Gnupg-users Digest, Vol 136, Issue 23
georgeorwellhardwired at riseup.net
georgeorwellhardwired at riseup.net
Thu Jan 15 09:11:33 CET 2015
Subject: cannot build database in GPA in ubuntu and won't generate GPG
key.
Hey.
Every time I use GPA in ubuntu it says, when I start GPA: "GnuPG is
rebuilding the trust database.
This might take a few seconds." And I can wait for hours, while nothing
happens.
And If I try to close the window and try to generate a GPG key, it will
say: "The GPGME library returned an unexpected error. The error
was:"General error." This is probably a bug in GPA. GPA will now try to
recover from this error.
Is there anyone that seen these errors before?
On 2015-01-14 21:51, gnupg-users-request at gnupg.org wrote:
> Send Gnupg-users mailing list submissions to
> gnupg-users at gnupg.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
> or, via email, send a message with subject or body 'help' to
> gnupg-users-request at gnupg.org
>
> You can reach the person managing the list at
> gnupg-users-owner at gnupg.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Gnupg-users digest..."
>
>
> Today's Topics:
>
> 1. Re: Are there cases where gpg --verify will exit 0, even if
> verification failed? (Sandeep Murthy)
> 2. Re: Are there cases where gpg --verify will exit 0, even if
> verification failed? (Daniel Kahn Gillmor)
> 3. Re: Are there cases where gpg --verify will exit 0, even if
> verification failed? (Kristian Fiskerstrand)
> 4. Re: Are there cases where gpg --verify will exit 0, even if
> verification failed? (Sandeep Murthy)
> 5. Re: Are there cases where gpg --verify will exit 0, even if
> verification failed? (Werner Koch)
> 6. Re: Are there cases where gpg --verify will exit 0, even if
> verification failed? (Patrick Schleizer)
> 7. Is there a shell script or bash library for parsing gpg's
> --status-fd output? (Patrick Schleizer)
> 8. Re: Vanity Keys (Johan Wevers)
> 9. Re: Are there cases where gpg --verify will exit 0, even if
> verification failed? (Werner Koch)
> 10. Specifying passphrase for batch key generation (Joey Castillo)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 14 Jan 2015 13:22:45 +0000
> From: Sandeep Murthy <s.murthy at mykolab.com>
> To: gnupg-users at gnupg.org
> Subject: Re: Are there cases where gpg --verify will exit 0, even if
> verification failed?
> Message-ID: <3B2D48C6-89BD-452E-B7C5-FED144E13925 at mykolab.com>
> Content-Type: text/plain; charset="utf-8"
>
>>> Are there cases where gpg --verify will exit 0, even if verification
>>> failed?
>
> Verification could fail internally within the gpg program, or
> externally because
> the signature fie does not exist or is incorrectly named or maybe
> corrupt
> e.g.
>
> [srm@~]$ gpg --verify asig.sig; echo $?
> gpg: can't open `asig.sig': No such file or directory
> gpg: verify signatures failed: No such file or directory
> 2
>
> Exit codes in shells indicate problems relating to completion or
> disruption
> of the child process invoked by a parent process.
>
> They will not record unsuccessful events inside the child process
> related to program functions, i.e. if you inside gpg editing a key
> and enter an incorrect subcommand or use it incorrectly then this will
> not affect the exit code, I don?t think.
>
> Sandeep Murthy
> s.murthy at mykolab.com
>
>> On 14 Jan 2015, at 07:51, Dave Pawson <dave.pawson at gmail.com> wrote:
>>
>> In Unix terms, a program that has run successfully to completion
>> exits with status zero, no 'extra' semantic attached?
>>
>> Dave
>>
>> On 13 January 2015 at 19:03, Patrick Schleizer
>> <patrick-mailinglists at whonix.org> wrote:
>>> In another thread...
>>>
>>> Werner Koch
>>>> On Mon, 12 Jan 2015 19:52, patrick-
>>>>> When it exits 0, then this approach is sound, sane and fine?
>>>> You better check the status lines; in particular watch out for
>>>>
>>>> [GNUPG:] VALIDSIG E4B868C8F90C.....
>>>>
>>>> or use gpgv.
>>>
>>> Are there cases where gpg --verify will exit 0, even if verification
>>> failed?
>>>
>>> (Suppose one uses a separate --homedir where only legitimate signing
>>> keys are imported.)
>>>
>>>
>>> _______________________________________________
>>> Gnupg-users mailing list
>>> Gnupg-users at gnupg.org
>>> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>>
>>
>>
>> --
>> Dave Pawson
>> XSLT XSL-FO FAQ.
