From passionate_programmer at hotmail.com Sat Oct 1 06:10:03 2016 From: passionate_programmer at hotmail.com (Rohit P) Date: Sat, 1 Oct 2016 04:10:03 +0000 Subject: Why GnuPG encrypted file has no icon? Message-ID: When you encrypt multiple files in a folder, GnuPG encrypted files have no icon. It is difficult to immediately identify which are the encrypted files. Any specific reason why encrypted files have no icon? ............... RP -------------- next part -------------- An HTML attachment was scrubbed... URL: From passionate_programmer at hotmail.com Sat Oct 1 08:47:39 2016 From: passionate_programmer at hotmail.com (Rohit P) Date: Sat, 1 Oct 2016 06:47:39 +0000 Subject: Why GnuPG encrypted file has no icon? In-Reply-To: <18B48D6B-CDB4-4BF8-9B0A-6070271781E2@gmail.com> References: , <18B48D6B-CDB4-4BF8-9B0A-6070271781E2@gmail.com> Message-ID: I am using Windows 7. Icons are there on all files. What I actually meant is when a file is encrypted with GnuPG, the resultant .pgp file has no icon. ________________________________ From: Paul R. Ramer Sent: Saturday, October 1, 2016 11:17:54 AM To: Rohit P Subject: Re: Why GnuPG encrypted file has no icon? On September 30, 2016 9:10:03 PM PDT, Rohit P wrote: >When you encrypt multiple files in a folder, GnuPG encrypted files have >no icon. It is difficult to immediately identify which are the >encrypted files. > > >Any specific reason why encrypted files have no icon? I don't know which operating system you are using here, but icons are usually set for files that have known data types or file extensions. It has to do with your operating system or desktop environment not GnuPG. Apparently your operating system (probably Windows) does not have icons assigned for these types of files. Hope that is helpful. -Paul -------------- next part -------------- An HTML attachment was scrubbed... URL: From 2014-667rhzu3dc-lists-groups at riseup.net Sat Oct 1 14:10:36 2016 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Sat, 1 Oct 2016 13:10:36 +0100 Subject: Why GnuPG encrypted file has no icon? In-Reply-To: References: , <18B48D6B-CDB4-4BF8-9B0A-6070271781E2@gmail.com> Message-ID: <151447885.20161001131036@riseup.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Saturday 1 October 2016 at 7:47:39 AM, in , Rohit P wrote:- > I am using Windows 7. Icons are there on all files. What I actually > meant is when a file is encrypted with GnuPG, the resultant .pgp file > has no icon. If Windows has an application associated with the file extension, the file will be shown with that application's icon. And double-clicking the file will cause that application to perform a default action on that file, for example double-clicking a .txt file on a Windows machine will usually open the file using Notepad. You could try right-clicking one of your .gpg files and selecting "open with", keeping the "always use this app" box ticked, click "more apps", and select GnuPG. (It might show as "GnuPG's OpenPGP Tool".) Not sure why you get .pgp files; I get .asc. - -- Best regards MFPA Lotto: A tax on people who are bad at statistics! -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJX76e+XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2 QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwPjQIAIf131Iczm1T00j/cvuVSECT G/J5fMSWWgvfKau+2X6RpfVjgDpy9MMFhM4vf0AwhIoDwyYdlZ2srZ+r4iLJPkoW gjNQwI1lAG2K795TiVBrs3GrwV2OLnoCMaCdPa5jFUwkW5P0JRFMrj+9d/oFWiqh /72PWP2PkD81P7HgXy/86FrLBZ/lwPU1Ocx/Ew+2Gooj3vYSTEARYk/NnMTAqcwO SOo2t6yFUDEF7hTnMTVeAIA7f7neb5fOhTEVVZf1k+h3WFsEtcS0u2NkbDk0wVwt x4daONNQonBgQdbxKVScuqBqJI/ZEG6QcYQx+8qE8Q6GXwhKMD6sRDv6zly9LOiI vgQBFgoAZgUCV++nvl8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45JfkAQCgCV+0Hst3ykF6q0uYGJQsp2Eu cv+DKvX4yb37duVzHQEAy2KF9EFSvtJxqk4QblE7P7x8hGpVSJtakVO3CHC44QI= =awAg -----END PGP SIGNATURE----- --- This email has been checked for viruses by Avast antivirus software. https://www.avast.com/antivirus From 2014-667rhzu3dc-lists-groups at riseup.net Sat Oct 1 19:44:42 2016 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Sat, 1 Oct 2016 18:44:42 +0100 Subject: Why GnuPG encrypted file has no icon? In-Reply-To: References: , <18B48D6B-CDB4-4BF8-9B0A-6070271781E2@gmail.com> , <151447885.20161001131036@riseup.net> Message-ID: <85753419.20161001184442@riseup.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Saturday 1 October 2016 at 6:23:17 PM, in , Rohit P wrote:- > I guess .asc extension is only when you select "ASCII Armor" option. > If you don't select this option it is .pgp. I just tested and that's right. I always use -ear, so always get the .asc extension appended. > I tried "Open With", but don't know which .exe to select to associate > .pgp extension. Probably gpg.exe. Try without the "always use this app" box ticked if you are unsure. - -- Best regards MFPA The greatest of faults is to be conscious of none. -----BEGIN PGP SIGNATURE----- iL4EARYKAGYFAlfv9gxfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldDMzQUNFRDRFRTkxMzRFRUJERTZBODUwNjE3 MTJCQzQ2MUFGNzc4RTQACgkQFxK8Rhr3eOT4EwEAr+INRodzIKMq2H7/jY7jniAw 1GfZ1PIphdRxV/y6Y8QBAOeZUO9WpS1/H37LwDfSQm+dRIUav+OIvk93IzzWntcJ iQF8BAEBCgBmBQJX7/YMXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2 QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwOwEIAJ9H7Jr1Ns8Q0RpQHt0MoO0i Nk2WujtspaUFJFqRqOB9dKCEkGx9DiZqvaPPHzeoFugvz5ou+GjYn3Drhs2PM+v0 yj+WONS8effurnaTd7yUTkIKd9UhH9jiCj6ThMZFsgKONMWG9SbFAqNS/AJq8hi4 uzwhV9cWRoX0i+5rFH0foMu3tuidP/zn+Lv9Z1bZQDpUpie+kWmcNu74z3Y/bwEK zxOljnh3DpCLiB8+ET7lu6pkbzmVaArZe4R+R3Yo+qqh6jhXZsUM4u6tMO3hgIR9 IKwTCjllSrQAx8AKWOAAvb54BETevq8JjFsr3ZUYhVNv8PsUVn7+efxVhxCKcxg= =rZun -----END PGP SIGNATURE----- --- This email has been checked for viruses by Avast antivirus software. https://www.avast.com/antivirus From wk at gnupg.org Sat Oct 1 19:40:50 2016 From: wk at gnupg.org (Werner Koch) Date: Sat, 01 Oct 2016 19:40:50 +0200 Subject: Terminology - certificate or key ? In-Reply-To: <20160930153055.GA30569@gnu.org> (ineiev@gnu.org's message of "Fri, 30 Sep 2016 11:30:56 -0400") References: <507e341e-4cf0-bf91-3e90-7a4080bb257f@jelmail.com> <87eg41wua2.fsf@wheatstone.g10code.de> <59a5b5d1-2436-608d-5e20-814dc1748a9c@sixdemonbag.org> <87d1jlv55c.fsf@wheatstone.g10code.de> <20160930153055.GA30569@gnu.org> Message-ID: <87oa34rmql.fsf@wheatstone.g10code.de> On Fri, 30 Sep 2016 17:30, ineiev at gnu.org said: > There is one more: "secret key". Well, I like "secret key" because "secret" stands out when reading source code or text. "private" and "public" are two similar and when it comes to naming variables sk and pk or seckey and pubkey are easier to distinguish that, well, what? Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 162 bytes Desc: not available URL: From wk at gnupg.org Sat Oct 1 19:45:51 2016 From: wk at gnupg.org (Werner Koch) Date: Sat, 01 Oct 2016 19:45:51 +0200 Subject: Terminology - certificate or key ? In-Reply-To: <2cab7221-0b52-77eb-a63e-497e281d50e2@andrewg.com> (Andrew Gallagher's message of "Fri, 30 Sep 2016 17:50:01 +0100") References: <507e341e-4cf0-bf91-3e90-7a4080bb257f@jelmail.com> <87eg41wua2.fsf@wheatstone.g10code.de> <59a5b5d1-2436-608d-5e20-814dc1748a9c@sixdemonbag.org> <87d1jlv55c.fsf@wheatstone.g10code.de> <2cab7221-0b52-77eb-a63e-497e281d50e2@andrewg.com> Message-ID: <87k2dsrmi8.fsf@wheatstone.g10code.de> On Fri, 30 Sep 2016 18:50, andrewg at andrewg.com said: > with the same key. "Latch and key" is the best analogy I know of to Frankly, I did not know how to translate the German term "Schnappschloss". I had in mind that a "latch" is similar to a "deadbolt". Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 162 bytes Desc: not available URL: From passionate_programmer at hotmail.com Sat Oct 1 19:23:17 2016 From: passionate_programmer at hotmail.com (Rohit P) Date: Sat, 1 Oct 2016 17:23:17 +0000 Subject: Why GnuPG encrypted file has no icon? In-Reply-To: <151447885.20161001131036@riseup.net> References: , <18B48D6B-CDB4-4BF8-9B0A-6070271781E2@gmail.com> , <151447885.20161001131036@riseup.net> Message-ID: @MFPA: I guess .asc extension is only when you select "ASCII Armor" option. If you don't select this option it is .pgp. Not sure. I tried "Open With", but don't know which .exe to select to associate .pgp extension. Regards, RP ________________________________ From: MFPA <2014-667rhzu3dc-lists-groups at riseup.net> Sent: Saturday, October 1, 2016 5:40 PM To: Rohit P on GnuPG-Users Cc: Rohit P Subject: Re: Why GnuPG encrypted file has no icon? -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Saturday 1 October 2016 at 7:47:39 AM, in , Rohit P wrote:- > I am using Windows 7. Icons are there on all files. What I actually > meant is when a file is encrypted with GnuPG, the resultant .pgp file > has no icon. If Windows has an application associated with the file extension, the file will be shown with that application's icon. And double-clicking the file will cause that application to perform a default action on that file, for example double-clicking a .txt file on a Windows machine will usually open the file using Notepad. You could try right-clicking one of your .gpg files and selecting "open with", keeping the "always use this app" box ticked, click "more apps", and select GnuPG. (It might show as "GnuPG's OpenPGP Tool".) Not sure why you get .pgp files; I get .asc. - -- Best regards MFPA Lotto: A tax on people who are bad at statistics! -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJX76e+XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2 QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwPjQIAIf131Iczm1T00j/cvuVSECT G/J5fMSWWgvfKau+2X6RpfVjgDpy9MMFhM4vf0AwhIoDwyYdlZ2srZ+r4iLJPkoW gjNQwI1lAG2K795TiVBrs3GrwV2OLnoCMaCdPa5jFUwkW5P0JRFMrj+9d/oFWiqh /72PWP2PkD81P7HgXy/86FrLBZ/lwPU1Ocx/Ew+2Gooj3vYSTEARYk/NnMTAqcwO SOo2t6yFUDEF7hTnMTVeAIA7f7neb5fOhTEVVZf1k+h3WFsEtcS0u2NkbDk0wVwt x4daONNQonBgQdbxKVScuqBqJI/ZEG6QcYQx+8qE8Q6GXwhKMD6sRDv6zly9LOiI vgQBFgoAZgUCV++nvl8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45JfkAQCgCV+0Hst3ykF6q0uYGJQsp2Eu cv+DKvX4yb37duVzHQEAy2KF9EFSvtJxqk4QblE7P7x8hGpVSJtakVO3CHC44QI= =awAg -----END PGP SIGNATURE----- --- This email has been checked for viruses by Avast antivirus software. https://www.avast.com/antivirus -------------- next part -------------- An HTML attachment was scrubbed... URL: From 2014-667rhzu3dc-lists-groups at riseup.net Sat Oct 1 21:01:59 2016 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Sat, 1 Oct 2016 20:01:59 +0100 Subject: Terminology - certificate or key ? In-Reply-To: <87k2dsrmi8.fsf@wheatstone.g10code.de> References: <507e341e-4cf0-bf91-3e90-7a4080bb257f@jelmail.com> <87eg41wua2.fsf@wheatstone.g10code.de> <59a5b5d1-2436-608d-5e20-814dc1748a9c@sixdemonbag.org> <87d1jlv55c.fsf@wheatstone.g10code.de> <2cab7221-0b52-77eb-a63e-497e281d50e2@andrewg.com> <87k2dsrmi8.fsf@wheatstone.g10code.de> Message-ID: <1022601933.20161001200159@riseup.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Saturday 1 October 2016 at 6:45:51 PM, in , Werner Koch wrote:- > Frankly, I did not know how to translate the German term > "Schnappschloss". I had in mind that a "latch" is similar to a > "deadbolt". For latch, the Oxford dictionary gives "A metal bar with a catch and lever used for fastening a door or gate" as the primary use. A secondary meaning is "A spring lock for an outer door, which catches when the door is closed and can only be opened from the outside with a key." - -- Best regards MFPA Coffee doesn't need a menu, it needs a cup. -----BEGIN PGP SIGNATURE----- iL4EARYKAGYFAlfwCClfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldDMzQUNFRDRFRTkxMzRFRUJERTZBODUwNjE3 MTJCQzQ2MUFGNzc4RTQACgkQFxK8Rhr3eOQkawEAppG/RiB1M5Jy5afKUiEcVTiM FvOzhKnZlMinYA+qdpwBAOW3e1t6tHubrAnYqV87FcNflEzh9N/E7e69WVHDeaQP iQF8BAEBCgBmBQJX8Ag7XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2 QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXw7psH/RlbSNsaf6buLFk6KA1zJRzS Fv9fYG/Q5DRH9C8e2ICjHvkTtjzDgSuzggq3mwvZjaUaLiMWhshkN9hicFifJbsj CokF7GCXmRGmpHek1r4AksA5n34ys1arWh+jfHRQUfzspVEt3TEwj89bNJiAwcqX U1aZO05KwTD4aN4Z0aw6vB16sq5WZVucc5gpbBF1DmCjQP5/fhKAC6pzxN6omrIq lhyRKuP1iIlhyHPcqdgcnV8I3RDRXBTfHWJuMWcdRpqd7O1phgcc6rWiVY4VADLl S2w2PmLah/Ma75i0JDemZZ1K35SDjHCe8XymjNu/Iu4KPyeUTlcVVWw6iT3UEUE= =9j8Q -----END PGP SIGNATURE----- --- This email has been checked for viruses by Avast antivirus software. https://www.avast.com/antivirus From htd+ml at fritha.org Sat Oct 1 21:00:15 2016 From: htd+ml at fritha.org (Heinz Diehl) Date: Sat, 1 Oct 2016 21:00:15 +0200 Subject: Terminology - certificate or key ? In-Reply-To: <87k2dsrmi8.fsf@wheatstone.g10code.de> References: <507e341e-4cf0-bf91-3e90-7a4080bb257f@jelmail.com> <87eg41wua2.fsf@wheatstone.g10code.de> <59a5b5d1-2436-608d-5e20-814dc1748a9c@sixdemonbag.org> <87d1jlv55c.fsf@wheatstone.g10code.de> <2cab7221-0b52-77eb-a63e-497e281d50e2@andrewg.com> <87k2dsrmi8.fsf@wheatstone.g10code.de> Message-ID: <20161001190015.GA19011@fritha.org> On 01.10.2016, Werner Koch wrote: > Frankly, I did not know how to translate the German term > "Schnappschloss". Visualising a picture of what is meant by the German term, I would intuitively translate it to something like a hasp, a snap lock or even a spring lock. And you're right, I also heard the term latch lock. From arbiel.perlacremaz at gmx.fr Sun Oct 2 00:10:59 2016 From: arbiel.perlacremaz at gmx.fr (Arbiel (gmx)) Date: Sun, 2 Oct 2016 00:10:59 +0200 Subject: recording and retrieving "secrets" into gpg files In-Reply-To: <2f314e26-aec1-eaa0-80f4-4300cdc19470@mailbox.org> References: <32bde4af-b750-1f1b-1785-8d9c40e6330e@gmx.fr> <2f314e26-aec1-eaa0-80f4-4300cdc19470@mailbox.org> Message-ID: <151ea9e6-aefc-b9f5-e9cd-77aa4534f4de@gmx.fr> Hi Stephan The "Bash scripting" material, which I began reading, gave me some valuable informations and I will go on reading it. On the other hand, I did not understand the aim of the material concerning bash for gpg, as it deals with issues which I am quite unaware of. Maybe, when I get more confident in gpg concepts, will I understand its purpose. In fact, I wish to record "secrets" in gnome-keyrings, as seahorse does, and I am looking for tutorials which explain how to do so with bash scripts, which are the only "programs" I am able to write. Cheers Arbiel Le 30/09/2016 ? 17:30, Stephan Beck a ?crit : > Hi Arbiel, > > Arbiel (gmx): >> Hi >> >> Thank you Andrew. >> >> In the material I've been ready lately, all examples are written in a >> programming language and I only have abilities in bash scripting. >> >> Can somebody, please, direct me toward a url where they provide bash >> scripting examples. > [...] > Bash scripting in general? > http://bash-hackers.org > > related to gpg? For instance, > https://github.com/Whonix/gpg-bash-lib > > Cheers, > > Stephan > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 230 bytes Desc: OpenPGP digital signature URL: From dgouttegattat at incenp.org Sun Oct 2 09:52:22 2016 From: dgouttegattat at incenp.org (Damien Goutte-Gattat) Date: Sun, 2 Oct 2016 09:52:22 +0200 Subject: recording and retrieving "secrets" into gpg files In-Reply-To: <151ea9e6-aefc-b9f5-e9cd-77aa4534f4de@gmx.fr> References: <32bde4af-b750-1f1b-1785-8d9c40e6330e@gmx.fr> <2f314e26-aec1-eaa0-80f4-4300cdc19470@mailbox.org> <151ea9e6-aefc-b9f5-e9cd-77aa4534f4de@gmx.fr> Message-ID: <0e8e483c-9ec7-e6f6-bf28-1f8b15061eb4@incenp.org> On 10/02/2016 12:10 AM, Arbiel (gmx) wrote: > In fact, I wish to record "secrets" in gnome-keyrings, as seahorse does, > and I am looking for tutorials which explain how to do so with bash > scripts, which are the only "programs" I am able to write. Then you might have a look at the secret-tool program (in the libsecret-tools package), which is a command-line client (so, it should be scriptable with bash) to the secret service [1]. (The "secret service" is the service responsible for managing the keyrings. Seahorse is only a client for that service, it does not manipulate the keyring itself.) E.g., to store a secret into the default keyring: $ echo -n "mysecret" | secret-tool store --label="A secret" \ hostname www.example.com where "mysecret" is the secret to store, "A secret" is the name that will be displayed in Seahorse, and "hostname www.example.com" is a key value pair that you can later use to search for this secret. To retrieve this secret: $ secret-tool search hostname www.example.com You will not have to use GnuPG. In fact, as far as I know GnuPG is not involved anywhere --- the secret service daemon encrypts the keyring itself, it does not use GnuPG for that. Hope that helps, Damien [1] https://specifications.freedesktop.org/secret-service/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From jhs at berklix.com Sun Oct 2 12:44:16 2016 From: jhs at berklix.com (Julian H. Stacey) Date: Sun, 02 Oct 2016 12:44:16 +0200 Subject: Terminology - certificate or key ? In-Reply-To: Your message "Sat, 01 Oct 2016 21:00:15 +0200." <20161001190015.GA19011@fritha.org> Message-ID: <201610021044.u92AiGNA004672@fire.js.berklix.net> https://lists.gnupg.org/pipermail/gnupg-users/2016-October/056809.html > Frankly, I did not know how to translate the German term > "Schnappschloss". I had in mind that a "latch" is similar to a > "deadbolt". Heinz Diehl wrote: > Visualising a picture of what is meant by the German term, I would > intuitively translate it to something like a hasp, a snap lock or even > a spring lock. And you're right, I also heard the term latch lock. https://de.wikipedia.org/wiki/Schnappschloss is empty. Schnappschloss seems to be a wide word covering all sorts, English has more words than German, so probably a selection of pictures offers best way to choose best word for the function. A latch is not similar to a deadbolt though. A latch is weaker. A latch is spring loaded, or gravity assisted. https://www.google.de/?gws_rd=ssl#q=Schnappschloss ... Pictures The silver, one from right end, is a snap lock. The brass at far right is a latch. http://www.ebay.de/bhp/schnappschloss http://www.ebay.de/itm/Oberlichtschnaepper-Edelstahl-Optik-Federriegel-Schnappschloss-Fensterschloss-/331887421951 "Latch" http://www.ebay.de/itm/4-x-Schnappschloss-mit-Ose-gross-97x50-mm-Kistenverschluss-Spannverschluss-/360829984297 "Snap lock" May be OK, or maybe Catch, (I'd be happier with the word Lock if that picture also had a tiny hole for a key (as mine does, crappy key but it is then a primitive lock. http://www.ebay.de/itm/2pcs-3-Spannverschluss-Kofferverschluss-Kistenverschluss-Schnappschloss-Latch-/351691384246 "Hasp" http://www.diy.com/departments/blooma-galvanised-steel-tower-bolt-l102mm/307467_BQ.prd http://www.diy.com/departments/yale-deadlock/ http://www.ebay.com/itm/15-2cm-ZOLL-TURM-BOLZEN-TURSCHLOSS-SCHUPPEN-GARTEN-TUR-/301978902053 "Dead bolts" PS Wouldnt suprise me if British & American & other speakers of English had different words for some of those things. (I'm English but decades in Germany so not always entirely certain translating back) Cheers, Julian -- Julian Stacey, BSD Linux Unix Sys Eng Consultant Munich Reply below, Prefix '> '. Plain text, No .doc, base64, HTML, quoted-printable. http://berklix.eu/brexit/#stolen_votes From idmsdba at nycap.rr.com Sun Oct 2 19:48:01 2016 From: idmsdba at nycap.rr.com (Michael A. Yetto) Date: Sun, 2 Oct 2016 13:48:01 -0400 Subject: Terminology - certificate or key ? In-Reply-To: <201610021044.u92AiGNA004672@fire.js.berklix.net> References: <20161001190015.GA19011@fritha.org> <201610021044.u92AiGNA004672@fire.js.berklix.net> Message-ID: <20161002134801.2f887de3@braetac.lighthouse.yetnet> On Sun, 02 Oct 2016 12:44:16 +0200 "Julian H. Stacey" wrote: >https://lists.gnupg.org/pipermail/gnupg-users/2016-October/056809.html >> Frankly, I did not know how to translate the German term >> "Schnappschloss". I had in mind that a "latch" is similar to a >> "deadbolt". > >Heinz Diehl wrote: >> Visualising a picture of what is meant by the German term, I would >> intuitively translate it to something like a hasp, a snap lock or >> even a spring lock. And you're right, I also heard the term latch >> lock. > >https://de.wikipedia.org/wiki/Schnappschloss is empty. > >Schnappschloss seems to be a wide word covering all sorts, >English has more words than German, so probably a selection of pictures >offers best way to choose best word for the function. > >A latch is not similar to a deadbolt though. >A latch is weaker. >A latch is spring loaded, or gravity assisted. > >https://www.google.de/?gws_rd=ssl#q=Schnappschloss ... Pictures >The silver, one from right end, is a snap lock. >The brass at far right is a latch. > >http://www.ebay.de/bhp/schnappschloss >http://www.ebay.de/itm/Oberlichtschnaepper-Edelstahl-Optik-Federriegel-Schnappschloss-Fensterschloss-/331887421951 >"Latch" > >http://www.ebay.de/itm/4-x-Schnappschloss-mit-Ose-gross-97x50-mm-Kistenverschluss-Spannverschluss-/360829984297 >"Snap lock" > May be OK, or maybe Catch, (I'd be happier with the word Lock if > that picture also had a tiny hole for a key (as mine does, crappy > key but it is then a primitive lock. > >http://www.ebay.de/itm/2pcs-3-Spannverschluss-Kofferverschluss-Kistenverschluss-Schnappschloss-Latch-/351691384246 >"Hasp" > >http://www.diy.com/departments/blooma-galvanised-steel-tower-bolt-l102mm/307467_BQ.prd >http://www.diy.com/departments/yale-deadlock/ >http://www.ebay.com/itm/15-2cm-ZOLL-TURM-BOLZEN-TURSCHLOSS-SCHUPPEN-GARTEN-TUR-/301978902053 >"Dead bolts" > >PS Wouldnt suprise me if British & American & other speakers of >English had different words for some of those things. (I'm English >but decades in Germany so not always entirely certain translating back) > > I think that was my cue. I thought what might be meant is what I have always referred to as a slam lock. That is, a locking mechanism that stays locked after opening from the inside and locks itself after closing from the outside. It is an easy way to lock yourself out of your car with the engine running if you just had the door replaced and the new one has a slam lock while the old one didn't. Mike "not that this ever happened to me" Yetto -- "If your belief system is not founded in an objective reality, you should not be making decisions that affect other people." - Neil deGrasse Tyson -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 473 bytes Desc: OpenPGP digital signature URL: From maorlando at gmail.com Sun Oct 2 01:30:33 2016 From: maorlando at gmail.com (Matthew Orlando) Date: Sat, 1 Oct 2016 16:30:33 -0700 Subject: gpg4win --gen-key fails to connect to IPC when using --homedir In-Reply-To: <20130402100008.69a67f4b@bigbox.christie.dr> References: <20130402100008.69a67f4b@bigbox.christie.dr> Message-ID: <1ff0d639-669e-7752-98f6-c0ef1d712ef6@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 I had to do two things to solve this: 1: use absolute paths for the homedir. E.g.: gpg --homedir "C:\users\me\test\gpg" --gen-key 2: kill any existing GnuPG agents with task manager, and then start one manually using the same homedir: gpg-agent --homedir="C:\users\me\test\gpg" --daemon After you're done, kill the agent you started. Cheers, Cogwheel Tim Chase gnupg at tim.thechases.com Tue Apr 2 17:00:08 CEST 2013 > I found a similar thread here: > > http://lists.gnupg.org/pipermail/gnupg-users/2012-April/044164.html > > but it doesn't seem to have been resolved. gpg4win was installed > using the default location, and with none of the add-ons (no > Outlook, shell, extensions, just gpg). The same operation without > --homedir works as expected. > > Any way to get this to work? > > Thanks, > > -tkc > > > C:\work\tempgpg> gpg --homedir . --gen-key > gpg (GnuPG) 2.0.17; Copyright (C) 2011 Free Software Foundation, Inc. > This is free software: you are free to change and redistribute it. > There is NO WARRANTY, to the extent permitted by law. > > gpg: keyring `./secring.gpg' created > gpg: keyring `./pubring.gpg' created > Please select what kind of key you want: > (1) RSA and RSA (default) > (2) DSA and Elgamal > (3) DSA (sign only) > (4) RSA (sign only) > Your selection? 1 > RSA keys may be between 1024 and 4096 bits long. > What keysize do you want? (2048) 2048 > Requested keysize is 2048 bits > Please specify how long the key should be valid. > 0 = key does not expire > = key expires in n days > w = key expires in n weeks > m = key expires in n months > y = key expires in n years > Key is valid for? (0) 0 > Key does not expire at all > Is this correct? (y/N) y > > GnuPG needs to construct a user ID to identify your key. > > Real name: Joe User > Email address: joe at example.com > Comment: Test > You selected this USER-ID: > "Joe User (Test) " > > Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o > You need a Passphrase to protect your secret key. > > gpg: can't connect to the agent: Invalid value passed to IPC > gpg: problem with the agent: No agent running > gpg: can't connect to the agent: Invalid value passed to IPC > gpg: problem with the agent: No agent running > gpg: Key generation canceled. > > C:\work\tempgpg>gpg --version > gpg (GnuPG) 2.0.17 (Gpg4win 2.1.0) > libgcrypt 1.4.6 > Copyright (C) 2011 Free Software Foundation, Inc. > [snip] -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJX8EcYAAoJEPro35Ne53Y9oHQIAKBKx+//QPuRMQXMVyb1bouk nH5gNynV6n7K60a+w8N6Liky7a3FKTBpMi3wEkZo5Rw5wMtspuT0pqqT2E13Ml+L Jw5/habejgQ84QMZB6FFbzM/tQBqnHUFn7EkOutq6ULqYMV7rt2MPba3c16tt/O6 9OoDj9phoXC0AABTDSBDS7AFyCvYJ61DJW6gTtAm8A7PCo39hjLQS5HiMviBWwLt qqCogHQLuES7+4znA/kip3kuaPHcEiZ6BeG8dlxCkUc7flHlF3XsHg4TWmLwW118 Bv2VTNHMqSU9Mgyl+2qk/bJkSoUFcmxAjb3aVSNgRHoFBjCT89KzmZcikVmU4dE= =eXvP -----END PGP SIGNATURE----- From tlikonen at iki.fi Sun Oct 2 20:59:06 2016 From: tlikonen at iki.fi (Teemu Likonen) Date: Sun, 02 Oct 2016 21:59:06 +0300 Subject: Confusing options for --tofu-(default-)policy= Message-ID: <87h98uwpad.fsf@iki.fi> First a quote from the gpg 2.1.15 man page: --trust-model pgp|classic|tofu|tofu+pgp|direct|always|auto [...] In the TOFU model, policies are associated with bindings between keys and email addresses (which are extracted from user ids and normalized). There are five policies, which can be set manually using the --tofu-policy option. The default policy can be set using the --tofu-default- policy policy. The TOFU policies are: auto, good, unknown, bad and ask. The auto policy is used by default (unless overridden by --tofu-default-policy) and marks a binding as marginally trusted. The good, unknown and bad policies mark a binding as fully trusted, as having unknown trust or as having trust never, respectively. [...] So there's a mapping from tofu policy to trust: auto=marginal, good=fully, unknown=unknown, bad=never. But why use different names? Why not use the same names for tofu policy and trust? -- /// Teemu Likonen - .-.. // // PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 /// -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 818 bytes Desc: not available URL: From mls at bjoern-kahl.de Sun Oct 2 21:36:49 2016 From: mls at bjoern-kahl.de (Bjoern Kahl) Date: Sun, 2 Oct 2016 21:36:49 +0200 Subject: API documentation for Python GpgMe bindings? Message-ID: Dear All, I'd tried to play around with the (new) Python bindings announced just a few days ago, but I am a bit lost. I am using Python-2.7 on MacOS "El Captain", with Python-2.7, gpg2, gpgme (1.6.0_2) and the bindings py27-pygpgme and pyme all installed using MacPorts. (Yes, that is not the newest gpgme-1.7.0 announced last week, the announcement last week just made me aware of the fact that there are Python binding at all.) I know the C-library documentation of GpgMe found here: https://www.gnupg.org/documentation/manuals/gpgme/ Is there a similar documentation for the Python bindings "pyme" (or "pyme3")? Google didn't return helpful results for "gpgme python api reference" or "pyme api reference" for me. Looking at the C-library documentation and the help() output in the Python interpreter for pyme and objects accessible from there, I fail to see a clear mapping on how to call various functions. For example, I can create a GpgMe context with "ctx = pyme.core.Context()" and find a key "key = ctx.get_key("the-key-id"). But how do I - for example - change context attributes like the pinentry mode? The "pyme.core.Context" object doesn't seem to have a "set_attributes" or a "set_pinentry_mode" or anything related. I found "pyme.pygpgme.gpgme_set_pinentry_mode()", which takes a context, but apparently a different flavour of a "context" than returned from "pyme.core.Context()". Trying to pass the result from "pyme.core.Context()" to "pyme.pygpgme.gpgme_set_pinentry_mode()" gives a type error. Also, the context from "pyme.core.Context()" doesn't seem to have a function to retrieve the underlying gpgme context. So, were can I find documentation of the Python bindings or guidelines how to apply the C-library documentation to the pyme bindings for Python (either 2.7 or 3.x)? Thanks & best regards Bj?rn -- | Bjoern Kahl +++ Siegburg +++ Germany | | "mls at -my-domain-" +++ www.bjoern-kahl.de | | Languages: German, English, Ancient Latin (a bit :-)) | From dkg at fifthhorseman.net Mon Oct 3 15:40:02 2016 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Mon, 03 Oct 2016 09:40:02 -0400 Subject: Terminology - certificate or key ? In-Reply-To: <20161002134801.2f887de3@braetac.lighthouse.yetnet> References: <20161001190015.GA19011@fritha.org> <201610021044.u92AiGNA004672@fire.js.berklix.net> <20161002134801.2f887de3@braetac.lighthouse.yetnet> Message-ID: <87bmz1blfx.fsf@alice.fifthhorseman.net> On Sun 2016-10-02 13:48:01 -0400, Michael A. Yetto wrote: > I thought what might be meant is what I have always referred to as a > slam lock. That is, a locking mechanism that stays locked after opening > from the inside and locks itself after closing from the outside. as a native en_US-speaker, I can confirm that the most precise term here is "slam lock". however, i've found that term is not particularly widely-known or understood, which probably makes it a bad choice for explanatory metaphor :( fwiw, i disagree with Werner that X.509 certificates and OpenPGP certificates are radically different. There are differences for sure -- chief among them the composability (and decomposability) of OpenPGP certificates, as well as their multi-issuer nature. But conceptually both formats provide transferable, cryptographically-verifiable assertions about bindings between identities, capabilities, and public key material. This is roughly what "certificate" means to most people, and that's the right term to use in my opinion. --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 930 bytes Desc: not available URL: From wk at gnupg.org Mon Oct 3 16:14:25 2016 From: wk at gnupg.org (Werner Koch) Date: Mon, 03 Oct 2016 16:14:25 +0200 Subject: Terminology - certificate or key ? In-Reply-To: <201610021044.u92AiGNA004672@fire.js.berklix.net> (Julian H. Stacey's message of "Sun, 02 Oct 2016 12:44:16 +0200") References: <201610021044.u92AiGNA004672@fire.js.berklix.net> Message-ID: <87ponhr03i.fsf@wheatstone.g10code.de> On Sun, 2 Oct 2016 12:44, jhs at berklix.com said: > Schnappschloss seems to be a wide word covering all sorts, It might be that there are regional differences in Germany. May be even more here, close to the traditional area of lock fabrication. Here are two padlocks: We would call the left one a "normales Vorhangeschloss" (simple padlock). But the middle one is known as a "Schappschloss" - referring to the feature that you do not need a key to lock it. So it seems, the term "lock" works only along with a picture. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 162 bytes Desc: not available URL: From arbiel.perlacremaz at gmx.fr Mon Oct 3 16:28:07 2016 From: arbiel.perlacremaz at gmx.fr (Arbiel (gmx)) Date: Mon, 3 Oct 2016 16:28:07 +0200 Subject: recording and retrieving "secrets" into gpg files In-Reply-To: <0e8e483c-9ec7-e6f6-bf28-1f8b15061eb4@incenp.org> References: <32bde4af-b750-1f1b-1785-8d9c40e6330e@gmx.fr> <2f314e26-aec1-eaa0-80f4-4300cdc19470@mailbox.org> <151ea9e6-aefc-b9f5-e9cd-77aa4534f4de@gmx.fr> <0e8e483c-9ec7-e6f6-bf28-1f8b15061eb4@incenp.org> Message-ID: <9b008279-17b5-4f2c-6800-2261a826ad9c@gmx.fr> Hi Damien It's exactly what I was looking for. Thank you a lot. Arbiel Le 02/10/2016 ? 09:52, Damien Goutte-Gattat a ?crit : > On 10/02/2016 12:10 AM, Arbiel (gmx) wrote: >> In fact, I wish to record "secrets" in gnome-keyrings, as seahorse does, >> and I am looking for tutorials which explain how to do so with bash >> scripts, which are the only "programs" I am able to write. > > Then you might have a look at the secret-tool program (in the > libsecret-tools package), which is a command-line client (so, it should > be scriptable with bash) to the secret service [1]. > > (The "secret service" is the service responsible for managing the > keyrings. Seahorse is only a client for that service, it does not > manipulate the keyring itself.) > > E.g., to store a secret into the default keyring: > > $ echo -n "mysecret" | secret-tool store --label="A secret" \ > hostname www.example.com > > where "mysecret" is the secret to store, "A secret" is the name that > will be displayed in Seahorse, and "hostname www.example.com" is a key > value pair that you can later use to search for this secret. > > To retrieve this secret: > > $ secret-tool search hostname www.example.com > > You will not have to use GnuPG. In fact, as far as I know GnuPG is not > involved anywhere --- the secret service daemon encrypts the keyring > itself, it does not use GnuPG for that. > > Hope that helps, > > Damien > > > [1] https://specifications.freedesktop.org/secret-service/ > -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 230 bytes Desc: OpenPGP digital signature URL: From jc.gnupg at unser.net Mon Oct 3 16:53:19 2016 From: jc.gnupg at unser.net (Juergen Christoffel) Date: Mon, 3 Oct 2016 16:53:19 +0200 Subject: recording and retrieving "secrets" into gpg files In-Reply-To: <32bde4af-b750-1f1b-1785-8d9c40e6330e@gmx.fr> References: <32bde4af-b750-1f1b-1785-8d9c40e6330e@gmx.fr> Message-ID: <20161003145319.GA32265@unser.net> On Fri, Sep 30, 2016 at 03:56:08PM +0200, Arbiel (gmx) wrote: > >Can somebody, please, direct me toward a url where they provide bash >scripting examples. Take a look at https://www.passwordstore.org/ which is written in bash and stores secrets with gnupg. --jc -- Doctorow's Law: Anytime someone puts a lock on something you own, against your wishes, and doesn't give you the key, they're not doing it for your benefit. From richard.hoechenberger at gmail.com Mon Oct 3 18:34:41 2016 From: richard.hoechenberger at gmail.com (=?UTF-8?Q?Richard_H=C3=B6chenberger?