Gnupg-users Digest, Vol 135, Issue 42

Sandeep Murthy s.murthy at mykolab.com
Tue Dec 30 00:10:07 CET 2014


Hi

@Brian Minton and @Doug Barton, thanks for the info.  I use
the GPG Suite (https://gpgtools.org/), which has the really
useful GPG Keychain GUI for managing keys.  So I don’t need
to use the command line, but I want to learn how to do so,
hence my question, which was really about the behaviour of
gpg (I am using version 2.0.26).

I think it would be nice to have gpg (on the command line)
show an auto-completion list of the short IDs of all keys
associated with a particular email when the user does

$ gpg --edit-key <email>

simply because although it is easier to remember an email
than a key ID, no matter how short.  Users think in terms
of emails, not key IDs (maybe this would be different for a
regular user of encryption tools).  At the moment what
this does is launches gpg and points it to a revoked key.
This seems wrong, even if the command is ambiguous.
I can always do

$ gpg --edit-key <short key ID>

to edit a specific key, but I’m making a point about having
gpg be neater on the command line.  I don’t know whether
this is an issue for other users, but I thought I would bring
it to the forum’s attention.

I’m still relatively new to GnuPG (and using encryption) but
I think what confuses (or overwhelms) a lot of people about
encryption tools is the amount of work involved in key
management - for example, what is the actual difference in
practice between a revoked key and an expired key?  Do
most people here think that it is OK to delete a revoked key
only after a sufficient passage of time,

Sandeep Murthy
s.murthy at mykolab.com
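As an added example (not from this thread), a POSIX shell helper that reads the machine-readable `gpg --with-colons --list-keys` output, keeps only primary keys whose validity field is not revoked, expired, disabled or invalid, and hands a single usable fingerprint to `--edit-key` instead of letting gpg guess from an ambiguous email pattern. The sample listing is constructed; the field positions assumed (field 2 = validity on `pub` records, field 10 = fingerprint on `fpr` records) follow GnuPG's documented colon format.

```shell
# Constructed sample of `gpg --with-colons --list-keys s.murthy@example.com`:
# one revoked (r), one expired (e) and one ultimately valid (u) primary key.
SAMPLE_LISTING='tru::1:1419000000:0:3:1:5
pub:r:2048:1:AAAAAAAA11111111:1388534400:::u:::scESC:
fpr:::::::::1111111111111111111111111111111111111111:
uid:r::::1388534400::ABC::Sandeep Murthy <s.murthy@example.com>::::::::::0:
pub:e:2048:1:BBBBBBBB22222222:1388534400:1420070400::u:::scESC:
fpr:::::::::2222222222222222222222222222222222222222:
uid:e::::1388534400::DEF::Sandeep Murthy <s.murthy@example.com>::::::::::0:
pub:u:4096:1:CCCCCCCC33333333:1400000000:::u:::scESC:
fpr:::::::::3333333333333333333333333333333333333333:
uid:u::::1400000000::GHI::Sandeep Murthy <s.murthy@example.com>::::::::::0:'

# Print the full fingerprint of every usable primary key in a colon listing.
# Validity r/e/d/i (revoked/expired/disabled/invalid) drops the key; the
# `fpr` record that directly follows a kept `pub` record carries its fingerprint.
usable_fprs() {
  printf '%s\n' "$1" | awk -F: '
    $1 == "pub" { v = $2; keep = (v != "r" && v != "e" && v != "d" && v != "i") }
    $1 == "fpr" && keep { print $10; keep = 0 }
  '
}

# Wrapper (assumed helper, not a gpg option): edit the one usable key matching
# a pattern, and refuse to guess when none or several usable keys match.
edit_active_key() {
  listing=$(gpg --batch --with-colons --list-keys "$1") || return 1
  set -- $(usable_fprs "$listing")
  case $# in
    0) echo "no usable (non-revoked, non-expired) key matches" >&2; return 1 ;;
    1) gpg --edit-key "$1" ;;
    *) printf 'ambiguous, usable keys: %s\n' "$*" >&2; return 2 ;;
  esac
}
```

Running `usable_fprs "$SAMPLE_LISTING"` on the constructed listing prints only the third fingerprint, the same information `gpg --list-keys <email>` shows in human-readable form with its `[revoked]` and `[expired]` markers.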



> On 29 Dec 2014, at 15:28, gnupg-users-request at gnupg.org wrote:
> 
> Message: 1
> Date: Sat, 27 Dec 2014 18:12:57 -0500
> From: Brian Minton <brian at minton.name>
> To: Sandeep Murthy <s.murthy at mykolab.com>
> Cc: GnuPG Users <gnupg-users at gnupg.org>
> Subject: Re: [Gnupg-users]
> Message-ID:
> 	<CANyOob3prM7tB5Kr8rB7jp8Z717WXPMRSV2p0C_CbXjpcOJVmA at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> I would just backup the expired and revoked keys, then delete them.  I
> personally never have used  my revoked keys.  I mean maybe once in a very
> great while, I come across a file encrypted with my old key on my hard
> drive, but that's happened maybe twice in the last ten years.
> On Dec 27, 2014 1:54 PM, "Sandeep Murthy" <s.murthy at mykolab.com> wrote:
> 
> > Hi
> >
> > I have GnuPG/MacGPG2 (v. 2.0.26) on my system (OS X 10.10.1), installed
> > via GPG Tools Suite.
> >
> > I have four keypairs associated with my main email, two of which are
> > revoked and one expired. But if I
> > try to edit the main key associated with email by
> >
> > $ gpg --edit-key <email>
> >
> > then it invokes gpg and points to one of the revoked keys rather than the
> > active key. I have to explicitly
> > give the short ID of the active key to edit that key and get its
> > fingerprint.
> >
> > Is there a way to change this, or I am doing something wrong?
> >
> > Sandeep Murthy
> > s.murthy at mykolab.com
> >
> 
> ------------------------------
> 
> Message: 2
> Date: Sat, 27 Dec 2014 02:22:46 -0300
> From: "Pablo Olmos de Aguilera C." <pablo at odac.co>
> To: gnupg-users at gnupg.org
> Subject: Using a GPG key as ssh key: ssh socket & coments on "rsa"
> 	keys.
> Message-ID:
> 	<1419657766.1420258.207045969.3ABB8A69 at webmail.messagingengine.com>
> Content-Type: text/plain
> 
> I've read about using a GPG key as an SSH key, but somehow I can't
> implement it correctly. I have been following the steps outlined in this
> post from 2012[1].
> 
> Here's the steps I have been following:
> 
> 1. Create a new subkey with authentication capabilities:
> 
> sub  rsa4096/989A8388
>      created: 2014-12-19  expires: 2015-12-19  usage: A
> 
> 2. Find keygrip:
> 
> $ gpg --with-keygrip -k pablo
> sub   rsa4096/989A8388 2014-12-19 [expires: 2015-12-19]
>       Keygrip = 5541F31ADF830A61126C8F0167A506F9ABF2D324
> 
> 3. Add the keygrip to sshcontrol
> 
> echo '5541F31ADF830A61126C8F0167A506F9ABF2D324 0' >> .config/gnupg/sshcontrol
> 
> This works okay, though sometimes the SSH_AUTH_SOCK is lost. As a
> workaround I'm exporting the default location:
> 
> export SSH_AUTH_SOCK=/home/pablo/.config/gnupg/S.gpg-agent.ssh
> 
> But I guess something is happening.
> 
> Also, when listing keys, with ssh-add -l:
> 
> 4096 11:22:33:44:55:66:77:88:99..... (none) (RSA)
> 
> The keys (obviously?) don't have any comment, which makes them a bit hard
> to manage (when I copy them with ssh-add -L to the desired host, I write
> a comment in the `.ssh/authorized_keys` file), but I imagine there
> should be a more straightforward way.
> 
> [1]: http://lists.gnupg.org/pipermail/gnupg-users/2012-July/045059.html
> 
> PS.- Please cc me, since I'm not subscribed to the list.
> 
> Regards
> --
> Pablo Olmos de Aguilera C.
> 
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Mon, 29 Dec 2014 00:11:07 +0000
> From: MFPA <2014-667rhzu3dc-lists-groups at riseup.net>
> To: "Sandeep Murthy on GnuPG-Users" <gnupg-users at gnupg.org>
> Subject: Re: [Gnupg-users]
> Message-ID: <229257575.20141229001107 at my_localhost>
> Content-Type: text/plain; charset=utf-8
> 
> 
> On Saturday 27 December 2014 at 5:36:25 PM, in
> <mid:57C2F421-F088-44A5-8007-F4F6B36235F3 at mykolab.com>, Sandeep Murthy
> wrote:
> 
> 
> > I have four keypairs associated with my main email, two
> > of which are revoked and one expired. But if I try to
> > edit the main key associated with email by
> 
> > $ gpg --edit-key <email>
> 
> > then it invokes gpg and points to one of the revoked
> > keys rather than the active key. I have to explicitly
> > give the short ID of the active key to edit that key
> > and get its fingerprint.
> 
> To just view the fingerprints, you could try:
> 
> gpg --list-keys <email>
> 
> The listing should indicate which keys are revoked or expired.
> 
> 
> 
> --
> Best regards
> 
> MFPA                    mailto:2014-667rhzu3dc-lists-groups at riseup.net
> 
> A closed door is an invitation to knock
> 
> 
> 
> 
> 
> ------------------------------
> 
> Message: 4
> Date: Mon, 29 Dec 2014 01:14:46 +0000
> From: MFPA <2014-667rhzu3dc-lists-groups at riseup.net>
> To: "Doug Barton on GnuPG-Users" <gnupg-users at gnupg.org>
> Subject: Re: Key selection
> Message-ID: <1314470459.20141229011446 at my_localhost>
> Content-Type: text/plain; charset=utf-8
> 
> 
> On Saturday 27 December 2014 at 7:41:41 PM, in
> <mid:549F0B75.1070203 at dougbarton.email>, Doug Barton wrote:
> 
> 
> 
> > If you have multiple keys that match a pattern (such as
> > your e-mail address) then gpg is going to take its best
> > guess as to which one you mean.
> 
> 
> If several signing keys match the "From" email address, my email
> client manages to get GnuPG to return a list so that I can choose
> which key to use for signing. Conversely, if I sign a file from the
> commandline using the --local-user option with a string that matches
> several signing keys, I am not presented with this choice.
> 
> If several encryption keys match the "To" address of an email, there
> is no such choice of keys offered by my MUA and GnuPG picks one to use
> for encryption. GnuPG also picks the key itself when I encrypt from
> the commandline and use a non-unique pattern.
> 
> 
> 
> --
> Best regards
> 
> MFPA                    mailto:2014-667rhzu3dc-lists-groups at riseup.net
> 
> Wise men learn many things from their enemies.
> 
> 
> 
> 
> 
> ------------------------------
> 
> Message: 5
> Date: Mon, 29 Dec 2014 14:57:18 +0000
> From: "Haritwal, Dhiraj" <Dhiraj.Haritwal at ap.sony.com>
> To: Pete Stephenson <pete at heypete.com>
> Cc: "gnupg-users at gnupg.org" <gnupg-users at gnupg.org>
> Subject: RE: Unable to encrypt file with private/public key
> Message-ID:
> 	<BB9B5A6872D97741BFA9070540661288018D5939 at APSINXMS07.ap.sony.com>
> Content-Type: text/plain; charset="utf-8"
> 
> Almost done now. After I signed the partner's public key, that warning has gone.
> 
> I am using the below command to encrypt a file with my private key & the partner's public key, & the partner is using my private key & their public key to decrypt it, but it's failing. Am I doing anything wrong here?
> 
> ./gpg --local-user 'MY USER' --recipient partner_pubkey --encrypt --armor /tmp/test/data1.CSV
> 
> Tried to use --sign, which is asking for a passphrase, which I don't want to use. Can we sign without a passphrase & only with the public/private key?
> 
> 
> Dhiraj
> 
> 
> From: Pete Stephenson [mailto:pete at heypete.com]
> Sent: 23 December 2014 11:24
> To: Haritwal, Dhiraj
> Cc: gnupg-users at gnupg.org
> Subject: RE: Unable to encrypt file with private/public key
> 
> 
> On Dec 22, 2014 7:30 AM, "Haritwal, Dhiraj" <Dhiraj.Haritwal at ap.sony.com> wrote:
> >
> > Thank you very much for all the explanation/links. Now things are a bit clearer.
> > Now I have to encrypt a file with the partner's Public Key. I tried with the below command, which is still showing a warning message (gpg: 89709B71: There is no assurance this key belongs to the named user), whereas if I check partner_pubkey, it's showing full trust. How can I remove this message? I have even added the partner's public key as trusted.
> >
> > ./gpg --encrypt --recipient partner_pubkey --armor /tmp/test/data.CSV
> 
> I'm glad things are working better.
> 
> To resolve the issue with the assurance message, manually verify that the key belongs to the recipient (e.g. meet in person or call them and verify the fingerprint of their key) and then sign the key using GnuPG. (gpg --sign-key 0xKEYID)
> 
> In GnuPG you vouch that a particular public key belongs to a person (or organization) by signing their public key. This signature can be local or published publicly.
> 
> "Trust" in GnuPG is different, and reflects how much you trust the other key to correctly vouch for the identity of others. If you set their key as fully trusted, keys that are signed by that key are treated by your copy of GnuPG with the same level of assurance as if you signed them yourself. Typically this should only be reserved for people you know to always check the identity of other people thoroughly and correctly before signing their keys. The default is for trust to be set to "marginal".
> 
> By combining signatures and trust, one forms a "web of trust": https://en.wikipedia.org/wiki/Web_of_trust
> 
> Cheers!
> -Pete
> 
> 