>> Docbook FAQ.
>> http://www.dpawson.co.uk
>>
>> _______________________________________________
>> Gnupg-users mailing list
>> Gnupg-users at gnupg.org
>> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: signature.asc
> Type: application/pgp-signature
> Size: 873 bytes
> Desc: Message signed with OpenPGP using GPGMail
> URL: </pipermail/attachments/20150114/1b6b111e/attachment-0001.sig>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 14 Jan 2015 08:40:23 -0500
> From: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
> To: Sandeep Murthy <s.murthy at mykolab.com>, gnupg-users at gnupg.org
> Subject: Re: Are there cases where gpg --verify will exit 0, even if
> verification failed?
> Message-ID: <878uh55vlk.fsf at alice.fifthhorseman.net>
> Content-Type: text/plain; charset=utf-8
>
> On Wed 2015-01-14 08:22:45 -0500, Sandeep Murthy wrote:
>> Exit codes in shells indicate problems relating to completion or
>> disruption
>> of the child process invoked by a parent process.
>>
>> They will not record unsuccessful events inside the child process
>> related to program functions, i.e. if you inside gpg editing a key
>> and enter an incorrect subcommand or use it incorrectly then this will
>> not affect the exit code, I don?t think.
>
> This is not the case. all processes have a return code, whether they
> are invoked by a shell or by other processes. The return code is a
> critical part of the output of a program.
>
> gpg does use the return code to indicate failure of signature
> verification.
>
> consider the results of:
>
> echo test1 > test1.txt
> echo test2 > test2.txt
> gpg --detach-sign --armor test1.txt
> gpg --verify test1.txt.asc test1.txt
> gpg --verify test1.txt.asc test2.txt
>
> the return value of the first --verify should be 0, but the second
> --verify invocation should return 1, indicating that the signature
> cannot be verified over the (different) contents of test2.txt
>
> --dkg
>
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 14 Jan 2015 15:06:53 +0100
> From: Kristian Fiskerstrand
> <kristian.fiskerstrand at sumptuouscapital.com>
> To: Daniel Kahn Gillmor <dkg at fifthhorseman.net>, Sandeep Murthy
> <s.murthy at mykolab.com>, gnupg-users at gnupg.org
> Subject: Re: Are there cases where gpg --verify will exit 0, even if
> verification failed?
> Message-ID: <54B677FD.8090002 at sumptuouscapital.com>
> Content-Type: text/plain; charset=utf-8
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On 01/14/2015 02:40 PM, Daniel Kahn Gillmor wrote:
>> On Wed 2015-01-14 08:22:45 -0500, Sandeep Murthy wrote:
>>> Exit codes in shells indicate problems relating to completion or
>>> disruption of the child process invoked by a parent process.
>>>
>
>
> ..
>
>>
>> the return value of the first --verify should be 0, but the second
>> --verify invocation should return 1, indicating that the signature
>> cannot be verified over the (different) contents of test2.txt
>
> But iirc you will anyways have to check the status-fd for the validity
> of the issuing key.
>
> - --
> - ----------------------------
> Kristian Fiskerstrand
> Blog: http://blog.sumptuouscapital.com
> Twitter: @krifisk
> - ----------------------------
> Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
> fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
> - ----------------------------
> "A government that robs Peter to pay Paul can always depend on the
> support of Paul."