=) Date: Mon, 3 Oct 2016 18:34:41 +0200 Subject: Terminology - certificate or key ? In-Reply-To: <87ponhr03i.fsf@wheatstone.g10code.de> References: <201610021044.u92AiGNA004672@fire.js.berklix.net> <87ponhr03i.fsf@wheatstone.g10code.de> Message-ID: On Mon, Oct 3, 2016 at 4:14 PM, Werner Koch wrote: > Here are two padlocks: > > > > We would call the left one a "normales Vorhangeschloss" (simple > padlock). But the middle one is known as a "Schappschloss" - referring > to the feature that you do not need a key to lock it. Growing up in (East) Germany myself, I've never, ever, heard or read this word before. I always assumed all padlocks would lock without a key, hence be "Schnappschl?sser". Never seen or handled anything else. :) But maybe I'm simply too young, the padlock-without-Schnappschloss type appears to be kind of ancient? Cheers, Richard From wk at gnupg.org Mon Oct 3 20:40:45 2016 From: wk at gnupg.org (Werner Koch) Date: Mon, 03 Oct 2016 20:40:45 +0200 Subject: Terminology - certificate or key ? In-Reply-To: ("Richard =?utf-8?Q?H=C3=B6chenberger=22's?= message of "Mon, 3 Oct 2016 18:34:41 +0200") References: <201610021044.u92AiGNA004672@fire.js.berklix.net> <87ponhr03i.fsf@wheatstone.g10code.de> Message-ID: <877f9pqnrm.fsf@wheatstone.g10code.de> On Mon, 3 Oct 2016 18:34, richard.hoechenberger at gmail.com said: > :) But maybe I'm simply too young, the padlock-without-Schnappschloss > type appears to be kind of ancient? Heavy duty padlocks require a key for locking; you may have seen them used to lock a motorbike. The description at [1] lists this as a feature: Schlie?zwang: Verriegelung nur mit Schl?ssel (Schl?ssel kann bei ge?ffnetem Zustand nicht abgezogen werden) Salam-Shalom, Werner [1] -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 162 bytes Desc: not available URL: From simon.albrecht at mail.de Mon Oct 3 15:36:22 2016 From: simon.albrecht at mail.de (Simon Albrecht) Date: Mon, 3 Oct 2016 15:36:22 +0200 Subject: What to do at failed integrity check? Message-ID: <471bc952-018c-1f12-6648-15bb979ff842@mail.de> Hello everybody, I?m having a problem getting GnuPG set up: I downloaded the tarball and signature (for v2.0.30), then did the integrity check as described on using the packaged version of GnuPG (1.4.something), and it failed with this message: gpg: Signature made Do 31 M?r 2016 12:56:02 CEST using RSA key ID 4F25E3B6 gpg: Can't check signature: public key not found I already tried getting the files from a mirror ? same thing. Now, the instructions on the linked webpage only say ?the file should be treated suspiciously?. But what can I do now? Just use it anyway and hope it?s not a real problem? Best regards, Simon Albrecht From ca+gnupg-users at esmtp.org Mon Oct 3 22:34:15 2016 From: ca+gnupg-users at esmtp.org (Claus Assmann) Date: Mon, 3 Oct 2016 13:34:15 -0700 Subject: What to do at failed integrity check? In-Reply-To: <471bc952-018c-1f12-6648-15bb979ff842@mail.de> References: <471bc952-018c-1f12-6648-15bb979ff842@mail.de> Message-ID: <20161003203415.GA14727@x2.esmtp.org> On Mon, Oct 03, 2016, Simon Albrecht wrote: > gpg: Signature made Do 31 M??r 2016 12:56:02 CEST using RSA key ID 4F25E3B6 > gpg: Can't check signature: public key not found ^^^^^^^^^^^^^^^^^^^^^ > I already tried getting the files from a mirror ??? same thing. Hmm... did you read the message? You might want to download the key... -- Reply-To: is set, please do not Cc' me. From moritz at klammler.eu Mon Oct 3 22:44:16 2016 From: moritz at klammler.eu (Moritz Klammler) Date: Mon, 03 Oct 2016 22:44:16 +0200 Subject: What to do at failed integrity check? In-Reply-To: Simon Albrecht's message of "Mon\, 3 Oct 2016 15\:36\:22 +0200 \(6 hours\, 52 minutes\, 39 seconds ago\)" Message-ID: <87mvil40yn.fsf@klammler.eu> > gpg: Signature made Do 31 M?r 2016 12:56:02 CEST using RSA key ID 4F25E3B6 > gpg: Can't check signature: public key not found GnuPG didn't tell you that if found out that the file doesn't match the signature. It told you that it wasn't able to check whether it is valid in the first place because your key-ring doesn't contain the key which the signature says was used to create it. Without the public key (certificate) of the signer, you cannot verify the signature. You can import the certificate from a public key-server using this command. $ gpg --recv-key 4F25E3B6 Where "4F25E3B6" is the ID reported by the error message (and happens to belong to Werner Koch). Of course, when you download the certificate like so, an attacker that has previously tampered with your internet connection, tricking you into downloading a compromised version of GnuPG (together with a fake signature) can potentially trick you again and you cannot be sure that you've actually downloaded Werner Koch's certificate. In order to defend against this, you should check the fingerprint by running $ gpg --fingerprint 4F25E3B6 pub rsa2048 2011-01-12 [SC] [expires: 2019-12-31] D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6 uid [ unknown] Werner Koch (dist sig) sub rsa2048 2011-01-12 [A] [expires: 2019-12-31] and checking the output against a trusted source of the fingerprint. Where you obtain this from, I don't know. As a minimum, it should match the fingerprint shown above but of course, that could be tampered with, too. (The fingerprint is the hex sequence "D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6". The other output might differ for legitimate reasons.) Alternatively, if you're lucky, you might have participated in enough key-signings such that GnuPG finds a chain of trust to the key. As you can see from the "unknown" in the output shown above, I've not been that lucky so far. -- OpenPGP: Public Key: http://openpgp.klammler.eu Fingerprint: 2732 DA32 C8D0 EEEC A081 BE9D CF6C 5166 F393 A9C0 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 454 bytes Desc: not available URL: From sbutler at fchn.com Mon Oct 3 22:31:35 2016 From: sbutler at fchn.com (Steve Butler) Date: Mon, 3 Oct 2016 20:31:35 +0000 Subject: What to do at failed integrity check? In-Reply-To: <471bc952-018c-1f12-6648-15bb979ff842@mail.de> References: <471bc952-018c-1f12-6648-15bb979ff842@mail.de> Message-ID: Go to any public key server and get that key ID. However, before doing that, I'd first verify the checksum without using GnuPG. That process should also have been described on the download page. -----Original Message----- From: Gnupg-users [mailto:gnupg-users-bounces+sbutler=fchn.com at gnupg.org] On Behalf Of Simon Albrecht Sent: Monday, October 03, 2016 6:36 AM To: gnupg-users at gnupg.org Subject: What to do at failed integrity check? Hello everybody, I?m having a problem getting GnuPG set up: I downloaded the tarball and signature (for v2.0.30), then did the integrity check as described on using the packaged version of GnuPG (1.4.something), and it failed with this message: gpg: Signature made Do 31 M?r 2016 12:56:02 CEST using RSA key ID 4F25E3B6 gpg: Can't check signature: public key not found I already tried getting the files from a mirror ? same thing. Now, the instructions on the linked webpage only say ?the file should be treated suspiciously?. But what can I do now? Just use it anyway and hope it?s not a real problem? Best regards, Simon Albrecht _______________________________________________ Gnupg-users mailing list Gnupg-users at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users -- CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. From justus at g10code.com Tue Oct 4 11:00:52 2016 From: justus at g10code.com (Justus Winter) Date: Tue, 04 Oct 2016 11:00:52 +0200 Subject: API documentation for Python GpgMe bindings? In-Reply-To: References: Message-ID: <87int8zdx7.fsf@europa.jade-hamburg.de> Hello :) Bjoern Kahl writes: > I'd tried to play around with the (new) Python bindings announced just > a few days ago, but I am a bit lost. I am using Python-2.7 on MacOS > "El Captain", with Python-2.7, gpg2, gpgme (1.6.0_2) and the bindings > py27-pygpgme and pyme all installed using MacPorts. note that pygpgme is an entirely different project. > (Yes, that is not the newest gpgme-1.7.0 announced last week, the > announcement last week just made me aware of the fact that there > are Python binding at all.) Note that 'pyme' as available from MacPorts is likely the old pyme. You can grab and build the new 'pyme3' bindings from pypi, provided that you do have all the build dependencies. I'm not familiar with MacPorts, but that might help with that. (Despite the name, 'pyme3' also works with Python 2.7. Originally, it was only for Python 3, but we backported it. 'pyme3' was the working title, and it helps to differentiate between the old and the new binding.) > I know the C-library documentation of GpgMe found here: > https://www.gnupg.org/documentation/manuals/gpgme/ > > Is there a similar documentation for the Python bindings "pyme" (or > "pyme3")? No, unfortunately not at this point. > Looking at the C-library documentation and the help() output in the > Python interpreter for pyme and objects accessible from there, I fail > to see a clear mapping on how to call various functions. 'pyme3' has a high-level api with curated docstrings. Cheers, Justus -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 454 bytes Desc: not available URL: From stebe at mailbox.org Tue Oct 4 13:00:00 2016 From: stebe at mailbox.org (Stephan Beck) Date: Tue, 04 Oct 2016 11:00:00 +0000 Subject: recording and retrieving "secrets" into gpg files In-Reply-To: <151ea9e6-aefc-b9f5-e9cd-77aa4534f4de@gmx.fr> References: <32bde4af-b750-1f1b-1785-8d9c40e6330e@gmx.fr> <2f314e26-aec1-eaa0-80f4-4300cdc19470@mailbox.org> <151ea9e6-aefc-b9f5-e9cd-77aa4534f4de@gmx.fr> Message-ID: <3a81d648-178f-c817-fa5c-92d87e73314a@mailbox.org> Hi Arbiel, Arbiel (gmx): > Hi Stephan > > The "Bash scripting" material, which I began reading, gave me some > valuable informations and I will go on reading it. > > On the other hand, I did not understand the aim of the material > concerning bash for gpg, as it deals with issues which I am quite > unaware of. Maybe, when I get more confident in gpg concepts, will I > understand its purpose. > > In fact, I wish to record "secrets" in gnome-keyrings, as seahorse does, > and I am looking for tutorials which explain how to do so with bash > scripts, which are the only "programs" I am able to write. Ah, ok, you were still with that, so it was sort of misunderstanding. For me it wasn't quite clear whether your new question really had anything to do with your old (storing secrets in gnome-keyrings), or whether (what I thought at last) it was a new one and generic. So I gave you two links, one for bash scripting in general, and the one related to gpg (as an example) for bash scripting concerning gpg. No, that file verification bash scripting hasn't anything to do with storing secrets in keyrings. I looked again but haven't found anything specific related to your question. Cheers, Stephan > Le 30/09/2016 ? 17:30, Stephan Beck a ?crit : >> Hi Arbiel, >> >> Arbiel (gmx): >>> Hi >>> >>> Thank you Andrew. >>> >>> In the material I've been ready lately, all examples are written in a >>> programming language and I only have abilities in bash scripting. >>> >>> Can somebody, please, direct me toward a url where they provide bash >>> scripting examples. >> [...] >> Bash scripting in general? >> http://bash-hackers.org >> >> related to gpg? For instance, >> https://github.com/Whonix/gpg-bash-lib >> >> Cheers, >> >> Stephan >> >> _______________________________________________ >> Gnupg-users mailing list >> Gnupg-users at gnupg.org >> http://lists.gnupg.org/mailman/listinfo/gnupg-users >> > -------------- next part -------------- A non-text attachment was scrubbed... Name: 0x4218732B.asc Type: application/pgp-keys Size: 4089 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From aheinecke at intevation.de Tue Oct 4 14:03:06 2016 From: aheinecke at intevation.de (Andre Heinecke) Date: Tue, 04 Oct 2016 14:03:06 +0200 Subject: Agent forwarding failure when the socketdir was autodeleted Message-ID: <3938401.1pLH0TdMhg@esus> Hi, Using GnuPG 2.1.15 I'm trying to SSH into a remote machine with OpenSSH 6.7 as described under: https://wiki.gnupg.org/AgentForwarding The problem is that the remote system uses systemd so /var/run/user/ exits and GnuPG will use it. But if I am not logged in or there is no gnupg process running. systemd autodeletes /var/run/user//gnupg this causes the remote forward of the Socket to fail because the directory for the socket does not exist and SSH won't create it. :-/ Any ideas how to solve this without requireing changes to the root configuration of the remote machine? I would happily update the wiki with a solution. Regards, Andre -- Andre Heinecke | ++49-541-335083-262 | http://www.intevation.de/ Intevation GmbH, Neuer Graben 17, 49074 Osnabr?ck | AG Osnabr?ck, HR B 18998 Gesch?ftsf?hrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 630 bytes Desc: This is a digitally signed message part. URL: From aheinecke at intevation.de Tue Oct 4 12:19:28 2016 From: aheinecke at intevation.de (Andre Heinecke) Date: Tue, 04 Oct 2016 12:19:28 +0200 Subject: Why GnuPG encrypted file has no icon? In-Reply-To: References: Message-ID: <3372410.p2aesyHPLG@esus> Hi, On Saturday 01 October 2016 04:10:03 Rohit P wrote: > When you encrypt multiple files in a folder, GnuPG encrypted files have no > icon. It is difficult to immediately identify which are the encrypted > files. If you are using Gpg4win you can try out our Beta of gpg4win-3.0 (See: https://wiki.gnupg.org/Gpg4win/Testversions ) There we added set up of file extensions and handling of files by "double click" for Windows. > Any specific reason why encrypted files have no icon? One problem was that the .pgp / .gpg / .asc extentions are pretty general. It could be Keys, signed data, detached signatures, etc.. so to bind them to an application the application would have to detect what a file is and handle it appropiately. This is done now by Kleopatra. Regards, Andre -- Andre Heinecke | ++49-541-335083-262 | http://www.intevation.de/ Intevation GmbH, Neuer Graben 17, 49074 Osnabr?ck | AG Osnabr?ck, HR B 18998 Gesch?ftsf?hrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 630 bytes Desc: This is a digitally signed message part. URL: From htd+ml at fritha.org Tue Oct 4 17:55:30 2016 From: htd+ml at fritha.org (Heinz Diehl) Date: Tue, 4 Oct 2016 17:55:30 +0200 Subject: Terminology - certificate or key ? In-Reply-To: <87ponhr03i.fsf@wheatstone.g10code.de> References: <201610021044.u92AiGNA004672@fire.js.berklix.net> <87ponhr03i.fsf@wheatstone.g10code.de> Message-ID: <20161004155530.GA2060@fritha.org> On 03.10.2016, Werner Koch wrote: > We would call the left one a "normales Vorhangeschloss" (simple > padlock). But the middle one is known as a "Schappschloss" - referring > to the feature that you do not need a key to lock it. The left one is a modular padlock, and the one in the middle is an integrated padlock. According to one of my friends who is a native en_GB speaker. Not shure if this helps, though. I guess most languages simply use "padlock" for both types. Haengeschloss in German, hengel?s in NO, h?ngl?s (SE), h?ngel?s (DK).. From dkg at fifthhorseman.net Tue Oct 4 17:26:59 2016 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Tue, 04 Oct 2016 11:26:59 -0400 Subject: Agent forwarding failure when the socketdir was autodeleted In-Reply-To: <3938401.1pLH0TdMhg@esus> References: <3938401.1pLH0TdMhg@esus> Message-ID: <874m4s9lto.fsf@alice.fifthhorseman.net> On Tue 2016-10-04 08:03:06 -0400, Andre Heinecke wrote: > Using GnuPG 2.1.15 I'm trying to SSH into a remote machine with OpenSSH 6.7 as > described under: > > https://wiki.gnupg.org/AgentForwarding > > The problem is that the remote system uses systemd so /var/run/user/ > exits and GnuPG will use it. > > But if I am not logged in or there is no gnupg process running. systemd > autodeletes /var/run/user//gnupg this causes the remote forward of the > Socket to fail because the directory for the socket does not exist and SSH > won't create it. :-/ If you're not logged in, then how does the remote forward work? aren't you actually still logged in (via ssh) as long as your remote forward is running? --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 930 bytes Desc: not available URL: From aheinecke at intevation.de Tue Oct 4 20:49:00 2016 From: aheinecke at intevation.de (Andre Heinecke) Date: Tue, 04 Oct 2016 20:49 +0200 Subject: Agent forwarding failure when the socketdir was autodeleted In-Reply-To: <874m4s9lto.fsf@alice.fifthhorseman.net> References: <3938401.1pLH0TdMhg@esus> <874m4s9lto.fsf@alice.fifthhorseman.net> Message-ID: <3772820.ua5IrI4zjK@esus> Hi, On Tuesday 04 October 2016 11:26:59 Daniel Kahn Gillmor wrote: > > But if I am not logged in or there is no gnupg process running. systemd > > autodeletes /var/run/user//gnupg this causes the remote forward of > > the > > Socket to fail because the directory for the socket does not exist and SSH > > won't create it. :-/ > > If you're not logged in, then how does the remote forward work? aren't > you actually still logged in (via ssh) as long as your remote forward is > running? Sorry for not formulating this better. You are of course right If I'm not logged in the remote forward is not working. That is not what I meant to say. The problem is, that when I disconnect the /run/.../gnupg dir is deleted and the next time I want to connect and ssh tries to set up the forwarding this will fail because the /run/.../gnupg directory in which the forwarded socket should be created does not exist. Warning: remote port forwarding failed for listen path /var/run/user//gnupg/S.gpg-agent My current workaround is to connect first and start dirmngr on the remote machine (to get the socketdir created and used). And then connect with ssh socket forwarding. This is a bit clunky to use. I've tried placing files in that folder, or to set up permissions to 000 for the gnupg folder (so that gnupg itself does not use it) but to no avail. It's still removed when disconnecting and the next connect will fail. Regards, Andre -- Andre Heinecke | ++49-541-335083-262 | http://www.intevation.de/ Intevation GmbH, Neuer Graben 17, 49074 Osnabr?ck | AG Osnabr?ck, HR B 18998 Gesch?ftsf?hrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 630 bytes Desc: This is a digitally signed message part. URL: From dkg at fifthhorseman.net Tue Oct 4 21:34:25 2016 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Tue, 04 Oct 2016 15:34:25 -0400 Subject: Agent forwarding failure when the socketdir was autodeleted In-Reply-To: <3772820.ua5IrI4zjK@esus> References: <3938401.1pLH0TdMhg@esus> <874m4s9lto.fsf@alice.fifthhorseman.net> <3772820.ua5IrI4zjK@esus> Message-ID: <87eg3v9ada.fsf@alice.fifthhorseman.net> Hi Andre-- On Tue 2016-10-04 14:49:00 -0400, Andre Heinecke wrote: > On Tuesday 04 October 2016 11:26:59 Daniel Kahn Gillmor wrote: >> > But if I am not logged in or there is no gnupg process running. systemd >> > autodeletes /var/run/user//gnupg this causes the remote forward of >> > the >> > Socket to fail because the directory for the socket does not exist and SSH >> > won't create it. :-/ >> >> If you're not logged in, then how does the remote forward work? aren't >> you actually still logged in (via ssh) as long as your remote forward is >> running? > > Sorry for not formulating this better. You are of course right If I'm not > logged in the remote forward is not working. > > That is not what I meant to say. The problem is, that when I disconnect the > /run/.../gnupg dir is deleted and the next time I want to connect and ssh > tries to set up the forwarding this will fail because the /run/.../gnupg > directory in which the forwarded socket should be created does not exist. so /run/user/ exists upon ssh connection, but /run/user//gnupg/ does not, and therefore sshd on the remote side of the pipe can't auto-create the remote socket -- is that the concern? > My current workaround is to connect first and start dirmngr on the remote > machine (to get the socketdir created and used). And then connect with ssh > socket forwarding. This is a bit clunky to use. agreed, that sounds clunky and annoying. I wonder whether ssh's remote socket forwarding ought to try to automatically create the parent directories if they don't already exist. This doesn't solve your problem in the near term if you can't update the remote host, but it seems like the right place to fix this problem. Maybe that's worth asking on openssh-unix-dev at mindrot.org ? > I've tried placing files in that folder, or to set up permissions to 000 for > the gnupg folder (so that gnupg itself does not use it) but to no avail. It's > still removed when disconnecting and the next connect will fail. right, session termination (or machine reboot, etc) should clean up /run/user/ entirely -- that's part of the explicit goal of $XDG_RUNTIME_DIR, aiui. --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 930 bytes Desc: not available URL: From Swetan.Govenkar at pcm.com Tue Oct 4 12:37:40 2016 From: Swetan.Govenkar at pcm.com (Govenkar, Swetan) Date: Tue, 4 Oct 2016 10:37:40 +0000 Subject: Private Key Encryption Message-ID: <9E2067DA11DEA44489C0B8F3CE39836C2EB29B5A@AFS-PW-EX102.afservice.org> Hi Team, We are performing encryption and decryption process. We are using the SUSE Linux 11 SPS3 OS. We want to Encrypt and Sign the file using gpg encryption technique. As a Linux OS root user, we are able to generate keys and perform Encryption, Signing, Verification and Decryption perfectly and we are also able to list the generated keys. We want to use these keys in the SAP R/3 System. The administrator user for the SAP System is SIDADM. In our case it is SF2ADM. We switch the user from root to sf2adm and try to generate the keys using the command gpg --gen-key. But we are not able to enter the passphrase for the key. Instead we are getting the error message stating that "gpg: Cancelled by user" "gpg: Key generation canceled." Please find the attached screenshot of the same. We have tried the following : 1)Adding a new user home using the command addgnupghome 2)gpg-agent --daemon and setting the link to the requires S-gpg-agent in /tmp/ directory. 3)We thought the issue was because of terminal type to be set. We have tried setting GPG_TTY to $tty. But the issue has not been resolved yet. Could you please let us know what is the procedure to perform encryption and decryption using gpg technique on Linux OS without the root user( Using a different user) Thanks and Regards, Swetan G _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ The information contained in this transmission is confidential. It is intended solely for the use of the individual(s) or organization(s) to whom it is addressed. Any disclosure, copying or further distribution is not permitted unless such privilege is explicitly granted in writing by PCM, Inc. Furthermore, PCM, Inc. is not responsible for the proper and complete transmission of the substance of this communication, nor for any delay in its receipt. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: Encryption_Decryption_Error.JPG Type: image/jpeg Size: 99312 bytes Desc: Encryption_Decryption_Error.JPG URL: From wk at gnupg.org Wed Oct 5 09:42:21 2016 From: wk at gnupg.org (Werner Koch) Date: Wed, 05 Oct 2016 09:42:21 +0200 Subject: Agent forwarding failure when the socketdir was autodeleted In-Reply-To: <3772820.ua5IrI4zjK@esus> (Andre Heinecke's message of "Tue, 04 Oct 2016 20:49 +0200") References: <3938401.1pLH0TdMhg@esus> <874m4s9lto.fsf@alice.fifthhorseman.net> <3772820.ua5IrI4zjK@esus> Message-ID: <8760p7i6n6.fsf@wheatstone.g10code.de> On Tue, 4 Oct 2016 20:49, aheinecke at intevation.de said: > My current workaround is to connect first and start dirmngr on the remote > machine (to get the socketdir created and used). And then connect with ssh > socket forwarding. This is a bit clunky to use. You may use gpgconf --create-socketdir to create the directory w/o running any daemon. It is a NOP if the directory already exists. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 162 bytes Desc: not available URL: From stebe at mailbox.org Wed Oct 5 14:27:00 2016 From: stebe at mailbox.org (Stephan Beck) Date: Wed, 05 Oct 2016 12:27:00 +0000 Subject: Agent forwarding failure when the socketdir was autodeleted In-Reply-To: <87eg3v9ada.fsf@alice.fifthhorseman.net> References: <3938401.1pLH0TdMhg@esus> <874m4s9lto.fsf@alice.fifthhorseman.net> <3772820.ua5IrI4zjK@esus> <87eg3v9ada.fsf@alice.fifthhorseman.net> Message-ID: <6f310963-99d2-f1dd-2e68-fce0d6c3a8bc@mailbox.org> Hi, Daniel Kahn Gillmor: > Hi Andre-- > > On Tue 2016-10-04 14:49:00 -0400, Andre Heinecke wrote: > >> On Tuesday 04 October 2016 11:26:59 Daniel Kahn Gillmor wrote: >>>> But if I am not logged in or there is no gnupg process running. systemd >>>> autodeletes /var/run/user//gnupg this causes the remote forward of >>>> the >>>> Socket to fail because the directory for the socket does not exist and SSH >>>> won't create it. :-/ >>> >>> If you're not logged in, then how does the remote forward work? aren't >>> you actually still logged in (via ssh) as long as your remote forward is >>> running? >> >> Sorry for not formulating this better. You are of course right If I'm not >> logged in the remote forward is not working. >> >> That is not what I meant to say. The problem is, that when I disconnect the >> /run/.../gnupg dir is deleted and the next time I want to connect and ssh >> tries to set up the forwarding this will fail because the /run/.../gnupg >> directory in which the forwarded socket should be created does not exist. > > so /run/user/ exists upon ssh connection, but > /run/user//gnupg/ does not, and therefore sshd on the remote side > of the pipe can't auto-create the remote socket -- is that the concern? > >> My current workaround is to connect first and start dirmngr on the remote >> machine (to get the socketdir created and used). And then connect with ssh >> socket forwarding. This is a bit clunky to use. > > agreed, that sounds clunky and annoying. > > I wonder whether ssh's remote socket forwarding ought to try to > automatically create the parent directories if they don't already exist. So, ssh does not even create the socket if you set STREAMBINDUNLINK yes in /etc/ssh/ssh_config (or give the correspondent -o option on the command line, client-side)? If this is the case (still no socket/socketdir creation), it may help adjusting the ~/.profile of the remote account (if permissions allow it) you log into, adding the following, as seen on (1), provided that you log in from the console. Quote follows below. Kyle Amon has provided the following bit for a .bash_profile: # # setup ssh-agent # # set environment variables if user's agent already exists [ -z "$SSH_AUTH_SOCK" ] && SSH_AUTH_SOCK=$(ls -l /tmp/ssh-*/agent.* 2> /dev/null | grep $(whoami) | awk '{print $9}') [ -z "$SSH_AGENT_PID" -a -z `echo $SSH_AUTH_SOCK | cut -d. -f2` ] && SSH_AGENT_PID=$((`echo $SSH_AUTH_SOCK | cut -d. -f2` + 1)) [ -n "$SSH_AUTH_SOCK" ] && export SSH_AUTH_SOCK [ -n "$SSH_AGENT_PID" ] && export SSH_AGENT_PID # start agent if necessary if [ -z $SSH_AGENT_PID ] && [ -z $SSH_TTY ]; then # if no agent & not in ssh eval `ssh-agent -s` > /dev/null fi [Quote end] If you re-connect to the remote machine and login to the user account (from the console) an ssh-agent (if not already started) is (hopefully) being started on the remote machine and creates the directory and socket in /tmp. Or, another idea, is to use a specific local script and execute it on the remote server (or to use COMMAND option from the command line and execute it on the remote server): Quote from (2) Executing a Local Script on a Remote Linux Server $ ssh [user]@[server] 'bash -s' < [local_script] If all this did not help, and, consequently, systemd (itself) on the remote machine had to be tricked into preserving (or automatically recreating) the /gnupg directory, I were a bit lost, but at least I had read through a bunch of very interesting docs I can make use of myself. (1) http://mah.everybody.org/docs/ssh (2) http://www.shellhacks.com/en/Running-Commands-on-a-Remote-Linux-Server-over-SSH Cheers, Stephan -------------- next part -------------- A non-text attachment was scrubbed... Name: 0x4218732B.asc Type: application/pgp-keys Size: 4090 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From stebe at mailbox.org Wed Oct 5 14:44:00 2016 From: stebe at mailbox.org (Stephan Beck) Date: Wed, 05 Oct 2016 12:44:00 +0000 Subject: Agent forwarding failure when the socketdir was autodeleted In-Reply-To: <6f310963-99d2-f1dd-2e68-fce0d6c3a8bc@mailbox.org> References: <3938401.1pLH0TdMhg@esus> <874m4s9lto.fsf@alice.fifthhorseman.net> <3772820.ua5IrI4zjK@esus> <87eg3v9ada.fsf@alice.fifthhorseman.net> <6f310963-99d2-f1dd-2e68-fce0d6c3a8bc@mailbox.org> Message-ID: Oh, just seen Werner's answer :-) Well, I had a good time reading the mentioned docs ;-) Cheers, Stephan Stephan Beck: > Hi, > > Daniel Kahn Gillmor: >> Hi Andre-- >> >> On Tue 2016-10-04 14:49:00 -0400, Andre Heinecke wrote: >> >>> On Tuesday 04 October 2016 11:26:59 Daniel Kahn Gillmor wrote: >>>>> But if I am not logged in or there is no gnupg process running. systemd >>>>> autodeletes /var/run/user//gnupg this causes the remote forward of >>>>> the >>>>> Socket to fail because the directory for the socket does not exist and SSH >>>>> won't create it. :-/ >>>> >>>> If you're not logged in, then how does the remote forward work? aren't >>>> you actually still logged in (via ssh) as long as your remote forward is >>>> running? >>> >>> Sorry for not formulating this better. You are of course right If I'm not >>> logged in the remote forward is not working. >>> >>> That is not what I meant to say. The problem is, that when I disconnect the >>> /run/.../gnupg dir is deleted and the next time I want to connect and ssh >>> tries to set up the forwarding this will fail because the /run/.../gnupg >>> directory in which the forwarded socket should be created does not exist. >> >> so /run/user/ exists upon ssh connection, but >> /run/user//gnupg/ does not, and therefore sshd on the remote side >> of the pipe can't auto-create the remote socket -- is that the concern? >> >>> My current workaround is to connect first and start dirmngr on the remote >>> machine (to get the socketdir created and used). And then connect with ssh >>> socket forwarding. This is a bit clunky to use. >> >> agreed, that sounds clunky and annoying. >> >> I wonder whether ssh's remote socket forwarding ought to try to >> automatically create the parent directories if they don't already exist. > > So, ssh does not even create the socket if you set > STREAMBINDUNLINK yes > in /etc/ssh/ssh_config (or give the correspondent -o option on the > command line, client-side)? > If this is the case (still no socket/socketdir creation), it may help > adjusting the ~/.profile of the remote account (if permissions allow it) > you log into, adding the following, as seen on (1), provided that you > log in from the console. Quote follows below. > > Kyle Amon has provided the following bit for a .bash_profile: > > # > # setup ssh-agent > # > > # set environment variables if user's agent already exists > [ -z "$SSH_AUTH_SOCK" ] && SSH_AUTH_SOCK=$(ls -l /tmp/ssh-*/agent.* 2> > /dev/null | grep $(whoami) | awk '{print $9}') > [ -z "$SSH_AGENT_PID" -a -z `echo $SSH_AUTH_SOCK | cut -d. -f2` ] && > SSH_AGENT_PID=$((`echo $SSH_AUTH_SOCK | cut -d. -f2` + 1)) > [ -n "$SSH_AUTH_SOCK" ] && export SSH_AUTH_SOCK > [ -n "$SSH_AGENT_PID" ] && export SSH_AGENT_PID > > # start agent if necessary > if [ -z $SSH_AGENT_PID ] && [ -z $SSH_TTY ]; then # if no agent & not > in ssh > eval `ssh-agent -s` > /dev/null > fi > > [Quote end] > If you re-connect to the remote machine and login to the user account > (from the console) an ssh-agent (if not already started) is (hopefully) > being started on the remote machine and creates the directory and socket > in /tmp. > Or, another idea, is to use a specific local script and execute it on > the remote server (or to use COMMAND option from the command line and > execute it on the remote server): Quote from (2) > > Executing a Local Script on a Remote Linux Server > > $ ssh [user]@[server] 'bash -s' < [local_script] > > If all this did not help, and, consequently, systemd (itself) on the > remote machine had to be tricked into preserving (or automatically > recreating) the /gnupg directory, I were a bit lost, but at least I had > read through a bunch of very interesting docs I can make use of myself. > > (1) http://mah.everybody.org/docs/ssh > (2) > http://www.shellhacks.com/en/Running-Commands-on-a-Remote-Linux-Server-over-SSH > > > Cheers, > > Stephan > -- Hinweis: Diese E-Mail enth?lt vertrauliche Informationen und ist nur f?r ihren legitimen Empf?nger bestimmt. Ihre Weitergabe oder Vervielf?ltigung gleich welcher Art ist nicht gestattet. Sollten Sie diese E-Mail irrt?mlich erhalten haben, l?schen Sie sie bitte und informieren Sie den Absender. From sbeck at mailbox.org Wed Oct 5 14:43:00 2016 From: sbeck at mailbox.org (Stephan Beck) Date: Wed, 05 Oct 2016 12:43:00 +0000 Subject: Agent forwarding failure when the socketdir was autodeleted In-Reply-To: <6f310963-99d2-f1dd-2e68-fce0d6c3a8bc@mailbox.org> References: <3938401.1pLH0TdMhg@esus> <874m4s9lto.fsf@alice.fifthhorseman.net> <3772820.ua5IrI4zjK@esus> <87eg3v9ada.fsf@alice.fifthhorseman.net> <6f310963-99d2-f1dd-2e68-fce0d6c3a8bc@mailbox.org> Message-ID: <2cc9d35e-f747-250a-856a-0577a8d713d8@mailbox.org> Oh, just seen Werner's answer :-) Well, I had a good time reading the mentioned docs ;-) Cheers, Stephan Stephan Beck: > Hi, > > Daniel Kahn Gillmor: >> Hi Andre-- >> >> On Tue 2016-10-04 14:49:00 -0400, Andre Heinecke wrote: >> >>> On Tuesday 04 October 2016 11:26:59 Daniel Kahn Gillmor wrote: >>>>> But if I am not logged in or there is no gnupg process running. systemd >>>>> autodeletes /var/run/user//gnupg this causes the remote forward of >>>>> the >>>>> Socket to fail because the directory for the socket does not exist and SSH >>>>> won't create it. :-/ >>>> >>>> If you're not logged in, then how does the remote forward work? aren't >>>> you actually still logged in (via ssh) as long as your remote forward is >>>> running? >>> >>> Sorry for not formulating this better. You are of course right If I'm not >>> logged in the remote forward is not working. >>> >>> That is not what I meant to say. The problem is, that when I disconnect the >>> /run/.../gnupg dir is deleted and the next time I want to connect and ssh >>> tries to set up the forwarding this will fail because the /run/.../gnupg >>> directory in which the forwarded socket should be created does not exist. >> >> so /run/user/ exists upon ssh connection, but >> /run/user//gnupg/ does not, and therefore sshd on the remote side >> of the pipe can't auto-create the remote socket -- is that the concern? >> >>> My current workaround is to connect first and start dirmngr on the remote >>> machine (to get the socketdir created and used). And then connect with ssh >>> socket forwarding. This is a bit clunky to use. >> >> agreed, that sounds clunky and annoying. >> >> I wonder whether ssh's remote socket forwarding ought to try to >> automatically create the parent directories if they don't already exist. > > So, ssh does not even create the socket if you set > STREAMBINDUNLINK yes > in /etc/ssh/ssh_config (or give the correspondent -o option on the > command line, client-side)? > If this is the case (still no socket/socketdir creation), it may help > adjusting the ~/.profile of the remote account (if permissions allow it) > you log into, adding the following, as seen on (1), provided that you > log in from the console. Quote follows below. > > Kyle Amon has provided the following bit for a .bash_profile: > > # > # setup ssh-agent > # > > # set environment variables if user's agent already exists > [ -z "$SSH_AUTH_SOCK" ] && SSH_AUTH_SOCK=$(ls -l /tmp/ssh-*/agent.