > (TrueCrypt, etc.)? Either of those would possibly be a much more > user-friendly experience. Do you subscribe the the FUD about TrueCrypt? I haven't read anything objective lately about it. /S From beckus at beckus.eu Fri Dec 26 00:47:11 2014 From: beckus at beckus.eu (Christopher Beck) Date: Fri, 26 Dec 2014 00:47:11 +0100 Subject: Different subkeys and the use of a SmartCard In-Reply-To: <726965762.20141221142541@my_localhost> References: <17749912.NscA550NhW@maxwell> <5679750.Eyp6YpnS5V@inno> <726965762.20141221142541@my_localhost> Message-ID: <2670456.eIyN0W3iW4@maxwell> On Sunday 21 December 2014 14:25:41 MFPA wrote: > On Sunday 21 December 2014 at 12:16:26 AM, in > > , Hauke Laging wrote: > > Am So 21.12.2014, 00:46:40 schrieb Christopher Beck: > >> Second (and working for everything) was adding the > >> line "local-user 0x11111111!' to the gpg.conf file! > > > > Interesting idea. > > Using two of those lines is how I am signing my messages using both > an RSA and an EDDSA subkey. > > > But I assume that leads to each (i.e. > > not only those requested from 0x88888888) signature > > being not replaced but being extended by one from > > 0x11111111. > > If you ask for a signature from 0x88888888, GnuPG will sign with > subkey 0x11111111 instead. > > If you specify 0x88888888! (with the "!"), you get sigs from both > 0x11111111 and 0x88888888. Could that explain, why gpg didn't finish its singing process? As mentioned a few mails before, the primary secret key (0x11111111) is not available. Now I downgraded everything to gnupg 2.0.26, dirmng 1.1.1 and gpgme 1.5.2, because there seems to be a bug [1] [2] and everything works well. I will set up a test box after the x-mas holidays to do further tries. As Werner said > > Sorry for this second mail, but it does not work well. It signs on the > > commandline and everywhere, but using this configuration for mail clients, > > they just stop sending the whole signated message... Well, I hope there > > is a> > If the mail clients are using gpgme they have no way to specify the use > of a specific subkey. > > My tentative plan to change that and allow for a couple of other things > is a new interface to set flags on a gpgme_key_t object and also to > allow creation of such an object without the need for running a key > listing first. it might not be possible when using a gpme based mail client. I'll also check, how kmail invokes gnupg after the holidays. This far, thank you very much! [1]: https://bugs.archlinux.org/task/43173 [2]: https://bugs.g10code.com/gnupg/issue1793 -- Christopher Beck Gerhart-Hauptmann-Str. 1 91058 Erlangen Tel.: 09131 / 9245437 Fax.: 09131 / 8148708 Jabber: beckus at jabber.org EPVPN: (+49 221 59619) - 5232 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 473 bytes Desc: This is a digitally signed message part. URL: From stef at scaleengine.com Thu Dec 25 04:41:08 2014 From: stef at scaleengine.com (Stefan Caunter) Date: Wed, 24 Dec 2014 22:41:08 -0500 Subject: File Encryption In-Reply-To: <54961513.5090406@sixdemonbag.org> References: <516562864.1472822.1419027614775.JavaMail.yahoo@jws10657.mail.bf1.yahoo.com> <54961513.5090406@sixdemonbag.org> Message-ID: On Sat, Dec 20, 2014 at 7:32 PM, Robert J. Hansen wrote: >> I'm a home user of Linux. I'm looking for an encryption utility for >> my personal password file, preferably one with a graphical user >> interface. > > Have you considered either encrypting your /home directory (with > dm-crypt, LUKS, pick your poison) and/or using an encrypted folder > (TrueCrypt, etc.)? Either of those would possibly be a much more > user-friendly experience. Robert: In spite of the fud about TC, do you still like it? I respect your opinion on this. From rjh at sixdemonbag.org Sat Dec 27 05:28:42 2014 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri, 26 Dec 2014 22:28:42 -0600 Subject: File Encryption In-Reply-To: References: <516562864.1472822.1419027614775.JavaMail.yahoo@jws10657.mail.bf1.yahoo.com> <54961513.5090406@sixdemonbag.org> Message-ID: <549E357A.4040009@sixdemonbag.org> > Robert: In spite of the fud about TC, do you still like it? First, please don't respect my opinion on it -- I don't think I know enough to have an opinion on it! TrueCrypt has published source and a lot of people looking at it. Prior versions of TrueCrypt sometimes had appalling failures (what was it, in 5.3 it actually stored passphrases in RAM in cleartext), but current versions seem credible. I'm unaware of any published attacks on the latest TrueCrypt, nor am I aware of any research indicating there are numerous problems. The code is a mess, yes -- but that's not by itself evidence of a major problem. Please don't read this as a recommendation. It's more of a, "if you need free software disk encryption for Windows then it's your only real choice, and it doesn't appear to be an obviously stupid one." From 2014-667rhzu3dc-lists-groups at riseup.net Sat Dec 27 14:04:07 2014 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Sat, 27 Dec 2014 13:04:07 +0000 Subject: File Encryption In-Reply-To: <549E357A.4040009@sixdemonbag.org> References: <516562864.1472822.1419027614775.JavaMail.yahoo@jws10657.mail.bf1.yahoo.com> <54961513.5090406@sixdemonbag.org> <549E357A.4040009@sixdemonbag.org> Message-ID: <254869059.20141227130407@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Saturday 27 December 2014 at 4:28:42 AM, in , Robert J. Hansen wrote: > The > code is a mess, yes Steve Gibson [0] has a slightly different opinion of the code:- "It is truly lovely. It is beautifully constructed. It is amazing work to be deeply proud of." Maybe he read a different audit report than I found at [1]. [0] [1] - -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net If you are afraid to speak against tyranny, then you are already a slave. -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJUnq55XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2 QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwbxYH/RyI00dob4WzLPooylTzNte6 qXAL571Lvx8b02jv22O6qplNaRCpYV0UatlVW4IzxoOUFeyjPSGTWP5hXtOPPqBJ OXh9YhOvRhLyaModEaETxCwna0vDIQUw4IqjOnzKdHwr+2V7gWzPliUGZmUh0cMq b7wrWtOyJ4387iSzcmPs862DDozrkdXM93Jrv/6823ugqaZPZHSNMME36qLfZMUG Kaxxt3m4u8mzAAk1hGjOgK1bC9UuUIR20SRNXYAVhlDRLxyk1z/pwsZ8iiGNRH59 3YjnLyKsKPE3nu8wg6qgsg6/uL43RAgRx3RXPe6PS9sfAcVInSBs/CWtUqJ9oxmI vgQBFgoAZgUCVJ6ugl8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45B32AQC2fmmiE+caapEygHYivHJtXe/+ ds6aOc21EGqrJgdtqQEAlxgiCnD0CmPXyXKzGXgiJJCZLS31BeOlirltt/yd3Ag= =Cbkb -----END PGP SIGNATURE----- From s.murthy at mykolab.com Sat Dec 27 18:36:25 2014 From: s.murthy at mykolab.com (Sandeep Murthy) Date: Sat, 27 Dec 2014 17:36:25 +0000 Subject: [Gnupg-users] Message-ID: <57C2F421-F088-44A5-8007-F4F6B36235F3@mykolab.com> Hi I have GnuPG/MacGPG2 (v. 2.0.26) on my system (OS X 10.10.1), installed via GPG Tools Suite. I have four keypairs associated with my main email, two of which are revoked and one expired. But if I try to edit the main key associated with email by $ gpg --edit-key then it invokes gpg and points to one of the revoked keys rather than the active key. I have to explicitly give the short ID of the active key to edit that key and get its fingerprint. Is there a way to change this, or I am doing something wrong? Sandeep Murthy s.murthy at mykolab.com -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 873 bytes Desc: Message signed with OpenPGP using GPGMail URL: From dougb at dougbarton.email Sat Dec 27 20:41:41 2014 From: dougb at dougbarton.email (Doug Barton) Date: Sat, 27 Dec 2014 11:41:41 -0800 Subject: Key selection In-Reply-To: <57C2F421-F088-44A5-8007-F4F6B36235F3@mykolab.com> References: <57C2F421-F088-44A5-8007-F4F6B36235F3@mykolab.com> Message-ID: <549F0B75.1070203@dougbarton.email> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 12/27/14 9:36 AM, Sandeep Murthy wrote: | I have four keypairs associated with my main email, two of which | are revoked and one expired. But if I try to edit the main key | associated with email by | | $ gpg --edit-key | | then it invokes gpg and points to one of the revoked keys rather | than the active key. I have to explicitly give the short ID of the | active key to edit that key and get its fingerprint. | | Is there a way to change this, or I am doing something wrong? No, and no. :) If you have multiple keys that match a pattern (such as your e-mail address) then gpg is going to take its best guess as to which one you mean. In this case, the guess isn't what you wanted, so you have to specify the key Id. hope this helps, Doug -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJUnwt1AAoJEFzGhvEaGryEejcIALKK/abYjxcacUN1ZaFf/IvT I9tlcId1CdCma1NP/X2xFmKeIBrRr0ANPb3FUFSMvwNNcZNcbpFsQRijq9+eyMgu OoGPRpBs76DJuSy1QTMcwOyBGdjCqQMC0tJhIMj3qNd9QjsJxbzgqNBc41YIuwG7 4+FT8rRoJaEzxcBnzaz3ObVpBG/tA7LtYX6VOcADmskV6PFZsJDyUlGZcyFniWk1 c9PvJkz1J4P5Meg2i8Ktz6AZCCMuBkLcgiCWgIYTqWQIlcIHR90gP1coesETIrW1 zFNSk6UBeJ8xiOspuiLrd7jELJgXZ2mjWXNhwtrv47ACkpTMEGU4zNmz8WKsMc4= =Cbyi -----END PGP SIGNATURE----- From rjh at sixdemonbag.org Sat Dec 27 21:26:31 2014 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sat, 27 Dec 2014 14:26:31 -0600 Subject: File Encryption In-Reply-To: <254869059.20141227130407@my_localhost> References: <516562864.1472822.1419027614775.JavaMail.yahoo@jws10657.mail.bf1.yahoo.com> <54961513.5090406@sixdemonbag.org> <549E357A.4040009@sixdemonbag.org> <254869059.20141227130407@my_localhost> Message-ID: <549F15F7.5070604@sixdemonbag.org> > Steve Gibson [0] has a slightly different opinion of the code:- > > "It is truly lovely. It is beautifully constructed. It is amazing > work to be deeply proud of." I do not personally find Gibson to be a credible commentator. He's made a lot of really embarrassing brainos over the years -- like when he predicted that TCP raw sockets would be the coming of the Information Apocalypse. There have been lots of other examples. Check out his Wikipedia page under "Controversies"; these have all been errors of such magnitude that I'd be wearing a paper bag over my head. I know a lot of people listen to him, but ... frankly, I do not have a high opinion of his skills and commentary. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From brian at minton.name Sun Dec 28 00:12:57 2014 From: brian at minton.name (Brian Minton) Date: Sat, 27 Dec 2014 18:12:57 -0500 Subject: [Gnupg-users] In-Reply-To: <57C2F421-F088-44A5-8007-F4F6B36235F3@mykolab.com> References: <57C2F421-F088-44A5-8007-F4F6B36235F3@mykolab.com> Message-ID: I would just backup the expired and revoked keys, then delete them. I personally never have used my revoked keys. I mean maybe once in a very great while, I come across a file encrypted with my old key on my hard drive, but that's happened maybe twice in the last ten years. On Dec 27, 2014 1:54 PM, "Sandeep Murthy" wrote: > Hi > > I have GnuPG/MacGPG2 (v. 2.0.26) on my system (OS X 10.10.1), installed > via GPG Tools Suite. > > I have four keypairs associated with my main email, two of which are > revoked and one expired. But if I > try to edit the main key associated with email by > > $ gpg --edit-key > > then it invokes gpg and points to one of the revoked keys rather than the > active key. I have to explicitly > give the short ID of the active key to edit that key and get its > fingerprint. > > Is there a way to change this, or I am doing something wrong? > > Sandeep Murthy > s.murthy at mykolab.com > > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From pablo at odac.co Sat Dec 27 06:22:46 2014 From: pablo at odac.co (Pablo Olmos de Aguilera C.) Date: Sat, 27 Dec 2014 02:22:46 -0300 Subject: Using a GPG key as ssh key: ssh socket & coments on "rsa" keys. Message-ID: <1419657766.1420258.207045969.3ABB8A69@webmail.messagingengine.com> I've read about using a GPG key as SSH key, but somehow I can't implement it correctly, I have been following the steps outlined in this post from 2012[1]. Here's the steps I have been following: 1. Create a new subkey with authentication capabilities: sub rsa4096/989A8388 created: 2014-12-19 expires: 2015-12-19 usage: A 2. Find keygrip: $ gpg --with-keygrip -k pablo sub rsa4096/989A8388 2014-12-19 [expires: 2015-12-19] Keygrip = 5541F31ADF830A61126C8F0167A506F9ABF2D324 3. Add the keygrip to sshcontrol echo '5541F31ADF830A61126C8F0167A506F9ABF2D324 0' >> .config/gnupg/sshcontrol This works okay, though, sometimes the SSH_AUTH_LOCK is lost. As a workaround I'm exporting the default location: export SSH_AUTH_SOCK=/home/pablo/.config/gnupg/S.gpg-agent.ssh But I guess something is happening. Also, when listing keys, with ssh-add -l: 4096 11:22:33:44:55:66:77:88:99..... (none) (RSA) The keys (obviously?) doesn't have any comment, which makes a bit hard to manage (when I copy them with ssh-add -L to the desired host, I write a comment in the `.ssh/authorized_keys` file, but I imagine there that it should be a more straightforward way. [1]: http://lists.gnupg.org/pipermail/gnupg-users/2012-July/045059.html PS.- Please cc me, since I'm not subscribed to the list. Regards -- Pablo Olmos de Aguilera C. From 2014-667rhzu3dc-lists-groups at riseup.net Mon Dec 29 01:11:07 2014 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Mon, 29 Dec 2014 00:11:07 +0000 Subject: [Gnupg-users] In-Reply-To: <57C2F421-F088-44A5-8007-F4F6B36235F3@mykolab.com> References: <57C2F421-F088-44A5-8007-F4F6B36235F3@mykolab.com> Message-ID: <229257575.20141229001107@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Saturday 27 December 2014 at 5:36:25 PM, in , Sandeep Murthy wrote: > I have four keypairs associated with my main email, two > of which are revoked and one expired. But if I try to > edit the main key associated with email by > $ gpg --edit-key > then it invokes gpg and points to one of the revoked > keys rather than the active key. I have to explicitly > give the short ID of the active key to edit that key > and get its fingerprint. To just view the fingerprints, you could try:- gpg --list-keys The listing should indicate which keys are revoked or expired. - -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net A closed door is an invitation to knock -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJUoJweXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2 QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwkt4IAIvoL9O5y+RI4dCAY75B4ufL jVdXCWDtA8WfuD9FoaQO8WG4rtKTdqmPy/ofVZ/AKjlHqQ+HMv8ylgYvpEk49Xlu O/BSo9c5IwZAg5pryDK8g+LUEZZPu7iV0iZL5FGXDrsiLFurMx9fLp6ioIempTiZ XF3Fma5wsFTtGoJ2/0uhc+Esc0ta7in9e7OA3S8Z5PTTWc1JH5grSttRt0lhKRrr Zmuwqw1j/IxDQbu2gNuCbAntQIJEdZV6Zw4QTGvXxy6ysKmmCEGjaCYENo+QbnWC 9vi0vvAvR++8gxg0sSgE6EagePwQoXt3D4vEEPKRvqSq2URJ41qf4mpqIjOkEC6I vgQBFgoAZgUCVKCcSF8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45C6RAQDnfWEM8+3eFxqaCStMdZyLhOfu eUNgfXNUtwV03BUYqAEAPmtHQSj5aAstTiMl7N6zANuAjMUAa7GfR6h+l5g80g0= =NNuz -----END PGP SIGNATURE----- From 2014-667rhzu3dc-lists-groups at riseup.net Mon Dec 29 02:14:46 2014 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Mon, 29 Dec 2014 01:14:46 +0000 Subject: Key selection In-Reply-To: <549F0B75.1070203@dougbarton.email> References: <57C2F421-F088-44A5-8007-F4F6B36235F3@mykolab.com> <549F0B75.1070203@dougbarton.email> Message-ID: <1314470459.20141229011446@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Saturday 27 December 2014 at 7:41:41 PM, in , Doug Barton wrote: > If you have multiple keys that match a pattern (such as > your e-mail address) then gpg is going to take its best > guess as to which one you mean. If several signing keys match the "From" email address, my email client manages to get GnuPG to return a list so that I can choose which key to use for signing. Conversely, if I sign a file from the commandline using the --local-user option with a string that matches several signing keys, I am not presented with this choice. If several encryption keys match the "To" address of an email, there is no such choice of keys offered by my MUA and GnuPG picks one to use for encryption. GnuPG also picks the key itself when I encrypt from the commandline and use a non-unique pattern. - -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net Wise men learn many things from their enemies. -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJUoKsJXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2 QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwRLQH/jv2BxTQ6ZhHHpQoar2MMcM7 MCMPpZ+7w3WIE6e1NLhyJFMvCZqY56d48i9uMMDRf0hXWAZDzezG3OPnoAlNllv3 LJ9iar0oPynN3olV5OctALvDhVG3+W5VrZh9elARa/C8BY3/mEhRrRfVpFOyui1I X7z8UUByu2+VwbDHqB72FuX6jGLFawfgZLG8cQl3OkgFlGMNmEo1eJGoUWcIv48D IxR0c9rNFQmvBunQ95xdnGRA/ZVDAB+LFPvf9WMAsctx8OV4wRmX9Mft0H8ipK9e 16+nFTGxERJnvf96JPZTUAYw6E2T7TgpggtvuV8+rwM00W+8FG4k8d4A9SIo2qmI vgQBFgoAZgUCVKCrCV8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45ITNAQA5yF8MjHah5uts7wlD8yE8q3DK E0IBgEqLDDfp7YUWcwEAasLbOk4Mncn9D0gzqn7NIfUXYAfP0IJYDQs7HjsDoAc= =6OrH -----END PGP SIGNATURE----- From Dhiraj.Haritwal at ap.sony.com Mon Dec 29 15:57:18 2014 From: Dhiraj.Haritwal at ap.sony.com (Haritwal, Dhiraj) Date: Mon, 29 Dec 2014 14:57:18 +0000 Subject: Unable to encrypt file with private/public key In-Reply-To: References: <000001d01b72$defa4630$9ceed290$@on.yourweb.de> <8F0B09FC6339FA439524099BFCABC11F2D398B7D@IRVEXCHMB11.corp.ad.broadcom.com> Message-ID: Almost done now. After I signed partner?s public key, that warring has gone. I am using below command to encrypt file with my private key & partner?s public key & partner is using my private key & their public key to decrypt it but it?s getting fail. M I using anything wrong here. ./gpg --local-user 'MY USER? --recipient partner_pubkey --encrypt --armor /tmp/test/data1.CSV Tried to use --sign which is asking passphrase which don?t want to use. Can we sign without passphrase & only with public/private key. Dhiraj From: Pete Stephenson [mailto:pete at heypete.com] Sent: 23 December 2014 