> (George Bernard Shaw)
> -----BEGIN PGP SIGNATURE-----
>
> iQIcBAEBCgAGBQJUtnf3AAoJEPw7F94F4Tag93cP/3sI+nnS0HK68JEeE3dfCO/5
> pFweOpBSeSOeh5gA2e0UuO0Nm7l1hD2syjFNn18L/fMybVfqodYKnIWkh3v9O8oi
> sNNxDJ8emhWPaE0oV9VpPocEcq5MbZwerF5iIB+rm9d+R2CuqMKpIkEYv2abIxWJ
> tJsMlp9bXWC66QbQBDc9D+okn9yKzJgYdfAilprk7kKPmnSgIVIagwdcQyg9iUks
> dX1q6rsGonYzPOwWk2sZdXyAB2TleYSPq8ySaShtSt4dZ/DFK38l4hYOcOX/OrG1
> bROwTg3fnjISvFHYAJPx1CCrsdN/fIOPATrCITPQLV0IdTUIhrbi6bgTjDvfr8eQ
> NSuggpdjvif1EtDnCQYv6gSoI2egbFFs92bqzLsfm/gVtJJi25d4JRammHNOzjWt
> 0SBxFBAI64cAuReDkLcqnhSu0dccQRQYUjF88a4dP9ldE6eK4HNo8h6vQxbVJ6Y+
> xPQxBCMwHUoLLKWQt+PLBQXqqZFnFOdPRF6Ns+OHsIC3Go/oH7ynY+yKSQHziTRc
> 6TnLMfg4by2bh1RIsBF1nb1wkXcyV9tZXrriaM4H6wwPoR6IDnZnHU2dTcUn8LLT
> c4FBn743TT0OZbVnMhd7e3PdUe6EVE0ZTKXilKqRk36+yEdBcrRj+ihwS9Vy/gt3
> /u59aDPZpS8gTPWFSzjN
> =KsGq
> -----END PGP SIGNATURE-----
>
>
>
> ------------------------------
>
> Message: 4
> Date: Wed, 14 Jan 2015 15:31:43 +0000
> From: Sandeep Murthy <s.murthy at mykolab.com>
> To: gnupg-users at gnupg.org
> Subject: Re: Are there cases where gpg --verify will exit 0, even if
> verification failed?
> Message-ID: <D214C3E8-F22E-416B-9C86-50AAB7BE74C5 at mykolab.com>
> Content-Type: text/plain; charset=utf-8
>
> I know that all processes have an exit code, what I meant was
> if you invoke gpg interactively like gpg ?edit-key <key ID /email>
> and then execute a wrong subcommand or specify something incorrectly
> then the gpg exit code will not reflect this unless the subcommand
> launches another process.
>
> Sandeep Murthy
> s.murthy at mykolab.com
>
>> On 14 Jan 2015, at 13:40, Daniel Kahn Gillmor <dkg at fifthhorseman.net>
>> wrote:
>>
>> On Wed 2015-01-14 08:22:45 -0500, Sandeep Murthy wrote:
>>> Exit codes in shells indicate problems relating to completion or
>>> disruption
>>> of the child process invoked by a parent process.
>>>
>>> They will not record unsuccessful events inside the child process
>>> related to program functions, i.e. if you inside gpg editing a key
>>> and enter an incorrect subcommand or use it incorrectly then this
>>> will
>>> not affect the exit code, I don?t think.
>>
>> This is not the case. all processes have a return code, whether they
>> are invoked by a shell or by other processes. The return code is a
>> critical part of the output of a program.
>>
>> gpg does use the return code to indicate failure of signature
>> verification.
>>
>> consider the results of:
>>
>> echo test1 > test1.txt
>> echo test2 > test2.txt
>> gpg --detach-sign --armor test1.txt
>> gpg --verify test1.txt.asc test1.txt
>> gpg --verify test1.txt.asc test2.txt
>>
>> the return value of the first --verify should be 0, but the second
>> --verify invocation should return 1, indicating that the signature
>> cannot be verified over the (different) contents of test2.txt
>>
>> --dkg
>
>
>
>
> ------------------------------
>
> Message: 5
> Date: Wed, 14 Jan 2015 17:18:19 +0100
> From: Werner Koch <wk at gnupg.org>
> To: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
> Cc: gnupg-users at gnupg.org
> Subject: Re: Are there cases where gpg --verify will exit 0, even if
> verification failed?
> Message-ID: <87wq4p2v5g.fsf at vigenere.g10code.de>
> Content-Type: text/plain; charset=us-ascii
>
> On Wed, 14 Jan 2015 14:40, dkg at fifthhorseman.net said:
>
>> gpg does use the return code to indicate failure of signature
>> verification.
>
> But recall that success does not mean that the signature is good.
> Check the status output or use gpgv.
>
> Shalom-Salam,
>
> Werner
>
> --
> Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
>
>
>
>
> ------------------------------
>
> Message: 6
> Date: Wed, 14 Jan 2015 16:40:34 +0000
> From: Patrick Schleizer <patrick-mailinglists at whonix.org>
> To: gnupg-users at gnupg.org
> Subject: Re: Are there cases where gpg --verify will exit 0, even if
> verification failed?
> Message-ID: <54B69C02.5050905 at whonix.org>
> Content-Type: text/plain; charset=windows-1252
>
> Werner Koch:
>> On Wed, 14 Jan 2015 14:40, dkg at fifthhorseman.net said:
>>
>>> gpg does use the return code to indicate failure of signature
>>> verification.
>>
>> But recall that success does not mean that the signature is good.
>> Check the status output or use gpgv.