* 2> > /dev/null | grep $(whoami) | awk '{print $9}') > [ -z "$SSH_AGENT_PID" -a -z `echo $SSH_AUTH_SOCK | cut -d. -f2` ] && > SSH_AGENT_PID=$((`echo $SSH_AUTH_SOCK | cut -d. -f2` + 1)) > [ -n "$SSH_AUTH_SOCK" ] && export SSH_AUTH_SOCK > [ -n "$SSH_AGENT_PID" ] && export SSH_AGENT_PID > > # start agent if necessary > if [ -z $SSH_AGENT_PID ] && [ -z $SSH_TTY ]; then # if no agent & not > in ssh > eval `ssh-agent -s` > /dev/null > fi > > [Quote end] > If you re-connect to the remote machine and login to the user account > (from the console) an ssh-agent (if not already started) is (hopefully) > being started on the remote machine and creates the directory and socket > in /tmp. > Or, another idea, is to use a specific local script and execute it on > the remote server (or to use COMMAND option from the command line and > execute it on the remote server): Quote from (2) > > Executing a Local Script on a Remote Linux Server > > $ ssh [user]@[server] 'bash -s' < [local_script] > > If all this did not help, and, consequently, systemd (itself) on the > remote machine had to be tricked into preserving (or automatically > recreating) the /gnupg directory, I were a bit lost, but at least I had > read through a bunch of very interesting docs I can make use of myself. > > (1) http://mah.everybody.org/docs/ssh > (2) > http://www.shellhacks.com/en/Running-Commands-on-a-Remote-Linux-Server-over-SSH > > > Cheers, > > Stephan > -- Hinweis: Diese E-Mail enth?lt vertrauliche Informationen und ist nur f?r ihren legitimen Empf?nger bestimmt. Ihre Weitergabe oder Vervielf?ltigung gleich welcher Art ist nicht gestattet. Sollten Sie diese E-Mail irrt?mlich erhalten haben, l?schen Sie sie bitte und informieren Sie den Absender. From gnupg at jelmail.com Wed Oct 5 17:26:54 2016 From: gnupg at jelmail.com (gnupg at jelmail.com) Date: Wed, 5 Oct 2016 16:26:54 +0100 Subject: Listing signatures in edit mode? Message-ID: I know how to list signatures with "gpg --list-sigs" but is it possible to do so whilst in "gpg --edit-key" mode ? Furthermore, is it possible to limit the list to my own sigs (i.e. when editing/viewing a third-party's key), and without using something like "grep" ? And can I list the cross-certify signatures? The normal "--list-sigs" doesn't show them. Also, and kind-of related, is it possible to delete a specific sig (with "delsig" in edit mode) without having to step through all sigs ? (I did mean delete rather than revoke; the latter at least limits the sig list to one's own.) I've checked the docs but was unable to find the solution, I hope I've missed something.... gpg (GnuPG) 2.1.14 libgcrypt 1.7.2 GNU/Linux 4.6.4-1-ARCH From dkg at fifthhorseman.net Wed Oct 5 19:46:51 2016 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Wed, 05 Oct 2016 13:46:51 -0400 Subject: Agent forwarding failure when the socketdir was autodeleted In-Reply-To: <8760p7i6n6.fsf@wheatstone.g10code.de> References: <3938401.1pLH0TdMhg@esus> <874m4s9lto.fsf@alice.fifthhorseman.net> <3772820.ua5IrI4zjK@esus> <8760p7i6n6.fsf@wheatstone.g10code.de> Message-ID: <8760p67kok.fsf@alice.fifthhorseman.net> On Wed 2016-10-05 03:42:21 -0400, Werner Koch wrote: > On Tue, 4 Oct 2016 20:49, aheinecke at intevation.de said: > >> My current workaround is to connect first and start dirmngr on the remote >> machine (to get the socketdir created and used). And then connect with ssh >> socket forwarding. This is a bit clunky to use. > > You may use > > gpgconf --create-socketdir > > to create the directory w/o running any daemon. It is a NOP if the > directory already exists. The trouble is that the socket directory needs to be created before ssh tries to forward the socket. when doing a forward from the command line, the ssh channel that does socket forwarding is often established before the channel that runs any shell or other interactive behavior. I really think this ought to be handled in OpenSSH. --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 930 bytes Desc: not available URL: From aheinecke at intevation.de Wed Oct 5 21:35:12 2016 From: aheinecke at intevation.de (Andre Heinecke) Date: Wed, 05 Oct 2016 21:35:12 +0200 Subject: Agent forwarding failure when the socketdir was autodeleted In-Reply-To: <8760p67kok.fsf@alice.fifthhorseman.net> References: <3938401.1pLH0TdMhg@esus> <8760p7i6n6.fsf@wheatstone.g10code.de> <8760p67kok.fsf@alice.fifthhorseman.net> Message-ID: <1692039.nYCvrdervT@esus> Hi, On Wednesday 05 October 2016 13:46:51 Daniel Kahn Gillmor wrote: > > You may use > > > > gpgconf --create-socketdir > > > > to create the directory w/o running any daemon. It is a NOP if the > > directory already exists. Yes, that works but it's still a bit cludgy I'd like to have it working in a single ssh command. > The trouble is that the socket directory needs to be created before ssh > tries to forward the socket. when doing a forward from the command > line, the ssh channel that does socket forwarding is often established > before the channel that runs any shell or other interactive behavior. > > I really think this ought to be handled in OpenSSH. Exactly. I wrote a mail to openssh-unix-dev as you suggested to ask about that. Let's see :-) Regards, Andre -- Andre Heinecke | ++49-541-335083-262 | http://www.intevation.de/ Intevation GmbH, Neuer Graben 17, 49074 Osnabr?ck | AG Osnabr?ck, HR B 18998 Gesch?ftsf?hrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 630 bytes Desc: This is a digitally signed message part. URL: From gnupg at jelmail.com Thu Oct 6 17:21:06 2016 From: gnupg at jelmail.com (John Lane) Date: Thu, 6 Oct 2016 16:21:06 +0100 Subject: using with su/sudo Message-ID: <5b0353b0-81e0-a02e-67dc-74d8bdeca3ad@jelmail.com> The requirement for tty ownership for commands where pinentry is required causes problems for shells opened with sudo or su, where such commands generally result in a "permission denied" kind of error: $ gpg -d /tmp/encrypted.asc gpg: public key decryption failed: Permission denied I can use "script" to work around this but it is a bit of a hack that relies on the fact that "script" creates a new tty owned by the current user: $ script -q -c 'gpg -d /tmp/encrypted.asc' Is there a correct way to make gpg play nicely inside su/sudo ? PS I am using su/sudo to change to another unprivileged user, not root. Thanks, John From wk at gnupg.org Thu Oct 6 09:11:04 2016 From: wk at gnupg.org (Werner Koch) Date: Thu, 06 Oct 2016 09:11:04 +0200 Subject: Listing signatures in edit mode? In-Reply-To: (gnupg@jelmail.com's message of "Wed, 5 Oct 2016 16:26:54 +0100") References: Message-ID: <87twcqdkaf.fsf@wheatstone.g10code.de> On Wed, 5 Oct 2016 17:26, gnupg at jelmail.com said: > I know how to list signatures with "gpg --list-sigs" but is it possible > to do so whilst in "gpg --edit-key" mode ? There is a "check" command which does the same as --check-sigs. However, I just realized that there is a regression in 2.1 in that it does not list them anymore. Needs to be fixed. > Furthermore, is it possible to limit the list to my own sigs (i.e. when > editing/viewing a third-party's key), and without using something like > "grep" ? No. > And can I list the cross-certify signatures? The normal "--list-sigs" > doesn't show them. What to you mean by this? > Also, and kind-of related, is it possible to delete a specific sig (with > "delsig" in edit mode) without having to step through all sigs ? No, there is no easy way to identify a signature and thus we have not implemented it. Note that we won't add new features before the release fo 2.2, though. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 162 bytes Desc: not available URL: From gnupg at jelmail.com Thu Oct 6 21:10:05 2016 From: gnupg at jelmail.com (John Lane) Date: Thu, 6 Oct 2016 20:10:05 +0100 Subject: Listing signatures in edit mode? In-Reply-To: <87twcqdkaf.fsf@wheatstone.g10code.de> References: <87twcqdkaf.fsf@wheatstone.g10code.de> Message-ID: On 06/10/16 08:11, Werner Koch wrote: > On Wed, 5 Oct 2016 17:26, gnupg at jelmail.com said: >> I know how to list signatures with "gpg --list-sigs" but is it possible >> to do so whilst in "gpg --edit-key" mode ? > > There is a "check" command which does the same as --check-sigs. > However, I just realized that there is a regression in 2.1 in that it > does not list them anymore. Needs to be fixed. > good to know, thanks. > >> And can I list the cross-certify signatures? The normal "--list-sigs" >> doesn't show them. > > What to you mean by this? > Perhaps I have misunderstood this: https://www.gnupg.org/faq/subkey-cross-certify.en.html where it says "Subkey cross-certification (sometimes called "back signing") involves the subkey issuing a signature on the primary key, just like the primary key signature on the subkey." I was wondering, just for my education, how I can see such signatures. I don't think they show on "--list-sigs", for example: gpg --keyid-format short --list-sigs freddy pub rsa2048/1E8BB8D0 2016-10-06 [SC] uid [ultimate] Freddy Test sig 3 1E8BB8D0 2016-10-06 Freddy Test sub rsa2048/FC91A390 2016-10-06 [E] sig 1E8BB8D0 2016-10-06 Freddy Test sub rsa2048/63AB1D1A 2016-10-06 [S] sig 1E8BB8D0 2016-10-06 Freddy Test Would I not expect to see sigs by FC91A390 and 63AB1D1A on E8BB8D0 ? From wk at gnupg.org Thu Oct 6 20:27:19 2016 From: wk at gnupg.org (Werner Koch) Date: Thu, 06 Oct 2016 20:27:19 +0200 Subject: Listing signatures in edit mode? In-Reply-To: (John Lane's message of "Thu, 6 Oct 2016 20:10:05 +0100") References: <87twcqdkaf.fsf@wheatstone.g10code.de> Message-ID: <8737k9e3js.fsf@wheatstone.g10code.de> On Thu, 6 Oct 2016 21:10, gnupg at jelmail.com said: > where it says "Subkey cross-certification (sometimes called "back > signing") involves the subkey issuing a signature on the primary key, Ah well, this is a property of the key binding signature for signature subkeys. You can look at them using --list-packets. Gpg will warn if the backsig is missing. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 162 bytes Desc: not available URL: From peter at digitalbrains.com Thu Oct 6 20:41:34 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Thu, 6 Oct 2016 20:41:34 +0200 Subject: Listing signatures in edit mode? In-Reply-To: References: <87twcqdkaf.fsf@wheatstone.g10code.de> Message-ID: <3b45153e-6e8c-ee8b-920e-96a0d4c5f2de@digitalbrains.com> On 06/10/16 21:10, John Lane wrote: > Would I not expect to see sigs by FC91A390 and 63AB1D1A on E8BB8D0 ? No, the cross-certification signature is part of the signature of 1E8BB8D0 on 63AB1D1A. This cross-certification signature is not really that well visible. For instance, take my key: -----------------8<------------------->8----------------- pub rsa2048/DE500B3E 2009-11-12 [C] [expires: 2017-10-19] uid [ultimate] Peter Lebbing sub rsa2048/DE6CDCA1 2009-11-12 [S] [expires: 2017-10-19] sub rsa2048/73A33BEE 2009-11-12 [E] [expires: 2017-10-19] sub rsa2048/B65D8246 2009-12-05 [A] [expires: 2017-10-19] -----------------8<------------------->8----------------- If you do $ gpg2 --export-options export-minimal --export de500b3e|gpg2 --list-packets |less you get a big amount of technical detail (I've left out certifications by other people, or I would have been swamped by irrelevant data and would have lost track). Among it we see a signature of DE500B3E on DE6CDCA1: -----------------8<------------------->8----------------- :signature packet: algo 1, keyid AC46EFE6DE500B3E version 4, created 1445346807, md5len 0, sigclass 0x18 digest algo 2, begin of digest 65 31 hashed subpkt 27 len 1 (key flags: 02) hashed subpkt 2 len 4 (sig created 2015-10-20) hashed subpkt 9 len 4 (key expires after 7y342d23h58m) subpkt 32 len 284 (signature: v4, class 0x19, algo 1, digest algo 2) subpkt 16 len 8 (issuer key ID AC46EFE6DE500B3E) data: [2046 bits] -----------------8<------------------->8----------------- If I'm not mistaken, the cross-certification signature is "subpkt 32", but unfortunately it is not parsed by --list-packets. What broadly happens, if memory serves me correctly, is that DE6CDCA1 issues a signature on DE500B3E, which becomes the subpkt 32. Then DE500B3E issues this whole signature packet, which includes the signature just made by DE6CDCA1. The gory details are in RFC 4880. Note that only signing subkeys issue a cross-certification, not encryption or authentication subkeys. Some encryption subkeys might even be mathematically incapable of issuing such a signature, depending on the type. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From gnupg at jelmail.com Thu Oct 6 22:55:26 2016 From: gnupg at jelmail.com (John Lane) Date: Thu, 6 Oct 2016 21:55:26 +0100 Subject: Listing signatures in edit mode? In-Reply-To: <3b45153e-6e8c-ee8b-920e-96a0d4c5f2de@digitalbrains.com> References: <87twcqdkaf.fsf@wheatstone.g10code.de> <3b45153e-6e8c-ee8b-920e-96a0d4c5f2de@digitalbrains.com> Message-ID: On 06/10/16 19:41, Peter Lebbing wrote: > On 06/10/16 21:10, John Lane wrote: >> Would I not expect to see sigs by FC91A390 and 63AB1D1A on E8BB8D0 ? > No, the cross-certification signature is part of the signature of > 1E8BB8D0 on 63AB1D1A. This cross-certification signature is not really > that well visible. > > For instance, take my key: > > -----------------8<------------------->8----------------- > pub rsa2048/DE500B3E 2009-11-12 [C] [expires: 2017-10-19] > uid [ultimate] Peter Lebbing > sub rsa2048/DE6CDCA1 2009-11-12 [S] [expires: 2017-10-19] > sub rsa2048/73A33BEE 2009-11-12 [E] [expires: 2017-10-19] > sub rsa2048/B65D8246 2009-12-05 [A] [expires: 2017-10-19] > -----------------8<------------------->8----------------- > > If you do > > $ gpg2 --export-options export-minimal --export de500b3e|gpg2 > --list-packets |less > > you get a big amount of technical detail (I've left out certifications > by other people, or I would have been swamped by irrelevant data and > would have lost track). Among it we see a signature of DE500B3E on DE6CDCA1: > > -----------------8<------------------->8----------------- > :signature packet: algo 1, keyid AC46EFE6DE500B3E > version 4, created 1445346807, md5len 0, sigclass 0x18 > digest algo 2, begin of digest 65 31 > hashed subpkt 27 len 1 (key flags: 02) > hashed subpkt 2 len 4 (sig created 2015-10-20) > hashed subpkt 9 len 4 (key expires after 7y342d23h58m) > subpkt 32 len 284 (signature: v4, class 0x19, algo 1, digest algo 2) > subpkt 16 len 8 (issuer key ID AC46EFE6DE500B3E) > data: [2046 bits] > -----------------8<------------------->8----------------- > > If I'm not mistaken, the cross-certification signature is "subpkt 32", > but unfortunately it is not parsed by --list-packets. What broadly > happens, if memory serves me correctly, is that DE6CDCA1 issues a > signature on DE500B3E, which becomes the subpkt 32. Then DE500B3E issues > this whole signature packet, which includes the signature just made by > DE6CDCA1. > > The gory details are in RFC 4880. great explanation, thanks. found it in rfc too 0x19 "primary key binding signature" (sec 5.2.1, 5.2.4, 11.1). Sec 15 notes interestingly that "implementing software may handle these [keys without a back signature] as it sees fit" I think the page I quoted misled me when it said this binding signature was "just like the primary key signature on the subkey" which, while conceptually true, isn't technically true. but I get it now, so another thing learnt. thanks v. much. > > Note that only signing subkeys issue a cross-certification, not > encryption or authentication subkeys. Some encryption subkeys might even > be mathematically incapable of issuing such a signature, depending on > the type. > > HTH, > > Peter. > From jernst at invacarecontractor.com Thu Oct 6 14:38:33 2016 From: jernst at invacarecontractor.com (Jim Ernst) Date: Thu, 6 Oct 2016 12:38:33 +0000 Subject: Syntax Question on GPG2 on LINUX Message-ID: Hello All - I am working in a LINUX environment using GPG version 2.1.15 Can anyone give me the syntax to use gpg2 to create a signed, encrypted file using a passphrase in a LINUX shell script ? This is being run from Oracle EBS on a schedule so there would not be a user interacting to answer prompts. With this mode, is there any terminal settings I would need to set ? Thanks !! Jim Ernst NTT Data NOTE: The sender of this email is an independent contractor of Invacare Corporation or one of its subsidiaries. CONFIDENTIALITY NOTICE: The information in this e-mail message and any attachments may contain privileged, confidential or proprietary information, including confidential health information, protected by applicable Federal or state laws. Such information is intended only for the recipient named above. If you are not the intended recipient, please notify the sender immediately, and take notice that any use, disclosure or distribution of such information is prohibited by law. -------------- next part -------------- An HTML attachment was scrubbed... URL: From sbutler at fchn.com Thu Oct 6 22:19:43 2016 From: sbutler at fchn.com (Steve Butler) Date: Thu, 6 Oct 2016 20:19:43 +0000 Subject: Syntax Question on GPG2 on LINUX In-Reply-To: References: Message-ID: <52ed70c72bc8454b946d0799fc097ffb@t1l1exchmbs-01.fchn.com> Jim, I don't use modern but I do have a script for classic that works in unattended mode on a Linux box. The caller knows the input file name and the script knows my passphrase -- default gpg_pass2. Hope this helps with gpg2! --Steve $ cat gpg_encrypt #!/bin/ksh usage="gpg_encrypt [ -a -b -e ext -n -s ] PK_ID source" # # Interface script for edi and ftpexec to encrypt files vi GnuPG # # -a Use Ascii Armor (--armor switch) # -b Use binary (e.g. opposite of -a) # -e Use ext as value of file extension (defaults to pgp when not specified) # -n Do not sign (e.g. opposite of -s) # -s Sign using key for helpdesk at fchn.com as signing key # For conflicting options, the last one entered takes precedence. # # PK_ID Key ID to which the file is to be encrypted. # source Source file name to encrypt. # # Encryptes to a file of source.ext and name is echoed to stdlist XRG_DBA=${XRG_DBA:=/usr/xrg_dba} xrgbin=$XRG_DBA/bin homedir=$($xrgbin/default gpg_home) EXT=pgp ARMOR="" SIGN="--sign" while getopts ":abe:ns" opt do case $opt in a) ARMOR="--armor" ;; b) ARMOR="" ;; e) EXT=$OPTARG ;; n) SIGN="" ;; s) SIGN="--sign" ;; *) echo $usage exit 2 ;; esac done shift $(($OPTIND - 1)) if [[ $# -ne 2 ]]; then echo "gpg_encrypt: Must supply 2 parameters" >&2 echo " usage: $usage" >&2 exit 99 fi rm -f "$2.$EXT" > /dev/null if [[ -z $SIGN ]]; then gpg --batch --homedir $homedir --quiet --no-tty --always-trust $ARMOR \ --no-permission-warning --recipient $1 --output "$2.$EXT" --encrypt "$2" x=$? else $xrgbin/default gpg_pass2 | gpg \ --batch --homedir $homedir --quiet --no-tty --always-trust $ARMOR \ --sign --passphrase-fd 0 --default-key helpdesk at fchn.com \ --no-permission-warning --recipient $1 --output "$2.$EXT" --encrypt "$2" x=$? fi if [ $x -ne 0 ]; then echo "gpg_encrypt: gpg failure code '$x'" >&2 fi echo "$2.$EXT" exit $x # From: Gnupg-users [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Jim Ernst Sent: Thursday, October 06, 2016 5:39 AM To: gnupg-users at gnupg.org Subject: Syntax Question on GPG2 on LINUX Hello All - I am working in a LINUX environment using GPG version 2.1.15 Can anyone give me the syntax to use gpg2 to create a signed, encrypted file using a passphrase in a LINUX shell script ? This is being run from Oracle EBS on a schedule so there would not be a user interacting to answer prompts. With this mode, is there any terminal settings I would need to set ? Thanks !! Jim Ernst NTT Data NOTE: The sender of this email is an independent contractor of Invacare Corporation or one of its subsidiaries. CONFIDENTIALITY NOTICE: The information in this e-mail message and any attachments may contain privileged, confidential or proprietary information, including confidential health information, protected by applicable Federal or state laws. Such information is intended only for the recipient named above. If you are not the intended recipient, please notify the sender immediately, and take notice that any use, disclosure or distribution of such information is prohibited by law. -- CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gniibe at fsij.org Fri Oct 7 04:56:14 2016 From: gniibe at fsij.org (NIIBE Yutaka) Date: Fri, 7 Oct 2016 11:56:14 +0900 Subject: using with su/sudo In-Reply-To: <5b0353b0-81e0-a02e-67dc-74d8bdeca3ad@jelmail.com> References: <5b0353b0-81e0-a02e-67dc-74d8bdeca3ad@jelmail.com> Message-ID: <02221751-161d-12d5-541f-f5a7959b74c8@fsij.org> On 10/07/2016 12:21 AM, John Lane wrote: > The requirement for tty ownership for commands where pinentry is > required causes problems for shells opened with sudo or su, where > such commands generally result in a "permission denied" kind of error: > > $ gpg -d /tmp/encrypted.asc > gpg: public key decryption failed: Permission denied > > I can use "script" to work around this but it is a bit of a hack that > relies on the fact that "script" creates a new tty owned by the current > user: > > $ script -q -c 'gpg -d /tmp/encrypted.asc' > > Is there a correct way to make gpg play nicely inside su/sudo ? One possible way is invoking gpg with an option --pinentry-mode=loopback. I confirmed this issue with TTY. The cause is that pinentry cannot open the TTY in question in the situation of its owner is original user. It's EACCESS (Permission denied) to TTY device when pinentry tries to open the TTY. I created a ticket at the bug tracker. https://bugs.gnupg.org/gnupg/issue2739 With the situation of gpg-agent's allow-loopback-pinentry is default now, perhaps, it would be the best (from the user's viewpoint) that gpg-agent automatically fallbacks to loopback mode. On window system, I think it doesn't work either... -- From gnupg at jelmail.com Fri Oct 7 12:45:02 2016 From: gnupg at jelmail.com (John Lane) Date: Fri, 7 Oct 2016 11:45:02 +0100 Subject: using with su/sudo In-Reply-To: <02221751-161d-12d5-541f-f5a7959b74c8@fsij.org> References: <5b0353b0-81e0-a02e-67dc-74d8bdeca3ad@jelmail.com> <02221751-161d-12d5-541f-f5a7959b74c8@fsij.org> Message-ID: > One possible way is invoking gpg with an option > --pinentry-mode=loopback. Yes, just tried this. It works but you lose the pinentry dialog. > I created a ticket at the bug tracker. > > https://bugs.gnupg.org/gnupg/issue2739 > thanks for creating the ticket. > With the situation of gpg-agent's allow-loopback-pinentry is default > now, perhaps, it would be the best (from the user's viewpoint) that > gpg-agent automatically fallbacks to loopback mode. I agree, although I think the loopback mode is less clear in what password it's asking for (especially in keygen). At least it would work. From rjh at sixdemonbag.org Fri Oct 7 17:52:09 2016 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri, 7 Oct 2016 11:52:09 -0400 Subject: gnupg-for-java Message-ID: <02e301d220b2$c39a1bd0$4ace5370$@sixdemonbag.org> A while ago someone was trying to update gnupg-for-java to work with a more modern environment. Does anyone remember who did that work, or where I could find it? The version of gnupg-for-java I'm downloading from Guardian Project's github account has dependencies on a lot of old stuff and I'm having the devil's own time getting it built on macOS Sierra (Java 1.8, GPGME 1.7). Before I dig deeper into this to fix my problems and bring it up to date, I thought I'd check and see if someone had already done so and saved me the effort. :) From antony at blazrsoft.com Fri Oct 7 21:15:26 2016 From: antony at blazrsoft.com (Antony Prince) Date: Fri, 07 Oct 2016 15:15:26 -0400 Subject: gnupg-for-java In-Reply-To: <02e301d220b2$c39a1bd0$4ace5370$@sixdemonbag.org> References: <02e301d220b2$c39a1bd0$4ace5370$@sixdemonbag.org> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On October 7, 2016 11:52:09 AM EDT, "Robert J. Hansen" wrote: >A while ago someone was trying to update gnupg-for-java to work with a >more >modern environment. Does anyone remember who did that work, or where I >could find it? The version of gnupg-for-java I'm downloading from >Guardian >Project's github account has dependencies on a lot of old stuff and I'm >having the devil's own time getting it built on macOS Sierra (Java 1.8, >GPGME 1.7). Before I dig deeper into this to fix my problems and bring >it >up to date, I thought I'd check and see if someone had already done so >and >saved me the effort. :) I played around with it a bit months ago (maybe longer), but I never made any concrete progress on it other than compiling it on Ubuntu and doing some simple operations through it. I don't think I had anything that would have helped with the Mac situation. - -- Antony -----BEGIN PGP SIGNATURE----- iQJCBAEBCgAsJRxBbnRvbnkgUHJpbmNlIDxhbnRvbnlAYmxhenJzb2Z0LmNvbT4F Alf39EQACgkQrz1AhzAbGxnTAA//UrxwaxnTQS0euBgBMNK6KptCzY6CluVuD5VV xp06aOrbtSb9ygCYt7xLsXFtPW8clkJwDqAjQ38fzfhJdby+BapiKzOgXEl7TfsX vpdgFiLv42RnTazVcnWxkki0WI57u6RUSdoEwYfcsY6KAeIK6wbPK91z42ZllpLV a2QW3r3BX0xHvZZi1tl5ZWjxIS2XLkCnacYtPSfsyJINFlntJHgFtMGbaHF/G3gC YmApXOg7tomNkLDe7RLpyMcMLkYFuJaAe2gIxc5so5stxmVKb66SdAZKYEQDsmr4 s4kxKClue8inTLBl6BUyIaYfbsWi6SGwOT9NlGAoKHf49SxvJGWJczVwa2lAFYNH Y4GeBeHrBMTPCcwN5J6CkxqgR0omBrARkUnQv2z6+UPYRw5wwdTyfG5jUa57QQzf LJLiOtZHkQVYCaWT8+ljM0EN7uCkU5nuLm/ezBssNPxwyOYYuRATrIjSyePW7CaA Y+FGYPAHOUKqAmuuABsNaJEKoYdkCeL/IkiW3pqETpjo3HRXGHiHOvF1+fRKBdIe 7jLsBybUCLs2TRzqFrazijY9HF28Ynm8Hstrgl0C5ssxIUde756as5djTEkWNi6B xJp6bPKgBSfr4x1N/JOgmQQaBVYVuH/LM/V58Zot62S1Iz3NC36pzhoiFshJpROF WmNyBLw= =YTN+ -----END PGP SIGNATURE----- From jernst at invacarecontractor.com Fri Oct 7 22:59:44 2016 From: jernst at invacarecontractor.com (Jim Ernst) Date: Fri, 7 Oct 2016 20:59:44 +0000 Subject: Linux GPG2 Encryption Getting Intermittent gpg: signing failed: Inappropriate ioctl for device When Run From Oracle Apps Message-ID: Hello All - I am using the following code with gpg (GnuPG) 2.1.15, and when run on Linux submitted from an Oracle EBS Apps request it errors with "gpg: signing failed: Inappropriate ioctl for device": /usr/local/bin/gpg2 -v --batch --no-tty --output $v_outbound_dir/$v_fname_sign --encrypt --recipient $v_recipient --passphrase $v_passphrase --sign $v_sd_name/$v_fn ame_in The process will work then the error will suddenly occur when there has been no change in the statement. Has anyone hit something like this before ? I notice the error message has "gpg:"; does gpg2 start its' messages this way or with "gpg2:" ? Thanks, James Ernst NTT Data NOTE: The sender of this email is an independent contractor of Invacare Corporation or one of its subsidiaries. CONFIDENTIALITY NOTICE: The information in this e-mail message and any attachments may contain privileged, confidential or proprietary information, including confidential health information, protected by applicable Federal or state laws. Such information is intended only for the recipient named above. If you are not the intended recipient, please notify the sender immediately, and take notice that any use, disclosure or distribution of such information is prohibited by law. -------------- next part -------------- An HTML attachment was scrubbed... URL: From passionate_programmer at hotmail.com Sat Oct 8 08:58:12 2016 From: passionate_programmer at hotmail.com (Rohit P) Date: Sat, 8 Oct 2016 06:58:12 +0000 Subject: RSA 4096-bit Key Message-ID: I am using latest version of GPG. I noticed there is no option to generate RSA 4096-bit key. The same goes with DSA. In older versions of GnuPG, this key size was supported. ......................... Regards, RP -------------- next part -------------- An HTML attachment was scrubbed... URL: From passionate_programmer at hotmail.com Sat Oct 8 09:02:00 2016 From: passionate_programmer at hotmail.com (Rohit P) Date: Sat, 8 Oct 2016 07:02:00 +0000 Subject: GnuPG vs. GPG4Win Message-ID: In Older versions of GnuPG, a system tray icon used to appear with an option to encrypt text on current window. Newer versions of GnuPG has no such option. I am not understanding the difference between GnuPG and GPG4Win. Are these one and the same thing? Windows binary is not available for download from GnuPG site. -------------- next part -------------- An HTML attachment was scrubbed... URL: From herbert at mailbox.org Sat Oct 8 09:17:21 2016 From: herbert at mailbox.org (Herbert J. Skuhra) Date: Sat, 08 Oct 2016 09:17:21 +0200 Subject: RSA 4096-bit Key In-Reply-To: References: Message-ID: <86fuo7z4vy.wl-herbert@mailbox.org> Rohit P skrev: > > I am using latest version of GPG. I noticed there is no option to generate RSA 4096-bit key. The same goes with DSA. > In older versions of GnuPG, this key size was supported. % man gpg % gpg --full-gen-key -- Herbert From 2014-667rhzu3dc-lists-groups at riseup.net Sat Oct 8 12:05:43 2016 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Sat, 8 Oct 2016 11:05:43 +0100 Subject: Terminology - certificate or key ? In-Reply-To: <20161004155530.GA2060@fritha.org> References: <201610021044.u92AiGNA004672@fire.js.berklix.net> <87ponhr03i.fsf@wheatstone.g10code.de> <20161004155530.GA2060@fritha.org> Message-ID: <70523197.20161008110543@riseup.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Tuesday 4 October 2016 at 4:55:30 PM, in , Heinz Diehl wrote:- > The left one is a modular padlock, and the one in the middle is an > integrated padlock. According to one of my friends who is a native > en_GB speaker. As a native en_GB speaker I had never heard those terms. A quick internet search lead me to [0]. "And while this was happening Yale was creating the first modular padlock (up until this point all padlocks had used integrated locking mechanisms). These new modular locking mechanics allowed the locks to be serviced and rekeyed because all components could be removed and reconstructed." [0] - -- Best regards MFPA Don't ask me, I'm making this up as I go! -----BEGIN PGP SIGNATURE----- iL4EARYKAGYFAlf4xQFfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldDMzQUNFRDRFRTkxMzRFRUJERTZBODUwNjE3 MTJCQzQ2MUFGNzc4RTQACgkQFxK8Rhr3eORtbgD/SdtqmwhRwikMctU60kBlV1uL 25LDktr9ROYwIiLGz1EA/RxrxAt5sge054QBLQYhVfd9NquFYPGkGfANZcyRHjgB iQF8BAEBCgBmBQJX+MUVXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2 QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwFtcH+wYIrS/sAk2+J/pVnK7o6oQR tdFhFSUMvKuO/fQpliCSKRabYn1MOOsLA8ph06FF+mgdMrkTkyacNBbld7kaoL3b VikeQk38+7RezBL7eBhkz+wthUPmLQNoBuI7jtgpM1aJTd3XTxmUmrl8PeAvwXp9 IMJNRqXsepdKBfCRxM2OHwo4rvJ4dWJME8ckYLRrKL6MKYSGju2veBtYiwOm/TIp MXB115KgbM3Xaym2IMM7GZIJ9V3rux9T4zFmqfSfS31AryFohUWKwGZunckSUzLk lKDpWeZdC9QTJVAVrKbL5cXsdvF7Q85f8MlGTbhUGb1kP7yjdaBvtHcZA8lsrsM= =RnKK -----END PGP SIGNATURE----- --- This email has been checked for viruses by Avast antivirus software. https://www.avast.com/antivirus From 2014-667rhzu3dc-lists-groups at riseup.net Sat Oct 8 12:24:57 2016 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Sat, 8 Oct 2016 11:24:57 +0100 Subject: GnuPG vs. GPG4Win In-Reply-To: References: Message-ID: <1552263190.20161008112457@riseup.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Saturday 8 October 2016 at 8:02:00 AM, in , Rohit P wrote:- > In Older versions of GnuPG, a system tray icon used to appear with > an option to encrypt text on current window. Newer versions of GnuPG > has no such option. That would come from some frontend or Explorer plugin, not from GnuPG itself. > I am not understanding the difference between GnuPG and GPG4Win. > Are these one and the same thing? GPG4win is GnuPG 2.0.x bundled with a choice of certificate managers, plugins for Outlook and Windows Explorer, and the Gpg4win Compendium documentation. They also have "light" and "vanilla" downloads that eschew some or all of the extras. > Windows binary is not available for download from GnuPG site. Windows binaries for GnuPG versions 2.1.x and 1.4.x are the second and third items listed at . The first list item points you to the GPG4win download page. - -- Best regards MFPA It is easy to propose impossible remedies. -----BEGIN PGP SIGNATURE----- iL4EARYKAGYFAlf4yXlfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldDMzQUNFRDRFRTkxMzRFRUJERTZBODUwNjE3 MTJCQzQ2MUFGNzc4RTQACgkQFxK8Rhr3eOR2PgEApRaq79a3JIx8w5eTBIn8QnRh h8uxU4uin0PUXPgKZQQA/0j5JyRNqlbmhc2xzuUc8ALK8PdPY+XUzcKXm72KS3AC iQF8BAEBCgBmBQJX+Ml5XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2 QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwBCUIAIk1Aa9lGYWTp1ka17q1Fzki XVYdXE6PQ+zDmS9D9v5MF1NDI281pkJmxE/fMe7zlxJ0I9QYJMS/XFBX/ZsrXZVE bgwSJpVS2EPGh3WpAZihphImlkMZ59GzK6QVqdYGKuW6J3JaLpdUHV/MNle1g+sK cWgXu9Qa+Jid56MTUnRimqngAFOjKpPBhPcsLgfs7xn7yEC3U/SCae5pUMjt98Lz UKoMrQh1zPMGmArAyn2rSVMlKOzk+7GYC4++GNwXM3YciREuE8WLq+GKYRZu6Fcs xD34jFGxvmMFu0Hk5kJMoEc72+eKrU3P3sf2EAsILCrIS0n12rEnodNgnuUgAzU= =ymqs -----END PGP SIGNATURE----- --- This email has been checked for viruses by Avast antivirus software. https://www.avast.com/antivirus From peter at digitalbrains.com Sat Oct 8 12:59:40 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Sat, 8 Oct 2016 12:59:40 +0200 Subject: Linux GPG2 Encryption Getting Intermittent gpg: signing failed: Inappropriate ioctl for device When Run From Oracle Apps In-Reply-To: References: Message-ID: <920f0488-b9f8-d589-0a50-6f25ba110b93@digitalbrains.com> On 07/10/16 22:59, Jim Ernst wrote: > I am using the following code with gpg (GnuPG) 2.1.15, and when run on > Linux submitted from an Oracle EBS Apps request it errors with ?gpg: > signing failed: Inappropriate ioctl for device?: This sounds like the bug . The bug is that the error message is quite unclear, but means that the program was unable to prompt for a passphrase with a pinentry. > /usr/local/bin/gpg2 -v --batch --no-tty --output > $v_outbound_dir/$v_fname_sign --encrypt --recipient $v_recipient > --passphrase $v_passphrase --sign $v_sd_name/$v_fn I find it odd that this even works as intended for you at all. I usually get confused as to which versions of GnuPG support which methods of unusual passphrase entry, but my GnuPG 2.1.11 [1] does not respect the --passphrase argument at all. It simply prompts me for the passphrase through a pinentry anyway. So my guess is that the "intermittent" behaviour you see is that when the passphrase is known and cached, it will run okay, ignoring your --passphrase argument. But when it needs to know the passphrase, it will error out since it can't locate a method to interact with you. Usually, the --passphrase argument makes no sense from a security standpoint. You encrypt the private key because you don't want anyone with access to that file to directly have your private key. Yet, they only need to access the file with your script to simply obtain the passphrase there. You've only changed the scenario from "there's one interesting file" to "you need two files". That's not very useful. Another point is that the passphrase is plainly in the process list when someone does a "ps ax" while GnuPG is running. For unattended signing, I think usually you either store the private key unencrypted (or at least, the signing subkey), or you prime the passphrase cache when you boot the server, with gpg-preset-passphrase. But I don't know much about scripting GnuPG effectively. HTH, Peter. [1] I should start compiling my own newer versions, but haven't started yet. I run Debian jessie/stable, and the newest versions of GnuPG 2.1 for testing and unstable are not easily installable on stable. That's why I'm a tad behind. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From passionate_programmer at hotmail.com Sat Oct 8 14:46:19 2016 From: passionate_programmer at hotmail.com (Rohit P) Date: Sat, 8 Oct 2016 12:46:19 +0000 Subject: GnuPG vs. GPG4Win In-Reply-To: <1552263190.20161008112457@riseup.net> References: , <1552263190.20161008112457@riseup.net> Message-ID: Thanks. I downloaded the second item from the link you provided. It has no front-end and the readme file says it can be run only from command-line. ................ RP ________________________________ From: MFPA <2014-667rhzu3dc-lists-groups at riseup.net> Sent: Saturday, October 8, 2016 3:54 PM To: Rohit P on GnuPG-Users Cc: Rohit P Subject: Re: GnuPG vs. GPG4Win -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Saturday 8 October 2016 at 8:02:00 AM, in , Rohit P wrote:- > In Older versions of GnuPG, a system tray icon used to appear with > an option to encrypt text on current window. Newer versions of GnuPG > has no such option. That would come from some frontend or Explorer plugin, not from GnuPG itself. > I am not understanding the difference between GnuPG and GPG4Win. > Are these one and the same thing? GPG4win is GnuPG 2.0.x bundled with a choice of certificate managers, plugins for Outlook and Windows Explorer, and the Gpg4win Compendium documentation. They also have "light" and "vanilla" downloads that eschew some or all of the extras. > Windows binary is not available for download from GnuPG site. Windows binaries for GnuPG versions 2.1.x and 1.4.x are the second and third items listed at . The first list item points you to the GPG4win download page. - -- Best regards MFPA It is easy to propose impossible remedies. -----BEGIN PGP SIGNATURE----- iL4EARYKAGYFAlf4yXlfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldDMzQUNFRDRFRTkxMzRFRUJERTZBODUwNjE3 MTJCQzQ2MUFGNzc4RTQACgkQFxK8Rhr3eOR2PgEApRaq79a3JIx8w5eTBIn8QnRh h8uxU4uin0PUXPgKZQQA/0j5JyRNqlbmhc2xzuUc8ALK8PdPY+XUzcKXm72KS3AC iQF8BAEBCgBmBQJX+Ml5XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2 QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwBCUIAIk1Aa9lGYWTp1ka17q1Fzki XVYdXE6PQ+zDmS9D9v5MF1NDI281pkJmxE/fMe7zlxJ0I9QYJMS/XFBX/ZsrXZVE bgwSJpVS2EPGh3WpAZihphImlkMZ59GzK6QVqdYGKuW6J3JaLpdUHV/MNle1g+sK cWgXu9Qa+Jid56MTUnRimqngAFOjKpPBhPcsLgfs7xn7yEC3U/SCae5pUMjt98Lz UKoMrQh1zPMGmArAyn2rSVMlKOzk+7GYC4++GNwXM3YciREuE8WLq+GKYRZu6Fcs xD34jFGxvmMFu0Hk5kJMoEc72+eKrU3P3sf2EAsILCrIS0n12rEnodNgnuUgAzU= =ymqs -----END PGP SIGNATURE----- --- This email has been checked for viruses by Avast antivirus software. https://www.avast.com/antivirus -------------- next part -------------- An HTML attachment was scrubbed... URL: From lists at ssl-mail.com Sun Oct 9 17:11:36 2016 From: lists at ssl-mail.com (lists at ssl-mail.com) Date: Sun, 09 Oct 2016 08:11:36 -0700 Subject: every keyserver submit/retrieve returns " ERR 167772346 No keyserver available " ? Message-ID: <1476025896.1517127.750372305.69E7CDF5@webmail.messagingengine.com> I'm trying to get gpg2 up & running on linux. I've installed gpg2 --version gpg (GnuPG) 2.1.15 libgcrypt 1.7.3 Copyright (C) 2016 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Home: /home/test/.gnupg Supported algorithms: Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256 Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 Compression: Uncompressed, ZIP, ZLIB, BZIP2 I can generate key pairs and rev certs OK. But when I try to upload/retrieve from any keyserver, I get "ERR 167772346 No keyserver available ". Here's an attempt with keyserver == pool @ hkps://hkps.pool.sks-keyservers.net gpg -v --debug-all --recv-keys 0x673A03E4C1DB921F gpg: reading options from '/home/test/.gnupg/gpg.conf' gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust hashing cardio ipc clock lookup extprog gpg: DBG: [not enabled in the source] start gpg: DBG: chan_3 <- # Home: /home/test/.gnupg gpg: DBG: chan_3 <- # Config: /home/test/.gnupg/dirmngr.conf gpg: DBG: chan_3 <- OK Dirmngr 2.1.15 at your service gpg: DBG: connection to the dirmngr established gpg: DBG: chan_3 -> GETINFO version gpg: DBG: chan_3 <- D 2.1.15 gpg: DBG: chan_3 <- OK gpg: DBG: chan_3 -> KEYSERVER --clear hkps://hkps.pool.sks-keyservers.net gpg: DBG: chan_3 <- OK gpg: DBG: chan_3 -> KS_GET -- 0x673A03E4C1DB921F gpg: DBG: chan_3 <- ERR 167772346 No keyserver available gpg: keyserver receive failed: No keyserver available gpg: DBG: chan_3 -> BYE gpg: DBG: [not enabled in the source] stop gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0 outmix=0 getlvl1=0/0 getlvl2=0/0 gpg: secmem usage: 0/65536 bytes in 0 blocks I've tried a bunch of different keyservers with always the same result. What am I missing? From kristian.fiskerstrand at sumptuouscapital.com Sun Oct 9 19:26:45 2016 From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand) Date: Sun, 9 Oct 2016 19:26:45 +0200 Subject: every keyserver submit/retrieve returns " ERR 167772346 No keyserver available " ? In-Reply-To: <1476025896.1517127.750372305.69E7CDF5@webmail.messagingengine.com> References: <1476025896.1517127.750372305.69E7CDF5@webmail.messagingengine.com> Message-ID: <14d7aceb-c894-933c-af67-50a6c793dfe7@sumptuouscapital.com> On 10/09/2016 05:11 PM, lists at ssl-mail.com wrote: > I'm trying to get gpg2 up & running on linux. ... > > I've tried a bunch of different keyservers with always the same result. > > What am I missing? For one thing a $ dig +trace hkps.pool.sks-keyservers.net to see resolver results, additionally output of $ gpg-connect-agent --dirmngr 'KEYSERVER --help', make sure hkps is listed as a supported schemata -- ---------------------------- Kristian Fiskerstrand Blog: https://blog.sumptuouscapital.com Twitter: @krifisk ---------------------------- Public OpenPGP keyblock at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 ---------------------------- "If you cannot convince them, confuse them" (Harry S Truman) -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From lists at ssl-mail.com Sun Oct 9 19:34:10 2016 From: lists at ssl-mail.com (lists at ssl-mail.com) Date: Sun, 09 Oct 2016 10:34:10 -0700 Subject: every keyserver submit/retrieve returns " ERR 167772346 No keyserver available " ? In-Reply-To: <14d7aceb-c894-933c-af67-50a6c793dfe7@sumptuouscapital.com> References: <1476025896.1517127.750372305.69E7CDF5@webmail.messagingengine.com> <14d7aceb-c894-933c-af67-50a6c793dfe7@sumptuouscapital.com> Message-ID: <1476034450.1541343.750451913.5AA49BD8@webmail.messagingengine.com> hi On Sun, Oct 9, 2016, at 10:26 AM, Kristian Fiskerstrand wrote: >> What am I missing? > For one thing a just fyi, more here @ https://bugs.gnupg.org/gnupg/issue2745 > $ dig +trace hkps.pool.sks-keyservers.net to see resolver results, >From the machine on which I'm running gpg dig +trace hkps.pool.sks-keyservers.net ; <<>> DiG 9.10.3-P4 <<>> +trace hkps.pool.sks-keyservers.net ;; global options: +cmd . 173 IN NS b.root-servers.net. . 173 IN NS g.root-servers.net. . 173 IN NS e.root-servers.net. . 173 IN NS a.root-servers.net. . 173 IN NS d.root-servers.net. . 173 IN NS c.root-servers.net. . 173 IN NS i.root-servers.net. . 173 IN NS l.root-servers.net. . 173 IN NS h.root-servers.net. . 173 IN NS f.root-servers.net. . 173 IN NS j.root-servers.net. . 173 IN NS k.root-servers.net. . 173 IN NS m.root-servers.net. . 3573 IN RRSIG NS 8 0 518400 20161022050000 20161009040000 39291 . SeIwCb0CKHIaVgEXAVNJ3UJdAmnNyOWmU0TpXSSM58RibXDGmtrJKPkj +EkxIRItWeRvECSa+oqsnc513uhilK94+t4P7395m4AokdlkXjaH3bjh Dxqt8CmA+k9+7/T54x/ZeAsYD2we3FAD7x/lyu8+zRDkFHO0wQ5MekhV WXebhc4OkXNbr5/b65xkjStFrWC7uvOxfVOHtxzObTi5OR8AFisYPsfQ 6Pwu0HtTaJim9wFQgjF60nhzqfFH82Z1qmxWpkTWsaUXKYdETwKmc5l/ ilDni8/Y0f6sQXUsv/J8oTLSDPw6A9n9lJrlKLa7vM3ZDSgw9NVLHtju tWECvA== ;; Received 525 bytes from 10.19.2.100#53(10.19.2.100) in 0 ms net. 172800 IN NS d.gtld-servers.net. net. 172800 IN NS m.gtld-servers.net. net. 172800 IN NS j.gtld-servers.net. net. 172800 IN NS k.gtld-servers.net. net. 172800 IN NS i.gtld-servers.net. net. 172800 IN NS f.gtld-servers.net. net. 172800 IN NS l.gtld-servers.net. net. 172800 IN NS b.gtld-servers.net. net. 172800 IN NS h.gtld-servers.net. net. 172800 IN NS c.gtld-servers.net. net. 172800 IN NS a.gtld-servers.net. net. 172800 IN NS g.gtld-servers.net. net. 172800 IN NS e.gtld-servers.net. net. 86400 IN DS 35886 8 2 7862B27F5F516EBE19680444D4CE5E762981931842C465F00236401D 8BD973EE net. 86400 IN RRSIG DS 8 1 86400 20161022050000 20161009040000 39291 . FKrdz/REDbJ/00oUK5owedOwz7rtKZlzdPH8Tv4XbcSgdzZRjoBSVy4N CSxgzJIn7TxhQSJtaVYNpGRNc2vN0uq9SUwntkFs5DOUUv7fGvuRGzgT QOl2u+XKjmDHbTem8RoFJvMMr0UeqS/v7cKnFSvZyxgM43y0IEaA42wt 1q3vOAk93+SD6C0GkYQCb6IQT+UfYACKlkPt/v7UC3S6CjovpLeJKvTv 7P7ON+AbDUaa9SVp+JBvOhAkgstAHQzbNY9uSeTo+gSEpIncqmnQnfO3 sFUt1iXyfDm7ySkq1u71OpMOxWR5e7DkvBR1trBNcfhqLekxEQztZFPx 4msUpQ== ;; Received 877 bytes from 199.7.91.13#53(d.root-servers.net) in 102 ms sks-keyservers.net. 172800 IN NS ns2.kfwebs.net. sks-keyservers.net. 172800 IN NS ns2.sks-keyservers.net. sks-keyservers.net. 172800 IN NS ns6.sks-keyservers.net. sks-keyservers.net. 172800 IN NS ns9.sks-keyservers.net. sks-keyservers.net. 172800 IN NS ns13.sks-keyservers.net. sks-keyservers.net. 86400 IN DS 30729 8 1 625547BEB5EEF7FDB7683462BD9453BD0A886542 sks-keyservers.net. 86400 IN RRSIG DS 8 2 86400 20161015045546 20161008034546 2480 net. EiPMbb2zOb9Lt9rK/iYKN0d1FIWWpzyEEREngvVlbqK2WZASGvPpJbou ZQfS0YIUNVUaSd6mDYCJ21hibUwi7EJ++o4ChfUfrqxXFwF3Dy/j90pp 72G18kYgFtAEt9uA8xEpUrOR4yvKRmnh4FRemk8jYKVDw6bmhksJ1yh/ +sc= ;; Received 574 bytes from 192.43.172.30#53(i.gtld-servers.net) in 42 ms hkps.pool.SKS-KEYSERVERS.NET. 60 IN A 140.211.169.202 hkps.pool.SKS-KEYSERVERS.NET. 60 IN A 193.224.163.43 hkps.pool.SKS-KEYSERVERS.NET. 60 IN A 212.12.48.27 hkps.pool.SKS-KEYSERVERS.NET. 60 IN A 94.142.242.225 hkps.pool.SKS-KEYSERVERS.NET. 60 IN A 178.62.203.205 hkps.pool.SKS-KEYSERVERS.NET. 60 IN A 92.43.111.21 hkps.pool.SKS-KEYSERVERS.NET. 60 IN A 18.9.60.141 hkps.pool.SKS-KEYSERVERS.NET. 60 IN A 104.236.209.43 hkps.pool.SKS-KEYSERVERS.NET. 60 IN A 37.191.220.247 hkps.pool.SKS-KEYSERVERS.NET. 60 IN A 193.164.133.100 hkps.pool.SKS-KEYSERVERS.NET. 60 IN RRSIG A 8 4 60 20161108172011 20161009162011 30729 sks-keyservers.net. EQM/Uuss9isgA/kCf6PhF3xw/n/g1Rr0xYLeiI/0WAlYqpKZ4s+RaTqJ 66y4hnugzfGlUqfcNJ+14WI3H1GDIGqS9cEeQ5WYD+gRgUDNI043XRAD 0YsN/ueaNPW7ICUhOQdOtYNWIzsuZ9uJi5vQYSjTEq5u2tycU3dQeQvf iEyDwCooqfcac7PMyCO181yUNKVpjagwr0E2fDhZshOqRvJGZ8vIzpKM uQMwz42yBskwBUZk8I8UFOawyyYN5fee0mMuCSVnBF6JP4QbkKIGCQ2P OPsIHqcA/XCw1/sau+UOu0fmDymAR9cef0Mw1cAA3d+18gBIUOtPswyl mJTTBw== SKS-KEYSERVERS.NET. 60 IN NS ns9.sks-keyservers.net. SKS-KEYSERVERS.NET. 60 IN NS ns2.kfwebs.net. SKS-KEYSERVERS.NET. 60 IN NS ns1.kfwebs.net. SKS-KEYSERVERS.NET. 60 IN NS ns6.sks-keyservers.net. SKS-KEYSERVERS.NET. 60 IN NS ns13.sks-keyservers.net. SKS-KEYSERVERS.NET. 60 IN NS ns10.sks-keyservers.net. SKS-KEYSERVERS.NET. 60 IN NS ns7.sks-keyservers.net. SKS-KEYSERVERS.NET. 60 IN NS ns2.sks-keyservers.net. SKS-KEYSERVERS.NET. 60 IN NS ns12.sks-keyservers.net. SKS-KEYSERVERS.NET. 60 IN RRSIG NS 8 2 60 20161024162716 20160924160638 30729 sks-keyservers.net. Jek/os9DufEHhA6jIrzLBXiv5CfYQSDt2xYhLKziq4REBfS0k0Nuu04o EeTIjWzZwBbPKLsnLglK3tf71hn8xEZiD9sUwn0wjLAM9vJMLb+EvduH /rnqPbXtOwDltVfyQjjHQyDCmM5otR/s1oHgEu/6fSdZj5N2OM2UIzns 7CdxVoah+E3QrUuitUzHJIDM9Ay/NItKqCBQMzxe1aJebV93+M7jzj5G eSaR8geWTgfWnNhqFDaxWd7ebjhwkC2zA4IJiHbut7CQ0R831IwwXnc3 obGjvzG9oiZXPVa+Okq198ketOQWiLeLfwfPrASHkHVd1DeXTFWnWQhj /+h0JQ== ;; Received 4094 bytes from 199.74.220.4#53(ns6.sks-keyservers.net) in 51 ms > gpg-connect-agent --dirmngr 'KEYSERVER --help', make sure hkps is listed as a supported schemata gpg-connect-agent --dirmngr 'KEYSERVER --help' /bye S # Known schemata: S # hkp >>> S # hkps S # http S # https S # finger S # kdns S # ldap S # (Use an URL for engine specific help.) OK It doesn't matter what schema+server I use. The result's always the same so far. From ben at adversary.org Sun Oct 9 20:04:54 2016 From: ben at adversary.org (Ben McGinnes) Date: Mon, 10 Oct 2016 05:04:54 +1100 Subject: Confusion about a statement in the FAQ In-Reply-To: <63619217-eec6-59da-a409-db7378c606f2@sixdemonbag.org> References: <137adf5b-e0e8-42e8-8e1f-c1a3ce0fe0f2@cajuntechie.org> <9636ea75-b9cd-088d-fc56-aae95089d4c0@sixdemonbag.org> <7d6317c8-da07-5e88-4632-daa6ef66b154@cajuntechie.org> <63619217-eec6-59da-a409-db7378c606f2@sixdemonbag.org> Message-ID: <20161009180454.GA97681@adversary.org> On Sat, Sep 10, 2016 at 07:36:27PM -0400, Robert J. Hansen wrote: > > Hmm, OK that's kind of what I thought. But I'm still a little > > confused. Doesn't the email server have to support it? > > No. > > > Or would the "to" be one of those things not encrypted? > > Headers that are strictly required to process email are not armored. Actually the "To:" and "From:" headers could be armoured without real trouble since they're included in the data portion with the "Subject:" and whatever else any given MUA wants to include. It's the "rcpt to" and "mail from" headers that couldn't be, along with the relay data from SMTP, IMAP and/or POP3 transactions. It's just that the "To:" address usually matches the "rcpt to" address and the "From:" address usually matches "mail from" (mailing lists being one of the more common exceptions to that). Regards, Ben -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 630 bytes Desc: not available URL: From 2014-667rhzu3dc-lists-groups at riseup.net Mon Oct 10 00:02:07 2016 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Sun, 9 Oct 2016 23:02:07 +0100 Subject: GnuPG vs. GPG4Win In-Reply-To: References: , <1552263190.20161008112457@riseup.net> Message-ID: <445900054.20161009230207@riseup.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Saturday 8 October 2016 at 1:46:19 PM, in , Rohit P wrote:- > Thanks. > I downloaded the second item from the link you provided. It has no > front-end and the readme file says it can be run only from > command-line. That's as it should be. Well done. - -- Best regards MFPA Don't cry because it is over - smile because it happened -----BEGIN PGP SIGNATURE----- iL4EARYKAGYFAlf6vmFfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldDMzQUNFRDRFRTkxMzRFRUJERTZBODUwNjE3 MTJCQzQ2MUFGNzc4RTQACgkQFxK8Rhr3eOSs3gEA5B+myjR1hVNiwh2VDJvlGYXS YcQohFmZKQDMsexY8OoA/Rr90ybWeEvgJ4L6HB2vGpaWNU9RM82LrOzAqDLqaGkE iQF8BAEBCgBmBQJX+r5hXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2 QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwlzQH/iagwl9gPeWSw6DBcN2aaUwr 8aZSLZK6I/0uQTYgwkF8WmNO6ZZZs1+PDhwdMICQzB78vESd+tMWizsdXKPsc6Kr 5rLKYCZPPJSqXs4CHhvJ0usjgH456RVTjv+nn1VaXTMGNtfMuhP3s1xx5/owHLpf 1XdAq5mC3h+iNqtDpBDdXD71E6p7yawXuKohB6tBNGvc62nCrm3rPm68pHhFEHg+ ZFSrYcuIrUVYijjHx0rNEe/3TCJ5i6BCUjHAntXQcGRlux7wy96Kt+XpDBwUR2l7 cf5soE8EuDzEV7Wp6+xod4E2zsknqg/b0a057/cyrcw425JheQE+SN6F03uM1/A= =N/vC -----END PGP SIGNATURE----- --- This email has been checked for viruses by Avast antivirus software. https://www.avast.com/antivirus From kristian.fiskerstrand at sumptuouscapital.com Mon Oct 10 02:40:30 2016 From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand) Date: Mon, 10 Oct 2016 02:40:30 +0200 Subject: Agent forwarding failure when the socketdir was autodeleted In-Reply-To: <1692039.nYCvrdervT@esus> References: <3938401.1pLH0TdMhg@esus> <8760p7i6n6.fsf@wheatstone.g10code.de> <8760p67kok.fsf@alice.fifthhorseman.net> <1692039.nYCvrdervT@esus> Message-ID: <7e2d4428-d228-1eac-1bf0-88365059d0a7@sumptuouscapital.com> On 10/05/2016 09:35 PM, Andre Heinecke wrote: >> I really think this ought to be handled in OpenSSH. > Exactly. I wrote a mail to openssh-unix-dev as you suggested to ask about > that. Let's see :-) For record purposes, this is http://lists.mindrot.org/pipermail/openssh-unix-dev/2016-October/035409.html -- ---------------------------- Kristian Fiskerstrand Blog: https://blog.sumptuouscapital.com Twitter: @krifisk ---------------------------- Public OpenPGP keyblock at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 ---------------------------- "A committee is a group that keeps minutes and loses hours." (Milton Berle) -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From wk at gnupg.org Mon Oct 10 11:17:29 2016 From: wk at gnupg.org (Werner Koch) Date: Mon, 10 Oct 2016 11:17:29 +0200 Subject: every keyserver submit/retrieve returns " ERR 167772346 No keyserver available " ? In-Reply-To: <1476034450.1541343.750451913.5AA49BD8@webmail.messagingengine.com> (lists@ssl-mail.com's message of "Sun, 09 Oct 2016 10:34:10 -0700") References: <1476025896.1517127.750372305.69E7CDF5@webmail.messagingengine.com> <14d7aceb-c894-933c-af67-50a6c793dfe7@sumptuouscapital.com> <1476034450.1541343.750451913.5AA49BD8@webmail.messagingengine.com> Message-ID: <87twck4l7a.fsf@wheatstone.g10code.de> On Sun, 9 Oct 2016 19:34, lists at ssl-mail.com said: > It doesn't matter what schema+server I use. The result's always the same so far. To which ADNS version is dirmngr linked? Did you build it yourself? Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 162 bytes Desc: not available URL: From meno.abels at adviser.com Mon Oct 10 12:04:40 2016 From: meno.abels at adviser.com (Meno Abels) Date: Mon, 10 Oct 2016 12:04:40 +0200 Subject: Key-Grip unknown in --gen-key --batch Message-ID: <210DD9AA-665F-4051-9C04-C0F819B2AD28@adviser.com> Hi, there is these manual: https://www.gnupg.org/documentation/manuals/gnupg/CSR-and-certificate-creation.html#CSR-and-certificate-creation i tried to sign a csr with it and the command Key-Grip is missing some how. In g10/keygen.c there is no equivalent command what can i do? this is what i did: cat < From dgouttegattat at incenp.org Mon Oct 10 14:09:03 2016 From: dgouttegattat at incenp.org (Damien Goutte-Gattat) Date: Mon, 10 Oct 2016 14:09:03 +0200 Subject: Key-Grip unknown in --gen-key --batch In-Reply-To: <210DD9AA-665F-4051-9C04-C0F819B2AD28@adviser.com> References: <210DD9AA-665F-4051-9C04-C0F819B2AD28@adviser.com> Message-ID: On 10/10/2016 12:04 PM, Meno Abels wrote: > https://www.gnupg.org/documentation/manuals/gnupg/CSR-and-certificate-creation.html#CSR-and-certificate-creation > > i tried to sign a csr with it and the command Key-Grip is missing some how. > > In g10/keygen.c there is no equivalent command what can i do? To manipulate X.509 certificates (and related concepts such as CSRs), you should use the gpgsm program instead of gpg2. gpg2 is for OpenPGP material, gpgsm is for X.509/SMIME. The Key-Grip keyword is recognized by gpgsm (see sm/certreqgen.c). Damien -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From lists at ssl-mail.com Mon Oct 10 14:59:38 2016 From: lists at ssl-mail.com (lists at ssl-mail.com) Date: Mon, 10 Oct 2016 05:59:38 -0700 Subject: every keyserver submit/retrieve returns " ERR 167772346 No keyserver available " ? In-Reply-To: <87twck4l7a.fsf@wheatstone.g10code.de> References: <1476025896.1517127.750372305.69E7CDF5@webmail.messagingengine.com> <14d7aceb-c894-933c-af67-50a6c793dfe7@sumptuouscapital.com> <1476034450.1541343.750451913.5AA49BD8@webmail.messagingengine.com> <87twck4l7a.fsf@wheatstone.g10code.de> Message-ID: <1476104378.3313768.751161033.3E20D9E8@webmail.messagingengine.com> hi On Mon, Oct 10, 2016, at 02:17 AM, Werner Koch wrote: > To which ADNS version is dirmngr linked? libadnd1 v1.5.0 ldd `which dirmngr` linux-vdso.so.1 (0x00007fffb67ed000) >> libadns.so.1 => /usr/lib64/libadns.so.1 (0x00007f8ebb2d6000) libassuan.so.0 => /usr/lib64/libassuan.so.0 (0x00007f8ebb0c3000) libgpg-error.so.0 => /usr/lib64/libgpg-error.so.0 (0x00007f8ebaeaf000) libgcrypt.so.20 => /usr/lib64/libgcrypt.so.20 (0x00007f8ebaba2000) libksba.so.8 => /usr/lib64/libksba.so.8 (0x00007f8eba96b000) libnpth.so.0 => /usr/lib64/libnpth.so.0 (0x00007f8eba765000) libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f8eba548000) libgnutls.so.28 => /usr/lib64/libgnutls.so.28 (0x00007f8eba232000) libldap-2.4.so.2 => /usr/lib64/libldap-2.4.so.2 (0x00007f8eb9fe4000) libc.so.6 => /lib64/libc.so.6 (0x00007f8eb9c3c000) libdl.so.2 => /lib64/libdl.so.2 (0x00007f8eb9a38000) /lib64/ld-linux-x86-64.so.2 (0x0000556c975e7000) libz.so.1 => /lib64/libz.so.1 (0x00007f8eb9821000) libp11-kit.so.0 => /usr/lib64/libp11-kit.so.0 (0x00007f8eb95df000) libtasn1.so.6 => /usr/lib64/libtasn1.so.6 (0x00007f8eb93cb000) libnettle.so.4 => /usr/lib64/libnettle.so.4 (0x00007f8eb9199000) libhogweed.so.2 => /usr/lib64/libhogweed.so.2 (0x00007f8eb8f6a000) libgmp.so.10 => /usr/lib64/libgmp.so.10 (0x00007f8eb8ce3000) liblber-2.4.so.2 => /usr/lib64/liblber-2.4.so.2 (0x00007f8eb8ad3000) libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f8eb88bc000) libsasl2.so.3 => /usr/lib64/libsasl2.so.3 (0x00007f8eb869f000) libssl.so.1.0.0 => /lib64/libssl.so.1.0.0 (0x00007f8eb8436000) libcrypto.so.1.0.0 => /lib64/libcrypto.so.1.0.0 (0x00007f8eb8042000) libffi.so.4 => /usr/lib64/libffi.so.4 (0x00007f8eb7e39000) rpm -q --whatprovides /usr/lib64/libadns.so.1 libadns1-1.5.0-196.1.x86_64 > Did you build it yourself? No, sourced from distro repo here, https://build.opensuse.org/package/show?project=security%3Aprivacy&package=gpg2 From cvimail81 at gmail.com Sun Oct 9 11:24:26 2016 From: cvimail81 at gmail.com (Egon) Date: Sun, 9 Oct 2016 11:24:26 +0200 Subject: PGP 2.6.3 IDEA encryption Message-ID: Hi! I have some files which was encrypted with PGP 2.6.3. The encryption algorithm was IDEA. I forgotten the password. Can most modern technology give me a possibility to decrypt the files? Best regards: Egon From rjh at sixdemonbag.org Mon Oct 10 21:54:58 2016 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 10 Oct 2016 15:54:58 -0400 Subject: PGP 2.6.3 IDEA encryption In-Reply-To: References: Message-ID: <7dcb6810-6f94-1623-8d0f-f5d6fcab0345@sixdemonbag.org> > I forgotten the password. Can most modern technology give me a > possibility to decrypt the files? No. From gnupg at jelmail.com Mon Oct 10 22:56:44 2016 From: gnupg at jelmail.com (John Lane) Date: Mon, 10 Oct 2016 21:56:44 +0100 Subject: Private key export for SSH Message-ID: I've been trying out the SSH compatibility. Everything working as per the documentation, except I have one question. How can I extract the SSH PRIVATE key ? I am using "gpg --export-ssh-key alice > ssh_key.pub" for the public key but I can't find an equivalent for the private key. The reason why I would like the private key is so that I can use it on another host where I don't have the benefit of gpg 2.1 (or any gpg, for that matter). Thanks, John From raubvogel at gmail.com Mon Oct 10 22:12:55 2016 From: raubvogel at gmail.com (Mauricio Tavares) Date: Mon, 10 Oct 2016 16:12:55 -0400 Subject: Private key export for SSH In-Reply-To: References: Message-ID: Would gpg --export-secret-keys -a C00FFEE > secret do the trick? On Mon, Oct 10, 2016 at 4:56 PM, John Lane wrote: > I've been trying out the SSH compatibility. Everything working as per > the documentation, except I have one question. > > How can I extract the SSH PRIVATE key ? > > I am using "gpg --export-ssh-key alice > ssh_key.pub" for the public key > but I can't find an equivalent for the private key. > > The reason why I would like the private key is so that I can use it on > another host where I don't have the benefit of gpg 2.1 (or any gpg, for > that matter). > > Thanks, > John > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users From 2014-667rhzu3dc-lists-groups at riseup.net Mon Oct 10 23:48:59 2016 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Mon, 10 Oct 2016 22:48:59 +0100 Subject: GnuPG vs. GPG4Win In-Reply-To: References: <1552263190.20161008112457@riseup.net> <445900054.20161009230207@riseup.net> Message-ID: <1667144200.20161010224859@riseup.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Sunday 9 October 2016 at 11:53:10 PM, in , Schlacta, Christ wrote:- > What we need is whomever maintains > gpg4win to release a guide on how to have it utilize the system's > install gnupg, so we can get 2.1.x working with some decent > management interfacen. Note: I use GnuPG 2.1.15 under Windows but do not use gpg4win. That said, have you tried gpg4win's beta version? Gpg4win version 3.0.0-beta187 (2016-09-05) includes GnuPG 2.1.15. I'm not sure what component in the package is a beta; GnuPG 2.1.15 isn't and most of the version numbers match those in Gpg4win version 2.3.3 (2016-08-18). - -- Best regards MFPA After all is said and done, a lot more will be said than done. -----BEGIN PGP SIGNATURE----- iL4EARYKAGYFAlf8DNNfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldDMzQUNFRDRFRTkxMzRFRUJERTZBODUwNjE3 MTJCQzQ2MUFGNzc4RTQACgkQFxK8Rhr3eORT5gD/YCLLia6cW6kUCyR4AZ2QWZX0 qUmu0ja8ucVU6ZuxHXIBAM56E3kCuT0kQoxurM2ULkCYj3sEr4hy0YAi8tB3vgsH iQF8BAEBCgBmBQJX/AzoXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2 QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwdREH/jbicN5ACdngq2WH4FifZt+l IpZogyi3yJq3PBxAakJ4128LjSVKngGw+azGAAKDgHOaPg5GGoZQgQVt6CTXgx2Q XgYz7HjgF285PDy1pgZWsZdzLQrwH/8pTIlPCEeMWArhk1TucFkzmK42Ti96ngrE HYn5ycmitGSI6D+A7oZRNyXfg92G3bWCCpKYojpnZ8KOjkBXImOpEN/XfbT5hPLb 7Usf3r/wRHooNISzXzAjJ4Ggj9JYwZ5HkV6HZ9LsDXAP1k9Xn8r99J5Kda46AjMX wvVepdNqHMMV4h7gg1Fdwiwgymh5AnVPyOhaSc3b9XDztHBfabeptBFUJ3dggng= =CJP2 -----END PGP SIGNATURE----- --- This email has been checked for viruses by Avast antivirus software. https://www.avast.com/antivirus From juanmi.3000 at gmail.com Tue Oct 11 00:44:51 2016 From: juanmi.3000 at gmail.com (=?UTF-8?Q?Juan_Miguel_Navarro_Mart=c3=adnez?=) Date: Tue, 11 Oct 2016 00:44:51 +0200 Subject: GnuPG vs. GPG4Win In-Reply-To: <1667144200.20161010224859@riseup.net> References: <1552263190.20161008112457@riseup.net> <445900054.20161009230207@riseup.net> <1667144200.20161010224859@riseup.net> Message-ID: <66a965bd-32e9-de2a-e3a1-401bcc041373@gmail.com> On 2016-10-10 at 23:48, MFPA wrote: > I'm not sure what component in the package is a beta; GnuPG 2.1.15 > isn't and most of the version numbers match those in Gpg4win version > 2.3.3 (2016-08-18). > I think it's mostly the GpgOl and GpgEx parts of the bundle that are in beta, unless there's something different on Kleopatra and GPA Gpg4Win builds. -- Juan Miguel Navarro Mart?nez GPG Keyfingerprint: 5A91 90D4 CF27 9D52 D62A BC58 88E2 947F 9BC6 B3CF From daniel at pocock.pro Tue Oct 11 07:41:28 2016 From: daniel at pocock.pro (Daniel Pocock) Date: Tue, 11 Oct 2016 07:41:28 +0200 Subject: making a Debian Live CD for managing GnuPG master key and smartcards In-Reply-To: <571F1E62.30203@pocock.pro> References: <571F1E62.30203@pocock.pro> Message-ID: <6d52d6e6-020c-e8d4-eec8-8d9bc08c5c4b@pocock.pro> On 26/04/16 09:53, Daniel Pocock wrote: > > There has been some discussion on debian-devel[1] about making a > bootable Debian Live CD specifically for GnuPG > This can now be used, command line only for the moment, as described in my blog[1] about it If anybody wants to help take this further please join the list[2] I set up for it Regards, Daniel 1. https://danielpocock.com/dvd-based-clean-room-for-pgp-and-pki 2. https://lists.alioth.debian.org/mailman/listinfo/pki-clean-room-devel From gnupg at jelmail.com Tue Oct 11 12:13:13 2016 From: gnupg at jelmail.com (John Lane) Date: Tue, 11 Oct 2016 11:13:13 +0100 Subject: Private key export for SSH In-Reply-To: References: Message-ID: On 10/10/16 21:12, Mauricio Tavares wrote: > Would > > gpg --export-secret-keys -a C00FFEE > secret > > do the trick? No, because that exports a gpg keyring and not an ssh private key. One might imply the below is possible, but the error would indicate that it isnt: $ gpg --export-secret-keys --export-ssh-key alice gpg: conflicting commands From peter at digitalbrains.com Tue Oct 11 11:47:17 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Tue, 11 Oct 2016 11:47:17 +0200 Subject: Private key export for SSH In-Reply-To: References: Message-ID: <2bbb7513-321d-491d-925f-2334b1ddeff3@digitalbrains.com> On 10/10/16 22:56, John Lane wrote: > The reason why I would like the private key is so that I can use it on > another host where I don't have the benefit of gpg 2.1 (or any gpg, for > that matter). I don't know if you can do private key export; perhaps with monkeysphere? Here's a different idea. An .ssh/authorized_keys file is a list of text lines, each line being a single authentication key. Normally, you append the contents of id_xxx.pub, a single line, to an .ssh/authorized_keys file to add that key. How about you just create a separate key for the machine where you don't use GnuPG, and then create a .pub file that contains two lines, one for the GnuPG key and one for the other key? $ rsync other:.ssh/id_rsa.pub combined.pub $ gpg --export-ssh-key alice >> combined.pub Note the second command appends to combined.pub. Then any time you add combined.pub to an .ssh/authorized_keys file, you're adding both keys, with the same procedure you would normally add a single key, no extra clicks, nothing :-). HTH. Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From gnupg at jelmail.com Tue Oct 11 13:46:55 2016 From: gnupg at jelmail.com (John Lane) Date: Tue, 11 Oct 2016 12:46:55 +0100 Subject: Private key export for SSH In-Reply-To: <2bbb7513-321d-491d-925f-2334b1ddeff3@digitalbrains.com> References: <2bbb7513-321d-491d-925f-2334b1ddeff3@digitalbrains.com> Message-ID: <2ca2f361-48a4-c78e-945a-9af751bdb4f6@jelmail.com> > I don't know if you can do private key export; perhaps with monkeysphere? I have Monkeysphere on my radar but I haven't got around to trying it out. I had hoped for a gpg solution without resorting to third party... > How about you just create a separate key for the machine where you don't > use GnuPG, and then create a .pub file that contains two lines, one for > the GnuPG key and one for the other key? Yes sure I could do that (and do) but I hoped for way to export the ssh private key from gpg. It feels cleaner to me to just have one key. So it sounds like it isn't possible then. Is there a reason why, beyond the possibility that it just hasn't been implemented? I would have thought doing this would complete the circle as far as gpg keys being used for ssh... From peter at digitalbrains.com Tue Oct 11 15:35:37 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Tue, 11 Oct 2016 15:35:37 +0200 Subject: Private key export for SSH In-Reply-To: <2ca2f361-48a4-c78e-945a-9af751bdb4f6@jelmail.com> References: <2bbb7513-321d-491d-925f-2334b1ddeff3@digitalbrains.com> <2ca2f361-48a4-c78e-945a-9af751bdb4f6@jelmail.com> Message-ID: On 11/10/16 13:46, John Lane wrote: > I have Monkeysphere on my radar but I haven't got around to trying > it out. I had hoped for a gpg solution without resorting to third > party... I think I vaguely remember Monkeysphere supporting it. > Yes sure I could do that (and do) but I hoped for way to export the > ssh private key from gpg. It feels cleaner to me to just have one > key. (I'd consider key-per-user/workstation-combo cleaner :-) > Is there a reason why, beyond the possibility that it just hasn't > been implemented? I think other features simply were more important, and got priority... HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From dkg at fifthhorseman.net Tue Oct 11 16:20:37 2016 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Tue, 11 Oct 2016 10:20:37 -0400 Subject: Private key export for SSH In-Reply-To: References: <2bbb7513-321d-491d-925f-2334b1ddeff3@digitalbrains.com> <2ca2f361-48a4-c78e-945a-9af751bdb4f6@jelmail.com> Message-ID: <87y41vynka.fsf@alice.fifthhorseman.net> On Tue 2016-10-11 09:35:37 -0400, Peter Lebbing wrote: > On 11/10/16 13:46, John Lane wrote: >> I have Monkeysphere on my radar but I haven't got around to trying >> it out. I had hoped for a gpg solution without resorting to third >> party... > > I think I vaguely remember Monkeysphere supporting it. fwiw, monkeysphere doesn't explicitly support exporting OpenPGP secret key material to arbitrary formats. Rather, modern versions of monkeysphere (the ones that support gpg 2.1) include agent-transfer, a tool that knows how to export secret key material from a running gpg-agent and import into a running ssh agent. See the agent-transfer(1) manual page for more details. Regards, --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 930 bytes Desc: not available URL: From gnupg at jelmail.com Tue Oct 11 23:58:17 2016 From: gnupg at jelmail.com (John Lane) Date: Tue, 11 Oct 2016 22:58:17 +0100 Subject: Private key export for SSH In-Reply-To: <87y41vynka.fsf@alice.fifthhorseman.net> References: <2bbb7513-321d-491d-925f-2334b1ddeff3@digitalbrains.com> <2ca2f361-48a4-c78e-945a-9af751bdb4f6@jelmail.com> <87y41vynka.fsf@alice.fifthhorseman.net> Message-ID: <36c45a4b-4c87-20cd-ff15-ece5d1d644d1@jelmail.com> >> >> I think I vaguely remember Monkeysphere supporting it. > > fwiw, monkeysphere doesn't explicitly support exporting OpenPGP secret > key material to arbitrary formats. > Ok, I have done it using "openpgp2ssh" from monkeysphere (I just installed 0.39 just to get that tool). The key has to be extracted and its password removed before it can be used with openpgp2ssh, hence my use of a temporary homedir in the below. Here is what I have done: First the public key: $ ssh-add -L > alice.key.pub or $ gpg --export alice | openpgp2ssh DD53AC86 > alice.key.pub where DD53AC86 is the id of the autentication subkey. Next the secret key: $ gpg --export-secret-key alice > alice.gpg $ mkdir -m 700 .gnupg-temp $ gpg --homedir .gnupg-temp --import alice.gpg $ gpg --homedir .gnupg-temp --passwd alice (remove the passwords) $ gpg --homedir .gnupg-temp --export-secret-key alice | \ openpgp2ssh DD53AC86 > alice.key $ chmod 600 alice.key With the above, I successfully connect to a remote (after putting alice.key.pub in its authorized_keys file): $ ssh -i alice.key some_host However, I note that the the agent complains with: > sign_and_send_pubkey: signing failed: agent refused operation so I unset the SSH_AUTH_SOCK after which the ssh command worked. I might have done something else wrong because I would not expect to have to do that. From strauss at positive-internet.com Wed Oct 12 01:29:48 2016 From: strauss at positive-internet.com (Nicholas Strauss) Date: Tue, 11 Oct 2016 16:29:48 -0700 Subject: gnupg pinentry Message-ID: <0dd4fd6a-146f-63fb-e57d-7b01bb3175c4@positive-internet.com> All, Trying to install thunderbird with gpg2 on ubuntu. got this working with /usr/local/bin/pinentry --> /usr/bin/pinentry and /usr/bin/pinentry --> /etc/alternatives/pinentry. Look good? Yours, strauss -- All postal correspondence to: The Positive Internet Company, 24 Ganton Street, London. W1F 7QY *Follow us on Twitter* @posipeople The Positive Internet Company Limited is registered in England and Wales. Registered company number: 3673639. VAT no: 726 7072 28. Registered office: Northside House, Mount Pleasant, Barnet, Herts, EN4 9EE. -------------- next part -------------- A non-text attachment was scrubbed... Name: 0xB3082430.asc Type: application/pgp-keys Size: 8578 bytes Desc: not available URL: From dkg at fifthhorseman.net Wed Oct 12 05:23:43 2016 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Tue, 11 Oct 2016 23:23:43 -0400 Subject: gnupg pinentry In-Reply-To: <0dd4fd6a-146f-63fb-e57d-7b01bb3175c4@positive-internet.com> References: <0dd4fd6a-146f-63fb-e57d-7b01bb3175c4@positive-internet.com> Message-ID: <874m4ixnb4.fsf@alice.fifthhorseman.net> On Tue 2016-10-11 19:29:48 -0400, Nicholas Strauss wrote: > > Trying to install thunderbird with gpg2 on ubuntu. > > got this working with > > /usr/local/bin/pinentry --> /usr/bin/pinentry > > and > > /usr/bin/pinentry --> /etc/alternatives/pinentry. > > Look good? It's not clear what this means. are these descriptions of symbolic links? If so, i don't know what you're trying to do here. Is there a reason to have /usr/local/bin/pinentry at all? on ubuntu, i recommend just installing the pinentry-* package that matches your preferred desktop environment and allowing it to be automatically selected. --dkg From gnupg at jelmail.com Wed Oct 12 17:36:30 2016 From: gnupg at jelmail.com (John Lane) Date: Wed, 12 Oct 2016 16:36:30 +0100 Subject: using with su/sudo In-Reply-To: <02221751-161d-12d5-541f-f5a7959b74c8@fsij.org> References: <5b0353b0-81e0-a02e-67dc-74d8bdeca3ad@jelmail.com> <02221751-161d-12d5-541f-f5a7959b74c8@fsij.org> Message-ID: > > I created a ticket at the bug tracker. > > https://bugs.gnupg.org/gnupg/issue2739 > > > With the situation of gpg-agent's allow-loopback-pinentry is default > now, perhaps, it would be the best (from the user's viewpoint) that > gpg-agent automatically fallbacks to loopback mode. > > On window system, I think it doesn't work either... > I just wanted to bring this to your attention because I think it is related. If you try to use "ssh-add" from within a sudo/su session to add a SSH private key to the gpg-agent (with all other GnuPG SSH configuration requirements satisfied), the request fails with an error: $ ssh-add ~/.ssh/private.key Enter passphrase for /home/alice/private.key: Could not add identity "/home/alice/.ssh/private.key": agent refused operation I did some investigation and I think it is the pinentry problem again. First, I tried the same from a non-su terminal and it worked: the agent pops up a pinentry dialog to request a passphrase for its copy of the private key (as explained in the gpg manual, chapter 2). I tried from a sudo with the tty ownership corrected but it didn't work. So I ran an agent with some logging and saw this: DBG: error calling pinentry: Inappropriate ioctl for device From gnupg at jelmail.com Wed Oct 12 17:52:19 2016 From: gnupg at jelmail.com (John Lane) Date: Wed, 12 Oct 2016 16:52:19 +0100 Subject: Private key export for SSH In-Reply-To: <36c45a4b-4c87-20cd-ff15-ece5d1d644d1@jelmail.com> References: <2bbb7513-321d-491d-925f-2334b1ddeff3@digitalbrains.com> <2ca2f361-48a4-c78e-945a-9af751bdb4f6@jelmail.com> <87y41vynka.fsf@alice.fifthhorseman.net> <36c45a4b-4c87-20cd-ff15-ece5d1d644d1@jelmail.com> Message-ID: <70d07b77-8956-1287-7bb2-8aee575a2b7d@jelmail.com> This is just an observation. I thought that perhaps, if I had an extracted private key, that I could use "ssh-add" to add it and remove the need to manually edit "sshcontrol". I tried: $ ssh-add alice.key Identity added: alice.key (alice.key) Looking good. However... $ ssh-add -l The agent has no identities. No joy. I realise the documented way is to edit the sshcontrol file and put the keygrip into it. But the positive output above is misleading. That's where gpg knows about the key (e.g. on the machine where the extract was done). The "ssh-add alice.key" works if the key is unknown to gpg - the keygrip is written to sshcontrol and to private-keys-v1.d. furthermore, importing the alice.gpg key afterwards works fine too. # RSA key added on: 2016-10-12 15:44:05 # MD5 Fingerprint: d0:d1:43:af:ec:4a:4c:92:7c:af:1f:70:92:13:89:16 817A3B5A8596096E8AC2932617C10E4181F09B55 0 From dkg at fifthhorseman.net Wed Oct 12 23:51:30 2016 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Wed, 12 Oct 2016 17:51:30 -0400 Subject: Private key export for SSH In-Reply-To: <70d07b77-8956-1287-7bb2-8aee575a2b7d@jelmail.com> References: <2bbb7513-321d-491d-925f-2334b1ddeff3@digitalbrains.com> <2ca2f361-48a4-c78e-945a-9af751bdb4f6@jelmail.com> <87y41vynka.fsf@alice.fifthhorseman.net> <36c45a4b-4c87-20cd-ff15-ece5d1d644d1@jelmail.com> <70d07b77-8956-1287-7bb2-8aee575a2b7d@jelmail.com> Message-ID: <878tttutgd.fsf@alice.fifthhorseman.net> On Wed 2016-10-12 11:52:19 -0400, John Lane wrote: > This is just an observation. I thought that perhaps, if I had an > extracted private key, that I could use "ssh-add" to add it and remove > the need to manually edit "sshcontrol". I tried: > > $ ssh-add alice.key > Identity added: alice.key (alice.key) > > Looking good. However... > > $ ssh-add -l > The agent has no identities. > > No joy. I realise the documented way is to edit the sshcontrol file and > put the keygrip into it. But the positive output above is misleading. > > That's where gpg knows about the key (e.g. on the machine where the > extract was done). The "ssh-add alice.key" works if the key is unknown > to gpg - the keygrip is written to sshcontrol and to private-keys-v1.d. > furthermore, importing the alice.gpg key afterwards works fine too. > > # RSA key added on: 2016-10-12 15:44:05 > # MD5 Fingerprint: d0:d1:43:af:ec:4a:4c:92:7c:af:1f:70:92:13:89:16 > 817A3B5A8596096E8AC2932617C10E4181F09B55 0 It looks to me like you're referring to https://bugs.gnupg.org/gnupg/issue2316 , which was marked as "resolved". I just re-opened it to "chatting". --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 930 bytes Desc: not available URL: From gniibe at fsij.org Thu Oct 13 01:27:46 2016 From: gniibe at fsij.org (NIIBE Yutaka) Date: Thu, 13 Oct 2016 08:27:46 +0900 Subject: using with su/sudo In-Reply-To: References: <5b0353b0-81e0-a02e-67dc-74d8bdeca3ad@jelmail.com> <02221751-161d-12d5-541f-f5a7959b74c8@fsij.org> Message-ID: On 10/13/2016 12:36 AM, John Lane wrote: > I just wanted to bring this to your attention because I think it is related. Thank you. Actually, I have a problem like that, everyday (literally). > I tried from a sudo with the tty ownership corrected but it didn't work. > > So I ran an agent with some logging and saw this: > > > DBG: error calling pinentry: Inappropriate ioctl for device Yes, this is the same error for me, too. In my case, I do: $ gpg-connect-agent updatestartuptty /bye to fix the situation. My case is that, I configure systemd to start up gpg-agent. In this case, gpg frontend works well with its session environment, but ssh doesn't work. In this configuration, gpg-agent starts with no env defined, like: $ gpg-connect-agent "getinfo std_startup_env" /bye OK $ Then, the command "updatestartuptty" can fix the situation. I think that gpg-agent is unkind enough (for error message, at least), it could/should know pinentry doesn't work well with not proper TTY ownership, no GPG_TTY. In the case of su/sudo, I would consider automatic fallback to loopback mode, or argue about file discriptor passing of UNIX domain socket. I have no idea how gpg-agent with null std_startup_env can do for SSH... -- From strauss at positive-internet.com Thu Oct 13 03:27:38 2016 From: strauss at positive-internet.com (Nicholas Strauss) Date: Wed, 12 Oct 2016 18:27:38 -0700 Subject: Gnupg-users Digest, Vol 157, Issue 15 In-Reply-To: References: Message-ID: Hi dkg, $ md5sum pinentry-gnome3 cf267ac78545eb9c3744b962082d4110 pinentry-gnome3 Look good? Yours, strauss -- All postal correspondence to: The Positive Internet Company, 24 Ganton Street, London. W1F 7QY *Follow us on Twitter* @posipeople The Positive Internet Company Limited is registered in England and Wales. Registered company number: 3673639. VAT no: 726 7072 28. Registered office: Northside House, Mount Pleasant, Barnet, Herts, EN4 9EE. From justus at g10code.com Thu Oct 13 11:33:32 2016 From: justus at g10code.com (Justus Winter) Date: Thu, 13 Oct 2016 11:33:32 +0200 Subject: Private key export for SSH In-Reply-To: <878tttutgd.fsf@alice.fifthhorseman.net> References: <2bbb7513-321d-491d-925f-2334b1ddeff3@digitalbrains.com> <2ca2f361-48a4-c78e-945a-9af751bdb4f6@jelmail.com> <87y41vynka.fsf@alice.fifthhorseman.net> <36c45a4b-4c87-20cd-ff15-ece5d1d644d1@jelmail.com> <70d07b77-8956-1287-7bb2-8aee575a2b7d@jelmail.com> <878tttutgd.fsf@alice.fifthhorseman.net> Message-ID: <878ttsy4nn.fsf@europa.jade-hamburg.de> Hi John :) Daniel Kahn Gillmor writes: > On Wed 2016-10-12 11:52:19 -0400, John Lane wrote: >> This is just an observation. I thought that perhaps, if I had an >> extracted private key, that I could use "ssh-add" to add it and remove >> the need to manually edit "sshcontrol". I tried: >> >> $ ssh-add alice.key >> Identity added: alice.key (alice.key) >> >> Looking good. However... >> >> $ ssh-add -l >> The agent has no identities. >> >> No joy. I realise the documented way is to edit the sshcontrol file and >> put the keygrip into it. But the positive output above is misleading. John, can you please tell us which version of GnuPG you are using, and just to be sure, also check that gpg-connect-agent 'getinfo version' /bye prints the expected version number? Thanks, Justus -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 454 bytes Desc: not available URL: From gnupg at jelmail.com Thu Oct 13 13:03:37 2016 From: gnupg at jelmail.com (John Lane) Date: Thu, 13 Oct 2016 12:03:37 +0100 Subject: Private key export for SSH In-Reply-To: <878ttsy4nn.fsf@europa.jade-hamburg.de> References: <2bbb7513-321d-491d-925f-2334b1ddeff3@digitalbrains.com> <2ca2f361-48a4-c78e-945a-9af751bdb4f6@jelmail.com> <87y41vynka.fsf@alice.fifthhorseman.net> <36c45a4b-4c87-20cd-ff15-ece5d1d644d1@jelmail.com> <70d07b77-8956-1287-7bb2-8aee575a2b7d@jelmail.com> <878tttutgd.fsf@alice.fifthhorseman.net> <878ttsy4nn.fsf@europa.jade-hamburg.de> Message-ID: <91bbac7b-7ba7-7acb-4b1b-17a6579f3742@jelmail.com> > > John, can you please tell us which version of GnuPG you are using, and > just to be sure, also check that > > gpg-connect-agent 'getinfo version' /bye > > prints the expected version number? > > $ gpg --version gpg (GnuPG) 2.1.14 libgcrypt 1.7.2 $ gpg-agent --version gpg-agent (GnuPG) 2.1.14 libgcrypt 1.7.2 $ gpg-connect-agent 'getinfo version' /bye D 2.1.14 OK Also, in case it's useful: $ uname -srvm Linux 4.6.4-1-ARCH #1 SMP PREEMPT Mon Jul 11 19:30:13 CEST 2016 i686 $ $ pacman -Qo gpg /usr/bin/gpg is owned by gnupg 2.1.14-1 $ cat /etc/os-release NAME="Arch Linux" ID=arch PRETTY_NAME="Arch Linux" ANSI_COLOR="0;36" HOME_URL="https://www.archlinux.org/" SUPPORT_URL="https://bbs.archlinux.org/" BUG_REPORT_URL="https://bugs.archlinux.org/" HTH John From justus at g10code.com Thu Oct 13 13:25:05 2016 From: justus at g10code.com (Justus Winter) Date: Thu, 13 Oct 2016 13:25:05 +0200 Subject: Private key export for SSH In-Reply-To: <91bbac7b-7ba7-7acb-4b1b-17a6579f3742@jelmail.com> References: <2bbb7513-321d-491d-925f-2334b1ddeff3@digitalbrains.com> <2ca2f361-48a4-c78e-945a-9af751bdb4f6@jelmail.com> <87y41vynka.fsf@alice.fifthhorseman.net> <36c45a4b-4c87-20cd-ff15-ece5d1d644d1@jelmail.com> <70d07b77-8956-1287-7bb2-8aee575a2b7d@jelmail.com> <878tttutgd.fsf@alice.fifthhorseman.net> <878ttsy4nn.fsf@europa.jade-hamburg.de> <91bbac7b-7ba7-7acb-4b1b-17a6579f3742@jelmail.com> Message-ID: <871szkxzhq.fsf@europa.jade-hamburg.de> John Lane writes: >> >> John, can you please tell us which version of GnuPG you are using, and >> just to be sure, also check that >> >> gpg-connect-agent 'getinfo version' /bye >> >> prints the expected version number? >> >> > > $ gpg --version > gpg (GnuPG) 2.1.14 > libgcrypt 1.7.2 Thanks. That bug is fixed in GnuPG 2.1.15. Justus -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 454 bytes Desc: not available URL: From brian at minton.name Thu Oct 13 22:03:00 2016 From: brian at minton.name (Brian Minton) Date: Thu, 13 Oct 2016 16:03:00 -0400 Subject: RSA 4096-bit Key In-Reply-To: References: Message-ID: On 10/08/2016 02:58 AM, Rohit P wrote: > > I am using latest version of GPG. I noticed there is no option to > generate RSA 4096-bit key. The same goes with DSA. > > It is, but you have to use the "full" key generation option: $ gpg --full-gen-key gpg (GnuPG) 2.1.15; Copyright (C) 2016 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection? 1 RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) 4096 Requested keysize is 4096 bits Please specify how long the key should be valid. 0 = key does not expire = key expires in n days w = key expires in n weeks m = key expires in n months y = key expires in n years Key is valid for? (0) -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 325 bytes Desc: OpenPGP digital signature URL: From ng0 at we.make.ritual.n0.is Fri Oct 14 01:32:29 2016 From: ng0 at we.make.ritual.n0.is (ng0) Date: Thu, 13 Oct 2016 23:32:29 +0000 Subject: unable to decrypt a mail coming from apple mail Message-ID: <87mvi7vn8y.fsf@we.make.ritual.n0.is> Hi, I've just got an email where the X-Mailer is Apple Mail. It adds some bits and pieces, is a 7bit Content-Transfer-Encoding and I fail to decrypt it with gpg --decrypt (applied to the email as a file and also when applied to the BEGIN/END PGP block). The key is imported, still valid and yet I get: gpg: decryption failed: No secret key I'm running an unaltered Guix build here: ng0 at shadowwalker ~$ gpg --version gpg (GnuPG) 2.1.13 libgcrypt 1.7.3 Help is welcome -- ng0 From dkg at fifthhorseman.net Fri Oct 14 02:59:26 2016 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Thu, 13 Oct 2016 20:59:26 -0400 Subject: Gnupg-users Digest, Vol 157, Issue 15 In-Reply-To: References: Message-ID: <87pon3sq35.fsf@alice.fifthhorseman.net> On Wed 2016-10-12 21:27:38 -0400, Nicholas Strauss wrote: > Hi dkg, > > $ md5sum pinentry-gnome3 > cf267ac78545eb9c3744b962082d4110 pinentry-gnome3 > Look good? sorry, i'm confused, and i don't have the context for this, or why you're asking me in particular on the gnupg-users mailing list. Can you explain what you're asking about? if you're asking whether that's the "right" md5sum for the pinentry-gnome3 binary (i.e., /usr/bin/pinentry-gnome3), all i can tell you is that it doesn't match my binary. but this isn't a useful question for a bunch of reasons, including: * you might have a different operating system than i do * you might have a different hardware platform than i do * either you or i might have built the binary independently or with different options and so on... if this is related to your earlier question about symlinks(?) that i also didn't really understand, i'm still puzzled. What problem are you trying to solve? What behaviors have you observed? What behaviors were you expecting to observe? What debugging steps have you tried? here are some useful pointers for effective bug-reporting: http://www.chiark.greenend.org.uk/~sgtatham/bugs.html confusedly yours, --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 930 bytes Desc: not available URL: From stebe at mailbox.org Fri Oct 14 13:23:00 2016 From: stebe at mailbox.org (Stephan Beck) Date: Fri, 14 Oct 2016 11:23:00 +0000 Subject: unable to decrypt a mail coming from apple mail In-Reply-To: <87mvi7vn8y.fsf@we.make.ritual.n0.is> References: <87mvi7vn8y.fsf@we.make.ritual.n0.is> Message-ID: <5ada1a8e-1c05-393e-cacf-b3789f126315@mailbox.org> Hi, ng0: > Hi, > > I've just got an email where the X-Mailer is Apple Mail. It adds some > bits and pieces, is a 7bit Content-Transfer-Encoding and I fail to > decrypt it with gpg --decrypt (applied to the email as a file and also > when applied to the BEGIN/END PGP block). > The key is imported, still valid and yet I get: > gpg: decryption failed: No secret key > > I'm running an unaltered Guix build here: > ng0 at shadowwalker ~$ gpg --version > gpg (GnuPG) 2.1.13 > libgcrypt 1.7.3 have you checked the bug tracker at (1) ? There are several entries for gpg: decryption failed: No secret key. when you enter this very phrase into the search entry mask. Maybe there you'll find what you are looking for. Cheers Stephan (1) https://bugs.gnupg.org From daniel at pocock.pro Fri Oct 14 13:31:13 2016 From: daniel at pocock.pro (Daniel Pocock) Date: Fri, 14 Oct 2016 13:31:13 +0200 Subject: mentors needed for the PGP Clean Room project in Outreachy/GSoC Message-ID: <968f3619-936f-c496-3c20-7f7000284e00@pocock.pro> Hi all, I've advertised[1] the PGP Clean Room in the current round of Outreachy and it will probably be promoted in GSoC 2017 too. We already have a couple of applicants interested in working on it, their details are in the pki-clean-room list archive[2] Would anybody from the GnuPG community be interested in collaborating as a co-mentor on this project? If so, please feel free to email me and/or subscribe to the pki-clean-room mailing list[3]. Regards, Daniel 1. https://danielpocock.com/outreachy-gsoc-2017-pki-clean-room 2. http://lists.alioth.debian.org/pipermail/pki-clean-room-devel/Week-of-Mon-20161010/date.html 3. https://lists.alioth.debian.org/mailman/listinfo/pki-clean-room-devel From ng0 at we.make.ritual.n0.is Fri Oct 14 20:28:31 2016 From: ng0 at we.make.ritual.n0.is (ng0) Date: Fri, 14 Oct 2016 18:28:31 +0000 Subject: unable to decrypt a mail coming from apple mail In-Reply-To: <5ada1a8e-1c05-393e-cacf-b3789f126315@mailbox.org> References: <87mvi7vn8y.fsf@we.make.ritual.n0.is> <5ada1a8e-1c05-393e-cacf-b3789f126315@mailbox.org> Message-ID: <87twce944w.fsf@we.make.ritual.n0.is> Stephan Beck writes: > Hi, > > ng0: >> Hi, >> >> I've just got an email where the X-Mailer is Apple Mail. It adds some >> bits and pieces, is a 7bit Content-Transfer-Encoding and I fail to >> decrypt it with gpg --decrypt (applied to the email as a file and also >> when applied to the BEGIN/END PGP block). >> The key is imported, still valid and yet I get: >> gpg: decryption failed: No secret key >> >> I'm running an unaltered Guix build here: >> ng0 at shadowwalker ~$ gpg --version >> gpg (GnuPG) 2.1.13 >> libgcrypt 1.7.3 > > have you checked the bug tracker at (1) ? > There are several entries for > gpg: decryption failed: No secret key. > > when you enter this very phrase into the search entry mask. > > Maybe there you'll find what you are looking for. > > Cheers > > Stephan > > (1) https://bugs.gnupg.org > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > >From the subjects of those 9 bugs I don't see how they are related to my problem. Nevertheless I will read into them in the next days. Thanks From gpg at noffin.com Fri Oct 14 20:11:48 2016 From: gpg at noffin.com (gpg at noffin.com) Date: Fri, 14 Oct 2016 11:11:48 -0700 Subject: Secret key Questions regarding expiration and backing up Message-ID: <392f3925d31b573fdf7170d4989d2bac.squirrel@isp.srvrs.co> Hi there - pretty new with GPG, but have been getting going with it without much issue. I'm just curious about a few best practices and so on. 1) Should you set an expiration on your secret key? Or do most people just secure it appropriately (with no expiration)? 2) If you do have the secret key expire, and I have a backup of it (file format) - And for some reason I forget to extend it before expiration - can I still extend it? I did a few tests exporting a secret key before and after extending the expiration date - and obviously the file contents changed. I just want to be sure that I have a good backup of it, however follow best practices. Thank you. From andrewg at andrewg.com Fri Oct 14 23:01:49 2016 From: andrewg at andrewg.com (Andrew Gallagher) Date: Fri, 14 Oct 2016 22:01:49 +0100 Subject: Secret key Questions regarding expiration and backing up In-Reply-To: <392f3925d31b573fdf7170d4989d2bac.squirrel@isp.srvrs.co> References: <392f3925d31b573fdf7170d4989d2bac.squirrel@isp.srvrs.co> Message-ID: <65006322-74A0-425C-8B97-2909F2161DE3@andrewg.com> On 14 Oct 2016, at 19:11, gpg at noffin.com wrote: > > Hi there - pretty new with GPG, but have been getting going with it > without much issue. I'm just curious about a few best practices and so on. > > 1) Should you set an expiration on your secret key? Or do most people just > secure it appropriately (with no expiration)? Secret keys don't have expiration dates, only public keys. Best practice is to set an expiration date of a year or two in the future on the primary key, and either the same or shorter on your subkeys (I use the same expiry myself, for simplicity). The reason for this is that you may lose your secret material or forget your password, and you don't want stale keys hanging around on the internet forever with no indication that they are no longer usable. > 2) If you do have the secret key expire, and I have a backup of it (file > format) - And for some reason I forget to extend it before expiration - > can I still extend it? Yes. Just edit the public key and republish. The expiration date only informs other people that their software should stop using the key - it doesn't prevent you from doing anything. Andrew From gpg at noffin.com Sat Oct 15 00:49:37 2016 From: gpg at noffin.com (gpg at noffin.com) Date: Fri, 14 Oct 2016 15:49:37 -0700 Subject: Secret key Questions regarding expiration and backing up In-Reply-To: <65006322-74A0-425C-8B97-2909F2161DE3@andrewg.com> References: <392f3925d31b573fdf7170d4989d2bac.squirrel@isp.srvrs.co> <65006322-74A0-425C-8B97-2909F2161DE3@andrewg.com> Message-ID: <47b4714ec48c77cd316f22b91a95c3e9.squirrel@isp.srvrs.co> > On 14 Oct 2016, at 19:11, gpg at noffin.com wrote: >> >> Hi there - pretty new with GPG, but have been getting going with it >> without much issue. I'm just curious about a few best practices and so >> on. >> >> 1) Should you set an expiration on your secret key? Or do most people >> just >> secure it appropriately (with no expiration)? > > Secret keys don't have expiration dates, only public keys. Best practice > is to set an expiration date of a year or two in the future on the primary > key, and either the same or shorter on your subkeys (I use the same expiry > myself, for simplicity). > > The reason for this is that you may lose your secret material or forget > your password, and you don't want stale keys hanging around on the > internet forever with no indication that they are no longer usable. > >> 2) If you do have the secret key expire, and I have a backup of it (file >> format) - And for some reason I forget to extend it before expiration - >> can I still extend it? > > Yes. Just edit the public key and republish. The expiration date only > informs other people that their software should stop using the key - it > doesn't prevent you from doing anything. > > Andrew > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > So for clarification then: If there are no expiry dates on secret keys, what does this output mean then? #gpg --list-secret-keys sec 2048R/xxxxxxxx 2014-10-30 [expires: 2017-10-31] And my next question is then... When I exported my secret key and moved it to another machine - why did the contents of the export to file change between the extension of the expiration date? (I exported before and after to test). Thanks in advance! From andrewg at andrewg.com Sat Oct 15 01:16:45 2016 From: andrewg at andrewg.com (Andrew Gallagher) Date: Sat, 15 Oct 2016 00:16:45 +0100 Subject: Secret key Questions regarding expiration and backing up In-Reply-To: <47b4714ec48c77cd316f22b91a95c3e9.squirrel@isp.srvrs.co> References: <392f3925d31b573fdf7170d4989d2bac.squirrel@isp.srvrs.co> <65006322-74A0-425C-8B97-2909F2161DE3@andrewg.com> <47b4714ec48c77cd316f22b91a95c3e9.squirrel@isp.srvrs.co> Message-ID: <9A4321E9-ED09-45F4-8982-CB1658682A45@andrewg.com> On 14 Oct 2016, at 23:49, gpg at noffin.com wrote: > So for clarification then: > > If there are no expiry dates on secret keys, what does this output mean then? > > #gpg --list-secret-keys > > > sec 2048R/xxxxxxxx 2014-10-30 [expires: 2017-10-31] > The expiry date shown here is just a copy of the one on the public key. It is checked by gnupg to prevent it making signatures with a secret key that has an expired public key (and which are therefore unverifiable by others). I suppose you could think of this as being the expiry of the secret key, but it is always the same as that of the public key and the one on the public key is the important one. > And my next question is then... When I exported my secret key and moved it > to another machine - why did the contents of the export to file change > between the extension of the expiration date? (I exported before and after > to test). I'll defer to someone more expert than me on the internals, but my understanding is that a copy of some public key information (such as expiry dates) is kept in the corresponding secret key store, and this will be updated when the public key is edited. Andrew. From dkg at fifthhorseman.net Sat Oct 15 02:54:32 2016 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Fri, 14 Oct 2016 20:54:32 -0400 Subject: Secret key Questions regarding expiration and backing up In-Reply-To: <9A4321E9-ED09-45F4-8982-CB1658682A45@andrewg.com> References: <392f3925d31b573fdf7170d4989d2bac.squirrel@isp.srvrs.co> <65006322-74A0-425C-8B97-2909F2161DE3@andrewg.com> <47b4714ec48c77cd316f22b91a95c3e9.squirrel@isp.srvrs.co> <9A4321E9-ED09-45F4-8982-CB1658682A45@andrewg.com> Message-ID: <87mvi6ph2v.fsf@alice.fifthhorseman.net> On Fri 2016-10-14 19:16:45 -0400, Andrew Gallagher wrote: > my understanding is that a copy of some public key information (such > as expiry dates) is kept in the corresponding secret key store, and > this will be updated when the public key is edited. This is exactly correct. see: https://tools.ietf.org/html/rfc4880#section-5.5.3 The Secret-Key and Secret-Subkey packets contain all the data of the Public-Key and Public-Subkey packets, with additional algorithm- specific secret-key data appended, usually in encrypted form. Regards, --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 930 bytes Desc: not available URL: From gnupg at jelmail.com Sat Oct 15 17:19:12 2016 From: gnupg at jelmail.com (John Lane) Date: Sat, 15 Oct 2016 16:19:12 +0100 Subject: Private key export for SSH In-Reply-To: <871szkxzhq.fsf@europa.jade-hamburg.de> References: <2bbb7513-321d-491d-925f-2334b1ddeff3@digitalbrains.com> <2ca2f361-48a4-c78e-945a-9af751bdb4f6@jelmail.com> <87y41vynka.fsf@alice.fifthhorseman.net> <36c45a4b-4c87-20cd-ff15-ece5d1d644d1@jelmail.com> <70d07b77-8956-1287-7bb2-8aee575a2b7d@jelmail.com> <878tttutgd.fsf@alice.fifthhorseman.net> <878ttsy4nn.fsf@europa.jade-hamburg.de> <91bbac7b-7ba7-7acb-4b1b-17a6579f3742@jelmail.com> <871szkxzhq.fsf@europa.jade-hamburg.de> Message-ID: <52c56750-399f-0b92-9a24-1fbb82b2e8de@jelmail.com> > > Thanks. That bug is fixed in GnuPG 2.1.15. > > Justus > Thanks Justus. I have just updated my system and now have 2.1.15 and I can confirm that it works as one would expect. From gnupg at jelmail.com Sat Oct 15 17:33:42 2016 From: gnupg at jelmail.com (John Lane) Date: Sat, 15 Oct 2016 16:33:42 +0100 Subject: SSH public key comment field and gpg-agent Message-ID: <0707c687-95e6-9644-2240-6fdeda9e512f@jelmail.com> The SSH public key format contains a comment field (RFC4716, s3.3.2): The comment header contains a user-specified comment. user at example.com >From "man sshd": Public keys consist of the following space-separated fields: options, keytype, base64-encoded key, comment. The comment field is not used for anything (but may be convenient for the user to identify the key). If I load an SSH key from a file using 'ssh-add' the comment field is populated with the file name (i.e. "alice.pem") if the gpg-agent does not already contain that key. If I do "ssh-add -L" I will see "alice.pem" at the end of the output: ssh-rsa AAAAB3NzaC1yc2EAAAADAQAHT...IfFoxh2j13b3 alice.pem If the key is in the agent because of the gpg keyring then it is known as "(none)". If I do "ssh-add -L" I will see "(none)" at the end of the output: ssh-rsa AAAAB3NzaC1yc2EAAAADAQAHT...IfFoxh2j13b3 (none) The reason that I stumbled upon this was because I was debugging a ssh connection that used the gpg-agent and the ssh debugging output displayed the following misleading output: debug1: Offering RSA public key: (none) which means the public key called "(none)" rather than, as I initially interpreted it, no public key. It's also useful client-side to see who a public key belongs to. It would be good if the comment field reflected the key source, perhaps the short (or long) key id. For example: ssh-rsa AAAAB3NzaC1yc2EAAAADAQAHT...IfFoxh2j13b3 (3A808C39) Or even the primary uid of the key ssh-rsa AAAAB3NzaC1yc2EAAAADAQAHT...IfFoxh2j13b3 alice at example.org Incidentally, exporting the public key this way (which, I think, comes from the pubring rather than the agent) gpg --export alice | ./openpgp2ssh 63A808C39 results in no comment field at all: ssh-rsa AAAAB3NzaC1yc2EAAAADAQAHT...IfFoxh2j13b3 I have no idea whether this is a gpg-agent thing, but is it possible to control how the comment field is populated ? [gpg (GnuPG) 2.1.15 libgcrypt 1.7.3] From gnupg at jelmail.com Sat Oct 15 17:34:14 2016 From: gnupg at jelmail.com (John Lane) Date: Sat, 15 Oct 2016 16:34:14 +0100 Subject: using with su/sudo In-Reply-To: References: <5b0353b0-81e0-a02e-67dc-74d8bdeca3ad@jelmail.com> <02221751-161d-12d5-541f-f5a7959b74c8@fsij.org> Message-ID: > > Then, the command "updatestartuptty" can fix the situation. > I tried this and it worked, in a su/sudo I had to do this: $ script -q -c '(gpg-connect-agent updatestartuptty /bye; ssh-add alice.subkey)' From caro at nymph.paranoici.org Sun Oct 16 03:22:50 2016 From: caro at nymph.paranoici.org (Carola Grunwald) Date: Sun, 16 Oct 2016 01:22:50 +0000 (UTC) Subject: Implications of a common private keys directory in 2.1 Message-ID: <20161016012250.2CB31101F1EA@remailer.paranoici.org> Hi, my next problem with 2.1.15 on Windows 7. I add a pub/sec keypair to two different keyrings '--import ... --keyring a.kbx', then '--import ... --keyring b.kbx'. Following this I delete that key from one of the keyrings '--delete-secret-and-public-key ... --keyring a.kbx', which unfortunately as a side effect also removes the secret key associated with the other public keyring (b.kbx), as for both public key items there's only one single secret key file stored in the common private-keys-v1.d directory. Is there any chance to get that disentangled, maybe by defining a separate secret key directory for each public .kbx keyring in use? Kind regards, Caro From kevin at z.cash Sun Oct 16 19:58:59 2016 From: kevin at z.cash (Kevin Gallagher) Date: Sun, 16 Oct 2016 10:58:59 -0700 Subject: Why doesn't gpg-agent forwarding work? In-Reply-To: References: Message-ID: <1e39042d-f319-9170-4c89-c38c0c84028a@z.cash> Hi all, I've tried to get this working to no avail. I've consulted past postings to this list as well as various online references. Some people seem to have got this to work, but most seem to have trouble. I would appreciate any guidance or help anyone can offer. I want my gpg-agent to be shared with another host, specifically a Vagrant/VirtualBox virtual machine, via Unix socket forwarding, which is a feature that arrived with OpenSSH 6.7. I can get my gpg-agent's socket forwarded, and I can talk to it with gpg-connect-agent, and even obtain a list of keygrips for the keys residing on the local machine. However, the forwarded gpg-agent socket does not seem to interface with the GPG CLI utility, i.e. running `gpg2 --use-agent --list-keys` shows nothing. This is important because I'm in the process of developing a deterministic build environment for a project, and many of us prefer to use smartcards or YubiKeys, so copying our secret keys into the VM is not an option. The ability to forward the local gpg-agent into the VM for signing operations would be very convenient. GPG version on host: 2.1.15 (Debian stretch) GPG version on VM: 2.0.26 (Debian jessie) This illustrates what I'm doing: GPG_SOCK=$(echo "$GPG_AGENT_INFO" | cut -d: -f1) vagrant ssh vm -- -t -A \ -R /home/vagrant/.gnupg/S.gpg-agent:$GPG_SOCK \ -o StreamLocalBindUnlink=yes \ -o ExitOnForwardFailure=yes Setting some environment variables in the VM does not help: GPG_AGENT_INFO=/home/vagrant/.gnupg/S.gpg-agent:0:1 GPG_SOCK=/home/vagrant/.gnupg/S.gpg-agent GPG_TTY=/dev/pts/1 I've tried alternate/matching versions of GnuPG, pored over the manpages and options, and tried other stuff, with no luck. Does anyone have any idea why it is that gpg-connect-agent can speak to the forwarded socket but not gpg? Has someone here got this working before? thanks in advance, Kevin -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 801 bytes Desc: OpenPGP digital signature URL: From thomas at glanzmann.de Mon Oct 17 07:45:39 2016 From: thomas at glanzmann.de (Thomas Glanzmann) Date: Mon, 17 Oct 2016 07:45:39 +0200 Subject: Why doesn't gpg-agent forwarding work? In-Reply-To: <1e39042d-f319-9170-4c89-c38c0c84028a@z.cash> References: <1e39042d-f319-9170-4c89-c38c0c84028a@z.cash> Message-ID: <20161017054539.GA17983@glanzmann.de> Hello Kevin, > GPG version on host: 2.1.15 (Debian stretch) > GPG version on VM: 