11:24 To: Haritwal, Dhiraj Cc: gnupg-users at gnupg.org Subject: RE: Unable to encrypt file with private/public key On Dec 22, 2014 7:30 AM, "Haritwal, Dhiraj" > wrote: > > Thank you very much for all the explanation/links. Now things are bit clear. > Now I have to encrypt file with partner's Public Key. I tried with below command which is still showing warning message (gpg: 89709B71: There is no assurance this key belongs to the named user) whereas if I am checking partner_pubkey, it's showing full trust. How can I remove this message. Even I have added partner's public key as trusted. > > ./gpg --encrypt --recipient partner_pubkey --armor /tmp/test/data.CSV I'm glad things are working better. To resolve the issue with the assurance message, manually verify that the key belongs to the recipient (e.g. meet in person or call them and verify the fingerprint of their key) and then sign the key using GnuPG. (gpg --sign-key 0xKEYID) In GnuPG you vouch that a particular public key belongs to a person (or organization) by signing their public key. This signature can be local or published publicly. "Trust" in GnuPG is different, and reflects how much you trust the other key to correctly vouch for the identity of others. If you set their key as fully trusted, keys that are signed by that key are treated by your copy of GnuPG with the same level of assurance as if you signed them yourself. Typically this should only be reserved for people you know to always check the identity of other people thoroughly and correctly before signing their keys. The default is for trust to be set to "marginal". By combining signatures and trust, one forms a "web of trust": https://en.wikipedia.org/wiki/Web_of_trust Cheers! -Pete ________________________________ This email is confidential and intended only for the use of the individual or entity named above and may contain information that is privileged. If you are not the intended recipient, you are notified that any dissemination, distribution or copying of this email is strictly prohibited. If you have received this email in error, please notify us immediately by return email or telephone and destroy the original message. - This mail is sent via Sony Asia Pacific Mail Gateway.. -------------- next part -------------- An HTML attachment was scrubbed... URL: From nico at enigmail.net Mon Dec 29 03:01:34 2014 From: nico at enigmail.net (nico at enigmail.net) Date: Mon, 29 Dec 2014 03:01:34 +0100 Subject: Guys please all see In-Reply-To: <1314470459.20141229011446@my_localhost> References: <57C2F421-F088-44A5-8007-F4F6B36235F3@mykolab.com> <549F0B75.1070203@dougbarton.email> <1314470459.20141229011446@my_localhost> Message-ID: <54A0B5FE.9090603@enigmail.net> Guys please all see >> http://media.ccc.de/browse/congress/2014/31c3_-_6258_-_en_-_saal_1_-_201412282030_-_reconstructing_narratives_-_jacob_-_laura_poitras.html#video to understand the important role, GPG plays. Support us, please! From brian at minton.name Mon Dec 29 22:59:28 2014 From: brian at minton.name (Brian Minton) Date: Mon, 29 Dec 2014 16:59:28 -0500 Subject: Issue: unknown armor header: \x09Version: GnuPG v2.0.17 (MingW32) In-Reply-To: <1419244914304-40236.post@n7.nabble.com> References: <1419244914304-40236.post@n7.nabble.com> Message-ID: On Mon, Dec 22, 2014 at 5:41 AM, pkalluru wrote: > > *unknown armor header: \x09Version: GnuPG v2.0.17 (MingW32)* 0x09 is a tab character. That sounds like a whitespace error. From s.murthy at mykolab.com Tue Dec 30 00:10:07 2014 From: s.murthy at mykolab.com (Sandeep Murthy) Date: Mon, 29 Dec 2014 23:10:07 +0000 Subject: Gnupg-users Digest, Vol 135, Issue 42 In-Reply-To: References: Message-ID: Hi @Brian Minton and @Doug Barton, thanks for the info. I use then GPG suite (https://gpgtools.org/), which has the really useful GPG Keychain GUI for managing keys. So I don?t need to use the command line, but I want to learn how to do so, hence my question, which was really about the behaviour of gpg (I am using version 2.0.26). I think it would be nice to have gpg (on the command line) show an auto-completion list of the short IDs of all keys associated with a particular email when the user does $ gpg --edit-key simply because although it is easier to remember an email than a key ID, no matter how short. Users think in terms of emails, not key IDs (maybe this would be different for a regular user of encryption tools). At the moment what this does is launches gpg and points it to a revoked key. This seems wrong, even if the command is ambiguous. I can always do $ gpg ?edit-key to edit a specific key, but I?m making a point about having gpg be neater on the command line. I don?t know whether this is an issue with other users, but I thought I would bring to the forum?s attention. I?m still relatively new to GnuPG (and using encryption) but I think what confuses (or overwhelms) a lot of people about encryption tools is the amount of work involved in key management - for example, what is the actual difference in practice between a revoked key and an expired key? Do most people here think that it is OK to delete a revoked key only a sufficient passage of time, Sandeep Murthy s.murthy at mykolab.com > On 29 Dec 2014, at 15:28, gnupg-users-request at gnupg.org wrote: > > Send Gnupg-users mailing list submissions to > gnupg-users at gnupg.org > > To subscribe or unsubscribe via the World Wide Web, visit > http://lists.gnupg.org/mailman/listinfo/gnupg-users > or, via email, send a message with subject or body 'help' to > gnupg-users-request at gnupg.org > > You can reach the person managing the list at > gnupg-users-owner at gnupg.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of Gnupg-users digest..." > > > Today's Topics: > > 1. Re: [Gnupg-users] (Brian Minton) > 2. Using a GPG key as ssh key: ssh socket & coments on "rsa" > keys. (Pablo Olmos de Aguilera C.) > 3. Re: [Gnupg-users] (MFPA) > 4. Re: Key selection (MFPA) > 5. RE: Unable to encrypt file with private/public key > (Haritwal, Dhiraj) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Sat, 27 Dec 2014 18:12:57 -0500 > From: Brian Minton > To: Sandeep Murthy > Cc: GnuPG Users > Subject: Re: [Gnupg-users] > Message-ID: > > Content-Type: text/plain; charset="utf-8" > > I would just backup the expired and revoked keys, then delete them. I > personally never have used my revoked keys. I mean maybe once in a very > great while, I come across a file encrypted with my old key on my hard > drive, but that's happened maybe twice in the last ten years. > On Dec 27, 2014 1:54 PM, "Sandeep Murthy" wrote: > > > Hi > > > > I have GnuPG/MacGPG2 (v. 2.0.26) on my system (OS X 10.10.1), installed > > via GPG Tools Suite. > > > > I have four keypairs associated with my main email, two of which are > > revoked and one expired. But if I > > try to edit the main key associated with email by > > > > $ gpg --edit-key > > > > then it invokes gpg and points to one of the revoked keys rather than the > > active key. I have to explicitly > > give the short ID of the active key to edit that key and get its > > fingerprint. > > > > Is there a way to change this, or I am doing something wrong? > > > > Sandeep Murthy > > s.murthy at mykolab.com > > > > > > > > > > _______________________________________________ > > Gnupg-users mailing list > > Gnupg-users at gnupg.org > > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > > > > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: > > ------------------------------ > > Message: 2 > Date: Sat, 27 Dec 2014 02:22:46 -0300 > From: "Pablo Olmos de Aguilera C." > To: gnupg-users at gnupg.org > Subject: Using a GPG key as ssh key: ssh socket & coments on "rsa" > keys. > Message-ID: > <1419657766.1420258.207045969.3ABB8A69 at webmail.messagingengine.com> > Content-Type: text/plain > > I've read about using a GPG key as SSH key, but somehow I can't > implement it correctly, I have been following the steps outlined in this > post from 2012[1]. > > Here's the steps I have been following: > > 1. Create a new subkey with authentication capabilities: > > sub rsa4096/989A8388 > created: 2014-12-19 expires: 2015-12-19 usage: A > > 2. Find keygrip: > > $ gpg --with-keygrip -k pablo > sub rsa4096/989A8388 2014-12-19 [expires: 2015-12-19] > Keygrip = 5541F31ADF830A61126C8F0167A506F9ABF2D324 > > 3. Add the keygrip to sshcontrol > > echo '5541F31ADF830A61126C8F0167A506F9ABF2D324 0' >> > .config/gnupg/sshcontrol > > This works okay, though, sometimes the SSH_AUTH_LOCK is lost. As a > workaround I'm exporting the default location: > > export SSH_AUTH_SOCK=/home/pablo/.config/gnupg/S.gpg-agent.ssh > > But I guess something is happening. > > Also, when listing keys, with ssh-add -l: > > 4096 11:22:33:44:55:66:77:88:99..... (none) (RSA) > > The keys (obviously?) doesn't have any comment, which makes a bit hard > to manage (when I copy them with ssh-add -L to the desired host, I write > a comment in the `.ssh/authorized_keys` file, but I imagine there that > it should be a more straightforward way. > > [1]: http://lists.gnupg.org/pipermail/gnupg-users/2012-July/045059.html > > PS.