>
> Do you mean, for example, the signature could be valid, but the key
> that
> signed it could be revoked and gpg would still exit 0?
>
> Or can you tell another example please where gpg would exit 0, but
> where
> where the signature is bad?
>
>
>
>
> ------------------------------
>
> Message: 7
> Date: Wed, 14 Jan 2015 16:44:47 +0000
> From: Patrick Schleizer <patrick-mailinglists at whonix.org>
> To: gnupg-users at gnupg.org
> Subject: Is there a shell script or bash library for parsing gpg's
> --status-fd output?
> Message-ID: <54B69CFF.5080506 at whonix.org>
> Content-Type: text/plain; charset=utf-8
>
> Hi!
>
> Is there a shell script or bash library for parsing gpg's --status-fd
> output?
>
> I mean, I could code it myself. But why duplicate effort and risk
> messing up. Maybe there is some existing or even recommended or even
> official library to do this?
>
> (What I mean by parsing is: to get from lines such as "[GNUPG:] GOODSIG
> 416..." to variables such as goodsig=true, fingerprint=416... and so
> forth.)
>
> Cheers,
> Patrick
>
>
>
>
> ------------------------------
>
> Message: 8
> Date: Wed, 14 Jan 2015 19:23:48 +0100
> From: Johan Wevers <johanw at vulcan.xs4all.nl>
> To: gnupg-users at gnupg.org
> Subject: Re: Vanity Keys
> Message-ID: <54B6B434.6050200 at vulcan.xs4all.nl>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On 13-01-2015 21:38, Werner Koch wrote:
>
>> Well, we could also change the code
>> to trial verify with all key ids but that takes longer than needed and
>> may by itself be used as a DoS.
>
> You don't need to test all keyID's - just those with the same key ID.
> Assuming this is a rare occasion and someone's keyring is not flooded
> with keys with the same ID (in that case you are probably under some
> kind of attack and might investigate), you can even detect and store
> this condition somewere when importing the key and checking this
> probably very short list if key ID's that appear multiple times.
>
> I wonder what this would do with the keyserver network. They probably
> need adapting too.
>
> --
> ir. J.C.A. Wevers
> PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
>
>
>
>
> ------------------------------
>
> Message: 9
> Date: Wed, 14 Jan 2015 21:15:54 +0100
> From: Werner Koch <wk at gnupg.org>
> To: Patrick Schleizer <patrick-mailinglists at whonix.org>
> Cc: gnupg-users at gnupg.org
> Subject: Re: Are there cases where gpg --verify will exit 0, even if
> verification failed?
> Message-ID: <87a91l2k5h.fsf at vigenere.g10code.de>
> Content-Type: text/plain; charset=us-ascii
>
> On Wed, 14 Jan 2015 17:40, patrick-mailinglists at whonix.org said:
>
>> Do you mean, for example, the signature could be valid, but the key
>> that
>> signed it could be revoked and gpg would still exit 0?
>
> Sure. It is just to complex to put it into one number. Consider the
> case for multiple signatures - who is going to decide whether the
> signature is valid. This has all been discussed about 15 years ago
> with the result of writing the gpgv binary which is suitable for most
> automated signature verification use cases.
>
>
> Shalom-Salam,
>
> Werner
>
> --
> Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
>
>
>
>
> ------------------------------
>
> Message: 10
> Date: Wed, 14 Jan 2015 15:59:51 -0500
> From: Joey Castillo <jose.castillo at gmail.com>
> To: gnupg-users at gnupg.org
> Subject: Specifying passphrase for batch key generation
> Message-ID:
> <CAAocvpu_1oe9Rpu-kNmpdDskg9VgOi-sY=2YVPhvujUU_MyDag at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> Reading the manual for batch GPG key generation in GnuPG 2.1, I see
> the following note:
>
>> Since GnuPG version 2.1 it is not anymore possible to specify a
>> passphrase for unattended key generation. The passphrase command is
>> simply ignored and ?%ask-passpharse? is thus implicitly enabled.
>
> I'm running into an issue now with a module I was using to generate
> keys in a python script (python-gnupg). Its method was to generate a
> set of parameters, including the passphrase parameter, and pass that
> via stdin to gpg --batch --gen-key.
>
> Now that we cannot specify a passphrase in the batch parameters, what
> is the preferred method for batch key generation with a specified
> passphrase?
>
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
>
> ------------------------------
>
> End of Gnupg-users Digest, Vol 136, Issue 23
> ********************************************
More information about the Gnupg-users
mailing list