2.0.26 (Debian jessie) gpg 2.0.26 does the gpg operations local and not using gnupg-agent. Starting with the 2.1.x versions gnupg uses gnupg-agent for doing all operations. As a result you need to have 2.1.x on the remote machine. On the local you could have actually run 2.0 however your private key if not stored on a smartcard would be exposed using the remote socket. Find attached a build script do build gnupg 2.1.x for Debian jessie. Try not to replace gnupg in the system because it would break to many things. Instead install it to a separate location. Build dependencies are: sudo apt-get install texinfo transfig bison flex libbz2-dev libsqlite3-dev libgnutls28-dev pkg-config libusb-1.0-0-dev Cheers, Thomas -------------- next part -------------- A non-text attachment was scrubbed... Name: build.sh Type: application/x-sh Size: 2181 bytes Desc: not available URL: From justus at g10code.com Mon Oct 17 10:27:09 2016 From: justus at g10code.com (Justus Winter) Date: Mon, 17 Oct 2016 10:27:09 +0200 Subject: SSH public key comment field and gpg-agent In-Reply-To: <0707c687-95e6-9644-2240-6fdeda9e512f@jelmail.com> References: <0707c687-95e6-9644-2240-6fdeda9e512f@jelmail.com> Message-ID: <871szf8joi.fsf@europa.jade-hamburg.de> Hi :) -------------- next part -------------- John Lane writes: > If the key is in the agent because of the gpg keyring then it is known > as "(none)". If I do "ssh-add -L" I will see "(none)" at the end of the > output: > > ssh-rsa AAAAB3NzaC1yc2EAAAADAQAHT...IfFoxh2j13b3 (none) > > The reason that I stumbled upon this was because I was debugging a ssh > connection that used the gpg-agent and the ssh debugging output > displayed the following misleading output: > > debug1: Offering RSA public key: (none) > > which means the public key called "(none)" rather than, as I initially > interpreted it, no public key. > > It's also useful client-side to see who a public key belongs to. > > It would be good if the comment field reflected the key source, perhaps > the short (or long) key id. For example: > > ssh-rsa AAAAB3NzaC1yc2EAAAADAQAHT...IfFoxh2j13b3 (3A808C39) Agreed, that would be useful. Feel free to open a bug report. Cheers, Justus -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 454 bytes Desc: not available URL: From gnupg at jelmail.com Mon Oct 17 13:03:20 2016 From: gnupg at jelmail.com (John Lane) Date: Mon, 17 Oct 2016 12:03:20 +0100 Subject: SSH public key comment field and gpg-agent In-Reply-To: <871szf8joi.fsf@europa.jade-hamburg.de> References: <0707c687-95e6-9644-2240-6fdeda9e512f@jelmail.com> <871szf8joi.fsf@europa.jade-hamburg.de> Message-ID: <25ebbf98-22ec-dfd8-c760-d425d9bc369a@jelmail.com> > > Agreed, that would be useful. Feel free to open a bug report. > raised https://bugs.gnupg.org/gnupg/issue2760 From m4rtntns at gmail.com Mon Oct 17 12:31:16 2016 From: m4rtntns at gmail.com (Martin T) Date: Mon, 17 Oct 2016 13:31:16 +0300 Subject: regular update of all keys from a keyserver Message-ID: Hi, I am aware that one can update all the keys in local-keyring from a keyserver using "gpg --refresh-keys". Are there any disadvantages to simply put this command into user crontab and execute for example once a day? thanks, Martin From rjh at sixdemonbag.org Mon Oct 17 15:48:13 2016 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 17 Oct 2016 09:48:13 -0400 Subject: regular update of all keys from a keyserver In-Reply-To: References: Message-ID: <023901d2287d$1b8b9040$52a2b0c0$@sixdemonbag.org> > I am aware that one can update all the keys in local-keyring from a keyserver > using "gpg --refresh-keys". Are there any disadvantages to simply put this > command into user crontab and execute for example once a day? Not that I know of. Some people will tell you that "an attacker listening in on your network connection could discover your social graph!", but honestly, if people are eavesdropping on my network connection they already have so many ways to discover my social graph that one more just doesn't matter. This 'problem' has always struck me as much ado about nothing much. From dkg at fifthhorseman.net Mon Oct 17 17:41:43 2016 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Mon, 17 Oct 2016 11:41:43 -0400 Subject: regular update of all keys from a keyserver In-Reply-To: References: Message-ID: <8737jvoudk.fsf@alice.fifthhorseman.net> On Mon 2016-10-17 06:31:16 -0400, Martin T wrote: > I am aware that one can update all the keys in local-keyring from a > keyserver using "gpg --refresh-keys". Are there any disadvantages to > simply put this command into user crontab and execute for example once > a day? The only disadvantages are if you don't want to reveal the contents of your keyring to the public keyservers, or to announce your presence on the network. If you prefer to do these things in an anonymized way, you might prefer a tool like parcimonie, or if you're a coder (or have ways to encourage other coders to work on things you think are interesting), you might want to to look into ways to try to address https://bugs.gnupg.org/gnupg/issue1827 --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 930 bytes Desc: not available URL: From stebe at mailbox.org Mon Oct 17 18:35:00 2016 From: stebe at mailbox.org (Stephan Beck) Date: Mon, 17 Oct 2016 16:35:00 +0000 Subject: Fwd: Re: regular update of all keys from a keyserver In-Reply-To: <59a9f9aa-76bf-fa59-ff07-a902965c76fd@mailbox.org> References: <59a9f9aa-76bf-fa59-ff07-a902965c76fd@mailbox.org> Message-ID: <502aab67-d8b3-609b-1674-974f83088b98@mailbox.org> I forgot to send it to the list as well... -------- Forwarded Message -------- Subject: Re: regular update of all keys from a keyserver Date: Mon, 17 Oct 2016 16:20:00 +0000 From: Stephan Beck Reply-To: stebe at mailbox.org To: Martin T Hi Martin, Martin T: > Hi, > > I am aware that one can update all the keys in local-keyring from a > keyserver using "gpg --refresh-keys". Are there any disadvantages to > simply put this command into user crontab and execute for example once > a day? Yes. To protect you and your contacts from an eavesdropper (may it be the ISP or someone else), you may refresh your keyring over the Tor Network, using Parcimonie (1), which opens another circuit for every single refreshing action (one refreshing action, one refreshed key), thus slowly refreshing the whole keyring. Actually, it works with gpg v1, I've never got it working with gpg2, though. If someone out there knows how to adapt it for use with gpg2, go ahead and tell us! Well, you don't tell us anything about your system or your gpg version, but another way (with gpg 2.1.10 or later) is using the in-built support for refreshing your keyring via Tor using --use-tor option. Quote from the 2.1.10 announce mail (2): * dirmngr: New option --use-tor. For full support this requires libassuan version 2.4.2 and a patched version of libadns (e.g. adns-1.4-g10-7 as used by the standard Windows installer). If you do not use or do not want to use Tor, I'd recommend using at least https in any case, retrieving the certificate of sks-keyservers.netCA.pem first (3), verifying it and copying it into your gnupg home directory, and adding it to the keyserver section in gpg.conf. I'd never refresh my keyring over plain http, because, yes, we "should all have something to hide" (4), whatever the threats may be that are already knocking on our doors and whoever might tell us that this battle is lost or useless. (1) https://gaffer.ptitcanardnoir.org/intrigeri/code/parcimonie/ (2) https://lists.gnupg.org/pipermail/gnupg-announce/2015q4/000381.html (3) https://sks-keyservers.net/sks-keyservers.netCA.pe (4) https://moxie.org/blog/we-should-all-have-something-to-hide/ Cheers Stephan -------------- next part -------------- A non-text attachment was scrubbed... Name: 0x4218732B.asc Type: application/pgp-keys Size: 4089 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From brian at minton.name Mon Oct 17 18:52:40 2016 From: brian at minton.name (Brian Minton) Date: Mon, 17 Oct 2016 12:52:40 -0400 Subject: regular update of all keys from a keyserver In-Reply-To: <8737jvoudk.fsf@alice.fifthhorseman.net> References: <8737jvoudk.fsf@alice.fifthhorseman.net> Message-ID: <49c61be3-77ba-295e-1833-994a0216284f@minton.name> On 10/17/2016 11:41 AM, Daniel Kahn Gillmor wrote: > On Mon 2016-10-17 06:31:16 -0400, Martin T wrote: > >> I am aware that one can update all the keys in local-keyring from a >> keyserver using "gpg --refresh-keys". Are there any disadvantages to >> simply put this command into user crontab and execute for example once >> a day? > The only disadvantages are if you don't want to reveal the contents of > your keyring to the public keyservers, or to announce your presence on > the network. > > If you prefer to do these things in an anonymized way, you might prefer > a tool like parcimonie, I run a key server, which allows me to do as many key-retrieval queries as I like, without giving any information away to the rest of the world. It also helps a little, but not completely, with the problem of adding keys to the keyserver network, with respect to my social network. In particular, it's not easy for any keyserver to see which of its peers' peers a given key or set of keys, originated from. However, in theory, an attacker could track the progress of a given key across the network of keyservers by quick querying, but it's a pretty small window between the introduction of keys to a single member of the pool, and it being shared to all the keyservers. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 325 bytes Desc: OpenPGP digital signature URL: From dsaklad at gnu.org Tue Oct 18 00:18:01 2016 From: dsaklad at gnu.org (Don Saklad) Date: Mon, 17 Oct 2016 18:18:01 -0400 Subject: Please develop even easier materials for complete novice type folks... Message-ID: <5i1szek4bq.fsf@fencepost.gnu.org> Please develop even easier materials for complete novice type folks other than at https://emailselfdefense.fsf.org/en/ and at https://gnupg.org From dkg at fifthhorseman.net Tue Oct 18 03:19:55 2016 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Mon, 17 Oct 2016 21:19:55 -0400 Subject: using with su/sudo In-Reply-To: References: <5b0353b0-81e0-a02e-67dc-74d8bdeca3ad@jelmail.com> <02221751-161d-12d5-541f-f5a7959b74c8@fsij.org> Message-ID: <87wph6h2ro.fsf@alice.fifthhorseman.net> On Sat 2016-10-15 11:34:14 -0400, John Lane wrote: >> >> Then, the command "updatestartuptty" can fix the situation. >> > > I tried this and it worked, in a su/sudo I had to do this: > > $ script -q -c '(gpg-connect-agent updatestartuptty /bye; ssh-add > alice.subkey)' so the use of script here is to allocate a new pseudoterminal, to get an independent tty, right? this seems like a pretty roundabout way to get the result the user is naively looking for. is it possible that we could offer some other easier/simpler mechanism for users invoking gpg-agent for its ssh-agent emulation across user accounts? --dkg From m4rtntns at gmail.com Tue Oct 18 09:09:53 2016 From: m4rtntns at gmail.com (Martin T) Date: Tue, 18 Oct 2016 10:09:53 +0300 Subject: regular update of all keys from a keyserver In-Reply-To: <49c61be3-77ba-295e-1833-994a0216284f@minton.name> References: <8737jvoudk.fsf@alice.fifthhorseman.net> <49c61be3-77ba-295e-1833-994a0216284f@minton.name> Message-ID: Thank you for all the replies! Martin On Mon, Oct 17, 2016 at 7:52 PM, Brian Minton wrote: > > > On 10/17/2016 11:41 AM, Daniel Kahn Gillmor wrote: >> On Mon 2016-10-17 06:31:16 -0400, Martin T wrote: >> >>> I am aware that one can update all the keys in local-keyring from a >>> keyserver using "gpg --refresh-keys". Are there any disadvantages to >>> simply put this command into user crontab and execute for example once >>> a day? >> The only disadvantages are if you don't want to reveal the contents of >> your keyring to the public keyservers, or to announce your presence on >> the network. >> >> If you prefer to do these things in an anonymized way, you might prefer >> a tool like parcimonie, > > I run a key server, which allows me to do as many key-retrieval queries > as I like, without giving any information away to the rest of the > world. It also helps a little, but not completely, with the problem of > adding keys to the keyserver network, with respect to my social > network. In particular, it's not easy for any keyserver to see which of > its peers' peers a given key or set of keys, originated from. However, > in theory, an attacker could track the progress of a given key across > the network of keyservers by quick querying, but it's a pretty small > window between the introduction of keys to a single member of the pool, > and it being shared to all the keyservers. > > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From daniel at pocock.pro Tue Oct 18 09:51:20 2016 From: daniel at pocock.pro (Daniel Pocock) Date: Tue, 18 Oct 2016 09:51:20 +0200 Subject: reviewing wiki / shortlist PIN-pad readers Message-ID: I was looking at this page: https://wiki.gnupg.org/CardReader/PinpadInput Are any of these more outstanding than the others, or it doesn't matter which one somebody chooses? Could anybody comment on which of those are easily available in small quantities for developers, or suppliers who are cost effective for small quantities? From kevin at z.cash Tue Oct 18 10:56:41 2016 From: kevin at z.cash (Kevin Gallagher) Date: Tue, 18 Oct 2016 01:56:41 -0700 Subject: Why doesn't gpg-agent forwarding work? In-Reply-To: <20161017054539.GA17983@glanzmann.de> References: <1e39042d-f319-9170-4c89-c38c0c84028a@z.cash> <20161017054539.GA17983@glanzmann.de> Message-ID: <86a9a7a8-351c-6152-6f39-697422b09fbb@z.cash> Hey Thomas, Thanks for the advice. But as I mentioned, I tried using GnuPG 2.1.15 on the target machine as well (via the packages in Debian sid), and this did not work. gpg2 is simply not speaking to the forwarded gpg-agent socket, however gpg-connect-agent can. Any other ideas? Kevin On 10/16/2016 10:45 PM, Thomas Glanzmann wrote: > Hello Kevin, > >> GPG version on host: 2.1.15 (Debian stretch) >> GPG version on VM: 2.0.26 (Debian jessie) > gpg 2.0.26 does the gpg operations local and not using gnupg-agent. > Starting with the 2.1.x versions gnupg uses gnupg-agent for doing all > operations. As a result you need to have 2.1.x on the remote machine. On > the local you could have actually run 2.0 however your private key if > not stored on a smartcard would be exposed using the remote socket. Find > attached a build script do build gnupg 2.1.x for Debian jessie. Try not > to replace gnupg in the system because it would break to many things. > Instead install it to a separate location. > > Build dependencies are: > > sudo apt-get install texinfo transfig bison flex libbz2-dev libsqlite3-dev libgnutls28-dev pkg-config libusb-1.0-0-dev > > Cheers, > Thomas -------------- next part -------------- An HTML attachment was scrubbed... URL: From gniibe at fsij.org Tue Oct 18 10:58:31 2016 From: gniibe at fsij.org (NIIBE Yutaka) Date: Tue, 18 Oct 2016 17:58:31 +0900 Subject: reviewing wiki / shortlist PIN-pad readers In-Reply-To: References: Message-ID: Sorry, I didn't have time to reply your call the other day. I think that Gemalto Shelltoken Card Reader, which is available at http://shop.kernelconcepts.de/ is good one. Please note that OpenPGP card requires specific card readers. Its users usually use RSA-2048, RSA-3072, or RSA-4096. For those key sizes, the communication is somewhat difficult for old standard of ISO 7816. (For RSA-1024, most smart card readers work well.) I recommend TPDU readers, because readers which support extended APDU level communication tend to have issues for larger size communication. On 10/18/2016 04:51 PM, Daniel Pocock wrote: > I was looking at this page: > > https://wiki.gnupg.org/CardReader/PinpadInput > > Are any of these more outstanding than the others, or it doesn't matter > which one somebody chooses? > > Could anybody comment on which of those are easily available in small > quantities for developers, or suppliers who are cost effective for small > quantities? I implemented the pinpad input support in scdaemon. While I know some claims that it is good feature, I, for myself, don't think it's worth to have. I don't think the attack to USB communication could be mitigated by pinpad card reader. If such an attack is possible, a user already would be defeated. It is common for such card readers to have only numeric pads. That limits the entropy of passphrase, considerably. And, as far as I know, I don't know any implementation of card readers in the market, which firmware is Free Software. With user interface like pinpad input, it is more difficult for me to trust an implementation of such a card reader. -- From gnudevliz at gmail.com Mon Oct 17 22:50:22 2016 From: gnudevliz at gmail.com (Elizabeth Ferdman) Date: Mon, 17 Oct 2016 13:50:22 -0700 Subject: smartcard reader Message-ID: <20161017205021.GA3273@localhost> Hello, I'm in the market for a smartcard reader and I live in the United States. I found two ways to get an OpenPGP card already, either from shop.kernelconcepts.de or from the FSFE as a sustaining member. Does anyone know how I can get a smart card reader though? It has to be one from this list: SCM SPR 532 USB ID: 04e6:e003 PC/SC reader name: SPRx32 KAAN Advanced USB ID: 0d46: FSIJ Gnuk Token USB ID: 234b:0000 Reiner cyberJack Go USB ID: 0c4b:0504 Vasco DigiPASS 920 USB ID: 1a44:0920 Cherry ST2000 USB ID: 046a:003e Thanks, Liz From daniel at pocock.pro Tue Oct 18 12:31:52 2016 From: daniel at pocock.pro (Daniel Pocock) Date: Tue, 18 Oct 2016 12:31:52 +0200 Subject: reviewing wiki / shortlist PIN-pad readers In-Reply-To: References: Message-ID: On 18/10/16 10:58, NIIBE Yutaka wrote: > Please note that OpenPGP card requires specific card readers. Its > users usually use RSA-2048, RSA-3072, or RSA-4096. For those key > sizes, the communication is somewhat difficult for old standard of ISO > 7816. (For RSA-1024, most smart card readers work well.) > > I recommend TPDU readers, because readers which support extended APDU > level communication tend to have issues for larger size communication. > Of those readers with PIN-pads on the wiki shortlist[1], which of them are TPDU readers, or all of them? > On 10/18/2016 04:51 PM, Daniel Pocock wrote: >> I was looking at this page: >> >> https://wiki.gnupg.org/CardReader/PinpadInput >> >> Are any of these more outstanding than the others, or it doesn't matter >> which one somebody chooses? >> >> Could anybody comment on which of those are easily available in small >> quantities for developers, or suppliers who are cost effective for small >> quantities? > > I implemented the pinpad input support in scdaemon. While I know some > claims that it is good feature, I, for myself, don't think it's worth > to have. > > I don't think the attack to USB communication could be mitigated by > pinpad card reader. If such an attack is possible, a user already > would be defeated. > I thought that if the PIN is entered in the PIN-pad, it is never sent over the USB connection? > It is common for such card readers to have only numeric pads. That > limits the entropy of passphrase, considerably. And, as far as I > know, I don't know any implementation of card readers in the market, > which firmware is Free Software. With user interface like pinpad > input, it is more difficult for me to trust an implementation of such > a card reader. Isn't it more a case of choosing the lesser evil: - a PIN-pad reader with some proprietary firmware - the possibility that the user's OS has been compromised or that somebody fit a keystroke logger to their keyboard There is no such thing as perfect security and I wasn't claiming that a PIN-pad implies perfection. Regards, Daniel 1. https://wiki.gnupg.org/CardReader/PinpadInput From m4rtntns at gmail.com Tue Oct 18 12:42:24 2016 From: m4rtntns at gmail.com (Martin T) Date: Tue, 18 Oct 2016 13:42:24 +0300 Subject: list revoked UIDs Message-ID: Hi, I imported a public key from keyserver which has multiple UIDs and one of those UIDs is revoked. When I execute "gpg --list-keys " then I see only active UIDs and not that one revoked UID. Is there a way to list that revoked UID? Or wasn't that imported in the first place? thanks, Martin From stebe at mailbox.org Tue Oct 18 13:11:00 2016 From: stebe at mailbox.org (Stephan Beck) Date: Tue, 18 Oct 2016 11:11:00 +0000 Subject: reviewing wiki / shortlist PIN-pad readers In-Reply-To: References: Message-ID: Hi, NIIBE Yutaka: > Sorry, I didn't have time to reply your call the other day. > > I think that Gemalto Shelltoken Card Reader, which is available > at http://shop.kernelconcepts.de/ is good one. > > Please note that OpenPGP card requires specific card readers. Its > users usually use RSA-2048, RSA-3072, or RSA-4096. For those key > sizes, the communication is somewhat difficult for old standard of ISO > 7816. (For RSA-1024, most smart card readers work well.) > > I recommend TPDU readers, because readers which support extended APDU > level communication tend to have issues for larger size communication. > > On 10/18/2016 04:51 PM, Daniel Pocock wrote: >> I was looking at this page: >> >> https://wiki.gnupg.org/CardReader/PinpadInput >> >> Are any of these more outstanding than the others, or it doesn't matter >> which one somebody chooses? >> >> Could anybody comment on which of those are easily available in small >> quantities for developers, or suppliers who are cost effective for small >> quantities? > > I implemented the pinpad input support in scdaemon. While I know some > claims that it is good feature, I, for myself, don't think it's worth > to have. > > I don't think the attack to USB communication could be mitigated by > pinpad card reader. If such an attack is possible, a user already > would be defeated. > > It is common for such card readers to have only numeric pads. That > limits the entropy of passphrase, considerably. And, as far as I > know, I don't know any implementation of card readers in the market, > which firmware is Free Software. With user interface like pinpad > input, it is more difficult for me to trust an implementation of such > a card reader. > Just one note for now: For example, The Nitrokey Storage (1,2), a usb crypto stick with integrated card reader) is 100% open source, free software, verifiable firmware. On the other hand, it has no pinpad. There may be others (with free software), but I don't know of them. I just use the Nitrokey, without having any ties with its makers. If lack of PIN-pad device is not a knock-out criteria, you might ask them about quantities and conditions. (1) https://www.nitrokey.com/ (comparison table at bottom of page) (2) https://www.nitrokey.com/news/2016/nitrokey-storage-available (3) https://www.nitrokey.com/introduction (quick overview) (4) https://www.nitrokey.com/news/2015/nitrokey-storage-got-great-results-3rd-party-security-audit (with links to the actual security audit pdf's) Cheers Stephan -------------- next part -------------- A non-text attachment was scrubbed... Name: 0x4218732B.asc Type: application/pgp-keys Size: 4089 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From peter at digitalbrains.com Tue Oct 18 13:25:32 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Tue, 18 Oct 2016 13:25:32 +0200 Subject: reviewing wiki / shortlist PIN-pad readers In-Reply-To: References: Message-ID: <3a344a7c-6991-1495-256a-fbacf6fc6abf@digitalbrains.com> On 18/10/16 10:58, NIIBE Yutaka wrote: > I don't think the attack to USB communication could be mitigated by > pinpad card reader. If such an attack is possible, a user already > would be defeated. It would IMO not prevent key usage, so in that sense the user is defeated. It would still limit the time of exposure, since key extraction should still be prohibitively difficult. This is a contentious topic I think :-). People put different amounts of stock in the protection afforded by smartcards, and the likelihood of attack scenarios. > It is common for such card readers to have only numeric pads. That > limits the entropy of passphrase, considerably. But luckily, entropy demands on a smartcard PIN are really low. The card locks after three tries. Conversely, if you protect your on-disk key with a 10-digit decimal number, an attacker having the encrypted file could do the required average of 500 million tries in less time than it takes you to make a cup of coffee. A PIN just needs to be unguessable, i.e., properly random. It doesn't have to withstand keyspace enumeration. My 2 cents, Peter. Note to self: make cup of coffee. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From peter at digitalbrains.com Tue Oct 18 13:29:36 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Tue, 18 Oct 2016 13:29:36 +0200 Subject: list revoked UIDs In-Reply-To: References: Message-ID: <9416a9e1-a1de-a5e3-ebdc-adfbf5e4b8db@digitalbrains.com> On 18/10/16 12:42, Martin T wrote: > Is there a > way to list that revoked UID? I think it's: gpg --list-options show-unusable-uids --list-keys <...> I grepped the man page for "revoked" until I hit upon this. > Or wasn't that imported in the first > place? That is a possibility, depending on import-options. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From m4rtntns at gmail.com Tue Oct 18 13:37:52 2016 From: m4rtntns at gmail.com (Martin T) Date: Tue, 18 Oct 2016 14:37:52 +0300 Subject: list revoked UIDs In-Reply-To: <9416a9e1-a1de-a5e3-ebdc-adfbf5e4b8db@digitalbrains.com> References: <9416a9e1-a1de-a5e3-ebdc-adfbf5e4b8db@digitalbrains.com> Message-ID: Thanks! This did the trick. Martin On Tue, Oct 18, 2016 at 2:29 PM, Peter Lebbing wrote: > On 18/10/16 12:42, Martin T wrote: >> Is there a >> way to list that revoked UID? > > I think it's: > > gpg --list-options show-unusable-uids --list-keys <...> > > I grepped the man page for "revoked" until I hit upon this. > >> Or wasn't that imported in the first >> place? > > That is a possibility, depending on import-options. > > HTH, > > Peter. > > -- > I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. > You can send me encrypted mail if you want some privacy. > My key is available at > From meno.abels at adviser.com Tue Oct 18 15:09:57 2016 From: meno.abels at adviser.com (Meno Abels) Date: Tue, 18 Oct 2016 15:09:57 +0200 Subject: gpgsm --verify back to back gpgsm --gen-key Message-ID: <1AF3736E-0199-4BD6-93A4-062F1A1C9517@adviser.com> Hi, i tried to run some combinations of "gpgsm ?verify? all without any success. # gpgsm --batch --gen-key < gpgsm-keygen | gpgsm ?verify gpgsm (GnuPG) 2.1.15; Copyright (C) 2016 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. gpgsm: about to sign the certificate for key: &sjfwdfdkjafdkfsd gpgsm: certificate created gpgsm: ksba_cms_parse failed: No CMS object I did not have any success with any filetype which i send to gpgsm ?verify I tried the: - bin (without -a) - pem (with -a) - pem?s other sources file?s. i checked all the pem?s with openssl x509 -in?. all good. I tried to understand, the documentation without any success. I tried to read the source and i don?t understand why ?ksba_cms_parse? could fail on these filetypes. Is there somebody out who knows how ?verify should work? thx in advance Meno gpgsm (GnuPG) 2.1.15 libgcrypt 1.7.3 libksba 1.3.5 Copyright (C) 2016 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Home: /Users/menabe/.gnupg Supported algorithms: Cipher: 3DES, AES128, AES192, AES256, SERPENT128, SERPENT192, SERPENT256, SEED, CAMELLIA128, CAMELLIA192, CAMELLIA256 Pubkey: RSA, ECC Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224, WHIRLPOOL From jurgenpolster at gmail.com Tue Oct 18 16:39:44 2016 From: jurgenpolster at gmail.com (=?utf-8?Q?J=C3=BCrgen_Polster?=) Date: Tue, 18 Oct 2016 16:39:44 +0200 Subject: Please develop even easier materials for complete novice type folks... In-Reply-To: <5i1szek4bq.fsf@fencepost.gnu.org> References: <5i1szek4bq.fsf@fencepost.gnu.org> Message-ID: <9B95C8EB-914C-4EA1-B65E-4CBEB578FC15@gmail.com> Give this a try: https://gpg4win.de/doc/en/gpg4win-compendium.html Kind regards JP > Please develop even easier materials for complete novice type folks > other than at > https://emailselfdefense.fsf.org/en/ > > and at > https://gnupg.org > -------------- next part -------------- An HTML attachment was scrubbed... URL: From stebe at mailbox.org Tue Oct 18 17:40:00 2016 From: stebe at mailbox.org (Stephan Beck) Date: Tue, 18 Oct 2016 15:40:00 +0000 Subject: smartcard reader In-Reply-To: <20161017205021.GA3273@localhost> References: <20161017205021.GA3273@localhost> Message-ID: Hi Liz, Elizabeth Ferdman: > Hello, > > I'm in the market for a smartcard reader and I live in the United > States. I found two ways to get an OpenPGP card already, either from > shop.kernelconcepts.de or from the FSFE as a sustaining member. > Does anyone know how I can get a smart card reader though? > It has to be one from this list: [...] > FSIJ Gnuk Token > USB ID: 234b:0000 As stated at https://www.gnupg.org/blog/index.html you can order gnuk token at/from https://www.seeedstudio.com/FST-01-without-Enclosure-p-1276.html https://shop.fsf.org/storage-devices/neug-usb-true-random-number-generator. I just picked out this one, may another one pick out a different list item. Cheers Stephan From thomas at glanzmann.de Tue Oct 18 21:58:12 2016 From: thomas at glanzmann.de (Thomas Glanzmann) Date: Tue, 18 Oct 2016 21:58:12 +0200 Subject: Why doesn't gpg-agent forwarding work? In-Reply-To: <86a9a7a8-351c-6152-6f39-697422b09fbb@z.cash> References: <1e39042d-f319-9170-4c89-c38c0c84028a@z.cash> <20161017054539.GA17983@glanzmann.de> <86a9a7a8-351c-6152-6f39-697422b09fbb@z.cash> Message-ID: <20161018195812.GI9435@glanzmann.de> Hello Kevin, > Thanks for the advice. But as I mentioned, I tried using GnuPG 2.1.15 > on the target machine as well (via the packages in Debian sid), and > this did not work. gpg2 is simply not speaking to the forwarded > gpg-agent socket, however gpg-connect-agent can. Any other ideas? Check your configuration (gpg-agent.conf and gpg.conf). You have to put this two files on the remote and local machine. Also Understand how gpg 2.1.x interacts with gnupg from the diagram below. Enable debugging in the gpg agent. Forward GPG socket ------------------ # On the server echo 'StreamLocalBindUnlink yes' >> /etc/ssh/sshd_config sudo /etc/init.d/ssh restart # On the client ssh -R /home/sithglan/.gnupg/S.gpg-agent:/home/sithglan/.gnupg/S.gpg-agent-extra gmvl.de List secret keys ---------------- gpg-connect-agent "keyinfo --list" /bye GPG Agent Configuration ----------------------- .gnupg/gpg-agent.conf pinentry-program /usr/bin/pinentry extra-socket /home/sithglan/.gnupg/S.gpg-agent-extra enable-ssh-support default-cache-ttl 600 max-cache-ttl 7200 keep-tty keep-display # debug-level guru # debug-all # log-file /tmp/gpg-agent.log Remote GPG Setup ---------------- # Achtung vorher Backup machen rm .gnupg/secring* .gnupg/pubring* .gnupg/private-keys-v1.d/* # For every public key gpg2 --recv-key 0x9D106472D6D50DBA gpg2 --recv-key 0x03BF970657E19B02 # After that private keys should be listed gpg2 -K cat < .gnupg/gpg.conf keyserver hkps://hkps.pool.sks-keyservers.net keyserver-options no-honor-keyserver-url cert-digest-algo SHA512 no-greeting lock-once default-key 1DD3BBDC897A94CD03F451B09D106472D6D50DBA encrypt-to 1DD3BBDC897A94CD03F451B09D106472D6D50DBA keyid-format 0xlong use-agent with-fingerprint quiet default-recipient-self no-secmem-warning keyserver-options auto-key-retrieve no-auto-check-trustdb default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed EOF GNUPG Interaction ----------------- Here are steps and the interaction. (1) here are the processes [gpgme]----[gpg]====[gpg-agent]----[scdaemon] ^--- possibly by forwarded socket (2) A client program (Mutt, in your case) asks decryption through gpgme decrypt [gpgme]--->[gpg]----[gpg-agent]----[scdaemon] (3) it goes to scdaemon decrypt [gpgme]----[gpg]--->[gpg-agent]----[scdaemon] decrypt [gpgme]----[gpg]----[gpg-agent]--->[scdaemon] (4) if the token is not authenticated yet, scdaemon asks a user PIN back through gpg-agent "PIN please" [gpgme]----[gpg]----[gpg-agent]<---[scdaemon] (5) Then, gpg-agent invokes pinentry. [gpgme]----[gpg]----[gpg-agent]----[scdaemon] | [pinentry]<---/ (6) pinentry pops up GUI dialog window to user. [gpgme]----[gpg]----[gpg-agent]----[scdaemon] | User <----[pinentry]----/ (7) User inputs PIN by the dialog. [gpgme]----[gpg]----[gpg-agent]----[scdaemon] | User ---->[pinentry]----/ PIN [gpgme]----[gpg]----[gpg-agent]----[scdaemon] ^ [pinentry]----/ PIN PIN [gpgme]----[gpg]----[gpg-agent]--->[scdaemon] (8) scdaemon sends the pin to the token to authenticate. PIN [gpgme]----[gpg]----[gpg-agent]----[scdaemon]-->[token] (9) Token is ready to decrypt, now. scdaemon sends encrypted message to the token. decrypt [gpgme]----[gpg]----[gpg-agent]----[scdaemon]-->[token] (10) token replies back by decrypted message.... to gpgme. decrypted [gpgme]----[gpg]----[gpg-agent]----[scdaemon]<--[token] decrypted [gpgme]----[gpg]----[gpg-agent]<---[scdaemon] decrypted [gpgme]----[gpg]<---[gpg-agent]----[scdaemon] decrypted [gpgme]<---[gpg]----[gpg-agent]----[scdaemon] Cheers, Thomas From stebe at mailbox.org Wed Oct 19 00:21:00 2016 From: stebe at mailbox.org (Stephan Beck) Date: Tue, 18 Oct 2016 22:21:00 +0000 Subject: Why doesn't gpg-agent forwarding work? In-Reply-To: <1e39042d-f319-9170-4c89-c38c0c84028a@z.cash> References: <1e39042d-f319-9170-4c89-c38c0c84028a@z.cash> Message-ID: <20932fa2-e987-fce1-53eb-6896d65a1539@mailbox.org> Hi Kevin, Kevin Gallagher: > Hi all, > > I've tried to get this working to no avail. I've consulted past postings > to this list as well as various online references. Some people seem to > have got this to work, but most seem to have trouble. I would appreciate > any guidance or help anyone can offer. > > I want my gpg-agent to be shared with another host, specifically a > Vagrant/VirtualBox virtual machine, via Unix socket forwarding, which is > a feature that arrived with OpenSSH 6.7. I can get my gpg-agent's socket > forwarded, and I can talk to it with gpg-connect-agent, and even obtain > a list of keygrips for the keys residing on the local machine. However, > the forwarded gpg-agent socket does not seem to interface with the GPG > CLI utility, i.e. running `gpg2 --use-agent --list-keys` shows nothing. Have you considered adding the debug flag to the command (--debug-level expert)? > > This is important because I'm in the process of developing a > deterministic build environment for a project, and many of us prefer to > use smartcards or YubiKeys, so copying our secret keys into the VM is > not an option. The ability to forward the local gpg-agent into the VM > for signing