- Please cc me, since I'm not subscribed to the list. > > Regards > -- > Pablo Olmos de Aguilera C. > > > > ------------------------------ > > Message: 3 > Date: Mon, 29 Dec 2014 00:11:07 +0000 > From: MFPA <2014-667rhzu3dc-lists-groups at riseup.net> > To: "Sandeep Murthy on GnuPG-Users" > Subject: Re: [Gnupg-users] > Message-ID: <229257575.20141229001107 at my_localhost> > Content-Type: text/plain; charset=utf-8 > > Signed PGP part > > > On Saturday 27 December 2014 at 5:36:25 PM, in > , Sandeep Murthy > wrote: > > > > I have four keypairs associated with my main email, two > > of which are revoked and one expired. But if I try to > > edit the main key associated with email by > > > $ gpg --edit-key > > > then it invokes gpg and points to one of the revoked > > keys rather than the active key. I have to explicitly > > give the short ID of the active key to edit that key > > and get its fingerprint. > > To just view the fingerprints, you could try:- > > gpg --list-keys > > The listing should indicate which keys are revoked or expired. > > > > -- > Best regards > > MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net > > A closed door is an invitation to knock > > > > > > ------------------------------ > > Message: 4 > Date: Mon, 29 Dec 2014 01:14:46 +0000 > From: MFPA <2014-667rhzu3dc-lists-groups at riseup.net> > To: "Doug Barton on GnuPG-Users" > Subject: Re: Key selection > Message-ID: <1314470459.20141229011446 at my_localhost> > Content-Type: text/plain; charset=utf-8 > > Signed PGP part > > > On Saturday 27 December 2014 at 7:41:41 PM, in > , Doug Barton wrote: > > > > > If you have multiple keys that match a pattern (such as > > your e-mail address) then gpg is going to take its best > > guess as to which one you mean. > > > If several signing keys match the "From" email address, my email > client manages to get GnuPG to return a list so that I can choose > which key to use for signing. Conversely, if I sign a file from the > commandline using the --local-user option with a string that matches > several signing keys, I am not presented with this choice. > > If several encryption keys match the "To" address of an email, there > is no such choice of keys offered by my MUA and GnuPG picks one to use > for encryption. GnuPG also picks the key itself when I encrypt from > the commandline and use a non-unique pattern. > > > > -- > Best regards > > MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net > > Wise men learn many things from their enemies. > > > > > > ------------------------------ > > Message: 5 > Date: Mon, 29 Dec 2014 14:57:18 +0000 > From: "Haritwal, Dhiraj" > To: Pete Stephenson > Cc: "gnupg-users at gnupg.org" > Subject: RE: Unable to encrypt file with private/public key > Message-ID: > > Content-Type: text/plain; charset="utf-8" > > Almost done now. After I signed partner?s public key, that warring has gone. > > I am using below command to encrypt file with my private key & partner?s public key & partner is using my private key & their public key to decrypt it but it?s getting fail. M I using anything wrong here. > > ./gpg --local-user 'MY USER? --recipient partner_pubkey --encrypt --armor /tmp/test/data1.CSV > > Tried to use --sign which is asking passphrase which don?t want to use. Can we sign without passphrase & only with public/private key. > > > Dhiraj > > > From: Pete Stephenson [mailto:pete at heypete.com] > Sent: 23 December 2014 11:24 > To: Haritwal, Dhiraj > Cc: gnupg-users at gnupg.org > Subject: RE: Unable to encrypt file with private/public key > > > On Dec 22, 2014 7:30 AM, "Haritwal, Dhiraj" > wrote: > > > > Thank you very much for all the explanation/links. Now things are bit clear. > > Now I have to encrypt file with partner's Public Key. I tried with below command which is still showing warning message (gpg: 89709B71: There is no assurance this key belongs to the named user) whereas if I am checking partner_pubkey, it's showing full trust. How can I remove this message. Even I have added partner's public key as trusted. > > > > ./gpg --encrypt --recipient partner_pubkey --armor /tmp/test/data.CSV > > I'm glad things are working better. > > To resolve the issue with the assurance message, manually verify that the key belongs to the recipient (e.g. meet in person or call them and verify the fingerprint of their key) and then sign the key using GnuPG. (gpg --sign-key 0xKEYID) > > In GnuPG you vouch that a particular public key belongs to a person (or organization) by signing their public key. This signature can be local or published publicly. > > "Trust" in GnuPG is different, and reflects how much you trust the other key to correctly vouch for the identity of others. If you set their key as fully trusted, keys that are signed by that key are treated by your copy of GnuPG with the same level of assurance as if you signed them yourself. Typically this should only be reserved for people you know to always check the identity of other people thoroughly and correctly before signing their keys. The default is for trust to be set to "marginal". > > By combining signatures and trust, one forms a "web of trust": https://en.wikipedia.org/wiki/Web_of_trust > > Cheers! > -Pete > > ________________________________ > > This email is confidential and intended only for the use of the individual or entity named above and may contain information that is privileged. If you are not the intended recipient, you are notified that any dissemination, distribution or copying of this email is strictly prohibited. If you have received this email in error, please notify us immediately by return email or telephone and destroy the original message. - This mail is sent via Sony Asia Pacific Mail Gateway.. > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: > > ------------------------------ > > Subject: Digest Footer > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > > ------------------------------ > > End of Gnupg-users Digest, Vol 135, Issue 42 > ******************************************** -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 873 bytes Desc: Message signed with OpenPGP using GPGMail URL: From 2014-667rhzu3dc-lists-groups at riseup.net Tue Dec 30 00:51:14 2014 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Mon, 29 Dec 2014 23:51:14 +0000 Subject: Guys please all see In-Reply-To: <54A0B5FE.9090603@enigmail.net> References: <57C2F421-F088-44A5-8007-F4F6B36235F3@mykolab.com> <549F0B75.1070203@dougbarton.email> <1314470459.20141229011446@my_localhost> <54A0B5FE.9090603@enigmail.net> Message-ID: <748007345.20141229235114@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Monday 29 December 2014 at 2:01:34 AM, in , nico at enigmail.net wrote: > Guys please all see >>> http://media.ccc.de/browse/congress/2014/31c3_-_6258_-_en_-_saal_1_-_201412282030_-_reconstructing_narratives_-_jacob_-_laura_poitras.html#video > to understand the important role, GPG plays. I'm not entirely sure how this relates to the thread in which you posted it. - -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net You can't build a reputation on what you are going to do -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJUoejzXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2 QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwFcAH/RcqKRDPHKvKnd8CMAP464+h zv4LjC/MGHlqy4Pd6CeMedfhQc2MkK+Dlh30eCAQAG85AmDy030jjIYq2IaXwb0a 2qdQpCbR12viXJdcFqzU2U/1r4D9E0kuYVT83mOZ+3+3ULjeALGES+5+kn/k7XRy koT39mBUIrNNxnF8H2QvMddmdgie+ItLyFLt0R9b/3wuGa6WnnGhNI/PECegVkH9 rRwXn36GCpK3NkEP80ZLxeWPGBCknIJGnZtDSH0E1o0mfJADKSbAcOq8VeLcJhuN 4A5O1dQKwZXgilIbwHdSpBWH2VP8puLqfV98av0ml5tMbZZOa8m1KSd1SvxL98eI vgQBFgoAZgUCVKHo818UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45L7/AQBxPJEXpAljQhxWVGhqSSC8PR6D xvOJrBkq+l6UFH/R3wEACri0zAYTJ1hgAiw/CXnEbJnnWFBlnDA4+zwujzz6aQg= =aaDG -----END PGP SIGNATURE----- From aaron.toponce at gmail.com Mon Dec 29 23:47:16 2014 From: aaron.toponce at gmail.com (Aaron Toponce) Date: Mon, 29 Dec 2014 15:47:16 -0700 Subject: Thoughts on Keybase In-Reply-To: <548F2B16.1030703@sixdemonbag.org> References: <548F2B16.1030703@sixdemonbag.org> Message-ID: <20141229224714.GA26328@eightyeight.xmission.com> On Mon, Dec 15, 2014 at 01:40:22PM -0500, Robert J. Hansen wrote: > Keybase (https://keybase.io) is trying to solve the Web of Trust problem in > a new way. They're currently in beta, but I was able to snag an invitation. > (I have no invites to give out, unfortunately.) FWIW, I have 3 invites. If you want to grab me off-list. https://keybase.io/atoponce -- . o . o . o . . o o . . . o . . . o . o o o . o . o o . . o o o o . o . . o o o o . o o o -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 502 bytes Desc: not available URL: From pete at heypete.com Tue Dec 30 03:44:29 2014 From: pete at heypete.com (Pete