From: free10pro at gmail.com (Paul R. Ramer)
Date: Thu, 31 Mar 2016 19:34:12 -0700
Subject: [Announce] GnuPG 2.0.29 released
In-Reply-To: <871t6qj3yv.fsf@wheatstone.g10code.de>
References: <871t6qj3yv.fsf@wheatstone.g10code.de>
Message-ID: <56FDDE24.1030406@gmail.com>

On 03/31/2016 04:12 AM, Werner Koch wrote:
> Hello!
>
> We are pleased to announce the availability of a new stable GnuPG-2.0
> release: Version 2.0.30. This is a maintenance release which fixes a
> couple of bugs.

The subject line is about v2.0.29 instead of v2.0.30. Just FYI.

-Paul

From: mick.crane at gmail.com (mick crane)
Date: Fri, 01 Apr 2016 03:05:18 +0100
Subject: where is gnupg configure file
Message-ID: <9c00c947d0e3490186187126f3defd3f@rapunzel.local>

hello,
I made a key pair a couple of years ago but I never used them.
Now I try to make new Debian email server ( just for me ) all nice and tidy.
there is enigma plugin for roundmail.
I imported my private and public keys and they seem to be in the keyring as
"gnupg -K --list-secret-keys" lists the secret keys but
~/.gnupg/private-keys-v1.d directory is empty.
Using enigma it doesn't seem able to find the keys.
First what I would like to do is find a configure file for gnupg?
cheers
mick

--
key ID: 0x4BFEBB31

From: dashohoxha at gmail.com (Dashamir Hoxha)
Date: Fri, 1 Apr 2016 05:35:16 +0200
Subject: where is gnupg configure file
In-Reply-To: <9c00c947d0e3490186187126f3defd3f@rapunzel.local>
References: <9c00c947d0e3490186187126f3defd3f@rapunzel.local>
Message-ID:

On Fri, Apr 1, 2016 at 4:05 AM, mick crane wrote:
>
> First what I would like to do is find a configure file for gnupg?
>

Did you check ~/.gnupg/gpg.conf ?
If it does not exist just create it.
From: mick.crane at gmail.com (mick crane)
Date: Fri, 01 Apr 2016 04:52:21 +0100
Subject: where is gnupg configure file
In-Reply-To:
References: <9c00c947d0e3490186187126f3defd3f@rapunzel.local>
Message-ID: <1f1bafdc77673ad7a6462b08cf4085a8@rapunzel.local>

On 2016-04-01 04:35, Dashamir Hoxha wrote:
> On Fri, Apr 1, 2016 at 4:05 AM, mick crane wrote:
>
>> First what I would like to do is find a configure file for gnupg?
>
> Did you check ~/.gnupg/gpg.conf ?
> If it does not exist just create it.

Ah OK, so there is no other config file somewhere with pristine install
(Debian).
Is there any point me exporting private keys and putting them in
private-keys-v1.d directory?

--
key ID: 0x4BFEBB31

From: viktordick86 at gmail.com (Viktor Dick)
Date: Fri, 1 Apr 2016 07:49:59 +0200
Subject: where is gnupg configure file
In-Reply-To: <1f1bafdc77673ad7a6462b08cf4085a8@rapunzel.local>
References: <9c00c947d0e3490186187126f3defd3f@rapunzel.local> <1f1bafdc77673ad7a6462b08cf4085a8@rapunzel.local>
Message-ID: <56FE0C07.7010609@gmail.com>

Are you sure that you are using gpg2? private-keys-v1.d only contains
private keys for gpg2. gpg1 stores them in ~/.gnupg/secring.gpg or
something like that. If enigmail uses gpg2 and you created your key with
gpg1, they will not see the same keys. '--version' is your friend.

IIRC, using the key with gpg2 will import it from gpg1. There was a nice
online FAQ entry or something alike where the process is described, but
I can't find it at the moment.

Regards,
Viktor
From: mick.crane at gmail.com (mick crane)
Date: Fri, 01 Apr 2016 09:21:22 +0100
Subject: where is gnupg configure file
In-Reply-To: <56FE0C07.7010609@gmail.com>
References: <9c00c947d0e3490186187126f3defd3f@rapunzel.local> <1f1bafdc77673ad7a6462b08cf4085a8@rapunzel.local> <56FE0C07.7010609@gmail.com>
Message-ID: <5f16c728c9c4962217428c13d2d62ec5@rapunzel.local>

On 2016-04-01 06:49, Viktor Dick wrote:
> Are you sure that you are using gpg2? private-keys-v1.d only contains
> private keys for gpg2. gpg1 stores them in ~/.gnupg/secring.gpg or
> something like that. If enigmail uses gpg2 and you created your key
> with
> gpg1, they will not see the same keys. '--version' is your friend.
>
> IIRC, using the key with gpg2 will import it from gpg1. There was a
> nice
> online FAQ entry or something alike where the process is described, but
> I can't find it at the moment.
>
> Regards,
> Viktor

version is 1.4.18
from what I read I don't think I can use gpg2 because
Debian GNU/Linux 8 (jessie) apt uses gpg1 at present.
I'm certain private-keys-v1.d was there before I attempted to use
enigma/roundcube.
there is this but I do not know if that is everything required for gpg2

mick at rapunzel:~$ locate gpg2
/usr/bin/gpg2
/usr/lib/gnupg2/gpg2keys_curl
/usr/lib/gnupg2/gpg2keys_finger
/usr/lib/gnupg2/gpg2keys_hkp
/usr/lib/gnupg2/gpg2keys_ldap
/usr/share/bash-completion/completions/gpg2
/usr/share/man/man1/gpg2.1.gz

I have asked on roundcube list.

--
key ID: 0x4BFEBB31
From: wk at gnupg.org (Werner Koch)
Date: Fri, 01 Apr 2016 10:33:53 +0200
Subject: [Announce] GnuPG 2.0.29 released
In-Reply-To: <56FDDE24.1030406@gmail.com> (Paul R. Ramer's message of "Thu, 31 Mar 2016 19:34:12 -0700")
References: <871t6qj3yv.fsf@wheatstone.g10code.de> <56FDDE24.1030406@gmail.com>
Message-ID: <87wpohg232.fsf@wheatstone.g10code.de>

On Fri, 1 Apr 2016 04:34, free10pro at gmail.com said:

> The subject line is about v2.0.29 instead of v2.0.30. Just FYI.

Yeah, I know. Sorry.

Shalom-Salam,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From: wk at gnupg.org (Werner Koch)
Date: Fri, 01 Apr 2016 10:35:59 +0200
Subject: where is gnupg configure file
In-Reply-To: <56FE0C07.7010609@gmail.com> (Viktor Dick's message of "Fri, 1 Apr 2016 07:49:59 +0200")
References: <9c00c947d0e3490186187126f3defd3f@rapunzel.local> <1f1bafdc77673ad7a6462b08cf4085a8@rapunzel.local> <56FE0C07.7010609@gmail.com>
Message-ID: <87shz5g1zk.fsf@wheatstone.g10code.de>

On Fri, 1 Apr 2016 07:49, viktordick86 at gmail.com said:

> Are you sure that you are using gpg2? private-keys-v1.d only contains
> private keys for gpg2. gpg1 stores them in ~/.gnupg/secring.gpg or

Actually only GnuPG 2.1 ("modern") uses private-keys-v1.d/ for OpenPGP.
2.0 uses that directory only for S/MIME keys (with the gpgsm tool).

Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
From: peter at digitalbrains.com (Peter Lebbing)
Date: Fri, 1 Apr 2016 12:45:29 +0200
Subject: What am I missing? (Again)
In-Reply-To: <56FD63DC.8000909@digitalbrains.com>
References: <56FC8032.1040403@mail.ru> <56FCD794.1070505@vulcan.xs4all.nl> <56FD63DC.8000909@digitalbrains.com>
Message-ID: <56FE5149.8020306@digitalbrains.com>

On 31/03/16 19:52, Peter Lebbing wrote:
> (offline attack). 10 bits of entropy, seriously.... (PIN consisting of 4 decimal
> numbers taken as example, I don't know what Apple uses)

10^3 != 10^4. 10^4 is approximately 2^13, so 13 bits of entropy.

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at
From: free10pro at gmail.com (Paul R. Ramer)
Date: Fri, 1 Apr 2016 09:52:26 -0700
Subject: where is gnupg configure file
In-Reply-To: <5f16c728c9c4962217428c13d2d62ec5@rapunzel.local>
References: <9c00c947d0e3490186187126f3defd3f@rapunzel.local> <1f1bafdc77673ad7a6462b08cf4085a8@rapunzel.local> <56FE0C07.7010609@gmail.com> <5f16c728c9c4962217428c13d2d62ec5@rapunzel.local>
Message-ID: <56FEA74A.7030608@gmail.com>

On 04/01/2016 01:21 AM, mick crane wrote:
> from what I read I don't think I can use gpg2 because
> Debian GNU/Linux 8 (jessie) apt uses gpg1 at present.
> I'm certain private-keys-v1.d was there before I attempted to use
> enigma/roundcube.

Debian has a package for GnuPG 2, which is gnupg2. If it is not installed
you can install it.

> there is this but I do not know if that is everything required for gpg2
>
> mick at rapunzel:~$ locate gpg2
> /usr/bin/gpg2
> /usr/lib/gnupg2/gpg2keys_curl
> /usr/lib/gnupg2/gpg2keys_finger
> /usr/lib/gnupg2/gpg2keys_hkp
> /usr/lib/gnupg2/gpg2keys_ldap
> /usr/share/bash-completion/completions/gpg2
> /usr/share/man/man1/gpg2.1.gz

This should mean that you have the gnupg2 package installed, which is all
you need to run gpg2. You can confirm that the gnupg2 package is installed
by running the following:

dpkg-query --list gnupg2

Cheers,

-Paul
From: peter at digitalbrains.com (Peter Lebbing)
Date: Fri, 1 Apr 2016 19:21:53 +0200
Subject: where is gnupg configure file
In-Reply-To: <5f16c728c9c4962217428c13d2d62ec5@rapunzel.local>
References: <9c00c947d0e3490186187126f3defd3f@rapunzel.local> <1f1bafdc77673ad7a6462b08cf4085a8@rapunzel.local> <56FE0C07.7010609@gmail.com> <5f16c728c9c4962217428c13d2d62ec5@rapunzel.local>
Message-ID: <56FEAE31.5040608@digitalbrains.com>

On 01/04/16 10:21, mick crane wrote:
> from what I read I don't think I can use gpg2 because
> Debian GNU/Linux 8 (jessie) apt uses gpg1 at present.

GnuPG 1.4 and GnuPG 2.x are co-installable, they can function
side-by-side. If you take the Jessie GnuPG 2.0 package, you get 2.0,
which will use the same key storage as 1.4.

GnuPG 1.4.12 (with backported fixes from later releases) is in package
gnupg, and the binary is called gpg. GnuPG 2.0.26 with backports is in
package gnupg2, and the binary is called gpg2. You appear to have both
installed.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at
From: eva.milou at gmail.com (Eva Bouwman (renee))
Date: Fri, 01 Apr 2016 17:03:41 +0200
Subject: Translate to dutch
Message-ID: <11229761.4pRxggyFSz@renee-hpmk>

hi,

No idea how to reach the one able to answer my question, it is not my
intention to post to the mailing list, but I have no idea how to get in
contact otherwise.
I recently started using KDE-mint and right now I am reading about
implementing safety to my system.

I think it is important to share your knowledge with "average-pc-users" in
what you are doing and why. That's why I thought while I am reading your
documents I can start to translate them into Dutch, is this something you
would like to receive?

I got inspired with my parents in mind, reading and understanding English
is a big issue for them and I would like to start documenting an easy to
understand start-up document, which explains why and how it's working with a
how to implement. Is there any preference from your point of view in where
to start, what document you would like to be translated?

Please let me know, I am not able to support you financially but this is
something I can do, to share the importance of your knowledge and
application to the Dutch understanding online.

Kind regards,
Eva Bouwman
From: dashohoxha at gmail.com (Dashamir Hoxha)
Date: Fri, 1 Apr 2016 23:57:07 +0200
Subject: Translate to dutch
In-Reply-To: <11229761.4pRxggyFSz@renee-hpmk>
References: <11229761.4pRxggyFSz@renee-hpmk>
Message-ID:

Hi Eva,

Would you consider using this easy tool: https://github.com/dashohoxha/egpg ?
I am not sure how easy it is, but the intention is for beginners.
I would love some feedback from some Dutch parent average-pc-users
(if you can write a suitable doc for them).

This is not a direct answer to your question, sorry for that.

Regards,
Dashamir

On Fri, Apr 1, 2016 at 5:03 PM, Eva Bouwman (renee) wrote:
> hi,
>
> No idea how to reach the one able to answer my question, it is not my
> intention to post to the mailing list, but I have no idea how to get in
> contact otherwise.
> I recently started using KDE-mint and right now I am reading about
> implementing safety to my system.
>
> I think it is important to share your knowledge with "average-pc-users" in
> what you are doing and why. That's why I thought while I am reading your
> documents I can start to translate them into Dutch, is this something you
> would like to receive?
>
> I got inspired with my parents in mind, reading and understanding English
> is a big issue for them and I would like to start documenting an easy to
> understand start-up document, which explains why and how it's working with a
> how to implement. Is there any preference from your point of view in where
> to start, what document you would like to be translated?
>
> Please let me know, I am not able to support you financially but this is
> something I can do, to share the importance of your knowledge and
> application to the Dutch understanding online.
>
> Kind regards,
> Eva Bouwman
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>

From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 1 Apr 2016 18:36:39 -0400
Subject: Translate to dutch
In-Reply-To: <11229761.4pRxggyFSz@renee-hpmk>
References: <11229761.4pRxggyFSz@renee-hpmk>
Message-ID: <56FEF7F7.5060506@sixdemonbag.org>

Eva --

We have a Russian translation for the GnuPG FAQ, but not a Dutch. If you'd
care to contribute one, I'd love to link to it from the main FAQ. :)

From: jhs at berklix.com (Julian H. Stacey)
Date: Sat, 02 Apr 2016 00:33:59 +0200
Subject: Translate to dutch
In-Reply-To: Your message "Fri, 01 Apr 2016 23:57:07 +0200."
Message-ID: <201604012234.u31MXxGD054334@fire.js.berklix.net>

Hi,
Reference:
> From: Dashamir Hoxha
> Date: Fri, 1 Apr 2016 23:57:07 +0200

Dashamir Hoxha wrote:
> Hi Eva,
>
> Would you consider using this easy tool: https://github.com/dashohoxha/egpg
> ?
> I am not sure how easy it is, but the intention is for beginners.
> I would love some feedback from some Dutch parent average-pc-users
> (if you can write a suitable doc for them).
>
> This is not a direct answer to your question, sorry for that.
>
> Regards,
> Dashamir
>
> On Fri, Apr 1, 2016 at 5:03 PM, Eva Bouwman (renee)
> wrote:
>
> > hi,
> >
> > No idea how to reach the one able to answer my question, it is not my
> > intention to post to the mailing list, but I have no idea how to get in
> > contact otherwise.
> > I recently started using KDE-mint and right now I am reading about
> > implementing safety to my system.
> >
> > I think it is important to share your knowledge with "average-pc-users" in
> > what you are doing and why. That's why I thought while I am reading your
> > documents I can start to translate them into Dutch, is this something you
> > would like to receive?
> >
> > I got inspired with my parents in mind, reading and understanding English
> > is a big issue for them and I would like to start documenting an easy to
> > understand start-up document, which explains why and how it's working with a
> > how to implement. Is there any preference from your point of view in where
> > to start, what document you would like to be translated?
> >
> > Please let me know, I am not able to support you financially but this is
> > something I can do, to share the importance of your knowledge and
> > application to the Dutch understanding online.
> >
> > Kind regards,
> > Eva Bouwman

Some other people are interested in translating & discussing translator
tools for various PD/ free source software including eg:
http://www.freebsd.org/community/mailinglists.html
http://lists.freebsd.org/mailman/listinfo/freebsd-translators
Dutch -- majordomo at nl.FreeBSD.org
http://www.freebsd.org/nl/
& I guess there may be similar for linux communities.

& as gpg runs on various bsd & linux etc, any work done on translating generic
gpg to Dutch could be available via OS dependent ports wrappers,
in case of freebsd:
http://www.freebsd.org/cgi/ports.cgi?query=gnupg&stype=all
http://svnweb.freebsd.org/ports/head/security/gnupg/
& I assume linux has similar.

Cheers,
Julian
--
Julian Stacey, BSD Linux Unix Sys Eng Consultant Munich http://berklix.eu/jhs/
Mail plain text, No quoted-printable, HTML, base64, MS.doc.
Prefix old lines '> ' Reply below old, like play script. Break lines by 80.
Let Brits in EU vote on Brexit https://petition.parliament.uk/petitions/112142
From: mick.crane at gmail.com (mick crane)
Date: Sat, 02 Apr 2016 01:06:18 +0100
Subject: where is gnupg configure file
In-Reply-To: <56FEAE31.5040608@digitalbrains.com>
References: <9c00c947d0e3490186187126f3defd3f@rapunzel.local> <1f1bafdc77673ad7a6462b08cf4085a8@rapunzel.local> <56FE0C07.7010609@gmail.com> <5f16c728c9c4962217428c13d2d62ec5@rapunzel.local> <56FEAE31.5040608@digitalbrains.com>
Message-ID:

On 2016-04-01 18:21, Peter Lebbing wrote:
> On 01/04/16 10:21, mick crane wrote:
>> from what I read I don't think I can use gpg2 because
>> Debian GNU/Linux 8 (jessie) apt uses gpg1 at present.
>
> GnuPG 1.4 and GnuPG 2.x are co-installable, they can function
> side-by-side. If you take the Jessie GnuPG 2.0 package, you get 2.0,
> which will use the same key storage as 1.4.
>
> GnuPG 1.4.12 (with backported fixes from later releases) is in package
> gnupg, and the binary is called gpg. GnuPG 2.0.26 with backports is in
> package gnupg2, and the binary is called gpg2. You appear to have both
> installed.

is clearer I think but issue is does jessie apt work with gpg being gpg2?
I can just try but I spent best part of a week making my new server thingy
as I would like it and I don't want to change something without knowing
what I am doing.

--
key ID: 0x4BFEBB31
From: ineiev at gnu.org (Ineiev)
Date: Sat, 2 Apr 2016 00:27:03 -0400
Subject: Translate to dutch
In-Reply-To: <201604012234.u31MXxGD054334@fire.js.berklix.net>
References: <201604012234.u31MXxGD054334@fire.js.berklix.net>
Message-ID: <20160402042703.GA24255@gnu.org>

On Sat, Apr 02, 2016 at 12:33:59AM +0200, Julian H. Stacey wrote:
> & as gpg runs on various bsd & linux etc, any work done on translating generic
> gpg to Dutch could be available via OS dependent ports wrappers,
> in case of freebsd:
> http://www.freebsd.org/cgi/ports.cgi?query=gnupg&stype=all
> http://svnweb.freebsd.org/ports/head/security/gnupg/
> & I assume linux has similar.

I wonder why to do the same work multiple times (once for every OS)
rather than to maintain a single translation upstream.

From: jhs at berklix.com (Julian H. Stacey)
Date: Sat, 02 Apr 2016 10:55:25 +0200
Subject: Translate to dutch
In-Reply-To: Your message "Sat, 02 Apr 2016 09:55:05 +0200." <2651540.MI23aX0vUX@renee-hpmk>
Message-ID: <201604020855.u328tPrX058447@fire.js.berklix.net>

Hi,
Reference:
> From: Eva Bouwman
> Date: Sat, 02 Apr 2016 09:55:05 +0200

Eva Bouwman wrote:
> I will start where Dashamir suggested, I will also try to connect to the
> Dutch community regarding translating.
>
> Personally I tend to agree with Julian. My idea was not to write an OS
> dependent document, in my opinion the target audience will be narrowed down. I

Yes, language docu. for all OS's is best in one generic gpg source.
Just thought I'd give links to some translations tools & forums,
& mention OSs will have variegated ways of making/ wrapping gpg into
their own extended OS, along with 20 or 30 thousand other ported packages
(25,894 in case of http://www.freebsd.org/ports/ ) so ideally ports inc. gpg
might use/ be using standards that translators forums might be aware of,
eg top README.NL or README.HOLLAND or README.DUTCH, whatever that might be
a list of paths to more Dutch docu. buried deeper in the generic gpg
source tree?

Cheers,
Julian
--
Julian Stacey, BSD Linux Unix Sys Eng Consultant Munich http://berklix.eu/jhs/
Mail plain text, No quoted-printable, HTML, base64, MS.doc.
Prefix old lines '> ' Reply below old, like play script. Break lines by 80.
Let Brits in EU vote on Brexit https://petition.parliament.uk/petitions/112142
From: peter at digitalbrains.com (Peter Lebbing)
Date: Sat, 2 Apr 2016 12:42:31 +0200
Subject: where is gnupg configure file
In-Reply-To:
References: <9c00c947d0e3490186187126f3defd3f@rapunzel.local> <1f1bafdc77673ad7a6462b08cf4085a8@rapunzel.local> <56FE0C07.7010609@gmail.com> <5f16c728c9c4962217428c13d2d62ec5@rapunzel.local> <56FEAE31.5040608@digitalbrains.com>
Message-ID: <56FFA217.7040906@digitalbrains.com>

On 02/04/16 02:06, mick crane wrote:
> is clearer I think but issue is does jessie apt work with gpg being gpg2?

apt will not ever use gpg2.

On a normal Debian system, GnuPG 1.4 is always installed. However, you
can install and have installed GnuPG 2.0, which will just be an
additional installed package. It will in no way replace anything from
the GnuPG 1.4 package.

When you type (just as an example)

$ gpg --version

you will be using GnuPG 1.4. When you type

$ gpg2 --version

you will be using GnuPG 2.0.

To reiterate, apt will always use GnuPG 1.4 from the gnupg package (and
gpgv from the gpgv package). You can use GnuPG 2.0 by starting your
command line with gpg2 as the program name.

This is all for Debian jessie. In the next release, some things will
change.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at
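The "where is gnupg configure file" thread above turns on one fact that three people state in pieces: GnuPG 1.4 keeps OpenPGP secret keys in ~/.gnupg/secring.gpg (Viktor), GnuPG 2.0 shares that store with 1.4 and uses private-keys-v1.d/ only for gpgsm's S/MIME keys (Werner, Peter), and only GnuPG 2.1 reads private-keys-v1.d/ for OpenPGP. The script below is an added example, not code from the thread or from the GnuPG project: it classifies the first line of `gpg --version` output, checks which store in a GnuPG home directory actually holds something, and says whether that build will see the keys. The function names (`gnupg_generation`, `diagnose`, `ensure_gpg_conf`, `make_demo_home`) and the demo directory layout are this example's own; the layout mirrors mick's report (a populated secring.gpg next to an empty private-keys-v1.d/), with dummy bytes standing in for a keyring.

```python
"""Added example: which secret-key store does this gpg build read, and is
there anything in it?  Encodes what Viktor, Werner and Peter state above."""
import re
import tempfile
from pathlib import Path

# Store for OpenPGP secret keys, by GnuPG generation (as stated in the thread).
STORE_BY_GENERATION = {
    "1.x": "secring.gpg",
    "2.0": "secring.gpg",          # 2.0's private-keys-v1.d/ is gpgsm-only
    "2.1+": "private-keys-v1.d",   # 2.1 "modern" and later
}


def gnupg_generation(version_output: str) -> str:
    """Classify the first line of `gpg --version`, e.g. "gpg (GnuPG) 2.0.26"."""
    m = re.match(r"gpg \(GnuPG[^)]*\) (\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError(f"not a gpg --version line: {version_output!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    if major == 1:
        return "1.x"
    if major == 2 and minor == 0:
        return "2.0"
    return "2.1+"


def expected_secret_store(version_output: str) -> str:
    return STORE_BY_GENERATION[gnupg_generation(version_output)]


def stores_present(gnupg_home: Path) -> set:
    """Which secret-key stores under gnupg_home actually contain something."""
    present = set()
    secring = gnupg_home / "secring.gpg"
    if secring.is_file() and secring.stat().st_size > 0:
        present.add("secring.gpg")
    pkd = gnupg_home / "private-keys-v1.d"
    if pkd.is_dir() and any(pkd.iterdir()):
        present.add("private-keys-v1.d")
    return present


def diagnose(version_output: str, gnupg_home: Path) -> str:
    """One-line verdict: will this gpg build see the keys in gnupg_home?"""
    want = expected_secret_store(version_output)
    have = stores_present(gnupg_home)
    if want in have:
        return f"ok: reads {want}, which holds keys"
    if not have:
        return "no secret keys in either store"
    # A 2.1 build reads private-keys-v1.d; Viktor recalls above that using the
    # key with gpg2 imports it from the 1.4 store, so this is a migration, not a loss.
    return f"mismatch: reads {want}, keys are in {', '.join(sorted(have))}"


def ensure_gpg_conf(gnupg_home: Path) -> Path:
    """Dashamir's advice: ~/.gnupg/gpg.conf, created if absent (owner-only mode)."""
    conf = gnupg_home / "gpg.conf"
    if not conf.exists():
        conf.touch(mode=0o600)
    return conf


def make_demo_home() -> Path:
    """Constructed layout mirroring mick's report: a non-empty secring.gpg and an
    empty private-keys-v1.d/.  The secring content is dummy bytes, not a key."""
    home = Path(tempfile.mkdtemp(prefix="gnupg-demo-"))
    (home / "secring.gpg").write_bytes(b"\x95\x01dummy-not-a-real-keyring")
    (home / "private-keys-v1.d").mkdir()
    return home


if __name__ == "__main__":
    home = make_demo_home()
    for line in ("gpg (GnuPG) 1.4.18", "gpg (GnuPG) 2.0.26", "gpg (GnuPG) 2.1.11"):
        print(f"{line:22} -> {diagnose(line, home)}")
    print("config file:", ensure_gpg_conf(home))
```

Run it against a real home directory by passing `Path.home() / ".gnupg"` and the first line of `gpg --version` or `gpg2 --version`; the verdict for the 1.4 and 2.0 lines is the same because they read the same store, which is the point Peter makes.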
From: mick.crane at gmail.com (mick crane)
Date: Sat, 02 Apr 2016 17:25:36 +0100
Subject: where is gnupg configure file
In-Reply-To: <56FFA217.7040906@digitalbrains.com>
References: <9c00c947d0e3490186187126f3defd3f@rapunzel.local> <1f1bafdc77673ad7a6462b08cf4085a8@rapunzel.local> <56FE0C07.7010609@gmail.com> <5f16c728c9c4962217428c13d2d62ec5@rapunzel.local> <56FEAE31.5040608@digitalbrains.com> <56FFA217.7040906@digitalbrains.com>
Message-ID: <8536d489d9936bda27bdbc38a9a98ff6@rapunzel.local>

On 2016-04-02 11:42, Peter Lebbing wrote:
> To reiterate, apt will always use GnuPG 1.4 from the gnupg package (and
> gpgv from the gpgv package). You can use GnuPG 2.0 by starting your
> command line with gpg2 as the program name.
>
> This is all for Debian jessie. In the next release, some things will
> change.
>
> HTH,
>
> Peter.

yes thanks

--
key ID: 0x4BFEBB31
From: c.kremsmayr at gmx.net (Christine Kremsmayr)
Date: Sun, 3 Apr 2016 11:22:47 +0200
Subject: How to interprete the output of --export-ownertrust?
Message-ID: <5700E0E7.3080206@gmx.net>

Hi everyone,

with the command gpg2 --export-ownertrust I can cause GnuPG to display the
owner trust values of the public keys in my keyring.
The problem: I don't know how to interpret the numbers to the right of
the fingerprints:

-----
C:\Users\ckr>gpg2 --export-ownertrust
gpg: verwende Vertrauensmodell PGP
# Liste der zugewiesenen Trustwerte, erzeugt am 02/28/16 13:42:21 Mitteleuropäische Zeit
# ("gpg --import-ownertrust" um sie zu restaurieren)
356EE781EE3C34C00D605BD075B39FCADA0D42EF:3:
87441C8D5FA9D2D46F3CFE8FBD17F2430CE312D4:6:
B59D9B8DA5895CF837844F4EC440EB6B86F0B249:6:
C4C3767EFE9BF995431824EF6AD043812A4BF322:6:
3C41B1B124266AF139B902F24DC129B8831622ED:5:
-----

What is the meaning of 3? And of 6? Does anybody know what the possible
values are that can be displayed?

Is there a mapping between these numbers and the owner trust values like
"unknown", "marginal", "complete" and so on?
I know, the answer lies in the source code. But unfortunately I am not
able to read or understand source code.

Best regards
Christine
From: dashohoxha at gmail.com (Dashamir Hoxha)
Date: Sun, 3 Apr 2016 13:30:19 +0200
Subject: How to interprete the output of --export-ownertrust?
In-Reply-To: <5700E0E7.3080206@gmx.net>
References: <5700E0E7.3080206@gmx.net>
Message-ID:

On Sun, Apr 3, 2016 at 11:22 AM, Christine Kremsmayr wrote:

> Hi everyone,
>
> with the command gpg2 --export-ownertrust I can cause GnuPG to display the
> owner trust values of the public keys in my keyring.
> The problem: I don't know how to interpret the numbers to the right of
> the fingerprints:
>
> -----
> C:\Users\ckr>gpg2 --export-ownertrust
> gpg: verwende Vertrauensmodell PGP
> # Liste der zugewiesenen Trustwerte, erzeugt am 02/28/16 13:42:21
> Mitteleuropäische Zeit
> # ("gpg --import-ownertrust" um sie zu restaurieren)
> 356EE781EE3C34C00D605BD075B39FCADA0D42EF:3:
> 87441C8D5FA9D2D46F3CFE8FBD17F2430CE312D4:6:
> B59D9B8DA5895CF837844F4EC440EB6B86F0B249:6:
> C4C3767EFE9BF995431824EF6AD043812A4BF322:6:
> 3C41B1B124266AF139B902F24DC129B8831622ED:5:
> -----
>
> What is the meaning of 3? And of 6? Does anybody know what the possible
> values are that can be displayed?
>
> Is there a mapping between these numbers and the owner trust values like
> "unknown", "marginal", "complete" and so on?
> I know, the answer lies in the source code. But unfortunately I am not
> able to read or understand source code.
>

The mapping is this (as far as I know):
4->full, 3->marginal, 2->none, 1->unknown

I am not sure where did I find this, but surely not from the source code.
From: peter at digitalbrains.com (Peter Lebbing)
Date: Sun, 3 Apr 2016 13:56:57 +0200
Subject: How to interprete the output of --export-ownertrust?
In-Reply-To:
References: <5700E0E7.3080206@gmx.net>
Message-ID: <57010509.9090702@digitalbrains.com>

On 03/04/16 13:30, Dashamir Hoxha wrote:
> The mapping is this (as far as I know):
> 4->full, 3->marginal, 2->none, 1->unknown

Nope, that's just how you enter them in the dialog:

> Please decide how far you trust this user to correctly verify other users' keys
> (by looking at passports, checking fingerprints from different sources, etc.)
>
>   1 = I don't know or won't say
>   2 = I do NOT trust
>   3 = I trust marginally
>   4 = I trust fully
>   5 = I trust ultimately
>   m = back to the main menu
>
> Your decision?

I don't know what the numbers in a trust database export mean; at the
very least, they seem to be one higher than the choices in the dialog
(note there are 6's in the output. On a quick check, this corresponded
to an ultimately trusted key, and a 4 corresponded to a marginally
trusted key).

However, this is meant as a machine-readable format, not a
human-readable one. I would have expected it to be documented in
doc/DETAILS, but I didn't find it with two scans through the document.

gpg2 --edit-key is for human consumption, gpg2 --export-ownertrust is
for a later --import-ownertrust, not for human consumption.

Christine, what are you trying to accomplish? Why do you need this
output from --export-ownertrust?

Also, when you start a new topic, could you please post a fresh new
message to the mailing list, instead of replying to an unrelated post?
People who use threading mail readers see this thread as part of the
"where is gnupg configure file" thread. They might even miss your
message altogether when they're not interested in that topic and ignore
any further messages in that thread.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From: wk at gnupg.org (Werner Koch)
Date: Mon, 04 Apr 2016 09:16:33 +0200
Subject: How to interprete the output of --export-ownertrust?
In-Reply-To: <57010509.9090702@digitalbrains.com> (Peter Lebbing's message of "Sun, 3 Apr 2016 13:56:57 +0200")
References: <5700E0E7.3080206@gmx.net> <57010509.9090702@digitalbrains.com>
Message-ID: <87pou5c08e.fsf@wheatstone.g10code.de>

On Sun, 3 Apr 2016 13:56, peter at digitalbrains.com said:

> gpg2 --edit-key is for human consumption, gpg2 --export-ownertrust is
> for a later --import-ownertrust, not for human consumption.

Exactly - it does not constitute an open API; the format is private to gpg.

Shalom-Salam,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
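Peter and Werner above settle that the numbers in an `--export-ownertrust` dump are private to gpg and meant only for a later `--import-ownertrust`. What the dump is still good for, without interpreting the numbers, is comparison: a defender who keeps a copy of the export can see which trust assignments changed between two snapshots. The script below is an added example, not code from the thread or from GnuPG: it reads the `fingerprint:value:` records Christine showed (skipping `#` comment lines and any `gpg:` diagnostics that get mixed in when stderr is captured with stdout), keeps the value as an opaque string, and reports the differences between two exports. The function names and the second, "later" export (one value changed, one key removed, one all-zero placeholder fingerprint added) are constructed for the example.

```python
"""Added example: diff two `gpg --export-ownertrust` dumps without assigning
any meaning to the numeric values (the format is private to gpg, per Werner)."""
import re

# One record: 40 hex digits, a colon, a decimal value, a trailing colon.
_FPR_LINE = re.compile(r"^([0-9A-Fa-f]{40}):(\d+):$")


def parse_ownertrust(text: str) -> dict:
    """Return {fingerprint: value}. Skips blank lines, '#' comments and 'gpg:'
    diagnostics; rejects anything else so a mangled dump is noticed, not ignored."""
    result = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("gpg:"):
            continue
        m = _FPR_LINE.match(line)
        if not m:
            raise ValueError(f"line {n}: unrecognised ownertrust record {line!r}")
        fpr = m.group(1).upper()
        if fpr in result:
            raise ValueError(f"line {n}: duplicate fingerprint {fpr}")
        result[fpr] = m.group(2)      # opaque: compared, never interpreted
    return result


def ownertrust_changes(old_text: str, new_text: str) -> dict:
    """{fingerprint: (old_value, new_value)}; None marks a side where the key is absent."""
    old, new = parse_ownertrust(old_text), parse_ownertrust(new_text)
    changes = {}
    for fpr in sorted(old.keys() | new.keys()):
        if old.get(fpr) != new.get(fpr):
            changes[fpr] = (old.get(fpr), new.get(fpr))
    return changes


# Constructed samples. OLD_EXPORT reuses the records Christine posted (with the
# German diagnostics gpg printed on her system); NEW_EXPORT is invented: the
# first key's value changed, one key was removed and a placeholder key added.
OLD_EXPORT = """\
gpg: verwende Vertrauensmodell PGP
# Liste der zugewiesenen Trustwerte, erzeugt am 02/28/16 13:42:21 Mitteleuropäische Zeit
# ("gpg --import-ownertrust" um sie zu restaurieren)
356EE781EE3C34C00D605BD075B39FCADA0D42EF:3:
87441C8D5FA9D2D46F3CFE8FBD17F2430CE312D4:6:
B59D9B8DA5895CF837844F4EC440EB6B86F0B249:6:
C4C3767EFE9BF995431824EF6AD043812A4BF322:6:
3C41B1B124266AF139B902F24DC129B8831622ED:5:
"""
NEW_EXPORT = """\
# constructed later snapshot for the example
356EE781EE3C34C00D605BD075B39FCADA0D42EF:6:
87441C8D5FA9D2D46F3CFE8FBD17F2430CE312D4:6:
C4C3767EFE9BF995431824EF6AD043812A4BF322:6:
3C41B1B124266AF139B902F24DC129B8831622ED:5:
0000000000000000000000000000000000000000:6:
"""

if __name__ == "__main__":
    for fpr, (before, after) in ownertrust_changes(OLD_EXPORT, NEW_EXPORT).items():
        print(f"{fpr}: {before} -> {after}")
```

In use, feed it two saved dumps (`gpg2 --export-ownertrust > trust-$(date +%F).txt`); an unexpected entry in the diff is the cue to open `gpg2 --edit-key` on that fingerprint and read the trust level in the human-readable form Peter points to.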
From: peter at digitalbrains.com (Peter Lebbing)
Date: Mon, 4 Apr 2016 10:58:20 +0200
Subject: How to interprete the output of --export-ownertrust?
In-Reply-To: <57010509.9090702@digitalbrains.com>
References: <5700E0E7.3080206@gmx.net> <57010509.9090702@digitalbrains.com>
Message-ID: <57022CAC.3050207@digitalbrains.com>

On 03/04/16 13:56, Peter Lebbing wrote:
> Also, when you start a new topic, could you please post a fresh new
> message to the mailing list, instead of replying to an unrelated post?

Two people mailed me to say they didn't think this had happened
(thanks!). They are right; sorry for my mistake. For some unknown
reason, /my/ mail reader thought it would be a good idea to mix the
threads, it was not Christine who did this. I have no idea why, it's an
odd bug. You can see what it looks like for me[1]. I totally did not
expect the problem to be on my side, but the mail was clearly posted
correctly.

Again, my apologies to Christine.

Cheers,

Peter.

[1] http://digitalbrains.com/tmp/icedove-wrong-threading

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at
From: c.kremsmayr at gmx.net (Christine Kremsmayr)
Date: Mon, 4 Apr 2016 13:07:26 +0200
Subject: Procedure of deriving a pruivate key from the password
Message-ID: <57024AEE.9040803@gmx.net>

I only have a vague and incomplete understanding of the procedure in which
GnuPG derives a private key from a password.

As far as I know each private key is stored in the private keyring by a
string-to-key-function. The generation of the private key is as following:

1. The user creates a password.
2. GnuPG adds an accidental bit sequence (= salt) to the password. The bit
   sequence is stored separately from the password.
3. Password and Salt (bit sequence) are concatenated.
4. This concatenation is hashed by the hash function in use (--s2k-digest-algo).

Steps 2 to 4 build up one iteration. I can control the number of iterations
by the option --s2k-count.

After the last iteration the resulting hash value is mangled. The result of
this mangling process is the private key.

Question 1: What exactly is "mangling"?
Question 2: Did I get a correct understanding of the key derivation process
or am I wrong?

(Sry for my weird English.)

Best regards
Christine
From: dashohoxha at gmail.com (Dashamir Hoxha)
Date: Mon, 4 Apr 2016 13:29:58 +0200
Subject: Procedure of deriving a pruivate key from the password
In-Reply-To: <57024AEE.9040803@gmx.net>
References: <57024AEE.9040803@gmx.net>
Message-ID:

On Mon, Apr 4, 2016 at 1:07 PM, Christine Kremsmayr wrote:

> I only have a vague and incomplete understanding of the procedure in which
> GnuPG derives a private key from a password.

To my understanding, the key is not derived from the passphrase, it is
generated independently of it. The passphrase is used to encrypt the
private key, in order to protect it. This is symmetric encryption and the
passphrase is stored nowhere.

I am not sure whether this helped you to understand it or made you even
more confused.
From: eva.milou at gmail.com (Eva Bouwman) Date: Sat, 02 Apr 2016 09:55:05 +0200 Subject: Translate to dutch In-Reply-To: <20160402042703.GA24255@gnu.org> References: <201604012234.u31MXxGD054334@fire.js.berklix.net> <20160402042703.GA24255@gnu.org> Message-ID: <2651540.MI23aX0vUX@renee-hpmk> I will start where Dashamir suggested; I will also try to connect to the Dutch community regarding translating. Personally I tend to agree with Julian. My idea was not to write an OS-dependent document; in my opinion the target audience would be narrowed down. I think that is a pity, because the message you are sending is an important one. Before I got in touch I started with the mini-how-to and my intention was to send it to you so it could be posted as one of the available languages, but it needs a little more explaining of keywords, like encryption and keys, how do they work. That's why I asked your input on where to start and if you are interested in posting it on your website. So far my input, always open for feedback and a different approach. Regards Eva On Saturday 2 April 2016 00:27:03, Ineiev wrote: > On Sat, Apr 02, 2016 at 12:33:59AM +0200, Julian H. Stacey wrote: > > & as gpg runs on various bsd & linux etc, any work done on translating > > generic gpg to Dutch could be available via OS dependent ports wrappers, > > > > in case of freebsd: > > http://www.freebsd.org/cgi/ports.cgi?query=gnupg&stype=all > > http://svnweb.freebsd.org/ports/head/security/gnupg/ > > > > & I assume linux has similar. > > I wonder why to do the same work multiple times (once for every OS) > rather than to maintain a single translation upstream. From rjh at sixdemonbag.org Mon Apr 4 14:15:05 2016
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 4 Apr 2016 08:15:05 -0400 Subject: Procedure of deriving a private key from the password In-Reply-To: <57024AEE.9040803@gmx.net> References: <57024AEE.9040803@gmx.net> Message-ID: <57025AC9.2020500@sixdemonbag.org> > I only have a vague and incomplete understanding of the procedure in > which GnuPG derives a private key from a password. Private keys aren't derived from passphrases. > After the last iteration the resulting hash value is mangled. The result > of this mangling process is the private key. The result is used as an AES256 key and used to decrypt the private key file. From flapflap at riseup.net Mon Apr 4 18:34:26 2016 From: flapflap at riseup.net (flapflap) Date: Mon, 4 Apr 2016 16:34:26 +0000 Subject: Translate to dutch In-Reply-To: <2651540.MI23aX0vUX@renee-hpmk> References: <201604012234.u31MXxGD054334@fire.js.berklix.net> <20160402042703.GA24255@gnu.org> <2651540.MI23aX0vUX@renee-hpmk> Message-ID: <57029792.6070308@riseup.net> Eva Bouwman: > Before I got in touch I started with the mini-how-to and my intention was to > send it to you so it could be posted as one of the available languages, but it > needs a little more explaining of keywords, like encryption and keys, how > do they work. That's why I asked your input on where to start and if you are > interested in posting it on your website. If you have questions on cryptography, keys etc. or want to get in touch with other Dutch people (e.g. reviewers, co-translators, clarification/discussion of domain-specific terms), you could also look for events/cryptoparties in your area: https://www.cryptoparty.in/location#netherlands https://privacycafe.bof.nl/ ~flapflap From dashohoxha at gmail.com Mon Apr 4 20:28:26 2016
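The string-to-key procedure that the "Procedure of deriving a private key from the password" thread above is asking about, as an added example in Python (not code from GnuPG or from any list participant): the iterated+salted S2K of RFC 4880 section 3.7.1.3, together with the one-octet coded count behind --s2k-count. It makes the replies concrete: the output is a symmetric key (32 octets here, matching the AES-256 use Robert mentions) that protects the stored secret key, and the secret key itself is never a function of the passphrase. The salt and passphrase values are constructed for the demo; the decryption of the key material with the derived key is not shown.

```python
"""OpenPGP iterated+salted string-to-key (S2K), RFC 4880 section 3.7.1.3.

Added example, not GnuPG's code.  It shows what the passphrase is really
used for: it is stretched into a symmetric key (e.g. 32 octets for
AES-256) that protects the stored secret key.  The secret key itself is
generated separately and is never derived from the passphrase.
"""
import hashlib

S2K_SALT_LEN = 8  # OpenPGP S2K salts are always 8 octets


def decode_s2k_count(coded: int) -> int:
    """Expand the one-octet coded count into the number of octets to hash.

    This is the encoding behind gpg's --s2k-count; e.g. 0x60 -> 65536.
    """
    if not 0 <= coded <= 255:
        raise ValueError("coded S2K count must fit in one octet")
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def encode_s2k_count(count: int) -> int:
    """Smallest coded value whose decoded count is >= count.

    Only 256 counts are representable, so a requested count is rounded up.
    """
    for coded in range(256):
        if decode_s2k_count(coded) >= count:
            return coded
    raise ValueError("count exceeds the maximum encodable S2K count")


def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded_count: int,
                        hash_name: str = "sha256", key_len: int = 32) -> bytes:
    """Derive key_len octets from passphrase and salt.

    The hash is fed salt||passphrase over and over until `count` octets
    have been hashed; the last copy may be cut short.  If the cipher key is
    longer than one digest, further digests are computed the same way, each
    context preloaded with one more 0x00 octet than the previous one, and
    the outputs are concatenated and truncated to key_len.
    """
    if len(salt) != S2K_SALT_LEN:
        raise ValueError("OpenPGP S2K salt must be exactly 8 octets")
    count = decode_s2k_count(coded_count)
    data = salt + passphrase
    # At least one full copy of salt||passphrase is hashed even if count is smaller.
    total = max(count, len(data))

    key = b""
    context_no = 0
    while len(key) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * context_no)  # preload: 0, 1, 2, ... zero octets
        remaining = total
        while remaining > 0:
            chunk = data if remaining >= len(data) else data[:remaining]
            h.update(chunk)
            remaining -= len(chunk)
        key += h.digest()
        context_no += 1
    return key[:key_len]


if __name__ == "__main__":
    # Constructed demo values.  A real salt is random and is stored in the
    # clear in the S2K specifier next to the encrypted key material.
    salt = bytes.fromhex("0011223344556677")
    coded = encode_s2k_count(65536)  # -> 0x60, the long-standing gpg default
    key = s2k_iterated_salted(b"correct horse", salt, coded, "sha256", 32)
    print(f"coded count 0x{coded:02x} = {decode_s2k_count(coded)} octets hashed")
    print("AES-256 key:", key.hex())
```

Run it as a script to see the derived key for the constructed inputs; note that changing the salt changes the key completely while the stored secret key material is untouched, which is why a salt and count are recorded per key rather than derived from the passphrase.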
From: dashohoxha at gmail.com (Dashamir Hoxha) Date: Mon, 4 Apr 2016 20:28:26 +0200 Subject: Award for the Advancement of Free Software Message-ID: http://www.fsf.org/news/library-freedom-project-and-werner-koch-are-2015-free-software-awards-winners Congratulations! From mostafa.shahdadi at icloud.com Mon Apr 4 17:39:13 2016 From: mostafa.shahdadi at icloud.com (mostafa shahdadi) Date: Mon, 04 Apr 2016 20:09:13 +0430 Subject: where is gnupg configure file Message-ID: <549C3AA0-00BA-40B1-9D39-411A4095F2D5@icloud.com> Sent from my iPad From dougb at dougbarton.email Tue Apr 5 06:37:45 2016
From: dougb at dougbarton.email (Doug Barton) Date: Mon, 4 Apr 2016 21:37:45 -0700 Subject: How to interprete the output of --export-ownertrust? In-Reply-To: <57022CAC.3050207@digitalbrains.com> References: <5700E0E7.3080206@gmx.net> <57010509.9090702@digitalbrains.com> <57022CAC.3050207@digitalbrains.com> Message-ID: <57034119.7060403@dougbarton.email> On 04/04/2016 01:58 AM, Peter Lebbing wrote: > On 03/04/16 13:56, Peter Lebbing wrote: >> Also, when you start a new topic, could you please post a fresh new >> message to the mailing list, instead of replying to an unrelated post? > > Two people mailed me to say they didn't think this had happened > (thanks!). They are right; sorry for my mistake. > > For some unknown reason, /my/ mail reader thought it would be a good > idea to mix the threads, it was not Christine who did this. I have no > idea why, it's an odd bug. You can see what it looks like for me[1]. I > totally did not expect the problem to be on my side, but the mail was > clearly posted correctly. Again, my apologies to Christine. As someone who is also hyper-sensitive to that issue, I've been right where you're at. :) I learned to check the headers, and look for References: (sometimes spelled In-Reply-To:) with one or more message Ids after. The problem you're seeing is that sometimes tbird's index gets corrupt. You can either rebuild the folder, or sometimes copying the new thread out of the folder, then copying it back in, does the trick. hth, Doug From peter at digitalbrains.com Tue Apr 5 11:06:40 2016 
From: peter at digitalbrains.com (Peter Lebbing) Date: Tue, 5 Apr 2016 11:06:40 +0200 Subject: Translate to dutch In-Reply-To: <2651540.MI23aX0vUX@renee-hpmk> References: <201604012234.u31MXxGD054334@fire.js.berklix.net> <20160402042703.GA24255@gnu.org> <2651540.MI23aX0vUX@renee-hpmk> Message-ID: <57038020.7000705@digitalbrains.com> On 02/04/16 09:55, Eva Bouwman wrote: > I will start where Dashamir suggested , [...] > Personally I tend to agree with Julian. My idea was not to write a OS > dependent document, in my opinion the target audience will be narrowed down. These two statements seem to be in opposition. Dashamir's project has a pretty narrow target audience. His code will not run on Windows, and the project is aimed at people comfortable with working at the command line, whereas most beginners will use a GUI tool. If you want to reach a big audience, you should probably work on either GnuPG documentation itself or documentation for a commonly used GUI tool, perhaps Kleopatra or Enigmail? Personally, I use the command line, I'm not that accustomed to the GUI tools. By the way, I'm Dutch and I enjoy playing with language. If you run into trouble translating something, I might be able to help. Cheers, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From dashohoxha at gmail.com Tue Apr 5 11:31:25 2016 
From: dashohoxha at gmail.com (Dashamir Hoxha) Date: Tue, 5 Apr 2016 11:31:25 +0200 Subject: Translate to dutch In-Reply-To: <57038020.7000705@digitalbrains.com> References: <201604012234.u31MXxGD054334@fire.js.berklix.net> <20160402042703.GA24255@gnu.org> <2651540.MI23aX0vUX@renee-hpmk> <57038020.7000705@digitalbrains.com> Message-ID: On Tue, Apr 5, 2016 at 11:06 AM, Peter Lebbing wrote: > On 02/04/16 09:55, Eva Bouwman wrote: > > I will start where Dashamir suggested , [...] > > > Personally I tend to agree with Julian. My idea was not to write a OS > > dependent document, in my opinion the target audience will be narrowed > down. > > These two statements seem to be in opposition. Dashamir's project has a > pretty narrow target audience. His code will not run on Windows, and the > Mind what you say ;) http://www.theverge.com/2016/3/30/11331014/microsoft-windows-linux-ubuntu-bash > project is aimed at people comfortable with working at the command line, > whereas most beginners will use a GUI tool. If you want to reach a big > audience, you should probably work on either GnuPG documentation itself > or documentation for a commonly used GUI tool, perhaps Kleopatra or > Enigmail? Personally, I use the command line, I'm not that accustomed to > the GUI tools. > GnuPG is also aimed at people comfortable with working at the command line. So I would say that the potential audience of EasyGPG is greater than that of plain GPG. I can't make any comparison to GUI tools, but there are at least two people here that are not accustomed to them (me and you). Dashamir From paolo.bolzoni.brown at gmail.com Tue Apr 5 11:37:29 2016
From: paolo.bolzoni.brown at gmail.com (Paolo Bolzoni) Date: Tue, 5 Apr 2016 11:37:29 +0200 Subject: Translate to dutch In-Reply-To: References: <201604012234.u31MXxGD054334@fire.js.berklix.net> <20160402042703.GA24255@gnu.org> <2651540.MI23aX0vUX@renee-hpmk> <57038020.7000705@digitalbrains.com> Message-ID: > GnuPG is also aimed at people comfortable with working at the command line. > So I would say that the potential audience of EasyGPG is greater than that > of plain GPG. Wait? What? I am missing one important detail: apart from the slightly obnoxious advertisement in this mailing list, how do you plan to attract people to use your bash scripts? From peter at digitalbrains.com Tue Apr 5 12:06:25 2016
From: peter at digitalbrains.com (Peter Lebbing) Date: Tue, 5 Apr 2016 12:06:25 +0200 Subject: Translate to dutch In-Reply-To: References: <201604012234.u31MXxGD054334@fire.js.berklix.net> <20160402042703.GA24255@gnu.org> <2651540.MI23aX0vUX@renee-hpmk> <57038020.7000705@digitalbrains.com> Message-ID: <57038E21.2080900@digitalbrains.com> Dashamir, note I wasn't attacking your project. I was pointing out that it seemed to me that Eva said she wanted to spend her volunteered time in one way but at the same time seemed about to spend it in another. She wanted to reach a large audience; I was merely giving context so she could make better informed choices. On 05/04/16 11:31, Dashamir Hoxha wrote: > GnuPG is also aimed at people comfortable with working at the command line. > So I would say that the potential audience of EasyGPG is greater than that > of plain GPG. Documentation is more than invocation. You can document a whole lot of GnuPG, OpenPGP and what not without ever instructing someone to type something on the command line. But maybe I should have described it as "GnuPG and OpenPGP", which is what I meant. > I can't make any comparison to GUI tools, but there are at least two people > here that are not accustomed at them (me and you). Well, that's a bit disingenuous, I'm not the target audience of /your/ project either. I'm quite comfortable with GnuPG on the command line. I do have Enigmail by the way, for its main feature, the integration to Thunderbird. E-mail is a thing I don't do on the command line (yet?). Cheers, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From dashohoxha at gmail.com Tue Apr 5 12:28:04 2016
From: dashohoxha at gmail.com (Dashamir Hoxha) Date: Tue, 5 Apr 2016 12:28:04 +0200 Subject: Translate to dutch In-Reply-To: <57038E21.2080900@digitalbrains.com> References: <201604012234.u31MXxGD054334@fire.js.berklix.net> <20160402042703.GA24255@gnu.org> <2651540.MI23aX0vUX@renee-hpmk> <57038020.7000705@digitalbrains.com> <57038E21.2080900@digitalbrains.com> Message-ID: On Tue, Apr 5, 2016 at 12:06 PM, Peter Lebbing wrote: > Dashamir, note I wasn't attacking your project. > I wasn't attacking yours either. I simply expressed my opinion, and maybe I am wrong. From mls at dabpunkt.eu Tue Apr 5 14:57:59 2016
From: mls at dabpunkt.eu (Daniel Baur) Date: Tue, 5 Apr 2016 14:57:59 +0200 Subject: How to interprete the output of --export-ownertrust? In-Reply-To: <57034119.7060403@dougbarton.email> References: <5700E0E7.3080206@gmx.net> <57010509.9090702@digitalbrains.com> <57022CAC.3050207@digitalbrains.com> <57034119.7060403@dougbarton.email> Message-ID: <5703B657.7050004@dabpunkt.eu> Hello, On 05.04.2016 at 06:37, Doug Barton wrote: > I learned to check the headers, and look for References: (sometimes > spelled In-Reply-To:) with one or more message Ids after. While it is off-topic: the In-Reply-To and References headers are not the same. The In-Reply-To header tells you which message a message is a direct reply to. The References header tells you which e-mails the mail belongs with. Nowadays the References header is not very useful anymore, but in the old times it could happen that a reply reached a third party before the original message reached that third party. Example: You have 3 e-mails. Starter: Message-ID: A. Answer: Message-ID: B, In-Reply-To: A, References: A. Answer-Answer: Message-ID: C, In-Reply-To: B, References: A, B. If the answer-answer (C) reaches you before the answer (B), your e-mail program still knows that it somehow belongs to the starter e-mail (A). When the answer (B) reaches you, your e-mail program can sort it into the right position, using the In-Reply-To field. Sincerely, DaB. P.S.: I learned the hard way that people who use the reply button for new e-mails are not as bad as the smartphone guys who write a new e-mail for a reply. From jon at sprig.gs Tue Apr 5 16:59:24 2016
From: jon at sprig.gs (Jon Spriggs) Date: Tue, 5 Apr 2016 15:59:24 +0100 Subject: Scripting GPG without retaining keys Message-ID: Hi all, I'm trying to write a script which encrypts against keys retrieved from a keyserver but doesn't cache them. I've got the following: gpg --no-options --trust-model always --no-default-keyring --keyserver ldap://keyserver.example.com --keyserver-options auto-key-retrieve --recipient user at example.com --encrypt a_file.txt I keep getting "gpg: user at example.com: skipped: No public key" However, if I replace --recipient and --encrypt with --search-keys user at example.com I get the key back. Is this a failure in my understanding of the gpg command line, or have I missed some fundamental part of the documentation somewhere? Thanks in advance! -- Jon "The Nice Guy" Spriggs From wk at gnupg.org Tue Apr 5 19:56:32 2016 From: wk at gnupg.org (Werner Koch) Date: Tue, 05 Apr 2016 19:56:32 +0200 Subject: Scripting GPG without retaining keys In-Reply-To: (Jon Spriggs's message of "Tue, 5 Apr 2016 15:59:24 +0100") References: Message-ID: <8760vwym5r.fsf@wheatstone.g10code.de> On Tue, 5 Apr 2016 16:59, jon at sprig.gs said: > Is this a failure in my understanding of the gpg command line, or have > I missed some fundamental part of the documentation somewhere? auto-key-retrieve This option enables the automatic retrieving of keys from a keyserver when _verifying_ signatures made by keys that are not on the local keyring. [...] What you want is --auto-key-locate local,keyserver Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From dougb at dougbarton.email Wed Apr 6 07:01:01 2016 
From: dougb at dougbarton.email (Doug Barton) Date: Tue, 5 Apr 2016 22:01:01 -0700 Subject: How to interprete the output of --export-ownertrust? In-Reply-To: <5703B657.7050004@dabpunkt.eu> References: <5700E0E7.3080206@gmx.net> <57010509.9090702@digitalbrains.com> <57022CAC.3050207@digitalbrains.com> <57034119.7060403@dougbarton.email> <5703B657.7050004@dabpunkt.eu> Message-ID: <5704980D.5010100@dougbarton.email> On 04/05/2016 05:57 AM, Daniel Baur wrote: > while it is off-topic: The In-Reply-to and References-header are not the > same. Depending on the mail client that may or may not be true. :) But more importantly, the existence of either header will tell the person looking at the headers that the message is not new, it's a response of some sort; which was the point I was trying to make. When considering extending the life of an off-topic thread it's worthwhile to consider how much you're benefiting the members of the list, vs: https://xkcd.com/386/ From cannon at cannon-ciota.info Wed Apr 6 09:38:04 2016 
From: cannon at cannon-ciota.info (CANNON NATHANIEL CIOTA) Date: Wed, 06 Apr 2016 07:38:04 +0000 Subject: Using gpg for ssh access In-Reply-To: <56EA7B8B.70503@incenp.org> References: <79b08d207d51fc1995d4823c1639b7bc@cannon-ciota.info> <56EA7B8B.70503@incenp.org> Message-ID: <1bbb6a1abef3564655dcfcc5f90d2b89@cannon-ciota.info> On 03/17/2016 07:32 AM, CANNON NATHANIEL CIOTA wrote: Can someone inform the correct procedure for using gpg to access ssh? ---- On Thursday 17 March 2016 at 10:40:27, Damien Goutte-Gattat wrote: If I may, I wrote two blog posts on this subject: * http://www.incenp.org/notes/2014/gnupg-for-ssh-authentication.html (for GnuPG 2.0) * http://www.incenp.org/notes/2015/gnupg-for-ssh-authentication.html (for GnuPG 2.1) I hope you'll find them useful. If not, do not hesitate to ask for clarifications. From what you said, the step you probably missed is to use gpg-agent as a drop-in replacement for ssh-agent. ---- Thanks for the info. Today I had chance to try this out, still having trouble using ssh with gpg. Can you please clarify what steps are to be used on server side and steps on client side? My current scenario, both server and client are linux command line interface only. My smartcard has a subkey for use with authentication.
Thanks Cannon -- Cannon N. Ciota Digital Identity (namecoin): id/cannon Website: www.cannon-ciota.info Email: cannon at cannon-ciota.info PGP Fingerprint: E7FB 0605 1BD4 8B88 B7BC 91A4 7DF7 76C7 25A6 AEE2 From dgouttegattat at incenp.org Wed Apr 6 12:48:40 2016
From: dgouttegattat at incenp.org (Damien Goutte-Gattat) Date: Wed, 6 Apr 2016 12:48:40 +0200 Subject: Using gpg for ssh access In-Reply-To: <1bbb6a1abef3564655dcfcc5f90d2b89@cannon-ciota.info> References: <79b08d207d51fc1995d4823c1639b7bc@cannon-ciota.info> <56EA7B8B.70503@incenp.org> <1bbb6a1abef3564655dcfcc5f90d2b89@cannon-ciota.info> Message-ID: <5704E988.1030004@incenp.org> On 04/06/2016 09:38 AM, CANNON NATHANIEL CIOTA wrote: > Thanks for the info. Today I had chance to try this out, still having > trouble using ssh with gpg. Can you please clarify what steps are to be > used on server side and steps on client side? My current scenario, both > server and client are linux command line interface only. My smartcard > has a subkey for use with authentication. Then if GPG Agent is up and running and configured to act as a SSH agent, it should automatically detect the authentication subkey and make it available to SSH clients. First, could you please tell us which version of GnuPG you are using? Most importantly, we need to know if you're using 2.0 or 2.1. Then, check whether SSH support is enabled in GPG Agent. You can use the following command: gpg-connect-agent "GETINFO ssh_socket_name" /bye which should print the path to the SSH socket if SSH support is enabled, or give you an error message if it is not. If SSH support is not enabled, enable it by adding the following line: enable-ssh-support in the configuration for GPG Agent (~/.gnupg/gpg-agent.conf, you may need to create that file if it does not already exist), then kill the agent: gpgconf --kill gpg-agent and re-run the first command again. Once you have confirmed that SSH support is available from the agent, check the value of the SSH_AUTH_SOCK environment variable. That variable must point to the agent's SSH socket (as returned by the GETINFO command above) in order for SSH clients to know how to contact the agent. Then, insert your card into your card reader and run `ssh-add -L`. 
If everything went fine, that command should print the public part of your authentication subkey, in a format suitable for inclusion into an authorized_keys file on your server. If something did *not* go fine, please report any error message. From dick.visser at geant.org Wed Apr 6 12:14:14 2016 From: dick.visser at geant.org (Dick Visser) Date: Wed, 6 Apr 2016 12:14:14 +0200 Subject: Change the location of the gpg-agent socket? Message-ID: Hi I'm using gnupg 2.1.11 on OSX. This works great. I'm using BOX as a sync tool to keep my .gnupg directory backed up. However, BOX chokes on the unix socket 'S.gpg-agent' that's there when the agent is running. I've searched through the docs but couldn't find a way to configure the location of the socket, other than at compile time. Any ideas how to achieve this at runtime? Many thanks! Dick Visser From andrewg at andrewg.com Wed Apr 6 14:08:37 2016 From: andrewg at andrewg.com (Andrew Gallagher) Date: Wed, 6 Apr 2016 13:08:37 +0100 Subject: Change the location of the gpg-agent socket? In-Reply-To: References: Message-ID: <9E46BE58-4BA9-4D35-AB41-F663E998909A@andrewg.com> > On 6 Apr 2016, at 11:14, Dick Visser wrote: > > Hi > > I'm using gnupg 2.1.11 on OSX. This works great. > I'm using BOX as a sync tool to keep my .gnupg directory backed up. > However, BOX chokes on the unix socket 'S.gpg-agent' that's there when > the agent is running. > I've searched through the docs but couldn't find a way to configure > the location of the socket, other than at compile time. Would it not make more sense to add an exclusion for the socket in your backup config? Andrew From dick.visser at geant.org Wed Apr 6 16:24:00 2016
From: dick.visser at geant.org (Dick Visser) Date: Wed, 6 Apr 2016 16:24:00 +0200 Subject: Change the location of the gpg-agent socket? In-Reply-To: <9E46BE58-4BA9-4D35-AB41-F663E998909A@andrewg.com> References: <9E46BE58-4BA9-4D35-AB41-F663E998909A@andrewg.com> Message-ID: It would, but that's not possible, so that's why I was asking. Background: .gnupg being a configuration directory, sockets seem like a weird thing for a configuration directory. System sockets aren't created in /etc/ either but usually in /var/run or something. Dick On 6 April 2016 at 14:08, Andrew Gallagher wrote: > >> On 6 Apr 2016, at 11:14, Dick Visser wrote: >> >> Hi >> >> I'm using gnupg 2.1.11 on OSX. This works great. >> I'm using BOX as a sync tool to keep my .gnupg directory backed up. >> However, BOX chokes on the unix socket 'S.gpg-agent' that's there when >> the agent is running. >> I've searched through the docs but couldn't find a way to configure >> the location of the socket, other than at compile time. > > Would it not make more sense to add an exclusion for the socket in your backup config? > > Andrew From wk at gnupg.org Wed Apr 6 17:09:34 2016
From: wk at gnupg.org (Werner Koch) Date: Wed, 06 Apr 2016 17:09:34 +0200 Subject: Change the location of the gpg-agent socket? In-Reply-To: (Dick Visser's message of "Wed, 6 Apr 2016 16:24:00 +0200") References: <9E46BE58-4BA9-4D35-AB41-F663E998909A@andrewg.com> Message-ID: <87oa9mwz81.fsf@wheatstone.g10code.de> On Wed, 6 Apr 2016 16:24, dick.visser at geant.org said: > Background, .gnupg being a configuration directory, and sockets seem No, it is not a configuration directory. All your keys and other var data lives there as well. > like a weird thing for a configuration directory. System sockets > aren't created in /etc/ either but usually in /var/run or something. It is not a system socket but a per-user socket. Anyway, we are planning to move the socket to /run/user//gnupg/ to keep the socket name short enough for the socket API. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From philip.colmer at linaro.org Wed Apr 6 17:33:41 2016 
From: philip.colmer at linaro.org (Philip Colmer) Date: Wed, 6 Apr 2016 16:33:41 +0100 Subject: Using LDAP keyservers with gpg 2.1.11 Message-ID: I've configured our LDAP server to act as a keyserver for use with GnuPG. In testing, with version 1.x and 2.0, sending keys to the keyserver works. However, with version 2.1.11, it isn't working. Enabling debug options where I can find them gives me this output:
gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust hashing cardio ipc clock lookup extprog
gpg: DBG: [not enabled in the source] start
gpg: DBG: chan_3 <- # Home: /home/ubuntu/.gnupg
gpg: DBG: chan_3 <- # Config: /home/ubuntu/.gnupg/dirmngr.conf
gpg: DBG: chan_3 <- OK Dirmngr 2.1.11 at your service
gpg: DBG: chan_4 <- # Home: /home/ubuntu/.gnupg
gpg: DBG: chan_4 <- # Config: /home/ubuntu/.gnupg/dirmngr.conf
gpg: DBG: chan_4 <- OK Dirmngr 2.1.11 at your service
gpg: DBG: connection to the dirmngr established
gpg: DBG: chan_4 -> GETINFO version
gpg: DBG: chan_4 <- D 2.1.11
gpg: DBG: chan_4 <- OK
gpg: DBG: chan_4 -> KEYSERVER --clear ldaps://:@login.linaro.org
gpg: DBG: chan_4 <- OK
gpg: DBG: chan_4 -> KEYSERVER
gpg: DBG: chan_4 <- S KEYSERVER ldaps://uid=:@login.linaro.org
gpg: DBG: chan_4 <- OK
gpg: DBG: [not enabled in the source] keydb_new
gpg: DBG: [not enabled in the source] keydb_search enter
gpg: DBG: keydb_search: 1 search descriptions:
gpg: DBG: keydb_search 0: SHORT_KID: 'DC6F3C29'
gpg: DBG: keydb_search: searching keyring (resource 0 of 1)
gpg: DBG: keyring_search: need_uid = 0; need_words = 0; need_keyid = 1; need_fpr = 0; any_skip = 0
gpg: DBG: fd_cache_open (/home/ubuntu/.gnupg/pubring.gpg) not cached
gpg: DBG: iobuf-2.0: open '/home/ubuntu/.gnupg/pubring.gpg' desc=file_filter(fd) fd=5
gpg: DBG: keyring_search: initializing offset table. (need_keyid: 1 => 1)
gpg: DBG: keyring_search: searching from start of resource.
gpg: DBG: iobuf-2.0: underflow: buffer size: 8192; still buffered: 0 => space for 8192 bytes
gpg: DBG: iobuf-2.0: underflow: A->FILTER (8192 bytes)
gpg: DBG: iobuf-2.0: A->FILTER() returned rc=0 (ok), read 1211 bytes
gpg: DBG: parse_packet(iob=2): type=6 length=269 (search.keyring.c.1115)
gpg: DBG: keyring_search: packet starting at offset 0 matched descriptor 0
gpg: DBG: keyring_search: returning success
gpg: DBG: free_packet() type=6
gpg: DBG: keydb_search: searched keyring (resource 0 of 1) => Success
gpg: DBG: [not enabled in the source] keydb_search leave (found)
gpg: DBG: [not enabled in the source] keydb_get_keybock enter
gpg: DBG: fd_cache_open (/home/ubuntu/.gnupg/pubring.gpg) not cached
gpg: DBG: iobuf-3.0: open '/home/ubuntu/.gnupg/pubring.gpg' desc=file_filter(fd) fd=6
gpg: DBG: iobuf-3.0: underflow: buffer size: 8192; still buffered: 0 => space for 8192 bytes
gpg: DBG: iobuf-3.0: underflow: A->FILTER (8192 bytes)
gpg: DBG: iobuf-3.0: A->FILTER() returned rc=0 (ok), read 1211 bytes
gpg: DBG: parse_packet(iob=3): type=6 length=269 (parse.keyring.c.414)
gpg: DBG: parse_packet(iob=3): type=13 length=40 (parse.keyring.c.414)
gpg: DBG: parse_packet(iob=3): type=2 length=318 (parse.keyring.c.414)
gpg: DBG: parse_packet(iob=3): type=12 length=2 (parse.keyring.c.414)
gpg: DBG: free_packet() type=12
gpg: DBG: parse_packet(iob=3): type=14 length=269 (parse.keyring.c.414)
gpg: DBG: parse_packet(iob=3): type=2 length=293 (parse.keyring.c.414)
gpg: DBG: parse_packet(iob=3): type=12 length=2 (parse.keyring.c.414)
gpg: DBG: free_packet() type=12
gpg: DBG: iobuf-3.0: underflow: buffer size: 8192; still buffered: 0 => space for 8192 bytes
gpg: DBG: iobuf-3.0: underflow: A->FILTER (8192 bytes)
gpg: DBG: iobuf-3.0: A->FILTER() returned rc=-1 (EOF), read 0 bytes
gpg: DBG: /home/ubuntu/.gnupg/pubring.gpg: close fd/handle 6
gpg: DBG: fd_cache_close (/home/ubuntu/.gnupg/pubring.gpg) new slot created
gpg: DBG: iobuf-3.0: close '?'
gpg: DBG: [not enabled in the source] keydb_get_keyblock leave
gpg: DBG: build_packet() type=6
gpg: DBG: iobuf-4.0: close '?'
gpg: DBG: build_packet() type=13
gpg: DBG: build_packet() type=2
gpg: DBG: iobuf-5.0: close '?'
gpg: DBG: build_packet() type=14
gpg: DBG: iobuf-6.0: close '?'
gpg: DBG: build_packet() type=2
gpg: DBG: iobuf-7.0: close '?'
gpg: DBG: iobuf-2.0: close 'file_filter(fd)'
gpg: DBG: /home/ubuntu/.gnupg/pubring.gpg: close fd/handle 5
gpg: DBG: fd_cache_close (/home/ubuntu/.gnupg/pubring.gpg) new slot created
gpg: DBG: iobuf-1.0: close '?'
gpg: sending key DC6F3C29 to ldaps://:@login.linaro.org
gpg: DBG: chan_4 -> KS_PUT
gpg: DBG: chan_4 <- INQUIRE KEYBLOCK
gpg: DBG: chan_4 -> [ 44 20 99 01 25 30 44 04 56 fe 8f d2 01 08 00 c2 ...(982 byte(s) skipped) ]
gpg: DBG: chan_4 -> [ 44 20 20 4f ad 28 53 1c 95 8a ae 0f 57 5f 35 fc ...(231 byte(s) skipped) ]
gpg: DBG: chan_4 -> END
gpg: DBG: chan_4 <- INQUIRE KEYBLOCK_INFO
gpg: DBG: chan_4 -> D pub::2048:1:4625A9B1DC6F3C29:1459523538:1460128338::::::::::%0Auid:::::1459523538::::Philip Colmer :::::::%0Asig::::4625A9B1DC6F3C29:1459523538:::::::::::%0Asub::2048:1:87E613C66F047E92:1459523538:1460128338::::::::::%0A
gpg: DBG: chan_4 -> END
gpg: DBG: chan_4 <- ERR 167772346 No keyserver available
gpg: DBG: free_packet() type=6
gpg: DBG: free_packet() type=13
gpg: DBG: free_packet() type=2
gpg: DBG: free_packet() type=14
gpg: DBG: free_packet() type=2
gpg: keyserver send failed: No keyserver available
gpg: keyserver send failed: No keyserver available
gpg: DBG: chan_4 -> BYE
gpg: DBG: [not enabled in the source] stop
I can't seem to turn up the debugging any higher in order to find out why Dirmngr is reporting "No keyserver available". I can't find that message in the source code either so I can't add any extra debugging statements. Does anyone know what changed between 2.0 and 2.1 that would specifically affect LDAP keyserver operation?
Or, failing that, what I should be looking at in order to troubleshoot this further? Thanks. Philip From junkemail at paulapplegate.com Wed Apr 6 20:06:43 2016 From: junkemail at paulapplegate.com (Paul Applegate) Date: Wed, 6 Apr 2016 14:06:43 -0400 Subject: Git clone error Message-ID: <344601BC-30E0-4D07-A33C-FADFEA127E65@paulapplegate.com> I get the following error when I try to clone gnupg: Cloning into 'gnupg'... fatal: read error: Connection reset by peer I've tried to clone it from two different IP addresses. Is there something wrong with the repository? Thanks, Paul From wk at gnupg.org Thu Apr 7 10:07:02 2016 From: wk at gnupg.org (Werner Koch) Date: Thu, 07 Apr 2016 10:07:02 +0200 Subject: Git clone error In-Reply-To: <344601BC-30E0-4D07-A33C-FADFEA127E65@paulapplegate.com> (Paul Applegate's message of "Wed, 6 Apr 2016 14:06:43 -0400") References: <344601BC-30E0-4D07-A33C-FADFEA127E65@paulapplegate.com> Message-ID: <87h9fdu9jt.fsf@wheatstone.g10code.de> On Wed, 6 Apr 2016 20:06, junkemail at paulapplegate.com said: > I've tried to clone it from two different IP addresses. Is there something wrong with the repository? No, just DoS. Try again. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From wk at gnupg.org Thu Apr 7 16:40:10 2016
From: wk at gnupg.org (Werner Koch)
Date: Thu, 07 Apr 2016 16:40:10 +0200
Subject: Using LDAP keyservers with gpg 2.1.11
In-Reply-To: (Philip Colmer's message of "Wed, 6 Apr 2016 16:33:41 +0100")
References:
Message-ID: <8760vtscs5.fsf@wheatstone.g10code.de>

On Wed, 6 Apr 2016 17:33, philip.colmer at linaro.org said:

> However, with version 2.1.11, it isn't working. Enabling debug options
> where I can find them gives me this output:

Please enable debugging for dirmngr and restart dirmngr. All network access is done via the dirmngr daemon which is started when needed.

Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From philip.colmer at linaro.org Thu Apr 7 16:58:24 2016
From: philip.colmer at linaro.org (Philip Colmer)
Date: Thu, 7 Apr 2016 15:58:24 +0100
Subject: Using LDAP keyservers with gpg 2.1.11
In-Reply-To: <8760vtscs5.fsf@wheatstone.g10code.de>
References: <8760vtscs5.fsf@wheatstone.g10code.de>
Message-ID:

On 7 April 2016 at 15:40, Werner Koch wrote:
> On Wed, 6 Apr 2016 17:33, philip.colmer at linaro.org said:
>
>> However, with version 2.1.11, it isn't working. Enabling debug options
>> where I can find them gives me this output:
>
> Please enable debugging for dirmngr and restart dirmngr. All network
> access is done via the dirmngr daemon which is started when needed.

I've configured debugging for dirmngr in dirmngr.conf as follows:

debug-level guru
debug-all

dirmngr is running with its homedir set to the directory containing that conf file.

If I should be doing something different to get more debugging info out of dirmngr, please clarify. At the moment, the only information I seem to be getting is:

gpg: DBG: chan_4 <- ERR 167772346 No keyserver available

Which doesn't really tell me much, and I cannot figure out where in the source code this is happening.

Regards

Philip

From kristian.fiskerstrand at sumptuouscapital.com Thu Apr 7 18:03:59 2016
From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand)
Date: Thu, 7 Apr 2016 18:03:59 +0200
Subject: Using LDAP keyservers with gpg 2.1.11
In-Reply-To:
References: <8760vtscs5.fsf@wheatstone.g10code.de>
Message-ID: <570684EF.2020307@sumptuouscapital.com>

On 04/07/2016 04:58 PM, Philip Colmer wrote:
> On 7 April 2016 at 15:40, Werner Koch wrote:
>> On Wed, 6 Apr 2016 17:33, philip.colmer at linaro.org said:
>>
>>> However, with version 2.1.11, it isn't working. Enabling debug
>>> options where I can find them gives me this output:
>>
>> Please enable debugging for dirmngr and restart dirmngr. All
>> network access is done via the dirmngr daemon which is started
>> when needed.
>
> I've configured debugging for dirmngr in dirmngr.conf as follows:
>
> debug-level guru
> debug-all
>
> dirmngr is running with its homedir set to the directory
> containing that conf file.
>
> If I should be doing something different to get more debugging
> info out of dirmngr, please clarify. At the moment, the only
> information I seem to be getting is:
>
> gpg: DBG: chan_4 <- ERR 167772346 No keyserver available

is ldap listed as a schema when doing KEYSERVER --help ?
you can also check if ldd /usr/bin/dirmngr shows a linkage to libldap

--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP key at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Aquila non capit muscas
The eagle does not hunt flies

From kristian.fiskerstrand at sumptuouscapital.com Fri Apr 8 12:55:55 2016
From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand)
Date: Fri, 8 Apr 2016 12:55:55 +0200
Subject: Using LDAP keyservers with gpg 2.1.11
In-Reply-To:
References: <8760vtscs5.fsf@wheatstone.g10code.de> <570684EF.2020307@sumptuouscapital.com>
Message-ID: <57078E3B.8070704@sumptuouscapital.com>

On 04/08/2016 12:38 PM, Philip Colmer wrote:
> On 7 April 2016 at 17:03, Kristian Fiskerstrand
> wrote:
>> is ldap listed as a schema when doing KEYSERVER --help ? you can
>> also check if ldd /usr/bin/dirmngr shows a linkage to libldap
>
> Sorry - how do I check the schema? I'm not sure what command you
> are asking me to run.

$ dirmngr
OK Dirmngr 2.1.11 at your service
KEYSERVER --help
S # Known schemata:
S # hkp
S # hkps
S # http
S # finger
S # kdns
S # ldap
S # (Use an URL for engine specific help.)
OK

>
> With regards to the ldd command, no, there is no linkage to
> libldap. I have the libldap package installed, so do I need to do
> something to get gnupg to link to it when I build it?
>

you need the appropriate header files for the library (-dev packages as well) and for good measure I specify --with-ldap in the gnupg build

--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP key at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Aquila non capit muscas
The eagle does not hunt flies

From philip.colmer at linaro.org Fri Apr 8 13:19:14 2016
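The two checks Kristian suggests above (does dirmngr list ldap among its schemata, and is the binary linked against libldap) can be scripted. The following is an added example, not code from GnuPG or from anyone in the thread: it parses the "KEYSERVER --help" reply and ldd output, and the live_check() helper, which assumes a GnuPG 2.1 installation with gpg-connect-agent and ldd on PATH, runs the real commands. The sample outputs are constructed to match the transcript above so the parsing runs offline.

```python
"""Check whether the local dirmngr can handle an ldap:// keyserver.

Added example, not code from GnuPG or from the thread. It wraps the two
checks suggested in the thread: the schemata that dirmngr lists in reply to
"KEYSERVER --help", and whether the dirmngr binary links against libldap.
The sample outputs are constructed to match the transcript in the thread,
so the parsing part runs offline; live_check() is an assumption about a
GnuPG 2.1 installation with gpg-connect-agent and ldd on PATH.
"""
import re
import shutil
import subprocess

# Constructed sample: dirmngr's reply lines as quoted in the thread.
SAMPLE_KEYSERVER_HELP = """\
OK Dirmngr 2.1.11 at your service
S # Known schemata:
S # hkp
S # hkps
S # http
S # finger
S # kdns
S # ldap
S # (Use an URL for engine specific help.)
OK
"""

# Constructed sample of ldd output for a dirmngr built without LDAP support
# (library paths and load addresses are placeholders).
SAMPLE_LDD_NO_LDAP = """\
\tlibgpg-error.so.0 => /usr/lib/libgpg-error.so.0 (0x00007f0000000000)
\tlibgcrypt.so.20 => /usr/lib/libgcrypt.so.20 (0x00007f0000100000)
\tlibc.so.6 => /lib/libc.so.6 (0x00007f0000200000)
"""


def known_schemata(help_output):
    """Return the scheme names dirmngr prints as 'S # <name>' after 'Known schemata:'."""
    names = []
    in_list = False
    for line in help_output.splitlines():
        line = line.strip()
        if line == "S # Known schemata:":
            in_list = True
            continue
        if not in_list:
            continue
        match = re.fullmatch(r"S # ([a-z0-9]+)", line)
        if not match:
            break  # the parenthesised hint (or the final OK) ends the list
        names.append(match.group(1))
    return names


def links_libldap(ldd_output):
    """True if a shared object whose name starts with libldap appears in ldd output."""
    return any(re.search(r"\blibldap", line) for line in ldd_output.splitlines())


def supports_scheme(help_output, scheme="ldap"):
    return scheme in known_schemata(help_output)


def live_check(scheme="ldap"):
    """Run both checks against the installed binaries (assumption: GnuPG 2.1+).

    Returns a dict whose values are None when the needed tool is not installed.
    """
    result = {"scheme_listed": None, "libldap_linked": None}
    if shutil.which("gpg-connect-agent"):
        proc = subprocess.run(
            ["gpg-connect-agent", "--dirmngr", "KEYSERVER --help", "/bye"],
            capture_output=True, text=True)
        result["scheme_listed"] = supports_scheme(proc.stdout, scheme)
    dirmngr = shutil.which("dirmngr")
    if dirmngr and shutil.which("ldd"):
        proc = subprocess.run(["ldd", dirmngr], capture_output=True, text=True)
        result["libldap_linked"] = links_libldap(proc.stdout)
    return result


if __name__ == "__main__":
    print("offline sample:", known_schemata(SAMPLE_KEYSERVER_HELP),
          "libldap linked:", links_libldap(SAMPLE_LDD_NO_LDAP))
    print("this host:", live_check())
```

A dirmngr that lists ldap but shows no libldap in ldd (or the other way round) points at a mismatch between the binary being run and the one that was rebuilt, which is worth ruling out before digging into keyserver URLs.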
From: philip.colmer at linaro.org (Philip Colmer)
Date: Fri, 8 Apr 2016 12:19:14 +0100
Subject: Using LDAP keyservers with gpg 2.1.11
In-Reply-To: <57078E3B.8070704@sumptuouscapital.com>
References: <8760vtscs5.fsf@wheatstone.g10code.de> <570684EF.2020307@sumptuouscapital.com> <57078E3B.8070704@sumptuouscapital.com>
Message-ID:

On 8 April 2016 at 11:55, Kristian Fiskerstrand wrote:
>>> is ldap listed as a schema when doing KEYSERVER --help ? you can
>>> also check if ldd /usr/bin/dirmngr shows a linkage to libldap

Thanks for this suggestion. dirmngr wasn't listing ldap, so I've installed the extra bits, rebuilt and now it is.

However, unfortunately, now --send-key breaks earlier than it was :(

gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust hashing cardio ipc clock lookup extprog
gpg: DBG: [not enabled in the source] start
gpg: DBG: chan_3 <- # Home: /home/ubuntu/.gnupg
gpg: DBG: chan_3 <- # Config: /home/ubuntu/.gnupg/dirmngr.conf
gpg: DBG: chan_3 <- OK Dirmngr 2.1.11 at your service
gpg: DBG: connection to the dirmngr established
gpg: DBG: chan_3 -> GETINFO version
gpg: DBG: chan_3 <- D 2.1.11
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> KEYSERVER --clear ldaps://:@login.linaro.org?dc=linaro,dc=org
gpg: DBG: chan_3 <- ERR 167772161 General error
gpg: no keyserver known
gpg: keyserver send failed: No keyserver available
gpg: DBG: chan_3 -> BYE
gpg: DBG: [not enabled in the source] stop

This used to be the output ...
gpg: DBG: [not enabled in the source] start
gpg: DBG: chan_3 <- # Home: /home/ubuntu/.gnupg
gpg: DBG: chan_3 <- # Config: /home/ubuntu/.gnupg/dirmngr.conf
gpg: DBG: chan_3 <- OK Dirmngr 2.1.11 at your service
gpg: DBG: chan_4 <- # Home: /home/ubuntu/.gnupg
gpg: DBG: chan_4 <- # Config: /home/ubuntu/.gnupg/dirmngr.conf
gpg: DBG: chan_4 <- OK Dirmngr 2.1.11 at your service
gpg: DBG: connection to the dirmngr established
gpg: DBG: chan_4 -> GETINFO version
gpg: DBG: chan_4 <- D 2.1.11
gpg: DBG: chan_4 <- OK
gpg: DBG: chan_4 -> KEYSERVER --clear ldaps://:@login.linaro.org
gpg: DBG: chan_4 <- OK
gpg: DBG: chan_4 -> KEYSERVER
gpg: DBG: chan_4 <- S KEYSERVER ldaps://uid=:@login.linaro.org
gpg: DBG: chan_4 <- OK
gpg: DBG: [not enabled in the source] keydb_new
gpg: DBG: [not enabled in the source] keydb_search enter

Regards

Philip

From philip.colmer at linaro.org Fri Apr 8 12:38:46 2016
From: philip.colmer at linaro.org (Philip Colmer)
Date: Fri, 8 Apr 2016 11:38:46 +0100
Subject: Using LDAP keyservers with gpg 2.1.11
In-Reply-To: <570684EF.2020307@sumptuouscapital.com>
References: <8760vtscs5.fsf@wheatstone.g10code.de> <570684EF.2020307@sumptuouscapital.com>
Message-ID:

On 7 April 2016 at 17:03, Kristian Fiskerstrand wrote:
> is ldap listed as a schema when doing KEYSERVER --help ? you can also
> check if ldd /usr/bin/dirmngr shows a linkage to libldap

Sorry - how do I check the schema? I'm not sure what command you are asking me to run.

With regards to the ldd command, no, there is no linkage to libldap. I have the libldap package installed, so do I need to do something to get gnupg to link to it when I build it?

Regards

Philip

From erik.nellessen at informatik.hu-berlin.de Fri Apr 8 17:28:00 2016
From: erik.nellessen at informatik.hu-berlin.de (Erik Nellessen)
Date: Fri, 8 Apr 2016 15:28:00 +0000
Subject: Perform only asymmetric encryption/decryption
Message-ID: <5707CE00.4070705@informatik.hu-berlin.de>

When I encrypt data using GnuPG, GnuPG uses hybrid encryption. This really is a good idea for most use cases. But in my (I admit, rather special) use case, only using asymmetric encryption/decryption is what I need. Is it possible to use asymmetric encryption only? The interface I would wish to have takes plain data and provides an RSA encrypted cipher text (and vice versa for decryption).

Does GnuPG provide any kind of interface for direct asymmetric encryption/decryption operations? I guess I could try to do it similar to the write_pubkey_enc function in the file g10/encrypt.c. But is there an easier/more official way?

What I want to do is certainly possible using OpenSSL. But as I am changing an existing system, a possibility to do this with GnuPG would be the easiest way for me.

Kind regards,
Erik Nellessen

From arthur at ulfeldt.com Fri Apr 8 18:27:31 2016
From: arthur at ulfeldt.com (Arthur Ulfeldt)
Date: Fri, 8 Apr 2016 09:27:31 -0700
Subject: Perform only asymmetric encryption/decryption
In-Reply-To: <5707CE00.4070705@informatik.hu-berlin.de>
References: <5707CE00.4070705@informatik.hu-berlin.de>
Message-ID:

I'm not sure I totally understand your requirements, though if you are looking to run RSA encryption on strings and are not using any of the authentication parts of gpg, then openssl is the way to go. I suspect it's not possible with gpg's provided interface. If using pgp is really more convenient then letting it do hybrid encryption will be much easier though it sounds like you have a good reason for wanting to avoid that.

On 8 Apr 2016 9:18 AM, "Erik Nellessen" <erik.nellessen at informatik.hu-berlin.de> wrote:

> When I encrypt data using GnuPG, GnuPG uses hybrid encryption. This really
> is a good idea for most use cases. But in my (I admit, rather special) use
> case, only using asymmetric encryption/decryption is what I need. Is it
> possible to use asymmetric encryption only? The interface I would wish to
> have takes plain data and provides an RSA encrypted cipher text (and vice
> versa for decryption).
>
> Does GnuPG provide any kind of interface for direct asymmetric
> encryption/decryption operations? I guess I could try do it similar to the
> write_pubkey_enc function in the file g10/encrypt.c. But is there an
> easier/more official way?
>
> What I want to do is certainly possible using OpenSSL. But as I am
> changing an existing system, a possibility to do this with GnuPG would be
> the easiest way for me.
>
> Kind regards,
> Erik Nellessen

From andrewg at andrewg.com Fri Apr 8 19:42:47 2016
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Fri, 8 Apr 2016 18:42:47 +0100
Subject: Perform only asymmetric encryption/decryption
In-Reply-To: <5707CE00.4070705@informatik.hu-berlin.de>
References: <5707CE00.4070705@informatik.hu-berlin.de>
Message-ID: <5707ED97.3020606@andrewg.com>

On 08/04/16 16:28, Erik Nellessen wrote:
> When I encrypt data using GnuPG, GnuPG uses hybrid encryption. This
> really is a good idea for most use cases. But in my (I admit, rather
> special) use case, only using asymmetric encryption/decryption is
> what I need. Is it possible to use asymmetric encryption only? The
> interface I would wish to have takes plain data and provides an RSA
> encrypted cipher text (and vice versa for decryption).

A bit more info about your use case might be helpful (and intriguing!). If you're just trying to create a new asym-encrypted copy of an existing GPG session key (or something similar) then there might be a way. If you're thinking of encrypting large amounts of data directly with asym-encryption, then I'll question your sanity. ;-)

A

From erik.nellessen at informatik.hu-berlin.de Sun Apr 10 12:56:09 2016
From: erik.nellessen at informatik.hu-berlin.de (Erik Nellessen)
Date: Sun, 10 Apr 2016 10:56:09 +0000
Subject: Perform only asymmetric encryption/decryption
In-Reply-To: <5707ED97.3020606@andrewg.com>
References: <5707CE00.4070705@informatik.hu-berlin.de> <5707ED97.3020606@andrewg.com>
Message-ID: <570A3149.80600@informatik.hu-berlin.de>

No, this is not about encrypting large amounts of data with asymmetric encryption. ;) It is about encrypting and decrypting small strings, which are still way smaller than the public/private key. So I guess this could be possible using the interfaces for encrypting/decrypting a data encryption key. What is the best way in OpenPGP to encrypt/decrypt small strings using asymmetric encryption/decryption directly?

Kind regards,
Erik

Andrew Gallagher:
> On 08/04/16 16:28, Erik Nellessen wrote:
>> When I encrypt data using GnuPG, GnuPG uses hybrid encryption. This
>> really is a good idea for most use cases. But in my (I admit, rather
>> special) use case, only using asymmetric encryption/decryption is
>> what I need. Is it possible to use asymmetric encryption only? The
>> interface I would wish to have takes plain data and provides an RSA
>> encrypted cipher text (and vice versa for decryption).
>
> A bit more info about your use case might be helpful (and intriguing!).
> If you're just trying to create a new asym-encrypted copy of an existing
> GPG session key (or something similar) then there might be a way. If
> you're thinking of encrypting large amounts of data directly with
> asym-encryption, then I'll question your sanity. ;-)
>
> A

From neal at walfield.org Mon Apr 11 09:40:13 2016
From: neal at walfield.org (Neal H. Walfield)
Date: Mon, 11 Apr 2016 09:40:13 +0200
Subject: Perform only asymmetric encryption/decryption
In-Reply-To: <570A3149.80600@informatik.hu-berlin.de>
References: <5707CE00.4070705@informatik.hu-berlin.de> <5707ED97.3020606@andrewg.com> <570A3149.80600@informatik.hu-berlin.de>
Message-ID: <87d1pwsiea.wl-neal@walfield.org>

On Sun, 10 Apr 2016 12:56:09 +0200, Erik Nellessen wrote:
> No, this is not about encrypting large amounts of data with asymmetric encryption. ;) It is about encrypting and decrypting small strings, which are still way smaller than the public/private key. So I guess this could be possible using the interfaces for encrypting/decrypting a data encryption key. What is the best way in OpenPGP to encrypt/decrypt small strings using asymmetric encryption/decryption directly?

You can extract the session key using --show-session-key and set the session key using --override-session-key

  $ echo | gpg2 --no-options -c | gpg2 --show-session-key -d
  gpg: session key: '7:7BF4443B3652BD25CEC2BA641135AC58'

The format of the session key is algorithm id and the hex-encoded data.

The created message has the following form:

  echo | gpg2 --no-options -c | gpg2 --list-packets
  # off=0 ctb=8c tag=3 hlen=2 plen=13
  :symkey enc packet: version 4, cipher 7, s2k 3, hash 2
          salt 6E31D6F821C697BD, count 24117248 (231)
  # off=15 ctb=d2 tag=18 hlen=2 plen=54 new-ctb
  :encrypted data packet:
          length: 54
          mdc_method: 2
  # off=36 ctb=a3 tag=8 hlen=1 plen=0 indeterminate
  :compressed packet: algo=1
  # off=38 ctb=cb tag=11 hlen=2 plen=7 new-ctb
  :literal data packet:
          mode b (62), created 1460360139, name="",
          raw data: 1 bytes

That is, it has an SK-ESK packet and a symmetrically encrypted packet. You just want the SK-ESK, which should be relatively straightforward to extract. Unfortunately, IIRC, if GnuPG doesn't have an encrypted body, it won't show the session key when --show-session-key is used. But, this can be changed relatively easily.
A more fundamental problem is that GnuPG will warn (or perhaps error out?) if the provided session key is weak.

Good luck!

:) Neal

From erik.nellessen at informatik.hu-berlin.de Mon Apr 11 10:49:32 2016
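Neal's --list-packets dump above shows the framing that "extracting the SK-ESK" has to deal with: an old-format header (ctb=8c) in front of the tag 3 packet and new-format headers (new-ctb) elsewhere. The following is an added example, not code from GnuPG or from anyone in the thread: a small parser for OpenPGP packet headers (RFC 4880 section 4.2, old and new format) that splits a message into packets, pulls out the ESK packets, and decodes a version 4 SK-ESK body including the iterated S2K count. The sample message is constructed to reproduce the headers in Neal's listing (a 13-octet tag 3 body with the same cipher, S2K and hash ids, salt and coded count 231, then a tag 18 packet with a 54-octet body); the tag 18 body is an opaque placeholder, not real ciphertext.

```python
"""Split an OpenPGP message into packets and decode its SK-ESK packet.

Added example, not code from GnuPG or from the thread. It implements the
packet framing of RFC 4880 section 4.2 (old- and new-format headers) and
the version 4 symmetric-key ESK packet (tag 3) shown by --list-packets in
the thread, including the iterated-and-salted S2K count decoding. The
sample message is constructed to match that listing; the 54-octet tag 18
body is an opaque placeholder, not real ciphertext.
"""
from dataclasses import dataclass

ESK_TAGS = {1: "public-key ESK", 3: "symmetric-key ESK"}

# Constructed SK-ESK body: version 4, cipher 7 (AES-128), S2K type 3
# (iterated+salted), hash 2 (SHA-1), 8-octet salt, coded count 231 (0xE7).
SKESK_BODY = bytes([4, 7, 3, 2]) + bytes.fromhex("6E31D6F821C697BD") + bytes([0xE7])

# Old-format header 0x8c = tag 3 with a one-octet length, then the 13-octet
# body; new-format header 0xd2 = tag 18 with a one-octet length of 54.
SAMPLE_MESSAGE = (bytes([0x8C, len(SKESK_BODY)]) + SKESK_BODY
                  + bytes([0xD2, 54]) + bytes(range(1, 55)))  # placeholder body


@dataclass
class Packet:
    offset: int
    tag: int
    header_len: int
    body: bytes
    new_format: bool

    def raw(self, data):
        """The packet as it appeared on the wire, header included."""
        return data[self.offset:self.offset + self.header_len + len(self.body)]


def parse_packets(data):
    packets, off = [], 0
    while off < len(data):
        ctb = data[off]
        if not ctb & 0x80:
            raise ValueError("bit 7 of the packet tag octet must be set at offset %d" % off)
        new_format = bool(ctb & 0x40)
        if new_format:
            tag = ctb & 0x3F
            first = data[off + 1]
            if first < 192:
                hlen, plen = 2, first
            elif first < 224:
                hlen, plen = 3, ((first - 192) << 8) + data[off + 2] + 192
            elif first == 255:
                hlen, plen = 6, int.from_bytes(data[off + 2:off + 6], "big")
            else:
                raise ValueError("partial body lengths are not handled in this example")
        else:
            tag = (ctb >> 2) & 0x0F
            length_type = ctb & 0x03
            if length_type == 3:            # indeterminate: runs to end of input
                hlen, plen = 1, len(data) - off - 1
            else:                           # 1, 2 or 4 length octets
                hlen = 1 + (1 << length_type)
                plen = int.from_bytes(data[off + 1:off + hlen], "big")
        body = data[off + hlen:off + hlen + plen]
        if len(body) != plen:
            raise ValueError("truncated packet at offset %d" % off)
        packets.append(Packet(off, tag, hlen, body, new_format))
        off += hlen + plen
    return packets


def s2k_count(coded):
    """Expand the one-octet iterated S2K count (RFC 4880 section 3.7.1.3)."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def decode_skesk(body):
    """Decode a version 4 SK-ESK body into its fields."""
    if body[0] != 4:
        raise ValueError("only version 4 SK-ESK packets are handled")
    info = {"version": 4, "cipher": body[1], "s2k_type": body[2], "hash": body[3]}
    pos = 4
    if info["s2k_type"] in (1, 3):
        info["salt"] = body[pos:pos + 8]
        pos += 8
    if info["s2k_type"] == 3:
        info["count"] = s2k_count(body[pos])
        pos += 1
    # Optional trailing field: the session key encrypted under the S2K-derived
    # key. Absent when the S2K output itself is the session key (as above).
    info["encrypted_session_key"] = body[pos:]
    return info


def extract_esk_packets(data):
    """Return the raw bytes of every ESK packet (tags 1 and 3) in the message."""
    return [p.raw(data) for p in parse_packets(data) if p.tag in ESK_TAGS]


if __name__ == "__main__":
    for p in parse_packets(SAMPLE_MESSAGE):
        print("off=%d tag=%d hlen=%d plen=%d%s" % (
            p.offset, p.tag, p.header_len, len(p.body), " new-ctb" if p.new_format else ""))
    print(decode_skesk(parse_packets(SAMPLE_MESSAGE)[0].body))
```

Run stand-alone it prints the same off/tag/hlen/plen values as the first two lines of Neal's listing and the decoded count 24117248. The parser stops at partial body lengths on purpose: a practitioner splitting real messages will also meet those (new-format length octets 224 to 254), and a parser that silently misreads them produces wrong packet boundaries rather than an error.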
From: erik.nellessen at informatik.hu-berlin.de (Erik Nellessen)
Date: Mon, 11 Apr 2016 08:49:32 +0000
Subject: Perform only asymmetric encryption/decryption
In-Reply-To: <87d1pwsiea.wl-neal@walfield.org>
References: <5707CE00.4070705@informatik.hu-berlin.de> <5707ED97.3020606@andrewg.com> <570A3149.80600@informatik.hu-berlin.de> <87d1pwsiea.wl-neal@walfield.org>
Message-ID: <570B651C.9010906@informatik.hu-berlin.de>

If I understand it correctly, --override-session-key does not allow me to set the session key before encryption. It allows me to set the session key when decrypting, so I can do it without using the private key. The option is used to reveal the content of messages without revealing the private key.

See: http://security.stackexchange.com/questions/115231/how-to-decrypt-a-message-using-only-session-key

But following this approach, I would need to be able to change the session key before encryption. So I think this does not solve the problem yet. Am I right? Any other ideas?

Kind regards,
Erik

Neal H. Walfield:
> On Sun, 10 Apr 2016 12:56:09 +0200,
> Erik Nellessen wrote:
>> No, this is not about encrypting large amounts of data with asymmetric encryption. ;) It is about encrypting and decrypting small strings, which are still way smaller than the public/private key. So I guess this could be possible using the interfaces for encrypting/decrypting a data encryption key. What is the best way in OpenPGP to encrypt/decrypt small strings using asymmetric encryption/decryption directly?
>
> You can extract the session key using --show-session-key and set the
> session key using --override-session-key
>
> $ echo | gpg2 --no-options -c | gpg2 --show-session-key -d
> gpg: session key: '7:7BF4443B3652BD25CEC2BA641135AC58'
>
> The format of the session key is algorithm id and the hex-encoded
> data.
>
> The created message has the following form:
>
> echo | gpg2 --no-options -c | gpg2 --list-packets
> # off=0 ctb=8c tag=3 hlen=2 plen=13
> :symkey enc packet: version 4, cipher 7, s2k 3, hash 2
>         salt 6E31D6F821C697BD, count 24117248 (231)
> # off=15 ctb=d2 tag=18 hlen=2 plen=54 new-ctb
> :encrypted data packet:
>         length: 54
>         mdc_method: 2
> # off=36 ctb=a3 tag=8 hlen=1 plen=0 indeterminate
> :compressed packet: algo=1
> # off=38 ctb=cb tag=11 hlen=2 plen=7 new-ctb
> :literal data packet:
>         mode b (62), created 1460360139, name="",
>         raw data: 1 bytes
>
> That is, it has an SK-ESK packet and a symmetrically encrypted packet.
> You just want the SK-ESK, which should be relatively straightforward
> to extract. Unfortunately, IIRC, if GnuPG doesn't have an encrypted
> body, it won't show the session key when --show-session-key is used.
> But, this can be changed relatively easily.
>
> A more fundamental problem is that GnuPG will warn (or perhaps error
> out?) if the provided session key is weak.
>
> Good luck!
>
> :) Neal
>

From neal at walfield.org Mon Apr 11 11:33:52 2016
From: neal at walfield.org (Neal H. Walfield)
Date: Mon, 11 Apr 2016 11:33:52 +0200
Subject: Perform only asymmetric encryption/decryption
In-Reply-To: <570B651C.9010906@informatik.hu-berlin.de>
References: <5707CE00.4070705@informatik.hu-berlin.de> <5707ED97.3020606@andrewg.com> <570A3149.80600@informatik.hu-berlin.de> <87d1pwsiea.wl-neal@walfield.org> <570B651C.9010906@informatik.hu-berlin.de>
Message-ID: <87a8l0sd4v.wl-neal@walfield.org>

On Mon, 11 Apr 2016 10:49:32 +0200, Erik Nellessen wrote:
>
> If I understand it correctly, --override-session-key does not allow me to set the session key before encryption. It allows me to set the session key when decrypting, so I can do it without using the private key. The option is used to reveal the content of messages without revealing the private key.
>
> See: http://security.stackexchange.com/questions/115231/how-to-decrypt-a-message-using-only-session-key
>
> But following this approach, I would need to be able to change the session key before encryption. So I think this does not solve the problem yet. Am I right? Any other ideas?

You're right. If you are willing to modify GnuPG, this is easy to change, however. (Look at seskey.c:make_session_key and have it use the contents of opt.override_session_key rather than generate a random key.)

:) Neal

From wk at gnupg.org Mon Apr 11 15:16:17 2016
From: wk at gnupg.org (Werner Koch)
Date: Mon, 11 Apr 2016 15:16:17 +0200
Subject: Perform only asymmetric encryption/decryption
In-Reply-To: <570A3149.80600@informatik.hu-berlin.de> (Erik Nellessen's message of "Sun, 10 Apr 2016 10:56:09 +0000")
References: <5707CE00.4070705@informatik.hu-berlin.de> <5707ED97.3020606@andrewg.com> <570A3149.80600@informatik.hu-berlin.de>
Message-ID: <87fuusi8v2.fsf@wheatstone.g10code.de>

On Sun, 10 Apr 2016 12:56, erik.nellessen at informatik.hu-berlin.de said:

> No, this is not about encrypting large amounts of data with asymmetric
> encryption. ;) It is about encrypting and decrypting small strings,
> which are still way smaller than the public/private key. So I guess

You better stick to the hybrid encryption scheme unless you want to violate implicit security assumptions. In particular we know that we use the public key algorithm to encrypt a random string (the session key).

In any case you are working outside of the OpenPGP spec and thus you would be better off to have someone design you a new protocol to suit your special purpose.

Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From philip.colmer at linaro.org Mon Apr 11 15:43:10 2016
From: philip.colmer at linaro.org (Philip Colmer)
Date: Mon, 11 Apr 2016 14:43:10 +0100
Subject: Using LDAP keyservers with gpg 2.1.11
In-Reply-To:
References: <8760vtscs5.fsf@wheatstone.g10code.de> <570684EF.2020307@sumptuouscapital.com> <57078E3B.8070704@sumptuouscapital.com>
Message-ID:

OK ... I've done some more digging.

The command KEYSERVER --clear was failing because it doesn't like the embedded username and password, i.e. it only works if the configuration just specifies ldaps://login.linaro.org.

So, stripping the username and password out gets *that* bit of the code to work but ultimately fails when the code tries to send the key because it no longer has any authentication information.

How/where am I supposed to specify the username and password? I've tried specifying:

keyserver-options binddn="uid=user1,ou=PGP Keys,dc=EXAMPLE,dc=ORG"
keyserver-options bindpw=PASSWORD

which is what https://wiki.gnupg.org/LDAPKeyserver suggests, but the software complains they are unrecognised; I suspect that gnupg 2.1 removed those but it isn't clear if they got replaced by something else.

Thanks.

Philip

On 8 April 2016 at 12:19, Philip Colmer wrote:
> On 8 April 2016 at 11:55, Kristian Fiskerstrand
> wrote:
>>>> is ldap listed as a schema when doing KEYSERVER --help ? you can
>>>> also check if ldd /usr/bin/dirmngr shows a linkage to libldap
>
> Thanks for this suggestion. dirmngr wasn't listing ldap, so I've
> installed the extra bits, rebuilt and now it is.
>
> However, unfortunately, now --send-key breaks earlier than it was :(
>
> gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache
> memstat trust hashing cardio ipc clock lookup extprog
> gpg: DBG: [not enabled in the source] start
> gpg: DBG: chan_3 <- # Home: /home/ubuntu/.gnupg
> gpg: DBG: chan_3 <- # Config: /home/ubuntu/.gnupg/dirmngr.conf
> gpg: DBG: chan_3 <- OK Dirmngr 2.1.11 at your service
> gpg: DBG: connection to the dirmngr established
> gpg: DBG: chan_3 -> GETINFO version
> gpg: DBG: chan_3 <- D 2.1.11
> gpg: DBG: chan_3 <- OK
> gpg: DBG: chan_3 -> KEYSERVER --clear
> ldaps://:@login.linaro.org?dc=linaro,dc=org
> gpg: DBG: chan_3 <- ERR 167772161 General error
> gpg: no keyserver known
> gpg: keyserver send failed: No keyserver available
> gpg: DBG: chan_3 -> BYE
> gpg: DBG: [not enabled in the source] stop
>
> This used to be the output ...
>
> gpg: DBG: [not enabled in the source] start
> gpg: DBG: chan_3 <- # Home: /home/ubuntu/.gnupg
> gpg: DBG: chan_3 <- # Config: /home/ubuntu/.gnupg/dirmngr.conf
> gpg: DBG: chan_3 <- OK Dirmngr 2.1.11 at your service
> gpg: DBG: chan_4 <- # Home: /home/ubuntu/.gnupg
> gpg: DBG: chan_4 <- # Config: /home/ubuntu/.gnupg/dirmngr.conf
> gpg: DBG: chan_4 <- OK Dirmngr 2.1.11 at your service
> gpg: DBG: connection to the dirmngr established
> gpg: DBG: chan_4 -> GETINFO version
> gpg: DBG: chan_4 <- D 2.1.11
> gpg: DBG: chan_4 <- OK
> gpg: DBG: chan_4 -> KEYSERVER --clear ldaps://:@login.linaro.org
> gpg: DBG: chan_4 <- OK
> gpg: DBG: chan_4 -> KEYSERVER
> gpg: DBG: chan_4 <- S KEYSERVER ldaps://uid=:@login.linaro.org
> gpg: DBG: chan_4 <- OK
> gpg: DBG: [not enabled in the source] keydb_new
> gpg: DBG: [not enabled in the source] keydb_search enter
>
> Regards
>
> Philip

From w at uter.be Mon Apr 11 14:13:18 2016
From: w at uter.be (Wouter Verhelst)
Date: Mon, 11 Apr 2016 14:13:18 +0200
Subject: Deleting a smart card secret key stub from the secret keyring
Message-ID: <20160411121318.GB10077@grep.be>

Hi,

I recently bought an OpenPGP smart card, and am now evaluating before deciding whether to move my secret key to the card. To that end, I've generated (and destroyed, by way of "gpg2 --edit-card"'s factory-reset command) a number of keys.

However, I noticed that the factory-reset doesn't delete the secret key stub from my secret keyring; and now I get this:

wouter at gangtai:~$ LC_ALL=C gpg2 --delete-secret-key b36c8212
gpg (GnuPG) 2.1.11; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

sec  rsa4096/B36C8212 2016-04-02 Wouter Verhelst (Debian)

Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
gpg: deleting secret key failed: Not possible with a card based key
gpg: deleting secret subkey failed: Not possible with a card based key
gpg: deleting secret subkey failed: Not possible with a card based key
gpg: b36c8212: delete key failed: Not possible with a card based key

How do I tell GnuPG that this secret key is no longer in existence, and that it should remove it from its list of secret keys? I've removed it from the card, and I didn't create a backup copy (since this was only a test key, after all).

I suppose I could just wipe out my entire secret keyring, but I'd rather not do that, since it contains my production GPG keys...

--
< ron> I mean, the main *practical* problem with C++, is there's like a dozen people in the world who think they really understand all of its rules, and pretty much all of them are just lying to themselves too.
 -- #debian-devel, OFTC, 2016-02-12
From wk at gnupg.org Tue Apr 12 19:08:44 2016
From: wk at gnupg.org (Werner Koch)
Date: Tue, 12 Apr 2016 19:08:44 +0200
Subject: Deleting a smart card secret key stub from the secret keyring
In-Reply-To: <20160411121318.GB10077@grep.be> (Wouter Verhelst's message of "Mon, 11 Apr 2016 14:13:18 +0200")
References: <20160411121318.GB10077@grep.be>
Message-ID: <87lh4ig3fn.fsf@wheatstone.g10code.de>

On Mon, 11 Apr 2016 14:13, w at uter.be said:

> How do I tell GnuPG that this secret key is no longer in existence, and
> that it should remove it from its list of secret keys? I've removed it

  gpg --with-keygrip -k b36c8212

Which gives you a /Keygrip/. For a card based key gpg-agent creates a file

  ~/.gnupg/private-keys-v1.d/KEYGRIP.key

to store public key parameters and the serial number of the card, so that gpg-agent can ask you to insert the card it wants to use. Just delete that file, however it will be re-created when you insert a card.

  gpg-connect-agent 'keyinfo --list' /bye

prints a list of all keys known by gpg-agent with additional information.

  gpg-connect-agent 'help keyinfo' /bye

documents the used output format.

Shalom-Salam,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From w at uter.be Wed Apr 13 09:57:07 2016
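Werner's answer above names two outputs that together identify a card stub: the keygrip from "gpg --with-keygrip -k" and the key type in "keyinfo --list". The following is an added example, not code from GnuPG or from anyone in the thread: it parses the colon-format listing (the keygrip is the tenth field of a "grp" record) and the KEYINFO status lines (a type of "T" means the private key is on a token/card, so the file under private-keys-v1.d is only a stub), and lists the stub files belonging to one key id; deletion is a dry run unless asked otherwise. Assumptions: GnuPG 2.1 output formats, gpg and gpg-connect-agent on PATH for the live helper; the key id, keygrips and card serial in the sample outputs are constructed placeholders.

```python
"""List the gpg-agent stub files that belong to card-based keys.

Added example, not code from GnuPG or from the thread. It parses the two
outputs named in the thread: the 'grp' records of
'gpg --with-colons --with-keygrip -k' (the keygrip is the tenth field) and
the 'KEYINFO' status lines of 'gpg-connect-agent "keyinfo --list" /bye',
where a key type of 'T' means the private key lives on a token/card and
only a stub file exists under private-keys-v1.d. Assumptions: GnuPG 2.1
output formats; the key id, keygrips and card serial in the samples are
constructed placeholders.
"""
import os
import shutil
import subprocess

GRIP_PRIMARY = "1" * 40  # placeholder keygrips (40 hex digits each)
GRIP_SUBKEY = "2" * 40
GRIP_ON_DISK = "3" * 40

# Constructed colon-format listing: one primary key with one subkey.
SAMPLE_COLONS = f"""\
tru::1:1460000000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1459580000:::u:::scESC::::::23::0:
fpr:::::::::000000000000000000000000012345689ABCDEF:
grp:::::::::{GRIP_PRIMARY}:
uid:u::::1459580000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Test User (constructed) <test@example.invalid>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1459580000::::::e::::::23:
fpr:::::::::000000000000000000000000FEDCBA9876543210:
grp:::::::::{GRIP_SUBKEY}:
"""

# Constructed 'keyinfo --list' reply: fields are keygrip, type, serial, ...
# ('T' = on a token/card, 'D' = private key file on disk).
SAMPLE_KEYINFO = f"""\
S KEYINFO {GRIP_PRIMARY} T CARD-SERIAL-PLACEHOLDER - - - - - -
S KEYINFO {GRIP_SUBKEY} T CARD-SERIAL-PLACEHOLDER - - - - - -
S KEYINFO {GRIP_ON_DISK} D - - - P - - -
OK
"""


def keygrips_for_key(colons_output, keyid):
    """Keygrips of the primary key and subkeys in the block whose pub key id ends with keyid."""
    grips, in_block = [], False
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            in_block = fields[4].upper().endswith(keyid.upper())
        elif fields[0] == "grp" and in_block:
            grips.append(fields[9])
    return grips


def card_keygrips(keyinfo_output):
    """Map keygrip -> card serial number for every KEYINFO line of type 'T'."""
    cards = {}
    for line in keyinfo_output.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[:2] == ["S", "KEYINFO"] and fields[3] == "T":
            cards[fields[2]] = fields[4]
    return cards


def card_stubs_for_key(colons_output, keyinfo_output, keyid, homedir="~/.gnupg"):
    """Paths of the KEYGRIP.key stub files of keyid that refer to a card."""
    cards = card_keygrips(keyinfo_output)
    stub_dir = os.path.join(os.path.expanduser(homedir), "private-keys-v1.d")
    return [os.path.join(stub_dir, grip + ".key")
            for grip in keygrips_for_key(colons_output, keyid) if grip in cards]


def remove_stubs(paths, dry_run=True):
    """Delete existing stub files; with dry_run only report them. Returns the paths acted on."""
    acted = []
    for path in paths:
        if os.path.isfile(path):
            if not dry_run:
                os.remove(path)
            acted.append(path)
    return acted


def live_card_stubs(keyid, homedir="~/.gnupg"):
    """Run the real commands (assumption: gpg and gpg-connect-agent 2.1+ on PATH)."""
    if not (shutil.which("gpg") and shutil.which("gpg-connect-agent")):
        raise RuntimeError("gpg tools not found on PATH")
    colons = subprocess.run(["gpg", "--with-colons", "--with-keygrip", "-k", keyid],
                            capture_output=True, text=True, check=True).stdout
    keyinfo = subprocess.run(["gpg-connect-agent", "keyinfo --list", "/bye"],
                             capture_output=True, text=True, check=True).stdout
    return card_stubs_for_key(colons, keyinfo, keyid, homedir)


if __name__ == "__main__":
    # Offline walk-through on the constructed samples; nothing is deleted.
    for path in card_stubs_for_key(SAMPLE_COLONS, SAMPLE_KEYINFO, "89ABCDEF"):
        print("would remove", path)
```

Filtering on type "T" is the safeguard: a "D" entry is a real private key file, and a script that removed every KEYGRIP.key for a key id would also delete on-disk private keys when a key block mixes card subkeys with disk subkeys.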
From: w at uter.be (Wouter Verhelst)
Date: Wed, 13 Apr 2016 09:57:07 +0200
Subject: Deleting a smart card secret key stub from the secret keyring
In-Reply-To: <87lh4ig3fn.fsf@wheatstone.g10code.de>
References: <20160411121318.GB10077@grep.be> <87lh4ig3fn.fsf@wheatstone.g10code.de>
Message-ID: <20160413075707.GB2722@grep.be>

On Tue, Apr 12, 2016 at 07:08:44PM +0200, Werner Koch wrote:
> On Mon, 11 Apr 2016 14:13, w at uter.be said:
>
> > How do I tell GnuPG that this secret key is no longer in existence, and
> > that it should remove it from its list of secret keys? I've removed it
>
> gpg --with-keygrip -k b36c8212
>
> Which gives you a /Keygrip/. For a card based key gpg-agent creates a
> file
>
> ~/.gnupg/private-keys-v1.d/KEYGRIP.key
>
> to store public key parameters and the serial number of the card, so
> that gpg-agent can ask you to insert the card it wants to use. Just
> delete that file,

Thanks, that worked.

> however it will be re-created when you insert a card.

Presumably, when I insert the card with the same key?

--
< ron> I mean, the main *practical* problem with C++, is there's like a dozen people in the world who think they really understand all of its rules, and pretty much all of them are just lying to themselves too.
 -- #debian-devel, OFTC, 2016-02-12

From thecissou98 at hotmail.fr Thu Apr 14 22:41:45 2016
From: thecissou98 at hotmail.fr (Francis Le Roy)
Date: Thu, 14 Apr 2016 22:41:45 +0200
Subject: Problem with decrypt
Message-ID:

Hi,

I'm trying to decrypt a cipher using gpgme. I have a correct cipher and have imported the private key but the plain result of gpgme_op_decrypt is empty. The error returned is GPG_ERR_NO_ERROR...

Thanks.

F.

Please CC me, I haven't subscribed to the mailing list.

From wk at gnupg.org Fri Apr 15 17:42:37 2016
From: wk at gnupg.org (Werner Koch)
Date: Fri, 15 Apr 2016 17:42:37 +0200
Subject: [Announce] Libgcrypt 1.7.0 released
Message-ID: <87vb3iyj2q.fsf@wheatstone.g10code.de>

Hello!

The GnuPG Project is pleased to announce the availability of Libgcrypt version 1.7.0. This is a new stable version of Libgcrypt with full API and ABI compatibility to the 1.6 series. Its main features are new algorithms, curves, and performance improvements.

Libgcrypt is a general purpose library of cryptographic building blocks. It is originally based on code used by GnuPG. It does not provide any implementation of OpenPGP or other protocols. Thorough understanding of applied cryptography is required to use Libgcrypt.

Noteworthy changes between version 1.6.0 and 1.7.0:
===================================================

* New algorithms and modes:

  - SHA3-224, SHA3-256, SHA3-384, SHA3-512, and MD2 hash algorithms.
  - SHAKE128 and SHAKE256 extendable-output hash algorithms.
  - ChaCha20 stream cipher.
  - Poly1305 message authentication algorithm.
  - ChaCha20-Poly1305 Authenticated Encryption with Associated Data mode.
  - OCB mode.
  - HMAC-MD2 for use by legacy applications.

* New curves for ECC:

  - Curve25519.
  - secp256k1.
  - GOST R 34.10-2001 and GOST R 34.10-2012.

* Performance:

  - Improved performance of KDF functions.
  - Assembler optimized implementations of Blowfish and Serpent on ARM.
  - Assembler optimized implementation of 3DES on x86.
  - Improved AES using the SSSE3 based vector permutation method by Mike Hamburg.
  - AVX/BMI is used for SHA-1 and SHA-256 on x86. This is for SHA-1 about 20% faster than SSSE3 and more than 100% faster than the generic C implementation.
  - 40% speedup for SHA-512 and 72% for SHA-1 on ARM Cortex-A8.
  - 60-90% speedup for Whirlpool on x86.
  - 300% speedup for RIPE MD-160.
  - Up to 11 times speedup for CRC functions on x86.

* Other features:

  - Improved ECDSA and FIPS 186-4 compliance.
  - Support for Montgomery curves.
   - gcry_cipher_set_sbox to tweak S-boxes of the gost28147 cipher
     algorithm.
   - gcry_mpi_ec_sub to subtract two points on a curve.
   - gcry_mpi_ec_decode_point to decode an MPI into a point object.
   - Emulation for broken Whirlpool code prior to 1.6.0. [from 1.6.1]
   - Flag "pkcs1-raw" to enable PKCS#1 padding with a user supplied
     hash part.
   - Parameter "saltlen" to set a non-default salt length for RSA PSS.
   - A SP800-90A conforming DRNG replaces the former X9.31 alternative
     random number generator.
   - Map deprecated RSA algo number to the RSA algo number for better
     backward compatibility. [from 1.6.2]
   - Use ciphertext blinding for Elgamal decryption [CVE-2014-3591].
     See http://www.cs.tau.ac.il/~tromer/radioexp/ for details.
     [from 1.6.3]
   - Fixed data-dependent timing variations in modular exponentiation
     [related to CVE-2015-0837, Last-Level Cache Side-Channel Attacks
     are Practical]. [from 1.6.3]
   - Flag "no-keytest" for ECC key generation. Due to a bug in the
     parser that flag will also be accepted but ignored by older
     versions of Libgcrypt. [from 1.6.4]
   - Speed up the random number generator by requiring less extra
     seeding. [from 1.6.4]
   - Always verify a created RSA signature to avoid private key leaks
     due to hardware failures. [from 1.6.4]
   - Mitigate side-channel attack on ECDH with Weierstrass curves
     [CVE-2015-7511]. See http://www.cs.tau.ac.IL/~tromer/ecdh/ for
     details. [from 1.6.5]

 * Internal changes:
   - Moved locking out to libgpg-error.
   - Support of the SYSROOT envvar in the build system.
   - Refactor some code.
   - The availability of a 64 bit integer type is now mandatory.

 * Bug fixes:
   - Fixed message digest lookup by OID (regression in 1.6.0).
   - Fixed a build problem on NetBSD.
   - Fixed memory leaks in ECC code.
   - Fixed some asm build problems and feature detection bugs.

For interface changes relative to the 1.6.0 release see below [4].

Note that the 1.6 series will enter end-of-life state on 2017-06-30.
Download
========

Source code is hosted at the GnuPG FTP server and its mirrors as listed
at https://gnupg.org/download/mirrors.html . On the primary server the
source tarball and its digital signature are:

 ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.7.0.tar.bz2 (2477k)
 ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.7.0.tar.bz2.sig

That file is bzip2 compressed. A gzip compressed version is here:

 ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.7.0.tar.gz (3309k)
 ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.7.0.tar.gz.sig

The same files are also available via HTTP:

 https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.7.0.tar.bz2
 https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.7.0.tar.bz2.sig
 https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.7.0.tar.gz
 https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.7.0.tar.gz.sig

In order to check that the version of Libgcrypt you downloaded is an
original and unmodified file please follow the instructions found at .
In short, you may use one of the following methods:

 - Check the supplied OpenPGP signature. For example to check the
   signature of the file libgcrypt-1.7.0.tar.bz2 you would use this
   command:

     gpg --verify libgcrypt-1.7.0.tar.bz2.sig libgcrypt-1.7.0.tar.bz2

   This checks whether the signature file matches the source file. You
   should see a message indicating that the signature is good and made
   by one or more of the release signing keys.

 - If you are not able to use GnuPG, you have to verify the SHA-1
   checksum:

     sha1sum libgcrypt-1.7.0.tar.bz2

   and check that the output matches the first line from the following
   list:

     f840b737faafded451a084ae143285ad68bbfb01  libgcrypt-1.7.0.tar.bz2
     b6b6cfea349ca18a658a18a6365f5e2ca78fe1cc  libgcrypt-1.7.0.tar.gz

   You should also verify that the checksums above are authentic by
   matching them with copies of this announcement. Those copies can be
   found at other mailing lists, web sites, and search engines.
Copying
=======

Libgcrypt is distributed under the terms of the GNU Lesser General
Public License (LGPLv2.1+). The helper programs as well as the
documentation are distributed under the terms of the GNU General Public
License (GPLv2+). The file LICENSES has notices about contributions that
require that these additional notices are distributed.

Support
=======

For help on developing with Libgcrypt you should read the included
manual and optionally ask on the gcrypt-devel mailing list [1].

A listing with commercial support offers for Libgcrypt and related
software is available at the GnuPG web site [2].

If you are a developer and you may need a certain feature for your
project, please do not hesitate to bring it to the gcrypt-devel mailing
list for discussion.

Maintenance and development of Libgcrypt is mostly financed by
donations; see . We currently employ 3 full-time developers, one
part-timer, and one contractor to work on GnuPG and closely related
software like Libgcrypt.

Thanks
======

We like to thank all the people who helped with this release, be it
testing, coding, translating, suggesting, auditing, administering the
servers, spreading the word, and answering questions on the mailing
lists. Also many thanks to all our donors [3]. Special thanks go to
Jussi Kivilinna for all of his performance improvement work.

For the GnuPG hackers,

  Werner

p.s.
This is an announcement only mailing list. Please send replies only to
the gcrypt-devel 'at' gnupg.org mailing list.

[1] https://lists.gnupg.org/mailman/listinfo/gcrypt-devel
[2] https://www.gnupg.org/service.html
[3] https://gnupg.org/donate/kudos.html
[4] Interface changes relative to the 1.6.0 release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
gcry_cipher_final           NEW macro.
GCRY_CIPHER_MODE_CFB8       NEW constant.
GCRY_CIPHER_MODE_OCB        NEW.
GCRY_CIPHER_MODE_POLY1305   NEW.
gcry_cipher_set_sbox        NEW macro.
gcry_mac_get_algo           NEW.
GCRY_MAC_HMAC_MD2           NEW.
GCRY_MAC_HMAC_SHA3_224      NEW.
GCRY_MAC_HMAC_SHA3_256      NEW.
GCRY_MAC_HMAC_SHA3_384      NEW.
GCRY_MAC_HMAC_SHA3_512      NEW.
GCRY_MAC_POLY1305           NEW.
GCRY_MAC_POLY1305_AES       NEW.
GCRY_MAC_POLY1305_CAMELLIA  NEW.
GCRY_MAC_POLY1305_SEED      NEW.
GCRY_MAC_POLY1305_SERPENT   NEW.
GCRY_MAC_POLY1305_TWOFISH   NEW.
gcry_md_extract             NEW.
GCRY_MD_FLAG_BUGEMU1        NEW [from 1.6.1].
GCRY_MD_GOSTR3411_CP        NEW.
GCRY_MD_SHA3_224            NEW.
GCRY_MD_SHA3_256            NEW.
GCRY_MD_SHA3_384            NEW.
GCRY_MD_SHA3_512            NEW.
GCRY_MD_SHAKE128            NEW.
GCRY_MD_SHAKE256            NEW.
gcry_mpi_ec_decode_point    NEW.
gcry_mpi_ec_sub             NEW.
GCRY_PK_EDDSA               NEW constant.
GCRYCTL_GET_TAGLEN          NEW.
GCRYCTL_SET_SBOX            NEW.
GCRYCTL_SET_TAGLEN          NEW.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-- 
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

_______________________________________________
Gnupg-announce mailing list
Gnupg-announce at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce

From wk at gnupg.org Fri Apr 15 19:03:29 2016
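The announcement's Download section gives two checks for a downloaded tarball: the detached OpenPGP signature, and, as a fallback, the SHA-1 of the file against the list in the mail. The helper below is an added example and not part of Werner's announcement or of the Libgcrypt project; it automates the fallback by looking the file up by name in a pasted checksum list and comparing, so a mismatch or an unlisted file is reported by exit status rather than by eyeballing hex. The two announced values in ANNOUNCED_SHA1 are the ones quoted above; the function names (sha1_of, verify_sha1, verify_signature) are my own, and the signature helper simply wraps the gpg --verify call from the announcement.

```shell
#!/bin/sh
# Added example (not from the announcement): check a downloaded release
# file against the checksum lines pasted from the release mail.

# The two lines quoted in the announcement above, in sha1sum's own
# "HASH  FILENAME" format, so they can be pasted in unchanged.
ANNOUNCED_SHA1='f840b737faafded451a084ae143285ad68bbfb01  libgcrypt-1.7.0.tar.bz2
b6b6cfea349ca18a658a18a6365f5e2ca78fe1cc  libgcrypt-1.7.0.tar.gz'

# SHA-1 of a file: GNU coreutils sha1sum where present, otherwise the
# perl-based shasum shipped on BSD and macOS. Prints only the hex digest.
sha1_of() {
  if command -v sha1sum >/dev/null 2>&1; then
    sha1sum "$1" | cut -d' ' -f1
  else
    shasum -a 1 "$1" | cut -d' ' -f1
  fi
}

# verify_sha1 LIST FILE
#   exit 0: FILE's digest equals the announced one
#   exit 1: FILE is listed but the digest differs (treat as a bad download)
#   exit 2: FILE's basename does not appear in LIST at all
# The file is matched by its basename, so a download saved under a
# different name is reported as unlisted instead of silently accepted.
verify_sha1() {
  list=$1
  file=$2
  name=$(basename "$file")
  expected=$(printf '%s\n' "$list" | awk -v n="$name" '$2 == n { print $1; exit }')
  [ -n "$expected" ] || return 2
  actual=$(sha1_of "$file")
  [ "$actual" = "$expected" ]
}

# verify_signature FILE
# The preferred check from the announcement: FILE.sig must be a valid
# detached signature over FILE. gpg exits 0 only when the signature
# verifies; which key made it still has to be compared against the
# published release signing keys, which this wrapper does not do.
verify_signature() {
  gpg --verify "$1.sig" "$1"
}

# Usage on a real download (the test below uses a constructed list):
#   verify_sha1 "$ANNOUNCED_SHA1" ./libgcrypt-1.7.0.tar.bz2 || echo "bad tarball"
```

Because the announced list is authenticated only by its being widely mirrored, the SHA-1 route confirms that you have the file the mail describes, not that the mail itself is genuine; the signature route is the one to prefer whenever gpg is available.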
From: wk at gnupg.org (Werner Koch)
Date: Fri, 15 Apr 2016 19:03:29 +0200
Subject: Problem with decrypt
In-Reply-To: (Francis Le Roy's message of "Thu, 14 Apr 2016 22:41:45 +0200")
References: 
Message-ID: <87d1pqyfby.fsf@wheatstone.g10code.de>

On Thu, 14 Apr 2016 22:41, thecissou98 at hotmail.fr said:

> I'm trying to decrypt a cipher using gpgme. I have a correct cipher and
> have imported the private key but the plain result of gpgme_op_decrypt
> is empty. The error returned is GPG_ERR_NO_ERROR...

Which means success. In general you test for an error this way:

  err = gpgme_foo (&data);
  if (err)

Of course you could also do

  if (err != 0)
    report_error_foo (gpg_strerror (err));
  else
    process_returned_data (data);

which is identical to the above or

  if (err != GPG_ERR_NO_ERROR)
    report_error_foo (gpg_strerror (err));
  else
    process_returned_data (data);

which is also identical because GPG_ERR_NO_ERROR expands to 0. I would
prefer the first because it is easier to read.

If you need more help, I suggest posting a snippet of your code.

Salam-Shalom,

  Werner

ps.
And yes, some put the constant first like

  if (0 == err)

to detect an unintentional assignment to the lvalue. However, modern
compilers are pretty good at warning about unintentional assignments
and thus _I_ do not use that. Comparing false or true is anyway better
done without an explicit compare operator - that pattern is easier to
parse for the brain.

-- 
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From thecissou98 at hotmail.fr Sat Apr 16 10:37:13 2016
From: thecissou98 at hotmail.fr (Francis Le Roy)
Date: Sat, 16 Apr 2016 10:37:13 +0200
Subject: Problem with decrypt
In-Reply-To: <87d1pqyfby.fsf@wheatstone.g10code.de>
References: <87d1pqyfby.fsf@wheatstone.g10code.de>
Message-ID: 

Hi,

I am using the if (err) way to check if there is an error as
GPG_ERR_NO_ERROR is 0. But actually the gpgme_op_decrypt operation is
successful. However, when I do something like:

  int len = gpgme_data_seek(plaintextdata, 0, SEEK_END);

len is equal to zero. So I assume that the data haven't been decrypted
or written to the buffer.

Thanks.

F.

On 15 Apr 2016, at 19:05, Werner Koch wrote:
>On Thu, 14 Apr 2016 22:41, thecissou98 at hotmail.fr said:
>
>> I'm trying to decrypt a cipher using gpgme. I have a correct cipher and
>> have imported the private key but the plain result of gpgme_op_decrypt
>> is empty. The error returned is GPG_ERR_NO_ERROR...
>
>Which means success. In general you test for an error this way:
>
>  err = gpgme_foo (&data);
>  if (err)
>
>Of course you could also do
>
>  if (err != 0)
>    report_error_foo (gpg_strerror (err));
>  else
>    process_returned_data (data);
>
>which is identical to the above or
>
>  if (err != GPG_ERR_NO_ERROR)
>    report_error_foo (gpg_strerror (err));
>  else
>    process_returned_data (data);
>
>which is also identical because GPG_ERR_NO_ERROR expands to 0. I would
>prefer the first because it is easier to read.
>
>If you need more help, I suggest posting a snippet of your code.
>
>
>Salam-Shalom,
>
>  Werner
>
>
>ps.
>And yes, some put the constant first like
>  if (0 == err)
>to detect an unintentional assignment to the lvalue. However, modern
>compilers are pretty good at warning about unintentional assignments
>and thus _I_ do not use that. Comparing false or true is anyway better
>done without an explicit compare operator - that pattern is easier to
>parse for the brain.
>
>-- 
>Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
From brett at jemstep.com Tue Apr 19 09:42:54 2016
From: brett at jemstep.com (Brett Cave)
Date: Tue, 19 Apr 2016 09:42:54 +0200
Subject: Using a passphrase FD from variable and piped data for encryption
Message-ID: 

Hi all, I'm wondering if anyone uses gpg piping data to it (on a *nix
system) while also providing a passphrase-fd? Might be more of a bash /
shell question than GPG itself...

Example: I want to create an encrypted archive. I don't want to write
the passphrase to the local fs and don't want it to be visible in the
process list.

To create an archive, and then encrypt it using a variable in 2 steps:

  tar zcf dir.tgz dir
  echo $PASSPHRASE | gpg -c --passphrase-fd 0 -o dir.tgz.gpg dir.tgz

This way, the passphrase is never written to the fs and does not show up
in the process list - it is only in-memory.

Is it possible to do this in a single step using a different FD somehow?

I can do it with a redirect from a file....

  tar zcf - /path/to/stuff | gpg -c --passphrase-fd 0 -o dir.tgz.gpg 1<> passphrase-file

But how can it be done from a variable?

  tar zcf - /path/to/stuff | gpg -c --passphrase-fd 0 -o dir.tgz.gpg 1<>$(echo $passphrase-var)

The last command doesn't work, but sort of indicates what I'm trying to
do.

(I've read the previous threads discussing "why even bother encrypting
if you don't trust the system" and other "why" questions. There may be
flaws in this approach too, this is purely for "because I want to know
how to do it this way" sort of question).

Thanks,
Brett

From peter at digitalbrains.com Tue Apr 19 11:59:44 2016
From: peter at digitalbrains.com (Peter Lebbing)
Date: Tue, 19 Apr 2016 11:59:44 +0200
Subject: Using a passphrase FD from variable and piped data for encryption
In-Reply-To: 
References: 
Message-ID: <57160190.3020900@digitalbrains.com>

On 19/04/16 09:42, Brett Cave wrote:
> Hi all, I'm wondering if anyone uses gpg piping data to it (on a *nix
> To create an archive, and then encrypt it using a variable in 2 steps:
> tar zcf dir.tgz dir
> echo $PASSPHRASE | gpg -c --passphrase-fd 0 -o dir.tgz.gpg dir.tgz
>
> This way, the passphrase is never written to the fs and does not show up
> in the process list - it is only in-memory.

That doesn't seem to be the case, though. $PASSPHRASE is expanded and
fed as an argument to echo. For instance:

  $ ARGS=f
  $ ps $ARGS
  [...]
  26958 pts/1    Ss     0:01 /bin/bash
  27915 pts/1    R+     0:00  \_ ps f
  [...]

In addition, there's a good chance your environment variable ends up in
your swap space.

> But how can it be done from a variable?

I'm certainly not suggesting you use this method, but out of an
academical interest, I got it to work with:

  $ tar zcf - . | gpg -c --passphrase-fd 3 -o dir.tgz.gpg 3< <(echo test)

I'm redirecting twice. First, I redirect "echo test" to an FD or FIFO of
Bash's choosing. Then I connect that to fd 3, so I can name fd 3 as the
passphrase-fd. <(echo test) is expanded to a filename, either of the
form /dev/fd/X or of some named FIFO created by bash, if I understand
the Bash manual correctly. The space between the two less-than's is
necessary.

> [...] this is purely for "because I want to know
> how to do it this way" sort of question).

Which was my motivation exactly :).

Oh, by the way, your plaintext was already on disk. The only reason to
worry about the passphrase being on disk is that you might reuse the
passphrase, right?

Asymmetric crypto would nicely avoid the issue by never needing the
secret part to encrypt data in the first place.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From dashohoxha at gmail.com Tue Apr 19 14:12:19 2016
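The fd arrangement Peter describes above, written out as an added example (this is not code posted in the thread): the payload stays on fd 0 and the passphrase arrives on fd 3 through a separate channel. A named FIFO created with mkfifo stands in for bash's <(...) so that the script runs under plain POSIX sh; bash's process substitution is the same mechanism with the FIFO (or /dev/fd entry) managed for you. read_pass_and_data is a stand-in for gpg that only reports what it received on each fd, so the plumbing can be checked without GnuPG installed; encrypt_stream is the real invocation. The function names are my own, and the --pinentry-mode loopback option in encrypt_stream is an assumption that the caller runs GnuPG 2.1 or later, where the agent otherwise ignores --passphrase-fd.

```shell
#!/bin/sh
# Added example (not from the thread): keep the data stream on fd 0 and the
# passphrase on fd 3, which is what `3< <(echo test)` sets up for gpg.

# Stand-in for `gpg --passphrase-fd 3`: reads the passphrase from fd 3 and
# the payload from fd 0, and reports both so the test can check them.
read_pass_and_data() {
  pass=$(cat <&3)
  data=$(cat)
  printf 'pass=%s data=%s' "$pass" "$data"
}

# run_with_pass_fd PASSPHRASE COMMAND [ARGS...]  < payload
# Runs COMMAND with the caller's stdin untouched on fd 0 and PASSPHRASE
# readable once on fd 3. The writer is a subshell using the printf
# builtin, so the secret is never an argument of an external process and
# does not appear in `ps` output; the FIFO lives in a 0700 mktemp dir and
# is removed again before returning.
run_with_pass_fd() {
  secret=$1
  shift
  dir=$(mktemp -d)
  mkfifo "$dir/pass.fifo"
  # Opening a FIFO blocks until both ends are open, so the writer must be
  # backgrounded before the reader's redirection opens it.
  ( printf '%s\n' "$secret" > "$dir/pass.fifo" ) &
  "$@" 3< "$dir/pass.fifo"
  rc=$?
  wait
  rm -rf "$dir"
  return "$rc"
}

# demo_fd_split PASSPHRASE DATA -> "pass=PASSPHRASE data=DATA"
# Pipes DATA in on fd 0 while the passphrase travels on fd 3.
demo_fd_split() {
  printf '%s' "$2" | run_with_pass_fd "$1" read_pass_and_data
}

# encrypt_stream PASSPHRASE OUTFILE  < plaintext
# The real thing. --batch keeps gpg from prompting; --pinentry-mode loopback
# is needed on GnuPG 2.1+ (assumed here) for --passphrase-fd to be honoured.
# Not exercised by the test, since it needs gpg and writes OUTFILE.
encrypt_stream() {
  run_with_pass_fd "$1" gpg --batch --pinentry-mode loopback -c \
    --passphrase-fd 3 -o "$2"
}

# Usage:
#   tar zcf - /path/to/stuff | encrypt_stream "$PASSPHRASE" dir.tgz.gpg
```

Note what this does and does not buy you, in line with Peter's remarks: the passphrase is kept out of argv and off the filesystem, but it still sits in the shell's memory (and so can be swapped out), and anyone who can read the shell's or gpg's memory, or the FIFO while it is open, is outside what fd plumbing can protect against.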
From: dashohoxha at gmail.com (Dashamir Hoxha)
Date: Tue, 19 Apr 2016 14:12:19 +0200
Subject: Using a passphrase FD from variable and piped data for encryption
In-Reply-To: <57160190.3020900@digitalbrains.com>
References: <57160190.3020900@digitalbrains.com>
Message-ID: 

I have written a small password utility, where passwords are stored on
an encrypted archive. I use something like this:
 - https://github.com/dashohoxha/pw/blob/master/src/pw.sh#L26-L27

I think that all these three ways are the same (security-wise), isn't
it? The second way (described by Peter) is just more complex and more
difficult to understand, but not safer. Am I right?

Dashamir

On Tue, Apr 19, 2016 at 11:59 AM, Peter Lebbing wrote:

> On 19/04/16 09:42, Brett Cave wrote:
> > Hi all, I'm wondering if anyone uses gpg piping data to it (on a *nix
> > To create an archive, and then encrypt it using a variable in 2 steps:
> > tar zcf dir.tgz dir
> > echo $PASSPHRASE | gpg -c --passphrase-fd 0 -o dir.tgz.gpg dir.tgz
> >
> > This way, the passphrase is never written to the fs and does not show up
> > in the process list - it is only in-memory.
>
> That doesn't seem to be the case, though. $PASSPHRASE is expanded and
> fed as an argument to echo. For instance:
>
>   $ ARGS=f
>   $ ps $ARGS
>   [...]
>   26958 pts/1    Ss     0:01 /bin/bash
>   27915 pts/1    R+     0:00  \_ ps f
>   [...]
>
> In addition, there's a good chance your environment variable ends up in
> your swap space.
>
> > But how can it be done from a variable?
>
> I'm certainly not suggesting you use this method, but out of an
> academical interest, I got it to work with:
>
>   $ tar zcf - . | gpg -c --passphrase-fd 3 -o dir.tgz.gpg 3< <(echo test)
>
> I'm redirecting twice. First, I redirect "echo test" to an FD or FIFO of
> Bash's choosing. Then I connect that to fd 3, so I can name fd 3 as the
> passphrase-fd. <(echo test) is expanded to a filename, either of the
> form /dev/fd/X or of some named FIFO created by bash, if I understand
> the Bash manual correctly. The space between the two less-than's is
> necessary.
>
> > [...] this is purely for "because I want to know
> > how to do it this way" sort of question).
>
> Which was my motivation exactly :).
>
> Oh, by the way, your plaintext was already on disk. The only reason to
> worry about the passphrase being on disk is that you might reuse the
> passphrase, right?
>
> Asymmetric crypto would nicely avoid the issue by never needing the
> secret part to encrypt data in the first place.
>
> HTH,
>
> Peter.
>
> --
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

From peter at digitalbrains.com Tue Apr 19 17:20:33 2016
From: peter at digitalbrains.com (Peter Lebbing)
Date: Tue, 19 Apr 2016 17:20:33 +0200
Subject: Using a passphrase FD from variable and piped data for encryption
In-Reply-To: 
References: <57160190.3020900@digitalbrains.com>
Message-ID: <57164CC1.8030705@digitalbrains.com>

On 19/04/16 14:12, Dashamir Hoxha wrote:
> The second way (described by Peter) is just more complex and more
> difficult to understand, but not safer. Am I right?

It's not safer. Regarding the complexity, however, the data to encrypt
is already on fd 0, so you would need to move either the data or the
passphrase to another fd, I think. The example from your code on GitHub
doesn't get data piped to it, so it doesn't need multiple fd's, which is
the point where it gets more complicated.

Depending on how --passphrase-file is implemented, it might be possible
to use --passphrase-file <(echo pass), which isn't very complicated.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From dougb at dougbarton.email Tue Apr 19 21:18:35 2016
From: dougb at dougbarton.email (Doug Barton)
Date: Tue, 19 Apr 2016 12:18:35 -0700
Subject: Using a passphrase FD from variable and piped data for encryption
In-Reply-To: 
References: <57160190.3020900@digitalbrains.com>
Message-ID: <5716848B.6020701@dougbarton.email>

On 04/19/2016 05:12 AM, Dashamir Hoxha wrote:
> I have written a small password utility, where passwords are stored on
> an encrypted archive.

This is a bad idea. You should instead use one of the well-established
solutions created and peer-reviewed by knowledgeable folks. Personally
I'm a big fan of KeePass.

Doug

From dashohoxha at gmail.com Tue Apr 19 21:34:42 2016
From: dashohoxha at gmail.com (Dashamir Hoxha)
Date: Tue, 19 Apr 2016 21:34:42 +0200
Subject: Using a passphrase FD from variable and piped data for encryption
In-Reply-To: <5716848B.6020701@dougbarton.email>
References: <57160190.3020900@digitalbrains.com> <5716848B.6020701@dougbarton.email>
Message-ID: 

On Tue, Apr 19, 2016 at 9:18 PM, Doug Barton wrote:

> On 04/19/2016 05:12 AM, Dashamir Hoxha wrote:
>
>> I have written a small password utility, where passwords are stored on
>> an encrypted archive.
>
> This is a bad idea. You should instead use one of the well-established
> solutions created and peer-reviewed by knowledgeable folks. Personally
> I'm a big fan of KeePass.

Would you like to peer-review it? (If you consider yourself
knowledgeable.)

Dashamir

From brett at jemstep.com Tue Apr 19 12:33:42 2016
From: brett at jemstep.com (Brett Cave)
Date: Tue, 19 Apr 2016 12:33:42 +0200
Subject: Using a passphrase FD from variable and piped data for encryption
In-Reply-To: <57160190.3020900@digitalbrains.com>
References: <57160190.3020900@digitalbrains.com>
Message-ID: 

On Tue, Apr 19, 2016 at 11:59 AM, Peter Lebbing wrote:

> On 19/04/16 09:42, Brett Cave wrote:
> > Hi all, I'm wondering if anyone uses gpg piping data to it (on a *nix
> > To create an archive, and then encrypt it using a variable in 2 steps:
> > tar zcf dir.tgz dir
> > echo $PASSPHRASE | gpg -c --passphrase-fd 0 -o dir.tgz.gpg dir.tgz
> >
> > This way, the passphrase is never written to the fs and does not show up
> > in the process list - it is only in-memory.
>
> That doesn't seem to be the case, though. $PASSPHRASE is expanded and
> fed as an argument to echo. For instance:

Yes, it is for the duration of the echo command, but not for the
duration of the gpg run:

  $ tar zcf - somebigdir | gpg -c --passphrase-fd 0 -o test.tgz.gpg 1< <(echo foo)
  ^Z   (ctrl + z)
  [1]+  Stopped   tar.. etc
  $ ps faux | egrep 'foo|echo'
  # only matches the grep, there's no echo process running any more
  $ ps faux | grep gpg
  # gpg command found running without passphrase, e.g. pid 2023
  $ lsof -p 2023
  # libraries, binary, pipes and output files open - no passphrase files listed.

The window to grab the passphrase:

  $ time echo foo
  foo

  real    0m0.000s
  user    0m0.000s
  sys     0m0.000s

>   $ ARGS=f
>   $ ps $ARGS
>   [...]
>   26958 pts/1    Ss     0:01 /bin/bash
>   27915 pts/1    R+     0:00  \_ ps f
>   [...]
>
> In addition, there's a good chance your environment variable ends up in
> your swap space.

1 of the flaws of this approach, unless of course kernel swappiness is
adjusted.

> > But how can it be done from a variable?
>
> I'm certainly not suggesting you use this method, but out of an
> academical interest, I got it to work with:
>
>   $ tar zcf - . | gpg -c --passphrase-fd 3 -o dir.tgz.gpg 3< <(echo test)

ah - I was trying `3< $(echo test)` - needed the double redirect.
Thanks!

> I'm redirecting twice. First, I redirect "echo test" to an FD or FIFO of
> Bash's choosing. Then I connect that to fd 3, so I can name fd 3 as the
> passphrase-fd. <(echo test) is expanded to a filename, either of the
> form /dev/fd/X or of some named FIFO created by bash, if I understand
> the Bash manual correctly. The space between the two less-than's is
> necessary.
>
> > [...] this is purely for "because I want to know
> > how to do it this way" sort of question).
>
> Which was my motivation exactly :).
>
> Oh, by the way, your plaintext was already on disk. The only reason to
> worry about the passphrase being on disk is that you might reuse the
> passphrase, right?

If the plaintext is never persisted and the passphrase isn't either /
available from the process list... For the sake of simplicity / example,
I hypothetically referred to a source directory with tar. For practical
purposes, this approach could be used with remote service data, where
the plaintext and plain key is never written to disk (e.g. http client
that invokes a remote call to dump config data, a mysqldump from a
remote server, etc). As far as symmetric encryption goes, not having
plaintext or plainkey ever persisted or viewable is a little more secure
(a compromise would require memory access or network packet sniffing if
remote), although understandably still flawed.

> Asymmetric crypto would nicely avoid the issue by never needing the
> secret part to encrypt data in the first place.
>
> HTH,

Thanks, helped plenty :)

> Peter.
>
> --
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at

From dougb at dougbarton.email Wed Apr 20 03:27:01 2016
From: dougb at dougbarton.email (Doug Barton)
Date: Tue, 19 Apr 2016 18:27:01 -0700
Subject: Using a passphrase FD from variable and piped data for encryption
In-Reply-To: 
References: <57160190.3020900@digitalbrains.com> <5716848B.6020701@dougbarton.email>
Message-ID: <5716DAE5.7050805@dougbarton.email>

On 04/19/2016 12:34 PM, Dashamir Hoxha wrote:
> On Tue, Apr 19, 2016 at 9:18 PM, Doug Barton wrote:
>
>     On 04/19/2016 05:12 AM, Dashamir Hoxha wrote:
>
>         I have written a small password utility, where passwords are
>         stored on an encrypted archive.
>
>     This is a bad idea. You should instead use one of the
>     well-established solutions created and peer-reviewed by
>     knowledgeable folks. Personally I'm a big fan of KeePass.
>
> Would you like to peer-review it?

Of course not. I already said that it's a bad idea. I can't be any
clearer than that.

Doug

From dashohoxha at gmail.com Wed Apr 20 07:39:01 2016
From: dashohoxha at gmail.com (Dashamir Hoxha)
Date: Wed, 20 Apr 2016 07:39:01 +0200
Subject: Using a passphrase FD from variable and piped data for encryption
In-Reply-To: <5716DAE5.7050805@dougbarton.email>
References: <57160190.3020900@digitalbrains.com> <5716848B.6020701@dougbarton.email> <5716DAE5.7050805@dougbarton.email>
Message-ID: 

On Wed, Apr 20, 2016 at 3:27 AM, Doug Barton wrote:

> On 04/19/2016 12:34 PM, Dashamir Hoxha wrote:
>
>> On Tue, Apr 19, 2016 at 9:18 PM, Doug Barton wrote:
>>
>>     On 04/19/2016 05:12 AM, Dashamir Hoxha wrote:
>>
>>         I have written a small password utility, where passwords are
>>         stored on an encrypted archive.
>>
>>     This is a bad idea. You should instead use one of the
>>     well-established solutions created and peer-reviewed by
>>     knowledgeable folks. Personally I'm a big fan of KeePass.
>>
>> Would you like to peer-review it?
>
> Of course not. I already said that it's a bad idea. I can't be any
> clearer than that.

I thought you could point out what is wrong with it, hopefully something
that can be fixed. But that's OK.

I have tried KeePassX, there is nothing wrong with it. But I still
prefer my own tool. By the way, it is a fork of the well known `pass`
tool, so it didn't just come out of thin air.

Dashamir

From rjh at sixdemonbag.org Wed Apr 20 08:09:48 2016
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 20 Apr 2016 02:09:48 -0400
Subject: Using a passphrase FD from variable and piped data for encryption
In-Reply-To: 
References: <57160190.3020900@digitalbrains.com> <5716848B.6020701@dougbarton.email> <5716DAE5.7050805@dougbarton.email>
Message-ID: <2fd82aa8-82c6-7a7f-30d7-870198baf074@sixdemonbag.org>

> I thought you could point out what is wrong with it, hopefully
> something that can be fixed. But that's OK.

You're asking people to sign on for a literally never-ending process.
(Peer review never ends, after all. Ask the OpenBSD guys.) There's
nothing wrong with that. You should always feel free to ask other
people to help. But in order to get the best-qualified people on board,
your project should offer something new: a new capability, a new
security guarantee, a new resistance to attacks, a new *something*.
Because without some new improvement, what motivation is there for
anyone to switch?

It's good to scratch your own itch. If you want to use this tool you've
built, more power to you. But other people probably won't unless you
can give them specific reasons to care.

From dashohoxha at gmail.com Wed Apr 20 09:10:27 2016
From: dashohoxha at gmail.com (Dashamir Hoxha)
Date: Wed, 20 Apr 2016 09:10:27 +0200
Subject: Using a passphrase FD from variable and piped data for encryption
In-Reply-To: <2fd82aa8-82c6-7a7f-30d7-870198baf074@sixdemonbag.org>
References: <57160190.3020900@digitalbrains.com> <5716848B.6020701@dougbarton.email> <5716DAE5.7050805@dougbarton.email> <2fd82aa8-82c6-7a7f-30d7-870198baf074@sixdemonbag.org>
Message-ID: 

On Wed, Apr 20, 2016 at 8:09 AM, Robert J. Hansen wrote:

> > I thought you could point out what is wrong with it, hopefully
> > something that can be fixed. But that's OK.
>
> You're asking people to sign on for a literally never-ending process.
> (Peer review never ends, after all. Ask the OpenBSD guys.) There's
> nothing wrong with that. You should always feel free to ask other
> people to help. But in order to get the best-qualified people on board,
> your project should offer something new: a new capability, a new
> security guarantee, a new resistance to attacks, a new *something*.
> Because without some new improvement, what motivation is there for
> anyone to switch?
>
> It's good to scratch your own itch. If you want to use this tool you've
> built, more power to you. But other people probably won't unless you
> can give them specific reasons to care.

You are right. I don't think that it can satisfy the requirements of
everybody because they are sometimes conflicting. But I use it because
it is simpler and easier, command-line based, and scriptable. And I also
believe that it is not less secure than the other solutions.

Anyway, myself I don't have high security requirements, and, except for
trying to use good practices, I am not a security expert. So, I cannot
guarantee for everybody.

Dashamir

From peter at digitalbrains.com Wed Apr 20 11:21:35 2016
From: peter at digitalbrains.com (Peter Lebbing)
Date: Wed, 20 Apr 2016 11:21:35 +0200
Subject: Using a passphrase FD from variable and piped data for encryption
In-Reply-To: 
References: <57160190.3020900@digitalbrains.com> <5716848B.6020701@dougbarton.email> <5716DAE5.7050805@dougbarton.email> <2fd82aa8-82c6-7a7f-30d7-870198baf074@sixdemonbag.org>
Message-ID: <57174A1F.8000206@digitalbrains.com>

On 20/04/16 09:10, Dashamir Hoxha wrote:
> And I also believe that it is not less secure than the other solutions.

You mean like Phil Zimmerman believed BassOmatic was secure?

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From dashohoxha at gmail.com Wed Apr 20 12:36:41 2016
From: dashohoxha at gmail.com (Dashamir Hoxha)
Date: Wed, 20 Apr 2016 12:36:41 +0200
Subject: Using a passphrase FD from variable and piped data for encryption
In-Reply-To: <57174A1F.8000206@digitalbrains.com>
References: <57160190.3020900@digitalbrains.com> <5716848B.6020701@dougbarton.email> <5716DAE5.7050805@dougbarton.email> <2fd82aa8-82c6-7a7f-30d7-870198baf074@sixdemonbag.org> <57174A1F.8000206@digitalbrains.com>
Message-ID: 

On Wed, Apr 20, 2016 at 11:21 AM, Peter Lebbing wrote:

> On 20/04/16 09:10, Dashamir Hoxha wrote:
> > And I also believe that it is not less secure than the other solutions.
>
> You mean like Phil Zimmerman believed BassOmatic was secure?

Thanks for comparing me to Phil Zimmerman. I am taking this as a
compliment :)

What I mean is that the security of `pw` depends on `gpg`
encryption/decryption. It can use both symmetric and asymmetric
encryption, depending on how you want to use it. I also try to be
careful on the script about not leaking the passphrase somehow. This is
for the case of symmetric encryption. For the asymmetric encryption the
passphrase is handled by the pinentry, so it is as safe as `gpg` itself.

I don't think that the encryption used by KeePass (and other tools like
it) is stronger or safer than the encryption of `gpg`. If there are any
problems, most probably they are on my script, and I believe that they
can be fixed.

From dashohoxha at gmail.com Wed Apr 20 12:44:10 2016
From: dashohoxha at gmail.com (Dashamir Hoxha)
Date: Wed, 20 Apr 2016 12:44:10 +0200
Subject: Using a passphrase FD from variable and piped data for encryption
In-Reply-To: <571751D5.1020601@digitalbrains.com>
References: <57160190.3020900@digitalbrains.com> <5716848B.6020701@dougbarton.email> <5716DAE5.7050805@dougbarton.email> <2fd82aa8-82c6-7a7f-30d7-870198baf074@sixdemonbag.org> <57174A1F.8000206@digitalbrains.com> <571751D5.1020601@digitalbrains.com>
Message-ID: 

On Wed, Apr 20, 2016 at 11:54 AM, Peter Lebbing wrote:

> PS: Quick note: that the security depends on GnuPG does not mean that it
> inherits the security of GnuPG.

You are right. After decrypting the archive, it is the responsibility of
the script to handle it safely, before encrypting it again.

Cheers,
Dashamir

From philip.colmer at linaro.org Wed Apr 20 17:44:58 2016
From: philip.colmer at linaro.org (Philip Colmer)
Date: Wed, 20 Apr 2016 16:44:58 +0100
Subject: How to specify LDAP authentication details with dirmngr/GnuPG 2.1?
Message-ID: 

I'm trying to use GnuPG 2.1 and using an LDAP server as the keyserver.

From what I can tell, the keyserver configuration has moved from gpg to
dirmngr but I am really struggling to figure out how I should be
configuring GnuPG/dirmngr so that it knows how to authenticate with the
LDAP server.

I'm editing the dirmngr.conf file but I cannot come up with a
combination of settings that not only specifies the LDAP server as the
keyserver (that's the easy bit) but also specifies the username and
password to use with it.

I've tried separating with colons, I've tried using something like:

  ldap://:password at server

I've tried:

  keyserver ldap://server binddn="username" bindpw=password

Does anyone know the correct way to specify a username and password for
use with an LDAP keyserver, please?

Thanks.

Philip

From rjh at sixdemonbag.org Thu Apr 21 01:45:34 2016
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Wed, 20 Apr 2016 19:45:34 -0400 Subject: gpgme-sharp API missing Message-ID: <5718149E.4090703@sixdemonbag.org> On https://wiki.gnupg.org/APIs , gpgme-sharp is listed as being in alpha status for .NET. Unfortunately, the link is dead and there's no sign of where it's moved to. For a while it was hosted on GitHub, but apparently no more. If anyone has a copy of the gpgme-sharp source code I'd be happy to host it on my own GitHub account. But either way, the link on the wiki needs to be either updated or removed. From wk at gnupg.org Thu Apr 21 14:43:44 2016 From: wk at gnupg.org (Werner Koch) Date: Thu, 21 Apr 2016 14:43:44 +0200 Subject: gpgme-sharp API missing In-Reply-To: <5718149E.4090703@sixdemonbag.org> (Robert J. Hansen's message of "Wed, 20 Apr 2016 19:45:34 -0400") References: <5718149E.4090703@sixdemonbag.org> Message-ID: <874mavb08v.fsf@wheatstone.g10code.de> On Thu, 21 Apr 2016 01:45, rjh at sixdemonbag.org said: > If anyone has a copy of the gpgme-sharp source code I'd be happy to host > it on my own GitHub account. But either way, the link on the wiki needs > to be either updated or removed. Do you know whether this is a working implementation and whether it is stand-alone API or a binding for GPGME? In the latter case it should go into GPGME proper. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From wk at gnupg.org Thu Apr 21 15:06:10 2016 
From: wk at gnupg.org (Werner Koch)
Date: Thu, 21 Apr 2016 15:06:10 +0200
Subject: Financial Results for 2015
Message-ID: <87vb3b9kn1.fsf@wheatstone.g10code.de>

Hello,

find below the full text of a new blog entry by me. If you have questions or want to comment, please group reply to this mail.

Shalom-Salam,

   Werner

1 Financial Results for 2015
============================

Having prepared the annual accounts for g10^code GmbH, the legal entity employing some of the GnuPG hackers, I can now share a financial report. Please read on if you are interested in how well the donation campaign last year worked and how we spend your money.

1.1 Balance Sheet as of 2015-12-31
----------------------------------

Let us start by looking at the balance sheet, which describes our financial status. The following table shows the actual [balance sheet] with a few accounts pooled up. Note that for display purposes all values have been rounded to a full Euro, and thus there are minor mismatches in the Sums.

  Account                    |  Asset  (2014)  | Liability  (2014)
  ---------------------------+-----------------+------------------
  Tangible assets            |   3880    (791) |
  Stock of goods             |      0    (122) |
  Cash balance               |    360    (469) |
  Bank balance KSD           | 207453  (34522) |
  PayPal and others balance  |   3842    (711) |
  Accounts receivable        |   4774      (0) |
  Accounts receivable other  |    497  (18408) |
  Common capital stock       |                 |   25000  (25000)
  Loss carried forward       |      0  (23019) |
  Profit carried forward     |                 |   11338      (0)
  Net profit                 |                 |  115350  (34357)
  Shareholder loans          |                 |       0  (10000)
  Accounts payable           |                 |       0   (3510)
  Accounts payable other     |                 |   27974      (0)
  GnuPG development fund     |                 |      72     (72)
  Provision for taxes        |                 |   41070   (5103)
  ---------------------------+-----------------+------------------
  Sums                       | 220804  (78042) |  220804  (78042)

The /Bank balance KSD/ is the money that we had at the end of the year in our accounts at the local savings bank. The /PayPal/ row gives the amount of money in the PayPal account and in a Gandi prepaid account. /Accounts receivable/ are mostly outstanding demands from the Linux Foundation for work done in December. From the /Common capital stock/ of 25000 Euro 50% are held by Walter Koch and 50% by Werner Koch, the owners of g10^code. The /Net profit/ gained in 2014 was back then used to make up for the /Loss carried forward/ in 2014 and the remaining 11000 Euro are set as /Profit carried forward/ to 2015. The major part of the /Accounts payable other/ is due to my profit sharing bonus. The /GnuPG development fund/ is the rest of a campaign which collected prize money for the GnuPG logo.

[balance sheet] file:data/g10code-bilanz-2015-pub.pdf

1.2 Profit and Loss from 2015-01-01 to 2015-12-31
-------------------------------------------------

Now let us see how much money we earned and how we spent it. The following table shows the actual [profit and loss sheet] with a few accounts pooled up. As above, the values have again been rounded to the nearest Euro.

  Account                    |  Debit  (2014)  |  Credit  (2014)
  ---------------------------+-----------------+-----------------
  Revenues                   |                 |   57251  (80435)
  Revenues from donations    |                 |  283538      (0)
  Revenues other             |                 |     218    (163)
  Salaries                   | 108719  (31800) |
  Social insurance           |  18060      (0) |
  Contractors                |  33165      (0) |
  Write-offs                 |   1532   (1656) |
  Connectivity and hosting   |   2012   (2874) |
  Rents                      |   2681   (2653) |
  Interest expenses          |    550      (0) |
  Travel expenses            |   3499   (1014) |
  Other expenses             |   5169   (6244) |
  Donations                  |   5100      (1) |
  Taxes                      |  45171      (0) |
  Net profit                 | 115350  (34357) |
  ---------------------------+-----------------+-----------------
  Sums                       | 341007  (80597) |  341007  (80597)

The /Revenues/ are mainly due to funding from the Linux Foundation for 60,000 USD (54,000 EUR). The /Revenues from donations/ are mainly made up of 100,000 USD from Stripe and Facebook (89,000 EUR), 113,000 EUR received via PayPal, and 80,000 EUR via Stripe (credit cards). Note that in 2014 we posted all donations to the /Revenues/ account and not to a separate donations account.

As with almost all software companies, the majority of expenses are staff costs (we've hired three programmers). Not counting taxes, which are due to the annual profit, we have total costs of 180,000 EUR with 160,000 spent on /Salaries/, /Social insurance/, and /Contractors/. My share is 47,400 EUR regular salary of which I need to pay social insurances myself plus a profit sharing bonus of 25000 EUR. That bonus is exceptionally high due to the huge net profit that we made in 2015; it is very unlikely that a bonus will be due this or next year. The /Rents/ are for the room used as an office in my house. The /Interest/ was paid for a loan that I gave to g10^code in 2012 and which was redeemed in 2015. /Other expenses/ sums up money spent for magazines, power, office supplies, advertising, conference fees, legal costs, etc.

Having received a lot of donations I considered it to be fair to put some money (5100 EUR) to support [Netzpolitik.org], [FSFE], [Kindernothilfe], [Freundeskreis für Flüchtlinge in Erkrath], [Wikimedia], and [OpenMusicContest].

Because g10^code GmbH is still not tax exempt we will need to pay about 45,000 /Taxes/ in 2015 on the 115,000 Euro of /Net profit/. Due to the net loss that we expect for 2016, a tax refund can be expected in 2017.

[profit and loss sheet] file:data/g10code-bilanz-2015-pub.pdf
[Netzpolitik.org] https://netzpolitik.org
[FSFE] https://fsfe.org
[Kindernothilfe] https://www.kindernothilfe.de
[Freundeskreis für Flüchtlinge in Erkrath] http://www.freundeskreis-fluechtlinge-erkrath.de/
[Wikimedia] https://wikimedia.de
[OpenMusicContest] https://openmusiccontest.org

1.3 Planning 2016 and 2017
--------------------------

Along with the paid projects we are currently working on, the two large donations that we are expecting (from Facebook and Stripe), the Linux Foundation grant, and a small stream of individual donations, g10^code will be able to operate with its current staff until the end of 2017. Obviously, we need a longer term plan. Things are a bit delayed, because the original plan to turn g10^code into a charitable company did not work out and we need to look into other options before starting a new campaign.

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From Alexander.Strobel at giepa.de Thu Apr 21 14:24:50 2016
From: Alexander.Strobel at giepa.de (Alexander Strobel)
Date: Thu, 21 Apr 2016 14:24:50 +0200
Subject: gpgme-sharp API missing
In-Reply-To: <5718149E.4090703@sixdemonbag.org>
References: <5718149E.4090703@sixdemonbag.org>
Message-ID: <5718C692.9090204@giepa.de>

Am 21.04.2016 um 01:45 schrieb Robert J. Hansen:
> On https://wiki.gnupg.org/APIs , gpgme-sharp is listed as being in alpha
> status for .NET. Unfortunately, the link is dead and there's no sign of
> where it's moved to. For a while it was hosted on GitHub, but
> apparently no more.
>
> If anyone has a copy of the gpgme-sharp source code I'd be happy to host
> it on my own GitHub account. But either way, the link on the wiki needs
> to be either updated or removed.

I don't have a copy of it but I know that it was in the 3rd Party section of the "Outlook Privacy Plugin" git repo of dejavusecurity:

https://github.com/dejavusecurity/OutlookPrivacyPlugin

It was removed from the repo on May 27th, 2015.

Hope this helps

Alex Strobel
www.gpg4o.com

From rjh at sixdemonbag.org Thu Apr 21 16:05:18 2016
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 21 Apr 2016 10:05:18 -0400 Subject: gpgme-sharp API missing In-Reply-To: <874mavb08v.fsf@wheatstone.g10code.de> References: <5718149E.4090703@sixdemonbag.org> <874mavb08v.fsf@wheatstone.g10code.de> Message-ID: <4753aa9c-0bab-bd35-2361-eb30a7f25df3@sixdemonbag.org> > Do you know whether this is a working implementation and whether it is > stand-alone API or a binding for GPGME? In the latter case it should go > into GPGME proper. I haven't looked at it in a few years. My recollection is that it was a barely-working GPGME binding. From dashohoxha at gmail.com Fri Apr 22 17:38:42 2016 
From: dashohoxha at gmail.com (Dashamir Hoxha)
Date: Fri, 22 Apr 2016 17:38:42 +0200
Subject: EasyGnuPG v0.9
Message-ID:

Hi,

I have made another release of EasyGnuPG. Things that have changed since the last time that I posted here are:

- Small fixes and improvements (some of which were suggested here).
- Finished automated testing scripts [1].
- Bash autocompletion [2].
- Making the egpg key-ring the default one [3].
- Splitting the key into partial keys and using a dongle [4].

Any comments or feedback is welcome. Actually I would prefer the task tool of GitHub [5] for reporting bugs and feature requests, but either way is OK.

I would like some help on these issues (if somebody can help):

- How to use `egpg` properly with mutt, alpine, etc.
- I think that it should be possible to customize Linux desktops (LXDE, XFCE, GNOME, KDE, etc.) to add key-combinations (shortcuts) or context-menus, to run some command on a selected file. This could be useful for the commands `egpg seal`, `egpg open`, `egpg sign`, `egpg verify`, etc. But I have no idea how to do this.
- Write a script/command that automates the process of copying a key to a smartcard [6]. I could have tried it myself but I don't have any smartcards.

Regards,
Dashamir

[1]: https://github.com/dashohoxha/egpg/tree/master/tests
[2]: https://github.com/dashohoxha/egpg/blob/master/src/bash-completion.sh
[3]: https://github.com/dashohoxha/egpg/wiki/default-gnupghome
[4]: https://github.com/dashohoxha/egpg/wiki/split-key
[5]: https://github.com/dashohoxha/egpg/issues
[6]: https://github.com/dashohoxha/egpg/issues/10

From daniel at hillsdalecorp.com Sun Apr 24 18:51:36 2016
From: daniel at hillsdalecorp.com (Daniel H. Werner)
Date: Sun, 24 Apr 2016 09:51:36 -0700
Subject: Help needed
Message-ID:

Colleagues,

I need some help. I downloaded GPGTools on my Mac laptop (I have not done it on my Mac desktop yet as I want to be sure I know what I am doing!!!) and did the Install. I Imported my existing keys. And I have several question/problems:

1) When I open a new email message window, I see a green box in the upper right hand corner which is labeled "OpenPGP". Is that right?

2) Should I be able to toggle GPG on and off;

3) I composed a short Test message to send to myself. In order to Encrypt it, I selected the text, went to Services and selected Encrypt. That gave me the encrypted code in a new window. It seemed to me that I then had to select that text, copy and then paste it into the new message. There has to be a simpler way to perform these functions? What are they?

4) My existing keys were created (in 2009 in PGP) at 2048 length. Should I change them to 4096? If so, how?

5) Even if I do not Encrypt the outgoing message, I get a window asking for my Passphrase. In the older PGP version, I had the option to cache the Passphrase so I did not have to enter it every time. How do I simplify this function?

In advance, Thank You everyone for your help.

Daniel

_______________________________
Daniel H. Werner
Portland, OR 97202 USA
(503) 709-0950

Confidentiality Notice: The information contained in this e-mail is confidential and for the intended recipient(s) alone. It may contain privileged and confidential information and is covered by Non-Disclosure Agreements. If you are not an intended recipient, you must not copy, distribute or take any action in reliance on it. If you have received this e-mail in error, please notify us immediately. Thank You.

From dashohoxha at gmail.com Sun Apr 24 19:16:24 2016
From: dashohoxha at gmail.com (Dashamir Hoxha)
Date: Sun, 24 Apr 2016 19:16:24 +0200
Subject: Help needed
In-Reply-To:
References:
Message-ID:

On Sun, Apr 24, 2016 at 6:51 PM, Daniel H. Werner wrote:
>
> 4) My existing keys were created (in 2009 in PGP) at 2048 length. Should
> I change them to 4096? If so, how?
>

I think that 2048 is still OK.
But if you decide to upgrade, you can find some good advice here:
https://johnlane.ie/i-have-a-new-gnupg-key.html

From peter at digitalbrains.com Sun Apr 24 19:59:51 2016
From: peter at digitalbrains.com (Peter Lebbing) Date: Sun, 24 Apr 2016 19:59:51 +0200 Subject: Help needed In-Reply-To: References: Message-ID: <571D0997.1060005@digitalbrains.com> On 24/04/16 19:16, Dashamir Hoxha wrote: > I think that 2048 is still OK. Yes; it is also the current default, so no need to upgrade the key. > But if you decide to upgrade, you can find some good advice here: > https://johnlane.ie/i-have-a-new-gnupg-key.html I consider "stick to the defaults" better advice. That website makes it all rather complicated. As for the OP's other questions, I can't answer them very well because I don't know MacOS, but I can give you advice: could you please indicate what software you are using? What mail client, what other GnuPG-related software? You say you compose a mail, and you select Services from somewhere. This seems /really/ little to go on if we don't know in what program you compose a mail and where this Services comes from (it might be that same mail application, I don't know). FWIW, no, with a good e-mail plugin you don't have to copy-paste anything to different windows. That's not a nice interface at all. And when you are asked for your password, that is not because you are /encrypting/, you never need a password to encrypt. It's asking for your password because you are /signing/, I think. And the time to cache a passphrase is set with the option default-cache-ttl in the file gpg-agent.conf in your GnuPG home directory (I don't know where that is on MacOS, it could just be ~/.gnupg), as follows: default-cache-ttl 3600 The argument is in seconds. The default is 10 minutes, so if you are asked for your passphrase within 10 minutes, I expect something didn't install properly... I hope someone who actually uses MacOS can help you further with specific advice. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. 
My key is available at From paolo.bolzoni.brown at gmail.com Sun Apr 24 20:01:37 2016 From: paolo.bolzoni.brown at gmail.com (Paolo Bolzoni) Date: Sun, 24 Apr 2016 20:01:37 +0200 Subject: Help needed In-Reply-To: References: Message-ID: You are strongly advised to read the gpg frequently asked questions, here is the link: https://www.gnupg.org/faq/gnupg-faq.html Here a particularly relevant question: https://www.gnupg.org/faq/gnupg-faq.html#please_use_ecc On Sun, Apr 24, 2016 at 7:16 PM, Dashamir Hoxha wrote: > On Sun, Apr 24, 2016 at 6:51 PM, Daniel H. Werner > wrote: >> >> 4) My existing keys were created (in 2009 in PGP) at 2048 length. Should >> I change them to 4096? If so, how? > > > I think that 2048 is still OK. > But if you decide to upgrade, you can find some good advice here: > https://johnlane.ie/i-have-a-new-gnupg-key.html > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From free10pro at gmail.com Sun Apr 24 19:18:49 2016 
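Peter's mail above gives the gpg-agent setting that controls how long a passphrase stays cached (`default-cache-ttl` in gpg-agent.conf, in seconds). The script below is an added example, not code from Peter's mail or from GnuPG: it sets such an option idempotently, so repeated edits never leave two competing lines behind, reads it back for verification, and optionally tells a running agent to re-read its configuration. It assumes a POSIX shell with grep, awk, mktemp and mv; the reload step uses `gpgconf --reload gpg-agent`, a real GnuPG 2.1+ command, and is skipped when gpgconf is absent.

```sh
#!/bin/sh
# Added example, not from Peter's mail and not a GnuPG tool: maintain single
# settings in gpg-agent.conf.  Remember that default-cache-ttl is capped by
# max-cache-ttl (600 s and 7200 s by default), so caching for longer than two
# hours needs both values raised.

# set_agent_option GNUPGHOME NAME VALUE
#   writes "NAME VALUE" to GNUPGHOME/gpg-agent.conf, replacing any earlier
#   uncommented setting of NAME and creating the directory/file if missing
set_agent_option() {
    home=$1; name=$2; value=$3
    conf="$home/gpg-agent.conf"
    # GnuPG warns about unsafe permissions on its home directory, so create it 0700
    [ -d "$home" ] || mkdir -m 700 -p "$home"
    tmp=$(mktemp "$home/.gpg-agent.conf.XXXXXX")
    if [ -f "$conf" ]; then
        # drop existing settings of NAME; grep exits 1 when nothing is left,
        # which is not an error here
        grep -v -E "^[[:space:]]*$name([[:space:]]|\$)" "$conf" > "$tmp" || true
    fi
    printf '%s %s\n' "$name" "$value" >> "$tmp"
    mv "$tmp" "$conf"
    chmod 600 "$conf"
}

# get_agent_option GNUPGHOME NAME
#   prints the value of NAME from gpg-agent.conf, or nothing if it is unset
get_agent_option() {
    conf="$1/gpg-agent.conf"
    [ -f "$conf" ] || return 0
    grep -E "^[[:space:]]*$2[[:space:]]+" "$conf" | tail -n 1 | awk '{print $2}'
}

# reload_agent GNUPGHOME
#   asks a running gpg-agent to re-read its configuration (no restart, no
#   cached passphrases lost); a no-op when gpgconf is not installed
reload_agent() {
    command -v gpgconf >/dev/null 2>&1 || return 0
    GNUPGHOME=$1 gpgconf --reload gpg-agent
}

# Stand-alone demonstration in a throwaway directory: cache for one hour,
# raise the cap, then change the default again (replaced, not appended).
demo() {
    d=$(mktemp -d)
    set_agent_option "$d" default-cache-ttl 3600
    set_agent_option "$d" max-cache-ttl 7200
    set_agent_option "$d" default-cache-ttl 1800
    cat "$d/gpg-agent.conf"
    rm -r "$d"
}

demo
```

To apply it to a real installation, call `set_agent_option "$HOME/.gnupg" default-cache-ttl 3600` followed by `reload_agent "$HOME/.gnupg"`; the GnuPG home on macOS may differ, as Peter notes, so check with `gpgconf --list-dirs homedir` first.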
From: free10pro at gmail.com (Paul R. Ramer)
Date: Sun, 24 Apr 2016 10:18:49 -0700
Subject: Help needed
In-Reply-To:
References:
Message-ID: <571CFFF9.1090106@gmail.com>

On 04/24/2016 09:51 AM, Daniel H. Werner wrote:
> I downloaded GPGTools on my Mac laptop (I have not done it on my Mac desktop yet
> as I want to be sure I know what I am doing!!!) and did the Install.
> I Imported my existing keys.
> And I have several question/problems:

First off, I can't answer all of your questions, because I am not familiar with GPGTools. But I have provided answers to some of your questions.

> 1) When I open a new email message window, I see a green box in the upper right
> hand corner which is labeled "OpenPGP". Is that right?

Yes, it is. If you visit https://gpgtools.org/ and scroll to the bottom of the page, you will see slides that you can click through. One of them shows a screenshot of this.

> 2) Should I be able to toggle GPG on and off;

I believe so. The slide that I referred to above says that you can click the lock button (it is a button with a glyph in the form of a lock) to encrypt your email to the recipient.

> 3) I composed a short Test message to send to myself. In order to Encrypt it, I
> selected the text, went to Services and selected Encrypt. That gave me the
> encrypted code in a new window. It seemed to me that I then had to select that
> text, copy and then paste it into the new message. There has to be a simpler
> way to perform these functions? What are they?

I believe you are supposed to click the lock button I mentioned above. Please see the section of the website that I referred to earlier.

> 4) My existing keys were created (in 2009 in PGP) at 2048 length. Should I
> change them to 4096? If so, how?

No, that is not necessary. Do know that many people have *strong* opinions about key length that are based on little empirical fact. [1] See the GnuPG FAQ topic about this. [2]

> 5) Even if I do not Encrypt the outgoing message, I get a window asking for my
> Passphrase. In the older PGP version, I had the option to cache the Passphrase
> so I did not have to enter it every time. How do I simplify this function?

I am sorry. I don't know the answer to this question.

Hope that helps,

-Paul

[1] I apologize to the list if I have opened that horrendous can of worms again by answering this question.
[2] https://gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096

From me at jojoob.de Sun Apr 24 19:14:10 2016
From: me at jojoob.de (Johannes Burk)
Date: Sun, 24 Apr 2016 19:14:10 +0200
Subject: Help needed
In-Reply-To:
References:
Message-ID:

> 1) When I open a new email message window, I see a green box in the upper right hand corner which is labeled "OpenPGP". Is that right?
> 2) Should I be able to toggle GPG on and off;

Yes, the green box in the upper right of the new message window indicates that the GPGTools are integrated into the Mail app. In addition there are two buttons on the right in the subject row. The left one (open/closed lock) indicates if the mail is going to be encrypted and the other one if the message will be signed.

> 3) I composed a short Test message to send to myself. In order to Encrypt it, I selected the text, went to Services and selected Encrypt. That gave me the encrypted code in a new window. It seemed to me that I then had to select that text, copy and then paste it into the new message. There has to be a simpler way to perform these functions? What are they?

It should not be necessary to encrypt the message manually as you described. If you compose a message to a recipient for which you have a trusted key in your keychain the message should automatically become encrypted, indicated by the button described above.

> 5) Even if I do not Encrypt the outgoing message, I get a window asking for my Passphrase. In the older PGP version, I had the option to cache the Passphrase so I did not have to enter it every time. How do I simplify this function?

By default GPGTools signs all outgoing messages. Therefore GPG asks for your password because it needs your private key to sign the message.

From vallir63 at gmail.com Sun Apr 24 20:40:21 2016
From: vallir63 at gmail.com (MuthuSankaraNarayanan Valliammal)
Date: Sun, 24 Apr 2016 20:40:21 +0200
Subject: Help needed
In-Reply-To:
References:
Message-ID:

I have this problem. I am writing an application in android for the GNUPG. for that I want to add the commands in the android package itself. whether I need to install the Guardian GNUPG and then call the commands from my application, or can I call the application gnupg with the library in my application itself, I can integrate the gnupg? this is for android application.

thanks,
regards,
MVS

On Sun, Apr 24, 2016 at 7:14 PM, Johannes Burk wrote:
>
> > 1) When I open a new email message window, I see a green box in the
> upper right hand corner which is labeled "OpenPGP". Is that right?
> > 2) Should I be able to toggle GPG on and off;
>
> Yes, the green box in the upper right of the new message window indicates
> that the GPGTools are integrated into the Mail app.
> In addition there are two buttons on the right in the subject row. The left
> one (open/closed lock) indicates if the mail is going to be encrypted and
> the other one if the message will be signed.
>
> > 3) I composed a short Test message to send to myself. In order to
> Encrypt it, I selected the text, went to Services and selected Encrypt.
> That gave me the encrypted code in a new window. It seemed to me that I
> then had to select that text, copy and then paste it into the new message.
> There has to be a simpler way to perform these functions? What are they?
>
> It should not be necessary to encrypt the message manually as you
> described. If you compose a message to a recipient for which you have a
> trusted key in your keychain the message should automatically become
> encrypted, indicated by the button described above.
>
> > 5) Even if I do not Encrypt the outgoing message, I get a window asking
> for my Passphrase. In the older PGP version, I had the option to cache the
> Passphrase so I did not have to enter it every time. How do I simplify this
> function?
>
> By default GPGTools signs all outgoing messages. Therefore GPG asks for
> your password because it needs your private key to sign the message.

From peter at digitalbrains.com Sun Apr 24 20:49:11 2016
From: peter at digitalbrains.com (Peter Lebbing)
Date: Sun, 24 Apr 2016 20:49:11 +0200
Subject: Help needed
In-Reply-To:
References:
Message-ID: <571D1527.90205@digitalbrains.com>

On 24/04/16 20:40, MuthuSankaraNarayanan Valliammal wrote:
> I have this problem. I am writing an application in android for the
> GNUPG. for that I want to add the commands in the android package
> itself.

Could you please start a new thread instead of changing the subject of this thread to something else entirely?

Thanks!

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From vallir63 at gmail.com Sun Apr 24 12:49:18 2016
From: vallir63 at gmail.com (MuthuSankaraNarayanan Valliammal)
Date: Sun, 24 Apr 2016 12:49:18 +0200
Subject: Can I able to integrate GNUPG windows version directly with the Android application
Message-ID:

Dear Sir,

can I integrate the GNUPG windows application directly in Android, or do I need to use the GNUPG Android Guardian application and then set the relevant paths, then apply that for running? Please let me know.

thanks,
regards
MVS

From free10pro at gmail.com Sun Apr 24 22:19:27 2016
From: free10pro at gmail.com (Paul R. Ramer)
Date: Sun, 24 Apr 2016 13:19:27 -0700
Subject: Help needed
In-Reply-To: <571D0997.1060005@digitalbrains.com>
References: <571D0997.1060005@digitalbrains.com>
Message-ID: <571D2A4F.3040700@gmail.com>

On 04/24/2016 10:59 AM, Peter Lebbing wrote:
> As for the OP's other questions, I can't answer them very well because I
> don't know MacOS, but I can give you advice: could you please indicate
> what software you are using? What mail client, what other GnuPG-related
> software? You say you compose a mail, and you select Services from
> somewhere. This seems /really/ little to go on if we don't know in what
> program you compose a mail and where this Services comes from (it might
> be that same mail application, I don't know).

He is using Apple's default client called "Mail". GPGTools provides a plug-in for Mail.

What he means by Services is the Services menu. It can be accessed by a right-click or by accessing Mac OS X's menu bar. Services is a cool "Mac thing" that allows programs to integrate with each other (however, there may be analogs in other systems that I am not thinking about). It is kind of like plug-ins that you can access in any program.

For example in this case, the user could be using a GUI text editor. The user highlights some text, chooses the encryption option from Services, and gets ASCII armored text as an output. Using a web browser and webmail, the user could do the same operation and get the same result. It is not dependent on which program the Service menu is accessed from. No switching between programs is required while doing this, nor having to consciously run the program whose "services" are being used. You can read more about it on Wikipedia. [1]

> FWIW, no, with a good e-mail plugin you don't have to copy-paste
> anything to different windows. That's not a nice interface at all.

Correct. He is just using it the hard way. ;-) This "First Steps" tutorial should be the way to go. [2]

Cheers,

-Paul

[1] https://en.wikipedia.org/wiki/Services_menu
[2] https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-mail

From antony at blazrsoft.com Sun Apr 24 22:22:01 2016
From: antony at blazrsoft.com (Antony Prince)
Date: Sun, 24 Apr 2016 16:22:01 -0400
Subject: Can I able to integrate GNUPG windows version directly with the Android application
In-Reply-To:
References:
Message-ID: <571D2AE9.4000907@blazrsoft.com>

On 4/24/2016 6:49 AM, MuthuSankaraNarayanan Valliammal wrote:
> Dear Sir,
>
> can I able to integrate the GNUPG windows application directly in Android.
> or need to use the GNUPG Android Gaurdian application and then set the
> relevant paths,
> then apply that for running?.
>

Guardianproject has a port of gnupg to android[1] that might be of some use to you.

[1] https://github.com/guardianproject/gnupg-for-android

--
Antony Prince
Key ID: 0xAF3D4087301B1B19
Fingerprint: 591F F17F 7A4A A8D0 F659 C482 AF3D 4087 301B 1B19
URL: http://pool.sks-keyservers.net/pks/lookup?op=get&search=0xAF3D4087301B1B19

From antony at blazrsoft.com Sun Apr 24 22:27:53 2016
From: antony at blazrsoft.com (Antony Prince) Date: Sun, 24 Apr 2016 16:27:53 -0400 Subject: Can I able to integrate GNUPG windows version directly with the Android application In-Reply-To: References: Message-ID: <571D2C49.10002@blazrsoft.com> On 4/24/2016 6:49 AM, MuthuSankaraNarayanan Valliammal wrote: > Dear Sir, > > can I able to integrate the GNUPG windows application directly in Android. > or need to use the GNUPG Android Gaurdian application and then set the > relevant paths, > then apply that for running?. > I just realized the project I linked was the exact one you were talking about. :-) In this case though, I'd say there's no need to re-invent the wheel. They've already got it ported to Android and if you can fit it to your needs, then I'd go with that. -- Antony Prince Key ID: 0xAF3D4087301B1B19 Fingerprint: 591F F17F 7A4A A8D0 F659 C482 AF3D 4087 301B 1B19 URL: http://pool.sks-keyservers.net/pks/lookup?op=get&search=0xAF3D4087301B1B19 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 884 bytes Desc: OpenPGP digital signature URL: From Alexander.Strobel at giepa.de Mon Apr 25 09:46:49 2016 
From: Alexander.Strobel at giepa.de (Alexander Strobel)
Date: Mon, 25 Apr 2016 09:46:49 +0200
Subject: gpgme-sharp API missing
In-Reply-To: <5718149E.4090703@sixdemonbag.org>
References: <5718149E.4090703@sixdemonbag.org>
Message-ID: <571DCB69.80905@giepa.de>

Next try to send an email to the list. My last one did not show up here, so sorry if I am double posting.

Am 21.04.2016 um 01:45 schrieb Robert J. Hansen:
> If anyone has a copy of the gpgme-sharp source code I'd be happy to host
> it on my own GitHub account. But either way, the link on the wiki needs
> to be either updated or removed.

I don't have a copy of it but I know that it was in the 3rd Party section of the "Outlook Privacy Plugin" git repo of dejavusecurity:

It was removed from the repo on May 27th, 2015.

Best regards

Alex Strobel
www.gpg4o.com

From peter at digitalbrains.com Mon Apr 25 11:35:55 2016
From: peter at digitalbrains.com (Peter Lebbing)
Date: Mon, 25 Apr 2016 11:35:55 +0200
Subject: (OT) gpgme-sharp API missing
In-Reply-To: <571DCB69.80905@giepa.de>
References: <5718149E.4090703@sixdemonbag.org> <571DCB69.80905@giepa.de>
Message-ID: <571DE4FB.4040807@digitalbrains.com>

On 25/04/16 09:46, Alexander Strobel wrote:
> Next try to send an email to the list. My last one did not show up here,
> so sorry if I am double posting.

The mail you sent Thu, 21 Apr 2016 14:24:50 +0200 showed up in my mailbox at Thu, 21 Apr 2016 15:46:05 +0200. The mailing list always adds a delay which can vary. Additionally, mails from non-members are moderated by a variable-delay human.

But it did arrive. It's on the web archives as well[1]. No idea when it showed up there :).

HTH,

Peter.

[1] https://lists.gnupg.org/pipermail/gnupg-users/2016-April/055805.html

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From peter at digitalbrains.com Mon Apr 25 11:36:58 2016
From: peter at digitalbrains.com (Peter Lebbing) Date: Mon, 25 Apr 2016 11:36:58 +0200 Subject: Help needed In-Reply-To: <571D2A4F.3040700@gmail.com> References: <571D0997.1060005@digitalbrains.com> <571D2A4F.3040700@gmail.com> Message-ID: <571DE53A.90306@digitalbrains.com> On 24/04/16 22:19, Paul R. Ramer wrote: > What he means by Services is the Services menu. It can be accessed by a > right-click or by accessing Mac OS X's menu bar. Services is a cool > "Mac thing" that allows programs to integrate with each other (however, > there may be analogs in other systems that I am not thinking about). It > is kind of like plug-ins that you can access in any program. Ah, thanks for the clarification :). Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From Alexander.Strobel at giepa.de Mon Apr 25 14:31:46 2016
From: Alexander.Strobel at giepa.de (Alexander Strobel) Date: Mon, 25 Apr 2016 14:31:46 +0200 Subject: (OT) gpgme-sharp API missing In-Reply-To: <571DE4FB.4040807@digitalbrains.com> References: <5718149E.4090703@sixdemonbag.org> <571DCB69.80905@giepa.de> <571DE4FB.4040807@digitalbrains.com> Message-ID: <571E0E32.8010407@giepa.de> On 25.04.2016 at 11:35, Peter Lebbing wrote: > On 25/04/16 09:46, Alexander Strobel wrote: >> Next try to send an email to the list. My last one did not show up here, >> so sorry if I am double posting. > > The mail you sent Thu, 21 Apr 2016 14:24:50 +0200 showed up in my > mailbox at Thu, 21 Apr 2016 15:46:05 +0200. The mailing list always adds > a delay which can vary. Additionally, mails from non-members are > moderated by a variable-delay human. > > But it did arrive. It's on the web archives as well[1]. No idea when it > showed up there :). Thanks for the hint to look at the web archives. Strangely enough, even until today it does not show up in my inbox... Therefore I thought it wasn't delivered to the list. Thank you for clarifying :) Best regards Alex Strobel www.gpg4o.com From dashohoxha at gmail.com Mon Apr 25 14:52:29 2016
From: dashohoxha at gmail.com (Dashamir Hoxha) Date: Mon, 25 Apr 2016 14:52:29 +0200 Subject: Paper backup Message-ID: Hi, I have added a feature to egpg to export the key and convert it to 3D barcode images, included in a PDF file: https://github.com/dashohoxha/egpg/blob/master/src/fn/qrencode.sh This PDF file can be printed and used as a paper backup. It can be restored with the help of a webcam and a barcode reader program (like zbar). What do you think of paper backups, are they useful? I have seen some advice that recommend them, and even claim that they are safer and more durable/reliable than digital backups. I think that lots of people are still familiar and comfortable with storing and keeping hard-copy documents safe and secure (although we live in the digital age). It could also be nice to generate a PDF page that has the gpg key information in the format of a business card: name, email, fingerprint (maybe in barcode format as well). It can repeat several copies of the business card in the same page (for example in 5 rows and 2 columns). Any idea or advice on how to implement this? Maybe starting with a latex template and converting it to PDF? Or any simpler way? Thanks, Dashamir From paolo.bolzoni.brown at gmail.com Mon Apr 25 15:06:50 2016
From: paolo.bolzoni.brown at gmail.com (Paolo Bolzoni) Date: Mon, 25 Apr 2016 15:06:50 +0200 Subject: Paper backup In-Reply-To: References: Message-ID: I did something similar for the revocation certificate. I used LaTeX, preparing this template for the students: http://www.inf.unibz.it/dis/teaching/INFSEC/ex/revocation.tar.xz I think paper backups are a good idea. For example, I keep mine with my passport; if my passport (and so the revocation certificate) gets stolen, I have bigger problems than someone revoking my key. Besides, the QR encoding makes it easy to copy text, even long text, to computers (with maximum redundancy you can store up to 3000 ASCII chars). The only disadvantage I see is that some applications read the code in unexpected ways. For example, instead of showing you the text they will open random websites. I tried to look around for a "standard" way to state that a QR contains only plain text, but to no avail. However, even if not standard, starting the text with "TEXT:" seems to stop many apps from stupidly interpreting the text. Honestly I don't really get this egpg for reasons we already discussed, but LaTeX templates for sharing the key or keeping the revocation information are indeed a good idea. On Mon, Apr 25, 2016 at 2:52 PM, Dashamir Hoxha wrote: > Hi, > > I have added a feature to egpg to export the key and convert it to 3D > barcode > images, included in a PDF file: > https://github.com/dashohoxha/egpg/blob/master/src/fn/qrencode.sh > This PDF file can be printed and used as a paper backup. It can be restored > with the help of a webcam and a barcode reader program (like zbar). > > What do you think of paper backups, are they useful? I have seen some > advice that recommend them, and even claim that they are safer and > more durable/reliable than digital backups. > I think that lots of people are still familiar and comfortable with storing > and > keeping hard-copy documents safe and secure (although we live in the > digital age). 
> > It could also be nice to generate a PDF page that has the gpg key > information > in the format of a business card: name, email, fingerprint (maybe in barcode > format as well). It can repeat several copies of the business card in the > same > page (for example in 5 rows and 2 columns). > Any idea or advice on how to implement this? Maybe starting with a latex > template and converting it to PDF? Or any simpler way? > > Thanks, > Dashamir From 2014-667rhzu3dc-lists-groups at riseup.net Mon Apr 25 15:07:02 2016 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Mon, 25 Apr 2016 14:07:02 +0100 Subject: (OT) gpgme-sharp API missing In-Reply-To: <571E0E32.8010407@giepa.de> References: <5718149E.4090703@sixdemonbag.org> <571DCB69.80905@giepa.de> <571DE4FB.4040807@digitalbrains.com> <571E0E32.8010407@giepa.de> Message-ID: <18410647619.20160425140702@riseup.net> Hi On Monday 25 April 2016 at 1:31:46 PM, in , Alexander Strobel wrote: > Strangely enough, even until today it does not show > up in my inbox... > Therefore I thought it wasn't delivered to the list. If the same applies to all three of your messages, I suggest checking your subscription options at . You might have the option to receive a copy of your own posts turned off. -- Best regards MFPA I would like to help you out. Which way did you come in? From peter at digitalbrains.com Mon Apr 25 15:11:12 2016
From: peter at digitalbrains.com (Peter Lebbing) Date: Mon, 25 Apr 2016 15:11:12 +0200 Subject: Paper backup In-Reply-To: References: Message-ID: <571E1770.30404@digitalbrains.com> On 25/04/16 14:52, Dashamir Hoxha wrote: > What do you think of paper backups, are they useful? Yes, but I much prefer paperkey[1] for that rather than complete (minimal) secret key files. Also consider the longevity of the format: if you want to restore it in 10 years, do you still have the equipment and software to do so? Do you expect to use your key in 20 years?[2] Provided we can still work with OpenPGP v4 file formats, paperkey has got this covered. I have never used my paper backup. Prudence suggests you should try to OCR it; laziness suggested otherwise in my case. Worst case, I type it in. It's purely for when the digital media fail. Which they will, using common consumer storage media. HTH, Peter. [1] http://www.jabberwocky.com/software/paperkey/ [2] It's real nice to hear people talk about this, but there are so many things that could change. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From wk at gnupg.org Mon Apr 25 15:53:11 2016 
From: wk at gnupg.org (Werner Koch) Date: Mon, 25 Apr 2016 15:53:11 +0200 Subject: Paper backup In-Reply-To: (Dashamir Hoxha's message of "Mon, 25 Apr 2016 14:52:29 +0200") References: Message-ID: <87lh41yeuw.fsf@wheatstone.g10code.de> On Mon, 25 Apr 2016 14:52, dashohoxha at gmail.com said: > It could also be nice to generate a PDF page that has the gpg key > information > in the format of a business card: name, email, fingerprint (maybe in barcode See misc/vcards/vcard-template.tex in the gnupg-doc repo on how we print the GnuPG cards. It might be useful to add "-i" to the qrencode call, though. As input you use a file with address data blocks like this:
Type: gpg
Name: Werner Koch
Title:
Mail: wk at gnupg.org
Jabber: wk at xxx
Ptype: m
Phone: +49-xxxx
Fpr: 8061 5870 F5BA D690 3336 86D0 F2AD 85AC 1E42 B367
Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From rjh at sixdemonbag.org Mon Apr 25 16:01:40 2016 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 25 Apr 2016 10:01:40 -0400 Subject: Paper backup In-Reply-To: References: Message-ID: <571E2344.1070706@sixdemonbag.org> > This PDF file can be printed and used as a paper backup. It can be restored > with the help of a webcam and a barcode reader program (like zbar). Why not use Paperkey and QR-encode that instead? > What do you think of paper backups, are they useful? It depends. For some users, sure. For other users, no. From rjh at sixdemonbag.org Mon Apr 25 16:08:30 2016
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 25 Apr 2016 10:08:30 -0400 Subject: Paper backup In-Reply-To: <571E1770.30404@digitalbrains.com> References: <571E1770.30404@digitalbrains.com> Message-ID: <571E24DE.5090404@sixdemonbag.org> > [2] It's real nice to hear people talk about this, but there are so many > things that could change. It annoys me when I hear people talk about this. :) IMO, it's the sort of thing that tends to get parroted by people who haven't thought things through. When people talk about key length and say "so I'm good for twenty years," I wince. Because they also need to be talking about the rather extreme measures they'll also need to take to ensure their private key is never compromised, they're able to read their data, the data is preserved, the certificate is preserved, etcetera, for a 20-year period. When talking about anything past about a five-year window, you really need to spend more time thinking about the data archiving problem than you do about cryptography. Preaching to the choir, Peter, I know... From dashohoxha at gmail.com Mon Apr 25 16:30:08 2016 From: dashohoxha at gmail.com (Dashamir Hoxha) Date: Mon, 25 Apr 2016 16:30:08 +0200 Subject: Paper backup In-Reply-To: <87lh41yeuw.fsf@wheatstone.g10code.de> References: <87lh41yeuw.fsf@wheatstone.g10code.de> Message-ID: On Mon, Apr 25, 2016 at 3:53 PM, Werner Koch wrote: > > See misc/vcards/vcard-template.tex in the gnupg-doc repo on how we print > the GnuPG cards. It might be useful to add "-i" to the qrencode call, > This looks promising, I will have a look at it. Thanks. From dashohoxha at gmail.com Mon Apr 25 16:38:46 2016
From: dashohoxha at gmail.com (Dashamir Hoxha) Date: Mon, 25 Apr 2016 16:38:46 +0200 Subject: Paper backup In-Reply-To: <571E2344.1070706@sixdemonbag.org> References: <571E2344.1070706@sixdemonbag.org> Message-ID: On Mon, Apr 25, 2016 at 4:01 PM, Robert J. Hansen wrote: > > This PDF file can be printed and used as a paper backup. It can be > restored > > with the help of a webcam and a barcode reader program (like zbar). > > Why not use Paperkey and QR-encode that instead? > The idea of Paperkey is to reduce the output, so that it can be easily typed by hand (when you need to restore the key). For a 4096 key, the output of Paperkey is still too big to be typed by hand, and even too big to be QR-encoded straight away. You have to split it and QR-encode each piece separately. But once you have to split the data and QR-encode it, it doesn't make much difference whether you have 2 pages of output or 8 pages. So, it doesn't make sense reducing the output, and it doesn't make sense using Paperkey anymore. At this point Paperkey only makes things more complex, instead of making them simpler. Thanks to everybody for the feedback. Dashamir From paolo.bolzoni.brown at gmail.com Tue Apr 26 09:38:38 2016
From: paolo.bolzoni.brown at gmail.com (Paolo Bolzoni) Date: Tue, 26 Apr 2016 09:38:38 +0200 Subject: Paper backup In-Reply-To: References: <571E2344.1070706@sixdemonbag.org> Message-ID: On Mon, Apr 25, 2016 at 4:38 PM, Dashamir Hoxha wrote: > On Mon, Apr 25, 2016 at 4:01 PM, Robert J. Hansen > wrote: > But once you have to split the data and QR-encode it, it doesn't make much > difference whether you have 2 pages of output or 8 pages. So, it doesn't > make sense > reducing the output, and it doesn't make sense using Paperkey anymore. At > this point > Paperkey only makes things more complex, instead of making them simpler. Just don't forget that any machine-readable format like QR should be put together with a human-readable one, because you cannot be sure how easy it will be to read a QR when you need it. From daniel at pocock.pro Tue Apr 26 09:53:06 2016
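Added example for the paper-backup thread above, covering the step Dashamir's last message leaves implicit (an exported key that is too large for one QR code has to be split across several) and Paolo's "TEXT:" prefix. This is not egpg's code nor any poster's; the frame layout (one line per QR code: "TEXT:OPGP:<index>/<total>:<16 hex digits of SHA-256>:<base64 piece>"), the 1200-character default chunk size, and the tool names are assumptions made here. The point it demonstrates is that a webcam restore sees frames out of order, scanned twice, or not at all, and a backup format has to detect those cases instead of silently decoding a corrupt key. qrencode and zbarimg do the print and scan steps and are not called; the input is whatever `gpg --export-secret-keys` (or paperkey) wrote to a file.

```shell
#!/bin/sh
# Added example for the paper-backup thread; not egpg's or any poster's code.
# Frame layout (an assumption made here), one line per QR code:
#   TEXT:OPGP:<idx>/<total>:<digest16>:<base64 piece>
# "TEXT:" is the prefix from the thread that keeps phone apps from treating the
# payload as a URL. Assumed tools: POSIX sh, GNU coreutils (base64, sha256sum,
# cut, split-free chunking via cut). qrencode/zbarimg are the print/scan steps
# and are not invoked; FILE is the output of `gpg --export-secret-keys`.

set -u

# Split FILE into frame files OUTDIR/chunk-NNN.txt of at most CHUNK base64
# characters each (default 1200, so one frame fits a QR code at medium error
# correction). Prints the number of frames written.
frame_key() {
    in=$1; outdir=$2; chunk=${3:-1200}
    mkdir -p "$outdir" || return 1
    payload=$(base64 -w0 "$in") || return 1
    digest=$(printf '%s' "$payload" | sha256sum | cut -c1-16)
    total=$(( (${#payload} + chunk - 1) / chunk ))
    i=1; off=0
    while [ "$i" -le "$total" ]; do
        piece=$(printf '%s' "$payload" | cut -c"$((off + 1))-$((off + chunk))")
        printf 'TEXT:OPGP:%d/%d:%s:%s\n' "$i" "$total" "$digest" "$piece" \
            >"$outdir/chunk-$(printf '%03d' "$i").txt"
        i=$((i + 1)); off=$((off + chunk))
    done
    printf '%s\n' "$total"
}

# Reassemble the key from every *.txt frame in INDIR (one decoded QR code per
# file, any order, duplicates allowed) into OUT. Returns 2 when a frame is
# missing (named on stderr), 3 when frames disagree or the digest fails, 0 on
# success. Nothing is written to OUT unless the digest matches.
assemble_key() {
    indir=$1; out=$2
    tmp=$(mktemp) || return 1
    rc=0
    cat "$indir"/*.txt | awk -F: '
        $1 == "TEXT" && $2 == "OPGP" && NF == 5 {
            split($3, p, "/"); idx = p[1] + 0; n = p[2] + 0
            if (total == 0) { total = n; digest = $4 }
            else if (n != total || $4 != digest) { bad = 3 }
            piece[idx] = $5                 # a re-scan just overwrites itself
        }
        END {
            if (bad) exit bad
            if (total == 0) exit 3
            for (i = 1; i <= total; i++)
                if (!(i in piece)) {
                    printf "missing chunk %d/%d\n", i, total > "/dev/stderr"
                    exit 2
                }
            print digest
            for (i = 1; i <= total; i++) printf "%s", piece[i]
            printf "\n"
        }' >"$tmp" || rc=$?
    if [ "$rc" -ne 0 ]; then rm -f "$tmp"; return "$rc"; fi
    want=$(sed -n 1p "$tmp"); payload=$(sed -n 2p "$tmp"); rm -f "$tmp"
    have=$(printf '%s' "$payload" | sha256sum | cut -c1-16)
    if [ "$have" != "$want" ]; then
        echo "digest mismatch: a frame was altered or mis-scanned" >&2
        return 3
    fi
    printf '%s' "$payload" | base64 -d >"$out"
}
```

To print, feed each chunk file to qrencode (one code per file); to restore, save each zbarimg result as a file in one directory and run assemble_key on it. As Peter and Paolo say elsewhere in the thread, print the same payload in a human-readable form next to the codes, since the digest check only tells you that a scan went wrong, not how to recover without re-scanning.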
From: daniel at pocock.pro (Daniel Pocock) Date: Tue, 26 Apr 2016 09:53:06 +0200 Subject: making a Debian Live CD for managing GnuPG master key and smartcards Message-ID: <571F1E62.30203@pocock.pro> There has been some discussion on debian-devel[1] about making a bootable Debian Live CD specifically for GnuPG. The benefit is that everything on the CD is self-contained, it can't be tampered with, it can run without network support in the kernel and the workflow would be controlled by a script. All the details, including workflow, are described in a wiki[2]. I have some questions about this:
- has anybody already seen anything like this? Nobody likes re-inventing the wheel
- can we call all the necessary GnuPG commands from a script without the user interacting directly with GnuPG, using "--batch" / unattended operation? The sequence of commands involved would be similar to this blog[3]
- what would be the preferred way for the GUI to obtain and keep the master key passphrase without prompting the user to re-enter it for every operation?
- would anybody else like to suggest improvements to the workflow?
1. https://lists.debian.org/msgid-search/571DD206.1070502 at pocock.pro
2. https://wiki.debian.org/OpenPGP/CleanRoomLiveEnvironment
3. https://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard/
From Alexander.Strobel at giepa.de Tue Apr 26 10:20:37 2016
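Added example for Daniel's second and third questions above; it is not his code, the Debian wiki's, or egpg's. It runs the clean-room key workflow unattended: a certify-only master key from a `--batch --gen-key` parameter file, signing/encryption/authentication subkeys via `--quick-add-key`, and export of the public key, the secret subkeys only, and the revocation certificate. The passphrase is handed to GnuPG by the script over a loopback pinentry and cached by gpg-agent (default-cache-ttl), so later steps in the same session do not re-prompt. Assumptions, all mine: GnuPG 2.1 or later as `gpg` with gpg-agent on PATH, a throwaway GNUPGHOME exported by the caller (on the Live CD, a directory on tmpfs), RSA keys of a caller-chosen size, and the 1y/2y expiries and file names used here.

```shell
#!/bin/sh
# Added example for the Live CD thread; not Daniel Pocock's, the wiki's or
# egpg's code. Assumptions: GnuPG >= 2.1 as `gpg` plus gpg-agent, GNUPGHOME
# exported by the caller (tmpfs on the Live CD), RSA keys; expiries, names and
# paths are choices made here, not from the thread.

set -u

# Parameter file for `gpg --batch --gen-key`: a certify-only master key, so the
# master never signs or decrypts day to day; that work goes to the subkeys.
# $1 = output path, $2 = real name, $3 = e-mail, $4 = key length, $5 = passphrase
write_params() {
    cat >"$1" <<EOF
%echo Generating certify-only master key
Key-Type: RSA
Key-Length: $4
Key-Usage: cert
Name-Real: $2
Name-Email: $3
Expire-Date: 2y
Passphrase: $5
%commit
%echo done
EOF
}

# Fresh GNUPGHOME whose gpg-agent lets the script supply the passphrase over a
# loopback pinentry and caches it for an hour. Prints the directory; the caller
# does `GNUPGHOME=$(init_home); export GNUPGHOME`.
init_home() {
    home=$(mktemp -d) || return 1
    chmod 700 "$home"
    cat >"$home/gpg-agent.conf" <<EOF
allow-loopback-pinentry
default-cache-ttl 3600
max-cache-ttl 7200
EOF
    printf '%s\n' "$home"
}

# Fingerprint of the primary secret key: field 10 of the first "fpr" record.
master_fpr() {
    gpg --batch --with-colons --list-secret-keys 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Number of subkeys on the certificate with fingerprint $1.
subkey_count() {
    gpg --batch --with-colons --list-keys "$1" 2>/dev/null | grep -c '^sub:'
}

# Unattended workflow. $1 = output dir (removable media on the Live CD),
# $2 = name, $3 = e-mail, $4 = key length, $5 = passphrase.
# Prints the master fingerprint; returns non-zero on any failure.
offline_keygen() {
    out=$1; name=$2; mail=$3; len=$4; pass=$5
    mkdir -p "$out" || return 1
    write_params "$GNUPGHOME/params" "$name" "$mail" "$len" "$pass"
    gpg --batch --pinentry-mode loopback --gen-key "$GNUPGHOME/params" 2>/dev/null \
        || { rm -f "$GNUPGHOME/params"; return 1; }
    rm -f "$GNUPGHOME/params"           # do not leave the passphrase on disk
    fpr=$(master_fpr); [ -n "$fpr" ] || return 1
    # Subkeys for signing, encryption and authentication (the latter is what a
    # smartcard SSH setup uses). The passphrase arrives on fd 0 each call.
    for usage in sign encrypt auth; do
        printf '%s\n' "$pass" | gpg --batch --pinentry-mode loopback --passphrase-fd 0 \
            --quick-add-key "$fpr" "rsa$len" "$usage" 1y 2>/dev/null || return 1
    done
    # What leaves the clean room: public key, secret *subkeys* only (the master
    # stays offline), and the revocation certificate GnuPG 2.1 writes to
    # openpgp-revocs.d at creation. That file guards its BEGIN line with a
    # leading colon which must be removed before it can be imported.
    gpg --batch --yes --armor --output "$out/public.asc" --export "$fpr" || return 1
    printf '%s\n' "$pass" | gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 \
        --armor --output "$out/subkeys.asc" --export-secret-subkeys "$fpr" || return 1
    cp "$GNUPGHOME/openpgp-revocs.d/$fpr.rev" "$out/revoke.asc" || return 1
    printf '%s\n' "$fpr"
}

# True when a GnuPG 2.x `gpg` and gpg-agent are on PATH (1.4 lacks --quick-add-key).
have_gpg2() {
    command -v gpg >/dev/null 2>&1 && command -v gpg-agent >/dev/null 2>&1 || return 1
    gpg --version 2>/dev/null | head -n1 | grep -q ' 2\.'
}

# Usage from the Live CD script (not executed here):
#   GNUPGHOME=$(init_home); export GNUPGHOME
#   fpr=$(offline_keygen /media/usb/keys "Jane Doe" jane@example.org 4096 "$passphrase")
```

A GUI front end (whiptail or otherwise) only has to collect the passphrase once and hand it to these functions; gpg-agent's cache covers the rest of the session, and `gpgconf --kill gpg-agent` at the end of the workflow drops it before the media is unmounted.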
From: Alexander.Strobel at giepa.de (Alexander Strobel) Date: Tue, 26 Apr 2016 10:20:37 +0200 Subject: (OT) gpgme-sharp API missing In-Reply-To: <18410647619.20160425140702@riseup.net> References: <5718149E.4090703@sixdemonbag.org> <571DCB69.80905@giepa.de> <571DE4FB.4040807@digitalbrains.com> <571E0E32.8010407@giepa.de> <18410647619.20160425140702@riseup.net> Message-ID: <571F24D5.2050604@giepa.de> On 25.04.2016 at 15:07, MFPA wrote: >> Strangely enough, even until today it does not show >> up in my inbox... > > If the same applies to all three of your messages, I suggest checking > your subscription options at > . You might have > the option to receive a copy of your own posts turned off. Thank you for the hint. It was a problem with this single email only. All other emails showed up in the past. Best regards Alex Strobel www.gpg4o.com From paolo.bolzoni.brown at gmail.com Tue Apr 26 10:46:12 2016 From: paolo.bolzoni.brown at gmail.com (Paolo Bolzoni) Date: Tue, 26 Apr 2016 10:46:12 +0200 Subject: Is there a foolproof tutorial to start with gpgme? Message-ID: Dear list, gpgme is very interesting, but it appears quite daunting to start from the documentation alone. Is there some ready-to-compile example somewhere with easy tasks like signature checking or compiling? Cheers, Paolo From lachlan at twopif.net Tue Apr 26 11:23:42 2016
From: lachlan at twopif.net (Lachlan Gunn) Date: Tue, 26 Apr 2016 18:53:42 +0930 Subject: making a Debian Live CD for managing GnuPG master key and smartcards In-Reply-To: <571F1E62.30203@pocock.pro> References: <571F1E62.30203@pocock.pro> Message-ID: <571F339E.7050309@twopif.net> > There has been some discussion on debian-devel[1] about making a > bootable Debian Live CD specifically for GnuPG I have thought for a while that something like this would be a good idea, it's been sitting on the list of things to have a go at for a while, so I'm glad to see that someone is actually doing it. It could be useful to include other kinds of key management than GnuPG, e.g. for code-signing. Maybe not shown to the user in the first instance, but it seems like a good idea to have it in the image. > - would anybody else like to suggest improvements to the workflow? I realise it's a livecd, but I would suggest explicitly banishing anything resembling swap support from the image if possible. I also think that insisting that the user print a revocation cert before continuing is a bit harsh; I don't have a printer connected to my airgapped machine, for example, but since I have multiple backups of the private key I'm not too worried. As far as smartcards, that PKCS#11 tool hasn't had a release since 2011 according to its website. In any case, even if you do get it working then ultimately you have to use whatever type the user has in the reader, which at the moment is essentially always an OpenPGP card. Plus as I understand it you need to distribute all of the per-card drivers for PKCS#11, which tend to be non-free. I think this may be offtopic, but one related thing that I'd also like to look into at some point is whether one can use SELinux to do red/black-separation style stuff. 
Since this livecd is only really meant for signing it isn't terribly useful, I don't think, unless you wanted to do something like prevent exported private keys from being written to non-special media for example. Thanks, Lachlan From lachlan at twopif.net Tue Apr 26 11:44:12 2016 From: lachlan at twopif.net (Lachlan Gunn) Date: Tue, 26 Apr 2016 19:14:12 +0930 Subject: making a Debian Live CD for managing GnuPG master key and smartcards In-Reply-To: <571F339E.7050309@twopif.net> References: <571F1E62.30203@pocock.pro> <571F339E.7050309@twopif.net> Message-ID: <571F386C.1030903@twopif.net> >> - would anybody else like to suggest improvements to the workflow? One thing that I forgot to mention is that it would be good to have some way to copy master keys to new media or to rewrite them to existing ones. This could be prompted if some but not all disks have master keys for example. Automatic extension of the expiry dates should catch cases where the key has been corrupted, but if it can be disabled then it might be a good idea to check them. I can't remember the exact details of how expiration dates work with subkeys so you may need to do this yourself anyway. Anyway, thanks again for having gotten the ball rolling on this, if I get some time I'd be keen to lend a hand. Thanks, Lachlan From dashohoxha at gmail.com Tue Apr 26 12:52:47 2016 
From: dashohoxha at gmail.com (Dashamir Hoxha) Date: Tue, 26 Apr 2016 12:52:47 +0200 Subject: making a Debian Live CD for managing GnuPG master key and smartcards In-Reply-To: <571F1E62.30203@pocock.pro> References: <571F1E62.30203@pocock.pro> Message-ID: On Tue, Apr 26, 2016 at 9:53 AM, Daniel Pocock wrote: > > There has been some discussion on debian-devel[1] about making a > bootable Debian Live CD specifically for GnuPG > > The benefit is that everything on the CD is self-contained, it can't be > tampered with, it can run without network support in the kernel and the > workflow would be controlled by a script. All the details, including > workflow, are described in a wiki[2] > > I have some questions about this: > > - has anybody already seen anything like this? Nobody likes > re-inventing the wheel > > - can we call all the necessary GnuPG commands from a script without the > user interacting directly with GnuPG, using "--batch" / unattanded > operation? The sequence of commands involved would be similar to this > blog[3] > > - what would be the preferred way for the GUI to obtain and keep the > master key passphrase without prompting the user to re-enter it for > every operation? > > - would anybody else like to suggest improvements to the workflow? > A project similar in goals (simplifying GnuPG by automating tasks and emphasising best practices) is this one: https://github.com/dashohoxha/egpg You can find the answer to some of the questions above by looking at its code. But I really think that you can incorporate it in your project, maybe extending it with new workflows that it doesn't have yet (related to using smartcards etc.). In my opinion, the first thing to be done is to build a .deb package for it, so that it can be installed easily on all Debian derived systems, then you can also use it in your special Live CD system. 
This is the task about it: https://github.com/dashohoxha/egpg/issues/19 From daniel at pocock.pro Tue Apr 26 13:16:18 2016
From: daniel at pocock.pro (Daniel Pocock) Date: Tue, 26 Apr 2016 13:16:18 +0200 Subject: making a Debian Live CD for managing GnuPG master key and smartcards In-Reply-To: References: <571F1E62.30203@pocock.pro> Message-ID: <571F4E02.1080100@pocock.pro> On 26/04/16 12:52, Dashamir Hoxha wrote: > On Tue, Apr 26, 2016 at 9:53 AM, Daniel Pocock > wrote: > > > There has been some discussion on debian-devel[1] about making a > bootable Debian Live CD specifically for GnuPG > > The benefit is that everything on the CD is self-contained, it can't be > tampered with, it can run without network support in the kernel and the > workflow would be controlled by a script. All the details, including > workflow, are described in a wiki[2] > > I have some questions about this: > > - has anybody already seen anything like this? Nobody likes > re-inventing the wheel > > - can we call all the necessary GnuPG commands from a script without the > user interacting directly with GnuPG, using "--batch" / unattanded > operation? The sequence of commands involved would be similar to this > blog[3] > > - what would be the preferred way for the GUI to obtain and keep the > master key passphrase without prompting the user to re-enter it for > every operation? > > - would anybody else like to suggest improvements to the workflow? > > > A project similar in goals (simplifying GnuPG by automating tasks and > emphasising best practices) is this one: https://github.com/dashohoxha/egpg > You can find the answer to some of the questions above by looking at its > code. > But I really think that you can incorporate it in your project, maybe > extending it with new workflows that it doesn't have yet (related to > using smartcards etc.). > > In my opinion, the first thing to be done is to build a .deb package for > it, so that it can be installed easily on all Debian derived systems, > then you can also use it in your special Live CD system. 
> This is the task about it: https://github.com/dashohoxha/egpg/issues/19 > Thanks for pointing this out Could you add a section to the wiki about this, with an itemized list of the tasks that need to be done, e.g.
* packaging egpg and uploading to Debian
* anybody can upload it to https://mentors.debian.net for a DD to sponsor
* creating whiptail front-end for egpg
* creating smartcard support for egpg
Please add any other individual tasks that would be necessary Regards, Daniel From peter at digitalbrains.com Tue Apr 26 13:32:42 2016
From: peter at digitalbrains.com (Peter Lebbing) Date: Tue, 26 Apr 2016 13:32:42 +0200 Subject: making a Debian Live CD for managing GnuPG master key and smartcards In-Reply-To: References: <571F1E62.30203@pocock.pro> Message-ID: <571F51DA.8060809@digitalbrains.com> On 26/04/16 12:52, Dashamir Hoxha wrote: > A project similar in goals (simplifying GnuPG by automating tasks and > emphasising best practices) is this one: https://github.com/dashohoxha/egpg > You can find the answer to some of the questions above by looking at its > code. I think you are taking the "plugging my project" approach too far. While generating exposure is definitely a good component of making your project successful, I think a bit more modesty is in order. If I had a say in it: Just create your own threads (not too many please :), don't mention your project in every thread where it has some common ground. This is my personal opinion. I don't get to say what you do. But I feel the need to express this opinion now. Regarding your choice of words and also modesty, the answers to the questions are not in your code. Your /opinions/ on the matter are in your code. You do not get to decide what is truth, what is the answer. Incidentally, the answer is 42, so you're late to the party... ;P I hadn't even read the following until I almost trimmed it from the mail and it caught my eye... so ... > In my opinion, the first thing to be done is to build a .deb package for > it, so that it can be installed easily on all Debian derived systems, > then you can also use it in your special Live CD system. > This is the task about it: https://github.com/dashohoxha/egpg/issues/19 Wait, wait, wait... I sincerely hope you're not suggesting that the first thing Daniel Pocock and others need to do is build a .deb package for your project, that instead you meant this to read as "the first thing /I/ should do is build a .deb package for egpg", so that they can play with your code. 
I wouldn't even agree with the latter; but the former is just... I hope you can pick your own adjective. Cheers, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From dashohoxha at gmail.com Tue Apr 26 14:16:42 2016 From: dashohoxha at gmail.com (Dashamir Hoxha) Date: Tue, 26 Apr 2016 14:16:42 +0200 Subject: making a Debian Live CD for managing GnuPG master key and smartcards In-Reply-To: <571F4E02.1080100@pocock.pro> References: <571F1E62.30203@pocock.pro> <571F4E02.1080100@pocock.pro> Message-ID: On Tue, Apr 26, 2016 at 1:16 PM, Daniel Pocock wrote: > > Could you add a section to the wiki about this, with an itemized list of > the tasks that need to be done, e.g. > > * packaging egpg and uploading to Debian > * anybody can upload it to https://mentors.debian.net for a DD to > sponsor > * creating whiptail front-end for egpg > * creating smartcard support for egpg > > Please add any other individual tasks that would be necessary > I manage the tasks of the project on GitHub: https://github.com/dashohoxha/egpg/issues From daniel at pocock.pro Tue Apr 26 14:20:40 2016
From: daniel at pocock.pro (Daniel Pocock) Date: Tue, 26 Apr 2016 14:20:40 +0200 Subject: making a Debian Live CD for managing GnuPG master key and smartcards In-Reply-To: References: <571F1E62.30203@pocock.pro> <571F4E02.1080100@pocock.pro> Message-ID: <571F5D18.30901@pocock.pro> On 26/04/16 14:16, Dashamir Hoxha wrote: > On Tue, Apr 26, 2016 at 1:16 PM, Daniel Pocock > wrote: > > Could you add a section to the wiki about this, with an itemized list of > the tasks that need to be done, e.g. > > * packaging egpg and uploading to Debian > * anybody can upload it to https://mentors.debian.net for a DD to > sponsor > * creating whiptail front-end for egpg > * creating smartcard support for egpg > > Please add any other individual tasks that would be necessary > > > I manage the tasks of the project on GitHub: > https://github.com/dashohoxha/egpg/issues > You can use the wiki to link to the Github tasks that are relevant to using egpg in the Live CD, you don't have to copy the details of each task, just link to them From dashohoxha at gmail.com Tue Apr 26 14:23:30 2016 From: dashohoxha at gmail.com (Dashamir Hoxha) Date: Tue, 26 Apr 2016 14:23:30 +0200 Subject: making a Debian Live CD for managing GnuPG master key and smartcards In-Reply-To: <571F51DA.8060809@digitalbrains.com> References: <571F1E62.30203@pocock.pro> <571F51DA.8060809@digitalbrains.com> Message-ID: On Tue, Apr 26, 2016 at 1:32 PM, Peter Lebbing wrote: > > I think you are taking the "plugging my project" approach too far. While > generating exposure is definitely a good component of making your > project succesful, I think a bit more modesty is in order. If I had a > Peter, I already know your opinion on my project and my modesty, you don't have to bash every message that I write. I hope that you will tolerate my lack of modesty, what else can I do? Cheers, Dashamir From dashohoxha at gmail.com Tue Apr 26 14:24:34 2016
From: dashohoxha at gmail.com (Dashamir Hoxha) Date: Tue, 26 Apr 2016 14:24:34 +0200 Subject: making a Debian Live CD for managing GnuPG master key and smartcards In-Reply-To: <571F5D18.30901@pocock.pro> References: <571F1E62.30203@pocock.pro> <571F4E02.1080100@pocock.pro> <571F5D18.30901@pocock.pro> Message-ID: On Tue, Apr 26, 2016 at 2:20 PM, Daniel Pocock wrote: > > > I manage the tasks of the project on GitHub: > > https://github.com/dashohoxha/egpg/issues > > > > You can use the wiki to link to the Github tasks that are relevant to > using epgp in the Live CD, you don't have to copy the details of each > task, just link to them > It doesn't seem reasonable to me. From peter at digitalbrains.com Tue Apr 26 14:52:28 2016
From: peter at digitalbrains.com (Peter Lebbing) Date: Tue, 26 Apr 2016 14:52:28 +0200 Subject: making a Debian Live CD for managing GnuPG master key and smartcards In-Reply-To: References: <571F1E62.30203@pocock.pro> <571F51DA.8060809@digitalbrains.com> Message-ID: <571F648C.5090504@digitalbrains.com> On 26/04/16 14:23, Dashamir Hoxha wrote: > Peter, I already know your opinion on my project and my modesty, > you don't have to bash every message that I write. Quote or it didn't happen. I think I've treated you respectfully, though I already noted my first reply to your first message here could have been framed nicer. But that was the single exception. The respect is starting to evaporate a bit at the moment, though. Besides, I haven't spent much time on a lot of your messages, let alone respond to every one of them or anything near such a thing. > I hope that you will tolerate my lack of modesty, what else can I do? Not impose extra work on random people[1], put your personal opinions in proper perspective and represent your project as what it is, i.e., a brand-spanking-new piece of code, one developer and a very small user base? Or am I also wrong about that? By the way, if I disagree with advice you give others here, such as here advising to include your tool on the live CD, or the other day pointing a new user to some webpage claiming he needed something more than the default settings and do difficult stuff without knowing anything about their requirements other than that they were already having some difficulty with GnuPG in the first place, I will say so. Even if it takes a ridiculously long sentence that should probably be split into proper parts. And I do it without bashing your messages, even though you seem to take it personally. Peter. [1] I'm thinking of suggesting to someone they translate your project when this person clearly indicates they'd like to reach a broad user base with the effort they spend on that, and other instances. 
-- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From dashohoxha at gmail.com Tue Apr 26 15:05:50 2016 From: dashohoxha at gmail.com (Dashamir Hoxha) Date: Tue, 26 Apr 2016 15:05:50 +0200 Subject: making a Debian Live CD for managing GnuPG master key and smartcards In-Reply-To: <571F648C.5090504@digitalbrains.com> References: <571F1E62.30203@pocock.pro> <571F51DA.8060809@digitalbrains.com> <571F648C.5090504@digitalbrains.com> Message-ID: On Tue, Apr 26, 2016 at 2:52 PM, Peter Lebbing wrote: > > And I do it without bashing your messages, even though you > seem to take it personal. > Please keep the discussion technical. If you don't agree with me this is fine. But when you express your opinion about my lack of modesty, this is getting personal. And I don't care about your personal opinion about me, whoever you are. Respectfully, Dashamir -------------- next part -------------- An HTML attachment was scrubbed... URL: From rjh at sixdemonbag.org Tue Apr 26 15:11:29 2016 
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 26 Apr 2016 09:11:29 -0400 Subject: making a Debian Live CD for managing GnuPG master key and smartcards In-Reply-To: <571F51DA.8060809@digitalbrains.com> References: <571F1E62.30203@pocock.pro> <571F51DA.8060809@digitalbrains.com> Message-ID: <571F6901.5000105@sixdemonbag.org> > Wait, wait, wait... I sincerely hope you're not suggesting that the > first thing Daniel Pocock and others need to do is build a .deb package > for your project, that instead you meant this to read as "the first > thing /I/ should do is build a .deb package for egpg", so that they can > play with your code. I wouldn't even agree with the latter; but the > former is just... I hope you can pick your own adjective. I'd like to make it clear that I'm not talking about Dashamir here. What I'm saying here applies more broadly to libre software in general. The libre community is a reputation culture. People keep track of how much others give (and how valuable it is) and use that to determine how much to give back (and how valuable it'll be). Well-managed projects (GitHub pages, build environments, bug trackers, etc.) enjoy more reputation than poorly-managed projects, and benevolent dictators for life enjoy more reputation than tyrannical martinets. When asking other people to do things for you, it pays to keep in mind how valuable the community has deemed your contributions. If you haven't earned much reputation, you might want to do that before you go about asking people to do things for you. Just my two cents' worth. :) From worzel at gmx.co.uk Tue Apr 26 14:47:40 2016 
From: worzel at gmx.co.uk (Ian Prideaux) Date: Tue, 26 Apr 2016 13:47:40 +0100 Subject: Import a pkcs12 certificate chain Message-ID: <571F636C.6070504@gmx.co.uk> Hi All, I've got a system which exchanges files with third parties. One of them requires that the key is generated from a certificate. I create the CSR and get it signed by a CA. I then create a pkcs12 file containing the CA's root & intermediate certificates, and the certificate that they created from my CSR. We then send our certificate to the third party. Currently, I'm using PGP Command Line 10.2 build 335 Copyright (C) 2011 Symantec Corporation but I want to start using gpg (GnuPG) 2.0.27 libgcrypt 1.5.3 because that's what's supplied in Solaris11u3. The Symantec command is: pgp --new-passphrase newpp --passphrase oldpp --import CertificateChain.p12 However, I can't figure out what the gpg2 command is, or even if gnupg is capable of this. I don't really understand what this is achieving that ordinary keys don't. Please can someone help? Thanks. From rjh at sixdemonbag.org Tue Apr 26 15:37:49 2016 
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 26 Apr 2016 09:37:49 -0400 Subject: making a Debian Live CD for managing GnuPG master key and smartcards In-Reply-To: References: <571F1E62.30203@pocock.pro> <571F51DA.8060809@digitalbrains.com> <571F648C.5090504@digitalbrains.com> Message-ID: <571F6F2D.7080507@sixdemonbag.org> > Please keep the discussion technical. If you don't agree with me > this is fine. But when you express your opinion about my lack of > modesty, this is getting personal. He can't do that, shouldn't do that, shouldn't even want to do that. You're a human being, not a machine. You deserve to be treated as a person, not as a system of inputs and outputs. Ideas should be criticized or praised purely on a technical basis, but people should be criticized or praised purely on a *human* basis. I've looked over your egpg code. My bloodless technical evaluation is simple: "it is nowhere near ready for production environments." And I think if you read over the other technical criticisms you've received, you'll see this is pretty much a consensus opinion. By your own admission, it has not received any kind of peer review or independent code audit. And yet, you feel it's appropriate to recommend to the Debian folks they put this code on a live CD image they intend for use in high-risk environments, *and* you think they should put together a .deb package for you. That you believe your project is ready for inclusion into a live CD image meant for hostile environments is, I think, enough to make me question your wisdom. And that *is* a personal judgment, and I make no apologies for that. From dashohoxha at gmail.com Tue Apr 26 15:40:25 2016 
From: dashohoxha at gmail.com (Dashamir Hoxha) Date: Tue, 26 Apr 2016 15:40:25 +0200 Subject: making a Debian Live CD for managing GnuPG master key and smartcards In-Reply-To: <571F6901.5000105@sixdemonbag.org> References: <571F1E62.30203@pocock.pro> <571F51DA.8060809@digitalbrains.com> <571F6901.5000105@sixdemonbag.org> Message-ID: On Tue, Apr 26, 2016 at 3:11 PM, Robert J. Hansen wrote: > > When asking other people to do things for you, it pays to keep in mind > how valuable the community has deemed your contributions. If you > haven't earned much reputation, you might want to do that before you go > about asking people to do things for you. > Thanks Robert, it does make sense. What you said is definitely true. I have no power to force people to do something for me. But I have the right to say what I think should be done (up to my understanding). I cannot build a DEB package and I am not going to do that. But I can ask other people to do it... if they can, if they wish, if they find it reasonable, if they find it useful, etc. It is up to them to make their decision... which will not affect me either way. -------------- next part -------------- An HTML attachment was scrubbed... URL: From worzel at gmx.co.uk Tue Apr 26 15:01:10 2016 
From: worzel at gmx.co.uk (Ian Prideaux) Date: Tue, 26 Apr 2016 14:01:10 +0100 Subject: Import a pkcs12 certificate chain In-Reply-To: <571F636C.6070504@gmx.co.uk> References: <571F636C.6070504@gmx.co.uk> Message-ID: <571F6696.6040301@gmx.co.uk> > We then send our certificate to the third party > I was wrong. We don't send them the certificate, we send them the public key generated when the certificate chain is imported. What does all the extra messing about with certificates achieve, and how can I get gnupg to do it? Thanks. On 26/04/16 13:47, Ian Prideaux wrote: > Hi All, > > I've got a system which exchanges files with third parties. One of them > requires that the key is generated from a certificate. I create the CSR > and get it signed by a CA. I then create a pkcs12 file containing the > CA's root & intermediate certificates, and the certificate that they > created from my CSR. We then send our certificate to the third party. > > Currently, I'm using > PGP Command Line 10.2 build 335 Copyright (C) 2011 Symantec Corporation > but I want to start using > gpg (GnuPG) 2.0.27 libgcrypt 1.5.3 > because that's what's supplied in Solaris11u3. > > The Symantec command is: > pgp --new-passphrase newpp --passphrase oldpp --import CertificateChain.p12 > > However, I can't figure out what the gpg2 command is, or even if gnupg > is capable of this. I don't really understand what this is achieving > that ordinary keys don't. > > Please can someone help? > > Thanks. > > > > > > > From peter at digitalbrains.com Tue Apr 26 15:43:09 2016 
From: peter at digitalbrains.com (Peter Lebbing) Date: Tue, 26 Apr 2016 15:43:09 +0200 Subject: making a Debian Live CD for managing GnuPG master key and smartcards In-Reply-To: References: <571F1E62.30203@pocock.pro> <571F51DA.8060809@digitalbrains.com> <571F648C.5090504@digitalbrains.com> Message-ID: <571F706D.8040203@digitalbrains.com> On 26/04/16 15:05, Dashamir Hoxha wrote: > Please keep the discussion technical. If you don't agree with me > this is fine. But when you express your opinion about my lack of > modesty, this is getting personal. This is not true: you are taking the word modesty out of the context I used it in. > And I don't care about your personal opinion about me, whoever you > are. What you care about affects only you, and you can do to yourself whatever you wish. I only butt in when it affects others. I've also never until the previous message said anything about my personal opinion of you ("respect evaporating a bit"), since it is, indeed, irrelevant. You are inventing your own version of me, someone whose responses are emotionally motivated, a version that has little basis in reality. I'm done with this topic. After some doubt, I will post this to the list, though. Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From dgouttegattat at incenp.org Tue Apr 26 16:09:45 2016 
From: dgouttegattat at incenp.org (Damien Goutte-Gattat) Date: Tue, 26 Apr 2016 16:09:45 +0200 Subject: Import a pkcs12 certificate chain In-Reply-To: <571F636C.6070504@gmx.co.uk> References: <571F636C.6070504@gmx.co.uk> Message-ID: <234edccf-5749-da68-c91d-7171b805e82c@incenp.org> On 04/26/2016 02:47 PM, Ian Prideaux wrote: > The Symantec command is: pgp --new-passphrase newpp --passphrase > oldpp --import CertificateChain.p12 > > However, I can't figure out what the gpg2 command is, or even if > gnupg is capable of this. I am not sure I understand your workflow and what you want to achieve exactly. But, as a starting point, you must know that the gpg2 program only deals with OpenPGP keys and messages. To manipulate X.509 certificates, you need gpgsm (another component of the GnuPG project) instead. Presumably, the command you need should be $ gpgsm --import CertificateChain.p12 to import the certificate and key from the PKCS#12 file into your keyring. Then you would probably use the --export command to export back the certificate only and send it to your third party. Hope that helps somehow, Damien -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From daniel at pocock.pro Tue Apr 26 16:57:16 2016 
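The gpgsm workflow Damien points at, as an added end-to-end example that is not code from the thread or from GnuPG's own documentation. A throwaway root and intermediate CA are created with openssl so the script runs offline; the leaf key and CSR are generated the way the original poster does it; the CA-signed certificate is bundled with the chain into a PKCS#12 file protected by the passphrase oldpp from the Symantec command line; the bundle is then imported with gpgsm rather than gpg. Every subject, file name and passphrase here is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: build a PKCS#12 bundle holding a
# leaf key + certificate + CA chain, inspect it, and import it with gpgsm.
# Subjects, file names and the passphrase "oldpp" are constructed for the demo.
set -eu

# Create root -> intermediate -> leaf under $1 and write CertificateChain.p12.
make_test_chain() {
    dir=$1
    mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > "$dir/leaf.ext"

    # Self-signed root CA (stands in for the third party's CA).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj /CN=Demo-Root \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
    # Intermediate CA signed by the root.
    openssl req -newkey rsa:2048 -nodes -subj /CN=Demo-Intermediate \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$dir/int.csr" -CA "$dir/root.crt" \
        -CAkey "$dir/root.key" -CAcreateserial -extfile "$dir/ca.ext" \
        -out "$dir/int.crt" 2>/dev/null

    # The poster's part: generate a key, make a CSR, get it signed. The key
    # exists before the certificate; the certificate only binds it to a
    # name under the CA's signature.
    openssl req -newkey rsa:2048 -nodes -subj /CN=Demo-Leaf \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$dir/leaf.csr" -CA "$dir/int.crt" \
        -CAkey "$dir/int.key" -CAcreateserial -extfile "$dir/leaf.ext" \
        -out "$dir/leaf.crt" 2>/dev/null

    # Bundle private key + leaf cert + chain, encrypted under "oldpp".
    cat "$dir/int.crt" "$dir/root.crt" > "$dir/chain.pem"
    openssl pkcs12 -export -inkey "$dir/leaf.key" -in "$dir/leaf.crt" \
        -certfile "$dir/chain.pem" -passout pass:oldpp \
        -out "$dir/CertificateChain.p12"
}

# Count the certificates in PKCS#12 file $1 given its passphrase $2.
# Prints 0 on a wrong passphrase instead of aborting the script.
count_p12_certs() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

# Import key and chain into GnuPG's X.509 side. gpg only speaks OpenPGP;
# gpgsm asks for the PKCS#12 passphrase and then for a new one that
# protects the key in gpg-agent's private-keys-v1.d. The chain
# certificates are imported into the gpgsm keybox as well.
import_into_gpgsm() {
    gpgsm --import "$1"
    gpgsm --list-secret-keys
}

# Export only the certificate (PEM, no private key) for the third party.
# $1 is the fingerprint shown by --list-secret-keys, $2 the output file.
export_cert_for_partner() {
    gpgsm --armor --export "$1" > "$2"
}

# Demo run: sh this.sh demo
if [ "${1:-}" = demo ]; then
    work=$(mktemp -d)
    make_test_chain "$work"
    echo "certificates in bundle: $(count_p12_certs "$work/CertificateChain.p12" oldpp)"
    import_into_gpgsm "$work/CertificateChain.p12"
fi
```

Two things worth checking in practice: gpg (OpenPGP) and gpgsm (X.509/CMS) keep separate stores, so `gpg --import` of a .p12 fails by design, and what the third party calls "the public key" is, in X.509 terms, the certificate that `gpgsm --export` produces, which can be handed over without the private key ever leaving the box. If an older gpgsm rejects the bundle, re-create it with `openssl pkcs12 -export ... -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES` so it uses the legacy PKCS#12 ciphers rather than the AES defaults of OpenSSL 3.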
From: daniel at pocock.pro (Daniel Pocock) Date: Tue, 26 Apr 2016 16:57:16 +0200 Subject: making a Debian Live CD for managing GnuPG master key and smartcards In-Reply-To: References: <571F1E62.30203@pocock.pro> <571F51DA.8060809@digitalbrains.com> <571F6901.5000105@sixdemonbag.org> Message-ID: <571F81CC.2040904@pocock.pro> On 26/04/16 15:40, Dashamir Hoxha wrote: > On Tue, Apr 26, 2016 at 3:11 PM, Robert J. Hansen > wrote: > > When asking other people to do things for you, it pays to keep in mind > how valuable the community has deemed your contributions. If you > haven't earned much reputation, you might want to do that before you go > about asking people to do things for you. > > > Thanks Robert, it does make sense. What you said is definitely true. > I have no power to force people to do something for me. But I have the right > to say what I think should be done (up to my understanding). > I cannot build a DEB package and I am not going to do that. But I can ask > other people to do it... if they can, if they wish, if they find it > reasonable, > if they find it useful, etc. It is up to them to make their decision... > which will > not affect me either way. > Yes, you can do that, in Debian you can file an RFP bug: https://wiki.debian.org/RFP If other people are interested in your package they will discover the bug report and collaborate to make a package. You said you cannot build a package, well, Debian is 100% open and transparent, our full packaging documentation is online: https://wiki.debian.org/IntroDebianPackaging and various references are at the bottom You don't have to be a Debian Developer, anybody on the Internet can register with https://mentors.debian.net and upload a package they created: http://mentors.debian.net/ Regards, Daniel From dashohoxha at gmail.com Tue Apr 26 17:29:46 2016 
From: dashohoxha at gmail.com (Dashamir Hoxha) Date: Tue, 26 Apr 2016 17:29:46 +0200 Subject: making a Debian Live CD for managing GnuPG master key and smartcards In-Reply-To: <571F81CC.2040904@pocock.pro> References: <571F1E62.30203@pocock.pro> <571F51DA.8060809@digitalbrains.com> <571F6901.5000105@sixdemonbag.org> <571F81CC.2040904@pocock.pro> Message-ID: On Tue, Apr 26, 2016 at 4:57 PM, Daniel Pocock wrote: > > > On 26/04/16 15:40, Dashamir Hoxha wrote: > > On Tue, Apr 26, 2016 at 3:11 PM, Robert J. Hansen > > wrote: > > > > When asking other people to do things for you, it pays to keep in > mind > > how valuable the community has deemed your contributions. If you > > haven't earned much reputation, you might want to do that before you > go > > about asking people to do things for you. > > > > > > Thanks Robert, it does make sense. What you said is definitely true. > > I have no power to force people to do something for me. But I have the > right > > to say what I think should be done (up to my understanding). > > I cannot build a DEB package and I am not going to do that. But I can ask > > other people to do it... if they can, if they wish, if they find it > > reasonable, > > if they find it useful, etc. It is up to them to make their decision... > > which will > > not affect me either way. > > > > Yes, you can do that, in Debian you can file an RFP bug: > > https://wiki.debian.org/RFP > > If other people are interested in your package they will discover the > bug report and collaborate to make a package. > > You said you cannot build a package, well, Debian is 100% open and > transparent, our full packaging documentation is online: > > https://wiki.debian.org/IntroDebianPackaging > > and various references are at the bottom > > You don't have to be a Debian Developer, anybody on the Internet can > register with https://mentors.debian.net and upload a package they > created: > > http://mentors.debian.net/ I don't want to do that. 
It doesn't seem reasonable to me. On the other hand, EasyGnuPG is free software, anybody (that finds it useful) can build a DEB package from it. Regards, Dashamir -------------- next part -------------- An HTML attachment was scrubbed... URL: From daniel at pocock.pro Tue Apr 26 17:31:56 2016 
From: daniel at pocock.pro (Daniel Pocock) Date: Tue, 26 Apr 2016 17:31:56 +0200 Subject: making a Debian Live CD for managing GnuPG master key and smartcards In-Reply-To: References: <571F1E62.30203@pocock.pro> <571F51DA.8060809@digitalbrains.com> <571F6901.5000105@sixdemonbag.org> <571F81CC.2040904@pocock.pro> Message-ID: <571F89EC.7040408@pocock.pro> On 26/04/16 17:29, Dashamir Hoxha wrote: > On Tue, Apr 26, 2016 at 4:57 PM, Daniel Pocock > wrote: > > > > On 26/04/16 15:40, Dashamir Hoxha wrote: > > On Tue, Apr 26, 2016 at 3:11 PM, Robert J. Hansen > > >> wrote: > > > > When asking other people to do things for you, it pays to keep in mind > > how valuable the community has deemed your contributions. If you > > haven't earned much reputation, you might want to do that before you go > > about asking people to do things for you. > > > > > > Thanks Robert, it does make sense. What you said is definitely true. > > I have no power to force people to do something for me. But I have the right > > to say what I think should be done (up to my understanding). > > I cannot build a DEB package and I am not going to do that. But I can ask > > other people to do it... if they can, if they wish, if they find it > > reasonable, > > if they find it useful, etc. It is up to them to make their decision... > > which will > > not affect me either way. > > > > Yes, you can do that, in Debian you can file an RFP bug: > > https://wiki.debian.org/RFP > > If other people are interested in your package they will discover the > bug report and collaborate to make a package. 
> > You said you cannot build a package, well, Debian is 100% open and > transparent, our full packaging documentation is online: > > https://wiki.debian.org/IntroDebianPackaging > > and various references are at the bottom > > You don't have to be a Debian Developer, anybody on the Internet can > register with https://mentors.debian.net and upload a package they > created: > > http://mentors.debian.net/ > > > I don't want to do that. It doesn't seem reasonable to me. Can you please tell me what you mean when you say "It doesn't seem reasonable to me"? Alternatively, what would be reasonable? From paolo.bolzoni.brown at gmail.com Tue Apr 26 17:32:59 2016 
From: paolo.bolzoni.brown at gmail.com (Paolo Bolzoni) Date: Tue, 26 Apr 2016 17:32:59 +0200 Subject: making a Debian Live CD for managing GnuPG master key and smartcards In-Reply-To: <571F89EC.7040408@pocock.pro> References: <571F1E62.30203@pocock.pro> <571F51DA.8060809@digitalbrains.com> <571F6901.5000105@sixdemonbag.org> <571F81CC.2040904@pocock.pro> <571F89EC.7040408@pocock.pro> Message-ID: I am kinda lost, what is the topic again? On Tue, Apr 26, 2016 at 5:31 PM, Daniel Pocock wrote: > > > On 26/04/16 17:29, Dashamir Hoxha wrote: >> On Tue, Apr 26, 2016 at 4:57 PM, Daniel Pocock > > wrote: >> >> >> >> On 26/04/16 15:40, Dashamir Hoxha wrote: >> > On Tue, Apr 26, 2016 at 3:11 PM, Robert J. Hansen >> > >> wrote: >> > >> > When asking other people to do things for you, it pays to keep in mind >> > how valuable the community has deemed your contributions. If you >> > haven't earned much reputation, you might want to do that before you go >> > about asking people to do things for you. >> > >> > >> > Thanks Robert, it does make sense. What you said is definitely true. >> > I have no power to force people to do something for me. But I have the right >> > to say what I think should be done (up to my understanding). >> > I cannot build a DEB package and I am not going to do that. But I can ask >> > other people to do it... if they can, if they wish, if they find it >> > reasonable, >> > if they find it useful, etc. It is up to them to make their decision... >> > which will >> > not affect me either way. >> > >> >> Yes, you can do that, in Debian you can file an RFP bug: >> >> https://wiki.debian.org/RFP >> >> If other people are interested in your package they will discover the >> bug report and collaborate to make a package. 
>> >> You said you cannot build a package, well, Debian is 100% open and >> transparent, our full packaging documentation is online: >> >> https://wiki.debian.org/IntroDebianPackaging >> >> and various references are at the bottom >> >> You don't have to be a Debian Developer, anybody on the Internet can >> register with https://mentors.debian.net and upload a package they >> created: >> >> http://mentors.debian.net/ >> >> >> I don't want to do that. It doesn't seem reasonable to me. > > Can you please tell me what you mean when you say "It doesn't seem > reasonable to me"? > > Alternatively, what would be reasonable? > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users From dashohoxha at gmail.com Tue Apr 26 17:36:22 2016 From: dashohoxha at gmail.com (Dashamir Hoxha) Date: Tue, 26 Apr 2016 17:36:22 +0200 Subject: making a Debian Live CD for managing GnuPG master key and smartcards In-Reply-To: <571F89EC.7040408@pocock.pro> References: <571F1E62.30203@pocock.pro> <571F51DA.8060809@digitalbrains.com> <571F6901.5000105@sixdemonbag.org> <571F81CC.2040904@pocock.pro> <571F89EC.7040408@pocock.pro> Message-ID: On Tue, Apr 26, 2016 at 5:31 PM, Daniel Pocock wrote: > > > I don't want to do that. It doesn't seem reasonable to me. > > Can you please tell me what you mean when you say "It doesn't seem > reasonable to me"? > > Alternatively, what would be reasonable? > Somebody else reviews it and finds it useful to be built a DEB package for it. -------------- next part -------------- An HTML attachment was scrubbed... URL: From rjh at sixdemonbag.org Tue Apr 26 18:44:44 2016 
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 26 Apr 2016 12:44:44 -0400 Subject: Is there a foolproof tutorial to start with gpgme? In-Reply-To: References: Message-ID: <571F9AFC.8080602@sixdemonbag.org> > There is some ready to compile example somewhere with easy tasks like > signature checking or compiling? A while ago I wrote a brief GPGME application to iterate over keys on a keyring -- I used it to benchmark whether GPGME or piping GnuPG output to a Perl script would be faster for processing large keyrings. I've cleaned up the code, put a proper CMake build environment on it, and you can download it at: https://github.com/rjhansen/gpgme-example Please note: since CMake doesn't have a plugin (yet) to automatically detect GPGME, and since Homebrew's gpgme-config application is completely broken (seriously, it refers to paths that don't even exist on my system), certain paths are hardcoded. Open src/CMakeLists.txt and look at lines 2-7. You'll need to edit those to reflect your own system. Beyond that, it should work for you. If it doesn't, let me know! From rjh at sixdemonbag.org Tue Apr 26 19:31:15 2016 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 26 Apr 2016 13:31:15 -0400 Subject: Req: 64-bit GnuPG/GPGME for Windows Message-ID: <571FA5E3.9030009@sixdemonbag.org> How difficult would it be to get a 64-bit GnuPG and GPGME binary package built for Windows? The existing one appears to be 32-bit only, and my development environment is 64-bit only. (This is not a high-priority item. Please, no one go to any special lengths.) From brian at minton.name Tue Apr 26 19:58:55 2016 
From: brian at minton.name (Brian Minton) Date: Tue, 26 Apr 2016 17:58:55 +0000 Subject: Req: 64-bit GnuPG/GPGME for Windows In-Reply-To: <571FA5E3.9030009@sixdemonbag.org> References: <571FA5E3.9030009@sixdemonbag.org> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Does the speedo make file always build a 32 bit version? -----BEGIN PGP SIGNATURE----- iIAEAREKACghHEJyaWFuIE1pbnRvbiA8YnJpYW5AbWludG9uLm5hbWU+BQJXH6w4 AAoJEGuOs6Blz7qpzJAA/j3scwJNjftJY/sSw/ADk3YCxDaokrIaOmqqcWoNmHit AP0S3Hh70UOM56zz30eFqd68x24l+mbDMLt/62jkMSH6ng== =UKD1 -----END PGP SIGNATURE----- On Tue, Apr 26, 2016, 1:33 PM Robert J. Hansen wrote: > How difficult would it be to get a 64-bit GnuPG and GPGME binary package > built for Windows? The existing one appears to be 32-bit only, and my > development environment is 64-bit only. > > (This is not a high-priority item. Please, no one go to any special > lengths.) > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From 2014-667rhzu3dc-lists-groups at riseup.net Tue Apr 26 22:30:30 2016 
From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Tue, 26 Apr 2016 21:30:30 +0100 Subject: making a Debian Live CD for managing GnuPG master key and smartcards In-Reply-To: <571F1E62.30203@pocock.pro> References: <571F1E62.30203@pocock.pro> Message-ID: <1446307140.20160426213030@riseup.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Tuesday 26 April 2016 at 8:53:06 AM, in , Daniel Pocock wrote: > There has been some discussion on debian-devel[1] > about making a > bootable Debian Live CD specifically for GnuPG > The benefit is that everything on the CD is > self-contained, it can't be > tampered with, it can run without network support in > the kernel and the > workflow would be controlled by a script. All the > details, including > workflow, are described in a wiki[2] > I have some questions about this: > - has anybody already seen anything like this? > Nobody likes > re-inventing the wheel [0] is a How-To for creating an OpenPGP keypair for use with GnuPG on an airgapped system (using Tails) and exporting the subkeys for day-to-day use. There is a link [1] to a second guide to export the subkeys to an OpenPGP smartcard. 
[0] [1] - -- Best regards MFPA Always be on the lookout for conspicuousness -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJXH8/mXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2 QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXw12sIAIWgCSDX3Zdltj2I5f3acyQ4 XGkUJlnTgSMwdJCT2/CFiJA5FFjCFoHl8Vq9wu91fx1xTT06/SwmTtKM9nBV1FYp h49dBRhonFDiTKtaXKzpTHM3nXBcGtaDJZG4BAbGZOJXUNrck50ZSlQf9F6c+2xd sgXYkxHNd4nBbfAgG/2KgZIxnjIuNPQD3VtrMrLzOO7LYcAoFi/QCPK5F35eh4qM uVBezMec1vvqa9RqW8Vtx2OlXHwDLVj7bqvnRdfxo3UTI3oXqCe6/xKWwqZhjIOq XJifQfOSCQgis6EQoVBTg0AJIS6s7X/ez2jJUWJCysX6Cp+vEsCOfFo8g08MrBSI vgQBFgoAZgUCVx/P5l8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45LsAAQDO7QuqoZyipXNYfVIbuSsKrQXc Ko1su9gQSCXQmOfQTAD8D1ppRAz8y0k+dhLVivVfykwMXNU8VogbhlHbQbtyEg8= =OJBH -----END PGP SIGNATURE----- From robert.cavanaugh at broadcom.com Tue Apr 26 20:11:20 2016 
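The workflow MFPA's links describe (master key generated on an airgapped system, subkeys exported for day-to-day use), as an added example that is not part of the thread or of the linked guides. It uses GnuPG's --quick-* commands, which need 2.1.17 or newer, and an empty passphrase so it runs unattended; the user id, directories and passphrase are constructed for the demo, and a real master key gets a strong passphrase and stays on the offline medium.

```shell
#!/bin/sh
# Added example, not from the thread or the linked guides: create a
# certify-only master key in a throwaway home directory (standing in for the
# airgapped Live CD session), add signing/encryption/authentication subkeys,
# then export the pieces that leave the airgap separately and confirm that
# the "laptop" home only ever holds a stub of the master. Needs GnuPG 2.1.17+.
set -eu

# gpg without any pinentry interaction (empty passphrase, loopback mode).
# Demo only: a real master key is protected by a strong passphrase.
gpgb() {
    gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"
}

# Point gpg at home directory $1, creating it with safe permissions.
use_home() {
    GNUPGHOME=$1; export GNUPGHOME
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
}

# Master key with capability "cert" only and no expiry; user id is made up.
make_master_key() {
    gpgb --quick-generate-key 'Demo User <demo@example.invalid>' rsa2048 cert never 2>/dev/null
}

# Fingerprint of the first secret key in the current home.
master_fingerprint() {
    gpg --list-secret-keys --with-colons | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Day-to-day subkeys for master fingerprint $1, each limited to one year;
# the master keeps the certify capability only.
add_subkeys() {
    for usage in sign encr auth; do
        gpgb --quick-add-key "$1" rsa2048 "$usage" 1y 2>/dev/null
    done
}

# Number of secret subkeys (ssb records) in the current home.
count_secret_subkeys() {
    gpg --list-secret-keys --with-colons | grep -c '^ssb:' || true
}

# Export master fingerprint $1 into directory $2 as three files:
#   public.asc          - for keyservers and correspondents
#   master-secret.asc   - stays offline (encrypted stick, paper backup)
#   subkeys-secret.asc  - the only secret material copied to the laptop
export_split() {
    out=$2
    mkdir -p "$out"
    gpg --armor --export "$1" > "$out/public.asc"
    gpgb --armor --export-secret-keys "$1" > "$out/master-secret.asc"
    gpgb --armor --export-secret-subkeys "$1" > "$out/subkeys-secret.asc"
}

# Import subkeys file $2 into fresh home $1 (the "laptop") and report whether
# the master is present only as a stub: in --with-colons output field 15 of
# the sec record is '#' for a stub (shown as "sec#" in normal listings).
master_is_stub() {
    use_home "$1"
    gpgb --import "$2" 2>/dev/null
    gpg --list-secret-keys --with-colons \
        | awk -F: '$1 == "sec" { if ($15 == "#") print "yes"; else print "no"; exit }'
}

# Demo run: sh this.sh demo
if [ "${1:-}" = demo ]; then
    work=$(mktemp -d)
    use_home "$work/offline"
    make_master_key
    fpr=$(master_fingerprint)
    add_subkeys "$fpr"
    export_split "$fpr" "$work/export"
    echo "master $fpr, secret subkeys: $(count_secret_subkeys)"
    echo "laptop sees master as stub: $(master_is_stub "$work/laptop" "$work/export/subkeys-secret.asc")"
    for h in offline laptop; do GNUPGHOME=$work/$h gpgconf --kill gpg-agent; done
fi
```

The stub check at the end is the property the whole exercise is about: after importing subkeys-secret.asc the laptop can sign, decrypt and authenticate, but it cannot certify other keys or add subkeys, so a compromise there costs you the subkeys (revoke them from the offline master and issue new ones), not the identity.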
From: robert.cavanaugh at broadcom.com (Bob (Robert) Cavanaugh) Date: Tue, 26 Apr 2016 11:11:20 -0700 Subject: making a Debian Live CD for managing GnuPG master key and smartcards In-Reply-To: <571F51DA.8060809@digitalbrains.com> References: <571F1E62.30203@pocock.pro> <571F51DA.8060809@digitalbrains.com> Message-ID: <67a964a0-28b3-92f4-e8eb-ab2b4e0c45da@broadcom.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Peter and All, I completely agree. I think that this "project" is now outside the scope of this group and should either split off into its own group or the author should stop self-promoting. My reading of the group consensus is that this set of scripts is tolerated, not endorsed or recommended. I have seen multiple posts specifically warning against practices promulgated by this set of scripts, and while there is nothing wrong with experimenting and requesting feedback from the group, I personally feel a line is crossed when this group is used as the medium to promote a personal project. On 4/26/2016 4:32 AM, Peter Lebbing wrote: > On 26/04/16 12:52, Dashamir Hoxha wrote: >> A project similar in goals (simplifying GnuPG by automating tasks >> and emphasising best practices) is this one: >> https://github.com/dashohoxha/egpg You can find the answer to >> some of the questions above by looking at its code. > > I think you are taking the "plugging my project" approach too far. > While generating exposure is definitely a good component of making > your project successful, I think a bit more modesty is in order. If > I had a say in it: Just create your own threads (not too many > please :), don't mention your project in every thread where it has > some common ground. > > This is my personal opinion. I don't get to say what you do. But I > feel the need to express this opinion now. > > Regarding your choice of words and also modesty, the answers to > the questions are not in your code. Your /opinions/ on the matter > are in your code. 
You do not get to decide what is truth, what is > the answer. Incidentally, the answer is 42, so you're late to the > party... ;P > > I hadn't even read the following until I almost trimmed it from the > mail and it caught my eye... so ... > >> In my opinion, the first thing to be done is to build a .deb >> package for it, so that it can be installed easily on all Debian >> derived systems, then you can also use it in your special Live CD >> system. This is the task about it: >> https://github.com/dashohoxha/egpg/issues/19 > > Wait, wait, wait... I sincerely hope you're not suggesting that > the first thing Daniel Pocock and others need to do is build a .deb > package for your project, that instead you meant this to read as > "the first thing /I/ should do is build a .deb package for egpg", > so that they can play with your code. I wouldn't even agree with > the latter; but the former is just... I hope you can pick your own > adjective. > > Cheers, > > Peter. > - -- Thanks, Bob Cavanaugh -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJXH69FAAoJENFeiMzlp+pmuucIALiAgIC4l4B0F4FseQ8cO5te urPlzfPkPUYKKQT57yLuURoak1ilaco0ln8HB1IOswos5yFkQFDFLtDhJ+j07ole UjMb0h3VT/Jv3N/zAujIoZoV4kE+eNZKGFbkfMeGi6CHeXXAkTBlWtoFnXU9rwRE 2xovURzmD5dyF8Mn9s61b4QQqiR7XcDgnO0cPQxU1haJZ4NBEDNtEO1kICRTgMdd qOq0XMtvXt/jqL/Gj73fYzuyUuyqAHj4kpb4IyxKlJ8J/xANaCpGmJcusmz2RivJ CIEjRg1Ou00HXsiSV/a27yuKNf5y88OvzWpt4Z7FbVtValL9K8i02otBi048gTo= =7wRC -----END PGP SIGNATURE----- From rjh at sixdemonbag.org Tue Apr 26 22:51:37 2016 
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 26 Apr 2016 16:51:37 -0400 Subject: making a Debian Live CD for managing GnuPG master key and smartcards In-Reply-To: <67a964a0-28b3-92f4-e8eb-ab2b4e0c45da@broadcom.com> References: <571F1E62.30203@pocock.pro> <571F51DA.8060809@digitalbrains.com> <67a964a0-28b3-92f4-e8eb-ab2b4e0c45da@broadcom.com> Message-ID: <571FD4D9.90706@sixdemonbag.org> > My reading of the group > consensus is that this set of scripts is tolerated not endorsed or > recommended. Well, yeah, but let's keep in mind the GnuPG community endorses/recommends very little. Not even something like Enigmail gets an endorsement or recommendation from GnuPG. By and large, GnuPG just focuses on GnuPG, and I think that's a good policy that's served everyone well. :) > I personally feel a line is crossed when this group is used as > the medium to promote a personal project. Well, there's a little bit of a chicken-and-the-egg problem here. If new projects are told "don't evangelize here", how will they let users who might be interested in their project know it exists? Evangelization is important. I don't think we want to adopt a no-evangelization rule, but at the same time, we want to keep it within limits, too. We don't have a rule on this subject. I don't think we need one, either. But speaking just for myself, I'd advise people not promote their projects more than every other month. Six announcements a year ought to be plenty to let people know about a new project. From eric.pruitt at gmail.com Tue Apr 26 23:31:19 2016 
From: eric.pruitt at gmail.com (Eric Pruitt) Date: Tue, 26 Apr 2016 14:31:19 -0700 Subject: Querying gpg-agent configuration options Message-ID: <20160426213119.GA27769@sinister.codevat.com> Is it possible to query the configuration of a running gpg-agent? In particular, I would like to query the running agent to see what values are being used for default-cache-ttl and max-cache-ttl. I have reviewed the documentation for gpg-connect-agent and its commands but haven't found what I'm looking for. Thanks, Eric From free10pro at gmail.com Wed Apr 27 04:13:29 2016 From: free10pro at gmail.com (Paul R. Ramer) Date: Tue, 26 Apr 2016 19:13:29 -0700 Subject: Querying gpg-agent configuration options In-Reply-To: <20160426213119.GA27769@sinister.codevat.com> References: <20160426213119.GA27769@sinister.codevat.com> Message-ID: <57202049.4080305@gmail.com> On 04/26/2016 02:31 PM, Eric Pruitt wrote: > Is it possible to query the configuration of a running gpg-agent? In > particular, I would like to query the running agent to see what > values are being used for default-cache-ttl and max-cache-ttl. I have > reviewed the documentation for gpg-connect-agent and its commands but > haven't found what I'm looking for. I didn't see any indication of such a feature from the man page, but you could just look at the gpg-agent.conf file. The man page says it defaults to $GNUPGHOME/gpg-agent.conf. If you want to do this in an automated way, just parse the text file for the values that are set for the options you want to look at. Hope that helps, -Paul From eric.pruitt at gmail.com Wed Apr 27 04:20:37 2016 
From: eric.pruitt at gmail.com (Eric Pruitt)
Date: Tue, 26 Apr 2016 19:20:37 -0700
Subject: Querying gpg-agent configuration options
In-Reply-To: <57202049.4080305@gmail.com>
References: <20160426213119.GA27769@sinister.codevat.com> <57202049.4080305@gmail.com>
Message-ID: <20160427022037.GA18546@sinister.codevat.com>

On Tue, Apr 26, 2016 at 07:13:29PM -0700, Paul R. Ramer wrote:
> I didn't see any indication of such a feature from the man page, but you could just look at the gpg-agent.conf file.

It's not that simple. I would also need to account for flags passed into the application via the command line (--default-cache-ttl, etc.) which can also change the configuration file used. On top of that, the configuration file does not necessarily reflect the state of the running agent, e.g. if the configuration were modified after the agent was launched and a reload command never issued to the application, or if the configuration file was deleted. For certain desktop environments, things are further complicated -- if I recall correctly, the GNOME keyring doesn't necessarily read its configuration from the GPG home directory.

Eric

From lachlan at twopif.net Wed Apr 27 03:35:19 2016
From: lachlan at twopif.net (Lachlan Gunn)
Date: Wed, 27 Apr 2016 11:05:19 +0930
Subject: OT: Peer review (was: making a Debian Live CD for managing GnuPG master key and smartcards)
In-Reply-To: <571FD4D9.90706@sixdemonbag.org>
References: <571F1E62.30203@pocock.pro> <571F51DA.8060809@digitalbrains.com> <67a964a0-28b3-92f4-e8eb-ab2b4e0c45da@broadcom.com> <571FD4D9.90706@sixdemonbag.org>
Message-ID: <57201757.6080608@twopif.net>

> Well, there's a little bit of a chicken-and-the-egg problem here. If new projects are told "don't evangelize here", how will they let users who might be interested in their project know it exists? Evangelization is important. I don't think we want to adopt a no-evangelization rule, but at the same time, we want to keep it within limits, too.

Yep, I think this is important. I'd also suggest that actively attempting to lure potential contributors to a project from their own mailing list is a bit of a no-no as well.

A topic that someone mentioned in this thread was peer-review. Is there any venue out there for seeking third-party security review for open-source code? I don't mean anything professional, but just something Stack-Overflow-ey. A few of my projects involve crypto or some other kind of security functionality, and I feel a bit uncomfortable evangelising too much without having had someone else go over them more thoroughly than Coverity can. Here wouldn't be a good venue as they tend to range from unrelated to competing (don't judge, I just need an MIT-licenced way to check an OpenPGP signature), but given the amount of misguided security code out there, it seems like somewhere more generally-oriented might be useful. Even restricting to GnuPG itself, obviously not every one-man-band using GPG in a script can expect to come here and get a code audit.

Thanks,
Lachlan

From free10pro at gmail.com Wed Apr 27 05:29:19 2016
From: free10pro at gmail.com (Paul R. Ramer)
Date: Tue, 26 Apr 2016 20:29:19 -0700
Subject: Querying gpg-agent configuration options
In-Reply-To: <20160427022037.GA18546@sinister.codevat.com>
References: <20160426213119.GA27769@sinister.codevat.com> <57202049.4080305@gmail.com> <20160427022037.GA18546@sinister.codevat.com>
Message-ID: <5720320F.3010500@gmail.com>

On 04/26/2016 07:20 PM, Eric Pruitt wrote:
> On Tue, Apr 26, 2016 at 07:13:29PM -0700, Paul R. Ramer wrote:
>> I didn't see any indication of such a feature from the man page, but you could just look at the gpg-agent.conf file.
>
> It's not that simple. I would also need to account for flags passed into the application via the command line (--default-cache-ttl, etc.) which can also change the configuration file used. On top of that, the configuration file does not necessarily reflect the state of the running agent e.g. if the configuration were modified after the agent was launched and a reload command never issued to the application or if the configuration file was deleted. For certain desktop environments, things are further complicated -- if I recall correctly, the GNOME keyring doesn't necessarily read its configuration from the GPG home directory.

I see. I didn't think about the GNOME example. While I knew that the configuration file couldn't tell you everything about a running instance, it was the only thing I could think of. As I said earlier, the man page doesn't seem to say anything about this. Hopefully, someone else with more knowledge can give you a better answer.

-Paul

From robert.cavanaugh at broadcom.com Tue Apr 26 23:40:06 2016
From: robert.cavanaugh at broadcom.com (Bob (Robert) Cavanaugh)
Date: Tue, 26 Apr 2016 14:40:06 -0700
Subject: Evangelization discussion: Was [Re: making a Debian Live CD for managing GnuPG master key and smartcards]
In-Reply-To: <571FD4D9.90706@sixdemonbag.org>
References: <571F1E62.30203@pocock.pro> <571F51DA.8060809@digitalbrains.com> <67a964a0-28b3-92f4-e8eb-ab2b4e0c45da@broadcom.com> <571FD4D9.90706@sixdemonbag.org>
Message-ID:

New thread for this topic...

Robert,

All good points, no argument. I particularly agree regarding the frequency. By all means promote your own product if you believe in it. However, I stand by my opinion that there should be a clear demarcation between GnuPG and its official distribution opposed to applications, utilities, etc that GnuPG and its official distributed utilities. Their author(s) should not imply that their project is part of GnuPG.

I just re-checked; egpg is not listed on the gnupg.org 'Download' page. It is not even listed on the 'Frontends' tab, which I find somewhat surprising, as that should be the appropriate place to be listed?

On 4/26/2016 1:51 PM, Robert J. Hansen wrote:
>
> We don't have a rule on this subject. I don't think we need one, either. But speaking just for myself, I'd advise people not promote their projects more than every other month. Six announcements a year ought to be plenty to let people know about a new project.
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>

--
Thanks,
Bob Cavanaugh
Principal Firmware Engineer
Broadcom Limited

From peter at digitalbrains.com Wed Apr 27 11:10:04 2016
From: peter at digitalbrains.com (Peter Lebbing)
Date: Wed, 27 Apr 2016 11:10:04 +0200
Subject: Website usability issue
Message-ID: <572081EC.3020700@digitalbrains.com>

Hi all,

Using a netbook with a touchpad, Debian Jessie/stable and Iceweasel 38.7.1esr-1~deb8u1 (Debian package), I encounter an issue with the menu at the top of the website. When you hover the pointer over a menu category (Home, Donate, Download, ...) it folds down and subpages appear. However, there is a small slit between the category and the pages. If I'm not quick enough with the touchpad movement, and manage to hover over the slit while moving down, the menu folds up again just as I'm about to select a page.

At the moment, I'm having more difficulty keeping it open than not. I'm sure this depends on pointer device, acceleration settings and the amount of caffeine in the user... (none as of yet).

I'm not familiar with website development, but perhaps the slit can be made a transparent part of the menu, such that it doesn't register as "no longer hovering over the menu"?

Oh, I also use Privoxy and Ghostery. I disabled Privoxy and did a full page reload (Ctrl-Shift-R), but the problem persisted.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at

From peter at digitalbrains.com Wed Apr 27 11:31:19 2016
From: peter at digitalbrains.com (Peter Lebbing)
Date: Wed, 27 Apr 2016 11:31:19 +0200
Subject: Evangelization discussion
In-Reply-To:
References: <571F1E62.30203@pocock.pro> <571F51DA.8060809@digitalbrains.com> <67a964a0-28b3-92f4-e8eb-ab2b4e0c45da@broadcom.com> <571FD4D9.90706@sixdemonbag.org>
Message-ID: <572086E7.30702@digitalbrains.com>

On 26/04/16 23:40, Bob (Robert) Cavanaugh wrote:
> All good points, no argument. I particularly agree regarding the frequency. By all means promote your own product if you believe in it.

I also think it's a good idea if you can read about related software on this list, but I think that authors should be reluctant to promote their own stuff in other threads. With care, it can be done, though. Incidentally, the software will also need to be free software, as per the rules for FSF lists.

> However, I stand by my opinion that there should be a clear demarcation between GnuPG and its official distribution opposed to applications, utilities, etc that GnuPG and its official distributed utilities.

Yes, I think it would be better if stuff like GPGME, libassuan, libgcrypt, libgpg-error, libksba and pinentry got their own category on the website rather than being a peer to the other stuff in related software...

> Their author(s) should not imply that their project is part of GnuPG.

I can't think of an instance where this appeared to be the case, though. Then again, I know what is part of GnuPG and what not, so I might not have noticed indeed.

> I just re-checked; egpg is not listed on the gnupg.org 'Download' page. It is not even listed on the 'Frontends' tab, which I find somewhat surprising, as that should be the appropriate place to be listed?

While "related software" is a large list, I don't think it's meant to be exhaustive. I'm also not sure what the qualifications are to be considered for being added (other than being free software). I think this is done informally, on an ad-hoc basis.

My 2 cents,

Peter.
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at

From wk at gnupg.org Wed Apr 27 11:32:21 2016
From: wk at gnupg.org (Werner Koch)
Date: Wed, 27 Apr 2016 11:32:21 +0200
Subject: Querying gpg-agent configuration options
In-Reply-To: <20160426213119.GA27769@sinister.codevat.com> (Eric Pruitt's message of "Tue, 26 Apr 2016 14:31:19 -0700")
References: <20160426213119.GA27769@sinister.codevat.com>
Message-ID: <87inz3qtwa.fsf@wheatstone.g10code.de>

On Tue, 26 Apr 2016 23:31, eric.pruitt at gmail.com said:
> particular, I would like to query the running agent to see what values are being used for default-cache-ttl and max-cache-ttl. I have reviewed

You may read the options from gpg-agent.conf using:

  gpgconf --list-options gpg-agent \
    | awk -F: '$1=="default-cache-ttl" {print $0}'

which results in an output like this (line wrapped):

  default-cache-ttl:24:0:expire cached PINs after N seconds:3:3:N:600::900

Here we see that the default value used by gpg-agent is 600 seconds and the currently configured value is 900 seconds. To get only the value, change the $0 in the awk command to $10. For details see the man page of gpgconf. gpgconf also allows to change these values; gpgme has an interface for that too.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are governed by a federal law.

From wk at gnupg.org Wed Apr 27 11:45:06 2016
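As an added example for Eric's question and Werner's gpgconf answer above (this is not code from GnuPG or from anyone in the thread), the parser below reads the colon-separated records that `gpgconf --list-options gpg-agent` emits and flags cache TTLs that exceed a local policy limit. The ten-field layout (name, flags, level, description, type, alt-type, argname, default, argdef, value) and the flag bit values are taken from the gpgconf manual; the 900-second threshold and the second sample record are assumptions, and the first sample record is the line Werner quoted.

```python
"""Parse `gpgconf --list-options gpg-agent` output and audit the PIN cache TTLs.

Added example for the thread; not code from GnuPG or from any list member.
Field layout and flag bits follow the gpgconf manual. SAMPLE_OUTPUT is
constructed: record one is the line quoted by Werner, record two is made up.
"""
import subprocess
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import unquote

# Bit values of the "flags" field (field 2), per the gpgconf manual.
FLAG_GROUP = 1        # record is a group header, not an option
FLAG_RUNTIME = 8      # option may be changed at runtime (gpgconf --reload)
FLAG_DEFAULT = 16     # the "default" field carries a real default value

# Constructed sample output. Field 8 is the built-in default, field 10 the
# value currently set in gpg-agent.conf (empty when the option is not set).
SAMPLE_OUTPUT = (
    "default-cache-ttl:24:0:expire cached PINs after N seconds:3:3:N:600::900\n"
    "max-cache-ttl:24:1:set maximum PIN cache lifetime to N seconds:3:3:N:7200::\n"
)


@dataclass
class GpgconfOption:
    name: str
    flags: int
    level: int
    description: str
    type: int
    alt_type: int
    argname: str
    default: Optional[str]
    argdef: Optional[str]
    value: Optional[str]

    @property
    def runtime_changeable(self) -> bool:
        return bool(self.flags & FLAG_RUNTIME)

    @property
    def effective(self) -> Optional[str]:
        """Value in force: the configured value, else the built-in default."""
        return self.value if self.value is not None else self.default


def _decode_value(field: str) -> Optional[str]:
    """Decode a default/argdef/value field; empty means 'not set'.

    gpgconf percent-escapes these fields and prefixes string-typed values
    with a double quote, which is stripped here.
    """
    if field == "":
        return None
    text = unquote(field)
    return text[1:] if text.startswith('"') else text


def parse_gpgconf_options(text: str) -> Dict[str, GpgconfOption]:
    """Parse gpgconf --list-options output into {option name: record}."""
    options: Dict[str, GpgconfOption] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        fields += [""] * (10 - len(fields))  # tolerate trailing fields left off
        flags = int(fields[1] or 0)
        if flags & FLAG_GROUP:
            continue                          # group headers carry no value
        options[fields[0]] = GpgconfOption(
            name=fields[0], flags=flags, level=int(fields[2] or 0),
            description=unquote(fields[3]), type=int(fields[4] or 0),
            alt_type=int(fields[5] or 0), argname=fields[6],
            default=_decode_value(fields[7]), argdef=_decode_value(fields[8]),
            value=_decode_value(fields[9]),
        )
    return options


def check_cache_ttls(options: Dict[str, GpgconfOption],
                     max_seconds: int = 900) -> Dict[str, int]:
    """Return cache TTL options whose effective value exceeds max_seconds.

    The threshold is a local policy choice (assumption), not a GnuPG default.
    """
    findings: Dict[str, int] = {}
    for name in ("default-cache-ttl", "max-cache-ttl"):
        opt = options.get(name)
        if opt is None or opt.effective is None:
            continue
        seconds = int(opt.effective)
        if seconds > max_seconds:
            findings[name] = seconds
    return findings


def query_live_agent_options() -> Dict[str, GpgconfOption]:
    """Run gpgconf on this host and parse what it reports for gpg-agent."""
    out = subprocess.run(["gpgconf", "--list-options", "gpg-agent"],
                         capture_output=True, text=True, check=True).stdout
    return parse_gpgconf_options(out)


if __name__ == "__main__":
    for name, secs in check_cache_ttls(parse_gpgconf_options(SAMPLE_OUTPUT)).items():
        print(f"{name} is {secs}s, above the 900s policy limit")
```

Replace `SAMPLE_OUTPUT` with `query_live_agent_options()` to audit a real host. Note the caveat Eric raised still holds: gpgconf reports what it reads from the configuration file, so an agent started with command-line overrides, or one never reloaded after the file changed, can be running with different values than this parser reports.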
From: wk at gnupg.org (Werner Koch)
Date: Wed, 27 Apr 2016 11:45:06 +0200
Subject: Req: 64-bit GnuPG/GPGME for Windows
In-Reply-To: <571FA5E3.9030009@sixdemonbag.org> (Robert J. Hansen's message of "Tue, 26 Apr 2016 13:31:15 -0400")
References: <571FA5E3.9030009@sixdemonbag.org>
Message-ID: <87eg9rqtb1.fsf@wheatstone.g10code.de>

On Tue, 26 Apr 2016 19:31, rjh at sixdemonbag.org said:
> How difficult would it be to get a 64-bit GnuPG and GPGME binary package built for Windows? The existing one appears to be 32-bit only, and my development environment is 64-bit only.

I can't see a real reason for not using the 32 bit GnuPG version, thus working on a 64 bit version has a low priority.

The pending task for GnuPG is to consolidate the OS objects used to access files, pipes, and sockets. In the 32 bit version our hacks to detect the type of the objects work reasonably well, but they won't work with 64 bit because sizeof(int) < sizeof(void*). We make extensive use of converting pointers (Windows' "HANDLE") to "int" and vice versa - this can't work on 64-bit. There are some other problems as well. The planned solution is to use a new kind of object to wrap all those different OS objects. The use of the estream interface (e.g. es_printf) from libgpg-error is a first step in this direction and will eventually be extended to provide such a wrapper interface.

For GPGME there is clearly a need for 64 bit compatibility. It is already possible to build GPGME for 64 bit but certain features do not yet work; using OpenPGP (gpg) should work.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are governed by a federal law.

From wk at gnupg.org Wed Apr 27 11:53:41 2016
From: wk at gnupg.org (Werner Koch)
Date: Wed, 27 Apr 2016 11:53:41 +0200
Subject: making a Debian Live CD for managing GnuPG master key and smartcards
In-Reply-To: <571FD4D9.90706@sixdemonbag.org> (Robert J. Hansen's message of "Tue, 26 Apr 2016 16:51:37 -0400")
References: <571F1E62.30203@pocock.pro> <571F51DA.8060809@digitalbrains.com> <67a964a0-28b3-92f4-e8eb-ab2b4e0c45da@broadcom.com> <571FD4D9.90706@sixdemonbag.org>
Message-ID: <87a8kfqswq.fsf@wheatstone.g10code.de>

On Tue, 26 Apr 2016 22:51, rjh at sixdemonbag.org said:
> Well, there's a little bit of a chicken-and-the-egg problem here. If new projects are told "don't evangelize here", how will they let users who might be interested in their project know it exists? Evangelization

For me it is okay to do that from time to time, but they shall not take over a thread. Many of us do not have the time to follow each thread and thus the subject should be on topic.

And while I am talking about the netiquette: Pretty please trim your quotes and do not top-post.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are governed by a federal law.

From paolo.bolzoni.brown at gmail.com Wed Apr 27 12:00:08 2016
From: paolo.bolzoni.brown at gmail.com (Paolo Bolzoni)
Date: Wed, 27 Apr 2016 12:00:08 +0200
Subject: making a Debian Live CD for managing GnuPG master key and smartcards
In-Reply-To: <87a8kfqswq.fsf@wheatstone.g10code.de>
References: <571F1E62.30203@pocock.pro> <571F51DA.8060809@digitalbrains.com> <67a964a0-28b3-92f4-e8eb-ab2b4e0c45da@broadcom.com> <571FD4D9.90706@sixdemonbag.org> <87a8kfqswq.fsf@wheatstone.g10code.de>
Message-ID:

Since the thread is already quite lost I chip in with a question. What is the matter with top posting? Is my client that is weird showing the text from the beginning, where what I want to read is? Top posting sounds even more ad-hoc than bottom posting where you have to scroll down to find what you want to read...

From peter at digitalbrains.com Wed Apr 27 12:04:26 2016
From: peter at digitalbrains.com (Peter Lebbing)
Date: Wed, 27 Apr 2016 12:04:26 +0200
Subject: (OT) Netiquette
In-Reply-To: <87a8kfqswq.fsf@wheatstone.g10code.de>
References: <571F1E62.30203@pocock.pro> <571F51DA.8060809@digitalbrains.com> <67a964a0-28b3-92f4-e8eb-ab2b4e0c45da@broadcom.com> <571FD4D9.90706@sixdemonbag.org> <87a8kfqswq.fsf@wheatstone.g10code.de>
Message-ID: <57208EAA.8010108@digitalbrains.com>

On 27/04/16 11:53, Werner Koch wrote:
> For me it is okay to do that from time to time, but they shall not take over a thread. Many of us do not have the time to follow each thread and thus the subject should be on topic.

Right, I should have changed the Subject:-line on my first reply here, since it was clearly not about the Live CD anymore... my apologies...

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at

From flapflap at riseup.net Wed Apr 27 13:35:17 2016
From: flapflap at riseup.net (flapflap)
Date: Wed, 27 Apr 2016 11:35:17 +0000
Subject: making a Debian Live CD for managing GnuPG master key and smartcards
In-Reply-To: <1446307140.20160426213030@riseup.net>
References: <571F1E62.30203@pocock.pro> <1446307140.20160426213030@riseup.net>
Message-ID: <5720A3F5.9000600@riseup.net>

MFPA:
> [0] is a How-To for creating an OpenPGP keypair for use with GnuPG on an airgapped system (using Tails) and exporting the subkeys for day-to-day use. There is a link [1] to a second guide to export the subkeys to an OpenPGP smartcard.

I was also about to suggest Tails, so thanks for doing that for me :)

Daniel Pocock:
> The benefit is that everything on the CD is self-contained, it can't be tampered with, it can run without network support in the kernel and the workflow would be controlled by a script. All the details, including workflow, are described in a wiki[2]

Tails can be instructed in the Tails Greeter to disable all network access [0]. As far as I understand it, Tails unconditionally blacklists the drivers of all network devices [1]. If network access is enabled in the Greeter, the blacklist is deleted [2] and the related services are restarted; if network access is not enabled, the blacklist stays in place.

Yet, Tails might not be what you want because you have a different usage pattern and threat model in mind. For instance Tails ships non-free software (and isn't happy about that) but needs to balance with the possibility to run on almost every device a non-technical savvy user wants it to boot from (which might not be the case for your use case).
[0] https://tails.boum.org/doc/first_steps/startup_options/offline_mode/index.en.html
[1] https://git-tails.immerda.ch/tails/tree/config/chroot_local-hooks/80-block-network?id=744ad738707e2527f694bdbe12463ddbdb76ddf0
[2] https://git-tails.immerda.ch/tails/tree/config/chroot_local-includes/usr/local/lib/tails-unblock-network?id=744ad738707e2527f694bdbe12463ddbdb76ddf0

From worzel at gmx.co.uk Wed Apr 27 13:47:32 2016
From: worzel at gmx.co.uk (Ian Prideaux)
Date: Wed, 27 Apr 2016 12:47:32 +0100
Subject: Import a pkcs12 certificate chain
In-Reply-To: <234edccf-5749-da68-c91d-7171b805e82c@incenp.org>
References: <571F636C.6070504@gmx.co.uk> <234edccf-5749-da68-c91d-7171b805e82c@incenp.org>
Message-ID: <5720A6D4.8050301@gmx.co.uk>

On 26/04/16 15:09, Damien Goutte-Gattat wrote:
> On 04/26/2016 02:47 PM, Ian Prideaux wrote:
>> The Symantec command is: pgp --new-passphrase newpp --passphrase oldpp --import CertificateChain.p12
>>
>> However, I can't figure out what the gpg2 command is, or even if gnupg is capable of this.
>
> I am not sure I understand your workflow and what you want to achieve exactly.
>

No, I'm not sure either. This is a system that I've inherited, with no documentation :-( Every other third party uses keypairs that are generated by the pgp --gen-key command. I don't understand what is gained by using a keypair which is generated from a certificate chain.

> But, as a starting point, you must know that the gpg2 program only deals with OpenPGP keys and messages. To manipulate X.509 certificates, you need gpgsm (another component of the GnuPG project) instead.
>
> Presumably, the command you need should be
>
> $ gpgsm --import CertificateChain.p12
>
> to import the certificate and key from the PKCS#12 file into your keyring. Then you would probably use the --export command to export back the certificate only and send it to your third party.
>

Yes that works. However I'm having trouble exporting the old certificate-generated-keys from symantec. gpg2 uses the same keyring format as symantec, so I can just copy and rename the keyring files. gpgsm uses its own keyring format, and doesn't interoperate with gpg2. I'd have to write code specifically to deal with that one customer.

From daniel at pocock.pro Wed Apr 27 14:58:40 2016
From: daniel at pocock.pro (Daniel Pocock)
Date: Wed, 27 Apr 2016 14:58:40 +0200
Subject: making a Debian Live CD for managing GnuPG master key and smartcards
In-Reply-To: <87a8kfqswq.fsf@wheatstone.g10code.de>
References: <571F1E62.30203@pocock.pro> <571F51DA.8060809@digitalbrains.com> <67a964a0-28b3-92f4-e8eb-ab2b4e0c45da@broadcom.com> <571FD4D9.90706@sixdemonbag.org> <87a8kfqswq.fsf@wheatstone.g10code.de>
Message-ID: <5720B780.7050702@pocock.pro>

On 27/04/16 11:53, Werner Koch wrote:
> On Tue, 26 Apr 2016 22:51, rjh at sixdemonbag.org said:
>
>> Well, there's a little bit of a chicken-and-the-egg problem here. If new projects are told "don't evangelize here", how will they let users who might be interested in their project know it exists? Evangelization
>
> For me it is okay to do that from time to time, but they shall not take over a thread. Many of us do not have the time to follow each thread and thus the subject should be on topic.
>

Back to the original topic then, does anybody else have any feedback on the questions I raised?

- can we call all the necessary GnuPG commands[1] from a script without the user interacting directly with GnuPG, using "--batch" / unattended operation? The sequence of commands involved would be similar to this blog[3]

- what would be the preferred way for the GUI to obtain and keep the master key passphrase without prompting the user to re-enter it for every operation?

- would anybody else like to suggest improvements to the workflow?

1. https://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard/

From peter at digitalbrains.com Wed Apr 27 15:39:39 2016
From: peter at digitalbrains.com (Peter Lebbing)
Date: Wed, 27 Apr 2016 15:39:39 +0200
Subject: making a Debian Live CD for managing GnuPG master key and smartcards
In-Reply-To: <571F1E62.30203@pocock.pro>
References: <571F1E62.30203@pocock.pro>
Message-ID: <5720C11B.2000909@digitalbrains.com>

On 26/04/16 09:53, Daniel Pocock wrote:
> There has been some discussion on debian-devel[1] about making a bootable Debian Live CD specifically for GnuPG

I think this is interesting, and I would probably use it. But I'm just doing it out of interest, not because I have particular security needs (other than protect my network and the hosts on it from network-based hackers).

> - has anybody already seen anything like this? Nobody likes re-inventing the wheel

I'm not personally familiar with them, and I see Tails is even mentioned on the wiki, so you're already aware of it.

> - can we call all the necessary GnuPG commands from a script without the user interacting directly with GnuPG, using "--batch" / unattended operation? The sequence of commands involved would be similar to this blog[3]

A bunch of stuff can be sanely scripted, but unfortunately there are also cases where this can lead to a very suboptimal or kludgy solution and GPGME would be the better way to go.

I notice in the blog this person used GnuPG 1.4.x. I don't know why he does that; I would recommend GnuPG 2.0.x. GnuPG 2.1 introduces some more commands and features that are well suited to scripting, but I think it could well be too new for a Debian Live CD. You mgi

In fact, you mention ECC keys on the wiki. GnuPG 1.4 does not and will never support ECC keys. Incidentally, when you use GnuPG 2.x, you can drop the 'use-agent' statement from the configuration file which is a 1.4 thing: 2.x always uses the agent.

> - what would be the preferred way for the GUI to obtain and keep the master key passphrase without prompting the user to re-enter it for every operation?
I am of the strong opinion that this should be left to the default GnuPG mechanism: the agent, combined with a (stock) pinentry. The agent will remember passphrases for 10 minutes by default, but it is configurable (not to an unlimited number, but there is some number like INT_MAX or similar to emulate it). The pinentry is responsible for securely querying the user and the agent for securely keeping the secret in memory. They have been expressly designed with this purpose. In your specific use case, with swap and network disabled, I suppose it would matter less, but if you find agent and pinentry unsatisfactory, perhaps the correct course would be to discuss improvements to them rather than spin your own solution.

> - would anybody else like to suggest improvements to the workflow?

I have some suggestions.

You state that a smartcard reader with dedicated PIN-pad protects from keyloggers. While there is some truth to it, it is not a panacea. The firmware of the reader should not have a security issue where it accepts rogue firmware updates, for instance. Or you could turn on the microphone and listen for the cadence of the keypresses, or pop up a message to the user saying that the PIN-pad of the particular reader is not supported and request them to type on the regular keyboard. The latter could take the form of a downgrade attack, where the malware strips the part of the USB configuration descriptor describing the PIN-pad support. In fact, I think this is the most low-tech solution that would work pretty well in practice, so I'm putting my money on this "solution". It works equally well with a hardware dongle hidden in the connector of the smartcard reader, like a hardware keylogger in the keyboard cable.

You save the private keys to flash storage. I'd like an option to use writable optical storage. It's cheaper (per storage unit), you can refresh it every so often for a low price (completely disintegrating the old disc and throwing it out).
Additionally, I think paperkey[1] would make an excellent addition to the software installed. Although I heard that a 4096-bit RSA key[2] would take a lot of typing if it didn't scan with OCR. Oh, a good OCR-font for printing, also good to include. Anyway, I considered a 2048-bit RSA key quite typable in an emergency; I have paper backups of my master and my encryption keys. The signature key is unneeded as you can just create a new one when you lose it.

I'd recommend a reading of the questions in the GnuPG FAQ[3], and checking whether any apply to your project. Thought, discussion and consensus have gone into the drafting of the FAQ; it is a valuable source of information.

I'd suggest to support only OpenPGP smartcards, not PKCS #11 tokens. The latter requires a lot of tinkering to get to work, and to make it into a Live CD that runs on a fair multitude of systems? I think it would be difficult, and the cost/benefit tradeoff seems bad. OpenPGP compatible cards are not expensive. They were designed to offer a good alternative to PKCS #11 in the first place.

Regarding expiry periods, I think they are too soon. I think the main feature of expiry is to eventually disable a key to which the private part has been lost. The purpose of this is to ease the selection process when fetching a key from the keyservers. I consider several years to be sufficient for this purpose, and subkeys need not expire sooner than master keys.

Finally, I'll finish with how I've done it myself:

- I burned a generic Linux Live CD; I'm fairly sure it was Knoppix.
- I removed the cables from any hard disks and unplugged everything that was not needed, especially network cables. I didn't have any wireless communication in the system, otherwise it would have been removed if possible. I didn't remove any expansion cards.
- I booted the Live CD, and created RSA keys with GnuPG.
- I burned the private keys to a DVD-R, passwordless.
- I printed a paperkey backup, passwordless.
  I don't have a revocation certificate as I can revoke the key with the private key material, which I intend not to lose. It was a personal choice, it is not a recommendation.
- I transferred the keys to smartcards. I use a setup with a smartcard holding the master key and another two holding (identical) signature and encryption keys. One of those two also has an auth subkey. Unfortunately, the multi-smartcard solution requires packet surgery on the private key files to work in GnuPG 1.4 and 2.0: otherwise it will only ever accept either the master key one or a subkey one, but never both.
- I deleted all private key material.
- I inserted a USB stick, mounted it, and copied the public keys to it.
- I turned the PC off.

It was a few years ago, I might have a mistake in the details.

The DVD-R and the printout are stored in a secure location. I decided that I didn't want to forget the passphrase to them and that a very simple password would not offer any real security, so I'm depending on the physical security of the storage. By now, I'm used to using a password manager, and I think I would never forget the password I currently use for that (difficulty: you've already memorized it, per XKCD[4]), so I might use that instead.

I hope this will be of use to you. I don't have any experience with a situation where I depended on the security of it all, nor experience with the other side of the equation, trying to break someone else's security. I'm just a hobbyist. But a lot of thought has gone into it, and I vied to keep the thought process academical and well-funded, and not based on gut feeling. No warranties though...

Thanks for your efforts! I appreciate them; Debian in general and this Live CD in particular.

HTH,

Peter.

[1] http://www.jabberwocky.com/software/paperkey/
[2] I'm not going to debate recommended key lengths. But please be aware that the GnuPG FAQ[3] has a section about it.
[3] https://gnupg.org/faq/gnupg-faq.html
[4] http://xkcd.com/936/

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at

From peter at digitalbrains.com Wed Apr 27 15:44:51 2016
From: peter at digitalbrains.com (Peter Lebbing)
Date: Wed, 27 Apr 2016 15:44:51 +0200
Subject: (OT) Ignoring a subthread
In-Reply-To: <5720B780.7050702@pocock.pro>
References: <571F1E62.30203@pocock.pro> <571F51DA.8060809@digitalbrains.com> <67a964a0-28b3-92f4-e8eb-ab2b4e0c45da@broadcom.com> <571FD4D9.90706@sixdemonbag.org> <87a8kfqswq.fsf@wheatstone.g10code.de> <5720B780.7050702@pocock.pro>
Message-ID: <5720C253.9020802@digitalbrains.com>

On 27/04/16 14:58, Daniel Pocock wrote:
> Back to the original topic then, does anybody else have any feedback on the questions I raised?

If we keep the proper discussion out of this particular subtree of the topic, some mail readers actually offer the possibility to ignore the subtree. With Icedove, I could click right on a parent post, and select "Ignore Subthread", and I would never be notified of any discussion here.[1]

I spent some time writing up an on-topic response and posted it as a child of the Original Post.

Peter.

[1] (Note the hypothetical)

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at

From peter at digitalbrains.com Wed Apr 27 15:55:04 2016
From: peter at digitalbrains.com (Peter Lebbing)
Date: Wed, 27 Apr 2016 15:55:04 +0200
Subject: making a Debian Live CD for managing GnuPG master key and smartcards
In-Reply-To: <5720C11B.2000909@digitalbrains.com>
References: <571F1E62.30203@pocock.pro> <5720C11B.2000909@digitalbrains.com>
Message-ID: <5720C4B8.5050908@digitalbrains.com>

On 27/04/16 15:39, Peter Lebbing wrote:
> could well be too new for a Debian Live CD. You mgi

Ouch. After I had accidentally deleted my footnotes along with unused quote, I did a whole bunch of "Undo", then copy the footnotes, then "Redo" again. However, it is clear I didn't "Redo" enough. I sure hope this is all that is lost :'(. It was supposed to say:

> You might want to ask Werner Koch what his stance on this is.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at

From rjh at sixdemonbag.org Wed Apr 27 17:41:37 2016
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 27 Apr 2016 11:41:37 -0400
Subject: Req: 64-bit GnuPG/GPGME for Windows
In-Reply-To: <87eg9rqtb1.fsf@wheatstone.g10code.de>
References: <571FA5E3.9030009@sixdemonbag.org> <87eg9rqtb1.fsf@wheatstone.g10code.de>
Message-ID: <5720DDB1.3010306@sixdemonbag.org>

> I can't see a real reason for not using the 32 bit GnuPG version, thus working on a 64 bit version has a low priority.

Besides my contract requiring 64-bit deliverables? :)

A 32-bit GnuPG standalone executable is okay, but my code needs to be 64-bit, which means a 64-bit GPGME DLL.

From rjh at sixdemonbag.org Wed Apr 27 17:48:23 2016
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 27 Apr 2016 11:48:23 -0400
Subject: Top-posting (was: Re: making a Debian...)
In-Reply-To:
References: <571F1E62.30203@pocock.pro> <571F51DA.8060809@digitalbrains.com> <67a964a0-28b3-92f4-e8eb-ab2b4e0c45da@broadcom.com> <571FD4D9.90706@sixdemonbag.org> <87a8kfqswq.fsf@wheatstone.g10code.de>
Message-ID: <5720DF47.9040201@sixdemonbag.org>

> What is the matter with top posting?

A: Yes. Just not top-posting.
Q: Are both allowed here?

A: Quote a few lines, write your response to those few lines, quote a few lines, write your response, and so on. This is called inline-posting.
Q: What if it's a long message?

A: Quote as much of the material as you need for context, place it at the top of the message, and write your response beneath it. This is called bottom-posting.
Q: So what should I do instead?

A: Normally the stuff preceding text is relevant to what comes after it. When you top-post, the following text is relevant to what precedes it. It's reversed.
Q: What do you mean?

A: It reverses the usual flow of reading.
Q: What's the problem with top-posting?

From andrewg at andrewg.com Wed Apr 27 17:53:28 2016
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Wed, 27 Apr 2016 16:53:28 +0100
Subject: Top-posting
In-Reply-To: <5720DF47.9040201@sixdemonbag.org>
References: <571F1E62.30203@pocock.pro> <571F51DA.8060809@digitalbrains.com> <67a964a0-28b3-92f4-e8eb-ab2b4e0c45da@broadcom.com> <571FD4D9.90706@sixdemonbag.org> <87a8kfqswq.fsf@wheatstone.g10code.de> <5720DF47.9040201@sixdemonbag.org>
Message-ID: <5720E078.8030005@andrewg.com>

On 27/04/16 16:48, Robert J. Hansen wrote:
>> What is the matter with top posting?
> 
> A: Yes. Just not top-posting.
> Q: Are both allowed here?
> 
> A: Quote a few lines, write your response to those few lines, quote a
> few lines, write your response, and so on. This is called inline-posting.
> Q: What if it's a long message?
> 
> A: Quote as much of the material as you need for context, place it at
> the top of the message, and write your response beneath it. This is
> called bottom-posting.
> Q: So what should I do instead?
> 
> A: Normally the stuff preceding text is relevant to what comes after it.
> When you top-post, the following text is relevant to what precedes it.
> It's reversed.
> Q: What do you mean?
> 
> A: It reverses the usual flow of reading.
> Q: What's the problem with top-posting?

I am SO going to shamelessly steal this.

A

From eric.pruitt at gmail.com Wed Apr 27 18:02:41 2016
From: eric.pruitt at gmail.com (Eric Pruitt)
Date: Wed, 27 Apr 2016 09:02:41 -0700
Subject: Querying gpg-agent configuration options
In-Reply-To: <87inz3qtwa.fsf@wheatstone.g10code.de>
References: <20160426213119.GA27769@sinister.codevat.com> <87inz3qtwa.fsf@wheatstone.g10code.de>
Message-ID: <20160427160241.GA7445@sinister.codevat.com>

On Wed, Apr 27, 2016 at 11:32:21AM +0200, Werner Koch wrote:
> You may read the options from gpg-agent.conf using:
> 
>   gpgconf --list-options gpg-agent \
>     | awk -F: '$1=="default-cache-ttl" {print $0}'
> 
> which results in an output like this (line wrapped):
> 
>   default-cache-ttl:24:0:expire cached PINs
>   after N seconds:3:3:N:600::900
> 
> Here we see that the default value used by gpg-agent is 600 seconds and
> the currently configured value is 900 seconds. To get only the value,
> change the $0 in the awk command to $10. For details see the man page
> of gpgconf. gpgconf also allows to change these values; gpgme has an
> interface for that too.

Per the other messages in this thread and the original post, I want to query the options from the gpg-agent directly. Based on some experimentation with the configuration files and strace, gpgconf doesn't query the information from gpg-agent, it parses the configuration files, which is not what I need. Am I missing something? If it matters, the version of gpgconf / GPG I'm using is 2.0.14.

Thanks,
Eric

From daniel at pocock.pro Wed Apr 27 22:22:51 2016
From: daniel at pocock.pro (Daniel Pocock)
Date: Wed, 27 Apr 2016 22:22:51 +0200
Subject: making a Debian Live CD for managing GnuPG master key and smartcards
In-Reply-To: <5720C11B.2000909@digitalbrains.com>
References: <571F1E62.30203@pocock.pro> <5720C11B.2000909@digitalbrains.com>
Message-ID: <57211F9B.5050209@pocock.pro>

On 27/04/16 15:39, Peter Lebbing wrote:
> On 26/04/16 09:53, Daniel Pocock wrote:
>> There has been some discussion on debian-devel[1] about making a
>> bootable Debian Live CD specifically for GnuPG
> 
> I think this is interesting, and I would probably use it. But I'm just
> doing it out of interest, not because I have particular security needs
> (other than protect my network and the hosts on it from network-based
> hackers).
> 
>> - has anybody already seen anything like this? Nobody likes
>> re-inventing the wheel
> 
> I'm not personally familiar with them, and I see Tails is even mentioned
> on the wiki, so you're already aware of it.
> 
>> - can we call all the necessary GnuPG commands from a script without the
>> user interacting directly with GnuPG, using "--batch" / unattended
>> operation? The sequence of commands involved would be similar to this
>> blog[3]
> 
> A bunch of stuff can be sanely scripted, but unfortunately there are
> also cases where this can lead to a very suboptimal or kludgy solution
> and GPGME would be the better way to go.
> 
> I notice in the blog this person used GnuPG 1.4.x. I don't know why he
> does that; I would recommend GnuPG 2.0.x. GnuPG 2.1 introduces some more
> commands and features that are well suited to scripting, but I think it
> could well be too new for a Debian Live CD. You mgi
> 

Debian jessie (stable) has 2.0. 2.1.x is in testing and could potentially go to backports if it is necessary to use it.

https://packages.qa.debian.org/g/gnupg2.html

> In fact, you mention ECC keys on the wiki. GnuPG 1.4 does not and will
> never support ECC keys.
> 
> Incidentally, when you use GnuPG 2.x, you can drop the 'use-agent'
> statement from the configuration file which is a 1.4 thing: 2.x always
> uses the agent.
> 

Thanks for pointing that out, removed from the wiki. You are very welcome to sign up for a wiki account too if you would like to tweak it directly.

>> - what would be the preferred way for the GUI to obtain and keep the
>> master key passphrase without prompting the user to re-enter it for
>> every operation?
> 
> I am of the strong opinion that this should be left to the default GnuPG
> mechanism: the agent, combined with a (stock) pinentry. The agent will
> remember passphrases for 10 minutes by default, but it is configurable
> (not to an unlimited number, but there is some number like INT_MAX or
> similar to emulate it).
> 
> The pinentry is responsible for securely querying the user and the agent
> for securely keeping the secret in memory. They have been expressly
> designed with this purpose. In your specific use case, with swap and
> network disabled, I suppose it would matter less, but if you find agent
> and pinentry unsatisfactory, perhaps the correct course would be to
> discuss improvements to them rather than spin your own solution.
> 

So far there has been discussion about using text-based UIs such as whiptail (shell scripting) or Urwid (Python). Can anybody point me to an example of using pinentry with either of those? Or will it just work on the basic black and white console?

>> - would anybody else like to suggest improvements to the workflow?
> 
> I have some suggestions.
> 
> You state that a smartcard reader with dedicated PIN-pad protects from
> keyloggers. While there is some truth to it, it is not a panacea. The
> firmware of the reader should not have a security issue where it accepts
> rogue firmware updates, for instance.
> Or you could turn on the
> microphone and listen for the cadence of the keypresses, or pop up a
> message to the user saying that the PIN-pad of the particular reader is
> not supported and request them to type on the regular keyboard. The
> latter could take the form of a downgrade attack, where the malware
> strips the part of the USB configuration descriptor describing the
> PIN-pad support. In fact, I think this is the most low-tech solution
> that would work pretty well in practice, so I'm putting my money on this
> "solution". It works equally well with a hardware dongle hidden in the
> connector of the smartcard reader, like a hardware keylogger in the
> keyboard cable.
> 
> You save the private keys to flash storage. I'd like an option to use
> writable optical storage. It's cheaper (per storage unit), you can
> refresh it every so often for a low price (completely disintegrating the
> old disc and throwing it out).
> 
> Additionally, I think paperkey[1] would make an excellent addition to
> the software installed. Although I heard that a 4096-bit RSA key[2]
> would take a lot of typing if it didn't scan with OCR. Oh, a good
> OCR-font for printing, also good to include. Anyway, I considered a
> 2048-bit RSA key quite typable in an emergency; I have paper backups of
> my master and my encryption keys. The signature key is unneeded as you
> can just create a new one when you lose it.
> 

paperkey is already listed in the wiki and printing is mentioned, it should have been in the workflow too, now it is added there.

> I'd recommend a reading of the questions in the GnuPG FAQ[3], and
> checking whether any apply to your project. Thought, discussion and
> consensus have gone into the drafting of the FAQ, it is a valuable
> source of information.
> 
> I'd suggest to support only OpenPGP smartcards, not PKCS #11 tokens. The
> latter requires a lot of tinkering to get to work, and to make it into a
> Live CD that runs on a fair multitude of systems?
> I think it would be
> difficult, and the cost/benefit tradeoff seems bad. OpenPGP compatible
> cards are not expensive. They were designed to offer a good alternative
> to PKCS #11 in the first place.
> 

This was raised on another list. I would potentially start with OpenPGP cards and then anybody keen on PKCS#11 could add support for that later.

> Regarding expiry periods, I think they are too soon. I think the main
> feature of expiry is to eventually disable a key to which the private
> part has been lost. The purpose of this is to ease the selection process
> when fetching a key from the keyservers. I consider several years to be
> sufficient for this purpose, and subkeys need not expire sooner than
> master keys.

Some people actually want shorter expiry, every 1 - 3 months, although I am not advocating that so far. One goal of making this simple with a Live CD is that people can regularly boot into it and extend their expiry without having to think about the commands to execute.

> 
> Finally, I'll finish with how I've done it myself:
> 
> - I burned a generic Linux Live CD; I'm fairly sure it was Knoppix.

Did this have all the necessary things (GnuPG 2.x, paperkey, smartcard support) in the image?

> - I removed the cables from any hard disks and unplugged everything that
> was not needed, especially network cables. I didn't have any wireless
> communication in the system, otherwise it would have been removed if
> possible. I didn't remove any expansion cards.
> - I booted the Live CD, and created RSA keys with GnuPG.
> - I burned the private keys to a DVD-R, passwordless.
> - I printed a paperkey backup, passwordless. I don't have a revocation
> certificate as I can revoke the key with the private key material, which
> I intend not to lose. It was a personal choice, it is not a recommendation.
> - I transferred the keys to smartcards. I use a setup with a smartcard
> holding the master key and another two holding (identical) signature and
> encryption keys.
> One of those two also has an auth subkey.
> Unfortunately, the multi-smartcard solution requires packet surgery on
> the private key files to work in GnuPG 1.4 and 2.0: otherwise it will
> only ever accept either the master key one or a subkey one, but never both.
> - I deleted all private key material.
> - I inserted a USB stick, mounted it, and copied the public keys to it.
> - I turned the PC off.
> 
> It was a few years ago, I might have a mistake in the details. The DVD-R
> and the printout are stored in a secure location. I decided that I
> didn't want to forget the passphrase to them and that a very simple
> password would not offer any real security, so I'm depending on the
> physical security of the storage. By now, I'm used to using a password
> manager, and I think I would never forget the password I currently use
> for that (difficulty: you've already memorized it, per XKCD[4]), so I
> might use that instead.
> 
> I hope this will be of use to you. I don't have any experience with a
> situation where I depended on the security of it all, nor experience
> with the other side of the equation, trying to break someone else's
> security. I'm just a hobbyist. But a lot of thought has gone into it,
> and I vied to keep the thought process academical and well-funded, and
> not based on gut feeling. No warranties though...
> 
> Thanks for your efforts! I appreciate them; Debian in general and this
> Live CD in particular.
> 

Thanks for sharing your own experience with this. I hope that this effort will evolve to capture the best bits of everybody's experience.

Regards,

Daniel

From idmsdba at nycap.rr.com Thu Apr 28 00:16:21 2016
From: idmsdba at nycap.rr.com (Michael A. Yetto)
Date: Wed, 27 Apr 2016 18:16:21 -0400
Subject: Top-posting
In-Reply-To: <5720E078.8030005@andrewg.com>
References: <571F1E62.30203@pocock.pro> <571F51DA.8060809@digitalbrains.com> <67a964a0-28b3-92f4-e8eb-ab2b4e0c45da@broadcom.com> <571FD4D9.90706@sixdemonbag.org> <87a8kfqswq.fsf@wheatstone.g10code.de> <5720DF47.9040201@sixdemonbag.org> <5720E078.8030005@andrewg.com>
Message-ID: <20160427181621.213e21f4@braetac.lighthouse.yetnet>

On Wed, 27 Apr 2016 16:53:28 +0100 Andrew Gallagher wrote:

>On 27/04/16 16:48, Robert J. Hansen wrote:
>>> What is the matter with top posting?
>> 
>> A: Yes. Just not top-posting.
>> Q: Are both allowed here?
>> 
>> A: Quote a few lines, write your response to those few lines,
>> quote a few lines, write your response, and so on. This is
>> called inline-posting.
>> Q: What if it's a long message?
>> 
>> A: Quote as much of the material as you need for context,
>> place it at the top of the message, and write your response
>> beneath it. This is called bottom-posting.
>> Q: So what should I do instead?
>> 
>> A: Normally the stuff preceding text is relevant to what
>> comes after it. When you top-post, the following text is
>> relevant to what precedes it. It's reversed.
>> Q: What do you mean?
>> 
>> A: It reverses the usual flow of reading.
>> Q: What's the problem with top-posting?
> 
>I am SO going to shamelessly steal this.
> 

Everyone is going to steal this. It should probably be released under a Creative Commons license.

Mike Yetto
-- 
"The only good part of April Fool's Day is that it shows people what it's like to be a skeptic the rest of the year." - Phil Plait

From ricul77 at gmail.com Wed Apr 27 23:02:18 2016
From: ricul77 at gmail.com (Richard Ulrich)
Date: Wed, 27 Apr 2016 23:02:18 +0200
Subject: gpg and smartcard on ubuntu 16.04
Message-ID: <1461790938.5458.19.camel@gmail.com>

I didn't read this list for a while, so forgive me if this was discussed before.

For many years I have used gpg and gpg-agent with ssh support with an OpenPGP smartcard. On every ubuntu upgrade I had to fiddle a little bit to have gpg-agent act for ssh auth. No big deal usually. But this time, after the usual fiddling, I have it working nicely for ssh and evolution. But now it's the direct usage of gpg on the command line that is giving me a hard time. This aspect always worked out of the box so far.

I use the stock versions from the ubuntu 16.04 repository:
gnupg 1.4.20-1ubuntu3
gnupg2 2.1.11-6ubuntu2
gnupg-agent 2.1.11-6ubuntu2
scdaemon 2.1.11-6ubuntu2

In ~/.bashrc I terminate gpg-agent if it was started without ssh support, and start it again with:
/usr/bin/gpg-agent --daemon --enable-ssh-support > /dev/null

Now if I want to decrypt a file:

gpg -d Dokumente/somefile.txt.gpg
gpg: Anonymer Empfänger; Versuch mit geheimem Schlüssel 0AAAAAAA …
gpg: pcsc_list_readers failed: unknown PC/SC error code (0x8010002e)
gpg: Kartenleser ist nicht vorhanden

gpg --use-agent -d Dokumente/somefile.txt.gpg
gpg: Anonymer Empfänger; Versuch mit geheimem Schlüssel 0AAAAAAA …
gpg: pcsc_list_readers failed: unknown PC/SC error code (0x8010002e)
gpg: Kartenleser ist nicht vorhanden

gpg2 -d Dokumente/somefile.txt.gpg
gpg: verschlüsselt mit RSA Schlüssel, ID 00000000
gpg: Entschlüsselung fehlgeschlagen: Kein geheimer Schlüssel

gpg --card-status
gpg: pcsc_list_readers failed: unknown PC/SC error code (0x8010002e)
gpg: Kartenleser ist nicht vorhanden
gpg: OpenPGP Karte ist nicht vorhanden: Allgemeiner Fehler

gpg2 --card-status
Reader ...........: ...
Application ID ...: ...
Version ..........: 2.0
Manufacturer .....: ZeitControl

All this was never a problem until now.
Are there any tricks to get the interfacing with smartcards working smoother again?

If I powercycle the smartcard, and kill scdaemon, it will first ask me for the other smart card that contains the master key. If I don't provide this, I could not figure out how to decrypt the file. The only way was to plug in that other smart card, and have gpg find out that this is not the one we need. Then it asks me to plug in the card that I indeed need. Now I can enter the pin, but strangely in the console, and not the pinentry window. With this awkward workflow I am able to decrypt the file.

Rgds
Richard

From philip.jackson at nordnet.fr Wed Apr 27 22:48:40 2016
From: philip.jackson at nordnet.fr (Philip Jackson)
Date: Wed, 27 Apr 2016 22:48:40 +0200
Subject: Website usability issue
In-Reply-To: <572081EC.3020700@digitalbrains.com>
References: <572081EC.3020700@digitalbrains.com>
Message-ID: <572125A8.6090506@nordnet.fr>

On 27/04/16 11:10, Peter Lebbing wrote:
> Using a netbook with a touchpad, Debian Jessie/stable and Iceweasel
> 38.7.1esr-1~deb8u1 (Debian package), I encounter an issue with the menu
> at the top of the website.
> 
> When you hover the pointer over a menu category (Home, Donate, Download,
> ...) it folds down and subpages appear. However, there is a small slit
> between the category and the pages. If I'm not quick enough with the
> touchpad movement, and manage to hover over the slit while moving down,
> the menu folds up again just as I'm about to select a page. At the
> moment, I'm having more difficulty keeping it open than not. I'm sure
> this depends on pointer device, acceleration settings and the amount of
> caffeine in the user... (none as of yet).

I have a similar setup on an old laptop (Debian 8.4 Jessie with Iceweasel 38.7.1esr-1-deb8u1) with touchpad. But I don't see the problem you outline with the dropdown menus on gnupg.org (at least I presume you are writing about gnupg.org ?). I also use a wireless mouse but also no problem. And I'm caffeine deficient so move very slowly at this time of day :-)

Philip

From rjh at sixdemonbag.org Thu Apr 28 01:50:42 2016
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 27 Apr 2016 19:50:42 -0400
Subject: Top-posting
In-Reply-To: <20160427181621.213e21f4@braetac.lighthouse.yetnet>
References: <571F1E62.30203@pocock.pro> <571F51DA.8060809@digitalbrains.com> <67a964a0-28b3-92f4-e8eb-ab2b4e0c45da@broadcom.com> <571FD4D9.90706@sixdemonbag.org> <87a8kfqswq.fsf@wheatstone.g10code.de> <5720DF47.9040201@sixdemonbag.org> <5720E078.8030005@andrewg.com> <20160427181621.213e21f4@braetac.lighthouse.yetnet>
Message-ID: <57215052.3080805@sixdemonbag.org>

> It should probably be released under a Creative Commons license.

I hereby contribute it to the public domain. Share and enjoy.

From gniibe at fsij.org Thu Apr 28 02:23:16 2016
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Thu, 28 Apr 2016 09:23:16 +0900
Subject: gpg and smartcard on ubuntu 16.04
In-Reply-To: <1461790938.5458.19.camel@gmail.com>
References: <1461790938.5458.19.camel@gmail.com>
Message-ID: <572157F4.3030605@fsij.org>

On 04/28/2016 06:02 AM, Richard Ulrich wrote:
> I use the stock versions from the ubuntu 16.04 repository:
> gnupg 1.4.20-1ubuntu3
> gnupg2 2.1.11-6ubuntu2
> gnupg-agent 2.1.11-6ubuntu2
> scdaemon 2.1.11-6ubuntu2

Good, Ubuntu has GnuPG 2.1 (eventually, gpg will be GnuPG 2.1). Out of curiosity, does it have libgcrypt 1.7.0?

> Now if I want to decrypt a file:
> 
> gpg -d Dokumente/somefile.txt.gpg
> gpg: Anonymer Empfänger; Versuch mit geheimem Schlüssel 0AAAAAAA …
> gpg: pcsc_list_readers failed: unknown PC/SC error code (0x8010002e)
> gpg: Kartenleser ist nicht vorhanden
> 
> gpg --use-agent -d Dokumente/somefile.txt.gpg
> gpg: Anonymer Empfänger; Versuch mit geheimem Schlüssel 0AAAAAAA …
> gpg: pcsc_list_readers failed: unknown PC/SC error code (0x8010002e)
> gpg: Kartenleser ist nicht vorhanden

I think that this is an issue with the GPG_AGENT_INFO variable, which was used before 2.1. How about setting those environment variables, like this?

export GPG_AGENT_INFO=$HOME/.gnupg/S.gpg-agent:0:1
export SSH_AUTH_SOCK=$HOME/S.gpg-agent.ssh

After setting those variables, does gpg work correctly?

In my environment of Debian, those variables are set by:
/etc/X11/Xsession.d/90gpg-agent
-- 

From wk at gnupg.org Thu Apr 28 09:23:12 2016
From: wk at gnupg.org (Werner Koch)
Date: Thu, 28 Apr 2016 09:23:12 +0200
Subject: Req: 64-bit GnuPG/GPGME for Windows
In-Reply-To: <5720DDB1.3010306@sixdemonbag.org> (Robert J. Hansen's message of "Wed, 27 Apr 2016 11:41:37 -0400")
References: <571FA5E3.9030009@sixdemonbag.org> <87eg9rqtb1.fsf@wheatstone.g10code.de> <5720DDB1.3010306@sixdemonbag.org>
Message-ID: <87mvoemc2n.fsf@wheatstone.g10code.de>

On Wed, 27 Apr 2016 17:41, rjh at sixdemonbag.org said:

> Besides my contract requiring 64-bit deliverables? :) A 32-bit GnuPG

Then let's have a sub-contract :-)

> standalone executable is okay, but my code needs to be 64-bit, which
> means a 64-bit GPGME DLL.

GPGME currently does not receive the attention it deserves. We will again start working on it in the not too far future.

Salam-Shalom,

Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Thu Apr 28 09:20:46 2016
From: wk at gnupg.org (Werner Koch)
Date: Thu, 28 Apr 2016 09:20:46 +0200
Subject: Top-posting
In-Reply-To: <20160427181621.213e21f4@braetac.lighthouse.yetnet> (Michael A. Yetto's message of "Wed, 27 Apr 2016 18:16:21 -0400")
References: <571F1E62.30203@pocock.pro> <571F51DA.8060809@digitalbrains.com> <67a964a0-28b3-92f4-e8eb-ab2b4e0c45da@broadcom.com> <571FD4D9.90706@sixdemonbag.org> <87a8kfqswq.fsf@wheatstone.g10code.de> <5720DF47.9040201@sixdemonbag.org> <5720E078.8030005@andrewg.com> <20160427181621.213e21f4@braetac.lighthouse.yetnet>
Message-ID: <87r3dqmc6p.fsf@wheatstone.g10code.de>

> Everyone is going to steal this.

FWIW: Perry E. Metzger has given this shorter version for many years:

A3: Please.
Q3: Should I avoid top posting on this mailing list?

A2: Because, by reversing the order of a conversation, it leaves the reader without much context, and makes them read a message in an unnatural order.
Q2: Why is top posting irritating?

A1: It is the practice of putting your reply to a message before the quoted message, instead of after the (trimmed) message.
Q1: What is top posting?

Shalom-Salam,

Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Thu Apr 28 09:32:11 2016
From: wk at gnupg.org (Werner Koch)
Date: Thu, 28 Apr 2016 09:32:11 +0200
Subject: Querying gpg-agent configuration options
In-Reply-To: <20160427160241.GA7445@sinister.codevat.com> (Eric Pruitt's message of "Wed, 27 Apr 2016 09:02:41 -0700")
References: <20160426213119.GA27769@sinister.codevat.com> <87inz3qtwa.fsf@wheatstone.g10code.de> <20160427160241.GA7445@sinister.codevat.com>
Message-ID: <87inz2mbno.fsf@wheatstone.g10code.de>

On Wed, 27 Apr 2016 18:02, eric.pruitt at gmail.com said:

> query the information from gpg-agent, it parses the configuration files
> which is not what I need. Am I missing something? If it matters, the

It parses the configuration files and also consults gpg-agent to test which options are enabled for use by gpgconf and what the current values are. To do this gpgconf uses the special gpg-agent option '--gpgconf-list'. This usually returns the correct values, unless gpg-agent has not been restarted after a gpg-agent.conf change or command line options are used.

> version of gpgconf / GPG I'm using is 2.0.14.

If really required we could add an Assuan command to return certain values similar to "gpg-connect-agent 'help getinfo' /bye". But before adding such an option I would like to learn why you need this.

Shalom-Salam,

Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.

From mick.crane at gmail.com Thu Apr 28 10:39:02 2016
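The colon-separated record that Werner's awk command prints has one field per attribute, with the built-in default in field 8 and the value set in gpg-agent.conf in field 10, so the passphrase cache lifetimes can be checked against a policy mechanically rather than by eye. The parser and TTL audit below is an added example, not GnuPG's own code; the field layout and flag bits follow the gpgconf manual, and every sample record except the `default-cache-ttl` line quoted in the thread is constructed.

```python
"""Parse `gpgconf --list-options gpg-agent` records and audit PIN cache TTLs.

Added example, not part of GnuPG. Field layout per the gpgconf manual:
  name:flags:level:description:type:alt-type:argname:default:argdef:value
awk's $8 is the built-in default and $10 the value set in gpg-agent.conf.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Flag bits of the 'flags' field, as documented for gpgconf --list-options.
FLAG_NAMES = {1: "group", 2: "optional-arg", 4: "list", 8: "runtime",
              16: "default", 32: "default-desc", 64: "no-arg-desc",
              128: "no-change"}

INTEGER_TYPES = {2, 3}  # type codes for int32 and uint32

# The first record is the one quoted on the list; the other two are constructed.
SAMPLE = """\
default-cache-ttl:24:0:expire cached PINs after N seconds:3:3:N:600::900
max-cache-ttl:24:0:set maximum PIN cache lifetime to N seconds:3:3:N:7200::
pinentry-program:24:0:use PGM as the PIN entry program:4:4:PGM:::
"""


@dataclass
class GpgconfOption:
    name: str
    flags: int
    level: int
    description: str
    type_code: int
    default: Optional[str]  # built-in default (field 8), None if absent
    value: Optional[str]    # value from the config file (field 10), None if unset

    def flag_names(self) -> List[str]:
        return [n for bit, n in sorted(FLAG_NAMES.items()) if self.flags & bit]

    def effective(self) -> Optional[str]:
        """The value gpg-agent will use: the configured one, else the default."""
        return self.value if self.value is not None else self.default


def decode_value(field: str) -> Optional[str]:
    """Undo gpgconf's escaping: '%XX' for ':' and '%', and a leading '"'
    that marks string-typed values. An empty field means 'not set'."""
    if field == "":
        return None
    text = unquote(field)
    return text[1:] if text.startswith('"') else text


def parse_options(text: str) -> Dict[str, GpgconfOption]:
    """Turn gpgconf --list-options output into a name-keyed dict."""
    options: Dict[str, GpgconfOption] = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        fields = raw.split(":")  # safe: gpgconf percent-escapes ':' inside fields
        if len(fields) < 10:
            raise ValueError(f"malformed gpgconf record: {raw!r}")
        options[fields[0]] = GpgconfOption(
            name=fields[0],
            flags=int(fields[1]),
            level=int(fields[2]),
            description=unquote(fields[3]),
            type_code=int(fields[4]),
            default=decode_value(fields[7]),
            value=decode_value(fields[9]),
        )
    return options


def audit_cache_ttls(options: Dict[str, GpgconfOption],
                     limits: Dict[str, int]) -> List[Tuple[str, int, int]]:
    """Report (option, effective seconds, limit) for every integer option whose
    effective value exceeds the policy limit. Caveat from the thread: gpgconf
    asks gpg-agent via --gpgconf-list, so a value is only as fresh as the last
    agent restart after a gpg-agent.conf change."""
    findings = []
    for name, limit in limits.items():
        opt = options.get(name)
        if opt is None or opt.type_code not in INTEGER_TYPES:
            continue
        eff = opt.effective()
        if eff is not None and int(eff) > limit:
            findings.append((name, int(eff), limit))
    return findings


if __name__ == "__main__":
    opts = parse_options(SAMPLE)
    for opt in opts.values():
        print(f"{opt.name}: default={opt.default} configured={opt.value} "
              f"flags={','.join(opt.flag_names())}")
    # Policy (constructed): a cached passphrase should not outlive 10 minutes
    # by default, nor two hours at most.
    for name, eff, limit in audit_cache_ttls(opts, {"default-cache-ttl": 600,
                                                    "max-cache-ttl": 7200}):
        print(f"POLICY: {name} is {eff}s, limit {limit}s")
```

On a live system, feed it `subprocess.run(["gpgconf", "--list-options", "gpg-agent"], capture_output=True, text=True).stdout` instead of SAMPLE.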
From: mick.crane at gmail.com (mick crane)
Date: Thu, 28 Apr 2016 09:39:02 +0100
Subject: Top-posting
In-Reply-To: <87r3dqmc6p.fsf@wheatstone.g10code.de>
References: <571F1E62.30203@pocock.pro> <571F51DA.8060809@digitalbrains.com> <67a964a0-28b3-92f4-e8eb-ab2b4e0c45da@broadcom.com> <571FD4D9.90706@sixdemonbag.org> <87a8kfqswq.fsf@wheatstone.g10code.de> <5720DF47.9040201@sixdemonbag.org> <5720E078.8030005@andrewg.com> <20160427181621.213e21f4@braetac.lighthouse.yetnet> <87r3dqmc6p.fsf@wheatstone.g10code.de>
Message-ID: <6e971559dfcb6b8e0f91fca67ba04167@rapunzel.local>

even shorter,

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

A: Top-posting.
Q: What is the most annoying thing in e-mail?

On 2016-04-28 08:20, Werner Koch wrote:
>> Everyone is going to steal this.
> 
> FWIW: Perry E. Metzger gives this shorter version for many years:
> 
> A3: Please.
> Q3: Should I avoid top posting on this mailing list?
> 
> A2: Because, by reversing the order of a conversation, it leaves the
> reader without much context, and makes them read a message in an
> unnatural order.
> Q2: Why is top posting irritating?
> 
> A1: It is the practice of putting your reply to a message before the
> quoted message, instead of after the (trimmed) message.
> Q1: What is top posting?
> 
> 
> 
> Shalom-Salam,
> 
> Werner

-- 
key ID: 0x4BFEBB31

From johannes at zarl-zierl.at Thu Apr 28 00:54:05 2016
From: johannes at zarl-zierl.at (Johannes Zarl-Zierl)
Date: Thu, 28 Apr 2016 00:54:05 +0200
Subject: Is there a foolproof tutorial to start with gpgme?
In-Reply-To: <571F9AFC.8080602@sixdemonbag.org>
References: <571F9AFC.8080602@sixdemonbag.org>
Message-ID: <1717560.PdlE0HlYcJ@mani>

On Tuesday 26 April 2016 12:44:44 Robert J. Hansen wrote:
> Please note: since CMake doesn't have a plugin (yet) to automatically
> detect GPGME

The usual way is for a library to provide a PackageConfig.cmake file. The old-style FindPackage.cmake "plugins" are very much deprecated and it's hard to convince cmake maintainers to accept a new one...

That being said, it shouldn't be too hard to create a working gpgme-config.cmake file using autotools....

Johannes

From paolo.bolzoni.brown at gmail.com Thu Apr 28 11:02:30 2016
From: paolo.bolzoni.brown at gmail.com (Paolo Bolzoni)
Date: Thu, 28 Apr 2016 11:02:30 +0200
Subject: Top-posting
In-Reply-To: <6e971559dfcb6b8e0f91fca67ba04167@rapunzel.local>
References: <571F1E62.30203@pocock.pro> <571F51DA.8060809@digitalbrains.com> <67a964a0-28b3-92f4-e8eb-ab2b4e0c45da@broadcom.com> <571FD4D9.90706@sixdemonbag.org> <87a8kfqswq.fsf@wheatstone.g10code.de> <5720DF47.9040201@sixdemonbag.org> <5720E078.8030005@andrewg.com> <20160427181621.213e21f4@braetac.lighthouse.yetnet> <87r3dqmc6p.fsf@wheatstone.g10code.de> <6e971559dfcb6b8e0f91fca67ba04167@rapunzel.local>
Message-ID:

I think this text (or variants) is as old as email itself and actually, while funny, makes little sense.

When you follow an email thread you do not read everything, you just read the new email and it makes little difference if it is at the top. Besides, most email clients actually put an indentation in the quoted text so it should look like:

A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
>> A: Top-posting.
>>> Q: What is the most annoying thing in e-mail?

That with one-liners looks strange, but it becomes clear with long texts.

However, I agree there is no need to keep clutter at the bottom of emails. So while I still don't see the big deal with top-posting, I agree that it is much better (A) to trim and answer single points or (B) simply make a clean email.

Cheers,
Paolo

From guru at unixarea.de Thu Apr 28 11:26:52 2016
From: guru at unixarea.de (Matthias Apitz)
Date: Thu, 28 Apr 2016 11:26:52 +0200
Subject: Top-posting
In-Reply-To:
References: <67a964a0-28b3-92f4-e8eb-ab2b4e0c45da@broadcom.com> <571FD4D9.90706@sixdemonbag.org> <87a8kfqswq.fsf@wheatstone.g10code.de> <5720DF47.9040201@sixdemonbag.org> <5720E078.8030005@andrewg.com> <20160427181621.213e21f4@braetac.lighthouse.yetnet> <87r3dqmc6p.fsf@wheatstone.g10code.de> <6e971559dfcb6b8e0f91fca67ba04167@rapunzel.local>
Message-ID: <20160428092652.GA3557@c720-r292778-amd64>

On Thursday, April 28, 2016 at 11:02:30AM +0200, Paolo Bolzoni wrote:

> I think this text (or variants) are old as email itself and actually,
> while funny, makes little sense.
> 
> When you follow an email thread you do not read everything, you just
> read the new email and it makes little difference if it is in the top.
> Besides most email clients actually put an indentation in the quoted
> text so it should look like:

I have the feeling (and even could prove this with examples) that top posters do not even read what they are posting on top of. They just want to say something, sometimes useless, because it is already said/answered a few lines down.

Speaking more technically, the problem is that 'modern' MUA, like OutLook crap, thunderbird or other browser-like MUA do not invite to post and quote correctly. They put the cursor above the first line (sometimes you can not even configure this, and also not the correct citation with '> ') and they do not provide the required tools/commands to trim the old text, i.e. for example delete 150 lines with just saying '150dd' or '.,$-20d' or others. In these 'modern' MUA you must carefully place the cursor with the mouse, highlight even more carefully the text you want to delete, and doing this with the limitation of a smartphone is really a PITA.

That's why I do prefer 'mutt' and 'vim'.

matthias

-- 
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/
+49-176-38902045
¡Dios querido denos otra vez los problemas de ayer, los que tuvimos en la RDA!
My Lord, give us back the problems of yesterday, those we have had in the GDR.

From paolo.bolzoni.brown at gmail.com Thu Apr 28 11:49:21 2016
From: paolo.bolzoni.brown at gmail.com (Paolo Bolzoni)
Date: Thu, 28 Apr 2016 11:49:21 +0200
Subject: Top-posting
In-Reply-To: <20160428092652.GA3557@c720-r292778-amd64>
References: <67a964a0-28b3-92f4-e8eb-ab2b4e0c45da@broadcom.com> <571FD4D9.90706@sixdemonbag.org> <87a8kfqswq.fsf@wheatstone.g10code.de> <5720DF47.9040201@sixdemonbag.org> <5720E078.8030005@andrewg.com> <20160427181621.213e21f4@braetac.lighthouse.yetnet> <87r3dqmc6p.fsf@wheatstone.g10code.de> <6e971559dfcb6b8e0f91fca67ba04167@rapunzel.local> <20160428092652.GA3557@c720-r292778-amd64>
Message-ID:

> Speaking more technically, the problem is that 'modern' MUA, like
> OutLook crap, thunderbird or other browser-like MUA do not invite to
> post and quote correctly. They put the cursor above the first line
> (sometimes you can not even configure this, and also not the correct
> citation with '> ') and they do not provide the required tools/commands to trim
> the old text, i.e. for example delete 150 lines with just saying '150dd'
> or '.,$-20d' or others. In these 'modern' MUA you must carefully place
> the cursor with the mouse, highlight even more carefully the text you
> want to delete, and doing this with the limitation of a smartphone is
> really a PITA.

The modern editors are indeed part of the problem. Don't get me wrong, I am all for fancy screens, pleasant colors, GUIs, and modernity. But what I do not understand is why break down and remove what already works. Another example that sometimes drives me crazy is the lack of regular expressions in "Search" functions.

However, you can move around with the keyboard even in "modern" MUA. When using normal keyboards I think you are exaggerating a bit. The problem is indeed annoying with limited keyboards, though.

From jerry at seibercom.net Thu Apr 28 12:07:15 2016
From: jerry at seibercom.net (Jerry) Date: Thu, 28 Apr 2016 06:07:15 -0400 Subject: Top-posting In-Reply-To: <20160428092652.GA3557@c720-r292778-amd64> References: <67a964a0-28b3-92f4-e8eb-ab2b4e0c45da@broadcom.com> <571FD4D9.90706@sixdemonbag.org> <87a8kfqswq.fsf@wheatstone.g10code.de> <5720DF47.9040201@sixdemonbag.org> <5720E078.8030005@andrewg.com> <20160427181621.213e21f4@braetac.lighthouse.yetnet> <87r3dqmc6p.fsf@wheatstone.g10code.de> <6e971559dfcb6b8e0f91fca67ba04167@rapunzel.local> <20160428092652.GA3557@c720-r292778-amd64> Message-ID: <20160428060715.00003e1b@seibercom.net>

On Thu, 28 Apr 2016 11:26:52 +0200, Matthias Apitz stated:

>Speaking more technically, the problem is that 'modern' MUA, like
>OutLook crap, thunderbird or other browser-like MUA do not invite to
>post and quote correctly. They put the cursor above the first line
>(sometimes you can not even configure this, and also not the correct
>citation with '> ') and they do not provide the required
>tools/commands to trim the old text, i.e. for example delete 150 lines
>with just saying '150dd' or '.,$-20d' or others. In these 'modern' MUA
>you must carefully place the cursor with the mouse, highlight even
>more carefully the text you want to delete, and doing this with the
>limitation of a smartphone is really a PITA.

I use "claws-mail" and all I have to do is highlight the text I want to reply to. If there is something I still want to eliminate, I just highlight it and delete it. Now, if I had to start counting characters, lines, etcetera and entering cryptic code to remove said items, that would be a PITA.

I rarely use a smart phone to respond to an email. And if I do, I have discovered that it is possible to delete unnecessary text AND position the new text at the bottom of the message. By the way, I have also discovered that you can do the exact same thing in MS Outlook. I don't use "Thunderbird" so I cannot comment on its features or deficiencies.
-- 
Jerry

From andrewg at andrewg.com Thu Apr 28 12:16:52 2016
From: andrewg at andrewg.com (Andrew Gallagher) Date: Thu, 28 Apr 2016 11:16:52 +0100 Subject: Top-posting In-Reply-To: <20160428060715.00003e1b@seibercom.net> References: <67a964a0-28b3-92f4-e8eb-ab2b4e0c45da@broadcom.com> <571FD4D9.90706@sixdemonbag.org> <87a8kfqswq.fsf@wheatstone.g10code.de> <5720DF47.9040201@sixdemonbag.org> <5720E078.8030005@andrewg.com> <20160427181621.213e21f4@braetac.lighthouse.yetnet> <87r3dqmc6p.fsf@wheatstone.g10code.de> <6e971559dfcb6b8e0f91fca67ba04167@rapunzel.local> <20160428092652.GA3557@c720-r292778-amd64> <20160428060715.00003e1b@seibercom.net> Message-ID: <5721E314.8010901@andrewg.com>

On 28/04/16 11:07, Jerry wrote:
>
> I use "claws-mail" and all I have to do is highlight the text I want to
> reply to.
...
> I don't use "Thunderbird" so I cannot comment on its
> features or deficiencies.

Thunderbird has exactly the same feature.

A

From andrewg at andrewg.com Thu Apr 28 12:22:02 2016
From: andrewg at andrewg.com (Andrew Gallagher) Date: Thu, 28 Apr 2016 11:22:02 +0100 Subject: Top-posting In-Reply-To: <20160428092652.GA3557@c720-r292778-amd64> References: <67a964a0-28b3-92f4-e8eb-ab2b4e0c45da@broadcom.com> <571FD4D9.90706@sixdemonbag.org> <87a8kfqswq.fsf@wheatstone.g10code.de> <5720DF47.9040201@sixdemonbag.org> <5720E078.8030005@andrewg.com> <20160427181621.213e21f4@braetac.lighthouse.yetnet> <87r3dqmc6p.fsf@wheatstone.g10code.de> <6e971559dfcb6b8e0f91fca67ba04167@rapunzel.local> <20160428092652.GA3557@c720-r292778-amd64> Message-ID: <5721E44A.4070803@andrewg.com>

On 28/04/16 10:26, Matthias Apitz wrote:
> Speaking more technically, the problem is that 'modern' MUA, like
> OutLook crap, thunderbird or other browser-like MUA do not invite to
> post and quote correctly. They put the cursor above the first line
> (sometimes you can not even configure this, and also not the correct
> citation with '> ')

Thunderbird bottom-posts by default.

https://support.mozilla.org/en-US/kb/reply-above-or-below-quoted-text

A

From peter at digitalbrains.com Thu Apr 28 12:45:52 2016
From: peter at digitalbrains.com (Peter Lebbing) Date: Thu, 28 Apr 2016 12:45:52 +0200 Subject: gpg and smartcard on ubuntu 16.04 In-Reply-To: <572157F4.3030605@fsij.org> References: <1461790938.5458.19.camel@gmail.com> <572157F4.3030605@fsij.org> Message-ID: <5721E9E0.4050907@digitalbrains.com>

On 28/04/16 02:23, NIIBE Yutaka wrote:
> In my environment of Debian, those variables are set by:
> /etc/X11/Xsession.d/90gpg-agent

After I installed GnuPG 2.1 on my Debian Jessie (which doesn't have 2.1 itself), I encountered annoying issues. I also use smartcards, for SSH auth as well. I got it to run much smoother by editing this file to be the attached file. It did have a gotcha: if there isn't an agent running, you have to do something like:

$ gpg-connect-agent /bye

before you can do SSH auth. Note that the agent survives a logout/login.

I got the impression that the explicit starting of the daemon in the startup script somehow messed something up. But I had some trouble pinning down the exact problem, and since it now works in a way that works for me, I left it at this.

Perhaps you could just add the gpg-connect-agent call to the if-ssh-support conditional, and it would be purrfect. I will try that now and see if everything stays peachy.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at

-------------- next part --------------
: ${GNUPGHOME=$HOME/.gnupg}

if grep -qs '^[[:space:]]*enable-ssh-support' "${GNUPGHOME}/gpg-agent.conf"; then
    SSH_AUTH_SOCK="${GNUPGHOME}/S.gpg-agent.ssh"
    export SSH_AUTH_SOCK
fi

From peter at digitalbrains.com Thu Apr 28 13:10:10 2016
From: peter at digitalbrains.com (Peter Lebbing) Date: Thu, 28 Apr 2016 13:10:10 +0200 Subject: gpg and smartcard on ubuntu 16.04 In-Reply-To: <5721E9E0.4050907@digitalbrains.com> References: <1461790938.5458.19.camel@gmail.com> <572157F4.3030605@fsij.org> <5721E9E0.4050907@digitalbrains.com> Message-ID: <5721EF92.1030208@digitalbrains.com>

On 28/04/16 12:45, Peter Lebbing wrote:
> Perhaps you could just add the gpg-connect-agent call to the
> if-ssh-support conditional, and it would be purrfect. I will try that
> now and see if everything stays peachy.

At a first glance, it seems to work with the attached version. On a cold boot, the agent is running and listening for SSH when I login.

When I unlock a smartcard with the PIN, logout, and log back in, the smartcard is still unlocked (and the original agent running). While this may not be very expected, it is not related to logging *in* but rather to logging *out*, in my opinion. I don't readily know how to do something on logout.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at

-------------- next part --------------
: ${GNUPGHOME=$HOME/.gnupg}

if grep -qs '^[[:space:]]*enable-ssh-support' "${GNUPGHOME}/gpg-agent.conf"; then
    SSH_AUTH_SOCK="${GNUPGHOME}/S.gpg-agent.ssh"
    export SSH_AUTH_SOCK
    # Start the agent if it's not already running
    gpg-connect-agent /bye
fi

From guanx.bac at gmail.com Thu Apr 28 14:28:56 2016
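The logic of Peter's attached Xsession.d snippet, as an added example (it is not his script and not Debian's 90gpg-agent) with the config check split into a function so it can be exercised against a constructed GNUPGHOME; the names gpg_ssh_sock_for and setup_gpg_ssh_agent are mine, and gpg-connect-agent is only invoked when it is installed.

```shell
# POSIX sh. Added example mirroring the Xsession.d snippet from the thread;
# function names are my own, not part of GnuPG or Debian.

# Print the gpg-agent SSH socket path for the given GNUPGHOME if
# enable-ssh-support is active in its gpg-agent.conf; print nothing
# otherwise. The anchored pattern (optional leading whitespace, then the
# option) deliberately ignores lines commented out with '#', and grep -s
# keeps a missing config file from producing an error message.
gpg_ssh_sock_for() {
    gnupghome="$1"
    conf="$gnupghome/gpg-agent.conf"
    if grep -qs '^[[:space:]]*enable-ssh-support' "$conf"; then
        printf '%s\n' "$gnupghome/S.gpg-agent.ssh"
    fi
}

# Export SSH_AUTH_SOCK for the current GNUPGHOME (default ~/.gnupg) and,
# addressing the gotcha described in the thread, make sure an agent is
# actually listening: without a running agent the socket does not exist and
# ssh cannot reach the card. Returns 0 when SSH support is configured and
# the agent could be reached, 1 otherwise.
setup_gpg_ssh_agent() {
    : "${GNUPGHOME:=$HOME/.gnupg}"
    sock=$(gpg_ssh_sock_for "$GNUPGHOME")
    [ -n "$sock" ] || return 1
    SSH_AUTH_SOCK="$sock"
    export SSH_AUTH_SOCK
    # /bye is a no-op when the agent is already up and starts it otherwise.
    if command -v gpg-connect-agent >/dev/null 2>&1; then
        gpg-connect-agent /bye >/dev/null 2>&1 || return 1
    fi
    return 0
}
```

Sourcing this from a login script and calling setup_gpg_ssh_agent gives the same effect as the attached file, while gpg_ssh_sock_for can be tested on its own without an agent.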
From: guanx.bac at gmail.com (Guan Xin) Date: Thu, 28 Apr 2016 14:28:56 +0200 Subject: Top-posting In-Reply-To: <20160428092652.GA3557@c720-r292778-amd64> References: <67a964a0-28b3-92f4-e8eb-ab2b4e0c45da@broadcom.com> <571FD4D9.90706@sixdemonbag.org> <87a8kfqswq.fsf@wheatstone.g10code.de> <5720DF47.9040201@sixdemonbag.org> <5720E078.8030005@andrewg.com> <20160427181621.213e21f4@braetac.lighthouse.yetnet> <87r3dqmc6p.fsf@wheatstone.g10code.de> <6e971559dfcb6b8e0f91fca67ba04167@rapunzel.local> <20160428092652.GA3557@c720-r292778-amd64> Message-ID:

Your feeling is basically wrong.

On Thu, Apr 28, 2016 at 11:26 AM, Matthias Apitz wrote:
> On Thursday, April 28, 2016 at 11:02:30AM +0200, Paolo Bolzoni wrote:
>
> I have the feeling (and even could prove this with examples) that top
> posters do not even read about what they are posting on top of. They just
> want to say something, sometimes useless, because it is already
> said/answered a few lines down).
>
> //snip
> matthias
>
> --
> Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
> ¡Dios querido denos otra vez los problemas de ayer, los que tuvimos en la RDA!
> My Lord, give us back the problems of yesterday, those we have had in the GDR.
>

From guanx.bac at gmail.com Thu Apr 28 14:32:45 2016
From: guanx.bac at gmail.com (Guan Xin) Date: Thu, 28 Apr 2016 14:32:45 +0200 Subject: Top-posting In-Reply-To: <20160428092652.GA3557@c720-r292778-amd64> References: <67a964a0-28b3-92f4-e8eb-ab2b4e0c45da@broadcom.com> <571FD4D9.90706@sixdemonbag.org> <87a8kfqswq.fsf@wheatstone.g10code.de> <5720DF47.9040201@sixdemonbag.org> <5720E078.8030005@andrewg.com> <20160427181621.213e21f4@braetac.lighthouse.yetnet> <87r3dqmc6p.fsf@wheatstone.g10code.de> <6e971559dfcb6b8e0f91fca67ba04167@rapunzel.local> <20160428092652.GA3557@c720-r292778-amd64> Message-ID:

This post is an example to prove that your feeling is wrong. Show your examples now.

On Thu, Apr 28, 2016 at 11:26 AM, Matthias Apitz wrote:
> On Thursday, April 28, 2016 at 11:02:30AM +0200, Paolo Bolzoni wrote:
>
> I have the feeling (and even could prove this with examples) that top
> posters do not even read about what they are posting on top of. They just
> want to say something, sometimes useless, because it is already
> said/answered a few lines down).
> //snip
> matthias
>
> --
> Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
> ¡Dios querido denos otra vez los problemas de ayer, los que tuvimos en la RDA!
> My Lord, give us back the problems of yesterday, those we have had in the GDR.
>

From guru at unixarea.de Thu Apr 28 19:38:50 2016
From: guru at unixarea.de (Matthias Apitz) Date: Thu, 28 Apr 2016 19:38:50 +0200 Subject: Top-posting In-Reply-To: References: <87a8kfqswq.fsf@wheatstone.g10code.de> <5720DF47.9040201@sixdemonbag.org> <5720E078.8030005@andrewg.com> <20160427181621.213e21f4@braetac.lighthouse.yetnet> <87r3dqmc6p.fsf@wheatstone.g10code.de> <6e971559dfcb6b8e0f91fca67ba04167@rapunzel.local> <20160428092652.GA3557@c720-r292778-amd64> Message-ID: <20160428173850.GA3299@c720-r292778-amd64>

On Thursday, April 28, 2016 at 02:28:56PM +0200, Guan Xin wrote:
> Your feeling is basically wrong.

Here comes the proving example you asked for:

https://lists.launchpad.net/ubuntu-phone/msg20309.html

Someone put on top of some mails a question which has nothing to do with the problems the other posters have faced.

HIH

matthias

-- 
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
¡Dios querido denos otra vez los problemas de ayer, los que tuvimos en la RDA!
My Lord, give us back the problems of yesterday, those we have had in the GDR.

From wk at gnupg.org Thu Apr 28 20:33:07 2016
From: wk at gnupg.org (Werner Koch) Date: Thu, 28 Apr 2016 20:33:07 +0200 Subject: Evangelzation discussion In-Reply-To: <572086E7.30702@digitalbrains.com> (Peter Lebbing's message of "Wed, 27 Apr 2016 11:31:19 +0200") References: <571F1E62.30203@pocock.pro> <571F51DA.8060809@digitalbrains.com> <67a964a0-28b3-92f4-e8eb-ab2b4e0c45da@broadcom.com> <571FD4D9.90706@sixdemonbag.org> <572086E7.30702@digitalbrains.com> Message-ID: <87y47xh9cs.fsf@wheatstone.g10code.de>

On Wed, 27 Apr 2016 11:31, peter at digitalbrains.com said:
> Yes, I think it would be better if stuff like GPGME, libassuan,
> libgcrypt, libgpg-error, libksba and pinentry got their own category on
> the website rather than being a peer to the other stuff in related
> software...

I changed this library page a bit to better address your issues.

> While "related software" is a large list, I don't think it's meant to be
> exhaustive. I'm also not sure what the qualifications are to be
> considered for being added (other than being free software). I think
> this is done informally, on an ad-hoc basis.

Right, just write or even better add a bug report (gpgweb/wish).

Salam-Shalom,

Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Thu Apr 28 20:36:52 2016
From: wk at gnupg.org (Werner Koch) Date: Thu, 28 Apr 2016 20:36:52 +0200 Subject: Website usability issue In-Reply-To: <572125A8.6090506@nordnet.fr> (Philip Jackson's message of "Wed, 27 Apr 2016 22:48:40 +0200") References: <572081EC.3020700@digitalbrains.com> <572125A8.6090506@nordnet.fr> Message-ID: <87twilh96j.fsf@wheatstone.g10code.de>

On Wed, 27 Apr 2016 22:48, philip.jackson at nordnet.fr said:
> Iceweasel 38.7.1esr-1-deb8u1) with touchpad. But I don't see the
> problem you outline with the dropdown menus on gnupg.org (at least I
> presume you are writing about gnupg.org ?).

Neither do I, thus it is not easy to debug. However, I noticed it some time ago on someone else's browser. There should be no gap but I assume that rounding issues may lead to the problems.

As a workaround Peter can click on the top menu to open the main page of that pull down menu, and then use the secondary menu to select the actual page.

Shalom-Salam,

Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.

From peter at digitalbrains.com Thu Apr 28 21:10:39 2016
From: peter at digitalbrains.com (Peter Lebbing) Date: Thu, 28 Apr 2016 21:10:39 +0200 Subject: Website typo fixes In-Reply-To: <87y47xh9cs.fsf@wheatstone.g10code.de> References: <87y47xh9cs.fsf@wheatstone.g10code.de> Message-ID: <1461870640-19010-1-git-send-email-peter@digitalbrains.com>

I saw some typos in libraries.org on the website. Seizing the occasion, I'm also resending an older typo fix that either fell through the cracks or was silently rejected.

I hope I'm using git-send-email right... I hardly ever use it.

From peter at digitalbrains.com Thu Apr 28 21:10:40 2016
From: peter at digitalbrains.com (Peter Lebbing) Date: Thu, 28 Apr 2016 21:10:40 +0200 Subject: [PATCH] Fix typo's in libraries.org In-Reply-To: <1461870640-19010-1-git-send-email-peter@digitalbrains.com> References: <87y47xh9cs.fsf@wheatstone.g10code.de> <1461870640-19010-1-git-send-email-peter@digitalbrains.com> Message-ID: <1461870640-19010-2-git-send-email-peter@digitalbrains.com> --- web/related_software/libraries.org | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/web/related_software/libraries.org b/web/related_software/libraries.org index 2a5cc8d..6c963d0 100644 --- a/web/related_software/libraries.org +++ b/web/related_software/libraries.org @@ -12,10 +12,10 @@ ** Libraries required to build GnuPG - The libraries are requred to build currenrt GnUPG versions but may - also be used on its onw. They are maintained by the GnuPG Project. + The libraries are required to build current GnuPG versions but may + also be used on their own. They are maintained by the GnuPG Project. - - [[file:libgpg-error/index.org][Libgpg-error]] :: Libgpg-error is helper library used by a couple + - [[file:libgpg-error/index.org][Libgpg-error]] :: Libgpg-error is a helper library used by a couple of other projects to provide a common set of error codes and descriptions. - [[file:libgcrypt/index.org][Libgcrypt]] :: Libgcrypt is a general purpose cryptographic -- 2.1.4 From peter at digitalbrains.com Thu Apr 28 21:17:36 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Thu, 28 Apr 2016 21:17:36 +0200 Subject: [PATCH] Fix typo's in whats-new-in-2.1.org In-Reply-To: <1461870640-19010-1-git-send-email-peter@digitalbrains.com> References: <1461870640-19010-1-git-send-email-peter@digitalbrains.com> Message-ID: <1461871056-19498-1-git-send-email-peter@digitalbrains.com> --- web/faq/whats-new-in-2.1.org | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) 
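Review bot: the subject line of the libraries.org patch repeats the kind of mistake the hunk corrects: "Fix typo's in libraries.org" should read "Fix typos in libraries.org" (no apostrophe in the plural), and the whats-new-in-2.1.org patch subject has the same slip. The four corrections inside the hunk itself (requred, currenrt GnUPG, its onw, and "is helper library" to "is a helper library") are all right as written and the hunk applies cleanly against the shown context.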
diff --git a/web/faq/whats-new-in-2.1.org b/web/faq/whats-new-in-2.1.org index 179b075..c1e6d09 100644 --- a/web/faq/whats-new-in-2.1.org +++ b/web/faq/whats-new-in-2.1.org @@ -376,7 +376,7 @@ pub rsa2048/BD19AC1C In case the key has already been signed, the command prints a note and exits with success. In case you want to check that it really worked, -use ==--check-sigs= as usual: +use =--check-sigs= as usual: #+begin_example $ gpg2 --check-sigs '15CB 723E 2000 A1A8 2505 F3B7 CC00 B501 BD19 AC1C' @@ -515,13 +515,13 @@ For load balancing reasons, keyservers are organized in pools to enable instant round-robin DNS assignment of random keyservers. A problem with that approach is that the DNS resolver is not aware of the state of the keyserver. If a keyserver has gone down or a routing -problems occurs, /gpg/ and its keyserver helpers were not ware of it +problems occurs, /gpg/ and its keyserver helpers were not aware of it and would try over and over to use the same, dead, keyserver up until the DNS information expires and a the DNS resolver assigned a new server from the pool. The new /dirmngr/ in GnuPG does not use the implicit round-robin of -the DNS resolver but uses its own DNS look up and keeps an internal +the DNS resolver but uses its own DNS lookup and keeps an internal table of all hosts from the pool along with the encountered aliveness state. Thus after a failure (timeout) of a request, /dirmngr/ flags a host as dead and randomly selects another one from the pool. After a 
@@ -607,12 +607,12 @@ revocation certificate are put at the top of the file. :END: The /scdaemon/, which is responsible for accessing smardcards and -other tokens, has received many updates. In particular plugable USB +other tokens, has received many updates. In particular pluggable USB readers with a fixed card now work smoothless and similar to standard readers. The latest features of the [[http://www.fsij.org/doc-gnuk/][gnuk]] token are supported. Code for the SmartCard-HSM has been added. More card readers with a PIN pad are supported. The internal CCID driver does now also work with -certain non-auto configuration equipped readers. +certain non-auto-configuration equipped readers. ** New format for key listings :PROPERTIES: @@ -643,7 +643,7 @@ that is =show-uid-validity= is implicitly used for the The annotated key listing produced by the =--with-colons= options did not change. However a couple of new fields have been added, for -example if the new option =--with-secret-= is used the ?S/N of a token +example if the new option =--with-secret= is used the ?S/N of a token field? indicates the presence of a secret key even in a public key listing. This option is supported by recent [[https://gnupg.org/related_software/gpgme/][GPGME]] versions and makes writing of key manager software easier. @@ -682,7 +682,7 @@ menu of /gpgsm/. In batch mode the certificate creation dialog can now be controlled by a parameter file with several new keywords. Such a parameter file allows the creation of arbitrary X.509 certificates similar to what -can be done with /openssl/. It may this be used as the base for a CA +can be done with /openssl/. It may thus be used as the base for a CA software. For details see the ?CSR and certificate creation? section in the manual. -- 2.1.4 From tehpeh-gnupg at tty1.net Thu Apr 28 20:58:17 2016 
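Review bot: in the @@ -515,13 +515,13 @@ hunk the replaced line still carries a number-agreement error: "If a keyserver has gone down or a routing problems occurs" should become "a routing problem occurs" (drop the s) while that line is being touched anyway. Two lines further down the unchanged context "the DNS information expires and a the DNS resolver assigned a new server" has a stray "a" before "the" that could go in the same patch.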
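Review bot: the @@ -607,12 +607,12 @@ hunk fixes "plugable" but leaves two typos in its own context lines: "responsible for accessing smardcards and" (smartcards) on the hunk's first body line, and "now work smoothless and similar to standard readers" (smoothly) on the line right after the change. Both are within the hunk's context, so folding them into this patch costs nothing and avoids a follow-up.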
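Review bot: in the @@ -643,7 +643,7 @@ hunk, the context line "The annotated key listing produced by the =--with-colons= options did" should read "option" (singular); the change to =--with-secret= on the next line is correct, so extending the hunk by one line would tidy the sentence completely.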
From: tehpeh-gnupg at tty1.net (Thomas Pircher) Date: Thu, 28 Apr 2016 19:58:17 +0100 Subject: Website usability issue In-Reply-To: <87twilh96j.fsf@wheatstone.g10code.de> References: <572081EC.3020700@digitalbrains.com> <572125A8.6090506@nordnet.fr> <87twilh96j.fsf@wheatstone.g10code.de> Message-ID: <025cee4369d53e75e90a159d0ca56153@wusel.tty1.net>

On 2016-04-28 19:36, Werner Koch wrote:
> Neither do I, thus it is not easy to debug. However, I noticed it some
> time ago on someone else's browser.

I can see this too (FF 45.0.2 on Debian testing). But if you change the top: value for the "nav ul li:hover ul.sub-menu" selector in your CSS file from 39px to 37px, then the problem disappears for me. I'm not a web designer, so I'm not sure this is the 'proper' fix for the gap.

Cheers
Thomas

From wk at gnupg.org Thu Apr 28 22:23:45 2016
From: wk at gnupg.org (Werner Koch) Date: Thu, 28 Apr 2016 22:23:45 +0200 Subject: Website typo fixes In-Reply-To: <1461870640-19010-1-git-send-email-peter@digitalbrains.com> (Peter Lebbing's message of "Thu, 28 Apr 2016 21:10:39 +0200") References: <87y47xh9cs.fsf@wheatstone.g10code.de> <1461870640-19010-1-git-send-email-peter@digitalbrains.com> Message-ID: <87zisdfpny.fsf@wheatstone.g10code.de>

On Thu, 28 Apr 2016 21:10, peter at digitalbrains.com said:
> I saw some typos in libraries.org on the website. Seizing the occasion, I'm
> also resending an older typo fix that either fell through the cracks or was
> silently rejected.

Thanks. Both applied to the repo.

Salam-Shalom,

Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.

From youcanlinux at gmail.com Thu Apr 28 23:04:56 2016
From: youcanlinux at gmail.com (Daniel Villarreal) Date: Thu, 28 Apr 2016 17:04:56 -0400 Subject: Top-posting In-Reply-To: <20160428173850.GA3299@c720-r292778-amd64> References: <87a8kfqswq.fsf@wheatstone.g10code.de> <5720DF47.9040201@sixdemonbag.org> <5720E078.8030005@andrewg.com> <20160427181621.213e21f4@braetac.lighthouse.yetnet> <87r3dqmc6p.fsf@wheatstone.g10code.de> <6e971559dfcb6b8e0f91fca67ba04167@rapunzel.local> <20160428092652.GA3557@c720-r292778-amd64> <20160428173850.GA3299@c720-r292778-amd64> Message-ID: <73e65787-4d75-93ca-5aab-5ba94bbd900c@gmail.com>

> On Thursday, April 28, 2016 at 02:28:56PM +0200, Guan Xin wrote:
>> Your feeling is basically wrong.
>>
> Here comes the proving example you asked for:
> https://lists.launchpad.net/ubuntu-phone/msg20309.html
> Someone put on top of some mails a question which has nothing to do
> with the problems the other posters have faced.
> HIH
> matthias

It's all the same to me... I don't really care about top- or bottom-posting, but I suppose it's more polite/proper to bottom post. I care more about editing and content. I often quote differently anyway...

Kind regards,
Daniel

-- 
Daniel Villarreal
http://www.youcanlinux.org
youcanlinux at gmail.com
PGP key 2F6E 0DC3 85E2 5EC0 DA03 3F5B F251 8938 A83E 7B49
https://pgp.mit.edu/pks/lookup?op=get&search=0xF2518938A83E7B49

From jimoe at sohnen-moe.com Thu Apr 28 22:24:37 2016
From: jimoe at sohnen-moe.com (James Moe) Date: Thu, 28 Apr 2016 13:24:37 -0700 Subject: Top-posting In-Reply-To: References: <571F1E62.30203@pocock.pro> <571F51DA.8060809@digitalbrains.com> <67a964a0-28b3-92f4-e8eb-ab2b4e0c45da@broadcom.com> <571FD4D9.90706@sixdemonbag.org> <87a8kfqswq.fsf@wheatstone.g10code.de> <5720DF47.9040201@sixdemonbag.org> <5720E078.8030005@andrewg.com> <20160427181621.213e21f4@braetac.lighthouse.yetnet> <87r3dqmc6p.fsf@wheatstone.g10code.de> <6e971559dfcb6b8e0f91fca67ba04167@rapunzel.local> Message-ID:

On 04/28/2016 02:02 AM, Paolo Bolzoni wrote:
> I agree that
> is much better (A) to trim and answers to single points or (B) simply
> make a clean email.
>
In that spirit I offer this rant:

Trim your posts! There is no need for a complete history of every bit of text in 14 previous posts including "On such date somebody wrote" headers, every respondent's signature, and every listserv trailer. I realize many of you use smartphones and tablets and Googlegroups, and direct experience has shown that it is unreasonably difficult to select and delete text. Nevertheless, please make the effort.

I also realize that your response is very profound and that it is important to get it posted as quickly as possible. However, you greatly inconvenience the readers (for instance, me) of said profundity with all of the extraneous text you leave in your posting making it a challenge to even find the response.

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?

-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936

From idmsdba at nycap.rr.com Fri Apr 29 00:11:27 2016
From: idmsdba at nycap.rr.com (Michael A. Yetto) Date: Thu, 28 Apr 2016 18:11:27 -0400 Subject: Top-posting In-Reply-To: References: <571F1E62.30203@pocock.pro> <571F51DA.8060809@digitalbrains.com> <67a964a0-28b3-92f4-e8eb-ab2b4e0c45da@broadcom.com> <571FD4D9.90706@sixdemonbag.org> <87a8kfqswq.fsf@wheatstone.g10code.de> <5720DF47.9040201@sixdemonbag.org> <5720E078.8030005@andrewg.com> <20160427181621.213e21f4@braetac.lighthouse.yetnet> <87r3dqmc6p.fsf@wheatstone.g10code.de> <6e971559dfcb6b8e0f91fca67ba04167@rapunzel.local> Message-ID: <20160428181127.0f65a0c2@braetac.lighthouse.yetnet>

On Thu, 28 Apr 2016 11:02:30 +0200 Paolo Bolzoni wrote:

>I think this text (or variants) are old as email itself and
>actually, while funny, makes little sense.
>

It makes quite a bit of sense when you are dragged into a thread that has gone on for a while.

>When you follow an email thread you do not read everything, you
>just read the new email and it makes little difference if it is
>in the top. Besides most email clients actually put an
>indentation in the quoted text so it should look like:
>

You do if you must figure out what the problem is that the wrong people have been discussing for a week.

Go to the bottom of the message. Back up to the start of the oldest part not yet read. Read that part till you get to the end of what you have previously read. Back up to the start of the oldest part not yet read. Read that part till you get to the end of what you have previously read. Lather, rinse, repeat.

Mike Yetto
-- 
"God is an ever receding pocket of scientific ignorance." - Neil deGrasse Tyson

From free10pro at gmail.com Fri Apr 29 06:54:55 2016
From: free10pro at gmail.com (Paul R. Ramer) Date: Thu, 28 Apr 2016 21:54:55 -0700 Subject: Top-posting In-Reply-To: References: <67a964a0-28b3-92f4-e8eb-ab2b4e0c45da@broadcom.com> <571FD4D9.90706@sixdemonbag.org> <87a8kfqswq.fsf@wheatstone.g10code.de> <5720DF47.9040201@sixdemonbag.org> <5720E078.8030005@andrewg.com> <20160427181621.213e21f4@braetac.lighthouse.yetnet> <87r3dqmc6p.fsf@wheatstone.g10code.de> <6e971559dfcb6b8e0f91fca67ba04167@rapunzel.local> <20160428092652.GA3557@c720-r292778-amd64> Message-ID: <5722E91F.4040200@gmail.com>

On 04/28/2016 02:49 AM, Paolo Bolzoni wrote:
> However, you can move around with keyboard even in "modern" mua. When
> using normal keyboards I think you are exaggerating a bit. The problem
> is indeed annoying with limited keyboards, though.

Personally, I would rather not have to hit the "Page Down" button *every* time I wrote an email (provided I have a full-size keyboard). If you are always varying from the defaults in a consistent way, then the defaults need to be different. Besides, think of the cumulative time wasted scrolling or paging down for every email you write. ;-) [1]

Cheers,

-Paul

[1] https://xkcd.com/1205/

From guru at unixarea.de Fri Apr 29 07:37:58 2016
From: guru at unixarea.de (Matthias Apitz) Date: Fri, 29 Apr 2016 07:37:58 +0200 Subject: Top-posting In-Reply-To: <20160429052510.GF99693@adversary.org> References: <87a8kfqswq.fsf@wheatstone.g10code.de> <5720DF47.9040201@sixdemonbag.org> <5720E078.8030005@andrewg.com> <20160427181621.213e21f4@braetac.lighthouse.yetnet> <87r3dqmc6p.fsf@wheatstone.g10code.de> <6e971559dfcb6b8e0f91fca67ba04167@rapunzel.local> <20160428092652.GA3557@c720-r292778-amd64> <20160429052510.GF99693@adversary.org> Message-ID: <20160429053758.GC2022@c720-r292778-amd64>

On Friday, April 29, 2016 at 03:25:10PM +1000, Ben McGinnes wrote:
> I don't have an answer for all smartphone and tablet users (other than
> the sensible ones who will SSH from their phone into another system
> and use Mutt or some other CLI MUA), but for the iPhone and iPad users
> I did find this solution from John Gruber (the guy who invented
> Markdown):

I have mutt+vim on my Ubuntu mobile phone

https://www.gitbook.com/book/gurucubano/bq-aquaris-e-4-5-ubuntu-phone/details

matthias

-- 
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
¡Dios querido denos otra vez los problemas de ayer, los que tuvimos en la RDA!
My Lord, give us back the problems of yesterday, those we have had in the GDR.

From free10pro at gmail.com Fri Apr 29 07:38:24 2016
From: free10pro at gmail.com (Paul R. Ramer) Date: Thu, 28 Apr 2016 22:38:24 -0700 Subject: making a Debian Live CD for managing GnuPG master key and smartcards In-Reply-To: References: <571F1E62.30203@pocock.pro> <571F4E02.1080100@pocock.pro> <571F5D18.30901@pocock.pro> Message-ID: <5722F350.80708@gmail.com>

On 04/26/2016 05:24 AM, Dashamir Hoxha wrote:
> On Tue, Apr 26, 2016 at 2:20 PM, Daniel Pocock wrote:
>> You can use the wiki to link to the Github tasks that are relevant to
>> using epgp in the Live CD, you don't have to copy the details of each
>> task, just link to them
>>
>
> It doesn't seem reasonable to me.

Honestly, what is with this, "It doesn't seem reasonable to me," line? This is the second post in the thread where you have said this. If you want people to react positively to the needs of your project, you might choose not to say things like, "I don't want to...," and, "It doesn't seem reasonable to me." You already know that there seems to be a consensus that your project is not a solution to any problem. [1] You effectively ask for help, and yet when someone tells you how you can make a Debian package, which is an issue on your development website [2], you say that you don't want to do it because it "doesn't seem reasonable."

You can't have it both ways. You are either engaging, communicative, reasonable, and compromising, or you are not. But don't expect anyone to help you when you reject their ideas out of turn.

You asked for help on smartcards recently because you don't have any readers or cards. I am not sure whether your project is useful or not, but I had considered giving you some assistance since I have multiple readers and cards. I might help you out when I had some free time just because you asked for it, I thought. But your inflexible, and sometimes irreverent, attitude has soured my intention.

All right. The rant is over.

-Paul

[1] Not my opinion. It is just based on reading the responses to your project on this list.
[2] https://github.com/dashohoxha/egpg/issues/19

From wk at gnupg.org Fri Apr 29 07:55:55 2016
From: wk at gnupg.org (Werner Koch) Date: Fri, 29 Apr 2016 07:55:55 +0200 Subject: Website usability issue In-Reply-To: <025cee4369d53e75e90a159d0ca56153@wusel.tty1.net> (Thomas Pircher's message of "Thu, 28 Apr 2016 19:58:17 +0100") References: <572081EC.3020700@digitalbrains.com> <572125A8.6090506@nordnet.fr> <87twilh96j.fsf@wheatstone.g10code.de> <025cee4369d53e75e90a159d0ca56153@wusel.tty1.net> Message-ID: <87k2jhez6c.fsf@wheatstone.g10code.de>

On Thu, 28 Apr 2016 20:58, tehpeh-gnupg at tty1.net said:
> ul.sub-menu" selector in your CSS file from 39px to 37px, then the
> problem disappears for me. I'm not a web designer, so I'm not sure

I did that now. Actually we fixed that more than a year ago to close the gap by s/41px/39px/. With the 37px the pull-down overlaps by two pixels, but that should not be a problem. Thanks.

Shalom-Salam,

Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.

From viktordick86 at gmail.com Fri Apr 29 08:30:28 2016
From: viktordick86 at gmail.com (Viktor Dick)
Date: Fri, 29 Apr 2016 08:30:28 +0200
Subject: Top-posting
In-Reply-To: <5722E91F.4040200@gmail.com>
References: <67a964a0-28b3-92f4-e8eb-ab2b4e0c45da@broadcom.com> <571FD4D9.90706@sixdemonbag.org> <87a8kfqswq.fsf@wheatstone.g10code.de> <5720DF47.9040201@sixdemonbag.org> <5720E078.8030005@andrewg.com> <20160427181621.213e21f4@braetac.lighthouse.yetnet> <87r3dqmc6p.fsf@wheatstone.g10code.de> <6e971559dfcb6b8e0f91fca67ba04167@rapunzel.local> <20160428092652.GA3557@c720-r292778-amd64> <5722E91F.4040200@gmail.com>
Message-ID: <68afb13e-75e0-3ea0-5a5b-3394564de5fd@gmail.com>

On 2016-04-29 06:54, Paul R. Ramer wrote:
> Personally, I would rather not have to hit the "Page Down" button
> *every* time I wrote an email (provided I have full-size keyboard). If
> you are always varying from the defaults in a consistent way, then the
> defaults need to be different. Besides, think of the cumulative time
> wasted scrolling or paging down for every email you write. ;-) [1]

In Thunderbird, you can set "start my reply below the quote". You still need to remove everything from the reply that you are not directly responding to.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL:

From ben at adversary.org Fri Apr 29 07:25:10 2016
From: ben at adversary.org (Ben McGinnes)
Date: Fri, 29 Apr 2016 15:25:10 +1000
Subject: Top-posting
In-Reply-To: <20160428092652.GA3557@c720-r292778-amd64>
References: <571FD4D9.90706@sixdemonbag.org> <87a8kfqswq.fsf@wheatstone.g10code.de> <5720DF47.9040201@sixdemonbag.org> <5720E078.8030005@andrewg.com> <20160427181621.213e21f4@braetac.lighthouse.yetnet> <87r3dqmc6p.fsf@wheatstone.g10code.de> <6e971559dfcb6b8e0f91fca67ba04167@rapunzel.local> <20160428092652.GA3557@c720-r292778-amd64>
Message-ID: <20160429052510.GF99693@adversary.org>

On Thu, Apr 28, 2016 at 11:26:52AM +0200, Matthias Apitz wrote:
> On Thursday, April 28, 2016 at 11:02:30AM +0200, Paolo Bolzoni wrote:
>
>> When you follow an email thread you do not read everything, you
>> just read the new email and it makes little difference if it is in
>> the top. Besides most email clients actually put an indentation in
>> the quoted text so it should look like:

I'd say this varies according to the thread and how much one cares to follow the whole thing. For example the "top-posters vs. the rest of the world" debate just never seems to die so I just skimmed it this time.

> I have the feeling (and even could prove this with examples) that
> top posters do not even read about what they are posting on top
> of. They just want to say something, sometimes useless, because it
> is already said/answered a few lines down).

That seems to be more prevalent amongst M$ Outhouse users.

> Speaking more technically, the problem is that 'modern' MUA, like
> OutLook crap, thunderbird or other browser-like MUA do not invite to
> post and quote correctly.

Thunderbird does, but it also has other problems.

> They put the cursor above the first line (sometimes you can not even
> configure this, and also not the correct citation with '> ') and
> they do not provide the required tools/commands to trim the old
> text, i.e. for example delete 150 lines with just saying '150dd' or
> '.,$-20d' or others. In these 'modern' MUA you must carefully place
> the cursor with the mouse, highlight even more carefully the text
> you want to delete, and doing this with the limitation of a
> smartphone is really a PITA.

I don't have an answer for all smartphone and tablet users (other than the sensible ones who will SSH from their phone into another system and use Mutt or some other CLI MUA), but for the iPhone and iPad users I did find this solution from John Gruber (the guy who invented Markdown):

http://daringfireball.net/2007/07/non_top_posting_scripts

> That's why I do prefer 'mutt' and 'vim'.

Or Mutt and Emacs. ;)

Regards,
Ben

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 630 bytes
Desc: not available
URL:

From free10pro at gmail.com Fri Apr 29 09:03:36 2016
From: free10pro at gmail.com (Paul R. Ramer)
Date: Fri, 29 Apr 2016 00:03:36 -0700
Subject: Top-posting
In-Reply-To: <68afb13e-75e0-3ea0-5a5b-3394564de5fd@gmail.com>
References: <67a964a0-28b3-92f4-e8eb-ab2b4e0c45da@broadcom.com> <571FD4D9.90706@sixdemonbag.org> <87a8kfqswq.fsf@wheatstone.g10code.de> <5720DF47.9040201@sixdemonbag.org> <5720E078.8030005@andrewg.com> <20160427181621.213e21f4@braetac.lighthouse.yetnet> <87r3dqmc6p.fsf@wheatstone.g10code.de> <6e971559dfcb6b8e0f91fca67ba04167@rapunzel.local> <20160428092652.GA3557@c720-r292778-amd64> <5722E91F.4040200@gmail.com> <68afb13e-75e0-3ea0-5a5b-3394564de5fd@gmail.com>
Message-ID: <57230748.70001@gmail.com>

On 04/28/2016 11:30 PM, Viktor Dick wrote:
> On 2016-04-29 06:54, Paul R. Ramer wrote:
>> Personally, I would rather not have to hit the "Page Down" button
>> *every* time I wrote an email (provided I have full-size keyboard). If
>> you are always varying from the defaults in a consistent way, then the
>> defaults need to be different. Besides, think of the cumulative time
>> wasted scrolling or paging down for every email you write. ;-) [1]
>
> In Thunderbird, you can set "start my reply below the quote". You still
> need to remove everything from the reply that you are not directly
> responding to.

I know. I use Thunderbird with this option set. My comment was more about the idea of always having to correct for a program's defaults rather than using better defaults. :-)

Cheers,

-Paul

From 2014-667rhzu3dc-lists-groups at riseup.net Fri Apr 29 12:30:53 2016
From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA)
Date: Fri, 29 Apr 2016 11:30:53 +0100
Subject: Top-posting
In-Reply-To:
References: <571F1E62.30203@pocock.pro> <571F51DA.8060809@digitalbrains.com> <67a964a0-28b3-92f4-e8eb-ab2b4e0c45da@broadcom.com> <571FD4D9.90706@sixdemonbag.org> <87a8kfqswq.fsf@wheatstone.g10code.de> <5720DF47.9040201@sixdemonbag.org> <5720E078.8030005@andrewg.com> <20160427181621.213e21f4@braetac.lighthouse.yetnet> <87r3dqmc6p.fsf@wheatstone.g10code.de> <6e971559dfcb6b8e0f91fca67ba04167@rapunzel.local>
Message-ID: <1279683401.20160429113053@riseup.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Thursday 28 April 2016 at 10:02:30 AM, in , Paolo Bolzoni wrote:

> When you follow an email thread you do not read
> everything, you just
> read the new email and it makes little difference if
> it is in the top.

Sometimes it makes a great deal of difference. Emails on mailing lists often arrive out of sequence, and some mailing list members may auto-delete messages from certain other members. The person reading your posting may not have seen the message that is being answered. Even if they have seen it, it may not be clear to which part of the message a top-posted comment refers. Bottom-posting is just as bad in this respect.

> However, I agree there is no need to keep clutter
> in the bottom of emails.

Judicious quoting and inline quoting automatically precludes this.

> So while I still don't see the big deal with
> top-posting.

For a list or organisation where top-posting is the norm, top-posting works despite its inefficiency. In fact, in such situations any other way of replying is liable to confuse. Where it is not the norm, it is confusing. It is a bit like driving on the wrong side of the road: either side is fine, as long as people do not try to mix them in the same location.

> I agree that
> is much better (A) to trim and answers to single
> points or (B) simply
> make a clean email.

Please not (B), or it will appear as a new thread. (Unless you meant reply to the previous message without quoting from it.)

- --
Best regards

MFPA

Keep them dry and don't feed them after midnight
-----BEGIN PGP SIGNATURE-----

iQF8BAEBCgBmBQJXIzfdXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2
QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXw5ogH/idg/fG6KQ5SVvaLYjcAIUC3
B7sFYOkpqNflq4eZ81JsZThfeYhn1vuGhhI/un3khaWKQ10azOmfwNRJCTlwoQBZ
wSny+QYbLbsU3ZDt3VYPXTlhLb2aM6yrLRodmREhVuEMD9u8SK9DQmWegf+Q6BMa
Vp62SbkbZwy+twsslHRy8XNIHFWJ4cBJvB7g01UR66G6nx2oBnxZGjCq9kFiUYu7
RI72UK2OUCzmf031KMppzUw/CPPcGzRsZ4vNkV266PfSboJlsZB68M5qaCnHTIlz
UyTfTx6dgW4PIMXV1/6ajRni5CfK9Bd8TDx9DXTm2NqdRu+kkOuckV2jkqS8xvGI
vgQBFgoAZgUCVyM33V8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx
MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45F24AQCmn8Ur/JphfzdzaGFE+R4hw47K
q6cHfK9cf13C1ZdzMAEA9/khkk4CSHnVGGw398b4otYe2LKCuTLSEE4Xp3GpjQY=
=czj/
-----END PGP SIGNATURE-----

From g1363333 at icloud.com Fri Apr 29 11:44:00 2016
From: g1363333 at icloud.com (=?GB2312?B?ufnQobfG?=)
Date: Fri, 29 Apr 2016 17:44:00 +0800
Subject: [Announce] GnuPG 2.0.29 released
Message-ID:

???? iPhone

From 2014-667rhzu3dc-lists-groups at riseup.net Fri Apr 29 12:52:47 2016
From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA)
Date: Fri, 29 Apr 2016 11:52:47 +0100
Subject: Top-posting
In-Reply-To: <20160428173850.GA3299@c720-r292778-amd64>
References: <87a8kfqswq.fsf@wheatstone.g10code.de> <5720DF47.9040201@sixdemonbag.org> <5720E078.8030005@andrewg.com> <20160427181621.213e21f4@braetac.lighthouse.yetnet> <87r3dqmc6p.fsf@wheatstone.g10code.de> <6e971559dfcb6b8e0f91fca67ba04167@rapunzel.local> <20160428092652.GA3557@c720-r292778-amd64> <20160428173850.GA3299@c720-r292778-amd64>
Message-ID: <559903458.20160429115247@riseup.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Thursday 28 April 2016 at 6:38:50 PM, in , Matthias Apitz wrote:

> Someone put on top of some mails a question which
> has nothing to do with
> the problems the other posters have faced.

I sometimes see people try to hijack threads without top-posting. I spent a few minutes trying to find examples, but could not come up with good-enough search terms.

- --
Best regards

MFPA

No man ever listened himself out of a job
-----BEGIN PGP SIGNATURE-----

iQF8BAEBCgBmBQJXIz0CXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2
QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXw9Y8H/1TC0B8ZP0MHpfYm34WFvxPy
4VenDBJ3DNbkFKDkmARExqZ2UDGkueuF1ng/wHwE6mi3kR6eHsLUhfNzjrTNEEun
hhMAYOztUUU4/iBEeNazohdGAmQeQE6nf+0mT2M/On8t5gP5VfsAQo2a9FQE2+eK
IpP5Dc9JGK1g8OpwchEyyHFX8EZygzvUHWFr7t0iqHohnxVi+ig5xtP9Evm+SOkS
F5vsFUH7ZuUSm8P9tub2/eokN6ITGIpuZeGFOoYHlB7Xkarc6vjg4lb+y5j56YVV
DeAchmckEeVzmuWD55IzGaEUq/W3Q7I4loft2uMuHfnZoa0p4xUioxI9i95qhF6I
vgQBFgoAZgUCVyM9DV8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx
MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45MItAP4+e7TnlTkKrCBoYs7c+2Qwwzah
cjenOBwvnGTF9t5YYAD9FzApH0ur8YuS5Ym6PoLeM9J1R/Lwi+J5tWDvbtqxVAk=
=EKv/
-----END PGP SIGNATURE-----

From guanx.bac at gmail.com Fri Apr 29 16:35:40 2016
From: guanx.bac at gmail.com (Guan Xin)
Date: Fri, 29 Apr 2016 16:35:40 +0200
Subject: Top-posting
In-Reply-To: <20160428173850.GA3299@c720-r292778-amd64>
References: <87a8kfqswq.fsf@wheatstone.g10code.de> <5720DF47.9040201@sixdemonbag.org> <5720E078.8030005@andrewg.com> <20160427181621.213e21f4@braetac.lighthouse.yetnet> <87r3dqmc6p.fsf@wheatstone.g10code.de> <6e971559dfcb6b8e0f91fca67ba04167@rapunzel.local> <20160428092652.GA3557@c720-r292778-amd64> <20160428173850.GA3299@c720-r292778-amd64>
Message-ID:

This post is just another example to show that your feeling is wrong because I read your example of hijacked thread. Now you need one more example to show top posters not reading before replying.

BTW, it is common sense that the Ubuntu community is a mess, and has nothing to do with top or bottom or front or rear posting.

On Thu, Apr 28, 2016 at 7:38 PM, Matthias Apitz wrote:

> On Thursday, April 28, 2016 at 02:28:56PM +0200, Guan Xin wrote:
>
> > Your feeling is basically wrong.
>
> Here comes the proving example you asked for:
>
> https://lists.launchpad.net/ubuntu-phone/msg20309.html
>
> Someone put on top of some mails a question which has nothing to do with
> the problems the other posters have faced.
>
> HIH
>
> matthias
> --
> Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/
> +49-176-38902045
> ¡Dios querido denos otra vez los problemas de ayer, los que tuvimos en la
> RDA!
> My Lord, give us back the problems of yesterday, those we have had in the
> GDR.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From guru at unixarea.de Fri Apr 29 17:09:52 2016
From: guru at unixarea.de (Matthias Apitz)
Date: Fri, 29 Apr 2016 17:09:52 +0200
Subject: Top-posting
In-Reply-To:
References: <5720DF47.9040201@sixdemonbag.org> <5720E078.8030005@andrewg.com> <20160427181621.213e21f4@braetac.lighthouse.yetnet> <87r3dqmc6p.fsf@wheatstone.g10code.de> <6e971559dfcb6b8e0f91fca67ba04167@rapunzel.local> <20160428092652.GA3557@c720-r292778-amd64> <20160428173850.GA3299@c720-r292778-amd64>
Message-ID: <20160429150952.GA2884@c720-r292778-amd64>

On Friday, April 29, 2016 at 04:35:40PM +0200, Guan Xin wrote:

> This post is just another example to show that your feeling is wrong
> because I read your example of hijacked thread.
> Now you need one more example to show top posters not reading before
> replying.

You may look for more examples yourself, just open your eyes and you will find them any day.

matthias

--
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
¡Dios querido denos otra vez los problemas de ayer, los que tuvimos en la RDA!
My Lord, give us back the problems of yesterday, those we have had in the GDR.

From michael at englehorn.com Fri Apr 29 17:00:04 2016
From: michael at englehorn.com (Michael Englehorn)
Date: Fri, 29 Apr 2016 10:00:04 -0500
Subject: Top-posting
In-Reply-To:
References: <5720DF47.9040201@sixdemonbag.org> <5720E078.8030005@andrewg.com> <20160427181621.213e21f4@braetac.lighthouse.yetnet> <87r3dqmc6p.fsf@wheatstone.g10code.de> <6e971559dfcb6b8e0f91fca67ba04167@rapunzel.local> <20160428092652.GA3557@c720-r292778-amd64> <20160428173850.GA3299@c720-r292778-amd64>
Message-ID: <20160429150004.GA7066@englehorn.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> This post is just another example to show that your feeling is wrong
> because I read your example of hijacked thread.
> Now you need one more example to show top posters not reading before
> replying.
>
> BTW, It is common sense that the Ubuntu community is a mess, and has
> nothing to do with top or bottom or front or rear posting.

Perhaps there should be an off-topic mailing list for all this stuff, rather than cluttering up a perfectly usable gnupg mailing list.

- ---
Michael J. Englehorn
GPG Key Signing Policy: https://michael.englehorn.com/gpg/policy.txt
GPG Fingerprint: CC10 C6F7 517C C64C FC4B A9D9 7502 F475 E7B6 CCB9
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQGcBAEBAgAGBQJXI3bxAAoJELNu/GFpZKOz/MIL/3dCq7WwdQNfy/4pldJKo8ke
BAGNFKynJAUzcuS/91x1voO8xgrWgT4XXe6BtasWme1rn4rB6LeK0EvCi0mryFr+
HsQToa0i98Du3z9pe0QbHbBEquokWBAHNrOZOvVG0z/iTQE4IV1JwzjWWKLs6w1A
pvBZnkR+VneFLCyTFIDlgpN6gvVCSg/eiVyj/oAyz2Rlha7BHNTKSV75rLMyvWfV
2/xw4kGSZeFK/4b2W5Z6kOA+vj+BBQOse8Bs/HlVVoHXGI9Ffs9ZssWMhHcRBdZ8
p9rrwClu1KPsKnElGoVOL8eAnLZZepLpI6yrQtBUkIwGMOY+TrkVeQ4fp9RFlsS2
siVAOaUQH/29wcbJ+vYR8r+Gdbr3/w95pzN01UYTIjhwwYncdoLaFQVsm38lIe7I
7G48pgGqsDMO3OyNS5F5qwtKiMfX80HaibxPuIh+27vLGQiDf5ReyRkTMj6lbaYB
et+P8UOtiOcO5U7h9DuscRV/IZSv78BaiPuWPIYuXg==
=VNaU
-----END PGP SIGNATURE-----

From jhs at berklix.com Fri Apr 29 19:41:01 2016
From: jhs at berklix.com (Julian H. Stacey)
Date: Fri, 29 Apr 2016 19:41:01 +0200
Subject: Top-posting
In-Reply-To: Your message "Fri, 29 Apr 2016 16:35:40 +0200."
Message-ID: <201604291741.u3THf14T093781@fire.js.berklix.net>

> From: Guan Xin
> This post is just another example to show that your feeling is wrong

"avoid top posting" is mandated by list remit
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Abusers should be forcibly un-subscribed, to save multiple subscribers wasting time extending personal discard filters.

Cheers,
Julian
--
Julian Stacey, BSD Linux Unix Sys Eng Consultant Munich http://berklix.eu/jhs/
Mail plain text, No quoted-printable, HTML, base64, MS.doc.
Prefix old lines '> ' Reply below old, like play script. Break lines by 80.
Lie to companies extorting personal data: Prevent abuse, loss & ID theft.

From wk at gnupg.org Fri Apr 29 21:00:15 2016
From: wk at gnupg.org (Werner Koch)
Date: Fri, 29 Apr 2016 21:00:15 +0200
Subject: Top-posting
In-Reply-To: <201604291741.u3THf14T093781@fire.js.berklix.net> (Julian H. Stacey's message of "Fri, 29 Apr 2016 19:41:01 +0200")
References: <201604291741.u3THf14T093781@fire.js.berklix.net>
Message-ID: <87a8kcdyv4.fsf@wheatstone.g10code.de>

On Fri, 29 Apr 2016 19:41, jhs at berklix.com said:

> Abusers should be forcibly un-subscribed, to save multiple subscribers
> wasting time extending personal discard filters.

I tend to agree, but: In the 17 years we have run this list, we fortunately had only very few cases where we had to take such kind of harsh measures. I hope we can continue in this way.

To make the posting rules better visible, I have put an around the "avoid top-posting ..." on the list's main page.

Now let's close the thread so we can paint something else.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From guanx.bac at gmail.com Sat Apr 30 01:24:23 2016
From: guanx.bac at gmail.com (Guan Xin)
Date: Sat, 30 Apr 2016 01:24:23 +0200
Subject: Top-posting
In-Reply-To: <20160429150952.GA2884@c720-r292778-amd64>
References: <5720DF47.9040201@sixdemonbag.org> <5720E078.8030005@andrewg.com> <20160427181621.213e21f4@braetac.lighthouse.yetnet> <87r3dqmc6p.fsf@wheatstone.g10code.de> <6e971559dfcb6b8e0f91fca67ba04167@rapunzel.local> <20160428092652.GA3557@c720-r292778-amd64> <20160428173850.GA3299@c720-r292778-amd64> <20160429150952.GA2884@c720-r292778-amd64>
Message-ID:

Matthias,

Just remember that it is you, and not the one who questioned you, who needs to look for stuff to support yourself.

A mailing list may recommend bottom posting, and users had better follow it. This is perfectly fine. However, arbitrarily concluding that top posters don't read what s/he's replying to is absurd and insulting, which is definitely worse than not following the top posting rule of the mailing list.

This is my concluding remark of this thread.

Guan

On Fri, Apr 29, 2016 at 5:09 PM, Matthias Apitz wrote:

> On Friday, April 29, 2016 at 04:35:40PM +0200, Guan Xin wrote:
>
> > This post is just another example to show that your feeling is wrong
> > because I read your example of hijacked thread.
> > Now you need one more example to show top posters not reading before
> > replying.
>
> You may look for more examples yourself, just open your eyes and you
> will find them any day.
>
> matthias
>
> --
> Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/
> +49-176-38902045
> ¡Dios querido denos otra vez los problemas de ayer, los que tuvimos en la
> RDA!
> My Lord, give us back the problems of yesterday, those we have had in the
> GDR.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From guru at unixarea.de Sat Apr 30 11:16:13 2016
From: guru at unixarea.de (Matthias Apitz)
Date: Sat, 30 Apr 2016 11:16:13 +0200
Subject: Top-posting
In-Reply-To:
References: <20160427181621.213e21f4@braetac.lighthouse.yetnet> <87r3dqmc6p.fsf@wheatstone.g10code.de> <6e971559dfcb6b8e0f91fca67ba04167@rapunzel.local> <20160428092652.GA3557@c720-r292778-amd64> <20160428173850.GA3299@c720-r292778-amd64> <20160429150952.GA2884@c720-r292778-amd64>
Message-ID: <20160430091613.GA1854@c720-r292778-amd64>

On Saturday, April 30, 2016 at 01:24:23AM +0200, Guan Xin wrote:

> A mailing list may recommend bottom posting, and users had better follow it.
> This is perfectly fine.

Fine, that we agree on something. If you sign some contract, you do it below the text after reading it, and your signature *below* is expression of "yes I have read it". If you sign (post above) someone could think he/she has not read it. To avoid such thinking, it's better to not top post.

> ...
> This is my concluding remark of this thread.

Mine too.

matthias

--
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
¡Dios querido denos otra vez los problemas de ayer, los que tuvimos en la RDA!
My Lord, give us back the problems of yesterday, those we have had in the GDR.

From jhs at berklix.com Sat Apr 30 14:03:32 2016
From: jhs at berklix.com (Julian H. Stacey)
Date: Sat, 30 Apr 2016 14:03:32 +0200
Subject: Top-posting
In-Reply-To: Your message "Sat, 30 Apr 2016 01:24:23 +0200."
Message-ID: <201604301203.u3UC3W27055916@fire.js.berklix.net>

Guan Xin top posted again Sat, 30 Apr 2016 01:24:23 +0200 so my ~/.procmailrc snippet:

:0 Hw
* ^Sender: \"Gnupg-users\" \
{
    :0 H
    * ^From Guan Xin
    /dev/null

    :0 wc
    | $RCVSTORE +list/busy/gnupg-users

    :0 w
    # - $PUB_MAIL_LIST/gnupg-users/.
}

Cheers,
Julian
--
Julian Stacey, BSD Linux Unix Sys Eng Consultant Munich http://berklix.eu/jhs/
Mail plain text, No quoted-printable, HTML, base64, MS.doc.
Prefix old lines '> ' Reply below old, like play script. Break lines by 80.
Lie to companies extorting personal data: Prevent abuse, loss & ID theft.

From peter at digitalbrains.com Sat Apr 30 15:45:45 2016
From: peter at digitalbrains.com (Peter Lebbing)
Date: Sat, 30 Apr 2016 15:45:45 +0200
Subject: gpg and smartcard on ubuntu 16.04
In-Reply-To: <20160430132640.GA6976@kaosu>
References: <1461790938.5458.19.camel@gmail.com> <572157F4.3030605@fsij.org> <5721E9E0.4050907@digitalbrains.com> <20160430132640.GA6976@kaosu>
Message-ID: <5724B709.5080409@digitalbrains.com>

On 30/04/16 15:26, guido wrote:
> Yes, In 2.1 you are not supposed to start the gpg-agent on login, it
> starts automatically on demand. If you start it like in <2.0 you will
> not be able to connect to it.

Purely out of interest, what is it that goes wrong? Is it that the correct command-line arguments are missing? If it is autostarted by gpg-connect-agent, it has the form

gpg-agent --homedir /home/peter/.gnupg --use-standard-socket --daemon

which is not what is in /etc/X11/Xsession.d/90gnupg-agent.

> But ssh needs that

I know, which is why I added the gpg-connect-agent call in my version of the script.

>> Perhaps you could just add the gpg-connect-agent call to the
>> if-ssh-support conditional, and it would be purrfect. I will try
>> that now and see if everything stays peachy.
>
> At least in debian's default version, that is already in
> /etc/X11/XSession.d/90gpg-agent. But I kind of think that's
> responsibility of the package maintainer and not gnupg upstream.

I don't understand what you mean. I just checked on the latest unstable version of gnupg-agent, and that version starts the agent explicitly, with the argument "--daemon". This is the variant that caused issues for me. I start the agent by "gpg-connect-agent /bye".

For reference, I attach the script as it is by default in Debian.

Cheers,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at
-------------- next part --------------
: ${GNUPGHOME=$HOME/.gnupg}
GPGAGENT=/usr/bin/gpg-agent

if grep -qs '^[[:space:]]*use-agent' "$GNUPGHOME/gpg.conf" "$GNUPGHOME/options" && test -x $GPGAGENT; then
  # Invoking gpg-agent with no arguments exits successfully if the agent
  # is already running on the standard socket
  if ! $GPGAGENT 2>/dev/null; then
    "$GPGAGENT" --daemon
  fi
  GPG_AGENT_INFO="${GNUPGHOME}/S.gpg-agent:0:1"
  export GPG_AGENT_INFO

  if grep -qs '^[[:space:]]*enable-ssh-support' "${GNUPGHOME}/gpg-agent.conf"; then
    SSH_AUTH_SOCK="${GNUPGHOME}/S.gpg-agent.ssh"
    export SSH_AUTH_SOCK
  fi
fi

From guido at dis.tur.bio Sat Apr 30 15:29:43 2016
From: guido at dis.tur.bio (guido)
Date: Sat, 30 Apr 2016 10:29:43 -0300
Subject: gpg and smartcard on ubuntu 16.04
In-Reply-To: <572157F4.3030605@fsij.org>
References: <1461790938.5458.19.camel@gmail.com> <572157F4.3030605@fsij.org>
Message-ID: <20160430132943.GB6976@kaosu>

On 28/04/2016, NIIBE Yutaka wrote:
> On 04/28/2016 06:02 AM, Richard Ulrich wrote:
> >I use the stock versions from the ubuntu 16.04 repository:
> >gnupg 1.4.20-1ubuntu3
> >gnupg2 2.1.11-6ubuntu2
> >gnupg-agent 2.1.11-6ubuntu2
> >scdaemon 2.1.11-6ubuntu2
>
> Good, Ubuntu has GnuPG 2.1 (eventually, gpg will be GnuPG 2.1). Out
> of curiosity, does it have libgcrypt 1.7.0?

Hi,

No, 16.04's libgcrypt20 is 0.6.5 :(
It was the first thing I asked my friend to check

> >Now if I want to decrypt a file:
> >
> >gpg -d Dokumente/somefile.txt.gpg
> >gpg: Anonymer Empfänger; Versuch mit geheimem Schlüssel 0AAAAAAA ...
> >gpg: pcsc_list_readers failed: unknown PC/SC error code (0x8010002e)
> >gpg: Kartenleser ist nicht vorhanden
> >
> >gpg --use-agent -d Dokumente/somefile.txt.gpg
> >gpg: Anonymer Empfänger;
> >Versuch mit geheimem Schlüssel 0AAAAAAA ...
> >gpg: pcsc_list_readers failed:
> >unknown PC/SC error code (0x8010002e)
> >gpg: Kartenleser ist nicht
> >vorhanden
>
> I think that this is the issue of GPG_AGENT_INFO variable, which was
> used before 2.1.
>
> How about set those environment variables, like?
>
> export GPG_AGENT_INFO=$HOME/.gnupg/S.gpg-agent:0:1
> export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh
>
> After setting those variables, does gpg work correctly?
>
> In my environment of Debian, those variables are set by:
> /etc/X11/Xsession.d/90gpg-agent
> --
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL:

From guido at dis.tur.bio Sat Apr 30 15:26:40 2016
From: guido at dis.tur.bio (guido)
Date: Sat, 30 Apr 2016 10:26:40 -0300
Subject: gpg and smartcard on ubuntu 16.04
In-Reply-To: <5721E9E0.4050907@digitalbrains.com>
References: <1461790938.5458.19.camel@gmail.com> <572157F4.3030605@fsij.org> <5721E9E0.4050907@digitalbrains.com>
Message-ID: <20160430132640.GA6976@kaosu>

On 28/04/2016, Peter Lebbing wrote:
> On 28/04/16 02:23, NIIBE Yutaka wrote:
> > In my environment of Debian, those variables are set by:
> > /etc/X11/Xsession.d/90gpg-agent
>
> After I installed GnuPG 2.1 on my Debian Jessie (which doesn't have 2.1
> itself), I encountered annoying issues. I also use smartcards, for SSH
> auth as well. I got it to run much smoother by editing this file to be
> the attached file. It did have a gotcha: if there isn't an agent
> running, you have to do something like:
>
> $ gpg-connect-agent /bye
>
> before you can do SSH auth. Note that the agent survives a logout/login.
>
> I got the impression that the explicit starting of the daemon in the
> startup script somehow messed something up. But I had some trouble
> pinning down the exact problem, and since it now works in a way that
> works for me, I left it at this.

Yes, in 2.1 you are not supposed to start the gpg-agent on login, it starts automatically on demand. If you start it like in <2.0 you will not be able to connect to it. But ssh needs that, that is documented here
https://www.gnupg.org/documentation/manuals/gnupg/Invoking-GPG_002dAGENT.html#Invoking-GPG_002dAGENT

> Perhaps you could just add the gpg-connect-agent call to the
> if-ssh-support conditional, and it would be purrfect. I will try that
> now and see if everything stays peachy.

At least in debian's default version, that is already in /etc/X11/XSession.d/90gpg-agent. But I kind of think that's responsibility of the package maintainer and not gnupg upstream.

Salud,
g.

> HTH,
>
> Peter.
>
> --
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at
> : ${GNUPGHOME=$HOME/.gnupg}
>
> if grep -qs '^[[:space:]]*enable-ssh-support' "${GNUPGHOME}/gpg-agent.conf"; then
>   SSH_AUTH_SOCK="${GNUPGHOME}/S.gpg-agent.ssh"
>   export SSH_AUTH_SOCK
> fi
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL:
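The "gpg and smartcard on ubuntu 16.04" exchange above turns on one point: the Debian 90gpg-agent hook starts the agent with an explicit "--daemon" (the variant that broke things for Peter), while on GnuPG 2.1 the agent is meant to be started on demand by "gpg-connect-agent /bye", which the SSH-support case still needs because ssh itself cannot trigger the autostart. The fragment below is an added example, not the Debian package's script and not Peter's attached variant: a login-hook that keeps the enable-ssh-support check and SSH_AUTH_SOCK export from the quoted script but replaces the "--daemon" start with the on-demand call, and drops GPG_AGENT_INFO, which the standard-socket agent no longer needs. It assumes, like the script quoted above for 2.1.11, that the sockets live in $GNUPGHOME; GPG_AGENT_EXAMPLE_RUN is a made-up guard variable so that sourcing the file (for example to test the functions) never touches a real agent.

```shell
#!/bin/sh
# Added example: a GnuPG 2.1 login-hook fragment that never passes --daemon
# itself. Not the Debian 90gpg-agent script; it only reuses its config checks.
#
# Assumption (as in the thread's script for 2.1.11): sockets are created in
# $GNUPGHOME. Later releases keep them in a runtime directory instead; there
# "gpgconf --list-dirs" is the way to ask for the path rather than building it.
# GPG_AGENT_EXAMPLE_RUN is a hypothetical guard so that sourcing this file
# (e.g. for tests) does not start or contact an agent.

: "${GNUPGHOME:=$HOME/.gnupg}"

# Return 0 when option $1 is enabled in one of the files $2...: the option
# must start a line (leading blanks allowed) and be a whole word, so a
# commented-out "# enable-ssh-support" or a longer option name does not count.
# -s keeps grep quiet about files that do not exist (grep then returns 1).
conf_has_option() {
    opt=$1
    shift
    grep -Eqs "^[[:space:]]*${opt}([[:space:]]|\$)" "$@"
}

# Print the SSH agent socket path for GnuPG home $1 when enable-ssh-support
# is set in its gpg-agent.conf; print nothing otherwise. This only reads
# files, so it can be exercised without an agent on the machine.
ssh_socket_for() {
    home=$1
    if conf_has_option enable-ssh-support "$home/gpg-agent.conf"; then
        printf '%s\n' "$home/S.gpg-agent.ssh"
    fi
}

# Start the agent the 2.1 way: gpg-connect-agent launches it with the
# arguments it expects if it is not running, and is a no-op if it is.
# Returns 1 when gpg-connect-agent is not installed at all.
start_agent_on_demand() {
    command -v gpg-connect-agent >/dev/null 2>&1 || return 1
    gpg-connect-agent /bye >/dev/null 2>&1
}

# Login-hook body. Unlike the quoted script it neither runs "gpg-agent
# --daemon" nor exports GPG_AGENT_INFO; the SSH socket is the only thing a
# 2.1 session still has to know about, and only when SSH support is enabled.
if [ "${GPG_AGENT_EXAMPLE_RUN:-0}" = 1 ]; then
    sock=$(ssh_socket_for "$GNUPGHOME")
    if [ -n "$sock" ]; then
        start_agent_on_demand || echo "gpg-connect-agent not found; SSH via gpg-agent unavailable" >&2
        SSH_AUTH_SOCK=$sock
        export SSH_AUTH_SOCK
    fi
fi
```

Dropped into a session startup file and run with GPG_AGENT_EXAMPLE_RUN=1, this exports SSH_AUTH_SOCK only when gpg-agent.conf really enables SSH support, and brings the agent up through gpg-connect-agent so that the arguments Peter saw in the autostarted form ("--homedir ... --use-standard-socket --daemon") are chosen by GnuPG rather than by the hook. The whole-word match in conf_has_option is the one deliberate difference from the original grep: the original pattern would also accept a line that merely begins with the option name.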