operations would be very convenient. > > GPG version on host: 2.1.15 (Debian stretch) > GPG version on VM: 2.0.26 (Debian jessie) > Setting some environment variables in the VM does not help: > > GPG_AGENT_INFO=/home/vagrant/.gnupg/S.gpg-agent:0:1 > GPG_SOCK=/home/vagrant/.gnupg/S.gpg-agent > GPG_TTY=/dev/pts/1 And if you'd try to add this to the VM's .bashrc file via ssh/scp (assuming that the Vagrant's VM is headless and has a bash) if [ -f "${HOME}/.gpg-agent-info" ]; then . "${HOME}/.gpg-agent-info" export GPG_AGENT_INFO export SSH_AUTH_SOCK export SSH_AGENT_PID fi Wouldn't that start the "target shell" (forcibly) with the agent being fired up and all ready for sshing? Cheers Stephan -------------- next part -------------- A non-text attachment was scrubbed... Name: 0x4218732B.asc Type: application/pgp-keys Size: 4089 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From gniibe at fsij.org Wed Oct 19 01:36:27 2016 From: gniibe at fsij.org (NIIBE Yutaka) Date: Wed, 19 Oct 2016 08:36:27 +0900 Subject: smartcard reader In-Reply-To: References: <20161017205021.GA3273@localhost> Message-ID: <06f81884-d8eb-5032-f4fa-75affba265c6@fsij.org> On 10/19/2016 12:40 AM, Stephan Beck wrote: >> FSIJ Gnuk Token >> USB ID: 234b:0000 Ah... This is not a card reader. It is the project of Free Software Initiative of Japan (FSIJ) since 2010. FSIJ acquired USB vendor ID, specifically for this project. Please visit: https://www.fsij.org/category/gnuk.html Card reader products are more complex than the hardware requirement of Gnuk. If you like KISS philosophy, you might prefer Gnuk Token. > you can order gnuk token at/from > https://www.seeedstudio.com/FST-01-without-Enclosure-p-1276.html It is sold as an evaluation board. It happened to have Gnuk 1.0.1 installed. It is an implementation of reader+card. > https://shop.fsf.org/storage-devices/neug-usb-true-random-number-generator. This has TRNG implementation (NeuG 1.0.4), instead. The source of noise is not that exotic, though. You can replace the firmware to Gnuk by yourself. The upgrade process doesn't require JTAG/SWD debugger, but having JTAG/SWD debugger is highly recommended to control your computing (or just in case when failure of upgrade). Hardware is same (sans cover). The support page is here: https://www.gniibe.org/category/fst-01.html I tried to sell the hardware widely as possible with help by Seeed and FSF, but my capability is limited. Selling hardware product means we need to follow regulations. That's difficult for me. For Europe, I heard that Nitrokey Start runs Gnuk 1.0.4. Availability of this product is better, I suppose. I think that Nitrokey Start and Nitrokey Pro is based on the hardware design of mine (although I was not involved). I got a report to Gnuk Mailing list about firmware upgrade of Gnuk doesn't work well on Nitrokey Start. If someone can investigate the cause and possibly fix an issue, it will be great. I gave a talk of Gnuk at https://openpgp-conf.org/program.html There is a link to my slides. -- From stebe at mailbox.org Wed Oct 19 10:29:00 2016 From: stebe at mailbox.org (Stephan Beck) Date: Wed, 19 Oct 2016 08:29:00 +0000 Subject: Why doesn't gpg-agent forwarding work? In-Reply-To: <20932fa2-e987-fce1-53eb-6896d65a1539@mailbox.org> References: <1e39042d-f319-9170-4c89-c38c0c84028a@z.cash> <20932fa2-e987-fce1-53eb-6896d65a1539@mailbox.org> Message-ID: Hi, (update) Stephan Beck: > Hi Kevin, > >> Setting some environment variables in the VM does not help: >> >> GPG_AGENT_INFO=/home/vagrant/.gnupg/S.gpg-agent:0:1 >> GPG_SOCK=/home/vagrant/.gnupg/S.gpg-agent >> GPG_TTY=/dev/pts/1 > > And if you'd try to add this to the VM's .bashrc file via ssh/scp No, positively not via ssh, as you reported that this, precisely, ssh access is failing! So, just modifiying .bashrc manually. > (assuming that the Vagrant's VM is headless and has a bash) > > if [ -f "${HOME}/.gpg-agent-info" ]; then > . "${HOME}/.gpg-agent-info" > export GPG_AGENT_INFO > export SSH_AUTH_SOCK > export SSH_AGENT_PID > fi > > Wouldn't that start the "target shell" (forcibly) with the agent being > fired up and all ready for sshing? > > Cheers > > Stephan > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From stebe at mailbox.org Wed Oct 19 10:17:00 2016 From: stebe at mailbox.org (Stephan Beck) Date: Wed, 19 Oct 2016 08:17:00 +0000 Subject: smartcard reader In-Reply-To: <06f81884-d8eb-5032-f4fa-75affba265c6@fsij.org> References: <20161017205021.GA3273@localhost> <06f81884-d8eb-5032-f4fa-75affba265c6@fsij.org> Message-ID: <454a6247-e618-451a-2a07-d375aacedf82@mailbox.org> Hi, NIIBE Yutaka: > On 10/19/2016 12:40 AM, Stephan Beck wrote: >>> FSIJ Gnuk Token >>> USB ID: 234b:0000 > > Ah... This is not a card reader. It is the project of Free Software > Initiative of Japan (FSIJ) since 2010. FSIJ acquired USB vendor ID, > specifically for this project. Please visit: > > https://www.fsij.org/category/gnuk.html Went there and bookmarked it. I even went to https://www.fsij.org/doc-gnuk/index.html and gave it a thorough read. It's a clear, concise and well-structured doc. > > Card reader products are more complex than the hardware requirement of > Gnuk. If you like KISS philosophy, you might prefer Gnuk Token. The next one I'll try out will be the gnuk token. > >> you can order gnuk token at/from >> https://www.seeedstudio.com/FST-01-without-Enclosure-p-1276.html > > It is sold as an evaluation board. It happened to have Gnuk 1.0.1 > installed. It is an implementation of reader+card. I haven't found any information on whether gnuk token (as an implementation of reader and card) accepts the exchange of the integrated card (for another one)? That was one of the main reasons for the Nitrokey Storage (based on Atmel AT32UC3A3256S) now (in theory) permitting the exchange of the integrated card, people like FSFE members, for instance, could not use Nitrokey Pro as they have their own card. > >> https://shop.fsf.org/storage-devices/neug-usb-true-random-number-generator. > > This has TRNG implementation (NeuG 1.0.4), instead. The source of > noise is not that exotic, though. You can replace the firmware to > Gnuk by yourself. The upgrade process doesn't require JTAG/SWD > debugger, but having JTAG/SWD debugger is highly recommended to > control your computing (or just in case when failure of upgrade). > > Hardware is same (sans cover). The support page is here: > > https://www.gniibe.org/category/fst-01.html > > I tried to sell the hardware widely as possible with help by Seeed and > FSF, but my capability is limited. Selling hardware product means > we need to follow regulations. That's difficult for me. > > > For Europe, I heard that Nitrokey Start runs Gnuk 1.0.4. Availability > of this product is better, I suppose. Yes, I also read that they use Gnuk. > > I think that Nitrokey Start and Nitrokey Pro is based on the hardware > design of mine (although I was not involved). I got a report to Gnuk > Mailing list about firmware upgrade of Gnuk doesn't work well on > Nitrokey Start. If someone can investigate the cause and possibly fix > an issue, it will be great. > > > I gave a talk of Gnuk at https://openpgp-conf.org/program.html > There is a link to my slides. Thanks, I read the report on gnupg.org, I'll take a look at the slides. Thanks again for this very valuable first-hand information. Cheers (cup of coffee!) Stephan -------------- next part -------------- A non-text attachment was scrubbed... Name: 0x4218732B.asc Type: application/pgp-keys Size: 4089 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From wk at gnupg.org Wed Oct 19 12:56:05 2016 From: wk at gnupg.org (Werner Koch) Date: Wed, 19 Oct 2016 12:56:05 +0200 Subject: reviewing wiki / shortlist PIN-pad readers In-Reply-To: (Stephan Beck's message of "Tue, 18 Oct 2016 11:11:00 +0000") References: Message-ID: <87zim0mwu2.fsf@wheatstone.g10code.de> On Tue, 18 Oct 2016 13:11, stebe at mailbox.org said: > For example, The Nitrokey Storage (1,2), a usb crypto stick with > integrated card reader) is 100% open source, free software, verifiable > firmware. On the other hand, it has no pinpad. and using a proprietary card for the reader ;-) SCNR, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 162 bytes Desc: not available URL: From wk at gnupg.org Wed Oct 19 13:01:44 2016 From: wk at gnupg.org (Werner Koch) Date: Wed, 19 Oct 2016 13:01:44 +0200 Subject: smartcard reader In-Reply-To: <20161017205021.GA3273@localhost> (Elizabeth Ferdman's message of "Mon, 17 Oct 2016 13:50:22 -0700") References: <20161017205021.GA3273@localhost> Message-ID: <87vawomwkn.fsf@wheatstone.g10code.de> On Mon, 17 Oct 2016 22:50, gnudevliz at gmail.com said: > SCM SPR 532 > USB ID: 04e6:e003 > PC/SC reader name: SPRx32 FWIW, the company is known indentive but the readers still work. > KAAN Advanced > USB ID: 0d46: Has problems with larger signing keys - I used it in the past. > FSIJ Gnuk Token > USB ID: 234b:0000 Not a reader but a token which im-plements the same interface as a reader. I used it all the time; despite that it is not taper resistant. > Reiner cyberJack Go > USB ID: 0c4b:0504 Does not work. > Vasco DigiPASS 920 > USB ID: 1a44:0920 Never tried. > Cherry ST2000 > USB ID: 046a:003e I used it for some weeks. I stopped using it only due to local problems. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 162 bytes Desc: not available URL: From wk at gnupg.org Wed Oct 19 13:06:48 2016 From: wk at gnupg.org (Werner Koch) Date: Wed, 19 Oct 2016 13:06:48 +0200 Subject: smartcard reader In-Reply-To: <454a6247-e618-451a-2a07-d375aacedf82@mailbox.org> (Stephan Beck's message of "Wed, 19 Oct 2016 08:17:00 +0000") References: <20161017205021.GA3273@localhost> <06f81884-d8eb-5032-f4fa-75affba265c6@fsij.org> <454a6247-e618-451a-2a07-d375aacedf82@mailbox.org> Message-ID: <87r37cmwc7.fsf@wheatstone.g10code.de> On Wed, 19 Oct 2016 10:17, stebe at mailbox.org said: > I haven't found any information on whether gnuk token (as an > implementation of reader and card) accepts the exchange of the > integrated card (for another one)? That was one of the main reasons for There is no integrated card. gnuk uses an SM32 MCU which implements the OpenPGP card and CCID interface specs. This has the huge advantage that all software (firmware) is free software. The drawback is that it is not tamper resistant - your safe with important woodware documents or your gpg key backup isn't tamper resistant either. I prefer the free software solution given that the attack surface is smaller. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 162 bytes Desc: not available URL: From stebe at mailbox.org Wed Oct 19 14:15:00 2016 From: stebe at mailbox.org (Stephan Beck) Date: Wed, 19 Oct 2016 12:15:00 +0000 Subject: reviewing wiki / shortlist PIN-pad readers In-Reply-To: <87zim0mwu2.fsf@wheatstone.g10code.de> References: <87zim0mwu2.fsf@wheatstone.g10code.de> Message-ID: Werner Koch: > On Tue, 18 Oct 2016 13:11, stebe at mailbox.org said: > >> For example, The Nitrokey Storage (1,2), a usb crypto stick with >> integrated card reader) is 100% open source, free software, verifiable >> firmware. On the other hand, it has no pinpad. > > and using a proprietary card for the reader ;-) Unfortunately, yes. At the time I was interested in beginning to use a smart card, my focus was on the USB tokens, as I wanted to have a device where card and reader are integrated. At that time, I didn't know of any free software implementation other than this (which is only partially resolved, it's true), and I did/do have a particular threat model. With NK Storage, it should be easy to exchange the cards. On the other hand, everyone has to know the budget he/she can spend on new devices every x months. I'm unemployed at the moment, so I can't whitewash my free software chemise that quickly and will have to wait a bit... Cheers (another cup), Stephan -------------- next part -------------- A non-text attachment was scrubbed... Name: 0x4218732B.asc Type: application/pgp-keys Size: 4089 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From gpg at noffin.com Wed Oct 19 18:16:23 2016 From: gpg at noffin.com (gpg at noffin.com) Date: Wed, 19 Oct 2016 09:16:23 -0700 Subject: Why are my expiration dates different? Message-ID: <62de007d347e6d00ae45a80e42991af8.squirrel@isp.srvrs.co> When I run the command: gpg --list-secret-keys /home/repo-owner/.gnupg/secring.gpg ----------------------------------- sec 2048R/XXXXXXXXX 2014-10-30 [expires: 2016-10-29] It shows the expiration date as: [expires: 2016-10-2. But then when I edit the key with: gpg --edit-key XXXXXXXXX gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Secret key is available. pub 2048R/XXXXXXXXX created: 2014-10-30 expires: 2017-10-31 usage: SC trust: ultimate validity: ultimate sub 2048R/XXXXXXXXX created: 2014-10-30 expires: 2017-10-31 usage: E The keys show: expires: 2017-10-31 (which is what I expected). I had done to extend: # extend the expiration date on your key (Be sure to review sub keys). $ gpg --edit-key gpg> expire gpg> save # extend the expiration date on your sub key $ gpg --edit-key gpg> key gpg> expire gpg> save I just want to be safe that my key expiration was updated properly. Thank you in advance. From kevin at z.cash Wed Oct 19 18:45:42 2016 From: kevin at z.cash (Kevin Gallagher) Date: Wed, 19 Oct 2016 09:45:42 -0700 Subject: Invalid packet/keyring. How to find out what's responsible? Message-ID: <40454d9f-6d34-6d44-248b-57d1f65087de@z.cash> I've been seeing this error lately both with one of my local GPG keyrings, and with apt. gpg: [don't know]: invalid packet (ctb=2d) gpg: keydb_get_keyblock failed: Value not found gpg: [don't know]: invalid packet (ctb=2d) gpg: /tmp/tmp.rObzKgJEj5/pubring.gpg: copy to '/tmp/tmp.rObzKgJEj5/pubring.gpg.tmp' failed: Invalid packet gpg: error writing keyring '/tmp/tmp.rObzKgJEj5/pubring.gpg': Invalid packet gpg: [don't know]: invalid packet (ctb=2d) gpg: error reading '-': Invalid packet gpg: import from '-' failed: Invalid packet In the latter case, I solved it by exporting all my keys and importing them back again. But that doesn't work this time: apt-key exportall says: gpg: key export failed: Invalid keyring How can I figure out which specific key is corrupted or responsible for this, so I can repair my keyring? -------------- next part -------------- An HTML attachment was scrubbed... URL: From ndk.clanbo at gmail.com Wed Oct 19 21:47:21 2016 From: ndk.clanbo at gmail.com (NdK) Date: Wed, 19 Oct 2016 21:47:21 +0200 Subject: smartcard reader In-Reply-To: <87r37cmwc7.fsf@wheatstone.g10code.de> References: <20161017205021.GA3273@localhost> <06f81884-d8eb-5032-f4fa-75affba265c6@fsij.org> <454a6247-e618-451a-2a07-d375aacedf82@mailbox.org> <87r37cmwc7.fsf@wheatstone.g10code.de> Message-ID: Il 19/10/2016 13:06, Werner Koch ha scritto: > There is no integrated card. gnuk uses an SM32 MCU which implements the > OpenPGP card and CCID interface specs. This has the huge advantage that > all software (firmware) is free software. The drawback is that it is > not tamper resistant - your safe with important woodware documents or > your gpg key backup isn't tamper resistant either. I prefer the free > software solution given that the attack surface is smaller. Well, actually the situation is a bit better: the keys at rest are stored encrypted, even if kdf function uses less rounds not to slow down unlocking too much... So even if an adversary manages to get the token and retrieve the memory contents, he still have to find the passphrase to decode the keys. Quite like the situation where he somehow accesses your privring from a powered down computer. BYtE, Diego From dkg at fifthhorseman.net Wed Oct 19 23:22:35 2016 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Wed, 19 Oct 2016 17:22:35 -0400 Subject: Invalid packet/keyring. How to find out what's responsible? In-Reply-To: <40454d9f-6d34-6d44-248b-57d1f65087de@z.cash> References: <40454d9f-6d34-6d44-248b-57d1f65087de@z.cash> Message-ID: <87zim0dof8.fsf@alice.fifthhorseman.net> Hi Kevin-- On Wed 2016-10-19 12:45:42 -0400, Kevin Gallagher wrote: > I've been seeing this error lately both with one of my local GPG > keyrings, and with apt. > > gpg: [don't know]: invalid packet (ctb=2d) > gpg: keydb_get_keyblock failed: Value not found > gpg: [don't know]: invalid packet (ctb=2d) > gpg: /tmp/tmp.rObzKgJEj5/pubring.gpg: copy to > '/tmp/tmp.rObzKgJEj5/pubring.gpg.tmp' failed: Invalid packet > gpg: error writing keyring '/tmp/tmp.rObzKgJEj5/pubring.gpg': > Invalid packet > gpg: [don't know]: invalid packet (ctb=2d) > gpg: error reading '-': Invalid packet > gpg: import from '-' failed: Invalid packet > > In the latter case, I solved it by exporting all my keys and importing > them back again. But that doesn't work this time: > > apt-key exportall says: gpg: key export failed: Invalid keyring > > How can I figure out which specific key is corrupted or responsible for > this, so I can repair my keyring? what version of apt? what version of gpg? it sounds to me like you have some public keyring that is ascii-armored instead of raw. you might manually (individually) test /etc/apt/trusted.gpg and /etc/apt/trusted.gpg.d/*.gpg to see whether they're ascii-armored or not. for example: grep 'BEGIN PGP' /etc/apt/trusted.gpg /etc/apt/trusted.gpg.d/*.gpg hth, --dkg From kevin at z.cash Wed Oct 19 23:41:06 2016 From: kevin at z.cash (Kevin Gallagher) Date: Wed, 19 Oct 2016 14:41:06 -0700 Subject: Invalid packet/keyring. How to find out what's responsible? In-Reply-To: <87zim0dof8.fsf@alice.fifthhorseman.net> References: <40454d9f-6d34-6d44-248b-57d1f65087de@z.cash> <87zim0dof8.fsf@alice.fifthhorseman.net> Message-ID: <42d2abde-6ba9-7bae-226f-21cf7d91329e@z.cash> That'll do it! Thanks. On 10/19/2016 02:22 PM, Daniel Kahn Gillmor wrote: > Hi Kevin-- > > On Wed 2016-10-19 12:45:42 -0400, Kevin Gallagher wrote: >> I've been seeing this error lately both with one of my local GPG >> keyrings, and with apt. >> >> gpg: [don't know]: invalid packet (ctb=2d) >> gpg: keydb_get_keyblock failed: Value not found >> gpg: [don't know]: invalid packet (ctb=2d) >> gpg: /tmp/tmp.rObzKgJEj5/pubring.gpg: copy to >> '/tmp/tmp.rObzKgJEj5/pubring.gpg.tmp' failed: Invalid packet >> gpg: error writing keyring '/tmp/tmp.rObzKgJEj5/pubring.gpg': >> Invalid packet >> gpg: [don't know]: invalid packet (ctb=2d) >> gpg: error reading '-': Invalid packet >> gpg: import from '-' failed: Invalid packet >> >> In the latter case, I solved it by exporting all my keys and importing >> them back again. But that doesn't work this time: >> >> apt-key exportall says: gpg: key export failed: Invalid keyring >> >> How can I figure out which specific key is corrupted or responsible for >> this, so I can repair my keyring? > what version of apt? what version of gpg? it sounds to me like you > have some public keyring that is ascii-armored instead of raw. you > might manually (individually) test /etc/apt/trusted.gpg and > /etc/apt/trusted.gpg.d/*.gpg to see whether they're ascii-armored or > not. > > for example: > > grep 'BEGIN PGP' /etc/apt/trusted.gpg /etc/apt/trusted.gpg.d/*.gpg > > hth, > > --dkg From dkg at fifthhorseman.net Thu Oct 20 00:44:53 2016 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Wed, 19 Oct 2016 18:44:53 -0400 Subject: Why are my expiration dates different? In-Reply-To: <62de007d347e6d00ae45a80e42991af8.squirrel@isp.srvrs.co> References: <62de007d347e6d00ae45a80e42991af8.squirrel@isp.srvrs.co> Message-ID: <87r37cdkm2.fsf@alice.fifthhorseman.net> On Wed 2016-10-19 12:16:23 -0400, gpg at noffin.com wrote: > When I run the command: > > gpg --list-secret-keys > > /home/repo-owner/.gnupg/secring.gpg > ----------------------------------- > sec 2048R/XXXXXXXXX 2014-10-30 [expires: 2016-10-29] > [...] > gpg --edit-key XXXXXXXXX > gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc. > This is free software: you are free to change and redistribute it. > There is NO WARRANTY, to the extent permitted by law. > > Secret key is available. > > pub 2048R/XXXXXXXXX created: 2014-10-30 expires: 2017-10-31 usage: SC the difference here is looking at secret keys and public keys. in gpg version 1.4.x or 2.0.x, those are not well-synchronized. the expiration date seen in the pubring.gpg is the thing that any other user will see, so that's the one to rely on. in gpg version 2.1.x or later, the metadata is synchronized across secret keys and publicly (more specifically, the view of the secret keys shows the date that comes from the public keyring). --dkg From daniel at pocock.pro Thu Oct 20 09:49:20 2016 From: daniel at pocock.pro (Daniel Pocock) Date: Thu, 20 Oct 2016 09:49:20 +0200 Subject: smartcard reader In-Reply-To: <87vawomwkn.fsf@wheatstone.g10code.de> References: <20161017205021.GA3273@localhost> <87vawomwkn.fsf@wheatstone.g10code.de> Message-ID: On 19/10/16 13:01, Werner Koch wrote: > On Mon, 17 Oct 2016 22:50, gnudevliz at gmail.com said: > >> SCM SPR 532 USB ID: 04e6:e003 PC/SC reader name: SPRx32 > > FWIW, the company is known indentive but the readers still work. > >> KAAN Advanced USB ID: 0d46: > > Has problems with larger signing keys - I used it in the past. > >> FSIJ Gnuk Token USB ID: 234b:0000 > > Not a reader but a token which im-plements the same interface as a > reader. I used it all the time; despite that it is not taper > resistant. > >> Reiner cyberJack Go USB ID: 0c4b:0504 > > Does not work. > >> Vasco DigiPASS 920 USB ID: 1a44:0920 > > Never tried. > >> Cherry ST2000 USB ID: 046a:003e > > I used it for some weeks. I stopped using it only due to local > problems. > Thanks for helping eliminate some of those from the list, is anybody able to update the wiki? Are there any new options that weren't listed already? I also added another blog about choosing hardware today: https://danielpocock.com/choosing-smartcards-readers-hardware-for-outreachy-2016 Regards, Daniel From initramfs at initramfs.io Thu Oct 20 12:29:05 2016 From: initramfs at initramfs.io (initramfs) Date: Thu, 20 Oct 2016 06:29:05 -0400 Subject: Concerning subkey passwords: changes to private key storage method? Message-ID: <0e31c534-9df7-5a69-1e70-8f78259fe3aa@initramfs.io> Dear GnuPG mailing list, Recently I've attempted to create a new GPG key (one master + 2 subkeys) with gpg --full-gen-key --expert and at the end of the key generation process (including gpg --edit-key --expert) I noticed I never got to set specific passwords/passphrases per subkey. This comes in contrast to my older GPG 2.1 master key, which requires a separate password per subkey (and one for the master). If I recall correctly, GPG private keys are stored under symmetric encryption where a PBKDF derives the symmetric encryption key, protecting the keys in case of compromise. Having separate passwords per subkey implies that each key is encrypted and stored separately. This does not seem to be the case with newer keys. Has the key storage method changed? Or I am missing an obvious option to set it as such? What's even more weird is that if I import my old master key into keychain, I get the "old" behavior of separate passwords for that specific key. Exporting and reimporting does not change the behavior. Whereas there doesn't seem to be an option (at least in --edit-key) to use the behavior of one password per subkey. Was there a change made within the 2.1.x branch that changed the behavior of key storage/encryption? If so, is there a way to toggle between the aforementioned behaviors? Regards, initramfs N.B. I'm fairly certain the "old" key I have was created with GPG 2.1 given that it's an ECC key. I've recently moved from Arch to Gentoo, if that matters at all (using the same GnuPG version). From lists at michel-messerschmidt.de Thu Oct 20 19:46:32 2016 From: lists at michel-messerschmidt.de (lists at michel-messerschmidt.de) Date: Thu, 20 Oct 2016 17:46:32 +0000 Subject: smartcard reader In-Reply-To: References: <20161017205021.GA3273@localhost> <87vawomwkn.fsf@wheatstone.g10code.de> Message-ID: <57F6B1EC-02E1-4496-B0B8-E8C0EE939484@michel-messerschmidt.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 >Are there any new options that weren't listed already? yubikey4 Although I had very good experience with the SPR 532 (and a lot of trouble with another Cyberjack reader, the Comfort IIRC), the yubikey token has a better trade-off between usability and security for me. Mainly because its usable on mobile devices through openkeychain, but good support of 4k RSA keys is also welcome. Lack of a pin-pad is the main drawback. Tamper resistance and firmware source may be other discussion topics. Regards, Michel - -- This mail scanned by NSA Internet Security -----BEGIN PGP SIGNATURE----- iQJRBAEBCgA7NBxNaWNoZWwgTWVzc2Vyc2NobWlkdCA8bWFpbEBtaWNoZWwtbWVz c2Vyc2NobWlkdC5kZT4FAlgJAu8ACgkQvTGBzyTSHbXPgw/+MQF13bXPrfVB6PS/ QkmVWiXJV2T18hm7jeg3V3eusGX2pgiRxZ6quK0xuB1zYpSOqmBHJYwE7CE+AZcK x0Z95JQSGGQ5cnZl1npsk41vMibdvr5LVYLRGT4h5VNPubOzp6BAV+Az9yMk1q8d wE8AU2mONWyoyWhZibZ/K5wFWG8neoIJKB1c9xh7FskncdCd3F/Hf0w0MdfAuf5H q8lDXaMfhTBBqNk913V04cp/tn5rTTiTQ2MqyNglqhmNBUDD6DaCD3KF8ycgqXmC WGNgWNnmxfDdEI7sGo+p9IF0lQNYdRWcTtUyNs3QZZr0+xw0qLQI3cDMm+VKoes6 3RTZc3/m6kltjVOoq8vcPl7HAoiBojHzt1oC4ggXsQ3NQCJaiLKns15TlQ4QzI3Y 0Z5admjxEKq9rZ84knwwXWVucHLBUZ2+lQm7vZISyHkFXHZhCb9BwOlRKv//Jxsd DAhlKjOoryWae23P5NtOyRLaY9OSQQi8iNGKevgAqLMiboTr6L4gj6fIhRBp3BG+ 72nKUsWyTxs89mvx3rDtbRJ+6LzWt1njOoozbxm3fc844ml3Nh1P1SIe709sy0iH yzoMFv3iiLC3WB/vYEkSjGQaDRk3FYu8c0wcushInSBHG+gDTjQgTxxbtOoL1sx+ TPTWrPpI1yWWlUx2mS7ffXkDfy4= =hCnc -----END PGP SIGNATURE----- From thomas.jarosch at intra2net.com Fri Oct 21 18:36:33 2016 From: thomas.jarosch at intra2net.com (Thomas Jarosch) Date: Fri, 21 Oct 2016 18:36:33 +0200 Subject: smartcard reader In-Reply-To: <87vawomwkn.fsf@wheatstone.g10code.de> References: <20161017205021.GA3273@localhost> <87vawomwkn.fsf@wheatstone.g10code.de> Message-ID: Am 19.10.2016 um 13:01 schrieb Werner Koch: [list of card readers] >> SCM SPR 532 >> USB ID: 04e6:e003 >> PC/SC reader name: SPRx32 > > .. > >> Reiner cyberJack Go >> USB ID: 0c4b:0504 > > Does not work. I've posted a "success report" about card readers a year ago: https://lists.gnupg.org/pipermail/gnupg-users/2015-August/054102.html The Reiner cyberJack Go "plus" (USB id 0c4b:0504) works fine, not sure about the version with "plus" though. The Cherry ST-2000 reader is a bit bulky, personally I like the SPR 532 but the cyberJack Go has a nice display and is easy to carry around. Yesterday I've came up with the idea if the cyberJack Go reader would also work with a USB OTG adapter on an Android based phone. Might be a nice alternative to NFC + software based pinpad. -> I will test this once I get my hands on an USB OTG adapter. HTH, Thomas -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 181 bytes Desc: OpenPGP digital signature URL: From thomas at glanzmann.de Sat Oct 22 10:46:29 2016 From: thomas at glanzmann.de (Thomas Glanzmann) Date: Sat, 22 Oct 2016 10:46:29 +0200 Subject: yubikey 4 openkeychain rsa [WAS: smartcard reader] In-Reply-To: <57F6B1EC-02E1-4496-B0B8-E8C0EE939484@michel-messerschmidt.de> References: <20161017205021.GA3273@localhost> <87vawomwkn.fsf@wheatstone.g10code.de> <57F6B1EC-02E1-4496-B0B8-E8C0EE939484@michel-messerschmidt.de> Message-ID: <20161022084629.GD11644@glanzmann.de> Hello Michel, [RESEND: forgot list] > Mainly because its usable on mobile devices through openkeychain I have two yubikeys myself, one yubikey 4 nano constantly plugged into my main workstation and another yubikey4 on my keychain. I use it for ssh authentication and gpg also using ssh and gpg agent forwarding. Works like a charm. But since the yubikey has no option for RFID I wonder how you can use it on android? I use maildroid to read my email on android. Is there a step by step howto how to get that working? Cheers, Thomas From wk at gnupg.org Sat Oct 22 12:43:15 2016 From: wk at gnupg.org (Werner Koch) Date: Sat, 22 Oct 2016 12:43:15 +0200 Subject: Concerning subkey passwords: changes to private key storage method? In-Reply-To: <0e31c534-9df7-5a69-1e70-8f78259fe3aa@initramfs.io> (initramfs@initramfs.io's message of "Thu, 20 Oct 2016 06:29:05 -0400") References: <0e31c534-9df7-5a69-1e70-8f78259fe3aa@initramfs.io> Message-ID: <87a8dwk6kc.fsf@wheatstone.g10code.de> On Thu, 20 Oct 2016 12:29, initramfs at initramfs.io said: > If I recall correctly, GPG private keys are stored under symmetric > encryption where a PBKDF derives the symmetric encryption key, > protecting the keys in case of compromise. Having separate passwords per > subkey implies that each key is encrypted and stored separately. This Right. However, gpg tries to make sure that the same passphrase is used for the primary and the subkeys. This has always been the case. A new thing we do in 2.1 is to try a cached passphrase from any key on the keyblock. This solves the common use case to first decrypt a message (using a subkey) and then send a signed reply (using the primary key). Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 162 bytes Desc: not available URL: From thomas.jarosch at intra2net.com Sat Oct 22 14:32:39 2016 From: thomas.jarosch at intra2net.com (Thomas Jarosch) Date: Sat, 22 Oct 2016 14:32:39 +0200 Subject: smartcard reader In-Reply-To: <20161021222626.6ugpnkn56kmgnbwn@len.workgroup> References: <20161017205021.GA3273@localhost> <87vawomwkn.fsf@wheatstone.g10code.de> <20161021222626.6ugpnkn56kmgnbwn@len.workgroup> Message-ID: Am 22.10.2016 um 00:26 schrieb Gregor Zattler: >> I've posted a "success report" about card readers a year ago: >> https://lists.gnupg.org/pipermail/gnupg-users/2015-August/054102.html >> >> The Reiner cyberJack Go "plus" (USB id 0c4b:0504) works fine, >> not sure about the version with "plus" though. > > Isn't there a contradiction between the last line and the line > before the last one? Sorry: did you test the "plus" version or not? yes, I noticed, too, after sending the message :o) I tested the plus version. The "with" should be a "without". See the earlier success report. May be we can add pictures to the wiki of some readers or include a side-by-side picture. I still have all three of them sitting on my desk. That might help others to decide. Cheers, Thomas From keastes at gmail.com Sat Oct 22 20:26:18 2016 From: keastes at gmail.com (kendrick eastes) Date: Sat, 22 Oct 2016 12:26:18 -0600 Subject: yubikey 4 openkeychain rsa [WAS: smartcard reader] In-Reply-To: <20161022084629.GD11644@glanzmann.de> References: <20161017205021.GA3273@localhost> <87vawomwkn.fsf@wheatstone.g10code.de> <57F6B1EC-02E1-4496-B0B8-E8C0EE939484@michel-messerschmidt.de> <20161022084629.GD11644@glanzmann.de> Message-ID: The Yubikey Neo has NFC which is how it is usable with android. There is a video of it in action here: https://grepular.com/An_NFC_PGP_SmartCard_For_Android On Sat, Oct 22, 2016 at 2:46 AM, Thomas Glanzmann wrote: > Hello Michel, > > [RESEND: forgot list] > > > Mainly because its usable on mobile devices through openkeychain > > I have two yubikeys myself, one yubikey 4 nano constantly plugged into > my main workstation and another yubikey4 on my keychain. I use it for > ssh authentication and gpg also using ssh and gpg agent forwarding. > Works like a charm. But since the yubikey has no option for RFID I > wonder how you can use it on android? I use maildroid to read my email > on android. Is there a step by step howto how to get that working? > > Cheers, > Thomas > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From mls at bjoern-kahl.de Sun Oct 23 00:16:57 2016 From: mls at bjoern-kahl.de (Bjoern Kahl) Date: Sun, 23 Oct 2016 00:16:57 +0200 Subject: smartcard reader In-Reply-To: <57F6B1EC-02E1-4496-B0B8-E8C0EE939484@michel-messerschmidt.de> References: <20161017205021.GA3273@localhost> <87vawomwkn.fsf@wheatstone.g10code.de> <57F6B1EC-02E1-4496-B0B8-E8C0EE939484@michel-messerschmidt.de> Message-ID: <53ad93a4-1ede-b8fd-9193-a973aa6fe37f@bjoern-kahl.de> Hi All, Am 20.10.16 um 19:46 schrieb lists at michel-messerschmidt.de: >> Are there any new options that weren't listed already? > > yubikey4 > > Although I had very good experience with the SPR 532 (and a lot of trouble with another Cyberjack reader, the Comfort IIRC), the yubikey token has a better trade-off between usability and security for me. > > Mainly because its usable on mobile devices through openkeychain, but good support of 4k RSA keys is also welcome. Lack of a pin-pad is the main drawback. Tamper resistance and firmware source may be other discussion topics. Not sure the YubiKey4 is a good choice to start with. I bought one specifically for use with GnuPG (and for its U2F support). I had a lot of troubles getting my YubiKey on it. It finally worked using a recent Ubuntu, but on my Macbook with MacOS "El Capitan" I am unable to access the keys. I only get "card error". Digging deeper with dtruss (kind of "strace") I got as far as that scdaemon gets a "pcsc: sharing violation". I /think/ it worked exactly once. But then I played a bit with the PIV applet on the YubiKey (using yubico's piv-tool), and since then I can not get to the OpenPGP applet on the YubiKey. Only the PIV works (I see my x509 certificates in there in Keychain and can used in Safari to authenticate to for example StartSSL.com) (Any hints to get PIV and OpenPGP work side-by-side are most welcome.) Tl;dr: If adding the YubiKey, then there should be a warning not to never play with the PIV applet on it. Best regards Bj?rn -- | Bjoern Kahl +++ Siegburg +++ Germany | | "mls at -my-domain-" +++ www.bjoern-kahl.de | | Languages: German, English, Ancient Latin (a bit :-)) | From thomas at glanzmann.de Sun Oct 23 08:20:04 2016 From: thomas at glanzmann.de (Thomas Glanzmann) Date: Sun, 23 Oct 2016 08:20:04 +0200 Subject: yubikey 4 openkeychain rsa [WAS: smartcard reader] In-Reply-To: References: <20161017205021.GA3273@localhost> <87vawomwkn.fsf@wheatstone.g10code.de> <57F6B1EC-02E1-4496-B0B8-E8C0EE939484@michel-messerschmidt.de> <20161022084629.GD11644@glanzmann.de> Message-ID: <20161023062004.GE12077@glanzmann.de> Hello, > The Yubikey Neo has NFC which is how it is usable with android. There is a > video of it in action here: > https://grepular.com/An_NFC_PGP_SmartCard_For_Android I know about the Yubikey Neo. However it can only do 2048 Bit RSA. So I'm really interested how to use the Yubikey 4 or Yubikey 4 Nano without NFC with Android. Googeling a little bit around it seems there is patch which works for some people but I was unable to find a howto use it. Cheers, Thomas From kevin at z.cash Sun Oct 23 09:34:14 2016 From: kevin at z.cash (Kevin Gallagher) Date: Sun, 23 Oct 2016 00:34:14 -0700 Subject: Why doesn't gpg-agent forwarding work? In-Reply-To: <20161018195812.GI9435@glanzmann.de> References: <1e39042d-f319-9170-4c89-c38c0c84028a@z.cash> <20161017054539.GA17983@glanzmann.de> <86a9a7a8-351c-6152-6f39-697422b09fbb@z.cash> <20161018195812.GI9435@glanzmann.de> Message-ID: <63eeeb87-477d-049d-1c81-c268438f1b1f@z.cash> Ok, I figured out the cause of the problem I was having. As is indicated in your message, one must have the corresponding public keys in the remote keyring before the secret keys from the forwarded gpg-agent are listed as available. Thank you Thomas. I hope others will find this useful. On 10/18/2016 12:58 PM, Thomas Glanzmann wrote: > Hello Kevin, > >> Thanks for the advice. But as I mentioned, I tried using GnuPG 2.1.15 >> on the target machine as well (via the packages in Debian sid), and >> this did not work. gpg2 is simply not speaking to the forwarded >> gpg-agent socket, however gpg-connect-agent can. Any other ideas? > Check your configuration (gpg-agent.conf and gpg.conf). You have to put > this two files on the remote and local machine. Also Understand how gpg > 2.1.x interacts with gnupg from the diagram below. Enable debugging in > the gpg agent. > > Forward GPG socket > ------------------ > # On the server > echo 'StreamLocalBindUnlink yes' >> /etc/ssh/sshd_config > sudo /etc/init.d/ssh restart > > # On the client > ssh -R /home/sithglan/.gnupg/S.gpg-agent:/home/sithglan/.gnupg/S.gpg-agent-extra gmvl.de > > List secret keys > ---------------- > gpg-connect-agent "keyinfo --list" /bye > > GPG Agent Configuration > ----------------------- > .gnupg/gpg-agent.conf > pinentry-program /usr/bin/pinentry > extra-socket /home/sithglan/.gnupg/S.gpg-agent-extra > enable-ssh-support > default-cache-ttl 600 > max-cache-ttl 7200 > keep-tty > keep-display > # debug-level guru > # debug-all > # log-file /tmp/gpg-agent.log > > Remote GPG Setup > ---------------- > # Achtung vorher Backup machen > rm .gnupg/secring* .gnupg/pubring* .gnupg/private-keys-v1.d/* > # For every public key > gpg2 --recv-key 0x9D106472D6D50DBA > gpg2 --recv-key 0x03BF970657E19B02 > > # After that private keys should be listed > gpg2 -K > > cat < .gnupg/gpg.conf > keyserver hkps://hkps.pool.sks-keyservers.net > keyserver-options no-honor-keyserver-url > cert-digest-algo SHA512 > no-greeting > lock-once > default-key 1DD3BBDC897A94CD03F451B09D106472D6D50DBA > encrypt-to 1DD3BBDC897A94CD03F451B09D106472D6D50DBA > keyid-format 0xlong > use-agent > with-fingerprint > quiet > default-recipient-self > no-secmem-warning > keyserver-options auto-key-retrieve > no-auto-check-trustdb > default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed > EOF > > GNUPG Interaction > ----------------- > > Here are steps and the interaction. > > (1) here are the processes > [gpgme]----[gpg]====[gpg-agent]----[scdaemon] > ^--- possibly by forwarded socket > > (2) A client program (Mutt, in your case) asks decryption through gpgme > decrypt > [gpgme]--->[gpg]----[gpg-agent]----[scdaemon] > > (3) it goes to scdaemon > decrypt > [gpgme]----[gpg]--->[gpg-agent]----[scdaemon] > > decrypt > [gpgme]----[gpg]----[gpg-agent]--->[scdaemon] > > (4) if the token is not authenticated yet, > scdaemon asks a user PIN back through gpg-agent > "PIN please" > [gpgme]----[gpg]----[gpg-agent]<---[scdaemon] > > > (5) Then, gpg-agent invokes pinentry. > [gpgme]----[gpg]----[gpg-agent]----[scdaemon] > | > [pinentry]<---/ > > (6) pinentry pops up GUI dialog window to user. > [gpgme]----[gpg]----[gpg-agent]----[scdaemon] > | > User <----[pinentry]----/ > > (7) User inputs PIN by the dialog. > [gpgme]----[gpg]----[gpg-agent]----[scdaemon] > | > User ---->[pinentry]----/ > PIN > > [gpgme]----[gpg]----[gpg-agent]----[scdaemon] > ^ > [pinentry]----/ > PIN > > PIN > [gpgme]----[gpg]----[gpg-agent]--->[scdaemon] > > (8) scdaemon sends the pin to the token to authenticate. > PIN > [gpgme]----[gpg]----[gpg-agent]----[scdaemon]-->[token] > > (9) Token is ready to decrypt, now. > scdaemon sends encrypted message to the token. > decrypt > [gpgme]----[gpg]----[gpg-agent]----[scdaemon]-->[token] > > (10) token replies back by decrypted message.... to gpgme. > decrypted > [gpgme]----[gpg]----[gpg-agent]----[scdaemon]<--[token] > > decrypted > [gpgme]----[gpg]----[gpg-agent]<---[scdaemon] > > decrypted > [gpgme]----[gpg]<---[gpg-agent]----[scdaemon] > > decrypted > [gpgme]<---[gpg]----[gpg-agent]----[scdaemon] > > Cheers, > Thomas -------------- next part -------------- An HTML attachment was scrubbed... URL: From amiteshmishra2005 at gmail.com Tue Oct 25 05:06:30 2016 From: amiteshmishra2005 at gmail.com (Amitesh Mishra) Date: Mon, 24 Oct 2016 23:06:30 -0400 Subject: pinentry dialog Message-ID: hi , I am using GnuPG 2.1.15 version installation on windows 2008 R2. [image: Inline image 1] While decryption , the pinentry pop up shows up although i have tried the following: 1. Added the passphrase to the perl script in the following manner system ("type $PASSFILE | gpg --no-tty --batch --passphrase-fd 0 --output $CONTACTDECRYPT --yes --decrypt $CONTACTTARGET"); where $PASSFILE = 'abc123$$'; $CONTACTTARGET = "XXX.pgp"; $CONTACTDECRYPT = "text.dat"; 2. preset passphrase as shown below : C:\Program Files (x86)\GnuPG\bin>gpg-connect-agent --homedir C:\Users\XXX\Ap pData\Roaming\gnupg "preset_passphrase B6938993903C4590B75FA651035A38377BE10CD8 -1 53656324537465663123313233" /bye OK Please suggest what i need to do so that i am able to pass on the passphrase without the pop up. -- ############################ Thanks & Regards, Amitesh Mishra ########################### -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image.png Type: image/png Size: 11064 bytes Desc: not available URL: From janardhan.bonthu at isd.sccgov.org Wed Oct 26 01:18:40 2016 From: janardhan.bonthu at isd.sccgov.org (Bonthu, Janardhan) Date: Tue, 25 Oct 2016 23:18:40 +0000 Subject: Cant decrypt in IIS hosted wcf service but works fine in console Message-ID: Hello Team, .Net WCF service development issues with GPG. I am using GPG for Encryption and Decryption of the message, however, I could not decrypt the message in WCF service hosted in IIS. But I can decrypt using the same code in console application. Please check the same and do the needful. Error : {"gpg: encrypted with RSA key, ID 642C729C\r\ngpg: encrypted with RSA key, ID 765F4971\r\ngpg: decryption failed: No secret key\r\n"} Thanks & Regards, Janardhan Bonthu Information Services Department 1555 Berger Drive, Bldg. 2, Floor 2 San Jose, CA 95112 Phone: 408.918.2705 -------------- next part -------------- An HTML attachment was scrubbed... URL: From dkg at fifthhorseman.net Wed Oct 26 15:39:59 2016 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Wed, 26 Oct 2016 09:39:59 -0400 Subject: Cant decrypt in IIS hosted wcf service but works fine in console In-Reply-To: References: Message-ID: <8737jjfcuo.fsf@alice.fifthhorseman.net> On Tue 2016-10-25 19:18:40 -0400, Bonthu, Janardhan wrote: > .Net WCF service development issues with GPG. > > I am using GPG for Encryption and Decryption of the message, however, > I could not decrypt the message in WCF service hosted in IIS. But I > can decrypt using the same code in console application. > > Please check the same and do the needful. > > Error : {"gpg: encrypted with RSA key, ID 642C729C\r\ngpg: encrypted with RSA key, ID 765F4971\r\ngpg: decryption failed: No secret key\r\n"} Is IIS running as the same user account as the console application? If they're different user accounts, it seems likely that they'd have access to different secret keyrings. --dkg From peter at digitalbrains.com Wed Oct 26 18:12:21 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Wed, 26 Oct 2016 18:12:21 +0200 Subject: pinentry dialog In-Reply-To: References: Message-ID: On 25/10/16 05:06, Amitesh Mishra wrote: > 1. Added the passphrase to the perl script in the following manner > > system ("type $PASSFILE | gpg --no-tty --batch --passphrase-fd 0 --output > $CONTACTDECRYPT --yes --decrypt $CONTACTTARGET"); You need to add "--pinentry-mode loopback" to the arguments. Also, while this is all fine for testing and debugging, it doesn't appear to make sense in production. What use is it to encrypt file A with a passphrase that is in plaintext in file B? Better not to encrypt file A, your private key, in the first place, since you gain nothing in protection in the general case. Then you don't need passphrase entry anymore, the key will Just Work(TM). > 2. preset passphrase as shown below : > C:\Program Files (x86)\GnuPG\bin>gpg-connect-agent --homedir C:\Users\XXX\Ap > pData\Roaming\gnupg "preset_passphrase B6938993903C4590B75FA651035A38377BE10CD8 > -1 53656324537465663123313233" /bye > OK preset_passphrase takes a *keygrip* not a *fingerprint*. You can find the keygrip as follows: $ gpg2 --with-keygrip -K 035A38377BE10CD8 For my test key, it's as follows: sec rsa2048/3E7F0306 2013-07-26 [SC] [expires: 2016-11-02] Keygrip = BDAB81746D3696C48746896F4EA1670D312148C7 uid err Test extra UID uid err Test more extra UID uid err Testkey ssb rsa2048/459A39FE 2014-01-09 [E] [expires: 2016-11-02] Keygrip = 815F15F918ECF9922D4CF60D0ED5C03143746201 If I want to prime the passphrase for decryption, I would use the keygrip 815F15F918ECF9922D4CF60D0ED5C03143746201. For the passphrase for signing, I would need the other keygrip instead. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From amiteshmishra2005 at gmail.com Wed Oct 26 19:57:53 2016 From: amiteshmishra2005 at gmail.com (Amitesh Mishra) Date: Wed, 26 Oct 2016 13:57:53 -0400 Subject: pinentry dialog In-Reply-To: References: Message-ID: Thanks Peter for your reply. When i tried adding "--pinentry-mode loopback" in the argument, i dont get the pinentry dialog but it says: *gpg: encrypted with 2048-bit RSA key, ID 035A38377BE10CD8, created 2016-09-23* * "XXX Inc. "* *gpg: public key decryption failed: Bad passphrase* *gpg: decryption failed: No secret key* If i remove the pinentry parameter, the same password works fine. Any suggestions on that ? Regards, Amitesh On Wed, Oct 26, 2016 at 12:12 PM, Peter Lebbing wrote: > On 25/10/16 05:06, Amitesh Mishra wrote: > > 1. Added the passphrase to the perl script in the following manner > > > > system ("type $PASSFILE | gpg --no-tty --batch --passphrase-fd 0 --output > > $CONTACTDECRYPT --yes --decrypt $CONTACTTARGET"); > > You need to add "--pinentry-mode loopback" to the arguments. > > Also, while this is all fine for testing and debugging, it doesn't appear > to > make sense in production. What use is it to encrypt file A with a > passphrase > that is in plaintext in file B? Better not to encrypt file A, your private > key, > in the first place, since you gain nothing in protection in the general > case. > Then you don't need passphrase entry anymore, the key will Just Work(TM). > > > 2. preset passphrase as shown below : > > C:\Program Files (x86)\GnuPG\bin>gpg-connect-agent --homedir > C:\Users\XXX\Ap > > pData\Roaming\gnupg "preset_passphrase B6938993903C4590B75FA651035A38 > 377BE10CD8 > > -1 53656324537465663123313233" /bye > > OK > > preset_passphrase takes a *keygrip* not a *fingerprint*. You can find the > keygrip as follows: > > $ gpg2 --with-keygrip -K 035A38377BE10CD8 > > For my test key, it's as follows: > > sec rsa2048/3E7F0306 2013-07-26 [SC] [expires: 2016-11-02] > Keygrip = BDAB81746D3696C48746896F4EA1670D312148C7 > uid err Test extra UID > uid err Test more extra UID > uid err Testkey > ssb rsa2048/459A39FE 2014-01-09 [E] [expires: 2016-11-02] > Keygrip = 815F15F918ECF9922D4CF60D0ED5C03143746201 > > If I want to prime the passphrase for decryption, I would use the keygrip > 815F15F918ECF9922D4CF60D0ED5C03143746201. For the passphrase for signing, > I > would need the other keygrip instead. > > HTH, > > Peter. > > -- > I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. > You can send me encrypted mail if you want some privacy. > My key is available at > -- ############################ Thanks & Regards, Amitesh Mishra Mobile: +1-248 497 4746 Home: +1-248 233 0593 ########################### -------------- next part -------------- An HTML attachment was scrubbed... URL: From m4rtntns at gmail.com Wed Oct 26 22:21:48 2016 From: m4rtntns at gmail.com (Martin T) Date: Wed, 26 Oct 2016 23:21:48 +0300 Subject: ways to ensure that GPG public key belongs to right person in business to business communication Message-ID: Hi, let's say that Alice from company A and Bob from company B need to exchange some private data with each other. Alice and Bob need to encrypt data just that one time, they do not belong to web-of-trust, but both company A and company B websites are trusted by certification authority, secure and available only over TLS. This gives a first option where both Alice and Bob ask their IT departments to publish their public keys on the company website so Alice can get Bobs public key over TLS from company B website and the other way around. Or when for example website of company B is not trusted by CA, then Alice can pick up the phone, call the customer-support of the company B and ask for Bob and then ask Bob to send her an e-mail with a public key and verify the fingerprint of the public key over a phone? Are there better(easier to use or more secure) ways to ensure that GPG public key belongs to right person in business to business communication? thanks, Martin From dkg at fifthhorseman.net Wed Oct 26 22:51:40 2016 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Wed, 26 Oct 2016 16:51:40 -0400 Subject: ways to ensure that GPG public key belongs to right person in business to business communication In-Reply-To: References: Message-ID: <87oa26esv7.fsf@alice.fifthhorseman.net> Hi Martin-- On Wed 2016-10-26 16:21:48 -0400, Martin T wrote: > let's say that Alice from company A and Bob from company B need to > exchange some private data with each other. Alice and Bob need to > encrypt data just that one time, they do not belong to web-of-trust, > but both company A and company B websites are trusted by certification > authority, secure and available only over TLS. This gives a first > option where both Alice and Bob ask their IT departments to publish > their public keys on the company website so Alice can get Bobs public > key over TLS from company B website and the other way around. Or when > for example website of company B is not trusted by CA, then Alice can > pick up the phone, call the customer-support of the company B and ask > for Bob and then ask Bob to send her an e-mail with a public key and > verify the fingerprint of the public key over a phone? Are there > better(easier to use or more secure) ways to ensure that GPG public > key belongs to right person in business to business communication? It depends on how much involvement you want the IT department to have. There are a few more options: * if Alice and Bob can meet in person, they can give each other business cards with their fingerprints on them. If this is how Alice finds Bob's e-mail address in the first place, this is a natural place to exchange cryptographic details as well. * the two companies could use WKD (web key directory), which is in its infancy, but is at least supported by GnuPG 2.1.x. * Alice and Bob could submit their keys to a third-party notary like Symantec's PGP Global Directory (if such a thing still exists) * Alice and Bob could publish their public keys in the public keyservers (e.g. gpg --send-key $FINGERPRINT) when they create their keys. Then they could look each other up in the public keyservers; if Alice finds only one public key associated with Bob's e-mail address, she might just decide to assume it's the right one. These all have slightly different security properties and failure modes, which might have different value to Alice and Bob, depending on their threat model and any other economic or logistical pressure they're under. --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 930 bytes Desc: not available URL: From aheinecke at intevation.de Thu Oct 27 17:33:45 2016 From: aheinecke at intevation.de (Andre Heinecke) Date: Thu, 27 Oct 2016 17:33:45 +0200 Subject: Hosting a Web Key Directory Message-ID: <5946421.vGOQITrRMC@esus> Hi! I just published how to host your own Web Key Directory on the gnupg blog. Find below a plain text version of my blog entry https://gnupg.org/blog/20161027-hosting-a-web-key-directory.html Andre 1 Hosting a Web Key Directory ????????????????????????????? With the improvements in GnuPG for Key Discovery (see: [Key Discovery Made Simple]) you may want to provide the OpenPGP keys for your domain. The Web Key Service (WKS) describes a protocol for Mail Service Providers or large organisations to maintain a Web Key Directory (WKD) for their users. A Web Key Directory is a static collection of keys provided under well known URLs under your domain. This directory can also be manually generated without using the Web Key Service protocol. By providing a Web Key Directory other people (or their Mail Software) can obtain the OpenPGP keys for your domain with a simple query like: ????? ? $ gpg --auto-key-locate wkd --locate-keys ????? In this note, I explain how to do that. Note: An updated version of this article may be available in the [GnuPG Wiki] [Key Discovery Made Simple] https://www.gnupg.org/blog/20160830-web-key-service.html [GnuPG Wiki] https://wiki.gnupg.org/WKD#Hosting%20a%20Web%20Key%20Directory 1.1 Requirements ???????????????? ? A web server that provides https with a trusted certificate for your domain. ? A client machine with Python and PyME installed (debian package python-pyme) ? The script: [generate-openpgpkey-hu] (in the [Mercurial repository "wkd-tools"]) [generate-openpgpkey-hu] https://hg.intevation.de/gnupg/wkd-tools/raw-file/default/generate-openpgpkey-hu [Mercurial repository "wkd-tools"] https://hg.intevation.de/gnupg/wkd-tools/ 1.2 Setup ????????? You can either export all the keys in your keyring that belong to a domain or provide an explicit keyring containing just those keys that you want to publish. The call: ????? ? $ ./generate-openpgpkey-hu example.com hu ????? Will create a directory called hu containing all the keys with user ids that include @example.com. If there are multiple valid keys for a user in your keyring this command will error out. In that case you can prepare a keyring with only the keys that you want to publish. For example: ????? ? $ gpg --export 94A5C9A03C2FE5CA3B095D8E1FDF723CF462B6B1 | \ ? > gpg --no-default-keyring --keyring ./wkd-keyring.gpg --import ????? And then provide that keyring to generate-openpgpkey-hu: ????? ? ./generate-openpgpkey-hu example.com hu wkd-keyring.gpg ????? 1.3 Publishing ?????????????? The hu directory has to be published on your server as ????? ? https://example.com/.well-known/openpgpkey/hu/ ????? Create the directory structure and set the permissions accordingly. This example [Makefile] automates the hu directory generation and publishing. Edit the variables at the top of the makefile to set `RSYNC_TARGET' The `KEYRING' variable is optional and can be left empty. That's it. You can now test your setup by calling: ????? ? $ gpg --auto-key-locate wkd --locate-keys ????? you should see something like this: ????? ? gpg: key AC12F94881D28CB7: public key "testuser10 at test.gnupg.org" imported ? gpg: Total number processed: 1 ? gpg: imported: 1 ? gpg: automatically retrieved 'testuser10 at test.gnupg.org' via WKD ? pub ed25519 2016-07-15 [SC] ? 5506894357DC548CC65B0BCFAC12F94881D28CB7 ? uid [ unknown] testuser10 at test.gnupg.org ? sub cv25519 2016-07-15 [E] ????? [Makefile] https://hg.intevation.de/gnupg/wkd-tools/raw-file/default/Makefile.example -- Andre Heinecke | ++49-541-335083-262 | http://www.intevation.de/ Intevation GmbH, Neuer Graben 17, 49074 Osnabr?ck | AG Osnabr?ck, HR B 18998 Gesch?ftsf?hrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 630 bytes Desc: This is a digitally signed message part. URL: From vitruvio-42 at yandex.com Thu Oct 27 19:10:07 2016 From: vitruvio-42 at yandex.com (MARCOS VITRUVIO BACCUS) Date: Thu, 27 Oct 2016 20:10:07 +0300 Subject: small question... Message-ID: <119281477588207@web17j.yandex.ru> An HTML attachment was scrubbed... URL: From m4rtntns at gmail.com Thu Oct 27 22:52:23 2016 From: m4rtntns at gmail.com (Martin T) Date: Thu, 27 Oct 2016 23:52:23 +0300 Subject: ways to ensure that GPG public key belongs to right person in business to business communication In-Reply-To: <87oa26esv7.fsf@alice.fifthhorseman.net> References: <87oa26esv7.fsf@alice.fifthhorseman.net> Message-ID: Hi, thanks for reply! Unfortunately, Alice and Bob cannot meet in person because of geographical distance. If they could, then this would definitely be the best way to exchange public keys. I further simplified my initial idea: Alice from company A asks Bob from company B to send her Bobs public key using an e-mail. Both Alice and Bob know each other e-mail addresses because they have been in contact before during a project which involves both company A and company B. Now when Alice receives Bobs public key, she will send hers in return to same e-mail address which she received the Bobs public key. Then she looks up the phone number of the customer support department of company B from company B official website and calls there and asks for Bob. Once she gets Bob on the phone, she asks Bob to tell the fingerprint of his public key and then Alice tells her public key fingerprint to Bob and asks Bob to confirm that it matches. I guess this provides reasonable security? thanks, Martin On Wed, Oct 26, 2016 at 11:51 PM, Daniel Kahn Gillmor wrote: > Hi Martin-- > > On Wed 2016-10-26 16:21:48 -0400, Martin T wrote: > >> let's say that Alice from company A and Bob from company B need to >> exchange some private data with each other. Alice and Bob need to >> encrypt data just that one time, they do not belong to web-of-trust, >> but both company A and company B websites are trusted by certification >> authority, secure and available only over TLS. This gives a first >> option where both Alice and Bob ask their IT departments to publish >> their public keys on the company website so Alice can get Bobs public >> key over TLS from company B website and the other way around. Or when >> for example website of company B is not trusted by CA, then Alice can >> pick up the phone, call the customer-support of the company B and ask >> for Bob and then ask Bob to send her an e-mail with a public key and >> verify the fingerprint of the public key over a phone? Are there >> better(easier to use or more secure) ways to ensure that GPG public >> key belongs to right person in business to business communication? > > It depends on how much involvement you want the IT department to have. > > There are a few more options: > > * if Alice and Bob can meet in person, they can give each other > business cards with their fingerprints on them. If this is how Alice > finds Bob's e-mail address in the first place, this is a natural > place to exchange cryptographic details as well. > > * the two companies could use WKD (web key directory), which is in its > infancy, but is at least supported by GnuPG 2.1.x. > > * Alice and Bob could submit their keys to a third-party notary like > Symantec's PGP Global Directory (if such a thing still exists) > > * Alice and Bob could publish their public keys in the public > keyservers (e.g. gpg --send-key $FINGERPRINT) when they create their > keys. Then they could look each other up in the public keyservers; > if Alice finds only one public key associated with Bob's e-mail > address, she might just decide to assume it's the right one. > > These all have slightly different security properties and failure modes, > which might have different value to Alice and Bob, depending on their > threat model and any other economic or logistical pressure they're > under. > > --dkg From Daniel.Ranft at giepa.de Fri Oct 28 10:50:47 2016 From: Daniel.Ranft at giepa.de (Daniel Ranft) Date: Fri, 28 Oct 2016 10:50:47 +0200 Subject: Decrypting a non-mdc encrypted message results in Exitcode 0 but also in status DECRYPTION_FAILED Message-ID: <1DC3C8C67280FB4C9A402CB6DB1358F51BCCB65A44@S2008SBS.intern.giepa.de> Hi, we have a customer that receives emails from totemomail. These messages are not MDC protected and therefore will cause a warning. Sadly this will (since GnuPG modern) also result in a DECRYPTION_FAILED status message, which we are parsing. Is this intended like that? What should we parse instead? Thanks, Daniel Ranft gpg4o developer -- Verschl?sseln Sie Ihre E-Mails mit gpg4o f?r Outlook | Encrypt your email with gpg4o Meinen PGP-Schl?ssel finden Sie auf hkp://pgp.mit.edu. Key-ID: B8DAE2A2 ------------------------------------------------------------------------------------------------------------------- Daniel Ranft Softwareentwickler Giegerich & Partner GmbH? Robert-Bosch-Stra?e 18 | D-63303 Dreieich Tel. +49 6103 5881-50 |?Fax +49 6103 5881-49 daniel.ranft at giepa.de | http://www.giepa.de Gesch?ftsf?hrer: Dipl.-Ing. (TU) Hans-Joachim Giegerich Amtsgericht Offenbach/Main | HRB 33236 ------------------------------------------------------------------------------------------------------------------- From listofactor at mail.ru Fri Oct 28 13:50:48 2016 From: listofactor at mail.ru (listo factor) Date: Fri, 28 Oct 2016 11:50:48 +0000 Subject: self-decrypting message In-Reply-To: <119281477588207@web17j.yandex.ru> References: <119281477588207@web17j.yandex.ru> Message-ID: <5b05a5c6-702f-5661-33b6-071c8c8caf11@mail.ru> > ...Can I send an encrypted e-mail so that it decodes itself automatically once it reaches the recipient? An e-mail message is just a piece of data; it is always a computer program (i.e., a piece of software, not data) that performs either encryption or decryption. It is therefore not possible to construct a message that would somehow "decrypt itself" upon arrival on ~any~ computer, but it is possible to set up a program on a specific recipient's computer to do that. Details would depend on the nature of recipient's computer and software - specifically the e-mail client program - used on it. This would of course only make sense if the attacker has absolutely no access to recipient's computer, not even via the network. From dkg at fifthhorseman.net Fri Oct 28 18:40:08 2016 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Fri, 28 Oct 2016 12:40:08 -0400 Subject: web-based manpage version? Message-ID: <87mvhobf6f.fsf@alice.fifthhorseman.net> Hi all-- I just noticed (from interactions on IRC) that the web-based manual page for GnuPG isn't clear about which version of GnuPG it documents: https://www.gnupg.org/documentation/manpage.html I believe it's either from the "classic" or "stable" branch, but it doesn't say so explicitly. As a result, it documents things like "--force-v3-sigs" even though the "modern" branch of GnuPG explicitly says: > --force-v3-sigs > --no-force-v3-sigs > > --force-v4-certs > --no-force-v4-certs > These options are obsolete and have no effect since GnuPG 2.1. How is the web-based manpage maintained? Can we update it to contain relevant information like the above option deprecation? --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 930 bytes Desc: not available URL: From wk at gnupg.org Fri Oct 28 21:09:55 2016 From: wk at gnupg.org (Werner Koch) Date: Fri, 28 Oct 2016 21:09:55 +0200 Subject: web-based manpage version? In-Reply-To: <87mvhobf6f.fsf@alice.fifthhorseman.net> (Daniel Kahn Gillmor's message of "Fri, 28 Oct 2016 12:40:08 -0400") References: <87mvhobf6f.fsf@alice.fifthhorseman.net> Message-ID: <87k2cs47ek.fsf@wheatstone.g10code.de> On Fri, 28 Oct 2016 18:40, dkg at fifthhorseman.net said: > How is the web-based manpage maintained? Can we update it to contain > relevant information like the above option deprecation? Not really maintained. Can you please open an issue that we create that, and the other man pages, always from the latest released version? Needs a bit of script but it is worth the work. I think the current version was once manually HTMLized (and later converted to org). Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 194 bytes Desc: not available URL: From ml.throttle at xoxy.net Sat Oct 29 08:01:54 2016 From: ml.throttle at xoxy.net (Helmut Waitzmann) Date: Sat, 29 Oct 2016 08:01:54 +0200 Subject: How to fold long lines in the gpg.conf file? Message-ID: <87d1ijitg3.fsf@helmutwaitzmann.news.arcor.de> Is there a way to fold long lines in the gpg.conf file? From peter at digitalbrains.com Sat Oct 29 14:21:10 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Sat, 29 Oct 2016 14:21:10 +0200 Subject: pinentry dialog In-Reply-To: References: Message-ID: <0d469410-5228-6042-b0f9-1cfa23232c13@digitalbrains.com> On 26/10/16 19:57, Amitesh Mishra wrote: > If i remove the pinentry parameter, the same password works fine. Any > suggestions on that ? I just used $ echo test | gpg2 --no-tty --batch --pinentry-mode loopback --passphrase-fd 0 -o test.out --yes -d test.gpg as a variation on the precise invocation you provided, and it worked fine; under Linux. And yes, the passphrase for the key is the word test. Are you completely sure that the command correctly accesses the file "abc123$$$" in your current directory when invoked, and that the password in that file is correct? If so, all I can think of is line endings. DOS files end in CR LF where most Unix-like systems end lines in just LF. Sure enough: -------------------------8<------------->8------------------------- $ cat test-crlf.txt | gpg2 --no-tty --batch --pinentry-mode loopback --passphrase-fd 0 -o test.out --yes -d test.gpg gpg: encrypted with 2048-bit RSA key, ID 459A39FE, created 2014-01-09 "Test extra UID" gpg: public key decryption failed: Bad passphrase gpg: decryption failed: No secret key -------------------------8<------------->8------------------------- Here I made the text file have DOS line endings. On Linux, it's not very surprising, but maybe gpg also wants just an LF as a line end on DOS/Windows. It works for me with either LF or no line end: -------------------------8<------------->8------------------------- $ hd test-lf.txt 00000000 74 65 73 74 0a |test.| 00000005 $ hd test-noend.txt 00000000 74 65 73 74 |test| 00000004 $ hd test-crlf.txt 00000000 74 65 73 74 0d 0a |test..| 00000006 $ cat test-lf.txt | gpg2 --no-tty --batch --pinentry-mode loopback --passphrase-fd 0 -o test.out --yes -d test.gpg gpg: encrypted with 2048-bit RSA key, ID 459A39FE, created 2014-01-09 "Test extra UID" $ gpgconf --reload gpg-agent $ cat test-noend.txt | gpg2 --no-tty --batch --pinentry-mode loopback --passphrase-fd 0 -o test.out --yes -d test.gpg gpg: encrypted with 2048-bit RSA key, ID 459A39FE, created 2014-01-09 "Test extra UID" $ gpgconf --reload gpg-agent $ cat test-crlf.txt | gpg2 --no-tty --batch --pinentry-mode loopback --passphrase-fd 0 -o test.out --yes -d test.gpg gpg: encrypted with 2048-bit RSA key, ID 459A39FE, created 2014-01-09 "Test extra UID" gpg: public key decryption failed: Bad passphrase gpg: decryption failed: No secret key -------------------------8<------------->8------------------------- Since my agent caches passphrases, I need to flush the cache in between each invocation or the results would make no sense. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From wk at gnupg.org Sun Oct 30 11:49:48 2016 From: wk at gnupg.org (Werner Koch) Date: Sun, 30 Oct 2016 11:49:48 +0100 Subject: How to fold long lines in the gpg.conf file? In-Reply-To: <87d1ijitg3.fsf@helmutwaitzmann.news.arcor.de> (Helmut Waitzmann's message of "Sat, 29 Oct 2016 08:01:54 +0200") References: <87d1ijitg3.fsf@helmutwaitzmann.news.arcor.de> Message-ID: <87eg2y2jsj.fsf@wheatstone.g10code.de> On Sat, 29 Oct 2016 08:01, ml.throttle at xoxy.net said: > Is there a way to fold long lines in the gpg.conf file? No. However there is no limit on the length of a line. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 194 bytes Desc: not available URL: From dkg at fifthhorseman.net Sun Oct 30 20:20:11 2016 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Sun, 30 Oct 2016 15:20:11 -0400 Subject: web-based manpage version? In-Reply-To: <87k2cs47ek.fsf@wheatstone.g10code.de> References: <87mvhobf6f.fsf@alice.fifthhorseman.net> <87k2cs47ek.fsf@wheatstone.g10code.de> Message-ID: <87eg2xabkk.fsf@alice.fifthhorseman.net> On Fri 2016-10-28 15:09:55 -0400, Werner Koch wrote: > On Fri, 28 Oct 2016 18:40, dkg at fifthhorseman.net said: > >> How is the web-based manpage maintained? Can we update it to contain >> relevant information like the above option deprecation? > > Not really maintained. Can you please open an issue that we create > that, and the other man pages, always from the latest released version? Sure, here you go: https://bugs.gnupg.org/gnupg/issue2823 It would be great to make this happen automatically at each release. Thanks, --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 930 bytes Desc: not available URL: From mpiaser at novexsystems.com Sun Oct 30 21:23:08 2016 From: mpiaser at novexsystems.com (Michael Piaser) Date: Sun, 30 Oct 2016 20:23:08 +0000 Subject: GNU Privacy Assistance Signing help Message-ID: <574EE815C9292A489763C5E06EAA700B1D2D60FC@SBS2011.novex.local> I'm hoping somebody can give me an idea of what I'm doing wrong. I can't get any of the keys to show up in the Sign As box. I had a key there yesterday (and have been encrypting and signing with that key for two years). Today I'm trying to implement a new key and I deleted the old key. The key says it can be used for signing but I can't get it in the Sign As box. Please email me your ideas at mpiaser at novexsystems.com Thanks in Advance [cid:image003.jpg at 01D232C9.E0D64600][cid:image004.jpg at 01D232C9.E0D64600] -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image003.jpg Type: image/jpeg Size: 80527 bytes Desc: image003.jpg URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image004.jpg Type: image/jpeg Size: 44998 bytes Desc: image004.jpg URL: From peter at digitalbrains.com Mon Oct 31 11:20:31 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Mon, 31 Oct 2016 11:20:31 +0100 Subject: GNU Privacy Assistance Signing help In-Reply-To: <574EE815C9292A489763C5E06EAA700B1D2D60FC@SBS2011.novex.local> References: <574EE815C9292A489763C5E06EAA700B1D2D60FC@SBS2011.novex.local> Message-ID: <986e139f-cc9c-851b-56c5-9434d73d708a@digitalbrains.com> The key manager at the bottom says "The key has only a public part" so you can't sign or decrypt with it, as that needs the secret part. If you exported and then imported this key, you should export the secret part as well. Usually, you only export public keys, so it's a different procedure for secret keys. I could fire up a different computer that has GPA installed and try to see what you should do, but perhaps you can figure it out with just this hint, so I'll leave it at this first. Do ask for more information if you can't figure it out. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at