Stephenson) Date: Mon, 29 Dec 2014 18:44:29 -0800 Subject: Unable to encrypt file with private/public key In-Reply-To: References: <000001d01b72$defa4630$9ceed290$@on.yourweb.de> <8F0B09FC6339FA439524099BFCABC11F2D398B7D@IRVEXCHMB11.corp.ad.broadcom.com> Message-ID: On Dec 29, 2014 6:57 AM, "Haritwal, Dhiraj" wrote: > > Almost done now. After I signed partner?s public key, that warring has gone. Great! > I am using below command to encrypt file with my private key & partner?s public key & partner is using my private key & their public key to decrypt it but it?s getting fail. M I using anything wrong here. > > > > ./gpg --local-user 'MY USER? --recipient partner_pubkey --encrypt --armor /tmp/test/data1.CSV That looks reasonable. When you say you're getting a fail, what error message are you seeing? Also, it seems that you're still mixing up the terms for private and public keys: this makes it a bit confusing to follow what you're doing. You should be encrypting the message to your partner's public key (you can additionally encrypt it to other public keys, such as your own. This is useful if you want to be able to read the message after you sent it.) and your partner should use their private key to decrypt it. > Tried to use --sign which is asking passphrase which don?t want to use. Can we sign without passphrase & only with public/private key. Signing a message requires the sender's (i.e., your) private key to generate the signature. In order to unlock the private key so that it can be used to sign the message, you need to provide the passphrase for your private key. Short answer: no. You need to use your passphrase (and private key) to sign a message. > Dhiraj > > > > > > From: Pete Stephenson [mailto:pete at heypete.com] > Sent: 23 December 2014 11:24 > To: Haritwal, Dhiraj > Cc: gnupg-users at gnupg.org > > Subject: RE: Unable to encrypt file with private/public key > > > > On Dec 22, 2014 7:30 AM, "Haritwal, Dhiraj" wrote: > > > > > Thank you very much for all the explanation/links. Now things are bit clear. > > Now I have to encrypt file with partner's Public Key. I tried with below command which is still showing warning message (gpg: 89709B71: There is no assurance this key belongs to the named user) whereas if I am checking partner_pubkey, it's showing full trust. How can I remove this message. Even I have added partner's public key as trusted. > > > > ./gpg --encrypt --recipient partner_pubkey --armor /tmp/test/data.CSV > > I'm glad things are working better. > > To resolve the issue with the assurance message, manually verify that the key belongs to the recipient (e.g. meet in person or call them and verify the fingerprint of their key) and then sign the key using GnuPG. (gpg --sign-key 0xKEYID) > > In GnuPG you vouch that a particular public key belongs to a person (or organization) by signing their public key. This signature can be local or published publicly. > > "Trust" in GnuPG is different, and reflects how much you trust the other key to correctly vouch for the identity of others. If you set their key as fully trusted, keys that are signed by that key are treated by your copy of GnuPG with the same level of assurance as if you signed them yourself. Typically this should only be reserved for people you know to always check the identity of other people thoroughly and correctly before signing their keys. The default is for trust to be set to "marginal". > > By combining signatures and trust, one forms a "web of trust": https://en.wikipedia.org/wiki/Web_of_trust > > Cheers! > -Pete > > > ________________________________ > > This email is confidential and intended only for the use of the individual or entity named above and may contain information that is privileged. If you are not the intended recipient, you are notified that any dissemination, distribution or copying of this email is strictly prohibited. If you have received this email in error, please notify us immediately by return email or telephone and destroy the original message. - This mail is sent via Sony Asia Pacific Mail Gateway.. -------------- next part -------------- An HTML attachment was scrubbed... URL: From dave.pawson at gmail.com Tue Dec 30 08:21:21 2014 From: dave.pawson at gmail.com (Dave Pawson) Date: Tue, 30 Dec 2014 07:21:21 +0000 Subject: MOOC's Message-ID: https://www.futurelearn.com/courses/introduction-to-cyber-security Starting shortly, free Open course on cyber security. regards -- Dave Pawson XSLT XSL-FO FAQ. Docbook FAQ. http://www.dpawson.co.uk From kelly at prtime.org Tue Dec 30 10:49:49 2014 From: kelly at prtime.org (Kelly Dean) Date: Tue, 30 Dec 2014 09:49:49 +0000 Subject: GPG (v. 1.4.12) is not user-friendly Message-ID: # gpg key.gpg pub 2048D/7FBDEF9B 2014-09-24 GNU ELPA Signing Agent # gpg key.gpg --fingerprint usage: gpg [options] [filename] # gpg --fingerprint key.gpg gpg: error reading key: public key not found # man gpg # mkdir tmp # cp key.gpg tmp/pubring.gpg # gpg --fingerprint --homedir tmp/ gpg: WARNING: unsafe permissions on homedir `tmp/' gpg: tmp//trustdb.gpg: trustdb created tmp//pubring.gpg ---------------- pub 2048D/7FBDEF9B 2014-09-24 [expires: 2019-09-23] Key fingerprint = CA44 2C00 F917 74F1 7F59 D9B0 474F 0583 7FBD EF9B uid GNU ELPA Signing Agent # rm tmp/ -r From ryan at b19.org Wed Dec 31 04:59:44 2014 From: ryan at b19.org (Ryan Sawhill) Date: Wed, 31 Dec 2014 03:59:44 +0000 Subject: GPG (v. 1.4.12) is not user-friendly References: Message-ID: I disagree with your subject, and propose that you google for a tutorial since the man page clearly didn't work for you. (As far as I can tell, you were trying to import someone's pubkey, in which case you should simply have used: gpg --import FILE) -------------- next part -------------- An HTML attachment was scrubbed... URL: From wk at gnupg.org Wed Dec 31 13:41:43 2014 From: wk at gnupg.org (Werner Koch) Date: Wed, 31 Dec 2014 13:41:43 +0100 Subject: Issue: unknown armor header: \x09Version: GnuPG v2.0.17 (MingW32) In-Reply-To: (Brian Minton's message of "Mon, 29 Dec 2014 16:59:28 -0500") References: <1419244914304-40236.post@n7.nabble.com> Message-ID: <87vbkshtyw.fsf@vigenere.g10code.de> On Mon, 29 Dec 2014 22:59, brian at minton.name said: > 0x09 is a tab character. That sounds like a whitespace error. which means that at some point in the transport chain the data was mangled by broken software. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From philip.jackson at nordnet.fr Wed Dec 31 13:42:49 2014 From: philip.jackson at nordnet.fr (Philip Jackson) Date: Wed, 31 Dec 2014 13:42:49 +0100 Subject: photo-ID Message-ID: <54A3EF49.2050300@nordnet.fr> I've been looking for documentation with info on adding a photo id to a gpg key. The instructions for adding are available but I can't find any advice for the size, format, dpi etc of the image to be used. I guess that the image size should be kept down somewhat to avoid making the key too large. And it appears that not all software will display the image at the same size. Can anyone offer practical advice on the image parameters ? Philip -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 557 bytes Desc: OpenPGP digital signature URL: From brian at minton.name Wed Dec 31 14:27:31 2014 From: brian at minton.name (Brian Minton) Date: Wed, 31 Dec 2014 08:27:31 -0500 Subject: GPG (v. 1.4.12) is not user-friendly In-Reply-To: References: Message-ID: It seemed to me that all Kelly was trying to do was print the fingerprint of a key from a file. On Tue, Dec 30, 2014 at 10:59 PM, Ryan Sawhill wrote: > I disagree with your subject, and propose that you google for a tutorial > since the man page clearly didn't work for you. > > (As far as I can tell, you were trying to import someone's pubkey, in which > case you should simply have used: gpg --import FILE) > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From s.murthy at mykolab.com Wed Dec 31 14:27:43 2014 From: s.murthy at mykolab.com (Sandeep Murthy) Date: Wed, 31 Dec 2014 13:27:43 +0000 Subject: photo-ID In-Reply-To: <54A3EF49.2050300@nordnet.fr> References: <54A3EF49.2050300@nordnet.fr> Message-ID: Hi Philip Actually, there is information in the Manual (https://www.gnupg.org/documentation/manuals.html) about adding photos to your keys, the relevant section is 4.1.3 (of the HTML version of the manual) on key management, which is this page https://www.gnupg.org/documentation/manuals/gnupg/OpenPGP-Key-Management.html#OpenPGP-Key-Management. The command is the `addphoto` subcommand of `?edit-key` - one adds a photo by executing `$ gpg ?edit-key addphoto` which prints out the following message (after the key information and associated emails): ``` Pick an image to use for your photo ID. The image must be a JPEG file. Remember that the image is stored within your public key. If you use a very large picture, your key will become very large as well! Keeping the image close to 240x288 is a good size to use. Enter JPEG filename for photo ID: ``` This message indicates acceptable dimensions but not size. However some GUI key management tools, such as Keychain tool from the GPG Suite (https://gpgtools.org/) specify that photos must be < 500 KB and the recommended size be < 15 KB. Sandeep Murthy s.murthy at mykolab.com > On 31 Dec 2014, at 12:42, Philip Jackson wrote: > > I've been looking for documentation with info on adding a photo id to a gpg key. > The instructions for adding are available but I can't find any advice for the > size, format, dpi etc of the image to be used. > > I guess that the image size should be kept down somewhat to avoid making the key > too large. And it appears that not all software will display the image at the > same size. > > Can anyone offer practical advice on the image parameters ? > > Philip > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 873 bytes Desc: Message signed with OpenPGP using GPGMail URL: From rjh at sixdemonbag.org Wed Dec 31 15:31:31 2014 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Wed, 31 Dec 2014 09:31:31 -0500 Subject: photo-ID In-Reply-To: <54A3EF49.2050300@nordnet.fr> References: <54A3EF49.2050300@nordnet.fr> Message-ID: <05827616-4C64-4E5D-B80C-0B6B4F0C90CC@sixdemonbag.org> > I've been looking for documentation with info on adding a photo id to a gpg key. > The instructions for adding are available but I can't find any advice for the > size, format, dpi etc of the image to be used. The major problem is there is very little good advice about this, and what there is keeps changing. For a long time the PGP Desktop product used 120x144 as a picture size. Back when a high-resolution display was 800x600 it made a lot of sense; now, when my laptop has a 2880x1800 display, a 120x144 image is literally smaller than a postage stamp. GnuPG adopted the photo-ID feature a few years later and technology had already progressed to the point where the GnuPG advice was 240x288. That advice hasn?t changed in over ten years; it?s probably out of date by now. With respect to what format should be used, the de-facto standard seems to be JPEG. I personally don?t find photo ID to be a useful feature. They?re too static. The photo ID on my certificate, for instance, is almost ten years old. If you need photo ID, a better route would appear to be something like keybase.io, which offers some neat tools for binding a certificate to photographs, social media accounts, and whatnot. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 3634 bytes Desc: not available URL: From nico at josuttis.de Wed Dec 31 14:20:35 2014 From: nico at josuttis.de (Nicolai Josuttis) Date: Wed, 31 Dec 2014 14:20:35 +0100 Subject: The praise of GnuPG @31C3 and why it is important (was: Guys please all see) In-Reply-To: <748007345.20141229235114@my_localhost> References: <57C2F421-F088-44A5-8007-F4F6B36235F3@mykolab.com> <549F0B75.1070203@dougbarton.email> <1314470459.20141229011446@my_localhost> <54A0B5FE.9090603@enigmail.net> <748007345.20141229235114@my_localhost> Message-ID: <54A3F823.3050603@josuttis.de> OK, for those who didn't have time to see the talk at 31C3 as a whole and therefore wondering why this is an important talk, let me point out and quote some content from >> http://media.ccc.de/browse/congress/2014/31c3_-_6258_-_en_-_saal_1_-_201412282030_-_reconstructing_narratives_-_jacob_-_laura_poitras.html#video with the timepoints to be able to see/hear/double-check it yourself and some add-ons in [...] to understand the context. All quotes except the last by Jacob Appelbaum. 26:33 : PPTP, ipsec, SSL, TLS, SSH are broken by NSA 31:23 : we found that they [NSA] consistently break various different types of encryption 33:40 : we want to show one PRISM record (the record contains: "no decrypt available for this OTR encrypted message") 34:22 : basically everyone that uses cryptography is broken except for two things: OTR and PGP (36:06) 37:08 : the sad part is that not everyone is using it but the good news is that when you use it it appears to work (when you verified the fingerprint for example) 37:38 : they [NSA] themselves find that they are blinded when you use properly implemented cryptography. 37:46 : GnuPG and OTR are two things that actually stop the spies from spying on you with PRISM 40:11 : if you use redphone and signal, if you use something like TOR and GnuPG with a properly sized key ... if you use OTR if you use jabber.ccc.de ... if you use encontered together you blind them 42:41 : Werner Koch [GnuPG], ... could you stand up? ... Ian Goldberg [OTR], ... ... Christine Corbett [Signal], stand up and keep standing ... These people without even knowing it and without even trying they beat them! 43:55 : Laura Poitras: Last night I screened my film Citizenfour here ... Somebody ask what an they do to support the work that Snowden has done and the Journalists. ... Everybody should fund the work that you guys do ... because literally, my work would not be possible without the work that you do. So, I would like it if everybody in this room when they leave here in the next week to reach out and fund these projects because without these projects the journalism that Glenn [Greenwald] and I and Jake have done would literally not be possible Am 30.12.2014 um 00:51 schrieb MFPA: > I'm not entirely sure how this relates to the thread in which you > posted it. -- Nicolai M. Josuttis www.josuttis.de mailto:nico at enigmail.net PGP fingerprint: CFEA 3B9F 9D8E B52D BD3F 7AF6 1C16 A70A F92D 28F5 From nico at josuttis.de Wed Dec 31 16:55:07 2014 From: nico at josuttis.de (Nicolai Josuttis) Date: Wed, 31 Dec 2014 16:55:07 +0100 Subject: The praise of GnuPG @31C3 Message-ID: <54A41C5B.3050507@josuttis.de> Disclaimer: Sorry guys, I first wrote these emails as part of another thread. (Not enough sleep over the last days of 31C3 ...) But because IMO this is something important for this list, please allow me to redistribute it as separate thread, again. For those who didn't have time to see it yet, there was an important talk at 31C3 about the social and technical status and consequences of encryption by Jacob Applebaum and Laura Poitras. As a side effect it covers GnuPG significantly. So, please watch it completely at: > http://media.ccc.de/browse/congress/2014/31c3_-_6258_-_en_-_saal_1_-_201412282030_-_reconstructing_narratives_-_jacob_-_laura_poitras.html#video:43:10 For those not having enough time let me point out and quote some content from the talk with the timepoints in the video to be able to see/hear/double-check it yourself. I also added sometime some add-ons in [...] to understand the context. All quotes except the last are by Jacob Appelbaum. [26:33]: PPTP, ipsec, SSL, TLS, SSH are broken by NSA [31:23]: we found that they [NSA] consistently break various different types of encryption [33:40]: we want to show one PRISM record (the record contains: "no decrypt available for this OTR encrypted message") [34:22]: basically everyone that uses cryptography is broken except for two things: OTR and PGP ([36:06]) [37:08]: the sad part is that not everyone is using it but the good news is that when you use it it appears to work (when you verified the fingerprint for example) [37:38]: they [NSA] themselves find that they are blinded when you use properly implemented cryptography. [37:46]: GnuPG and OTR are two things that actually stop the spies from spying on you with PRISM [40:11]: if you use redphone and signal, if you use something like TOR and GnuPG with a properly sized key ... if you use OTR if you use jabber.ccc.de ... if you use encontered together you blind them [42:41]: Werner Koch [GnuPG], ... could you stand up? ... Ian Goldberg [OTR], ... ... Christine Corbett [Signal], stand up and keep standing! ... These people without even knowing it and without even trying they beat them! 43:55 : Laura Poitras: Last night I screened my film Citizenfour here ... Somebody ask what an they do to support the work that Snowden has done and the Journalists. ... Everybody should fund the work that you guys do ... because literally, my work would not be possible without the work that you do. So, I would like it if everybody in this room when they leave here in the next week to reach out and fund these projects because without these projects the journalism that Glenn [Greenwald] and I and Jake have done would literally not be possible -- Nicolai M. Josuttis www.josuttis.de PGP Fingerprint: EA25 EF48 BF20 01E4 1FAB 0C1C DEF9 FC80 8A1C 44D0 From dkg at fifthhorseman.net Wed Dec 31 17:54:44 2014 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Wed, 31 Dec 2014 11:54:44 -0500 Subject: Key selection In-Reply-To: <549F0B75.1070203@dougbarton.email> References: <57C2F421-F088-44A5-8007-F4F6B36235F3@mykolab.com> <549F0B75.1070203@dougbarton.email> Message-ID: <54A42A54.2090509@fifthhorseman.net> On 12/27/2014 02:41 PM, Doug Barton wrote: > On 12/27/14 9:36 AM, Sandeep Murthy wrote: > | I have four keypairs associated with my main email, two of which > | are revoked and one expired. But if I try to edit the main key > | associated with email by > | > | $ gpg --edit-key > | > | then it invokes gpg and points to one of the revoked keys rather > | than the active key. I have to explicitly give the short ID of the > | active key to edit that key and get its fingerprint. > | > | Is there a way to change this, or I am doing something wrong? > > No, and no. :) > > If you have multiple keys that match a pattern (such as your e-mail > address) then gpg is going to take its best guess as to which one you > mean. The short version of the story is that its best guess really isn't very good for any existing version of gnupg. Its "best guess" is just based on a linear scan of the keyring, returning the first certificate with a matching user ID. The linear scan is based on the date that each key was first added to your keyring. While this is a disappointing guess, it's also very predictable (within one known keyring), and controllable. One way to control it is to export all the old keys to a file, then delete them from your keyring, then re-import the file. Now you'll have all the keys available, but the first one in the keyring will be the one you want. If you have any local (non-exportable) signatures, make sure you pass "--export-options export-local" when exporting them, and "--import-options import-local" when re-importing the file. ------ Ideally, GnuPG would use more sophisticated mechanisms to select the "right" key (e.g. by considering calculated validity and expiration and revocation information). And conceivably, it could return an error if there were multiple matches. These are fixes that are much more likely to be possible with the keybox format used by the 2.1 series, though, so if you want to see that happen, please try to test out GnuPG 2.1. the wider deployment it gets, the better chances we'll have to improve matching in general. --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 949 bytes Desc: OpenPGP digital signature URL: From ml at mareichelt.com Wed Dec 31 19:11:35 2014 From: ml at mareichelt.com (Markus Reichelt) Date: Wed, 31 Dec 2014 19:11:35 +0100 Subject: The praise of GnuPG @31C3 In-Reply-To: <54A41C5B.3050507@josuttis.de> References: <54A41C5B.3050507@josuttis.de> Message-ID: <20141231181135.GC24591@pc21.mareichelt.com> * Nicolai Josuttis wrote: > For those who didn't have time to see it yet, > there was an important talk at 31C3 > about the social and technical status and consequences of > encryption by Jacob Applebaum and Laura Poitras. > As a side effect it covers GnuPG significantly. > > So, please watch it completely at: > http://media.ccc.de/browse/congress/2014/31c3_-_6258_-_en_-_saal_1_-_201412282030_-_reconstructing_narratives_-_jacob_-_laura_poitras.html#video:43:10 I fully agree and thank you for posting this, I was about to myself If one just got 6 mins to spare: https://www.youtube.com/watch?v=0SgGMj3Mf88#t=40m31s ->> https://www.gnupg.org/donate/ !! -- left blank, right bald From s.murthy at mykolab.com Wed Dec 31 22:09:24 2014 From: s.murthy at mykolab.com (Sandeep Murthy) Date: Wed, 31 Dec 2014 21:09:24 +0000 Subject: Key selection In-Reply-To: <54A42A54.2090509@fifthhorseman.net> References: <57C2F421-F088-44A5-8007-F4F6B36235F3@mykolab.com> <549F0B75.1070203@dougbarton.email> <54A42A54.2090509@fifthhorseman.net> Message-ID: <03B194EF-130A-4E0E-9E05-D9AF1183155F@mykolab.com> Hi I didn?t mean to suggest that `gpg` should do any guessing in this situation. Maybe I?m wrong and this is a minor issue, but from a simple request-response model point of view when `gpg ?edit-key` is invoked by a user with an argument which i not a specific key ID but an email which is associated with multiple keys in the keychain then it seems it should certainly not cause `gpg` to point to any revoked or expired key, as is happening now (for me anyway). This is clearly a bug, and surely there?s an easy fix for it - check whether there are any active (non-expired, non-revoked) keys, if so present the list to the user to choose, if not print an appropriate message that would cause the user to either generate a new key for that email, and edit that key, or do a lookup on another source where they have stored keys. This issue is specific to the command line program, not any GUI based program like Keychain (from MacGPG2 suite), because there the user can see the keys and know which one to edit. Sandeep Murthy s.murthy at mykolab.com > On 31 Dec 2014, at 16:54, Daniel Kahn Gillmor wrote: > > On 12/27/2014 02:41 PM, Doug Barton wrote: >> On 12/27/14 9:36 AM, Sandeep Murthy wrote: >> | I have four keypairs associated with my main email, two of which >> | are revoked and one expired. But if I try to edit the main key >> | associated with email by >> | >> | $ gpg --edit-key >> | >> | then it invokes gpg and points to one of the revoked keys rather >> | than the active key. I have to explicitly give the short ID of the >> | active key to edit that key and get its fingerprint. >> | >> | Is there a way to change this, or I am doing something wrong? >> >> No, and no. :) >> >> If you have multiple keys that match a pattern (such as your e-mail >> address) then gpg is going to take its best guess as to which one you >> mean. > > The short version of the story is that its best guess really isn't very > good for any existing version of gnupg. > > Its "best guess" is just based on a linear scan of the keyring, > returning the first certificate with a matching user ID. The linear > scan is based on the date that each key was first added to your keyring. > > While this is a disappointing guess, it's also very predictable (within > one known keyring), and controllable. One way to control it is to > export all the old keys to a file, then delete them from your keyring, > then re-import the file. Now you'll have all the keys available, but > the first one in the keyring will be the one you want. If you have any > local (non-exportable) signatures, make sure you pass "--export-options > export-local" when exporting them, and "--import-options import-local" > when re-importing the file. > > ------ > > Ideally, GnuPG would use more sophisticated mechanisms to select the > "right" key (e.g. by considering calculated validity and expiration and > revocation information). And conceivably, it could return an error if > there were multiple matches. These are fixes that are much more likely > to be possible with the keybox format used by the 2.1 series, though, so > if you want to see that happen, please try to test out GnuPG 2.1. the > wider deployment it gets, the better chances we'll have to improve > matching in general. > > --dkg > -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 873 bytes Desc: Message signed with OpenPGP using GPGMail URL: From 2014-667rhzu3dc-lists-groups at riseup.net Wed Dec 31 22:27:16 2014 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Wed, 31 Dec 2014 21:27:16 +0000 Subject: photo-ID In-Reply-To: <05827616-4C64-4E5D-B80C-0B6B4F0C90CC@sixdemonbag.org> References: <54A3EF49.2050300@nordnet.fr> <05827616-4C64-4E5D-B80C-0B6B4F0C90CC@sixdemonbag.org> Message-ID: <1274982321.20141231212716@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Wednesday 31 December 2014 at 2:31:31 PM, in , Robert J. Hansen wrote: > I personally don?t find photo ID to be a useful > feature. They?re too static. The photo ID on my > certificate, for instance, is almost ten years old. Just as much use as the photo in a passport, then. (-; - -- Best regards MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net Adults are obsolete children. -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJUpGpFXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2 QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwSegH/A+sE8KT/MWAlC7lsCwFYcIr ByYqXx989QD13oS2wV0t0O6oG01oQFSMYuWXQTFqi/w5hZ6Ll+U9jUk634G/eIvv nBbE0LE+1vOqKz2FhQpPpPwJjTd2dnXJgN5pIJAO6+JRoJdjfXZh3t8TlAbWKRsL 0O4wRL+gS/ZD0kQ1oAFrN1lqQaRctJ5LQ9btBynxVNRu48bsdCwUzWt/Zl3PIO3+ muhPGK++7zUnnFNgCxP3Rq3XofPBTBKYyrHuxuJibhbnRQq7832Tb93fBuFs+X7I WUOP0IHGOkZnmHE8mQHowAnKVxP8MMzol6JjxG+7nnFemDmL3QKoXyFdqHHHGKaI vgQBFgoAZgUCVKRqT18UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45MRyAQDoDXqphXWfSpoHhQKxBd6HphjM p/pj6YwLAaf6j7HqtwEAt0FiP/AWhoOTKGmbZN4rDWw5Jc3z1qMK7UnTczbNggg= =YHhC -----END PGP SIGNATURE----- From s.murthy at mykolab.com Wed Dec 31 22:54:37 2014 From: s.murthy at mykolab.com (Sandeep Murthy) Date: Wed, 31 Dec 2014 21:54:37 +0000 Subject: photo-ID In-Reply-To: <05827616-4C64-4E5D-B80C-0B6B4F0C90CC@sixdemonbag.org> References: <54A3EF49.2050300@nordnet.fr> <05827616-4C64-4E5D-B80C-0B6B4F0C90CC@sixdemonbag.org> Message-ID: <2A75FF8F-EE33-4B43-83A7-6E3AAF8C2F4B@mykolab.com> I don?t agree. Why isn?t the photo ID feature not useful? Surely any piece of information that would help another person, with whom you are proposing to communicate, to identify you first, is a good thing. Before they can trust you enough to sign the key (which can?t be very often using the PGP model) they must be able to identify you, and a photo ID helps them to put a name to a face, or at least provides a reference point with which to do other checks, before signing the key, let alone encrypting - someone?s photo ID to do a google image search on it, bringing up other information that could be useful. Maybe I?m wrong but the problem with GPG is that it has too few verification tools, like the photo ID. In my keychain I have 35 public keys for different individuals with whom I may want to communicate via GPG, but I?ve probably only signed a fraction of them, maybe 10, and only a handful of those are people I know personally. I always sign my messages, but if you are unable to trust someone enough to sign they key (or even their signature) then I?m not sure that PGP is very useful or fulfils its purpose. As for the photo ID feature itself surely there are technical fixes for that, including allowing people to upload slightly larger images than would bepossible with the recommended dimensions without increasing the key size. For reference, passport photographs are pretty small, as we are all aware, (I think 35 by 45 mm in the EU), and when we send email a scan of our passport page for some job application or whatever it is not likely to be a good. s.murthy at mykolab.com > On 31 Dec 2014, at 14:31, Robert J. Hansen wrote: > > >> I've been looking for documentation with info on adding a photo id to a gpg key. >> The instructions for adding are available but I can't find any advice for the >> size, format, dpi etc of the image to be used. > > The major problem is there is very little good advice about this, and what there is keeps changing. For a long time the PGP Desktop product used 120x144 as a picture size. Back when a high-resolution display was 800x600 it made a lot of sense; now, when my laptop has a 2880x1800 display, a 120x144 image is literally smaller than a postage stamp. > > GnuPG adopted the photo-ID feature a few years later and technology had already progressed to the point where the GnuPG advice was 240x288. That advice hasn?t changed in over ten years; it?s probably out of date by now. > > With respect to what format should be used, the de-facto standard seems to be JPEG. > > I personally don?t find photo ID to be a useful feature. They?re too static. The photo ID on my certificate, for instance, is almost ten years old. If you need photo ID, a better route would appear to be something like keybase.io, which offers some neat tools for binding a certificate to photographs, social media accounts, and whatnot. > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 873 bytes Desc: Message signed with OpenPGP using GPGMail URL: From philip.jackson at nordnet.fr Wed Dec 31 22:57:44 2014 From: philip.jackson at nordnet.fr (Philip Jackson) Date: Wed, 31 Dec 2014 22:57:44 +0100 Subject: photo-ID In-Reply-To: References: <54A3EF49.2050300@nordnet.fr> Message-ID: <54A47158.2050407@nordnet.fr> On 31/12/14 14:27, Sandeep Murthy wrote: > https://www.gnupg.org/documentation/manuals/gnupg/OpenPGP-Key-Management.html#OpenPGP-Key-Management. > > The command is the `addphoto` subcommand of `?edit-key` - one adds a photo by executing > > `$ gpg ?edit-key addphoto` > > which prints out the following message (after the key information and associated emails): > > ``` > Pick an image to use for your photo ID. The image must be a JPEG file. > Remember that the image is stored within your public key. If you use a > very large picture, your key will become very large as well! > Keeping the image close to 240x288 is a good size to use. Thanks, Sandeep. I had found that page but didn't realise that I'd actually have to implement the command to get the additional info on a suggested size. That is not actually very clever - it hardly permits you to prepare an image before installing it to the key. Philip -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 557 bytes Desc: OpenPGP digital signature URL: From philip.jackson at nordnet.fr Wed Dec 31 23:21:12 2014 From: philip.jackson at nordnet.fr (Philip Jackson) Date: Wed, 31 Dec 2014 23:21:12 +0100 Subject: photo-ID In-Reply-To: <05827616-4C64-4E5D-B80C-0B6B4F0C90CC@sixdemonbag.org> References: <54A3EF49.2050300@nordnet.fr> <05827616-4C64-4E5D-B80C-0B6B4F0C90CC@sixdemonbag.org> Message-ID: <54A476D8.3060201@nordnet.fr> On 31/12/14 15:31, Robert J. Hansen wrote: > >> I've been looking for documentation with info on adding a photo id to a gpg key. >> The instructions for adding are available but I can't find any advice for the >> size, format, dpi etc of the image to be used. > > The major problem is there is very little good advice about this, and what there is keeps changing. For a long time the PGP Desktop product used 120x144 as a picture size. Back when a high-resolution display was 800x600 it made a lot of sense; now, when my laptop has a 2880x1800 display, a 120x144 image is literally smaller than a postage stamp. > > GnuPG adopted the photo-ID feature a few years later and technology had already progressed to the point where the GnuPG advice was 240x288. That advice hasn?t changed in over ten years; it?s probably out of date by now. > > With respect to what format should be used, the de-facto standard seems to be JPEG. > > I personally don?t find photo ID to be a useful feature. They?re too static. The photo ID on my certificate, for instance, is almost ten years old. If you need photo ID, a better route would appear to be something like keybase.io, which offers some neat tools for binding a certificate to photographs, social media accounts, and whatnot. > I take your point, Robert, regarding size. I've just tried a 240x288 image at 72 dpi and it is really small on my screen but it only weighs 29kB. I'll have a look at your suggestion, keybase.io. Philip -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 557 bytes Desc: OpenPGP digital signature URL: From dominyktiller at gmail.com Wed Dec 31 20:36:28 2014 From: dominyktiller at gmail.com (Dominyk Tiller) Date: Wed, 31 Dec 2014 19:36:28 +0000 Subject: Fwd: Re: [Announce] GnuPG 2.1.1 released In-Reply-To: <549336EC.7070209@gmail.com> References: <549336EC.7070209@gmail.com> Message-ID: <54A4503C.9090804@gmail.com> Hi Werner, Apologies, I'm an idiot. The option is still there. ------------------------------------------------------------------------ Optional Features: --disable-option-checking ignore unrecognized --enable/--with options --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) --enable-FEATURE[=ARG] include FEATURE [ARG=yes] --disable-dependency-tracking speeds up one-time build --enable-dependency-tracking do not reject slow dependency extractors --disable-gpg do not build the gpg program --disable-gpgsm do not build the gpgsm program --disable-agent do not build the agent program --disable-scdaemon do not build the scdaemon program --disable-g13 do not build the g13 program --disable-dirmngr do not build the dirmngr program --disable-tools do not build the tools program --disable-doc do not build the doc program --enable-symcryptrun build the symcryptrun program --disable-gpgtar do not build the gpgtar program --enable-gpg2-is-gpg Set installed name of gpg2 to gpg ------------------------------------------------------------------------ Apologies for the false positive before. Cheers, and Happy New Year, Dom Sent from OS X. If you wish to communicate more securely my PGP Public Key is 0x872524db9d74326c. -------- Forwarded Message -------- Subject: Re: [Announce] GnuPG 2.1.1 released Date: Thu, 18 Dec 2014 20:19:56 +0000 From: Dominyk Tiller To: gnupg-users at gnupg.org CC: wk at gnupg.org Apologies, that option is indeed gone. I was trying to pass it anyhow, in order to use an external (but up-to-date) gpg-agent as my agent, because that's how I was configuring the 2.0.x branch, "--disable-agent --with-agent-pgm=/usr/local/opt/gpg-agent/bin/gpg-agent". When I went to build this new release of the 2.1.x branch I just automatically passed those configure options, and when the configure script didn't flag the option as unrecognised I wondered if it was a bug that it was erroring out. I should have probably double-checked to see if I was just being stupid ;). Cheers for the reply, Dom Sent from OS X. If you wish to communicate more securely my PGP Public Key is 0x872524db9d74326c. On 18/12/2014 08:35, Werner Koch wrote: > On Wed, 17 Dec 2014 13:54, dominyktiller at gmail.com said: > >> I'm still hitting a new one though. If you attempt to compile using an >> external gpg-agent, rather than one with the package, you hit this: > > You mean an option --disable-agent? Do we still have this option - it > needs to be removed. gpg-agent is not optional. > > > > Salam-Shalom, > > Werner > -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 801 bytes Desc: OpenPGP digital signature URL: