From gnupg at raf.org Thu Sep 1 01:30:42 2016
From: gnupg at raf.org (gnupg at raf.org)
Date: Thu, 1 Sep 2016 09:30:42 +1000
Subject: Key Discovery Made Simple
In-Reply-To: <688b1822-52e0-ef97-8e36-d76b546f7ee1@digitalbrains.com>
References: <874m625njg.fsf@wheatstone.g10code.de> <20160830234746.GA20856@raf.org> <688b1822-52e0-ef97-8e36-d76b546f7ee1@digitalbrains.com>
Message-ID: <20160831233042.GA719@raf.org>

Peter Lebbing wrote:

> On 31/08/16 01:47, gnupg at raf.org wrote:
> > In the cronjob, "*/4" is invalid on
> > systemd systems (or at least Debian8)
>
> In Debian 8, the default cron daemon seems to come from the package 'cron'. I
> don't think you get the 'systemd-cron' package by default: you need to
> explicitly install it, and uninstall the 'Prio: important' package 'cron'.
>
> Either way, I was unable to reproduce this. I installed systemd-cron, and it
> accepted my "*/4" happily (and did indeed run the command every four minutes).
> Though I no longer was able to edit my crontab as a regular user, I needed root
> to do it with "crontab -u peter".
>
> Do you have a Debian bug reference for this? I don't see it. The snippet Werner
> quoted from the man page is also in the man page from 'systemd-cron', by the way.
>
> I get the feeling systemd-cron is for supporting "legacy" stuff, and people who
> go all-out systemd will use systemd facilities such as timers to implement stuff
> "legacy people" ;-) do with crontabs.
>
> Cheers,
> Peter.

That's good to hear. It must have been fixed (somehow).

When upgrading to Debian8, in November last year, I had read

  https://www.debian.org/releases/stable/i386/release-notes/ch-information.en.html

which says, in section 5.17 Stricter validation of cron files in crontab:

  The crontab program is now more strict and may refuse to save a
  changed cron file if it is invalid. If you experience issues with
  crontab -e, please review your crontab for existing mistakes.

I thought nothing of it until I noticed that my log files hadn't
rotated for a while and tracked it down to cron ignoring /etc/crontab
(and therefore everything in /etc/cron.{daily,weekly,monthly}) because
there was a */5 in /etc/crontab. systemctl status cron showed a syntax
error log message about it. When I changed it to 0-55/5 it all started
working again.

And I have the cron package, not systemd-cron so maybe it was just a
Debian problem. I've just checked again and */5 definitely is working
now. Yay. Thanks for investigating this.

cheers,
raf

From mirimir at riseup.net Thu Sep 1 02:55:09 2016
From: mirimir at riseup.net (Mirimir)
Date: Wed, 31 Aug 2016 18:55:09 -0600
Subject: keybase.io
In-Reply-To: <87bn091ivi.fsf_-_@wheatstone.g10code.de>
References: <874m625njg.fsf@wheatstone.g10code.de> <12185-1472573142-158545@sneakemail.com> <47ec0875-5cb9-927a-4fc1-02d841182aea@riseup.net> <87bn091ivi.fsf_-_@wheatstone.g10code.de>
Message-ID: <90af19ff-ccaf-9f50-a778-c81d44fd0a53@riseup.net>

On 08/31/2016 01:45 AM, Werner Koch wrote:
> On Wed, 31 Aug 2016 04:27, mirimir at riseup.net said:
>
>> What are the defects in ?
>
> They do not even try to minimize the use of meta data but use privacy
> invading services (Facebook, Twitter, etc) to connect the key into a way
> larger network than what we have with the Web of Trust. Kind of key
> signing party for the Twitter generation.

But that's what I like about it :)

Mirimir can't have an old-school Web of Trust. Nobody that I know in
meatspace knows that I use that pseudonym.

With KeyBase, Mirimir has signed proofs on Hacker News, reddit, and
GitHub. Even if someone compromised my KeyBase account, and added a
fake key, they couldn't change those published proofs, which are signed
by my true key.

I don't use Facebook or Twitter, because they're not friendly to
pseudonyms. But for those not using pseudonyms, privacy invasion through
verification of meatspace identity is a benefit, no?
There's no privacy in attending a key signing party, is there?

> I am not sure, but I heard that keybase.io is moving towards a
> centralized system for encrypted message exchange.
>
>
> Shalom-Salam,
>
>    Werner
>

From christian.heinrich at cmlh.id.au Thu Sep 1 02:29:57 2016
From: christian.heinrich at cmlh.id.au (Christian Heinrich)
Date: Thu, 1 Sep 2016 10:29:57 +1000
Subject: keybase.io (was: Key Discovery Made Simple)
In-Reply-To: <87bn091ivi.fsf_-_@wheatstone.g10code.de>
References: <874m625njg.fsf@wheatstone.g10code.de> <12185-1472573142-158545@sneakemail.com> <47ec0875-5cb9-927a-4fc1-02d841182aea@riseup.net> <87bn091ivi.fsf_-_@wheatstone.g10code.de>
Message-ID:

Werner,

On Wed, Aug 31, 2016 at 5:45 PM, Werner Koch wrote:
> I am not sure, but I heard that keybase.io is moving towards a
> centralized system for encrypted message exchange.

keybase.io's ulterior motive is for the end user to use their PGP/GPG
Javascript implementation but it is not mandatory (to upload your
existing Private Key) when the end user enrolls.

On Wed, Aug 31, 2016 at 5:45 PM, Werner Koch wrote:
> They do not even try to minimize the use of meta data but use privacy
> invading services (Facebook, Twitter, etc) to connect the key into a way
> larger network than what we have with the Web of Trust. Kind of key
> signing party for the Twitter generation.

I'm enrolled at https://keybase.io/cmlh and it is worth noting that
there is no URL listed on keybase.io for SKS or
https://pgp.mit.edu/pks/lookup?search=0xA46325100EAEE92B&op=index&fingerprint=on&exact=on
for example.

That stated, for anything I don't want disclosed I would generate
separate subkeypairs.

Also, while keybase.io supports GitHub their independent integration is
https://help.github.com/articles/adding-a-new-gpg-key-to-your-github-account/
as opposed to https://gist.github.com/cmlh/b3f0bcd38533a2dc05b8 for
example.

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

From wk at gnupg.org Thu Sep 1 08:02:22 2016
From: wk at gnupg.org (Werner Koch)
Date: Thu, 01 Sep 2016 08:02:22 +0200
Subject: keybase.io
In-Reply-To: <90af19ff-ccaf-9f50-a778-c81d44fd0a53@riseup.net> (mirimir@riseup.net's message of "Wed, 31 Aug 2016 18:55:09 -0600")
References: <874m625njg.fsf@wheatstone.g10code.de> <12185-1472573142-158545@sneakemail.com> <47ec0875-5cb9-927a-4fc1-02d841182aea@riseup.net> <87bn091ivi.fsf_-_@wheatstone.g10code.de> <90af19ff-ccaf-9f50-a778-c81d44fd0a53@riseup.net>
Message-ID: <874m60rwcx.fsf@wheatstone.g10code.de>

On Thu, 1 Sep 2016 02:55, mirimir at riseup.net said:

> verification of meatspace identity is a benefit, no? There's no privacy
> in attending a key signing party, is there?

I have long stopped to consider key signing parties a useful thing. The
WoT is helpful but is independent of such events. The better way of
providing assurance to always talk to the same key is TOFU.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
/* Join us at OpenPGP.conf */

From mirimir at riseup.net Thu Sep 1 08:34:58 2016
From: mirimir at riseup.net (Mirimir)
Date: Thu, 1 Sep 2016 00:34:58 -0600
Subject: keybase.io
In-Reply-To: <874m60rwcx.fsf@wheatstone.g10code.de>
References: <874m625njg.fsf@wheatstone.g10code.de> <12185-1472573142-158545@sneakemail.com> <47ec0875-5cb9-927a-4fc1-02d841182aea@riseup.net> <87bn091ivi.fsf_-_@wheatstone.g10code.de> <90af19ff-ccaf-9f50-a778-c81d44fd0a53@riseup.net> <874m60rwcx.fsf@wheatstone.g10code.de>
Message-ID: <845e6395-5aaa-19a0-deb7-8f859b470443@riseup.net>

On 09/01/2016 12:02 AM, Werner Koch wrote:
> On Thu, 1 Sep 2016 02:55, mirimir at riseup.net said:
>
>> verification of meatspace identity is a benefit, no?
>> There's no privacy in attending a key signing party, is there?
>
> I have long stopped to consider key signing parties a useful thing.
> The WoT is helpful but is independent of such events. The better
> way of providing assurance to always talk to the same key is TOFU.

Ensuring that you keep talking to the same key is pretty easy. The hard
thing is knowing what key is correct for someone who's defined only by
an online presence. Where you have no WoT overlap.

Comparing public keys from multiple sources is workable, but tedious.
Very cool would be a tool to automate that, protect the keyring from
corruption, and remove any cruft. Maybe TOFU could do that?

> Shalom-Salam,
>
>    Werner
>

From wk at gnupg.org Thu Sep 1 10:15:50 2016
From: wk at gnupg.org (Werner Koch)
Date: Thu, 01 Sep 2016 10:15:50 +0200
Subject: keybase.io
In-Reply-To: <845e6395-5aaa-19a0-deb7-8f859b470443@riseup.net> (mirimir@riseup.net's message of "Thu, 1 Sep 2016 00:34:58 -0600")
References: <874m625njg.fsf@wheatstone.g10code.de> <12185-1472573142-158545@sneakemail.com> <47ec0875-5cb9-927a-4fc1-02d841182aea@riseup.net> <87bn091ivi.fsf_-_@wheatstone.g10code.de> <90af19ff-ccaf-9f50-a778-c81d44fd0a53@riseup.net> <874m60rwcx.fsf@wheatstone.g10code.de> <845e6395-5aaa-19a0-deb7-8f859b470443@riseup.net>
Message-ID: <87poooqbm1.fsf@wheatstone.g10code.de>

On Thu, 1 Sep 2016 08:34, mirimir at riseup.net said:

> Ensuring that you keep talking to the same key is pretty easy. The
> hard thing is knowing what key is correct for someone who's defined
> only by an online presence. Where you have no WoT overlap. Comparing

You see signed message from someone and over time you build up trust.
Eventually you want to send a mail and the TOFU system will consider
that email/key valid due to the signatures gathered over time.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
/* Join us at OpenPGP.conf */

From mirimir at riseup.net Thu Sep 1 10:37:09 2016
From: mirimir at riseup.net (Mirimir)
Date: Thu, 1 Sep 2016 02:37:09 -0600
Subject: keybase.io
In-Reply-To: <87poooqbm1.fsf@wheatstone.g10code.de>
References: <874m625njg.fsf@wheatstone.g10code.de> <12185-1472573142-158545@sneakemail.com> <47ec0875-5cb9-927a-4fc1-02d841182aea@riseup.net> <87bn091ivi.fsf_-_@wheatstone.g10code.de> <90af19ff-ccaf-9f50-a778-c81d44fd0a53@riseup.net> <874m60rwcx.fsf@wheatstone.g10code.de> <845e6395-5aaa-19a0-deb7-8f859b470443@riseup.net> <87poooqbm1.fsf@wheatstone.g10code.de>
Message-ID: <58f37de3-3fee-3025-c175-85a71d84e7e3@riseup.net>

On 09/01/2016 02:15 AM, Werner Koch wrote:
> On Thu, 1 Sep 2016 08:34, mirimir at riseup.net said:
>
>> Ensuring that you keep talking to the same key is pretty easy.
>> The hard thing is knowing what key is correct for someone who's
>> defined only by an online presence. Where you have no WoT
>> overlap. Comparing
>
> You see signed message from someone and over time you build up
> trust. Eventually you want to send a mail and the TOFU system will
> consider that email/key valid due to the signatures gathered over
> time.

I'm guessing that's from a mail list. And I'll try it. Thanks :)

> Salam-Shalom,
>
>    Werner
>

From anthony at cajuntechie.org Thu Sep 1 17:47:30 2016
From: anthony at cajuntechie.org (Anthony Papillion)
Date: Thu, 1 Sep 2016 10:47:30 -0500
Subject: Is the bug tracker maintained at all anymore?
Message-ID: <28771a99-e045-fb10-ff4f-32c1532813d8@cajuntechie.org>

So I just went to the public bug tracker and was greeted by a page full
of Quickbooks spam! Does the project even maintain the bug tracker
anymore? If not, I'd suggest getting rid of it as that looks /really/
bad!

Anthony

--
OpenPGP Key: 4096R/0x028ADF7453B04B15
Other Key Info: http://www.cajuntechie.org/p/my-pgp-key.html
XMPP?Jabber: cajuntech at dukgo.com
VoIP/SIP: 1259010 at localphone.com

From anthony at cajuntechie.org Thu Sep 1 17:49:08 2016
From: anthony at cajuntechie.org (Anthony Papillion)
Date: Thu, 1 Sep 2016 10:49:08 -0500
Subject: Never mind :-)
Message-ID: <416e8345-c306-a435-1c9f-fd4576090886@cajuntechie.org>

So I just looked and saw that all of the spam in the bug tracker is from
the last hour to hour and a half. Someone probably just hasn't had the
time to clean it up yet. Spoke too soon. My apologies.

Anthony

--
OpenPGP Key: 4096R/0x028ADF7453B04B15
Other Key Info: http://www.cajuntechie.org/p/my-pgp-key.html
XMPP?Jabber: cajuntech at dukgo.com
VoIP/SIP: 1259010 at localphone.com

From whitey666 at sigaint.org Thu Sep 1 18:27:00 2016
From: whitey666 at sigaint.org (whitey666 at sigaint.org)
Date: Thu, 1 Sep 2016 16:27:00 -0000
Subject: TOFU support in GnuPG 2.1
Message-ID: <3b84c01a68f0254a07ec77c187dbda8c.webmail@localhost>

Hello,

I have been using GnuPG 2.1.15 for several weeks having compiled it from
source. After seeing several references to TOFU I decided to try it. I
added "trust-model tofu+pgp" and "tofu-default-policy ask" to gpg.conf.
When I ran gpg2, it balked at both entries so I reran ./configure and
learned that my GnuPG 2.1.15 was compiled without TOFU support:

    GnuPG v2.1.15 has been configured as follows:

    Revision:  6bee88d (27630)
    Platform:  GNU/Linux (x86_64-pc-linux-gnu)

    OpenPGP:   yes
    S/MIME:    yes
    Agent:     yes
    Smartcard: yes (without internal CCID driver)
    G13:       no
    Dirmngr:   yes
    Gpgtar:    yes
    WKS tools: no

    Protect tool:      (default)
    LDAP wrapper:      (default)
    Default agent:     (default)
    Default pinentry:  (default)
    Default scdaemon:  (default)
    Default dirmngr:   (default)

    Dirmngr auto start:  yes
    Readline support:    no
    LDAP support:        no
    DNS SRV support:     yes
    TLS support:         no
    TOFU support:        no
    Tor support:         only .onion

Two questions:

1) What must I do to include TOFU support?

2) Based on the above output, am I missing anything else I should have
included?

Whitey

From wk at gnupg.org Thu Sep 1 20:33:08 2016
From: wk at gnupg.org (Werner Koch)
Date: Thu, 01 Sep 2016 20:33:08 +0200
Subject: OpenPGP.conf streamed?
In-Reply-To: <561ec722-7833-c1f1-a401-9d63619043c9@cajuntechie.org> (Anthony Papillion's message of "Wed, 24 Aug 2016 19:05:08 -0500")
References: <561ec722-7833-c1f1-a401-9d63619043c9@cajuntechie.org>
Message-ID: <87bn07o4gr.fsf@wheatstone.g10code.de>

On Thu, 25 Aug 2016 02:05, anthony at cajuntechie.org said:

> I just realized that OpenPGP.conf is coming up in less than a month.
> Unfortunately, I won't be able to attend. Will anyone be streaming it
> live? If not, will there be videos posted?

Well, the social event will be in a week. There will be no streaming,
but video taping is planned. I'll keep this list posted of course.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
/* Join us at OpenPGP.conf */

From wk at gnupg.org Thu Sep 1 20:30:21 2016
From: wk at gnupg.org (Werner Koch)
Date: Thu, 01 Sep 2016 20:30:21 +0200
Subject: Is the bug tracker maintained at all anymore?
In-Reply-To: <28771a99-e045-fb10-ff4f-32c1532813d8@cajuntechie.org> (Anthony Papillion's message of "Thu, 1 Sep 2016 10:47:30 -0500")
References: <28771a99-e045-fb10-ff4f-32c1532813d8@cajuntechie.org>
Message-ID: <87fupjo4le.fsf@wheatstone.g10code.de>

On Thu, 1 Sep 2016 17:47, anthony at cajuntechie.org said:

> So I just went to the public bug tracker and was greeted by a page full
> of Quickbooks spam! Does the project even maintain the bug tracker
> anymore? If not, I'd suggest getting rid of it as that looks /really/ bad!

Sorry, we are under spam attack. I installed some anti spam rules but
just a few hours ago they adjusted to them. I am cleaning up as soon as
I notice spam. Fortunately we have the Provisional User role and thus
the spam will not clutter existing bug reports - they create only new
ones.

If nothing else helps we would need to moderate registration of new
users - which is not the best solution.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
/* Join us at OpenPGP.conf */

From wk at gnupg.org Thu Sep 1 20:39:30 2016
From: wk at gnupg.org (Werner Koch)
Date: Thu, 01 Sep 2016 20:39:30 +0200
Subject: TOFU support in GnuPG 2.1
In-Reply-To: <3b84c01a68f0254a07ec77c187dbda8c.webmail@localhost> (whitey's message of "Thu, 1 Sep 2016 16:27:00 -0000")
References: <3b84c01a68f0254a07ec77c187dbda8c.webmail@localhost>
Message-ID: <877favo465.fsf@wheatstone.g10code.de>

On Thu, 1 Sep 2016 18:27, whitey666 at sigaint.org said:

> 1) What must I do to include TOFU support?

If you look through the config.log or your screen backlog, you will
notice that GNUTLS is missing which you need for all kind of https:
access. And you are missing SQLite3 which we require for TOFU. You need
the "-dev" packages.

> 2) Based on the above output, am I missing anything else I should
> have included?

adns and readline are a good choice

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
/* Join us at OpenPGP.conf */

From dgouttegattat at incenp.org Thu Sep 1 20:25:22 2016
From: dgouttegattat at incenp.org (Damien Goutte-Gattat)
Date: Thu, 1 Sep 2016 20:25:22 +0200
Subject: TOFU support in GnuPG 2.1
In-Reply-To: <3b84c01a68f0254a07ec77c187dbda8c.webmail@localhost>
References: <3b84c01a68f0254a07ec77c187dbda8c.webmail@localhost>
Message-ID:

On 09/01/2016 06:27 PM, whitey666 at sigaint.org wrote:
> 1) What must I do to include TOFU support?

You're probably missing the development files of SQLite (depending on
your distribution, they're probably in a package called sqlite-dev or
similar). To confirm, look at the output of the configure script for the
following line:

    Building without SQLite support - TOFU disabled

Install the missing package and run the configure script again.

Damien

From gabri.philippe at gmail.com Fri Sep 2 11:13:09 2016
From: gabri.philippe at gmail.com (Gabriel Philippe)
Date: Fri, 2 Sep 2016 11:13:09 +0200
Subject: signatures from revoked key, trusted?
Message-ID:

Hi,

A friend sends me signed messages which signature is said correct by
GnuPG: "good signature from...".
I have just noticed I had signed his key with my old key, which is now
revoked in my keyring. So why does GnuPG consider the signature correct?
I would expect that, since I have revoked my old key, all certifications
done with this key should not be trusted anymore.

--
Gabriel

From whitey666 at sigaint.org Fri Sep 2 13:15:12 2016
From: whitey666 at sigaint.org (whitey666 at sigaint.org)
Date: Fri, 2 Sep 2016 11:15:12 -0000
Subject: TOFU support in GnuPG 2.1
In-Reply-To: <877favo465.fsf@wheatstone.g10code.de>
References: <3b84c01a68f0254a07ec77c187dbda8c.webmail@localhost> <877favo465.fsf@wheatstone.g10code.de>
Message-ID:

On Thu, September 1, 2016 6:39 pm, wk at gnupg.org wrote:
> On Thu, 1 Sep 2016 18:27, whitey666 at sigaint.org said:
>
>> 1) What must I do to include TOFU support?
>
> If you look through the config.log or your screen backlog, you will
> notice that GNUTLS is missing which you need for all kind of https:
> access. And you are missing SQLite3 which we require for TOFU. You
> need the "-dev" packages.
>

sqlite3 was the problem. Thanks to you and Damien for pointing it out. I
will probably be back with more questions once I begin testing TOFU in
earnest.

Still having issues with GNUTLS which doesn't completely install on my
Ubuntu-based distro leaving a broken package. But TOFU appears to
function, and that is a step forward.

Thanks again,
Whitey

From cr at rheloud.net Fri Sep 2 17:52:52 2016
From: cr at rheloud.net (C. Rossberg)
Date: Fri, 02 Sep 2016 17:52:52 +0200
Subject: signatures from revoked key, trusted?
In-Reply-To:
References:
Message-ID: <87zinqguy3.fsf@rheloud.net>

Hi Gabriel,

> I have just noticed I had signed his key with my old key, which is now
> revoked in my keyring. So why does GnuPG consider the signature
> correct?

'Correctness' refers to the result of the process of 'verifying a
signature' - this has nothing to do with 'trusting a key'. Correctness
and trust belong to different realms. You need to separate both
concepts.

gpg(1) labels a signature as 'good' in order to attest that the file it
just verified

- (a) has indeed been signed by a specific private key(!) and
- (b) that this file hasn't been modified in any way on its way to you.

gpg(1) does this by 'relating' your friend's public key(!) to this key's
signature.

(More information https://gnupg.org/gph/en/manual.html#AEN216, esp. last
paragraph. https://gnupg.org/gph/en/manual.html#AEN136)

'trust' - on the other hand - describes how thoroughly you have checked
the relation of ownership(!) between the key and the one who claims to
own it.

(More Information https://gnupg.org/faq/gnupg-faq.html#define_trust)

If Person_X claims to own Some_PubKey and you have checked successfully,
that Person_X really does own it, you may start to give Person_X's key a
trust-value of 'enough'. (Now Some_PubKey appears to be Person_X's key.)

To wrap it up: 'verifying' is 'checking a checksum' - and a particular
checksum may be 'correct' even if you don't trust the key.

Hope that solves at least one of your questions.

Regards
//c

From mlisten at hammernoch.net Fri Sep 2 21:39:34 2016
From: mlisten at hammernoch.net (Ludwig Hügelschäfer)
Date: Fri, 2 Sep 2016 21:39:34 +0200
Subject: signatures from revoked key, trusted?
In-Reply-To:
References:
Message-ID: <8b783ecf-a9ba-3303-080d-cc340b00b646@hammernoch.net>

On 02.09.16 11:13, Gabriel Philippe wrote:
> Hi,
>
> A friend sends me signed messages which signature is said correct
> by GnuPG: "good signature from...".

"Good signature" _always_ means it is "good" in the cryptographical
technical sense: Your copy of the public key states that it comes from
the same source as the key owning entity. It does _not_ state that the
key is "valid" or that it belongs to the person stated by the user id
attached to the key.

> I have just noticed I had signed his key with my old key, which is
> now revoked in my keyring.
> So why does GnuPG consider the signature correct? I would expect
> that, since I have revoked my old key, all certifications done with
> this key should not be trusted anymore.

GnuPG issues a respective warning; a test by verifying an old signed
mail with an old revoked key yields:

! gpg: Signature made Thu Jun 12 22:35:47 2008 CEST using RSA key ID
!
! gpg: Good signature from
! gpg: WARNING: This key has been revoked by its owner!
! gpg: This could mean that the signature is forged.

Ludwig

From jnxx at posteo.net Sat Sep 3 20:37:40 2016
From: jnxx at posteo.net (jnxx at posteo.net)
Date: Sat, 3 Sep 2016 19:37:40 +0100
Subject: I think that's a false dichotomy (was: Attacks on encrypted communicxatiopn rising in Europe)
In-Reply-To: <1c22f206-8293-86f4-7aa6-48c33c494b17@sixdemonbag.org>
References: <57BCA5FD.50500@vulcan.xs4all.nl> <1c22f206-8293-86f4-7aa6-48c33c494b17@sixdemonbag.org>
Message-ID: <20160903193740.31c555da@mangold.snakenest.scot>

On Tue, 23 Aug 2016 22:26:17 -0400 "Robert J. Hansen" wrote:

>
> Some serious questions --
>
> 1. Are you a privacy absolutist?

Robert, I have a counter-question: Do you think that privacy is a
fundamental human right?

Also, it seems to me a bit that the discussion following up your post
partly confounds two rather different cases: Disabling private
communication for all citizens versus not investigating at all if
somebody is evidently committing serious crimes. I think this is a false
dichotomy.

Human rights are, in essence, unconditional. Take, for example, Article
3 of the Universal Declaration of Human Rights [1]: "Everyone has the
right to life, liberty and security of person.". I think this is pretty
clear. Of course, if somebody has committed a crime, he can end up in
prison, according to the laws. But before that, everyone has the right
to walk free.

Now take article 12: "No one shall be subjected to arbitrary
interference with his privacy, family, home or correspondence, nor to
attacks upon his honour and reputation. Everyone has the right to the
protection of the law against such interference or attacks."

I think this is pretty clear as well, and for me it is obvious that any
private digital communication fits the notion of "correspondence" in
that article.

Of course, if somebody is committing serious crimes, such as murdering
people or abusing children, he cannot protect his acts by these rights,
for the simple reason that he is already severely harming the rights of
others.

But the mere *possibility* that some people commit crimes does not form
a valid reason to strip all other human beings of their rights.

I am not sure what your position is ... Do you agree with this or not?

Also, I want to point to three further aspects which might help the
discussion:

First, if somebody is actually committing a crime such as child abuse or
murder, in this digital age he will not leave only traces but a
formidable broad dirt track of his activities. It is actually near
impossible to hide most activities completely. For example, it is rather
difficult to delete digital media completely from any normal computer.
For a targeted forensic investigation, almost always there will be
enough traces. Actually, we rather have the inverse problem, as existent
massive collections of data such as cellphone location data and its
combination and fusion with other data can easily be used in extremely
invasive ways. It would, for example, be pretty easy to construct a
database of politicians or influential business people which probably
pursue extramarital affairs from such data.

Second, I think it is urgently necessary to understand the right to
privacy as a collective protection, just in the same way as the right of
secrecy of the ballot. The reason is that privacy is part of the rights
that protect a balance of power between the majority of people and state
institutions. The right to privacy is important in the collective
sphere, as necessary to maintain collective freedom. What is currently
happening in Turkey illustrates, I think, the issue well enough. I even
think that much of the discussion about digital privacy will have less
effect on crime prosecution and is dominantly concerned about
negotiating the future of that power balance. (With many sides
involved... I think some parties might even resort to troll online
forums to influence opinions according to their interests).

Thirdly, I would like to point out that the declaration of human rights
has a historical context, in that it was intended as a defense against
totalitarianism. I think it is a clear alarm signal if these rights are
questioned.

Johannes

[1] http://www.un.org/en/universal-declaration-human-rights/index.html

From rjh at sixdemonbag.org Sun Sep 4 03:05:28 2016
From: rjh at sixdemonbag.org (Robert J.
 Hansen)
Date: Sat, 3 Sep 2016 21:05:28 -0400
Subject: I think that's a false dichotomy
In-Reply-To: <20160903193740.31c555da@mangold.snakenest.scot>
References: <57BCA5FD.50500@vulcan.xs4all.nl> <1c22f206-8293-86f4-7aa6-48c33c494b17@sixdemonbag.org> <20160903193740.31c555da@mangold.snakenest.scot>
Message-ID:

> Do you think that privacy is a fundamental human right?

What does it mean for something to be a "fundamental" human right? If
the question is meaningful, then there must be human rights that are
*not* fundamental. So, what's a fundamental human right, and how is it
different from a normal human right?

Of course I believe privacy is a human right -- but I have no idea what
a "fundamental" human right is.

> Also, it seems to me a bit that the discussion following up your post
> partly confounds two rather different cases...

That was not a discussion I participated in, and not one I'm interested
in commenting on.

> Human rights are, in essence, unconditional.

All rights exist in a constant balancing act with the equal rights of
others. The question of, "so where do we strike the balance, and why?"
is one of the central animating questions of democracy. There is nothing
unconditional in that balancing act. It's highly conditional.

> But the mere *possibility* that some people commit crimes does not
> form a valid reason to strip all other human beings of their rights.

Nonsense. I own a rifle. With that rifle, I can deprive you of your
right to live. But so long as I keep the rifle in the closet and use it
according to law, you haven't been deprived of anything. Likewise,
you're conflating the possibility of the authorities having ways to
subvert the privacy of innocent people with them actually doing so.

Now, of course I don't want the civil authorities to have
legislatively-mandated back doors into every system. I don't think
that's an appropriate solution.
But I do believe the civil authorities need appropriate mechanisms to
pursue their lawful ends (and effective oversight systems to ensure
they're being used lawfully).

> First, if somebody is actually committing a crime such as child abuse
> or murder, in this digital age he will not leave only traces but a
> formidable broad dirt track of his activities.

I'm transitioning out of my job, where for the last eight years I've
been doing research and development into digital forensics, mostly for
government customers. After eight years I reached the point where I
began to think that every adult male should just have his clothes
surgically attached, and at that point it's time to move on to the next
challenge.

I wish you were right. I really, honestly, truly do. But you're not.
Quite often, we're stuck literally *watching kids get exploited* and
there's nothing we can do about it except wait for the exploiter to make
a mistake.

The amateurs are easy to catch. But there are some genuinely crafty
people in this world, and they practice astonishingly good operational
security.

> It is actually near impossible to hide most activities completely.
> For example, it is rather difficult to delete digital media
> completely from any normal computer. For a targeted forensic
> investigation, almost always there will be enough traces.

"Crack the hard drive in a clean room and go over it with an atomic
force microscope" is the kind of glib nonsense that gets bandied about
by people who have never struggled to get into a bunny suit (they never
have one in my size) or freaked out upon seeing the chemicals that get
used in the process (when you notice you're in the same room as a tank
of chlorine trifluoride, you begin thinking about a new career).

From peter at digitalbrains.com Sun Sep 4 13:19:04 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Sun, 4 Sep 2016 13:19:04 +0200 Subject: I think that's a false dichotomy In-Reply-To: References: <57BCA5FD.50500@vulcan.xs4all.nl> <1c22f206-8293-86f4-7aa6-48c33c494b17@sixdemonbag.org> <20160903193740.31c555da@mangold.snakenest.scot> Message-ID: <2fea892c-c4ce-fe87-7ec5-fa034a9561d0@digitalbrains.com> On 04/09/16 03:05, Robert J. Hansen wrote: > I'm transitioning out of my job, where for the last eight years I've > been doing research and development into digital forensics, mostly for > government customers. After eight years I reached the point where I > began to think that every adult male should just have his clothes > surgically attached, and at that point it's time to move on to the next > challenge. And, with all due respect, for that reason I think policy should not be determined by people who have been exposed to a very unbalanced amount of horrible people. Constantly being confronted by the worst scum of the gutter skews your view of human behaviour. The same goes for police. Constantly dealing with people who have broken the law corrupts how you think the majority of people behaves. It's only natural. Safety and liberty can't both be maximized, it's a trade-off. At the edges of the spectrum, there are some truly horrendous violations of safety, that in a just world definitely should not have happened. There truly is no excuse, and liberty is not an excuse either. But I still think we should strive for that liberty. Please note, Robert, that I'm not saying you are not striving for liberty. I see how you argue against weakening encryption in general, and I applaud you for keeping your back straight despite all the horror you've seen. My 2 cents, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. 
My key is available at From rjh at sixdemonbag.org Sun Sep 4 16:35:19 2016 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sun, 4 Sep 2016 10:35:19 -0400 Subject: I think that's a false dichotomy In-Reply-To: <2fea892c-c4ce-fe87-7ec5-fa034a9561d0@digitalbrains.com> References: <57BCA5FD.50500@vulcan.xs4all.nl> <1c22f206-8293-86f4-7aa6-48c33c494b17@sixdemonbag.org> <20160903193740.31c555da@mangold.snakenest.scot> <2fea892c-c4ce-fe87-7ec5-fa034a9561d0@digitalbrains.com> Message-ID: <388a2755-ffb9-6076-b594-d03e95e8df4c@sixdemonbag.org> > And, with all due respect, for that reason I think policy should not be > determined by people who have been exposed to a very unbalanced amount of > horrible people. Constantly being confronted by the worst scum of the gutter > skews your view of human behaviour. There are two ways to interpret this, Peter, one which I think you intended and one which people might infer you meant. So I both don't disagree, and I vehemently disagree. :) Yes, it would be a mistake for policy to be determined by those who've been down in the mud with this crap. It would be deeply antidemocratic, in fact. This decision belongs to the people, not to an extremely small subset of the people with a (perhaps-understandably) skewed worldview. But that doesn't mean policy shouldn't be *informed* by our experiences. Laws that are made without consultation with the people who ultimately have to live under those laws (whether being subjected to them, or being made to enforce them) tend to be either ineffective, draconian, or both. > Safety and liberty can't both be maximized, it's a trade-off. True and false. It's not necessarily a zero-sum game. There are some enhancements in liberty that also lead to enhancements in safety. I personally think we do ourselves a disservice when we think of it as a zero-sum game. I think we should be working as hard as we can to enhance both simultaneously. 
From peter at digitalbrains.com Sun Sep 4 18:32:28 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Sun, 4 Sep 2016 18:32:28 +0200 Subject: I think that's a false dichotomy In-Reply-To: <388a2755-ffb9-6076-b594-d03e95e8df4c@sixdemonbag.org> References: <57BCA5FD.50500@vulcan.xs4all.nl> <1c22f206-8293-86f4-7aa6-48c33c494b17@sixdemonbag.org> <20160903193740.31c555da@mangold.snakenest.scot> <2fea892c-c4ce-fe87-7ec5-fa034a9561d0@digitalbrains.com> <388a2755-ffb9-6076-b594-d03e95e8df4c@sixdemonbag.org> Message-ID: On 04/09/16 16:35, Robert J. Hansen wrote: > Yes, it would be a mistake for policy to be determined by those who've been > down in the mud with this crap. It would be deeply antidemocratic, in fact. > This decision belongs to the people, not to an extremely small subset of the > people with a (perhaps-understandably) skewed worldview. We (at least I) live in a representative democracy. All these decisions *are* taken by an extremely small subset of the people (i.e., politicians). It is just hoped that they do this in a way that is representative of what the society as a whole wants; yet again without the tiranny of the majority. Reality is a *lot* more complicated than "the decision belongs to the people". > But that doesn't mean policy shouldn't be *informed* by our experiences. Very true. But those experiences should be viewed in a proper light. Over here, police is knowingly ignoring privacy laws because it "is so effective". That's what I mean when I say this shouldn't be left to the people enforcing the law and doing the detective work. (What I'm specifically referring to here: Automatic traffic cameras record all licence plates that pass the camera. The purpose is to monitor for "flagged" licence plates and report when one of those passes the camera. However, all recognized licence plates are stored in a database for I believe several months. That way, you can retroactively consult whether somebody passed that camera. 
This storage is not lawful, but police insist on doing it). > True and false. It's not necessarily a zero-sum game. I didn't say it was a zero-sum game. I merely asserted that they can't both be maximized. Sometimes they can both be increased, but the amount of liberty I desire for this society definitely does cost you in safety. People could get abducted. Suppose you can at all times see where everyone is, through technological means (GPS+GSM tracking), and you also have cameras viewing all streets in every city and a warning system detecting suspicious movement on the cameras. It would be very, very, very difficult to abduct someone in a city by dragging them into a car and disappear from the radar. Yet I fervently hope this will not become reality. I'd rather run the risk of being abducted. I'd also grudgingly rather have children run this risk. You can actually buy GPS-trackers for your children. I don't have any children myself, but I would maybe use this until the child is, let's say, five years old and then stop using the device. At some point a child deserves its privacy, and I think parents shouldn't want to track their child in this way. You still want to know at all times where your child *is* until they are quite a lot older. I'm convinced of that. But not by tagging them with GPS. Just in the same way we've done it all this time before GPS and mobile telephony existed. > I personally think we do ourselves a disservice when we think of it as a > zero-sum game. I think we should be working as hard as we can to enhance > both simultaneously. I think it should not be viewed as a zero-sum game, but I do believe some safety, and some forms of safety, needs to be lost in order to have liberty increase. Or things left as they are for liberty, even though it costs us some safety. If you can find a way to increase both, that's great. But sometimes one or the other needs to prevail. 
Some forms of liberty are not worth the risk, and some forms of safety are stifling. Life is risky. Life is also unfair. Not all of this is fixable. We should strive to do so, but not at any cost. Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From rjh at sixdemonbag.org Sun Sep 4 19:58:53 2016 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sun, 4 Sep 2016 13:58:53 -0400 Subject: I think that's a false dichotomy In-Reply-To: References: <57BCA5FD.50500@vulcan.xs4all.nl> <1c22f206-8293-86f4-7aa6-48c33c494b17@sixdemonbag.org> <20160903193740.31c555da@mangold.snakenest.scot> <2fea892c-c4ce-fe87-7ec5-fa034a9561d0@digitalbrains.com> <388a2755-ffb9-6076-b594-d03e95e8df4c@sixdemonbag.org> Message-ID: <59b38b35-d488-fb85-e88f-ad4b20b10b54@sixdemonbag.org> > Reality is a *lot* > more complicated than "the decision belongs to the people". Yes, democracy is a mess. But "it belongs to the people" is a lot more convenient than listing the complex, convoluted, and sometimes corrupt machinery of government. :) > Over here, police is knowingly ignoring privacy laws because it "is so > effective". That's what I mean when I say this shouldn't be left to the people > enforcing the law and doing the detective work. I'd take this as evidence to support a claim that policy should also be informed by the reasonable fears of privacy activists. :) From johanw at vulcan.xs4all.nl Sun Sep 4 21:07:25 2016 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Sun, 04 Sep 2016 21:07:25 +0200 Subject: I think that's a false dichotomy In-Reply-To: References: <57BCA5FD.50500@vulcan.xs4all.nl> <1c22f206-8293-86f4-7aa6-48c33c494b17@sixdemonbag.org> <20160903193740.31c555da@mangold.snakenest.scot> Message-ID: <57CC70ED.2060708@vulcan.xs4all.nl> On 04-09-2016 3:05, Robert J. 
Hansen wrote: > Now, of course I don't want the civil authorities to have > legislatively-mandated back doors into every system. I don't think > that's an appropriate solution. But I do believe the civil authorities > need appropriate mechanisms to pursue their lawful ends (and effective > oversight systems to ensure they're being used lawfully). In case of decent encryption, a backdoor is the only way to achieve that. If the police stands at my door with a warrant, I have the right to deny them entrance. However, if I do they will kick my door. They can confiscate my encrypted files too, but without my help they can't get in. Same situation, different outcome. > I'm transitioning out of my job, where for the last eight years I've > been doing research and development into digital forensics, mostly for > government customers. Do I smell a little bit of a Stockholm syndrome here? > The amateurs are easy to catch. But there are some genuinely crafty > people in this world, and they practice astonishingly good operational > security. You have to accept that some crimes will go unpunished. In a nice democracy even more than in a totalitarian dictatorship. In The Netherlands, the lowest rate of crime was in the days during the German occupation in WW2. Not only was there less to steal to begin with, but the repression on lawbreakers was very severe. I prefer to have some crimes unpunished above living in a totalitarian dictatorship. Even if it are very serious crimes. -- ir. J.C.A. Wevers PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From rjh at sixdemonbag.org Mon Sep 5 00:45:39 2016 From: rjh at sixdemonbag.org (Robert J. 
Hansen) Date: Sun, 4 Sep 2016 18:45:39 -0400 Subject: I think that's a false dichotomy In-Reply-To: <57CC70ED.2060708@vulcan.xs4all.nl> References: <57BCA5FD.50500@vulcan.xs4all.nl> <1c22f206-8293-86f4-7aa6-48c33c494b17@sixdemonbag.org> <20160903193740.31c555da@mangold.snakenest.scot> <57CC70ED.2060708@vulcan.xs4all.nl> Message-ID: > Do I smell a little bit of a Stockholm syndrome here? The Stockholm syndrome is half-pop science and half-real. It stems from a hostage situation in Stockholm where many of the hostages emotionally bonded with their captors, and vice-versa, to the point where they sympathized with each other. Many of the hostages visited their captors in prison in later years. We see it in abused children, too -- kids have been known to commit perjury in court in order to protect the parent they love, the parent who has been abusing them. It's incredibly sad when that happens: not only is the kid a victim of abuse, but now the kid feels guilty for not being able to protect Mom or Dad. Colloquially, it means sympathy for the devil. It means you're empathizing with the people you're opposed to. So what you've just done is accused me of emotionally bonding with some of the worst evil in humanity. Maybe you meant exactly what you said. Maybe it was just an extraordinary act of foolishness. I don't much care. Goodbye. You've been added to my killfile. We won't be speaking again. From ochominutosdearco at gmail.com Sun Sep 4 23:05:45 2016 From: ochominutosdearco at gmail.com (=?ISO-8859-1?Q?Ren=E9_M=E9rou?=) Date: Sun, 04 Sep 2016 23:05:45 +0200 Subject: I think that's a false dichotomy In-Reply-To: References: <57BCA5FD.50500@vulcan.xs4all.nl> <20160903193740.31c555da@mangold.snakenest.scot> Message-ID: <23020415.yXPo0hm5BA@libereso> On dissabte, 3 de setembre de 2016 21:05:28 CEST Robert J. Hansen wrote: > > Do you think that privacy is a fundamental human right? > > What does it mean for something to be a "fundamental" human right? 
> If the question is meaningful, then there must be human rights that are
> *not* fundamental. So, what's a fundamental human right, and how is it
> different from a normal human right?
>
> Of course I believe privacy is a human right -- but I have no idea what
> a "fundamental" human right is.

This is one of the keys of this matter.

https://en.wikipedia.org/wiki/Fundamental_rights

Pretending to argue on something not knowing the basics just because you have your delightful brilliant common sense is ... very common but not so useful. And it represents an open interstellar gate to trolls.

They do not need sight, knowledge or logical arguing, they just need to provoke. No quality needed there.

The more quality you give in a writing, the more interesting and useful it becomes.

regards

--
Jean-René Mérou

From alec at alec.pl Mon Sep 5 12:43:30 2016
From: alec at alec.pl (A.L.E.C)
Date: Mon, 5 Sep 2016 12:43:30 +0200
Subject: Key import issues
Message-ID: <25822097-6d0e-57e5-7f86-9af3c40f2b97@alec.pl>

A few users have (different) problems with importing secret keys generated by OpenPGP.js. For me it works. Could anyone explain why gpg exits with code 2 and what exactly these errors mean?

(gnupg 2.0.28 in this case)
ERROR: gpg: key FF0A6901: secret key imported
ERROR: gpg: assuming bad signature from key FF0A6901 due to an unknown critical bit
ERROR: gpg: key FF0A6901: no valid user IDs
ERROR: gpg: this may be caused by a missing self-signature
ERROR: gpg: Total number processed: 1
ERROR: gpg: w/o user IDs: 1
ERROR: gpg: secret keys read: 1
ERROR: gpg: secret keys imported: 1
STATUS: IMPORT_OK 17 91FABCEE268FE9727BC116A43F4D44C4FF0A6901
STATUS: IMPORT_RES 1 1 0 0 0 0 0 0 0 1 1 0 0 0

(gnupg 2.0.29 for this case)
ERROR: gpg: key 0D20E76A: secret key imported
ERROR: gpg: key 0D20E76A was created 31 seconds in the future (time warp or clock problem)
ERROR: gpg: key 0D20E76A: no valid user IDs
ERROR: gpg: this may be caused by a missing self-signature
ERROR: gpg: Total number processed: 1
ERROR: gpg: w/o user IDs: 1
ERROR: gpg: secret keys read: 1
ERROR: gpg: secret keys imported: 1
STATUS: IMPORT_OK 17 3DDABF41C0AA422971DA1258C47F2A380D20E76A
STATUS: IMPORT_RES 1 1 0 0 0 0 0 0 0 1 1 0 0 0

--
Aleksander 'A.L.E.C' Machniak
Kolab Groupware Developer [http://kolab.org]
Roundcube Webmail Developer [http://roundcube.net]
----------------------------------------------------
PGP: 19359DC1 # Blog: https://kolabian.wordpress.com

From johanw at vulcan.xs4all.nl Mon Sep 5 17:46:27 2016
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Mon, 05 Sep 2016 17:46:27 +0200
Subject: I think that's a false dichotomy
In-Reply-To:
References: <57BCA5FD.50500@vulcan.xs4all.nl> <1c22f206-8293-86f4-7aa6-48c33c494b17@sixdemonbag.org> <20160903193740.31c555da@mangold.snakenest.scot> <57CC70ED.2060708@vulcan.xs4all.nl>
Message-ID: <57CD9353.4060706@vulcan.xs4all.nl>

On 05-09-2016 0:45, Robert J. Hansen wrote:

>> Do I smell a little bit of a Stockholm syndrome here?
>
> The Stockholm syndrome is half-pop science and half-real.

I know what it is.
You have obviously worked too much with those forces in law enforcement that prefer that citizens can't keep any secrets from them, and you are beginning to sympathise with them.

> So what you've just done
> is accused me of emotionally bonding with some of the worst evil in
> humanity.

I'm not _that_ fond of the police, but I would not yet call them "some of the worst evil in humanity".

> You've been added to my killfile. We won't be speaking again.

Long toes, eh? Fine with me, bye.

--
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From dkg at fifthhorseman.net Tue Sep 6 05:17:27 2016
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Mon, 05 Sep 2016 23:17:27 -0400
Subject: Key import issues
In-Reply-To: <25822097-6d0e-57e5-7f86-9af3c40f2b97@alec.pl>
References: <25822097-6d0e-57e5-7f86-9af3c40f2b97@alec.pl>
Message-ID: <8760q990oo.fsf@alice.fifthhorseman.net>

On Mon 2016-09-05 06:43:30 -0400, A.L.E.C wrote:
> A few users have (different) problems with importing secret keys
> generated by OpenPGP.js. For me it works. Could anyone explain why gpg
> exits with code 2 and what exactly these errors mean?
>
> (gnupg 2.0.28 in this case)
> ERROR: gpg: key FF0A6901: secret key imported
> ERROR: gpg: assuming bad signature from key FF0A6901 due to an unknown
> critical bit
> ERROR: gpg: key FF0A6901: no valid user IDs
> ERROR: gpg: this may be caused by a missing self-signature
> ERROR: gpg: Total number processed: 1
> ERROR: gpg: w/o user IDs: 1
> ERROR: gpg: secret keys read: 1
> ERROR: gpg: secret keys imported: 1
> STATUS: IMPORT_OK 17 91FABCEE268FE9727BC116A43F4D44C4FF0A6901
> STATUS: IMPORT_RES 1 1 0 0 0 0 0 0 0 1 1 0 0 0

this sounds like an OpenPGP public key whose self-signature contains either a subpacket with type in range 128-255:

[0] https://tools.ietf.org/html/rfc4880#page-26

this implies that the subpacket is critical.

> (gnupg 2.0.29 for this case)
> ERROR: gpg: key 0D20E76A: secret key imported
> ERROR: gpg: key 0D20E76A was created 31 seconds in the future (time warp
> or clock problem)
> ERROR: gpg: key 0D20E76A: no valid user IDs
> ERROR: gpg: this may be caused by a missing self-signature
> ERROR: gpg: Total number processed: 1
> ERROR: gpg: w/o user IDs: 1
> ERROR: gpg: secret keys read: 1
> ERROR: gpg: secret keys imported: 1
> STATUS: IMPORT_OK 17 3DDABF41C0AA422971DA1258C47F2A380D20E76A
> STATUS: IMPORT_RES 1 1 0 0 0 0 0 0 0 1 1 0 0 0

This sounds exactly like what it says. Barring malice, the most likely cause is clock skew between the machine that generated the key and the machine that is consuming the key.

It would be great to see the specific OpenPGP public certificates, and a description of how they were generated.

Regards,

--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 930 bytes
Desc: not available
URL:

From mike at confidantmail.org Tue Sep 6 06:43:13 2016
From: mike at confidantmail.org (Mike Ingle)
Date: Mon, 05 Sep 2016 21:43:13 -0700
Subject: How to detect patched versus bugged gpg binary
Message-ID: <57CE4961.4000502@confidantmail.org>

Question about GPG versions:

Due to CVE-2016-6313, I put out a new version of Confidant Mail where the Windows and Mac binaries include GPG 1.4.21. I also put in a pop-up dialog to warn if someone uses it with a pre-1.4.21 version of GPG.

However, Debian and Tails 2.6rc1 have patched 1.4.18 instead of using 1.4.21, and gpg --version does not show the patch level.

Is there any call to gpg that will display the Debian patch level and tell me if the version I'm using is fixed or not? If not, I'm either going to have to remove the pop-up warning, or rely on calling dpkg to ask the version.

Thanks,
Mike
https://www.confidantmail.org

From karol at babioch.de Tue Sep 6 09:17:41 2016
From: karol at babioch.de (Karol Babioch)
Date: Tue, 6 Sep 2016 09:17:41 +0200
Subject: How to detect patched versus bugged gpg binary
In-Reply-To: <57CE4961.4000502@confidantmail.org>
References: <57CE4961.4000502@confidantmail.org>
Message-ID:

Hi,

On 06.09.2016 at 06:43, Mike Ingle wrote:
> or rely on calling dpkg to ask the version.

Yes, I'm afraid that is the only feasible way - at least to my knowledge.

You could also check some hashes. However dpkg (AFAIK) does not offer a "--verify" option, so you have to do it on your own. Apparently some checksums are also stored in /var/lib/dpkg/info/.md5sums, but probably not all. Furthermore there is a debsums package [1].

First of all you obviously need to browse the package sources and try to find out which version(s) have a particular patch already applied.

Best regards,
Karol Babioch

[1]: https://serverfault.com/questions/322518/can-dpkg-verify-files-from-an-installed-package

P.S.: My personal opinion: The whole Debian approach is a mess. Rather than contributing upstream and trying to improve the code there, they are making Frankenstein builds that were never intended in this way by the upstream projects. Nobody knows which patches they do and do not backport and in general Debian packages are massively outdated.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL:

From beckus at beckus.eu Wed Sep 7 22:20:42 2016
From: beckus at beckus.eu (Christopher Beck)
Date: Wed, 07 Sep 2016 22:20:42 +0200
Subject: Key Discovery Made Simple
In-Reply-To: <874m625njg.fsf@wheatstone.g10code.de>
References: <874m625njg.fsf@wheatstone.g10code.de>
Message-ID: <2554856.hWQQWDzbnA@maxwell>

Hi,

just a (maybe) stupid question: the matching key to my recipient can be fetched by keyservers and I determine the correct key of all of the (sometimes "wrong") keys by validating the signatures according to the WoT.

So, what's the benefit of this new key service? It sounds much more complicated (and untrustworthy) than just using the WoT.

Confused Greetings
Beckus

On Tuesday, 30 August 2016 16:39:15 CEST Werner Koch wrote:
> Hi,
>
> I just published a writeup on how to setup the Web Key Service at
> https://gnupg.org/blog/20160830-web-key-service.html
>
> A plain text copy is below. If you have comments, please send them as
> reply.
>
>
> Salam-Shalom,
>
> Werner
>
> ============================================
> Table of Contents
> _________________
>
> 1 Key Discovery Made Simple
> .. 1.1 Install GnuPG 2.1
> .. 1.2 Prepare the mail and web servers
> .. 1.3 Create submission key
> .. 1.4 Install the WKS server tool
> .. 1.5 Test your installation
> .. 1.6 Future work
>
>
>
> 1 Key Discovery Made Simple
> ===========================
>
> A major hassle with sending encrypted mails is to find the key
> matching the recipient's mail address. A naïve method is to look for
> the key at a keyserver. In most cases this works surprisingly well.
> However, there is no guarantee that this key really matches the mail
> address --- anyone can create a key and put an arbitrary mail address
> there. It is quite disturbing to receive a mail which you can't
> decrypt because it was encrypted to another key.
>
> GnuPG 2.1 provides a simple but efficient solution to store a key
> under a well known URL and look it up via https. For practical
> deployment of this method (as well as for OpenPGP DANE) a method of
> publishing a key is required. The new [Web Key Service] protocol is such
> a protocol and GnuPG 2.1.15 comes with the tools to implement this.
> Aside from GnuPG the other pre-requisites are:
>
> - A mail server for your domain with the full authority on the user
> mail addresses for this domain.
>
> - A Unix system where you have an account to receive mails to a
> dedicated mail address and to send mails via the sendmail tool. An
> account on the mail server will be the best choice.
>
> - A web server for the same domain to deliver static pages over TLS.
> Re-direction to a different server is possible.
>
> - The ability to install the latest GnuPG version from source.
>
> Here is a first step by step description on how to install and test
> that service.
>
>
> [Web Key Service]
> https://tools.ietf.org/id/draft-koch-openpgp-webkey-service-01.html
>
>
> 1.1 Install GnuPG 2.1
> ~~~~~~~~~~~~~~~~~~~~~
>
> Your system will already have a gpg version but we want the very
> latest one and we want to install it locally.
>
> First you should create a new account on the machine. Let's use
> `webkey'. Nothing special is required; thus a simple
>
> ,----
> | # adduser --disabled-password webkey
> `----
>
> as root will do. Add an `.ssh/authorized_keys' file to make it easy
> to access. Now download GnuPG (as of this writing version 2.1.15):
>
> ,----
> | $ cd ~webkey
> | $ wget ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.15.tar.bz2
> | $ wget ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.15.tar.bz2.sig
> | $ wget -O - https://gnupg.org/signature_key.html | gpg --import
> | $ gpg --verify gnupg-2.1.15.tar.bz2.sig gnupg-2.1.15.tar.bz2
> `----
>
> The last line uses the standard gpg to check the integrity of the
> tarball.
> Then please verify that the displayed fingerprints match the
> desired ones; see [https://gnupg.org/download/integrity_check.html]
> for more on this.
>
> The easiest way to install the latest GnuPG version is to use Speedo,
> which downloads, verifies and builds all dependent packages. To do
> this first unpack the tarball:
>
> ,----
> | $ tar xjf gnupg-2.1.15.tar.bz2
> `----
>
> On non-GNU systems you may need to use this instead:
>
> ,----
> | $ bzcat gnupg-2.1.15.tar.bz2 | tar xf -
> `----
>
> Then run:
>
> ,----
> | $ make -f ~/b-w32/speedo/gnupg-2.1.15/build-aux/speedo.mk \
> |     INSTALL_PREFIX=. speedo_pkg_gnupg_configure='--enable-gpg2-is-gpg \
> |     --disable-g13 --enable-wks-tools' native
> `----
>
> If you run into errors you are probably missing some development
> tools; install them and try again. If all succeeds you will notice a
> bunch of new directories below webkey's home directory:
>
> ,----
> | PLAY bin include lib libexec sbin share swdb.lst swdb.lst.sig
> `----
>
> Optionally you may delete what is no longer required:
>
> ,----
> | $ rm -rf PLAY include lib swdb.*
> `----
>
> To make use of your new GnuPG installation you need to run this first
> (you should add it to webkey's .profile or .bashrc):
>
> ,----
> | PATH="$HOME/bin:$PATH"
> | LD_LIBRARY_PATH="$(pwd)/lib"
> | export LD_LIBRARY_PATH
> `----
>
>
> 1.2 Prepare the mail and web servers
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> The Web Key Service requires a working directory to store keys pending
> for publication. As root create a working directory:
>
> ,----
> | # mkdir /var/lib/gnupg/wks
> | # chown webkey:webkey /var/lib/gnupg/wks
> | # chmod 2750 /var/lib/gnupg/wks
> `----
>
> Then under your webkey account create directories for all your
> domains.
> Here we do it for "example.org":
>
> ,----
> | $ mkdir /var/lib/gnupg/wks/example.org
> `----
>
> Then run
>
> ,----
> | $ gpg-wks-server --list-domains
> `----
>
> to create the required sub-directories with the permission set
> correctly. In particular the `hu' directory ("hashed-userid") to
> store pending keys must only be accessible by the webkey user.
> Running the above command will also remind you to create a file with
> the submission address for the domain. Let's do that:
>
> ,----
> | $ cd /var/lib/gnupg/wks/example.org
> | $ echo key-submission at example.org >submission-address
> `----
>
> The submission address is the address the client uses to contact the
> Web Key Service. To make this actually work, that address needs to be
> redirected to the webkey user; use the alias file of your MTA to do
> this.
>
> To setup the web server there are at least two ways: If the web server
> is on the same machine it is possible to use symlinks to publish the
> working directories. For example:
>
> ,----
> | $ cd /var/www/example.org/htdocs
> | $ mkdir -p .well-known/openpgpkey
> | $ cd .well-known/openpgpkey
> | $ ln -s /var/lib/gnupg/wks/example.org/hu .
> | $ ln -s /var/lib/gnupg/wks/example.org/submission-address .
> `----
>
> The more flexible way is the use of rsync optionally using an ssh
> connection to a remote web server. This can be done with a cron job;
> run `crontab -e' and add this line (the backslashes below are used to
> indicate line wrapping here; do not enter them into the crontab but
> use a single long line):
>
> ,----
> | */4 * * * * rsync -r -p --chmod=Fa+r --delete \
> |     /var/lib/gnupg/wks/example.org/hu/ \
> |     webserver:/var/www/all/example.org/.well-known/openpgpkey/hu/
> `----
>
> This job syncs every 4 minutes the local copy of the published keys to
> the server. The submission-address file does not change and thus it
> is sufficient to copy it once by hand to the server.
>
>
> 1.3 Create submission key
> ~~~~~~~~~~~~~~~~~~~~~~~~~
>
> The protocol suggests that the key to be published is sent with an
> encrypted mail to the service. Thus you need to create a key for the
> submission address:
>
> ,----
> | $ gpg --batch --passphrase '' --quick-gen-key key-submission at example.org
> | $ gpg --with-wkd-hash -K key-submission at example.org
> `----
>
> The output of the last command looks similar to this:
>
> ,----
> | sec   rsa2048 2016-08-30 [SC]
> |       C0FCF8642D830C53246211400346653590B3795B
> | uid           [ultimate] key-submission at example.org
> |               bxzcxpxk8h87z1k7bzk86xn5aj47intu at example.org
> | ssb   rsa2048 2016-08-30 [E]
> `----
>
> Take the hash of the string "key-submission", which is
> `bxzcxpxk8h87z1k7bzk86xn5aj47intu' and manually publish that key:
>
> ,----
> | $ gpg --export-options export-minimal \
> |     -o /var/lib/gnupg/wks/example.org/hu/bxzcxpxk8h87z1k7bzk86xn5aj47intu \
> |     --export key-submission at example.org
> `----
>
> Make sure that the created file is world readable. We will eventually
> provide a tool to make that step easier.
>
>
> 1.4 Install the WKS server tool
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> The tool gpg-wks-server implements the server part of the web key
> service protocol. There are several ways to install this tool, what I
> describe here is a setup which allows easy debugging.
>
> First install procmail and make sure that your MTA (Exim, Postfix,
> sendmail) can run procmail as delivery agent. In most cases it is
> sufficient to create the file `.procmailrc' in the home directory
> (e.g. `/home/webkey/.procmailrc'). Here is that file; you need to
> replace "example.org"
> by your own domain name:
>
> ,----
> | PATH=$HOME/bin:/usr/bin:/bin:/usr/local/bin
> | LD_LIBRARY_PATH=$HOME/lib
> |
> | MAILDIR=$HOME/Mail
> | LOGFILE=$HOME/Mail/from
> | LOCKFILE=$HOME/Mail/.lockmail
> | VERBOSE=yes
> |
> | :0
> | * ^FROM_DAEMON
> | from-daemon/
> |
> | :0 c
> | archive/
> |
> | :0
> | * !^From: webkey at example.org
> | * !^X-WKS-Loop: webkey.example.org
> | |$HOME/bin/gpg-wks-server -v --receive \
> |     --header X-WKS-Loop=webkey.example.org \
> |     --from webkey at example.org --send -o $HOME/send.log
> |
> | :0
> | cruft/
> `----
>
> What it does: The first 6 lines set environment variables for use by
> this tool and programs invoked. In particular the setting of `PATH'
> and `LD_LIBRARY_PATH' is important so that gpg-wks-server can properly
> work.
>
> The first rule (rules are started with a colon line) detects mails
> sent from daemon processes. We don't want them and thus we save them
> to the Maildir style folder `Mail/from-daemon' for later inspection.
> For a production system it would be better to directly send those
> mails to the bit bucket by replacing the last line of that rule with
> `/dev/null'.
>
> The second rule stores a copy of all incoming mails to the folder
> `Mail/archive'. This is useful for debugging and to view the flow of
> mails. The 'c' after the ':0' means continue with the next rule after
> having processed this rule (i.e. storing to the archive folder). By
> the way, do not forget the trailing slash at folder names; without a
> slash a plain mbox style would be written (you can use an mbox too,
> but Maildir is considered a better way to store mails).
>
> The third rule is the heart of this procmail script (in procmail
> parlance "recipe"). The two lines starting with an asterisk give two
> conditions on when this rule shall be skipped: If the mail comes from
> us or if the mail has our loop detection mail header.
> The command run on this mail is the wks server in a mode which uses the
> /usr/lib/sendmail tool for sending responses to the mail. The output
> of the tool is stored to the file `send.log' in the home directory; to
> append to a log file use `-o -' and redirect to a log file.
>
> The final rule stores all not processed mails to the `cruft/' folder.
> This can as well be replaced by `/dev/null'.
>
> Finally add an entry to your crontab (run `crontab -e') to expire non
> confirmed publication requests: At the top of your crontab add:
>
> ,----
> | PATH=/home/webkey/bin:/usr/local/bin:/usr/bin:/bin
> | LD_LIBRARY_PATH=/home/webkey/lib
> |
> | 42 3 * * * gpg-wks-server --cron
> `----
>
> so that the server tool is run each night at, say, 3:42.
>
>
> 1.5 Test your installation
> ~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> To test the Web Key Service, you can create some test accounts for
> your domain and run the protocol. For a proper test, do not just use
> a different account on the server but use a client box.
>
> Developers of [KMail] should already be able to use its brand new
> builtin support for the Web Key Service.
>
> Integration of the Web Key Service into the other mail clients has not
> yet been done. Thus you need to run the test manually. In this
> example we assume that on your own box a sendmail like tool is
> installed and you also installed GnuPG 2.1 along with the client part
> of Web Key Service (gpg-wks-client which may require that you pass
> --enable-wks-tools to the configure run).
>
> An easy way of testing the system exists for [Mutt] users: By adding
> the two lines
>
> ,----
> | application/vnd.gnupg.wks; /usr/local/bin/gpg-wks-client \
> |   -v --read --send; needsterminal; description=WKS message
> `----
>
> to `/etc/mailcap' Mutt will do the decryption job and then call the
> wks-client for the protocol handling. It can be expected that Mutt
> users have a /usr/lib/sendmail installed which is required here.
> Note that `--read' is used which tells the client that the input mail has
> already been decrypted.
>
> For all others the protocol can be run by hand. Let's assume, you
> have the key
>
> ,----
> | sub   cv25519 2016-07-15 [E]
> |       C444189BD549468C97992D7D3C79E8F960C69FCE
> | pub   ed25519 2016-06-28 [SC]
> |       64944BC035493D929EF2A2B9D19D22B06EE78668
> | uid           [ultimate] dewey at test.gnupg.org
> | sub   cv25519 2016-06-28 [E]
> |       B3746B6927FF8021486561D83452DE414E0B5CCD
> `----
>
> which in fact is a real key of our own test environment. To publish
> that key you send the key to the mail provider:
>
> ,----
> | $ /usr/local/libexec/gpg-wks-client --create --send \
> | >   64944BC035493D929EF2A2B9D19D22B06EE78668 dewey at test.gnupg.org
> `----
>
>
> As already mentioned, `--send' invokes `/usr/lib/sendmail' and sends out
> the mail. If that option is not used, the mail is written to stdout
> (or to the file given with `--output') and the user is responsible to
> feed this to the mail system. If this all works a single message will
> be shown:
>
> ,----
> | gpg-wks-client: submitting request to 'key-submission at test.gnupg.org'
> `----
>
> Now, wait until you receive a mail back from your provider. In this
> example that mail was received and stored in the file
> `new/1472561079.6352_1.foobar'. We feed this file to the wks-client:
>
> ,----
> | $ /usr/local/libexec/gpg-wks-client --receive --send \
> | >   < new/1472561079.6352_1.foobar
> `----
>
> which may respond like this:
>
> ,----
> | gpg-wks-client: gpg: encrypted with 256-bit ECDH key, ID 3452DE414E[...]
> | gpg-wks-client: gpg: "dewey at test.gnupg.org"
> | gpg-wks-client: new 'application/vnd.gnupg.wks' message part
> | gpg-wks-client: gpg: automatically retrieved 'key-submission at test.g[...]
> `----
>
> and has sent the confirmation mail back to the provider. Over there
> the confirmation mail is matched to the pending key database and the
> key is then published.
>
> To check that the key has been published, use this:
>
> ,----
> | $ gpg -v --auto-key-locate=clear,wkd,local --locate-key dewey at test.gnupg.org
> `----
>
> you should see:
>
> ,----
> | gpg: pub ed25519/D19D22B06EE78668 2016-06-28 dewey at test.gnupg.org
> | gpg: key D19D22B06EE78668: "dewey at test.gnupg.org" not changed
> | gpg: Total number processed: 1
> | gpg:              unchanged: 1
> | gpg: auto-key-locate found fingerprint 64944BC035493D929EF2A2B9D19D22B06EE78668
> | gpg: automatically retrieved 'dewey at test.gnupg.org' via WKD
> | pub   ed25519 2016-06-28 [SC]
> |       64944BC035493D929EF2A2B9D19D22B06EE78668
> | uid           [ultimate] dewey at test.gnupg.org
> | sub   cv25519 2016-06-28 [E]
> |       B3746B6927FF8021486561D83452DE414E0B5CCD
> `----
>
> Despite that it tells you that the key did not change (well, you asked
> the provider to publish this key), it also tells that the key was
> found using the Web Key Directory (WKD).
>
> You may also use this lower level test:
>
> ,----
> | $ gpg-connect-agent --dirmngr --hex 'wkd_get dewey at test.gnupg.org' /bye
> `----
>
> which results in a hex listing of the key
>
>
> [KMail] https://userbase.kde.org/KMail
>
> [Mutt] http://www.mutt.org
>
>
> 1.6 Future work
> ~~~~~~~~~~~~~~~
>
> The tools are not yet finished and improvements can be expected over
> the next few GnuPG releases. For example the server should send a
> final mail back to announce that the key has been published. We are
> also considering slight changes to the protocol but the general
> procedure on how to drive the tools is unlikely to change.
>
> We still need to add manual pages to describe the server and client
> tools. For now `--help' and the [gnupg-devel] mailing list are your
> best friends. For those who want to integrate support for the Web Key
> Service into a MUA but do not want to fiddle with the server side of
> things, we are happy to provide mail addresses for testing.
>
>
> [gnupg-devel] https://lists.gnupg.org/mailman/listinfo/gnupg-devel

--
I use GnuPG (GPG) for e-mail encryption and signing. If you want some privacy,
my public key ID is 2F9D4F14. The file "signature.asc" this message includes
contains a cryptographic signature which enables you to verify this E-Mail
really was written by me.

Christopher Beck, DL1CHB
Gerhart-Hauptmann-Str. 1
91058 Erlangen
Tel.: 09131 / 9245437
Fax.: 09131 / 8148708
Jabber: beckus at jabber.org

From antony at blazrsoft.com Thu Sep 8 00:44:34 2016
From: antony at blazrsoft.com (Antony Prince)
Date: Wed, 7 Sep 2016 18:44:34 -0400
Subject: gpg-agent only works when started in terminal
Message-ID: <5c31a404-0c1f-ff6b-0e98-867f016b3cfd@blazrsoft.com>

I know this has got to be something simple. When invoking gpg2 normally
to decrypt, I get:

gpg: encrypted with 4096-bit RSA key, ID 0E98CD22ADB13E99, created 2015-05-06
      "Antony Prince "
gpg: public key decryption failed: No pinentry
gpg: decryption failed: No secret key

I have pinentry-program set properly in ~/.gnupg/gpg-agent.conf.

If I do:

killall gpg-agent
gpg-agent --daemon /bin/sh

The pinentry appears as it should and all is fine. I also have:

GPG_TTY=$(tty)
export GPG_TTY

set in ~/.bashrc as I saw that mentioned somewhere as well.

agent info:
gpg-agent[14849]: gpg-agent (GnuPG) 2.1.15 started

gpg info:
antony at 050415:~$ gpg2 --version
gpg (GnuPG) 2.1.15
libgcrypt 1.7.3
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/antony/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

If anyone has any ideas, I'm all for them.

--
Antony Prince
Key ID: 0xAF3D4087301B1B19
Fingerprint: 591F F17F 7A4A A8D0 F659 C482 AF3D 4087 301B 1B19
URL: http://pool.sks-keyservers.net/pks/lookup?op=get&search=0xAF3D4087301B1B19

From mac3iii at gmail.com Thu Sep 8 01:04:43 2016
From: mac3iii at gmail.com (murphy)
Date: Wed, 7 Sep 2016 19:04:43 -0400
Subject: GnuPG-2.1.15 compile with tofu
Message-ID: <6d4b3fdf-ad96-7f37-774c-9b7e0ce4fb0e@gmail.com>

FYI - On a clean, fresh installation of Ubuntu 16.04 LTS the following
instructions will result in gnupg 2.1.15 with a functioning tofu:

cd ~/Downloads
wget https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.1.15.tar.bz2
wget https://gnupg.org/ftp/gcrypt/pinentry/pinentry-0.9.7.tar.bz2
tar xf gnupg-2.1.15.tar.bz2
tar xf pinentry-0.9.7.tar.bz2
cd gnupg-2.1.15
sudo apt-get update
sudo apt-get install libldap2-dev -y
sudo apt-get install gtk+-2 -y
sudo apt-get install rng-tools -y
sudo apt-get install libbz2-dev -y
sudo apt-get install zlib1g-dev -y
sudo apt-get install libgmp-dev -y
sudo apt-get install nettle-dev -y
sudo apt-get install libgnutls-dev -y
sudo apt-get install libsqlite3-dev -y
sudo apt-get install adns-tools -y
sudo apt-get install libreadline-dev -y
sudo make -f build-aux/speedo.mk native INSTALL_PREFIX=/usr/local
cd ..
cd pinentry-0.9.7
./configure
make
sudo make install
sudo ldconfig

After executing the above (it can be done as a bash file) reboot. I
hope this saves people some time. The same format with slight changes
will compile new versions. If there are errors let me know but it does
work.

--Murphy

From oliver.wiese at fu-berlin.de Thu Sep 8 09:17:33 2016
From: oliver.wiese at fu-berlin.de (Oliver Wiese)
Date: Thu, 8 Sep 2016 09:17:33 +0200
Subject: How do you backup your private keys?
Message-ID: <6192A82D-ECD4-4965-9E8E-131980CDE08E@fu-berlin.de>

Hi,

I am a doctoral-student at the Freie Universität Berlin, Germany and I am
interested in how people backup their private keys. Therefore, I run a short
survey with 10 multiple-choice questions and only 5 demographic questions. I
will be glad if you take a short time to fill out my questions. Your inputs
are anonymized and only used for research purposes. Your participation is
free and unpaid. Feel free to share the survey. Please, fill out the survey
only once.

Link to the survey:
https://userpage.fu-berlin.de/~wieseoli/survey/index.php/987125?lang=en

Thank you and best regards
Oliver Wiese

Freie Universität Berlin; FB Mathematik und Informatik; AG Sichere Identität;
http://www.inf.fu-berlin.de/groups/ag-si/

From einarr at pvv.org Thu Sep 8 11:19:53 2016
From: einarr at pvv.org (Einar Ryeng)
Date: Thu, 8 Sep 2016 11:19:53 +0200
Subject: How do you backup your private keys?
In-Reply-To: <6192A82D-ECD4-4965-9E8E-131980CDE08E@fu-berlin.de>
References: <6192A82D-ECD4-4965-9E8E-131980CDE08E@fu-berlin.de>
Message-ID: <20160908091953.GE2738@pvv.ntnu.no>

On Thu, Sep 08, 2016 at 09:17:33AM +0200, Oliver Wiese wrote:
>
> I am a doctoral-student at the Freie Universität Berlin, Germany and I am
> interested in how people backup their private keys. Therefore, I run a short
> survey with 10 multiple-choice questions and only 5 demographic questions.
> I will be glad if you take a short time to fill out my questions. Your inputs
> are anonymized and only used for research purposes. Your participation is
> free and unpaid. Feel free to share the survey. Please, fill out the survey
> only once.

Done.

It would be nice if you could send an email notifying the list when you
publish the results.

--
Einar Ryeng

From stebe at mailbox.org Thu Sep 8 13:40:00 2016
From: stebe at mailbox.org (Stephan Beck)
Date: Thu, 08 Sep 2016 11:40:00 +0000
Subject: Key Discovery Made Simple
In-Reply-To: <2554856.hWQQWDzbnA@maxwell>
References: <874m625njg.fsf@wheatstone.g10code.de> <2554856.hWQQWDzbnA@maxwell>
Message-ID: <7afb6730-c517-5513-178b-9c33657ea466@mailbox.org>

Hi Christopher,

Christopher Beck:
> Hi,
>
> just a (maybe) stupid question: the matching key to my recipient can be
> fetched by keyservers and I determine the correct key of all of the
> (sometimes "wrong" keys) by validating the signatures according to the WoT.
> So, what's the benefit of this new key service? It sounds much more
> complicated (and untrustworthy) than just using the WoT.

Within the WoT the certificate chain relies on the ultimate fact that
you have physically met at least one WoT member in persona, and that
each of you has checked that the other's ID document is valid and that
the photo corresponds to him/her, and exchanged and verified the
fingerprints of your pubkeys (off-line key verification). Then you send
the signed key to the other person. As your pubkey is now signed by a
person of the WoT and his key signed by you (and you updated your keys
with the new signature(s) on a keyserver), you are also "associated"
with other members of the WoT that the WoT member is directly associated
with.
With the WKS [1] it is not necessary to (physically) have met a person
beforehand.
The server (of the mail provider) checks that a key sent with/from
the generated submission address has a user ID that really corresponds
to a legitimate mail address (account) of the user on that server of the
provider by sending a message containing a nonce and the fingerprint.
After a successful verification the key is published. There is no
offline key exchange/verification, although you might think of "WKS
users" that then meet in person and, additionally, do that.

What you mean with "untrustworthy" is (1) that you have to trust the
mail provider setting up the wks service and (2) that there is no
initial step of offline key exchange/verification, don't you? I think
it's to push the mass usage of OpenPGP keys (given the fact that the WoT
grows at a speed that is too low) but you surely have to rely on the
mail provider's trustworthiness. But there is no obstacle for doing an
off-line verification afterwards.
But I'd also like to know more about possible weak points related to the
usage of WKS.

Stebe

[1]https://tools.ietf.org/id/draft-koch-openpgp-webkey-service-01.html

Christopher Beck:
> Hi,
>
> just a (maybe) stupid question: the matching key to my recipient can be
> fetched by keyservers and I determine the correct key of all of the (sometimes
> "wrong" keys) by validating the signatures according to the WoT. So, what's
> the benefit of this new key service? It sounds much more complicated (and
> untrustworthy) than just using the WoT.
>
> Confused Greetings
>
> Beckus
>
> On Tuesday, 30 August 2016 16:39:15 CEST Werner Koch wrote:
>> Hi,
>>
>> I just published a writeup on how to setup the Web Key Service at
>> https://gnupg.org/blog/20160830-web-key-service.html
>>
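
The manual publishing step in the writeup quoted earlier in this thread (hash the local part, write the exported key under `hu/`, make the file world readable) can be checked with a few lines of Python. This is an added example, not part of any message in the thread and not GnuPG code; it assumes the mapping the Web Key Directory draft specifies (SHA-1 over the local part with ASCII upper case folded to lower case, encoded as z-base-32), the function names are hypothetical, and the result should be compared with what `gpg --with-wkd-hash` prints on your own installation.

```python
import hashlib
import os
import stat

# z-base-32 alphabet (assumption: the encoding named in the WKD draft).
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"

# Directory layout taken from the quoted writeup; override for testing.
WKS_ROOT = "/var/lib/gnupg/wks"


def zbase32(data: bytes) -> str:
    """Encode bytes MSB-first, five bits per output character."""
    nbits = len(data) * 8
    value = int.from_bytes(data, "big")
    pad = (-nbits) % 5              # zero-pad the tail to a multiple of 5 bits
    value <<= pad
    nbits += pad
    return "".join(
        ZBASE32[(value >> shift) & 0x1F] for shift in range(nbits - 5, -1, -5)
    )


def wkd_hash(local_part: str) -> str:
    """Hash a local part: fold ASCII A-Z only, SHA-1, then z-base-32."""
    folded = "".join(c.lower() if "A" <= c <= "Z" else c for c in local_part)
    return zbase32(hashlib.sha1(folded.encode("utf-8")).digest())


def published_path(address: str, root: str = WKS_ROOT) -> str:
    """Where the exported key for `address` has to live below `root`."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mail address: {address!r}")
    return os.path.join(root, domain.lower(), "hu", wkd_hash(local))


def check_published(address: str, root: str = WKS_ROOT) -> list:
    """Return a list of problems; an empty list means the file is servable."""
    path = published_path(address, root)
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"missing: {path}"]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append(f"not a regular file: {path}")
    if not st.st_mode & stat.S_IROTH:
        # The writeup asks for a world readable file so the web server can read it.
        problems.append(f"not world readable: {path}")
    if st.st_size == 0:
        problems.append(f"empty file: {path}")
    return problems


if __name__ == "__main__":
    # Constructed sample address, using the submission local part from the writeup.
    addr = "key-submission@example.org"
    print(published_path(addr))
    for problem in check_published(addr):
        print("PROBLEM:", problem)
```

A mismatch between the computed file name and the one gpg prints means the key was stored under the wrong name and lookups for that address will not find it.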

From kloecker at kde.org Thu Sep 8 15:24:49 2016
From: kloecker at kde.org (Ingo Klöcker)
Date: Thu, 08 Sep 2016 15:24:49 +0200
Subject: Key Discovery Made Simple
In-Reply-To: <2554856.hWQQWDzbnA@maxwell>
References: <874m625njg.fsf@wheatstone.g10code.de> <2554856.hWQQWDzbnA@maxwell>
Message-ID: <2988848.y1zNcLGizS@collossus.ingo-kloecker.de>

On Wednesday 07 September 2016 22:20:42 Christopher Beck wrote:
> Hi,
>
> just a (maybe) stupid question: the matching key to my recipient can be
> fetched by keyservers and I determine the correct key of all of the
> (sometimes "wrong" keys) by validating the signatures according to the WoT.
> So, what's the benefit of this new key service? It sounds much more
> complicated (and untrustworthy) than just using the WoT.

The WoT won't help you if the key isn't part of the WoT. That's the whole
point of the new tofu trust model and the EasyGPG project. This new key
service complements the tofu trust model in that it (kind of) guarantees
that the email address/user id on the key is legitimate (provided the
provider of the key service is trustworthy).

Regards,
Ingo

From philip.jackson at nordnet.fr Thu Sep 8 18:44:03 2016
From: philip.jackson at nordnet.fr (Philip Jackson)
Date: Thu, 8 Sep 2016 18:44:03 +0200
Subject: smart card no longer works
Message-ID:

I have changed from Ubuntu 14.04 to a clean install of Ubuntu 16.04.1

This comes with gpg 1.4.20 and gpg2 2.1.11 as distro standards.

I brought into the new installation my keyfiles and config files and trust.db

The private-keys-v1.d directory is populated with a series of
xyzzz123333.key files

The problem I have is that I cannot any longer decrypt files and this
manifests in 2 ways :

1. with gpg2 : gpg2 --card-status
gpg: error getting version from 'scdaemon': No SmartCard daemon
gpg: OpenPGP card not available: No SmartCard daemon

2. with gpg : gpg --card-status gives a lengthy and apparently good output.

But the command gpg -o output_file -d input_file.gpg seems to be
proceeding ok and puts up a pinentry window (anonymous) asking for my
pin. I enter the pin (and I have double checked that it is correct) and
get It's a real PITAa failure :

gpg: ccid_transceive failed: (0x1000a)
gpg: apdu_send_simple(0) failed: card I/O error
gpg: using subkey 0x79D467BFF5DF6C91 instead of primary key 0x26BD500A23543A63
gpg: encrypted with 2048-bit RSA key, ID 0x79D467BFF5DF6C91, created 2014-10-28
      "Philip Jackson (Jan 2013 +) "
gpg: public key decryption failed: general error
gpg: decryption failed: secret key not available

It's a real PITA that a simple clean installation of an OS won't give a
working smartcard operation. It looks like the whole smartcard thing is
a little lacking in robustness.

[evidently, I can no longer sign emails with enigmail either]

So if someone could indicate where to start looking for the problems
with gpg2 and gpg, I'd be very grateful.

Thanks,
Philip

From rjh at sixdemonbag.org Thu Sep 8 22:06:44 2016
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 8 Sep 2016 16:06:44 -0400
Subject: smart card no longer works
In-Reply-To:
References:
Message-ID: <013e01d20a0c$864108a0$92c319e0$@sixdemonbag.org>

> 1. with gpg2 : gpg2 --card-status
> gpg: error getting version from 'scdaemon': No SmartCard daemon
> gpg: OpenPGP card not available: No SmartCard daemon

The last I checked, Ubuntu's stock install did not include smartcard drivers.
The good news is these can be easily installed via apt-get. The bad news is I
don't remember what the package name is. :(

> Its a real PITA that a simple clean installation of an OS won't give a working
> smartcard operation. It looks like the whole smartcard thing is a little lacking
> in robustness.

Although I understand your frustration, it would be best to aim that
frustration at Ubuntu -- they're the ones who elected to not make smartcard
drivers part of the base OS image.

From rjh at sixdemonbag.org Thu Sep 8 22:21:25 2016
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 8 Sep 2016 16:21:25 -0400
Subject: smart card no longer works
In-Reply-To: <013e01d20a0c$864108a0$92c319e0$@sixdemonbag.org>
References: <013e01d20a0c$864108a0$92c319e0$@sixdemonbag.org>
Message-ID: <014901d20a0e$937e17e0$ba7a47a0$@sixdemonbag.org>

> The last I checked, Ubuntu's stock install did not include smartcard drivers.
> The good news is these can be easily installed via apt-get. The bad news is I
> don't remember what the package name is. :(

A little searching suggests that "sudo apt-get install gnupg-pkcs11-scd" is
the magic you need. Hope this helps!

From gniibe at fsij.org Fri Sep 9 06:16:39 2016
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Fri, 9 Sep 2016 13:16:39 +0900
Subject: smart card no longer works
In-Reply-To: <014901d20a0e$937e17e0$ba7a47a0$@sixdemonbag.org>
References: <013e01d20a0c$864108a0$92c319e0$@sixdemonbag.org> <014901d20a0e$937e17e0$ba7a47a0$@sixdemonbag.org>
Message-ID: <01c63f6e-fa92-d187-107a-6ede0e7bc583@fsij.org>

On 09/09/2016 05:21 AM, Robert J. Hansen wrote:
>> The last I checked, Ubuntu's stock install did not include smartcard drivers.
>> The good news is these can be easily installed via apt-get. The bad news is I
>> don't remember what the package name is. :(
>
> A little searching suggests that "sudo apt-get install gnupg-pkcs11-scd" is
> the magic you need. Hope this helps!

Please use the standard scdaemon from GnuPG.

    apt-get install scdaemon

PC/SC service is optional. In-stock CCID driver of GnuPG just works
well in most cases. Only when it doesn't work, please try
to install pcscd and libpcsclite1.

For PKCS#11 things, we (GnuPG team) do totally in different way by
Scute, when people want to use the PKCS#11 API. I don't think
gnupg-pkcs11-scd works, these days.

Packaging in Debian had been changed. Now scdaemon is in a package of
"scdaemon" (used to be in "gnupg2" package).
--

From stebe at mailbox.org Fri Sep 9 11:55:00 2016
From: stebe at mailbox.org (Stephan Beck)
Date: Fri, 09 Sep 2016 09:55:00 +0000
Subject: gpg-agent only works when started in terminal
In-Reply-To: <5c31a404-0c1f-ff6b-0e98-867f016b3cfd@blazrsoft.com>
References: <5c31a404-0c1f-ff6b-0e98-867f016b3cfd@blazrsoft.com>
Message-ID:

Hi Antony,

just some ideas to (possibly) track it down...

Antony Prince:
> I know this has got to be something simple. When invoking gpg2 normally
> to decrypt, I get:
>
> gpg: encrypted with 4096-bit RSA key, ID 0E98CD22ADB13E99, created
> 2015-05-06
> "Antony Prince "
> gpg: public key decryption failed: No pinentry
> gpg: decryption failed: No secret key

AFAIK, this means that the agent is not started when you "invoke gpg2
normally" (directly from the command line?), so the environment may be
incorrectly set. Or is there more than one agent instance running?
What does a gpg-agent --daemon --write-env-file output in terms of
GPG-AGENT_INFO? Is the correct socket being used?

>
> I have pinentry-program set properly in ~/.gnupg/gpg-agent.conf.

And you symlinked /usr/bin/pinentry and the pinentry you might actually use?

>
> If I do:
>
> killall gpg-agent
> gpg-agent --daemon /bin/sh
>
> The pinentry appears as it should and all is fine.

Yes, because using --daemon /bin/sh the environment is reset.

Stebe

> I also have:
>
> GPG_TTY=$(tty)
> export GPG_TTY
>
> set in ~/.bashrc as I saw that mentioned somewhere as well.
>
> agent info:
> gpg-agent[14849]: gpg-agent (GnuPG) 2.1.15 started
>
> gpg info:
> antony at 050415:~$ gpg2 --version
> gpg (GnuPG) 2.1.15
> libgcrypt 1.7.3
> Copyright (C) 2016 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later
>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
> Home: /home/antony/.gnupg
> Supported algorithms:
> Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
> Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
> CAMELLIA128, CAMELLIA192, CAMELLIA256
> Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
> Compression: Uncompressed, ZIP, ZLIB, BZIP2
>
> If anyone has any ideas, I'm all for them.
>
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>

From philip.jackson at nordnet.fr Fri Sep 9 16:52:34 2016
From: philip.jackson at nordnet.fr (Philip Jackson)
Date: Fri, 9 Sep 2016 16:52:34 +0200
Subject: :-(( Re: smart card no longer works
In-Reply-To: <01c63f6e-fa92-d187-107a-6ede0e7bc583@fsij.org>
References: <013e01d20a0c$864108a0$92c319e0$@sixdemonbag.org> <014901d20a0e$937e17e0$ba7a47a0$@sixdemonbag.org> <01c63f6e-fa92-d187-107a-6ede0e7bc583@fsij.org>
Message-ID: <11ef6de0-8625-a89d-104f-8550f5dcaa55@nordnet.fr>

On 09/09/16 06:16, NIIBE Yutaka wrote:
> On 09/09/2016 05:21 AM, Robert J. Hansen wrote:
>>> The last I checked, Ubuntu's stock install did not include smartcard
>>> drivers.
>
> Please use the standard scdaemon from GnuPG.
> PC/SC service is optional. In-stock CCID driver of GnuPG just works
> well in most cases. Only when it doesn't work, please try
> to install pcscd and libpcsclite1.

As I recall, in Ubuntu 14.04 I just used the in-stock driver in gnupg.

> Packaging in Debian had been changed. Now scdaemon is in a package of
> "scdaemon" (used to be in "gnupg2" package).
>

I have now installed the missing scdaemon deb package and that makes a
big improvement as far as gpg2 is concerned.

Both gpg and gpg2 --card-status return essentially the same data which
looks good.

For decrypting a file, both gpg and "gpg2 -o output_file -d
input_file.gpg" fail with the same message :

gpg: public key is 0x79D467BFF5DF6C91
gpg: using subkey 0x79D467BFF5DF6C91 instead of primary key 0x26BD500A23543A63
gpg: using subkey 0x79D467BFF5DF6C91 instead of primary key 0x26BD500A23543A63
gpg: encrypted with 2048-bit RSA key, ID 0x79D467BFF5DF6C91, created 2014-10-28
      "Philip Jackson (Jan 2013 +) "
gpg: public key decryption failed: Operation cancelled
gpg: decryption failed: No secret key

Since in my first attempts, the pinentry window which came up was
anonymous, I supposed there might be a problem with the choice of
pinentry. So I put "pinentry-program /usr/bin/pinentry-gtk-2" into the
gpg-agent.conf file.

The pinentry dialogue is no longer anonymous, it does say
pinentry-gtk-2, but the result is the same, no decrypt.

Philip

From anthony at cajuntechie.org Fri Sep 9 19:51:57 2016
From: anthony at cajuntechie.org (Anthony Papillion)
Date: Fri, 9 Sep 2016 12:51:57 -0500
Subject: Keybase integration with GnuPG?
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Are there any current plans to integrate Keybase.io into GnuPG at some
point in the future? In my mind, doing so might present a bit stronger
validation than TOFU and a lot easier use to newbies than the WoT, which
is pretty much useless if the person is new to PGP.

Thanks,
Anthony

- --
OpenPGP Key: 4096R/0x028ADF7453B04B15
C5CE E687 DDC2 D12B 9063 56EA 028A DF74 53B0 4B15
Other Key Info: http://www.cajuntechie.org/p/my-pgp-key.html
XMPP/Jabber: cajuntech at dukgo.com
VoIP/SIP: 1259010 at localphone.com
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

From rjh at sixdemonbag.org Fri Sep 9 22:46:59 2016
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 9 Sep 2016 16:46:59 -0400
Subject: Keybase integration with GnuPG?
In-Reply-To:
References:
Message-ID: <02c001d20adb$50923380$f1b69a80$@sixdemonbag.org>

> Are there any current plans to integrate Keybase.io into GnuPG at some
> point in the future?

(ObWarning: I am not a GnuPG developer.)

I think this is unlikely to occur. Werner's spoken out pretty strongly
against the keybase.io model, which relies heavily on social media outlets
like Facebook to provide confidence in an identity. However, few people in
the privacy community like or trust Facebook, which makes relying on
something like keybase.io problematic -- it looks too much like GnuPG is
encouraging the use of a platform (FB) that it's philosophically opposed to.

The counterargument is that keybase.io works just fine with several other
back-ends which are more respecting of privacy -- and if a user wishes to
trust FB, why should GnuPG refuse to honor that user's choice?

From gniibe at fsij.org Sat Sep 10 06:27:47 2016
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Sat, 10 Sep 2016 13:27:47 +0900
Subject: :-(( Re: smart card no longer works
In-Reply-To: <11ef6de0-8625-a89d-104f-8550f5dcaa55@nordnet.fr>
References: <013e01d20a0c$864108a0$92c319e0$@sixdemonbag.org> <014901d20a0e$937e17e0$ba7a47a0$@sixdemonbag.org> <01c63f6e-fa92-d187-107a-6ede0e7bc583@fsij.org> <11ef6de0-8625-a89d-104f-8550f5dcaa55@nordnet.fr>
Message-ID: <93bb4c24-20e3-7a86-fd49-a6b344f7b3a3@fsij.org>

On 09/09/2016 11:52 PM, Philip Jackson wrote:
>> Packaging in Debian had been changed. Now scdaemon is in a package of
>> "scdaemon" (used to be in "gnupg2" package).
>>
>
> I have now installed the missing scdaemon deb package and that makes a
> big improvement as far as gpg2 is concerned.
>
> Both gpg and gpg2 --card-status return essentially the same data which
> looks good.

Good.

> gpg: public key decryption failed: Operation cancelled
> gpg: decryption failed: No secret key
>
> Since in my first attempts, the pinentry window which came up was
> anonymous, I supposed there might be a problem with the choice of
> pinentry. So I put "pinentry-program /usr/bin/pinentry-gtk-2" into the
> gpg-agent.conf file.
>
> The pinentry dialogue is no longer anonymous, it does say
> pinentry-gtk-2, but the result is the same, no decrypt.

I don't have any experience with this error behavior. Please describe
the situation and the interaction; Did you input passphrase and push
[OK] button, and then gpg failed?

Please try again with pinentry-curses and/or pinentry-tty. Does it work?
--

From wk at gnupg.org Sat Sep 10 08:38:25 2016
From: wk at gnupg.org (Werner Koch)
Date: Sat, 10 Sep 2016 08:38:25 +0200
Subject: Keybase integration with GnuPG?
In-Reply-To: (Anthony Papillion's message of "Fri, 9 Sep 2016 12:51:57 -0500")
References:
Message-ID: <87eg4ss1i6.fsf@wheatstone.g10code.de>

On Fri, 9 Sep 2016 19:51, anthony at cajuntechie.org said:

> Are there any current plans to integrate Keybase.io into GnuPG at some
> point in the future? In my mind, doing so might present a bit stronger

That is unlikely because we try to change the _default_ key validation
model from the WoT to a TOFU based one. Adding another WoT-alike model
would not be helpful.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
/* Join us at OpenPGP.conf */

From wk at gnupg.org Sat Sep 10 08:39:10 2016
From: wk at gnupg.org (Werner Koch)
Date: Sat, 10 Sep 2016 08:39:10 +0200
Subject: Keybase integration with GnuPG?
In-Reply-To: <02c001d20adb$50923380$f1b69a80$@sixdemonbag.org> (Robert J. Hansen's message of "Fri, 9 Sep 2016 16:46:59 -0400")
References: <02c001d20adb$50923380$f1b69a80$@sixdemonbag.org>
Message-ID: <87a8fgs1gx.fsf@wheatstone.g10code.de>

On Fri, 9 Sep 2016 22:46, rjh at sixdemonbag.org said:

> The counterargument is that keybase.io works just fine with several other
> back-ends which are more respecting of privacy -- and if a user wishes to
> trust FB, why should GnuPG refuse to honor that user's choice?

Given that Facebook users have the opportunity to store their public key
in their account, so that other Facebook users can access it, we will
probably add support for this.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
/* Join us at OpenPGP.conf */
Name: not available Type: application/pgp-signature Size: 162 bytes Desc: not available URL: From philip.jackson at nordnet.fr Sat Sep 10 14:27:50 2016 From: philip.jackson at nordnet.fr (Philip Jackson) Date: Sat, 10 Sep 2016 14:27:50 +0200 Subject: :-(( Re: smart card no longer works In-Reply-To: <93bb4c24-20e3-7a86-fd49-a6b344f7b3a3@fsij.org> References: <013e01d20a0c$864108a0$92c319e0$@sixdemonbag.org> <014901d20a0e$937e17e0$ba7a47a0$@sixdemonbag.org> <01c63f6e-fa92-d187-107a-6ede0e7bc583@fsij.org> <11ef6de0-8625-a89d-104f-8550f5dcaa55@nordnet.fr> <93bb4c24-20e3-7a86-fd49-a6b344f7b3a3@fsij.org> Message-ID: <30030b1e-5225-84eb-1a97-aa74c41acf97@nordnet.fr> On 10/09/16 06:27, NIIBE Yutaka wrote: > I don't have any experience with this error behavior. Please describe > the situation and the interaction; Did you input passphrase and push > [OK] button, and then gpg failed? > > Please try again with pinentry-curses and/or pinentry-tty. Does it work? > I don't think the pinentry is the problem. I have tried several versions and no matter if I enter the pin via dialogue box or on the command line, the result is the same. I verified the pin using gpg --card-edit & it is ok. I think the problem must be more connected with how I introduced my secring and pubring to the new distro installation when I installed ubuntu 16.04 I have tried reverting to my old secring.gpg file from before starting with the smartcard (back in 2014), the one with the full key and not the 'stubs'. This enables me to run the file decrypt command but of course I have to enter the old full passphrase rather than the six digit pin of the smartcard. Philip From 2014-667rhzu3dc-lists-groups at riseup.net Sat Sep 10 16:27:14 2016 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Sat, 10 Sep 2016 15:27:14 +0100 Subject: Has GPGME been extended to support TOFU yet? 
Message-ID: <1336357472.20160910152714@riseup.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Has GPGME been extended to support TOFU yet? Neal's announcement of TOFU last October [0] included the note "GpgME has not yet been extended to support TOFU so these messages might not be shown." I have searched, but not found any announcement saying this has changed. [0] - -- Best regards MFPA Something must be done. This is something. Therefore, we must do it. --- This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus From tristan.santore at internexusconnect.net Sat Sep 10 14:55:58 2016 From: tristan.santore at internexusconnect.net (Tristan Santore) Date: Sat, 10 Sep 2016 14:55:58 +0200 Subject: :-(( Re: smart card no longer works In-Reply-To: <30030b1e-5225-84eb-1a97-aa74c41acf97@nordnet.fr> References: <013e01d20a0c$864108a0$92c319e0$@sixdemonbag.org> <014901d20a0e$937e17e0$ba7a47a0$@sixdemonbag.org> <01c63f6e-fa92-d187-107a-6ede0e7bc583@fsij.org> <11ef6de0-8625-a89d-104f-8550f5dcaa55@nordnet.fr> <93bb4c24-20e3-7a86-fd49-a6b344f7b3a3@fsij.org> <30030b1e-5225-84eb-1a97-aa74c41acf97@nordnet.fr> Message-ID: On 10/09/16 14:27, Philip Jackson wrote: > On 10/09/16 06:27, NIIBE Yutaka wrote: > >> I don't have any experience with this error behavior. Please describe >> the situation and the interaction; Did you input passphrase and push >> [OK] button, and then gpg failed? >> >> Please try again with pinentry-curses and/or pinentry-tty. Does it work? >> > I don't think the pinentry is the problem. I have tried several versions > and no matter if I enter the pin via dialogue box or on the command > line, the result is the same. > > I verified the pin using gpg --card-edit & it is ok. > > I think the problem must be more connected with how I introduced my > secring and pubring to the new distro installation when I installed > ubuntu 16.04 > > I have tried reverting to my old secring.gpg file from before starting > with the smartcard (back in 2014), the one with the full key and not the > 'stubs'. This enables me to run the file decrypt command but of course > I have to enter the old full passphrase rather than the six digit pin of > the smartcard. > > Philip > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > This sounds like a bit of an issue I had with my Omnikey 38xx. I had a similar issue, where it always claimed the pin was wrong. 
I installed the omnikey drivers.... and then restarted PCSD. But I was using the pinpad on the device itself. Maybe your issue is different, depending on your hardware. Regards, Tristan -- Tristan Santore BSc MBCS TS4523-RIPE Network and Infrastructure Operations InterNexusConnect Mobile +44-78-55069812 Tristan.Santore at internexusconnect.net Former Thawte Notary (Please note: Thawte has closed its WoT programme down, and I am therefore no longer able to accredit trust) For Fedora related issues, please email me at: TSantore at fedoraproject.org From rjh at sixdemonbag.org Sat Sep 10 19:30:34 2016 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sat, 10 Sep 2016 13:30:34 -0400 Subject: Excessive quoting (was: smart card no longer works) In-Reply-To: References: <013e01d20a0c$864108a0$92c319e0$@sixdemonbag.org> <014901d20a0e$937e17e0$ba7a47a0$@sixdemonbag.org> <01c63f6e-fa92-d187-107a-6ede0e7bc583@fsij.org> <11ef6de0-8625-a89d-104f-8550f5dcaa55@nordnet.fr> <93bb4c24-20e3-7a86-fd49-a6b344f7b3a3@fsij.org> <30030b1e-5225-84eb-1a97-aa74c41acf97@nordnet.fr> Message-ID: <7967a674-77d1-8006-4643-753dbdec1392@sixdemonbag.org> > This sounds like a bit of an issue I had with my Omnikey 38xx... You quoted 34 lines there and added 5 lines -- meaning your total message was about 13% content. I hate acting like a netiquette cop, but could you please reduce the amount of unnecessary quoting you do in the future? Thanks. :) From rjh at sixdemonbag.org Sat Sep 10 20:45:00 2016 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sat, 10 Sep 2016 14:45:00 -0400 Subject: Keybase integration with GnuPG? In-Reply-To: References: <02c001d20adb$50923380$f1b69a80$@sixdemonbag.org> Message-ID: <85a6c227-059a-c34d-94cd-0187fd562032@sixdemonbag.org> > I think you are operating under some assumptions about Keybase that are > not entirely accurate. Contrary to what you state, Keybase.io does not > support Facebook as a proof destination.
Ack, you're right -- I apologize to the keybase.io crowd. Apparently I got my wires crossed with "Facebook supports hosting your public key" to "Facebook integrates with keybase.io". Thank you for the correction! From stebe at mailbox.org Sat Sep 10 20:56:00 2016 From: stebe at mailbox.org (Stephan Beck) Date: Sat, 10 Sep 2016 18:56:00 +0000 Subject: :-(( Re: smart card no longer works In-Reply-To: <30030b1e-5225-84eb-1a97-aa74c41acf97@nordnet.fr> References: <013e01d20a0c$864108a0$92c319e0$@sixdemonbag.org> <014901d20a0e$937e17e0$ba7a47a0$@sixdemonbag.org> <01c63f6e-fa92-d187-107a-6ede0e7bc583@fsij.org> <11ef6de0-8625-a89d-104f-8550f5dcaa55@nordnet.fr> <93bb4c24-20e3-7a86-fd49-a6b344f7b3a3@fsij.org> <30030b1e-5225-84eb-1a97-aa74c41acf97@nordnet.fr> Message-ID: <7d06ac13-fefd-a727-44bc-7537aa3b1352@mailbox.org> Hi Philip, Philip Jackson: > On 10/09/16 06:27, NIIBE Yutaka wrote: > >> I don't have any experience with this error behavior. Please describe >> the situation and the interaction; Did you input passphrase and push >> [OK] button, and then gpg failed? >> >> Please try again with pinentry-curses and/or pinentry-tty. Does it work? >> > I don't think the pinentry is the problem. I have tried several versions > and no matter if I enter the pin via dialogue box or on the command > line, the result is the same. > > I verified the pin using gpg --card-edit & it is ok. > > I think the problem must be more connected with how I introduced my > secring and pubring to the new distro installation when I installed > ubuntu 16.04 Have you recreated the key stubs on the new system after having imported your public key first? And before, still on 14.04, did you use the --export-secret-keys command? Which were the steps you have taken for "migrating" keys to the new installation? 
And, by the way, does the screen output in your previous mail really show that a subkey with the same ID as the pubkey (so, a duplicate of the pubkey) is being used for decrypting a file encrypted to your pubkey? I mean, that wouldn't make sense in terms of public key cryptography and is duly canceled by gpg. Am I missing something? Cheers, Stebe From wk at gnupg.org Sat Sep 10 21:10:24 2016 From: wk at gnupg.org (Werner Koch) Date: Sat, 10 Sep 2016 21:10:24 +0200 Subject: Has GPGME been extended to support TOFU yet? In-Reply-To: <1336357472.20160910152714@riseup.net> (MFPA's message of "Sat, 10 Sep 2016 15:27:14 +0100") References: <1336357472.20160910152714@riseup.net> Message-ID: <874m5nsh9b.fsf@wheatstone.g10code.de> On Sat, 10 Sep 2016 16:27, 2014-667rhzu3dc-lists-groups at riseup.net said: > Has GPGME been extended to support TOFU yet? There is support in the repo but we have recently changed data structures. Hopefully we can now keep it as it is and work towards the 1.7.0 release. Missing items for the release are support for the new --quick commands and for --tofu-policy. I'll work on this next week; gpgme 1.7.0 has currently top priority. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. /* Join us at OpenPGP.conf */ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 162 bytes Desc: not available URL: From glenn at rempe.us Sat Sep 10 20:30:31 2016 From: glenn at rempe.us (Glenn Rempe) Date: Sat, 10 Sep 2016 18:30:31 +0000 Subject: Keybase integration with GnuPG? In-Reply-To: <02c001d20adb$50923380$f1b69a80$@sixdemonbag.org> References: <02c001d20adb$50923380$f1b69a80$@sixdemonbag.org> Message-ID: > > > > Are there any current plans to integrate Keybase.io into GnuPG at some > > point in the future? > > (ObWarning: I am not a GnuPG developer.) > > I think this is unlikely to occur. 
Werner's spoken out pretty strongly > against the keybase.io model, which relies heavily on social media outlets > like Facebook to provide confidence in an identity. However, few people in > the privacy community like or trust Facebook, which makes relying on > something like keybase.io problematic -- it looks too much like GnuPG is > encouraging the use of a platform (FB) that it's philosophically opposed > to. > I think you are operating under some assumptions about Keybase that are not entirely accurate. Contrary to what you state, Keybase.io does not support Facebook as a proof destination. https://github.com/keybase/keybase-issues/issues/518 I have a pretty complete Keybase profile if you are interested to see the services they *do* currently support. Please note that many of these are not social networking platforms but also domains, DNS records, and Bitcoin accounts that I control. https://keybase.io/grempe > The counterargument is that keybase.io works just fine with several other > back-ends which are more respecting of privacy -- and if a user wishes to > trust FB, why should GnuPG refuse to honor that user's choice? True. Keybase supports a number of ways to host proofs currently. I imagine they will add more as they mature for those sites that can meet the requirements for hosting a proof that is public and can only be controlled by a single user. This not only allows you to find public keys for a person, but to authenticate that a person who claims to control the account on site A is provably the same person who claims to control an account on site B or a certain GPG key. You can also host proofs on your own domain as a static signed file or as a DNS record.
Here is an example where I demonstrate that I control my personal website: https://www.rempe.us/keybase.txt You can learn a bit more about this here: https://keybase.io/docs/server_security/following Please also note that for most of the last year Keybase is in the midst of a transition away from using GPG keys as the primary identifier and the primary way of signing proofs. They have already moved to a model where NaCl keypairs are used to identify various devices the user controls, and then the user can sign proofs on various services with those NaCl keys. You can still add one, or more, GPG keys into this mix. https://keybase.io/blog/keybase-new-key-model Keybase is creating a form of the Web of Trust, but it does not rely on, or even require at all, GPG keys or the use of social networking services. Facebook is not supported at all. -------------- next part -------------- An HTML attachment was scrubbed... URL: From anthony at cajuntechie.org Sat Sep 10 22:28:47 2016 From: anthony at cajuntechie.org (Anthony Papillion) Date: Sat, 10 Sep 2016 15:28:47 -0500 Subject: Confusion about a statement in the FAQ Message-ID: <137adf5b-e0e8-42e8-8e1f-c1a3ce0fe0f2@cajuntechie.org> Hi Folks, In the FAQ on the gnupg.org site there is a discussion about whether it's acceptable to use PGP/MIME. The FAQ says yes and has the following statement: "Almost certainly. In the past this was a controversial question, but recently there's come to be a consensus: use PGP/MIME whenever possible. The reason for this is that it's possible to armor email headers and metadata with PGP/MIME, but sending messages inline leaves this data exposed." I'm confused by this. What does it mean? What does 'armor the mail headers" mean? Is this the same as 'encrypting' the mail headers or does it mean something else? Can someone explain this statement to me? 
Thanks, Anthony -- OpenPGP Key: 4096R/0x028ADF7453B04B15 C5CE E687 DDC2 D12B 9063 56EA 028A DF74 53B0 4B15 Other Key Info: http://www.cajuntechie.org/p/my-pgp-key.html XMPP/Jabber: cajuntech at dukgo.com VoIP/SIP: 1259010 at localphone.com From rjh at sixdemonbag.org Sat Sep 10 23:00:40 2016 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sat, 10 Sep 2016 17:00:40 -0400 Subject: Confusion about a statement in the FAQ In-Reply-To: <137adf5b-e0e8-42e8-8e1f-c1a3ce0fe0f2@cajuntechie.org> References: <137adf5b-e0e8-42e8-8e1f-c1a3ce0fe0f2@cajuntechie.org> Message-ID: <9636ea75-b9cd-088d-fc56-aae95089d4c0@sixdemonbag.org> > I'm confused by this. What does it mean? What does 'armor the mail > headers" mean? Is this the same as 'encrypting' the mail headers or does > it mean something else? It means there's a way to cryptographically protect most (but not all) email headers, which foils many kinds of metadata analysis. At present I don't think any email client supports this capability. However, it's planned for Enigmail and other clients, and it's a good reason to use PGP/MIME instead of inline. From andrewg at andrewg.com Sat Sep 10 23:13:34 2016 From: andrewg at andrewg.com (Andrew Gallagher) Date: Sat, 10 Sep 2016 22:13:34 +0100 Subject: Confusion about a statement in the FAQ In-Reply-To: <9636ea75-b9cd-088d-fc56-aae95089d4c0@sixdemonbag.org> References: <137adf5b-e0e8-42e8-8e1f-c1a3ce0fe0f2@cajuntechie.org> <9636ea75-b9cd-088d-fc56-aae95089d4c0@sixdemonbag.org> Message-ID: <0B02E4E4-A629-49F1-AE0D-9CA85685728D@andrewg.com> Do you have a link to how they plan to implement it? Andrew Gallagher On 10 Sep 2016, at 22:00, Robert J. Hansen wrote: >> I'm confused by this. What does it mean? What does 'armor the mail >> headers" mean? Is this the same as 'encrypting' the mail headers or does >> it mean something else? > > It means there's a way to cryptographically protect most (but not all) > email headers, which foils many kinds of metadata analysis. 
> > At present I don't think any email client supports this capability. > However, it's planned for Enigmail and other clients, and it's a good > reason to use PGP/MIME instead of inline. > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From rjh at sixdemonbag.org Sat Sep 10 23:20:39 2016 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sat, 10 Sep 2016 17:20:39 -0400 Subject: Confusion about a statement in the FAQ In-Reply-To: <0B02E4E4-A629-49F1-AE0D-9CA85685728D@andrewg.com> References: <137adf5b-e0e8-42e8-8e1f-c1a3ce0fe0f2@cajuntechie.org> <9636ea75-b9cd-088d-fc56-aae95089d4c0@sixdemonbag.org> <0B02E4E4-A629-49F1-AE0D-9CA85685728D@andrewg.com> Message-ID: <6a52f070-f6b6-e56c-d82c-b91ef463591a@sixdemonbag.org> > Do you have a link to how they plan to implement it? Without knowing who you mean by "they", no, I can't. Daiki Ueno is planning on implementing it in Gnus. Patrick Brunschwig has already implemented limited support for it in Enigmail. You'd have to ask them how they plan to implement it. If you mean "do I have a link to how the headers can be encrypted", check ModernPGP: https://github.com/ModernPGP/memoryhole/ From anthony at cajuntechie.org Sat Sep 10 23:19:28 2016 From: anthony at cajuntechie.org (Anthony Papillion) Date: Sat, 10 Sep 2016 16:19:28 -0500 Subject: Confusion about a statement in the FAQ In-Reply-To: <9636ea75-b9cd-088d-fc56-aae95089d4c0@sixdemonbag.org> References: <137adf5b-e0e8-42e8-8e1f-c1a3ce0fe0f2@cajuntechie.org> <9636ea75-b9cd-088d-fc56-aae95089d4c0@sixdemonbag.org> Message-ID: <7d6317c8-da07-5e88-4632-daa6ef66b154@cajuntechie.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 9/10/2016 4:00 PM, Robert J. Hansen wrote: >> I'm confused by this. What does it mean? What does 'armor the >> mail headers" mean? Is this the same as 'encrypting' the mail >> headers or does it mean something else? 
> > It means there's a way to cryptographically protect most (but not > all) email headers, which foils many kinds of metadata analysis. > > At present I don't think any email client supports this > capability. However, it's planned for Enigmail and other clients, > and it's a good reason to use PGP/MIME instead of inline. Hmm, OK that's kind of what I thought. But I'm still a little confused. Doesn't the email server have to support it? For example, if I send an email to someone using Gmail, how does Gmail route it if the headers are encrypted? Or would the "to" be one of those things not encrypted? Anthony From rjh at sixdemonbag.org Sun Sep 11 01:36:27 2016 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sat, 10 Sep 2016 19:36:27 -0400 Subject: Confusion about a statement in the FAQ In-Reply-To: <7d6317c8-da07-5e88-4632-daa6ef66b154@cajuntechie.org> References: <137adf5b-e0e8-42e8-8e1f-c1a3ce0fe0f2@cajuntechie.org> <9636ea75-b9cd-088d-fc56-aae95089d4c0@sixdemonbag.org> <7d6317c8-da07-5e88-4632-daa6ef66b154@cajuntechie.org> Message-ID: <63619217-eec6-59da-a409-db7378c606f2@sixdemonbag.org> > Hmm, OK that's kind of what I thought. But I'm still a little > confused.
Doesn't the email server have to support it? No. > Or would the "to" be one of those things not encrypted? Headers that are strictly required to process email are not armored. From andrewg at andrewg.com Sun Sep 11 02:00:35 2016 From: andrewg at andrewg.com (Andrew Gallagher) Date: Sun, 11 Sep 2016 01:00:35 +0100 Subject: Confusion about a statement in the FAQ In-Reply-To: <6a52f070-f6b6-e56c-d82c-b91ef463591a@sixdemonbag.org> References: <137adf5b-e0e8-42e8-8e1f-c1a3ce0fe0f2@cajuntechie.org> <9636ea75-b9cd-088d-fc56-aae95089d4c0@sixdemonbag.org> <0B02E4E4-A629-49F1-AE0D-9CA85685728D@andrewg.com> <6a52f070-f6b6-e56c-d82c-b91ef463591a@sixdemonbag.org> Message-ID: On 10 Sep 2016, at 22:20, Robert J. Hansen wrote: >> Do you have a link to how they plan to implement it? > > Without knowing who you mean by "they", no, I can't. Whichever "they" you had in mind when you brought it up...? ;-) > Daiki Ueno is > planning on implementing it in Gnus. Patrick Brunschwig has already > implemented limited support for it in Enigmail. You'd have to ask them > how they plan to implement it. memoryhole's readme (thanks for the link!) states that it has been implemented in enigmail but is disabled by default. Which probably answers my question. :-) Thanks. A From ca+gnupg-users at esmtp.org Sun Sep 11 01:04:30 2016 From: ca+gnupg-users at esmtp.org (Claus Assmann) Date: Sat, 10 Sep 2016 16:04:30 -0700 Subject: Confusion about a statement in the FAQ In-Reply-To: <7d6317c8-da07-5e88-4632-daa6ef66b154@cajuntechie.org> References: <137adf5b-e0e8-42e8-8e1f-c1a3ce0fe0f2@cajuntechie.org> <9636ea75-b9cd-088d-fc56-aae95089d4c0@sixdemonbag.org> <7d6317c8-da07-5e88-4632-daa6ef66b154@cajuntechie.org> Message-ID: <20160910230430.GA1532@x2.esmtp.org> On Sat, Sep 10, 2016, Anthony Papillion wrote: > I send an email to someone using Gmail, how does Gmail route it if the > headers are encrypted? 
Or would the "to" be one of those things not You might want to read the RFCs about e-mail: headers are not used for mail routing, the envelope is (just like "snail-mail"). From rjh at sixdemonbag.org Sun Sep 11 03:13:23 2016 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sat, 10 Sep 2016 21:13:23 -0400 Subject: Confusion about a statement in the FAQ In-Reply-To: References: <137adf5b-e0e8-42e8-8e1f-c1a3ce0fe0f2@cajuntechie.org> <9636ea75-b9cd-088d-fc56-aae95089d4c0@sixdemonbag.org> <0B02E4E4-A629-49F1-AE0D-9CA85685728D@andrewg.com> <6a52f070-f6b6-e56c-d82c-b91ef463591a@sixdemonbag.org> Message-ID: <60a86238-0f68-ce2f-c23b-e80504ba45e4@sixdemonbag.org> > Whichever "they" you had in mind when you brought it up...? ;-) I said "Enigmail and other clients" -- if you don't specify which precise implementation you're interested in, I don't know which one you want to know about. > memoryhole's readme (thanks for the link!) states that it has been > implemented in enigmail... There's limited support for it. I wouldn't say it's ready for prime time, but if you feel like living on the bleeding edge, go for it! :) From anthony at cajuntechie.org Sun Sep 11 06:51:05 2016 From: anthony at cajuntechie.org (Anthony Papillion) Date: Sat, 10 Sep 2016 23:51:05 -0500 Subject: Confusion about a statement in the FAQ In-Reply-To: <20160910230430.GA1532@x2.esmtp.org> References: <137adf5b-e0e8-42e8-8e1f-c1a3ce0fe0f2@cajuntechie.org> <9636ea75-b9cd-088d-fc56-aae95089d4c0@sixdemonbag.org> <7d6317c8-da07-5e88-4632-daa6ef66b154@cajuntechie.org> <20160910230430.GA1532@x2.esmtp.org> Message-ID: <27596eab-eedf-ac44-1b35-e0b977545a9b@cajuntechie.org> On 9/10/2016 6:04 PM, Claus Assmann wrote: > On Sat, Sep 10, 2016, Anthony Papillion wrote: > >> I send an email to someone using Gmail, how does Gmail route it if the >> headers are encrypted? 
Or would the "to" be one of those things not > > You might want to read the RFCs about e-mail: headers are not > used for mail routing, the envelope is (just like "snail-mail"). I've been using email for nearly 20 years and TIL something new. I've never read the RFC before now. Thanks for the pointer. Pretty cool. Anthony -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 801 bytes Desc: OpenPGP digital signature URL: From philip.jackson at nordnet.fr Sun Sep 11 12:28:11 2016 From: philip.jackson at nordnet.fr (Philip Jackson) Date: Sun, 11 Sep 2016 12:28:11 +0200 Subject: :-(( Re: smart card no longer works In-Reply-To: <7d06ac13-fefd-a727-44bc-7537aa3b1352@mailbox.org> References: <013e01d20a0c$864108a0$92c319e0$@sixdemonbag.org> <014901d20a0e$937e17e0$ba7a47a0$@sixdemonbag.org> <01c63f6e-fa92-d187-107a-6ede0e7bc583@fsij.org> <11ef6de0-8625-a89d-104f-8550f5dcaa55@nordnet.fr> <93bb4c24-20e3-7a86-fd49-a6b344f7b3a3@fsij.org> <30030b1e-5225-84eb-1a97-aa74c41acf97@nordnet.fr> <7d06ac13-fefd-a727-44bc-7537aa3b1352@mailbox.org> Message-ID: <774544b6-8ac5-39fc-06be-1a3ec7f66327@nordnet.fr> On 10/09/16 20:56, Stephan Beck wrote: > Have you recreated the key stubs on the new system after having imported > your public key first? > No - how do you do that ? I am just a user nunky-dunk. > And before, still on 14.04, did you use the --export-secret-keys command? Not specifically before doing the clean install of 1604. I didn't know I had to. I backed up all my home directory and saved a few other things that occurred to me but nothing specifically for gnupg (except the old .gnupg in the home directory). > > Which were the steps you have taken for "migrating" keys to the new > installation? I copied into the .gnupg directory of the new installation the files that I have copied over onto other machines in the past : pubring, secring,trustdb, and conf files. 
> And, by the way, does the screen output in your previous mail really > show that a subkey with the same ID as the pubkey (so, a duplicate of > the pubkey) is being used for decrypting a file encrypted to your > pubkey? I mean, that wouldn't make sense in terms of public key > cryptography and is duly canceled by gpg. > Am I missing something? The screen output was just what gpg (1.4.20) displayed. After I solved the missing scdaemon issue, gpg2 (2.1.11) produces the same output. There doesn't appear to be anything wrong with the encrypted file because it decrypts fine (as I noted) using my pre-smartcard secring. It looks like I got the process of moving to a new installation wrong. So I am in need of a precise process description to start again and do it correctly. Philip From peter at digitalbrains.com Sun Sep 11 14:42:51 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Sun, 11 Sep 2016 14:42:51 +0200 Subject: :-(( smart card no longer works In-Reply-To: <7d06ac13-fefd-a727-44bc-7537aa3b1352@mailbox.org> References: <013e01d20a0c$864108a0$92c319e0$@sixdemonbag.org> <014901d20a0e$937e17e0$ba7a47a0$@sixdemonbag.org> <01c63f6e-fa92-d187-107a-6ede0e7bc583@fsij.org> <11ef6de0-8625-a89d-104f-8550f5dcaa55@nordnet.fr> <93bb4c24-20e3-7a86-fd49-a6b344f7b3a3@fsij.org> <30030b1e-5225-84eb-1a97-aa74c41acf97@nordnet.fr> <7d06ac13-fefd-a727-44bc-7537aa3b1352@mailbox.org> Message-ID: <8dd1eadc-03a0-8044-2516-ce63e5152940@digitalbrains.com> On 10/09/16 20:56, Stephan Beck wrote: > And, by the way, does the screen output in your previous mail really > show that a subkey with the same ID as the pubkey (so, a duplicate of > the pubkey) is being used for decrypting a file encrypted to your > pubkey? I mean, that wouldn't make sense in terms of public key > cryptography and is duly canceled by gpg. > Am I missing something? It looks fine to me, I think you're getting confused by it referring to the key in several ways. 
Here's part of the output for "gpg2 -v -d" for me: > gpg: public key is 73A33BEE > gpg: using subkey 73A33BEE instead of primary key DE500B3E > gpg: using subkey 73A33BEE instead of primary key DE500B3E > gpg: encrypted with 2048-bit RSA key, ID 73A33BEE, created 2009-11-12 > "Peter Lebbing " It first notices the key it is encrypted to is 73A33BEE, which is a subkey. Then it really wants me to know that it is using this subkey of the primary DE500B3E :-). Finally it shows the actual subkey it was encrypted to along with the primary User ID of the key as a whole. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From stebe at mailbox.org Sun Sep 11 19:49:00 2016 From: stebe at mailbox.org (Stephan Beck) Date: Sun, 11 Sep 2016 17:49:00 +0000 Subject: :-(( Re: smart card no longer works In-Reply-To: <774544b6-8ac5-39fc-06be-1a3ec7f66327@nordnet.fr> References: <013e01d20a0c$864108a0$92c319e0$@sixdemonbag.org> <014901d20a0e$937e17e0$ba7a47a0$@sixdemonbag.org> <01c63f6e-fa92-d187-107a-6ede0e7bc583@fsij.org> <11ef6de0-8625-a89d-104f-8550f5dcaa55@nordnet.fr> <93bb4c24-20e3-7a86-fd49-a6b344f7b3a3@fsij.org> <30030b1e-5225-84eb-1a97-aa74c41acf97@nordnet.fr> <7d06ac13-fefd-a727-44bc-7537aa3b1352@mailbox.org> <774544b6-8ac5-39fc-06be-1a3ec7f66327@nordnet.fr> Message-ID: <0bdc52cc-41f5-316a-6a72-d33134871ed4@mailbox.org> Philip Jackson: > On 10/09/16 20:56, Stephan Beck wrote: > It looks like I got the process of moving to a new installation wrong. > So I am in need of a precise process description to start again and do > it correctly. Which type of smartcard do you have? Which gnupg versions were installed on the old system and with which of it did you generate keys?
It might be possible, though, that the error is somewhere else, so you may gather more information first using gpg with the --debug-level expert option, and checking the BTS (and the smartcard's support site) to rule out other causes. Cheers, Stebe From stebe at mailbox.org Sun Sep 11 19:50:00 2016 From: stebe at mailbox.org (Stephan Beck) Date: Sun, 11 Sep 2016 17:50:00 +0000 Subject: :-(( smart card no longer works In-Reply-To: <8dd1eadc-03a0-8044-2516-ce63e5152940@digitalbrains.com> References: <013e01d20a0c$864108a0$92c319e0$@sixdemonbag.org> <014901d20a0e$937e17e0$ba7a47a0$@sixdemonbag.org> <01c63f6e-fa92-d187-107a-6ede0e7bc583@fsij.org> <11ef6de0-8625-a89d-104f-8550f5dcaa55@nordnet.fr> <93bb4c24-20e3-7a86-fd49-a6b344f7b3a3@fsij.org> <30030b1e-5225-84eb-1a97-aa74c41acf97@nordnet.fr> <7d06ac13-fefd-a727-44bc-7537aa3b1352@mailbox.org> <8dd1eadc-03a0-8044-2516-ce63e5152940@digitalbrains.com> Message-ID: <45804ca0-055e-f9ed-b150-90e6ce291df6@mailbox.org> Peter Lebbing: > On 10/09/16 20:56, Stephan Beck wrote: > [...] > It looks fine to me, I think you're getting confused by it referring to > the key in several ways. Here's part of the output for "gpg2 -v -d" for me: > >> gpg: public key is 73A33BEE >> gpg: using subkey 73A33BEE instead of primary key DE500B3E >> gpg: using subkey 73A33BEE instead of primary key DE500B3E >> gpg: encrypted with 2048-bit RSA key, ID 73A33BEE, created 2009-11-12 >> "Peter Lebbing " > > It first notices the key it is encrypted to is 73A33BEE, which is a > subkey. Then it really wants me to know that it is using this subkey of > the primary DE500B3E :-). Finally it shows the actual subkey it was > encrypted to along with the primary User ID of the key as a whole. Thanks, Peter. Yes, this referring to the key in several ways led to my confusion (and I didn't even try to reproduce the situation).
But you put your light and confusion is gone :-) Cheers, Stebe From moritz at klammler.eu Sun Sep 11 21:17:31 2016 From: moritz at klammler.eu (Moritz Klammler) Date: Sun, 11 Sep 2016 21:17:31 +0200 Subject: What happened to this signature? Message-ID: <87sht6z1o4.fsf@klammler.eu> Today, I've posted a signed message (OpenPGP MIME) to a public mailing list I'm subscribed to. When it was delivered back to me, the signature was broken. I investigated the case and found out that some silly MTA had un-escaped a minus-character in the message body (quoted-printable) and added a blank line at the top. This is annoying but is adequately explained by stupidity so it didn't alarm me. Similar things have happened to me many times in the past. What *did* alarm me is that a further investigation revealed that the signature itself was changed, too. This is the original, good, signature as it was created by myself. -----BEGIN PGP SIGNATURE----- iQEcBAEBCAAGBQJX1XnOAAoJEM9sUWbzk6nA7JsH/1axM1lcgsDmLUvZM51yQGmg 4B+P9p/iFLszGY7vXh/RY+Nfs6fEtlqUPaJf4iHWtM5AewzoAItNPeK7kRJqdTs7 7DADoMdeAE63n8trTqDeAqU1gOq+YAvIhvs1b9ocalAwcPEQllKKUsmjS3NYFbRH LM1nhHdwQXlIWXGWOhqJI6HxcGBO1+ebMY66MndfNQIiT9hWQtAkRT4gg/qJHT1z 1jsSff6RCj9QKA4ohKnIxeoe7uJFdpoOlueqnpSFCYPKwp86e4f8dRvxVxhSuDU1 EPYILSMDkt0YKwXZGCF8LWlR6PG3wiHrmPQbmNfVdAf+7ygTmdLo59OIJ6778dc= =KUSY -----END PGP SIGNATURE----- And this is the signature as it came back to me.
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJX1XnJAAoJEM9sUWbzk6nAVQ4H/110oZwIor4UFJh2+41ydfJL
8gRG95rDxSAhydHjqS0vdFcl+eG0uQfhvc7rndkmV4fLpM1GMiNqlDZhCWsTGyXy
d/UAS9G4whs1bwJZcRHswDmuveH3EB3V7vu77zOzC1V+dsmXjlw63AMwKRoPojwU
Zle9CSTx4yyPO5UIGbWkbAcYybpKuQ3uv/pe/jq6V659H1fZnq9iaQXDTnPhRr8w
/F+n0NI1a4pFGWkY1wjuzuvzcedtb2bnn4pSbbkegli8Gnw7ILk0pzDi8r4rPjDo
a9qoHv6DXczeHq9h8R5iJ3/OKSR90l7aydckZiyZ5Syd0TJR8LCsobDaMvDDmhg=
=bTBV
-----END PGP SIGNATURE-----

I have run `gpg --list-packets --verbose` on both signatures and found that the "created", the "begin of digest" and the "data" field had changed. I've checked out RFC 4880 and concluded that "digest algo 8" must mean that SHA256 has been used. I *thought* that the "begin of digest" field should then hold the two leftmost octets of the SHA256 hash of the signed message but this wasn't true for either message. The hashes are

    1e382398177e8cf1a7e5c7ae470ff8f756369d1531fcbe3c15c3825e15bfa726
    ce4f76719e0fb01f344c5dae9aad83daf00bf014f4884d33cf51e797ef3d0be2

for the original and modified messages respectively. I'm confident that I've hashed the correct parts of the MIME message because GnuPG verifies the signature for the original message.

I'm not panicked because the changed signature file is invalid anyway but I'm somewhat alerted whether the modified signature can still be explained without assuming malice. First of all, I would like to better understand in what ways the signature was modified and appreciate any help in analyzing the fields. Secondly, I would like to know whether this is something that happens on a regular basis to other people as well.

I cannot see any signs of a real attack here because the message was not altered in a way that an attacker could possibly benefit from. The only conspiracy I can come up with is that somebody might have wanted to challenge my awareness and test my response to such incidents. Or simply annoy OpenPGP users such that they'll eventually stop using it.
Thanks in advance for any insights.

-- 
OpenPGP:
Public Key: http://openpgp.klammler.eu
Fingerprint: 2732 DA32 C8D0 EEEC A081 BE9D CF6C 5166 F393 A9C0

From philip.jackson at nordnet.fr Sun Sep 11 22:36:46 2016
From: philip.jackson at nordnet.fr (Philip Jackson)
Date: Sun, 11 Sep 2016 22:36:46 +0200
Subject: :-(( Re: smart card no longer works
In-Reply-To: <0bdc52cc-41f5-316a-6a72-d33134871ed4@mailbox.org>
References: <013e01d20a0c$864108a0$92c319e0$@sixdemonbag.org> <014901d20a0e$937e17e0$ba7a47a0$@sixdemonbag.org> <01c63f6e-fa92-d187-107a-6ede0e7bc583@fsij.org> <11ef6de0-8625-a89d-104f-8550f5dcaa55@nordnet.fr> <93bb4c24-20e3-7a86-fd49-a6b344f7b3a3@fsij.org> <30030b1e-5225-84eb-1a97-aa74c41acf97@nordnet.fr> <7d06ac13-fefd-a727-44bc-7537aa3b1352@mailbox.org> <774544b6-8ac5-39fc-06be-1a3ec7f66327@nordnet.fr> <0bdc52cc-41f5-316a-6a72-d33134871ed4@mailbox.org>
Message-ID: <5b62f4d0-9c70-04c7-206e-0835268c32e1@nordnet.fr>

On 11/09/16 19:49, Stephan Beck wrote:
> Which type of smartcard do you have? Which gnupg versions were installed
> on the old system and with which of it did you generate keys?

The smartcard is a version 2.0 made by ZeitControl and bought from Kernel-concepts and used with a SCT3512 usb holder from SCM. I bought it in or around August / September 2014 and installed it using UbuntuStudio1404 LTS with gnupg 2.0.22.

The keys were generated in 2013 using the gnupg2 stuff in Windows 7 except for a couple of the sub keys which were made on the card in October 2014.

I guess I'll have to dig in the archives and see if I can find records of how I got it working back in 2014.

Philip

From kloecker at kde.org Sun Sep 11 23:50:15 2016
From: kloecker at kde.org (Ingo Klöcker)
Date: Sun, 11 Sep 2016 23:50:15 +0200
Subject: What happened to this signature?
In-Reply-To: <87sht6z1o4.fsf@klammler.eu>
References: <87sht6z1o4.fsf@klammler.eu>
Message-ID: <19396943.jrj2Ukhk1O@thufir>

On Sunday 11 September 2016 21:17:31 Moritz Klammler wrote:
> Today, I've posted a signed message (OpenPGP MIME) to a public
> mailing list I'm subscribed to. When it was delivered back to me,
> the signature was broken. I investigated the case and found out that
> some silly MTA had un-escaped a minus-character in the message body
> (quoted-printable) and added a blank line at the top. This is
> annoying but is adequately explained by stupidity so it didn't alarm
> me. Similar things have happened to me many times in the past. What
> *did* alarm me is that a further investigation revealed that the
> signature itself was changed, too.

A possible explanation which does not involve any conspiracies would be that Gnus, for whatever reason, signs the copy of the message that is stored in the sent folder (which, I assume, is where you've got the "original, good, signature" from) separately from the copy of the message that it sends.

Regards,
Ingo

From dkg at fifthhorseman.net Mon Sep 12 02:52:25 2016
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Mon, 12 Sep 2016 02:52:25 +0200
Subject: gpg-agent only works when started in terminal
In-Reply-To: <5c31a404-0c1f-ff6b-0e98-867f016b3cfd@blazrsoft.com>
References: <5c31a404-0c1f-ff6b-0e98-867f016b3cfd@blazrsoft.com>
Message-ID: <87pooadjna.fsf@alice.fifthhorseman.net>

Hi Antony--

On Thu 2016-09-08 00:44:34 +0200, Antony Prince wrote:
> I know this has got to be something simple.
> When invoking gpg2 normally
> to decrypt, I get:
>
> gpg: encrypted with 4096-bit RSA key, ID 0E98CD22ADB13E99, created 2015-05-06
> "Antony Prince "
> gpg: public key decryption failed: No pinentry
> gpg: decryption failed: No secret key
>
> I have pinentry-program set properly in ~/.gnupg/gpg-agent.conf.
>
> If I do:
>
> killall gpg-agent
> gpg-agent --daemon /bin/sh
>
> The pinentry appears as it should and all is fine.

A few diagnostic questions might help other folks on this list point you in the right direction:

this command should not cause the pinentry to appear; what command are you running that actually causes pinentry to appear? what operating system are you running? are the gnupg packages supplied by the OS or have you built them by hand?

what does the output of the following command show?

    gpg --list-secret-keys 0E98CD22ADB13E99

how about:

    gpg --version

(you've already showed gpg2 --version which reports 2.1.15, but plain gpg might show something different)

What do you have pinentry-program set to in gpg-agent.conf?

If it turns out that gpg is version 1.4, and has access to the secret key, but 2.1.15 does not, then you can try importing your secret keyring into your 2.1.15 secret keyring to solve the problem. That'd look something like:

    gpg2 --import < ~/.gnupg/secring.gpg

hope these questions and suggestions are useful.

--dkg

From thecissou98 at hotmail.fr Mon Sep 12 06:04:19 2016
From: thecissou98 at hotmail.fr (Le Roy Francis)
Date: Mon, 12 Sep 2016 04:04:19 +0000
Subject: Javascript and smartcard
Message-ID:

Hi, I was wondering if by any chances, there is, in addition to the Javascript port of gpgme (OpenPGP.js), a Node.js module to interact with smart card?

Regards.

Francis Le Roy.

From rjh at sixdemonbag.org Mon Sep 12 06:49:43 2016
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 12 Sep 2016 00:49:43 -0400
Subject: Javascript and smartcard
In-Reply-To:
References:
Message-ID: <2da00e6e-aa19-702c-2139-a23cb7d89528@sixdemonbag.org>

> Hi, I was wondering if by any chances, there is, in addition to the
> Javascript port of gpgme (OpenPGP.js)...

OpenPGP.js is not a GPGME binding. It doesn't use GnuPG at all.

From andre at colomb.de Mon Sep 12 11:04:24 2016
From: andre at colomb.de (André Colomb)
Date: Mon, 12 Sep 2016 11:04:24 +0200
Subject: Local-signing without (offline) private master key
Message-ID: <0962656f-20d8-4901-475a-9f8623d19328@colomb.de>

Hi all, this is my first post to GnuPG-users, please be gentle :-)

My OpenPGP setup currently includes an offline master key (see attached public key) with three subkeys on a Yubikey USB "smartcard". Amongst them is a signing subkey with "usage: S" flag, but only the master key has the Certify capability (usage: SC).

Now I want to import someone else's key to verify a signature. In order to verify that signature, I need to at least locally sign the owner's key, AFAIK. However, I would need my offline master key (read: really inconvenient) to issue a signature.

What is the recommended practice if I only want to verify message integrity, but don't have the master key with Certify ability available?

One solution that comes to mind would be to add a new certification subkey that I keep on my machine instead of the smartcard, and only use it for local signatures. Would that make sense or what complications should I expect?

Building a Web of Trust with an offline master key seems rather difficult, even just to verify incoming emails. Maybe the upcoming TOFU trust model would help my usage pattern?

Thanks for any pointers or explanation.

Kind regards,
André

-- 
Greetings...
From: André Colomb

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x9F45D0FB.asc
Type: application/pgp-keys
Size: 5371 bytes
Desc: not available
URL:

From kristian.fiskerstrand at sumptuouscapital.com Mon Sep 12 12:58:08 2016
From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand)
Date: Mon, 12 Sep 2016 12:58:08 +0200
Subject: Local-signing without (offline) private master key
In-Reply-To: <0962656f-20d8-4901-475a-9f8623d19328@colomb.de>
References: <0962656f-20d8-4901-475a-9f8623d19328@colomb.de>
Message-ID:

On 09/12/2016 11:04 AM, André Colomb wrote:
> What is the recommended practice if I only want to verify message
> integrity, but don't have the master key with Certify ability available?

I'd suggest creating another primary key for explicit local certification purposes you never use anywhere else, and can rotate that as often as wanted to start fresh from time to time.

-- 
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP certificate at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Veni vidi velcro
I came, I saw, I got stuck

From antony at blazrsoft.com Mon Sep 12 13:45:38 2016
From: antony at blazrsoft.com (Antony Prince)
Date: Mon, 12 Sep 2016 07:45:38 -0400
Subject: Local-signing without (offline) private master key
In-Reply-To:
References: <0962656f-20d8-4901-475a-9f8623d19328@colomb.de>
Message-ID: <713B0318-9C69-419D-97D4-563F83162013@blazrsoft.com>

On September 12, 2016 6:58:08 AM EDT, Kristian Fiskerstrand wrote:
>
>I'd suggest creating another primary key for explicit local
>certification purposes you never use anywhere else, and can rotate that
>as often as wanted to start fresh from time to time.

That's what I do. I have a separate key on each machine dedicated to local certification that I don't use for anything else.

From dgouttegattat at incenp.org Mon Sep 12 14:16:46 2016
From: dgouttegattat at incenp.org (Damien Goutte-Gattat)
Date: Mon, 12 Sep 2016 14:16:46 +0200
Subject: Local-signing without (offline) private master key
In-Reply-To: <0962656f-20d8-4901-475a-9f8623d19328@colomb.de>
References: <0962656f-20d8-4901-475a-9f8623d19328@colomb.de>
Message-ID:

On 09/12/2016 11:04 AM, André Colomb wrote:
> Maybe the upcoming TOFU trust model would help my usage pattern?

I think so. Marking the binding between your correspondent's key and its email address with a "good" TOFU policy (something that does not require your private primary key) would be equivalent to locally signing the key: it's a private statement (only available to yourself) that you regard that key as valid, i.e. as belonging to the User ID it carries.

This does not prevent you from continuing to use the Web-of-Trust if you're so inclined, as the "tofu+pgp" model allows you to use both TOFU assertions and WoT certifications to validate a key.

If you're already using GnuPG >= 2.1.10 (with support for the TOFU model), I would argue this is your best option.
Regards,

Damien

From nathan.musoke at gmail.com Mon Sep 12 13:08:50 2016
From: nathan.musoke at gmail.com (Nathan Musoke)
Date: Mon, 12 Sep 2016 23:08:50 +1200
Subject: Local-signing without (offline) private master key
In-Reply-To: <0962656f-20d8-4901-475a-9f8623d19328@colomb.de>
References: <0962656f-20d8-4901-475a-9f8623d19328@colomb.de>
Message-ID:

> Now I want to import someone else's key to verify a signature. In order
> to verify that signature, I need to at least locally sign the owner's
> key, AFAIK. However, I would need my offline master key (read: really
> inconvenient) to issue a signature.

I'm no expert, but as far as I know you don't need to locally sign a key to verify a signature. My understanding is that setting the local trust should be sufficient to make GnuPG happy. See https://www.gnupg.org/gph/en/manual/x334.html

(Someone please correct me if I'm wrong...)

From kristian.fiskerstrand at sumptuouscapital.com Mon Sep 12 15:32:22 2016
From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand)
Date: Mon, 12 Sep 2016 15:32:22 +0200
Subject: Local-signing without (offline) private master key
In-Reply-To:
References: <0962656f-20d8-4901-475a-9f8623d19328@colomb.de>
Message-ID: <8cac3641-cee7-b52a-e289-3710ccda382a@sumptuouscapital.com>

On 09/12/2016 01:08 PM, Nathan Musoke wrote:
>> Now I want to import someone else's key to verify a signature. In order
>> to verify that signature, I need to at least locally sign the owner's
>> key, AFAIK. However, I would need my offline master key (read: really
>> inconvenient) to issue a signature.
>
> I'm no expert, but as far as I know you don't need to locally sign a key to
> verify a signature. My understanding is that setting the local trust should
> be sufficient to make GnuPG happy.
> See
> https://www.gnupg.org/gph/en/manual/x334.html
>
> (Someone please correct me if I'm wrong...)

This is wrong, trust and validity are distinct and separate concepts. You use a local signature to assign an ephemeral validity, trust would be a matter of whether you believe/trust in the other party's ability to certify third parties (and with the exception of ultimate trust, that you should only use on keys you control yourself already requires the key to be validated)

-- 
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP certificate at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Ab esse ad posse
From being to knowing

From moritz at klammler.eu Mon Sep 12 17:06:23 2016
From: moritz at klammler.eu (Moritz Klammler)
Date: Mon, 12 Sep 2016 17:06:23 +0200
Subject: What happened to this signature?
In-Reply-To: Ingo Klöcker's message of "Sun, 11 Sep 2016 23:50:15 +0200 (17 hours, 5 minutes, 9 seconds ago)"
Message-ID: <87wpihximo.fsf@klammler.eu>

>> Today, I've posted a signed message (OpenPGP MIME) to a public
>> mailing list I'm subscribed to. When it was delivered back to me,
>> the signature was broken. I investigated the case and found out that
>> some silly MTA had un-escaped a minus-character in the message body
>> (quoted-printable) and added a blank line at the top. This is
>> annoying but is adequately explained by stupidity so it didn't alarm
>> me. Similar things have happened to me many times in the past. What
>> *did* alarm me is that a further investigation revealed that the
>> signature itself was changed, too.
>
> A possible explanation which does not involve any conspiracies would
> be that Gnus, for whatever reason, signs the copy of the message that
> is stored in the sent folder (which, I assume, is where you've got the
> "original, good, signature" from) separately from the copy of the
> message that it sends.

Thank you, I think you are right. The "bad" signature happens to be a valid signature of the (this time really) good message, too. Isn't it nice to learn new things about your MUA every day? Quite embarrassing though, that I didn't realize this behavior earlier.

I would still be interested to understand the meaning of the "begin of digest" packet in a signature. Apparently, it is not the two leftmost bytes of the signed hash. But what else is it then?

Moritz

-- 
OpenPGP:
Public Key: http://openpgp.klammler.eu
Fingerprint: 2732 DA32 C8D0 EEEC A081 BE9D CF6C 5166 F393 A9C0

From antony at blazrsoft.com Mon Sep 12 20:02:55 2016
From: antony at blazrsoft.com (Antony Prince)
Date: Mon, 12 Sep 2016 14:02:55 -0400
Subject: gpg-agent only works when started in terminal
In-Reply-To:
References: <5c31a404-0c1f-ff6b-0e98-867f016b3cfd@blazrsoft.com>
Message-ID: <79145ced-2d16-fb3d-7ff4-8e772964b27d@blazrsoft.com>

On 09/09/2016 05:55 AM, Stephan Beck wrote:
> AFAIK, this means that the agent is not started when you "invoke gpg2
> normally" (directly from the command line?), so the environment may be
> incorrectly set. Or is there more than one agent instance running?

When gpg2 is called, the agent appears to start normally.

antony at 050415:~$ sudo ps -aux | grep gpg-agent | grep -v grep
antony 1717 0.0 0.0 174064 808 ? Ss 13:33 0:00 /usr/local/bin/gpg-agent

> What does a
> gpg-agent --daemon --write-env-file
> output in terms of GPG-AGENT_INFO?
> Is the correct socket being used?

antony at 050415:~$ gpg-agent --daemon --write-env-file
gpg-agent[3176]: WARNING: "--write-env-file" is an obsolete option - it has no effect
gpg-agent[3177]: gpg-agent (GnuPG) 2.1.15 started
antony at 050415:~$ echo $GPG_AGENT_INFO
/run/user/1000/keyring-Hs60Gh/gpg:0:1

> And you symlinked /usr/bin/pinentry and the pinentry you might actually use?

antony at 050415:~$ ls -la /usr/bin/pinentry
lrwxrwxrwx 1 root root 26 Sep 12 13:51 /usr/bin/pinentry -> /etc/alternatives/pinentry
antony at 050415:~$ ls -la /usr/local/bin/pinentry
lrwxrwxrwx 1 root root 26 Sep 12 13:51 /usr/local/bin/pinentry -> /etc/alternatives/pinentry
antony at 050415:~$ /etc/alternatives/pinentry
OK Your orders please

-- 
Antony Prince
Key ID: 0xAF3D4087301B1B19
Fingerprint: 591F F17F 7A4A A8D0 F659 C482 AF3D 4087 301B 1B19
URL: http://pool.sks-keyservers.net/pks/lookup?op=get&search=0xAF3D4087301B1B19

From antony at blazrsoft.com Mon Sep 12 20:19:05 2016
From: antony at blazrsoft.com (Antony Prince)
Date: Mon, 12 Sep 2016 14:19:05 -0400
Subject: gpg-agent only works when started in terminal
In-Reply-To: <87pooadjna.fsf@alice.fifthhorseman.net>
References: <5c31a404-0c1f-ff6b-0e98-867f016b3cfd@blazrsoft.com> <87pooadjna.fsf@alice.fifthhorseman.net>
Message-ID:

On 09/11/2016 08:52 PM, Daniel Kahn Gillmor wrote:
> this command should not cause the pinentry to appear; what command are
> you running that actually causes pinentry to appear? what operating
> system are you running? are the gnupg packages supplied by the OS or
> have you built them by hand?

The command to cause pinentry to appear:

gpg2 -o enc.txt -d enc.gpg

enc.gpg is a text file encrypted to my key for testing purposes.

antony at 050415:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.5 LTS
Release: 14.04
Codename: trusty

gpg2 binary was compiled by hand.

> what does the output of the following command show?
>
> gpg --list-secret-keys 0E98CD22ADB13E99
>
> how about:
>
> gpg --version

antony at 050415:~$ gpg --list-secret-keys 0E98CD22ADB13E99
sec 4096R/301B1B19 2015-05-06 [expires: 2017-05-05]
uid Antony Prince
uid Antony Prince
uid Antony Prince
uid Antony Prince
ssb 4096R/ADB13E99 2015-05-06 [expires: 2017-05-05]

NOTE: uids have been altered here. They show correctly in the actual output.

antony at 050415:~$ gpg --version
gpg (GnuPG) 1.4.16
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

> What do you have pinentry-program set to in gpg-agent.conf?

antony at 050415:~$ cat ~/.gnupg/gpg-agent.conf
pinentry-program /etc/alternatives/pinentry
antony at 050415:~$ /etc/alternatives/pinentry
OK Your orders please

> If it turns out that gpg is version 1.4, and has access to the secret
> key, but 2.1.15 does not, then you can try importing your secret keyring

antony at 050415:~$ gpg2 --list-secret-keys 0E98CD22ADB13E99
sec rsa4096 2015-05-06 [SC] [expires: 2017-05-05]
591FF17F7A4AA8D0F659C482AF3D4087301B1B19
uid [ultimate] Antony Prince
uid [ultimate] Antony Prince
uid [ultimate] Antony Prince
uid [ultimate] Antony Prince
ssb rsa4096 2015-05-06 [E] [expires: 2017-05-05]

-- 
Antony Prince
Key ID: 0xAF3D4087301B1B19
Fingerprint: 591F F17F 7A4A A8D0 F659 C482 AF3D 4087 301B 1B19
URL: http://pool.sks-keyservers.net/pks/lookup?op=get&search=0xAF3D4087301B1B19

From anthony at cajuntechie.org Mon Sep 12 20:31:38 2016
From: anthony at cajuntechie.org (Anthony Papillion)
Date: Mon, 12 Sep 2016 13:31:38 -0500
Subject: Why would I want S/MIME?
Message-ID:

I understand what S/MIME is and that it's probably the easiest crypto solution for most email users. But why would someone comfortable with GnuPG use it? Does it offer any advantages over traditional PGP keys? If I understand correctly, it's a certificate that is much like a SSL certificate. If that's the case, doesn't it suffer from the same weaknesses that SSL certs currently suffer from (like double issuance, etc)?

Why would I want to use S/MIME?

Thanks,
Anthony

-- 
OpenPGP Key: 4096R/0x028ADF7453B04B15
Keybase: https://keybase.io/cajuntechie
Other Key Info: http://www.cajuntechie.org/p/my-pgp-key.html
XMPP/Jabber: cajuntech at dukgo.com
VoIP/SIP: 1259010 at localphone.com

From rjh at sixdemonbag.org Mon Sep 12 21:10:24 2016
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 12 Sep 2016 15:10:24 -0400
Subject: Why would I want S/MIME?
In-Reply-To:
References:
Message-ID: <020001d20d29$515f5c70$f41e1550$@sixdemonbag.org>

> I understand what S/MIME is and that it's probably the easiest crypto
> solution for most email users. But why would someone comfortable with
> GnuPG use it?

There's a subtle point here. The question isn't whether you're comfortable with GnuPG; the question is whether the people you want to send email to are comfortable with GnuPG.

I use S/MIME literally daily at work. My co-workers like S/MIME because it's close to an "it just works" solution. Few of my co-workers have been willing to learn GnuPG.

From anthony at cajuntechie.org Mon Sep 12 21:15:39 2016
From: anthony at cajuntechie.org (Anthony Papillion)
Date: Mon, 12 Sep 2016 14:15:39 -0500
Subject: Why would I want S/MIME?
In-Reply-To: <020001d20d29$515f5c70$f41e1550$@sixdemonbag.org>
References: <020001d20d29$515f5c70$f41e1550$@sixdemonbag.org>
Message-ID:

On 9/12/2016 2:10 PM, Robert J. Hansen wrote:
>> I understand what S/MIME is and that it's probably the easiest crypto
>> solution for most email users. But why would someone comfortable with
>> GnuPG use it?
>
> There's a subtle point here. The question isn't whether you're comfortable with GnuPG; the question is whether the people you want to send email to are comfortable with GnuPG.
>
> I use S/MIME literally daily at work. My co-workers like S/MIME because it's close to an "it just works" solution. Few of my co-workers have been willing to learn GnuPG.

Your points are solid. I think that I might not have asked the right question. Let me rephrase:

Assuming everyone is willing and comfortable with using GnuPG, is there any compelling reason (aside from easy setup and use) to use S/MIME?

From dkg at fifthhorseman.net Mon Sep 12 19:12:20 2016
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Mon, 12 Sep 2016 19:12:20 +0200
Subject: What happened to this signature?
In-Reply-To: <19396943.jrj2Ukhk1O@thufir>
References: <87sht6z1o4.fsf@klammler.eu> <19396943.jrj2Ukhk1O@thufir>
Message-ID: <87a8fddouj.fsf@alice.fifthhorseman.net>

On Sun 2016-09-11 23:50:15 +0200, Ingo Klöcker wrote:
> On Sunday 11 September 2016 21:17:31 Moritz Klammler wrote:
>> Today, I've posted a signed message (OpenPGP MIME) to a public
>> mailing list I'm subscribed to. When it was delivered back to me,
>> the signature was broken. I investigated the case and found out that
>> some silly MTA had un-escaped a minus-character in the message body
>> (quoted-printable) and added a blank line at the top. This is
>> annoying but is adequately explained by stupidity so it didn't alarm
>> me. Similar things have happened to me many times in the past. What
>> *did* alarm me is that a further investigation revealed that the
>> signature itself was changed, too.
>
> A possible explanation which does not involve any conspiracies would be
> that Gnus, for whatever reason, signs the copy of the message that is
> stored in the sent folder (which, I assume, is where you've got the
> "original, good, signature" from) separately from the copy of the
> message that it sends.

Indeed, i believe it does. I use notmuch-emacs, which also uses mml-mode for composition; and that setup used to be the default configuration before i switched over to using a native notmuch fcc approach (see the notmuch mailing list thread starting on Message-Id: <1465599772-10297-1-git-send-email-markwalters1009 at gmail.com> is a good example of using notmuch-specific fcc, which removes the risk of double-signing.

--dkg

From rjh at sixdemonbag.org Mon Sep 12 22:58:47 2016
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 12 Sep 2016 16:58:47 -0400
Subject: Why would I want S/MIME?
In-Reply-To:
References: <020001d20d29$515f5c70$f41e1550$@sixdemonbag.org>
Message-ID: <023901d20d38$758473b0$608d5b10$@sixdemonbag.org>

> Assuming everyone is willing and comfortable with using GnuPG, is there any
> compelling reason (aside from easy setup and use) to use S/MIME?

Regulatory compliance. For instance, if you were in the banking industry you'd be using S/MIME even if everyone preferred GnuPG -- S/MIME is part of several important banking standards, whereas GnuPG isn't.

That's the only compelling reason I can think of.

From dkg at fifthhorseman.net Tue Sep 13 01:02:05 2016
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Tue, 13 Sep 2016 01:02:05 +0200
Subject: Javascript and smartcard
In-Reply-To:
References:
Message-ID: <878tuwd8nm.fsf@alice.fifthhorseman.net>

On Mon 2016-09-12 06:04:19 +0200, Le Roy Francis wrote:
> Hi, I was wondering if by any chances, there is, in addition to the
> Javascript port of gpgme (OpenPGP.js), a Node.js module to interact
> with smart card?

You might consider writing a patch or extension to OpenPGP.js that knows how to talk to gpg-agent for use of secret keys. That way gpg-agent could delegate the work to the smartcard via scdaemon, and OpenPGP.js wouldn't need to know anything about the secret key material.

--dkg

From aaron.toponce at gmail.com Mon Sep 12 23:49:12 2016
From: aaron.toponce at gmail.com (Aaron Toponce)
Date: Mon, 12 Sep 2016 15:49:12 -0600
Subject: Why would I want S/MIME?
In-Reply-To:
References:
Message-ID: <20160912214910.tcxkg5ahbkxcgopf@eightyeight.xmission.com>

On Mon, Sep 12, 2016 at 01:31:38PM -0500, Anthony Papillion wrote:
> I understand what S/MIME is and that it's probably the easiest crypto
> solution for most email users. But why would someone comfortable with
> GnuPG use it? Does it offer any advantages over traditional PGP keys? If
> I understand correctly, it's a certificate that is much like a SSL
> certificate. If that's the case, doesn't it suffer from the same
> weaknesses that SSL certs currently suffer from (like double issuance, etc)?
>
> Why would I want to use S/MIME?

Are you comparing S/MIME to PGP/MIME and PGP/Inline? I assume so, with your question regarding GnuPG. As such, S/MIME provides some advantages over PGP/MIME, IMO:

* S/MIME ships the entire public key as part of the email.
* S/MIME certificates are usually created and managed by the organization.
* There is wide-spread MUA support for S/MIME (EG: Outlook).

PGP/MIME and PGP/Inline generally mean getting the public key separately. Because PGP and OpenPGP are decentralized, trust is manual (versus CAs with SSL certificates in S/MIME). There is not widespread support for OpenPGP public keys in MUAs, such as Outlook and most web-based MUAs. OpenPGP keys must be managed independently, and this has shown to be more work than most people are willing to put in.

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o

From halocaridina at gmail.com Tue Sep 13 02:12:56 2016
From: halocaridina at gmail.com (Scott R. Santos)
Date: Mon, 12 Sep 2016 19:12:56 -0500
Subject: [Linux/OS X] Identiv SCR3500 A working with OpenPGP Smartcards 2.1?
Message-ID: <20160913001255.GA6456@santos-son-of-ubuntu.auburn.edu>

Hello everyone,

I was interested in hearing from anyone who might be using OpenPGP v2.1 Smartcards with the Identiv SCR3500 A "SmartFold" USB Reader. A spec sheet on this reader can be found here:

http://files.identiv.com/products/smart-card-readers/contact/scr3500/SCR3500_A_DS.pdf

Specifically, has this reader been successfully used to read and write to OpenPGP v2.1 Smartcards under current distros/versions of Linux and/or Apple OS X using recent versions of gnupg?

The reader is natively recognized by the kernel on an up-to-date ArchLinux system with lsusb as:

Bus 001 Device 007: ID 04e6:5410 SCM Microsystems, Inc. SCR35xx Smart Card Reader

as well as Apple OS X (at least from reports on sites selling it), suggesting some level of support.

Any info would be greatly appreciated and thank you in advance,

halocaridina

From dgouttegattat at incenp.org Tue Sep 13 08:17:58 2016
From: dgouttegattat at incenp.org (Damien Goutte-Gattat)
Date: Tue, 13 Sep 2016 08:17:58 +0200
Subject: [Linux/OS X] Identiv SCR3500 A working with OpenPGP Smartcards 2.1?
In-Reply-To: <20160913001255.GA6456@santos-son-of-ubuntu.auburn.edu>
References: <20160913001255.GA6456@santos-son-of-ubuntu.auburn.edu>
Message-ID: <264b882a-c563-bd81-e4ba-ea0a06e1fe41@incenp.org>

On 09/13/2016 02:12 AM, Scott R. Santos wrote:
> Specifically, has this reader been successfully used to read and
> write to OpenPGP v2.1 Smartcards under current distros/versions of
> Linux and/or Apple OS X using recent versions of gnupg?

I am successfully using it with an OpenPGP Smartcard v2.0 (not 2.1), under Slackware Linux with GnuPG 2.1.15. It works both with Scdaemon's internal CCID driver and with the pcscd/libpcsclite stack.

> Any info would be greatly appreciated and thank you in advance,

If you don't plan to use your reader for anything else than GnuPG, you may use the internal CCID driver.
In that case, there's not much to do; about the only thing you may have to take care of (if it's not already done on your system) is to make sure that your own user account is allowed to access the reader.

(That's for GNU/Linux; as for OS X, I have no clue.)

Damien

From wk at gnupg.org Tue Sep 13 12:08:31 2016
From: wk at gnupg.org (Werner Koch)
Date: Tue, 13 Sep 2016 12:08:31 +0200
Subject: Why would I want S/MIME?
In-Reply-To: <020001d20d29$515f5c70$f41e1550$@sixdemonbag.org> (Robert J. Hansen's message of "Mon, 12 Sep 2016 15:10:24 -0400")
References: <020001d20d29$515f5c70$f41e1550$@sixdemonbag.org>
Message-ID: <87bmzsm7s0.fsf@wheatstone.g10code.de>

On Mon, 12 Sep 2016 21:10, rjh at sixdemonbag.org said:
> I use S/MIME literally daily at work. My co-workers like S/MIME because it's close to an "it just works" solution. Few of my co-workers have been willing to learn GnuPG.

You mean GPG. GnuPG includes GPG and GPGSM and thus support for OpenPGP and for S/MIME.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Tue Sep 13 12:19:11 2016
From: wk at gnupg.org (Werner Koch)
Date: Tue, 13 Sep 2016 12:19:11 +0200
Subject: Javascript and smartcard
In-Reply-To: <878tuwd8nm.fsf@alice.fifthhorseman.net> (Daniel Kahn Gillmor's message of "Tue, 13 Sep 2016 01:02:05 +0200")
References: <878tuwd8nm.fsf@alice.fifthhorseman.net>
Message-ID: <877fagm7a8.fsf@wheatstone.g10code.de>

On Tue, 13 Sep 2016 01:02, dkg at fifthhorseman.net said:
> how to talk to gpg-agent for use of secret keys.
> That way gpg-agent
> could delegate the work to the smartcard via scdaemon, and OpenPGP.js
> wouldn't need to know anything about the secret key material.

It might be worth looking at Native Messaging (Chrome) and Web Extensions (Firefox) for accessing gpg-agent from OpenPGP.js. The only extra external dependency would then be a tool to connect stdin/stdout to gpg-agent's socket (--browser-socket in that case) and maybe to auto-start gpg-agent.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From andrewg at andrewg.com Tue Sep 13 13:07:46 2016
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Tue, 13 Sep 2016 12:07:46 +0100
Subject: Confusion about a statement in the FAQ
In-Reply-To: <60a86238-0f68-ce2f-c23b-e80504ba45e4@sixdemonbag.org>
References: <137adf5b-e0e8-42e8-8e1f-c1a3ce0fe0f2@cajuntechie.org> <9636ea75-b9cd-088d-fc56-aae95089d4c0@sixdemonbag.org> <0B02E4E4-A629-49F1-AE0D-9CA85685728D@andrewg.com> <6a52f070-f6b6-e56c-d82c-b91ef463591a@sixdemonbag.org> <60a86238-0f68-ce2f-c23b-e80504ba45e4@sixdemonbag.org>
Message-ID:

On 11/09/16 02:13, Robert J. Hansen wrote:
>> Whichever "they" you had in mind when you brought it up...? ;-)
>
> I said "Enigmail and other clients" -- if you don't specify which
> precise implementation you're interested in, I don't know which one you
> want to know about.

Well, I sort of wanted to know about them all, i.e. if there was an emerging consensus. Not much use if all the MUAs do it differently. ;-)

>> memoryhole's readme (thanks for the link!) states that it has been
>> implemented in enigmail...
>
> There's limited support for it. I wouldn't say it's ready for prime
> time, but if you feel like living on the bleeding edge, go for it! :)

I've waited 20 years for it, no harm waiting a little longer for stability...
:-P

Thanks again.

A

From mwood at IUPUI.Edu Tue Sep 13 13:32:33 2016
From: mwood at IUPUI.Edu (Mark H. Wood)
Date: Tue, 13 Sep 2016 07:32:33 -0400
Subject: Why would I want S/MIME?
In-Reply-To: <020001d20d29$515f5c70$f41e1550$@sixdemonbag.org>
References: <020001d20d29$515f5c70$f41e1550$@sixdemonbag.org>
Message-ID: <20160913113233.GA32603@IUPUI.Edu>

On Mon, Sep 12, 2016 at 03:10:24PM -0400, Robert J. Hansen wrote:
> > I understand what S/MIME is and that it's probably the easiest crypto
> > solution for most email users. But why would someone comfortable with
> > GnuPG use it?
>
> There's a subtle point here. The question isn't whether you're comfortable with GnuPG; the question is whether the people you want to send email to are comfortable with GnuPG.

Indeed, it's like telephones: for communication to happen, both parties must have them.

> I use S/MIME literally daily at work. My co-workers like S/MIME because it's close to an "it just works" solution. Few of my co-workers have been willing to learn GnuPG.

That echoes my experience. At work we have a bulk-purchase arrangement for certificates, so if I need one I just request one and it magically appears. OTOH most external correspondents have been unwilling to pay the price of a certificate, so with those few who *are* willing to pay the time to learn OpenPGP I use that. At work, Mutt (my MUA) is set up with keys for both and some rules to automatically select the right one for each To: address.

In some workplaces, S/MIME is mandated. That's another reason. :-)

With all the phishing going on these days, I foresee a wave of companies issuing policies that unsigned mail seeming to come from a fellow employee must be reported and then ignored. Since it's already easy to just buy certificates, they'll probably mostly go S/MIME.
--
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu

From andrewg at andrewg.com Tue Sep 13 14:02:22 2016
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Tue, 13 Sep 2016 13:02:22 +0100
Subject: Changing smartcard
Message-ID:

I recently decided to change my default smartcard on one machine because it was easier to use and carry a flat card than one in a USB reader, and that particular machine has a smartcard slot. I had two smartcards anyway for testing purposes.

I thought it would be a simple matter of deleting the key stubs on the machine in question and running gpg --card-status, but even after doing this for both gpg and gpg2 (debian!) it still sometimes asked for the old smartcard.

Things that worked: poldi (on login screen), enigmail
Things that didn't work: ssh, sudo/poldi (on command line)

The only thing that might explain why poldi works on the login screen but not for sudo is the agent (which isn't running at login time, so poldi must call scdaemon directly at that point).
Using gpg-connect-agent:

  > keyinfo --list
  S KEYINFO xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxEDB763AD D - - - - - - -
  S KEYINFO xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxCFEF4E2C T D276000124010201000500003F990000 OPENPGP.1 - - - - -
  S KEYINFO xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx0EFB3577 T D276000124010201000500003F990000 OPENPGP.2 - - - - -
  S KEYINFO xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxD39C4ACA D - - - - - - -
  S KEYINFO xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx20FE2863 T D276000124010201000500002ED90000 OPENPGP.3 - - - - -
  OK

This seems to indicate that the agent is still looking for the old card (the one ending "2ED90000") for the slot 3 key (auth), but is correctly configured for E and S (hence why enigmail works).

I found keystub entries that corresponded to these in private-keys-v1.d. The offending keystub file had a modification date earlier than the other two, so I deleted it and ran gpg --card-status once more. The keystub file was regenerated and gpg-connect-agent now reports the correct card ID. I didn't even have to log out and in.

So I'm happy now, but have two questions:

1. Why was the A keystub not deleted and regenerated when I did gpg --delete-secret-keys; gpg --card-status, like the E and S ones apparently were?

2. What do these fingerprint-like IDs in the agent and v1.d refer to? They don't correspond to anything that --with-colons produces.

Thanks.

A
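The check done by eye in the message above, as an added example (it is not part of the original post and not GnuPG code): it parses `keyinfo --list` output and reports card stubs that are bound to a serial number other than the card now in use. The keygrips in the sample are constructed, the two serial numbers are the ones quoted above, and the type codes (`D` for a key on disk, `T` for a key on a card) are as documented in gpg-agent's KEYINFO help.

```python
"""Audit gpg-agent KEYINFO output for card stubs bound to the wrong card."""
import os
import string
import sys
from typing import List, NamedTuple, Optional

# Constructed sample in the shape of `gpg-connect-agent 'keyinfo --list' /bye`
# output. The keygrips are made up; the serial numbers are the two quoted in
# the message above.
SAMPLE = """\
S KEYINFO 1111111111111111111111111111111111111111 D - - - - - - -
S KEYINFO 2222222222222222222222222222222222222222 T D276000124010201000500003F990000 OPENPGP.1 - - - - -
S KEYINFO 3333333333333333333333333333333333333333 T D276000124010201000500003F990000 OPENPGP.2 - - - - -
S KEYINFO 4444444444444444444444444444444444444444 D - - - - - - -
S KEYINFO 5555555555555555555555555555555555555555 T D276000124010201000500002ED90000 OPENPGP.3 - - - - -
OK
"""


class KeyInfo(NamedTuple):
    keygrip: str             # 40 hex digits; also the stub's file name
    kind: str                # 'D' on disk, 'T' on a card, 'X' unknown, '-' missing
    serialno: Optional[str]  # card serial number, None for on-disk keys
    idstr: Optional[str]     # card slot, e.g. OPENPGP.3 (the auth key)


def parse_keyinfo(output: str) -> List[KeyInfo]:
    """Return one KeyInfo per 'S KEYINFO' status line; skip OK/ERR/other lines."""
    entries = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[:2] != ["S", "KEYINFO"]:
            continue
        grip, kind, serial, idstr = fields[2:6]
        # A keygrip is a 20-byte hash printed as 40 hex digits.
        if len(grip) != 40 or any(c not in string.hexdigits for c in grip):
            continue
        entries.append(KeyInfo(
            keygrip=grip.upper(),
            kind=kind,
            serialno=None if serial == "-" else serial.upper(),
            idstr=None if idstr == "-" else idstr,
        ))
    return entries


def stale_stubs(entries: List[KeyInfo], current_serial: str) -> List[KeyInfo]:
    """Card stubs ('T') whose recorded serial is not the card now in use."""
    current = current_serial.upper()
    return [e for e in entries if e.kind == "T" and e.serialno != current]


def stub_path(entry: KeyInfo, homedir: str = "~/.gnupg") -> str:
    """File that holds this stub: private-keys-v1.d/<keygrip>.key."""
    return os.path.join(os.path.expanduser(homedir),
                        "private-keys-v1.d", entry.keygrip + ".key")


if __name__ == "__main__":
    # Usage: gpg-connect-agent 'keyinfo --list' /bye | python3 this_file.py SERIAL
    # Without piped input the constructed SAMPLE is used.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    current = sys.argv[1] if len(sys.argv) > 1 else "D276000124010201000500003F990000"
    for e in stale_stubs(parse_keyinfo(text), current):
        print(f"{e.idstr}: stub {stub_path(e)} expects card {e.serialno}")
```

The serial number to pass in is the "Application ID" that gpg --card-status prints for the inserted card.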
From jerry at seibercom.net Tue Sep 13 12:54:53 2016
From: jerry at seibercom.net (Jerry)
Date: Tue, 13 Sep 2016 06:54:53 -0400
Subject: Unknown Protocol error message
Message-ID: <20160913065453.00007f8e@seibercom.net>

Using claws-mail on a Windows 10 Pro / 64 bit machine, I see the following error message appear quite often on the bottom of the screen:

  The signature can't be checked - Unsupported protocol

I don't understand the reason for this or how to correct it. Can anyone assist me?

--
Jerry

From gnupg-ml at seichter.de Tue Sep 13 12:45:13 2016
From: gnupg-ml at seichter.de (Ralph Seichter)
Date: Tue, 13 Sep 2016 12:45:13 +0200
Subject: Why would I want S/MIME?
In-Reply-To:
References: <020001d20d29$515f5c70$f41e1550$@sixdemonbag.org>
Message-ID: <5e0a2796-561e-8bba-bde5-b0cd8b40a225@seichter.de>

On 12.09.2016 21:15, Anthony Papillion wrote:
> Assuming everyone is willing and comfortable with using GnuPG, is there
> any compelling reason (aside from easy setup and use) to use S/MIME?

The main reason I can think of is the fact that there are mail clients that don't support PGP without significant hassle (or not at all), but do support S/MIME, e.g. iOS devices. Not sure if you count this as a specialized case of "easy setup and use".

-Ralph

From rjh at sixdemonbag.org Tue Sep 13 15:12:36 2016
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 13 Sep 2016 09:12:36 -0400
Subject: Why would I want S/MIME?
In-Reply-To: <87bmzsm7s0.fsf@wheatstone.g10code.de>
References: <020001d20d29$515f5c70$f41e1550$@sixdemonbag.org> <87bmzsm7s0.fsf@wheatstone.g10code.de>
Message-ID: <0833b98b-9d5e-b9dc-ac38-b9f54c31ef0e@sixdemonbag.org>

> You mean GPG. GnuPG includes GPG and GPGSM and thus support for OpenPGP
> and for S/MIME.

No, they refuse to learn GnuPG.
If S/MIME was provided by GPGSM they'd refuse to use S/MIME -- they want something that "just works," not something they have to install and fiddle with.

From rene at bartschnet.de Mon Sep 12 23:54:56 2016
From: rene at bartschnet.de (Rene "Renne" Bartsch, B.Sc. Informatics)
Date: Mon, 12 Sep 2016 23:54:56 +0200
Subject: DANE-OpenPGPkey lookup with GnuPG
Message-ID: <748e18f4-1ca5-3572-421e-44a34993a36f@bartschnet.de>

Hi,

I'm new to the list, so a "Hello" to all! ;)

I'm trying to look up public OpenPGP-keys published via DNSSEC (IETF RFC 7929) using the command 'gpg2 --auto-key-locate dane --search-keys info at mail.de' on Ubuntu 16.04 (GnuPG version 2.1.11).

gpg2 always returns:

  gpg: no keyserver known (use option --keyserver)
  gpg: keyserver search failed: No keyserver available

What's wrong with my command or gpg2?

Thanx for any hint,

Renne

--
OpenPGP-Key: IETF RFC 7929 or https://openpgpkey.info/?email=rene at bartschnet.de, OpenPGPkeys on Key-Servers are invalid!

From ml at bartschnet.de Tue Sep 13 14:17:29 2016
From: ml at bartschnet.de (Rene "Renne" Bartsch, B.Sc. Informatics)
Date: Tue, 13 Sep 2016 14:17:29 +0200
Subject: DANE-OpenPGPkey lookup with GnuPG
Message-ID: <3f300f06-b128-493e-dc3f-0a3c076620e9@bartschnet.de>

Hi,

I'm new to the list, so a "Hello" to all! ;)

I'm trying to look up public OpenPGP-keys published via DNSSEC (IETF RFC 7929) using the command 'gpg2 --auto-key-locate dane --search-keys info at mail.de' on Ubuntu 16.04 (GnuPG version 2.1.11).
gpg2 always returns:

  gpg: no keyserver known (use option --keyserver)
  gpg: keyserver search failed: No keyserver available

What's wrong with my command or gpg2?

Thanx for any hint,

Renne

From dgouttegattat at incenp.org Tue Sep 13 15:54:24 2016
From: dgouttegattat at incenp.org (Damien Goutte-Gattat)
Date: Tue, 13 Sep 2016 15:54:24 +0200
Subject: DANE-OpenPGPkey lookup with GnuPG
In-Reply-To: <748e18f4-1ca5-3572-421e-44a34993a36f@bartschnet.de>
References: <748e18f4-1ca5-3572-421e-44a34993a36f@bartschnet.de>
Message-ID: <4645215d-467b-6baf-3af6-62ce5d0d6a36@incenp.org>

Hi,

On 09/12/2016 11:54 PM, Rene "Renne" Bartsch, B.Sc. Informatics wrote:
> I'm trying to look up public OpenPGP-keys published via DNSSEC (IETF RFC
> 7929) using the command 'gpg2 --auto-key-locate dane --search-keys
> info at mail.de'
>
> What's wrong with my command or gpg2?

I think the --search-keys command is specifically meant to retrieve keys from keyservers. To retrieve a key using the auto-key-locate mechanisms, use the --locate-keys command instead:

  $ gpg2 --auto-key-locate dane --locate-keys info at mail.de
  gpg: key 94206060: public key "info at mail.de " imported
  gpg: Total number processed: 1
  gpg: imported: 1
  gpg: automatically retrieved 'info at mail.de' via DANE
  pub rsa4096/94206060 2015-03-11 [SCA] [expires: 2020-03-09]
  uid [ unknown] info at mail.de
  sub rsa4096/8113910E 2015-03-11 [E] [expires: 2020-03-09]

Damien
From wk at gnupg.org Tue Sep 13 16:24:29 2016
From: wk at gnupg.org (Werner Koch)
Date: Tue, 13 Sep 2016 16:24:29 +0200
Subject: Unknown Protocol error message
In-Reply-To: <20160913065453.00007f8e@seibercom.net> (jerry@seibercom.net's message of "Tue, 13 Sep 2016 06:54:53 -0400")
References: <20160913065453.00007f8e@seibercom.net>
Message-ID: <87k2eflvxe.fsf@wheatstone.g10code.de>

On Tue, 13 Sep 2016 12:54, jerry at seibercom.net said:
> using claws-mail on a Windows 10 Pro / 64 bit machine, I see the
> following error message appear quite often on the bottom of the screen:
>
> The signature can't be checked - Unsupported protocol

Did you load all the OpenPGP and the S/MIME plugin? Is GnuPG-2 installed (try "gpgsm --version")?

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Tue Sep 13 16:33:01 2016
From: wk at gnupg.org (Werner Koch)
Date: Tue, 13 Sep 2016 16:33:01 +0200
Subject: Changing smartcard
In-Reply-To: (Andrew Gallagher's message of "Tue, 13 Sep 2016 13:02:22 +0100")
References:
Message-ID: <87d1k7lvj6.fsf@wheatstone.g10code.de>

On Tue, 13 Sep 2016 14:02, andrewg at andrewg.com said:
> 1. Why was the A keystub not deleted and regenerated when I did gpg
> --delete-secret-keys; gpg --card-status, like the E and S ones
> apparently were?

Did you get a pinentry prompt to confirm the deletion of the secret key (actually two prompts for primary and subkey)?

> 2. What do these fingerprint-like IDs in the agent and v1.d refer to?
> They don't correspond to anything that --with-colons produces.

That is the "keygrip"; a protocol independent kind of fingerprint.
The option --with-keygrip shows it; in the colon listing it is a record named "grp". The private keys as well as the key stubs are stored in files with the keygrip as name.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Tue Sep 13 16:36:36 2016
From: wk at gnupg.org (Werner Koch)
Date: Tue, 13 Sep 2016 16:36:36 +0200
Subject: DANE-OpenPGPkey lookup with GnuPG
In-Reply-To: <748e18f4-1ca5-3572-421e-44a34993a36f@bartschnet.de> (Rene Bartsch's message of "Mon, 12 Sep 2016 23:54:56 +0200")
References: <748e18f4-1ca5-3572-421e-44a34993a36f@bartschnet.de>
Message-ID: <878tuvlvd7.fsf@wheatstone.g10code.de>

On Mon, 12 Sep 2016 23:54, rene at bartschnet.de said:
> I'm trying to look up public OpenPGP-keys published via DNSSEC (IETF RFC
> 7929) using the command 'gpg2 --auto-key-locate dane --search-keys
> info at mail.de' on Ubuntu 16.04 (GnuPG version 2.1.11).

The command --search-keys is keyserver specific and may return a list of keys. What you want to use is --locate-keys which takes the --auto-key-locate list into account. For testing it is often useful to do this:

  gpg --auto-key-locate clear,dane,local --locate-key WHATEVER

clear clears all auto-key-locate settings from gpg.conf and the explicit mentioning of local makes sure that "dane" is used before looking into the "local" keyring.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
From andrewg at andrewg.com Tue Sep 13 16:42:37 2016
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Tue, 13 Sep 2016 15:42:37 +0100
Subject: Changing smartcard
In-Reply-To: <87d1k7lvj6.fsf@wheatstone.g10code.de>
References: <87d1k7lvj6.fsf@wheatstone.g10code.de>
Message-ID: <033f8880-ffc3-ebda-7791-3e136fa7c800@andrewg.com>

On 13/09/16 15:33, Werner Koch wrote:
> On Tue, 13 Sep 2016 14:02, andrewg at andrewg.com said:
>
>> 1. Why was the A keystub not deleted and regenerated when I did gpg
>> --delete-secret-keys; gpg --card-status, like the E and S ones
>> apparently were?
>
> Did you get a pinentry prompt to confirm the deletion of the secret key
> (actually two prompts for primary and subkey)?

I did get two slightly different terminal prompts along the lines of "Do you really want to delete this secret key? [Y/N]". I replied Y to both.

Thanks,

A

From halocaridina at gmail.com Tue Sep 13 18:25:57 2016
From: halocaridina at gmail.com (Scott R. Santos)
Date: Tue, 13 Sep 2016 11:25:57 -0500
Subject: [Linux/OS X] Identiv SCR3500 A working with OpenPGP Smartcards 2.1?
In-Reply-To: <264b882a-c563-bd81-e4ba-ea0a06e1fe41@incenp.org>
References: <20160913001255.GA6456@santos-son-of-ubuntu.auburn.edu> <264b882a-c563-bd81-e4ba-ea0a06e1fe41@incenp.org>
Message-ID: <20160913162557.GA4844@santos-son-of-ubuntu.auburn.edu>

Dear Damien

Thank you greatly for your quick response and helpful information. This is very good news. Setting up the reader for a normal user should be fairly straightforward using a udev rule, so thank you for the reminder.

Cheers,

Scott

Sent via Mutt from my Ubuntu Server.

Damien Goutte-Gattat wrote:
> On 09/13/2016 02:12 AM, Scott R.
> Santos wrote:
> > Specifically, has this reader been successfully used to read and
> >write to OpenPGP v2.1 Smartcards under current distros/versions of
> >Linux and/or Apple OS X using recent versions of gnupg?
>
> I am successfully using it with an OpenPGP Smartcard v2.0 (not 2.1),
> under Slackware Linux with GnuPG 2.1.15.
>
> It works both with Scdaemon's internal CCID driver and with the
> pcscd/libpcsclite stack.
>
>
> >Any info would be greatly appreciated and thank you in advance,
>
> If you don't plan to use your reader for anything else than GnuPG,
> you may use the internal CCID driver. In that case, there's not much
> to do; about the only thing you may have to take care of (if it's
> not already done on your system) is to make sure that your own user
> account is allowed to access the reader.
>
> (That's for GNU/Linux; as for OS X, I have no clue.)
>
> Damien
>

From djhaskin987 at gmail.com Tue Sep 13 16:42:46 2016
From: djhaskin987 at gmail.com (Daniel Haskin)
Date: Tue, 13 Sep 2016 08:42:46 -0600
Subject: Serve up ssh key *and* gpg key?
Message-ID: <003001d20dcd$18b5a560$4a20f020$@gmail.com>

Long-time GPG user here, thanks so much for everyone's help and work on it.

I really like the feature GPG 2.1 has, where it can serve up a subkey of a private key to SSH and act as an SSH agent. I use a particular subkey of my master key for SSH authentication and I really like it.

But, at work, I was issued an SSH key to use to get into a particular server via SSH. I was told to add it to my SSH-agent.

My question is, can GPG serve up both? I don't think it's possible to turn the SSH key I was given into a GPG key, or I would just do that so gpg-agent could serve it and I could use it as an SSH key. I don't think it's possible to simultaneously run ssh-agent (or pageant, for that matter) and gpg-agent at the same time.

Is there a way I would be able to have an application connect to gpg-agent as if it were an ssh agent and have the gpg-agent serve both keys?
Thanks!

From arbiel.perlacremaz at gmx.fr Tue Sep 13 18:02:04 2016
From: arbiel.perlacremaz at gmx.fr (Arbiel Perlacremaz)
Date: Tue, 13 Sep 2016 18:02:04 +0200
Subject: Signing and symmetrically encrypting files
Message-ID:

An HTML attachment was scrubbed...

From dgouttegattat at incenp.org Tue Sep 13 22:41:55 2016
From: dgouttegattat at incenp.org (Damien Goutte-Gattat)
Date: Tue, 13 Sep 2016 22:41:55 +0200
Subject: Serve up ssh key *and* gpg key?
In-Reply-To: <003001d20dcd$18b5a560$4a20f020$@gmail.com>
References: <003001d20dcd$18b5a560$4a20f020$@gmail.com>
Message-ID: <21782ab9-adf3-be56-a558-fe0d6da80616@incenp.org>

Hi,

On 09/13/2016 04:42 PM, Daniel Haskin wrote:
> My question is, can GPG serve up both?

Yes.

> I don't think it's possible to turn the SSH key I was given into a
> GPG key

You don't need to do that. Just load the key into the agent using the ssh-add tool, as you would do if you were using the "regular" ssh-agent.

> Is there a way I would be able to have an application connect to
> gpg-agent as if it were an ssh agent and have the gpg-agent serve
> both keys?

As long as gpg-agent is started with the --enable-ssh-support option, any program capable of talking to the "regular" ssh-agent can talk to gpg-agent. That's why you can just use ssh-add to load your key into the agent.

Damien

From bernhard at intevation.de Wed Sep 14 09:21:32 2016
From: bernhard at intevation.de (Bernhard Reiter)
Date: Wed, 14 Sep 2016 09:21:32 +0200
Subject: wiki.gnupg.org theme?
In-Reply-To: <201511111235.07600.bernhard@intevation.de>
References: <201504211026.21749.bernhard@intevation.de> <87vbgpx15k.fsf@vigenere.g10code.de> <201511111235.07600.bernhard@intevation.de>
Message-ID: <201609140921.36015.bernhard@intevation.de>

On Wednesday 11 November 2015 12:35:02, Bernhard Reiter wrote:
> I've added a section on the wiki theme to:
> http://wiki.gnupg.org/improveThis

Update, we try to change the black to a GnuPG blue and enable https://moinmo.in/ThemeMarket/memodump as optional theme.

Help with improving the theme towards GnuPG and Gpg4win is appreciated.

--
www.intevation.de/~bernhard +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From bernhard at intevation.de Wed Sep 14 10:52:42 2016
From: bernhard at intevation.de (Bernhard Reiter)
Date: Wed, 14 Sep 2016 10:52:42 +0200
Subject: Web Key Directory / Web Key Service wiki page
Message-ID: <201609141052.42587.bernhard@intevation.de>

https://wiki.gnupg.org/WKD

Feedback and help appreciated! :)

Bernhard

= Much easier Email crypto, by fetching pubkey via HTTPS

== How does it work?

As an email user, you just select the recipient(s) and can see that the email will be encrypted. If you and your peers use email-providers offering this "web key service", it works by the first email. Otherwise encryption will start after you have exchanged some emails.

Technically your email client will automatically
* prepare for this by creating a crypto key for you and uploading it to your provider (or second best to public keyservers).
* sign all emails so others see that you are ready for crypto (unless you opt out)
* ask the mail provider of your recipients for their pubkeys.

An email-provider offering the "web key service" technically has to
* provide a pubkey for each user via ~HT~TPS
* allow each user's email client to automatically manage the pubkey that gets published by email.

== Details / Discussion of the proposal

* [[EasyGpg2016/PubkeyDistributionConcept]] <- the (technical) details

[..]

--
www.intevation.de/~bernhard +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From bernhard at intevation.de Wed Sep 14 12:26:42 2016
From: bernhard at intevation.de (Bernhard Reiter)
Date: Wed, 14 Sep 2016 12:26:42 +0200
Subject: DANE-OpenPGPkey lookup with GnuPG
In-Reply-To: <3f300f06-b128-493e-dc3f-0a3c076620e9@bartschnet.de>
References: <3f300f06-b128-493e-dc3f-0a3c076620e9@bartschnet.de>
Message-ID: <201609141226.42788.bernhard@intevation.de>

Hi Rene,

welcome to the GnuPG community, thanks for trying GnuPG 2.1. :)

On Tuesday 13 September 2016 14:17:29, Rene "Renne" Bartsch wrote:
> gpg2 --auto-key-locate dane --search-keys info at mail.de'
> on Ubuntu 16.04 (GnuPG version 2.1.11).
> gpg2 always returns:
>
> gpg: no keyserver known (use option --keyserver)

It seems that there is a check that keyserver needs to be configured (even if it probably is not used). Try like

  LANG=C gpg2 --keyserver hkp://keys.gnupg.net \
    --auto-key-locate dane --search-keys info at mail.de

(my result:
  gpg: error searching keyserver: No data
  gpg: keyserver search failed: No data
)

The superfluous keyserver check should probably be checked for 2.1.15 and then reported to bugs.gnupg.org (if it isn't there already).

Best,

Bernhard

--
www.intevation.de/~bernhard
+49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From bernhard at intevation.de Wed Sep 14 12:31:03 2016
From: bernhard at intevation.de (Bernhard Reiter)
Date: Wed, 14 Sep 2016 12:31:03 +0200
Subject: Signing and symmetrically encrypting files
In-Reply-To:
References:
Message-ID: <201609141231.04182.bernhard@intevation.de>

On Tuesday 13 September 2016 18:02:04, Arbiel Perlacremaz wrote:
> I intend to define a specific password for each one of the groups to
> symmetrically encrypt the documents depending on which group they are
> dedicated to.

Wouldn't it make more sense to use asymmetric encryption to the groups to manage the access?

Bernhard

ps.: Hint: Many people on this list do not look at HTML emails, try to send plain text mails (without HTML markup). Please also give the GnuPG version and platform you are working with.

--
www.intevation.de/~bernhard +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
From bernhard at intevation.de Wed Sep 14 12:34:24 2016
From: bernhard at intevation.de (Bernhard Reiter)
Date: Wed, 14 Sep 2016 12:34:24 +0200
Subject: DANE-OpenPGPkey lookup with GnuPG
In-Reply-To: <201609141226.42788.bernhard@intevation.de>
References: <3f300f06-b128-493e-dc3f-0a3c076620e9@bartschnet.de> <201609141226.42788.bernhard@intevation.de>
Message-ID: <201609141234.24790.bernhard@intevation.de>

On Wednesday 14 September 2016 12:26:42, Bernhard Reiter wrote:
> Try like
>
> LANG=C gpg2 --keyserver hkp://keys.gnupg.net \
>   --auto-key-locate dane --search-keys info at mail.de

Okay, just did not see that the question was already answered previously. Sorry for the noise.

  gpg2 --auto-key-locate dane --locate-keys info at mail.de

--
www.intevation.de/~bernhard +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From thomas at glanzmann.de Wed Sep 14 16:28:38 2016
From: thomas at glanzmann.de (Thomas Glanzmann)
Date: Wed, 14 Sep 2016 16:28:38 +0200
Subject: gpg TOFU mutt
Message-ID: <20160914142838.GC23301@glanzmann.de>

Hello,

on my local workstation I have gpg-agent running and use gpg agent forwarding to a remote machine where I run mutt. I have the newest release version of gpg2.1 compiled by myself on both machines and they're in use. On my local workstation I also have the most recent version of pinentry and use it in the gpg-agent.conf.

I set 'trust-model tofu+pgp' in .gnupg/gpg.conf on the remote machine I'm using mutt with 'set crypt_use_gpgme=yes'.

Now I wonder which interaction I should see and when I should see it? For now I can see when I send an encrypted email to someone it is automatically marked as 'full'.
Is there any other behaviour I should see, or is there a howto?

I already read: https://lists.gnupg.org/pipermail/gnupg-users/2015-October/054608.html

And I also saw Murphy's post that a newer pinentry than the one that ships with Debian Jessie (which I'm running everywhere) is necessary.

I wondered why I did not get any questions if I trust a key or not. If someone could shed some light on it, that would be nice. I'm also waiting eagerly for the gpgsm tofu which I'm using as well with the same setup.

Cheers,

Thomas

From thecissou98 at hotmail.fr Wed Sep 14 17:23:29 2016
From: thecissou98 at hotmail.fr (Le Roy Francis)
Date: Wed, 14 Sep 2016 15:23:29 +0000
Subject: Javascript and smartcard
In-Reply-To: <877fagm7a8.fsf@wheatstone.g10code.de>
References: <878tuwd8nm.fsf@alice.fifthhorseman.net> <877fagm7a8.fsf@wheatstone.g10code.de>
Message-ID:

Hi,

I am trying to build a node.js module to interact with the smart card. I code the add-on in c++ with gpgme. Is there any way of knowing if the card is connected with gpgme?

On 13 Sept. 2016, at 12:22, Werner Koch wrote:

On Tue, 13 Sep 2016 01:02, dkg at fifthhorseman.net said:

how to talk to gpg-agent for use of secret keys. That way gpg-agent could delegate the work to the smartcard via scdaemon, and OpenPGP.js wouldn't need to know anything about the secret key material.

It might be worth to look at Native Messaging (Chrome) and Web Extensions (Firefox) for accessing gpg-agent from OpenPGP.js. The only extra external dependency would then be a tool to connect stdin/stdout to gpg-agent's socket (--browser-socket in that case) and maybe to auto-start gpg-agent.

Salam-Shalom,

Werner

From arbiel.perlacremaz at gmx.fr Wed Sep 14 17:28:59 2016 From: arbiel.perlacremaz at gmx.fr (Arbiel (gmx)) Date: Wed, 14 Sep 2016 17:28:59 +0200 Subject: Signing and symmetrically encrypting files In-Reply-To: <57D944A7.7050707@gmx.fr> References: <57D944A7.7050707@gmx.fr> Message-ID: <57D96CBB.8020605@gmx.fr> -------- Forwarded message -------- Subject: Re: Signing and symmetrically encrypting files To: Bernhard Reiter References: <201609141231.04182.bernhard at intevation.de> From: Arbiel (gmx) Message-ID: <57D944A7.7050707 at gmx.fr> Date: Wed, 14 Sep 2016 14:37:59 +0200 In-Reply-To: <201609141231.04182.bernhard at intevation.de> Thanks, Bernhard, for taking the time to reply to my post. Asymmetric encryption requires the recipients to use my public key to get access to the documents, whereas symmetric encryption only requires them to key in the encryption key. Obviously the recipients who are not confident enough with using asymmetric encryption won't be able to verify the authenticity of the documents, but this is a lesser drawback. However, if I can't sign and encrypt in a single step, I'll sign and then symmetrically encrypt the signed document, or the other way around. I forgot to write that I want the process (sign and encrypt) to proceed without any keyboard-typing. On 14/09/2016 12:31, Bernhard Reiter wrote: > On Tuesday 13 September 2016 18:02:04, Arbiel Perlacremaz wrote: >> I intend to define a specific password for each one of the groups to >> symmetrically encrypt the documents depending on which group they are >> dedicated to.
> Wouldn't it make more sense to use asymmetric encryption > to the groups to manage the access? > > Bernhard > ps.: Hint: Many people on this list do not look at HTML emails, try to send > plain text mails (without HTML markup). My previous message seems to have been an HTML message. I unchecked the control and hope this answer is a clear text message. > Please also give the GnuPG version gpg (GnuPG) 1.4.16 > and platform you are working with. Ubuntu 14.04

From duane at nofroth.com Wed Sep 14 17:10:29 2016 From: duane at nofroth.com (Duane Whitty) Date: Wed, 14 Sep 2016 12:10:29 -0300 Subject: What is a reliable way to backup/restore my keys and test? Message-ID: <57D96865.8020704@nofroth.com> Hello, I am relatively new to GNUPG so my apologies in advance if this question is trivial. I have been following the list and have seen discussions of how to fix problems regarding backing up and restoring of keys but I have not seen anything on how to do it properly to begin with. I've just copied my .gnupg directory to a usb key as a backup measure, which I found as a method (more or less) on http://www.glump.net/content/gpg_intro/. I am planning on upgrading my OS and I need to test this backup. How can I make sure my private key and trust assignments were copied properly? Once I have completed my OS upgrade how do I restore my keys and the trust levels assigned to them? I use Thunderbird/Enigmail which is using gpg2 but I originally created my key pair using gpg 1.4. Does this have any ramifications?
$ uname -a Linux XXX 4.2.0-38-generic #45~14.04.1-Ubuntu SMP Thu Jun 9 09:28:50 UTC 2016 i686 i686 i686 GNU/Linux $ /usr/bin/gpg --version gpg (GnuPG) 1.4.16 Copyright (C) 2013 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Home: ~/.gnupg Supported algorithms: Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256 Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 Compression: Uncompressed, ZIP, ZLIB, BZIP2 $ /usr/bin/gpg2 --version gpg (GnuPG) 2.0.22 libgcrypt 1.5.3 Copyright (C) 2013 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Home: ~/.gnupg Supported algorithms: Pubkey: RSA, ELG, DSA, ?, ? Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256 Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 Compression: Uncompressed, ZIP, ZLIB, BZIP2 Thunderbird 38.8.0 I hope this provides the required information. Please let me know if I should include something else. 
Best Regards, Duane -- Duane Whitty duane at nofroth.com

From thomas at glanzmann.de Wed Sep 14 18:31:22 2016 From: thomas at glanzmann.de (Thomas Glanzmann) Date: Wed, 14 Sep 2016 18:31:22 +0200 Subject: What is a reliable way to backup/restore my keys and test? In-Reply-To: <57D96865.8020704@nofroth.com> References: <57D96865.8020704@nofroth.com> Message-ID: <20160914163122.GB25475@glanzmann.de> Hello Duane, > How can I make sure my private key and trust assignments were copied > properly? for me in the past taking a backup of .gnupg was sufficient. However you can also export your secret key using: gpg --export-secret-keys -a > secret.asc And the manual trust assignments by doing: gpg --export-ownertrust > ownertrust.txt Cheers, Thomas

From rjh at sixdemonbag.org Wed Sep 14 21:01:47 2016 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Wed, 14 Sep 2016 15:01:47 -0400 Subject: What is a reliable way to backup/restore my keys and test? In-Reply-To: <57D96865.8020704@nofroth.com> References: <57D96865.8020704@nofroth.com> Message-ID: <019201d20eba$7204d170$560e7450$@sixdemonbag.org> > I am relatively new to GNUPG so my apologies in advance if this question is > trivial. Welcome! And your question is not trivial.
The following is the procedure I use on UNIX systems: First, export all public certificates into a public keyring: $ gpg --armor --export > pub.asc Second, export all secret certificates into a secret keyring: $ gpg --armor --export-secret-keys > priv.asc Third, export ownertrust values and save those: $ gpg --armor --export-ownertrust > trust.asc Fourth, copy all the *.conf files in ~/.gnupg into your current directory: $ cp ~/.gnupg/*.conf . Fifth, put these, and all your GnuPG .conf files, all into a single archive: $ tar cJf gpg-backup.txz pub.asc priv.asc trust.asc *.conf Copy gpg-backup.txz to the new machine. Once you've done that, uncompress it on the new machine: $ tar xJf gpg-backup.txz Import your secret certificates: $ gpg --import < priv.asc Import your public certificates: $ gpg --import < pub.asc Import your ownertrust values: $ gpg --import-ownertrust < trust.asc Make sure your ~/.gnupg directory exists. If it doesn't, run gpg with no arguments and hit Ctrl-C to break out of it. $ gpg Copy your .conf files into ~/.gnupg: $ cp *.conf ~/.gnupg ... And at that point you should be done. This technique should work regardless of whether you're migrating from 1.4 to 2.0, 1.4 to 2.1, 2.0 to 1.4, 2.0 to 2.1, 2.1 to 2.0, or 2.1 to 1.4. No matter which you're doing, you're covered. > I've just copied my .gnupg directory to a usb key as a backup measure, which > I found as a method (more or less) on > http://www.glump.net/content/gpg_intro/. It's a good idea to not copy the random_seed file. PRNG states should not be shared between computers. > How can I make sure my private key and trust assignments were copied properly? Follow the above process and they will be. Your private certificates were exported, as were the trust assignments. > Once I have completed my OS upgrade how do I restore my keys and the > trust levels assigned to them? See the above process. > I use Thunderbird/Enigmail which is using gpg2 but I originally created my key > pair using gpg 1.4. 
Does this have any ramifications? None.

From dkg at fifthhorseman.net Wed Sep 14 22:24:01 2016 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Wed, 14 Sep 2016 16:24:01 -0400 Subject: What is a reliable way to backup/restore my keys and test? In-Reply-To: <019201d20eba$7204d170$560e7450$@sixdemonbag.org> References: <57D96865.8020704@nofroth.com> <019201d20eba$7204d170$560e7450$@sixdemonbag.org> Message-ID: <87poo62psu.fsf@alice.fifthhorseman.net> Thanks for the very thorough walk-through, Robert. Perhaps GnuPG ought to produce some kind of interchangeable backup automatically on its own that it can re-consume, so this kind of involved process isn't necessary. A couple notes below: On Wed 2016-09-14 15:01:47 -0400, Robert J. Hansen wrote: > The following is the procedure I use on UNIX systems: > > First, export all public certificates into a public keyring: > > $ gpg --armor --export > pub.asc > > Second, export all secret certificates into a secret keyring: > > $ gpg --armor --export-secret-keys > priv.asc the above two steps should include the arguments "--export-options export-local" just before "--export". > Import your secret certificates: > > $ gpg --import < priv.asc > > Import your public certificates: > > $ gpg --import < pub.asc The above two steps should include the arguments "--import-options import-local" just before "--import". hth, --dkg

From piotr at chmielnicki.com Wed Sep 14 21:11:03 2016 From: piotr at chmielnicki.com (Piotr Chmielnicki) Date: Wed, 14 Sep 2016 21:11:03 +0200 Subject: What is a reliable way to backup/restore my keys and test?
In-Reply-To: <20160914163122.GB25475@glanzmann.de> References: <57D96865.8020704@nofroth.com> <20160914163122.GB25475@glanzmann.de> Message-ID: On 09/14/2016 06:31 PM, Thomas Glanzmann wrote: > Hello Duane, > >> How can I make sure my private key and trust assignments were copied >> properly? > for me in the past taking a backup of .gnupg was sufficient. However you > can also export your secret key using: > > gpg --export-secret-keys -a > secret.asc > > And the manual trust assignments by doing: > > gpg --export-ownertrust > ownertrust.txt > > Cheers, > Thomas You also might want to take a look at --export-options in the gpg man page. Piotr Chmielnicki @piotrcki

From bernhard at intevation.de Thu Sep 15 09:11:20 2016 From: bernhard at intevation.de (Bernhard Reiter) Date: Thu, 15 Sep 2016 09:11:20 +0200 Subject: Signing and symmetrically encrypting files In-Reply-To: <57D96CBB.8020605@gmx.fr> References: <57D944A7.7050707@gmx.fr> <57D96CBB.8020605@gmx.fr> Message-ID: <201609150911.20415.bernhard@intevation.de> Hi Arbiel, On Wednesday 14 September 2016 17:28:59, Arbiel (gmx) wrote: > Asymmetric encryption requires the recipients to use my public key to > get access to the documents, whereas symmetric encryption only requires > them to key in the encryption key. for decryption, only the private key of the recipient is needed. Typing in that passphrase is as difficult (or easy) as typing in the symmetric key. Of course asymmetric crypto would need them to create a key-pair first. But symmetric encryption has the problem of you needing to transfer the keys each time. > Obviously the recipients who are not > confident enough with using asymmetric encryption won't be able to > verify the authenticity of the documents, but this is a lesser drawback.
> > However, if I can't sign and encrypt in a single step, I'll sign and > then symmetrically encrypt the signed document, or the other way around. Usually you sign first and then encrypt. This way the signature stays verifiable even after decryption. > I forgot to write that I want the process (sign and encrypt) to proceed > without any keyboard-typing. A passphrase is not needed for asymmetric encryption. It is only needed to unlock your private key for signing. If you want to build an automated system, one way is to just have a private key without passphrase (and secure the system). There are other ways of course. > My previous message seems to have been an HTML message. I unchecked the > control and hope this answer is a clear text message Yes, it is. :) Best Regards, Bernhard -- www.intevation.de/~bernhard +49 541 33 508 3-3 Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998 Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From andre at colomb.de Thu Sep 15 09:17:22 2016 From: andre at colomb.de (André Colomb) Date: Thu, 15 Sep 2016 09:17:22 +0200 Subject: Local-signing without (offline) private master key In-Reply-To: References: <0962656f-20d8-4901-475a-9f8623d19328@colomb.de> Message-ID: <44613390-ce27-3634-f615-52ab9d64515f@colomb.de> Damien Goutte-Gattat wrote on 2016-09-12 14:16 (UTC+0200) > If you're already using GnuPG >= 2.1.10 (with support for the TOFU > model), I would argue this is your best option. This sounds reasonable. I'm on Ubuntu 16.04, GnuPG 2.1.11, so the TOFU stuff seems to work fine. It seems hard to discover the current TOFU ratings for individual keys.
The man page only says "see: [trust-model-tofu]" in some places, and there is no option to show the trust status except for the classic WoT checking. Looking at the SQLite database at least gives some indication, but is not easy data to interpret. Did I miss some option here, or are any such additions planned? Regards André -- Greetings... From: André Colomb

From mac3iii at gmail.com Thu Sep 15 13:58:08 2016 From: mac3iii at gmail.com (murphy) Date: Thu, 15 Sep 2016 07:58:08 -0400 Subject: What is a reliable way to backup/restore my keys and test? Message-ID: <21517108-5f96-1176-a6ea-6ac445cc581b@gmail.com> Also how to handle the tofu.db? A quick check doesn't find any --import-tofu or --export-tofu options. Does a simple backup and transfer of tofu.db suffice? --Murphy

From duane at nofroth.com Thu Sep 15 16:11:01 2016 From: duane at nofroth.com (Duane Whitty) Date: Thu, 15 Sep 2016 11:11:01 -0300 Subject: What is a reliable way to backup/restore my keys and test? In-Reply-To: <019201d20eba$7204d170$560e7450$@sixdemonbag.org> References: <57D96865.8020704@nofroth.com> <019201d20eba$7204d170$560e7450$@sixdemonbag.org> Message-ID: <57DAABF5.2090806@nofroth.com> On 16-09-14 04:01 PM, Robert J. Hansen wrote: >> I am relatively new to GNUPG so my apologies in advance if this >> question > is >> trivial. > > Welcome! And your question is not trivial.
> > The following is the procedure I use on UNIX systems: > > First, export all public certificates into a public keyring: > > $ gpg --armor --export > pub.asc > > Second, export all secret certificates into a secret keyring: > > $ gpg --armor --export-secret-keys > priv.asc > > Third, export ownertrust values and save those: > > $ gpg --armor --export-ownertrust > trust.asc > > Fourth, copy all the *.conf files in ~/.gnupg into your current > directory: > > $ cp ~/.gnupg/*.conf . > > Fifth, put these, and all your GnuPG .conf files, all into a > single archive: > > $ tar cJf gpg-backup.txz pub.asc priv.asc trust.asc *.conf > > Copy gpg-backup.txz to the new machine. Once you've done that, > uncompress it on the new machine: > > $ tar xJf gpg-backup.txz > > Import your secret certificates: > > $ gpg --import < priv.asc > > Import your public certificates: > > $ gpg --import < pub.asc > > Import your ownertrust values: > > $ gpg --import-ownertrust < trust.asc > > Make sure your ~/.gnupg directory exists. If it doesn't, run gpg > with no arguments and hit Ctrl-C to break out of it. > > $ gpg > > Copy your .conf files into ~/.gnupg: > > $ cp *.conf ~/.gnupg > > ... And at that point you should be done. This technique should > work regardless of whether you're migrating from 1.4 to 2.0, 1.4 to > 2.1, 2.0 to 1.4, 2.0 to 2.1, 2.1 to 2.0, or 2.1 to 1.4. No matter > which you're doing, you're covered. > >> I've just copied my .gnupg directory to a usb key as a backup >> measure, > which >> I found as a method (more or less) on >> http://www.glump.net/content/gpg_intro/. > > It's a good idea to not copy the random_seed file. PRNG states > should not be shared between computers. > >> How can I make sure my private key and trust assignments were >> copied > properly? > > Follow the above process and they will be. Your private > certificates were exported, as were the trust assignments. 
> >> Once I have completed my OS upgrade how do I restore my keys and >> the trust levels assigned to them? > > See the above process. > >> I use Thunderbird/Enigmail which is using gpg2 but I originally >> created my > key >> pair using gpg 1.4. Does this have any ramifications? > > None. > > Thanks for the detailed walk-through, Robert. Much appreciated! Best Regards, Duane -- Duane Whitty duane at nofroth.com

From rjh at sixdemonbag.org Thu Sep 15 16:32:22 2016 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 15 Sep 2016 10:32:22 -0400 Subject: What is a reliable way to backup/restore my keys and test? In-Reply-To: <57DAAE1A.9010104@nofroth.com> References: <57D96865.8020704@nofroth.com> <019201d20eba$7204d170$560e7450$@sixdemonbag.org> <87poo62psu.fsf@alice.fifthhorseman.net> <57DAAE1A.9010104@nofroth.com> Message-ID: <007601d20f5d$f9a59800$ecf0c800$@sixdemonbag.org> > I am unable to find any references in man to export-local in > --export-options except for export-local-sigs. Maybe this is an > undocumented parameter to the --export-options option? What is it > supposed to do? --export-local is the same as --export-local-sigs. Likewise with --import-local. I don't use local signatures myself, which is why my process skips those. But I agree with Daniel that it's important to include those options if you have local signatures on your keyring.
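
The export and import steps discussed in this thread, with the local-signature options, combined with a check that the backup actually restores; this is an added example, not code from any poster or from the GnuPG project. The function names, the `before`/`after` snapshot directories and the scratch home directory are assumptions made here, and the options `--homedir`, `--with-colons` and `--with-fingerprint` are used in addition to the ones named in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: back up a GnuPG home directory with the
# export steps discussed above, then prove the backup restores by importing it
# into a scratch home directory and comparing what gpg reports for both.
# All function, file and directory names here are made up for the example.
LC_ALL=C; export LC_ALL    # sort(1) and comm(1) must agree on ordering
umask 077                  # priv.asc holds secret key material

# stdin: a `gpg --with-colons` listing. stdout: sorted fingerprints
# (field 10 of every "fpr" record).
colon_fingerprints() {
    awk -F: '$1 == "fpr" { print $10 }' | sort -u
}

# stdin: an --export-ownertrust dump. stdout: its sorted entries. The "#"
# comment lines are dropped: they carry the creation time, so two dumps of
# the same trust values are not byte-identical.
ownertrust_entries() {
    sed -e '/^#/d' -e '/^[[:space:]]*$/d' | sort -u
}

# snapshot HOMEDIR OUTDIR: record fingerprints and ownertrust of a keyring.
snapshot() {
    s_home=$1; s_out=$2
    mkdir -p "$s_out" || return 1
    gpg --homedir "$s_home" --with-colons --with-fingerprint --list-keys \
        > "$s_out/public.raw" || return 1
    gpg --homedir "$s_home" --with-colons --with-fingerprint --list-secret-keys \
        > "$s_out/secret.raw" || return 1
    gpg --homedir "$s_home" --export-ownertrust > "$s_out/trust.raw" || return 1
    colon_fingerprints < "$s_out/public.raw" > "$s_out/public.fpr"
    colon_fingerprints < "$s_out/secret.raw" > "$s_out/secret.fpr"
    ownertrust_entries < "$s_out/trust.raw" > "$s_out/ownertrust"
}

# compare_snapshots BEFORE AFTER: report entries that are in BEFORE but not
# in AFTER (lost keys, lost or changed trust values); non-zero if any.
compare_snapshots() {
    c_rc=0
    for c_f in public.fpr secret.fpr ownertrust; do
        c_lost=$(comm -23 "$1/$c_f" "$2/$c_f") || return 2
        if [ -n "$c_lost" ]; then
            printf 'lost from %s:\n%s\n' "$c_f" "$c_lost" >&2
            c_rc=1
        fi
    done
    return "$c_rc"
}

# backup HOMEDIR DIR: the exports from the thread, keeping local signatures.
# random_seed is deliberately not part of the backup.
backup() {
    b_home=$1; b_dir=$2
    mkdir -p "$b_dir" || return 1
    gpg --homedir "$b_home" --armor --export-options export-local-sigs \
        --export > "$b_dir/pub.asc" || return 1
    gpg --homedir "$b_home" --armor --export-options export-local-sigs \
        --export-secret-keys > "$b_dir/priv.asc" || return 1
    gpg --homedir "$b_home" --export-ownertrust > "$b_dir/trust.asc" || return 1
    cp "$b_home"/*.conf "$b_dir"/ 2>/dev/null || true   # there may be none
    snapshot "$b_home" "$b_dir/before"
}

# restore_check DIR: import the backup into a throwaway home directory and
# compare it with the snapshot taken at backup time.
restore_check() {
    r_dir=$1
    r_home=$(mktemp -d) || return 1
    gpg --homedir "$r_home" --import-options import-local-sigs \
        --import < "$r_dir/priv.asc" &&
    gpg --homedir "$r_home" --import-options import-local-sigs \
        --import < "$r_dir/pub.asc" &&
    gpg --homedir "$r_home" --import-ownertrust < "$r_dir/trust.asc" &&
    snapshot "$r_home" "$r_dir/after" &&
    compare_snapshots "$r_dir/before" "$r_dir/after"
    r_rc=$?
    rm -rf "$r_home"
    return "$r_rc"
}

# Usage: sh THIS_SCRIPT backup DIR   (on the old system)
#        sh THIS_SCRIPT check  DIR   (on any system, before relying on DIR)
case "${1:-}" in
    backup) backup "${GNUPGHOME:-$HOME/.gnupg}" "${2:?backup directory}" ;;
    check)  restore_check "${2:?backup directory}" ;;
esac
```

The comparison only reports what went missing, so extra keys already present on the target do not count as a failure.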

From bernhard at intevation.de Thu Sep 15 16:42:11 2016 From: bernhard at intevation.de (Bernhard Reiter) Date: Thu, 15 Sep 2016 16:42:11 +0200 Subject: Web Key Directory / Web Key Service wiki page In-Reply-To: <201609141624.15711.bernhard@intevation.de> References: <201609141052.42587.bernhard@intevation.de> <201609141624.15711.bernhard@intevation.de> Message-ID: <201609151642.16108.bernhard@intevation.de> https://wiki.gnupg.org/WKD > === Mail Service Providers > * (gnupg.org) Testing accounts by request for developers implementing WKS > in Free Software MUAs. Posteo announced that they will fully support WKD/WKS in the next months. https://wiki.gnupg.org/EasyGpg2016/PubkeyDistributionConcept has been completely reworked. Catching more of the design process and the current status of what changes are still being discussed. It is a 10 page document now, so I'm not posting it here (let me know, if you'd prefer this). What do you think about these wiki-pages? I will now see if I can approach more mail service providers. Best Regards, Bernhard -- www.intevation.de/~bernhard +49 541 33 508 3-3 Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998 Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From duane at nofroth.com Thu Sep 15 16:20:10 2016 From: duane at nofroth.com (Duane Whitty) Date: Thu, 15 Sep 2016 11:20:10 -0300 Subject: What is a reliable way to backup/restore my keys and test?
In-Reply-To: <87poo62psu.fsf@alice.fifthhorseman.net> References: <57D96865.8020704@nofroth.com> <019201d20eba$7204d170$560e7450$@sixdemonbag.org> <87poo62psu.fsf@alice.fifthhorseman.net> Message-ID: <57DAAE1A.9010104@nofroth.com> On 16-09-14 05:24 PM, Daniel Kahn Gillmor wrote: > Thanks for the very thorough walk-through, Robert. > > Perhaps GnuPG ought to produce some kind of interchangeable backup > automatically on its own that it can re-consume, so this kind of > involved process isn't necessary. > > A couple notes below: > > On Wed 2016-09-14 15:01:47 -0400, Robert J. Hansen wrote: >> The following is the procedure I use on UNIX systems: >> >> First, export all public certificates into a public keyring: >> >> $ gpg --armor --export > pub.asc >> >> Second, export all secret certificates into a secret keyring: >> >> $ gpg --armor --export-secret-keys > priv.asc > > the above two steps should include the arguments "--export-options > export-local" just before "--export". > I am unable to find any references in man to export-local in --export-options except for export-local-sigs. Maybe this is an undocumented parameter to the --export-options option? What is it supposed to do? >> Import your secret certificates: >> >> $ gpg --import < priv.asc >> >> Import your public certificates: >> >> $ gpg --import < pub.asc > > > The above two steps should include the arguments "--import-options > import-local" just before "--import".
> Same here, can't find the parameter import-local, just import-local-sigs > > hth, > > --dkg > Best Regards, Duane -- Duane Whitty duane at nofroth.com

From 2014-667rhzu3dc-lists-groups at riseup.net Thu Sep 15 21:32:32 2016 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Thu, 15 Sep 2016 20:32:32 +0100 Subject: What is a reliable way to backup/restore my keys and test? In-Reply-To: <007601d20f5d$f9a59800$ecf0c800$@sixdemonbag.org> References: <57D96865.8020704@nofroth.com> <019201d20eba$7204d170$560e7450$@sixdemonbag.org> <87poo62psu.fsf@alice.fifthhorseman.net> <57DAAE1A.9010104@nofroth.com> <007601d20f5d$f9a59800$ecf0c800$@sixdemonbag.org> Message-ID: <1647196706.20160915203232@riseup.net> On Thursday 15 September 2016 at 3:32:22 PM, in , Robert J. Hansen wrote:- > But I agree with Daniel that it's important to include those > options if you have local signatures on your keyring. Does exporting local signatures make it somehow more likely they might be accidentally sent to a keyserver? And if they are accidentally sent to a keyserver, does the keyserver strip them because they are marked as non-exportable?
-- Best regards MFPA I think not, said Descartes, and promptly disappeared

From rjh at sixdemonbag.org Thu Sep 15 21:38:50 2016 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 15 Sep 2016 15:38:50 -0400 Subject: What is a reliable way to backup/restore my keys and test? In-Reply-To: <1647196706.20160915203232@riseup.net> References: <57D96865.8020704@nofroth.com> <019201d20eba$7204d170$560e7450$@sixdemonbag.org> <87poo62psu.fsf@alice.fifthhorseman.net> <57DAAE1A.9010104@nofroth.com> <007601d20f5d$f9a59800$ecf0c800$@sixdemonbag.org> <1647196706.20160915203232@riseup.net> Message-ID: <013701d20f88$c985e550$5c91aff0$@sixdemonbag.org> > Does exporting local signatures make it somehow more likely they might be > accidentally sent to a keyserver? No.

From dkg at fifthhorseman.net Thu Sep 15 21:56:41 2016 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Thu, 15 Sep 2016 15:56:41 -0400 Subject: What is a reliable way to backup/restore my keys and test?
In-Reply-To: <1647196706.20160915203232@riseup.net> References: <57D96865.8020704@nofroth.com> <019201d20eba$7204d170$560e7450$@sixdemonbag.org> <87poo62psu.fsf@alice.fifthhorseman.net> <57DAAE1A.9010104@nofroth.com> <007601d20f5d$f9a59800$ecf0c800$@sixdemonbag.org> <1647196706.20160915203232@riseup.net> Message-ID: <87r38l0wee.fsf@alice.fifthhorseman.net> On Thu 2016-09-15 15:32:32 -0400, MFPA wrote: > And if they are accidentally sent to a keyserver, does the keyserver > strip them because they are marked as non-exportable? It should but the current sks keyservers do not do this right, and an attempt to fix this has been stalled for years: https://bitbucket.org/skskeyserver/sks-keyserver/pull-requests/20 sigh, --dkg

From bernhard at intevation.de Fri Sep 16 11:46:08 2016 From: bernhard at intevation.de (Bernhard Reiter) Date: Fri, 16 Sep 2016 11:46:08 +0200 Subject: wiki.gnupg.org theme? In-Reply-To: <201609140921.36015.bernhard@intevation.de> References: <201504211026.21749.bernhard@intevation.de> <201511111235.07600.bernhard@intevation.de> <201609140921.36015.bernhard@intevation.de> Message-ID: <201609161146.08776.bernhard@intevation.de> On Wednesday 14 September 2016 09:21:32, Bernhard Reiter wrote: > Update, we try to change the black to a GnuPG blue and enable > https://moinmo.in/ThemeMarket/memodump as optional theme. You can now enable "memodump" in your personal settings, when logged into wiki.gnupg.org. Color and logo would still need to be adapted. -- www.intevation.de/~bernhard +49 541 33 508 3-3 Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998 Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From thecissou98 at hotmail.fr Fri Sep 16 20:45:23 2016 From: thecissou98 at hotmail.fr (Le Roy Francis) Date: Fri, 16 Sep 2016 18:45:23 +0000 Subject: Call gpg with gpgme Message-ID: Hi, how can I interface directly with gpg via gpgme like in the gpgme_op_edit. Is gpgme_op_spawn of any use in this case ? Is there an equivalent of gpgme_op_assuan_transact_ext for GPG ? Thanks. FLR

From stebe at mailbox.org Fri Sep 16 22:09:00 2016 From: stebe at mailbox.org (Stephan Beck) Date: Fri, 16 Sep 2016 20:09:00 +0000 Subject: :-(( Re: smart card no longer works In-Reply-To: <5b62f4d0-9c70-04c7-206e-0835268c32e1@nordnet.fr> References: <013e01d20a0c$864108a0$92c319e0$@sixdemonbag.org> <014901d20a0e$937e17e0$ba7a47a0$@sixdemonbag.org> <01c63f6e-fa92-d187-107a-6ede0e7bc583@fsij.org> <11ef6de0-8625-a89d-104f-8550f5dcaa55@nordnet.fr> <93bb4c24-20e3-7a86-fd49-a6b344f7b3a3@fsij.org> <30030b1e-5225-84eb-1a97-aa74c41acf97@nordnet.fr> <7d06ac13-fefd-a727-44bc-7537aa3b1352@mailbox.org> <774544b6-8ac5-39fc-06be-1a3ec7f66327@nordnet.fr> <0bdc52cc-41f5-316a-6a72-d33134871ed4@mailbox.org> <5b62f4d0-9c70-04c7-206e-0835268c32e1@nordnet.fr> Message-ID: <239d7378-4296-38c3-c612-9c8d6a49c861@mailbox.org> Hi, Philip Jackson: > On 11/09/16 19:49, Stephan Beck wrote: >> Which type of smartcard do you have? Which gnupg versions were installed >> on the the old system and with which of it did you generate keys? > > > The smartcard is a version2.0 made by ZeitControl and bought from > Kernel-concepts and used with a SCT3512 usb holder from SCM. > > I bought it in or around August / September 2014 and installed it using > UbuntuStudio1404 LTS with gnupg 2.0.22. The keys were generated in 2013 > using the gnupg2 stuff in Windows 7 except for a couple of the sub keys > which were made on the card in October 2014.
> > I guess I'll have to dig in the archives and see if I can find records > of how I got it working back in 2014. > Sorry for the delayed response. It's not enough to simply copy and paste all the files into the new ~/.gnupg directory, as you write you did in your previous mail. You have to run gpg2 with the --import option to import your public key and then (having your smartcard inserted and doing a gpg2 --card-status) generate key stubs for the secret subkeys on the new system. From what you say, it seems that you haven't done this. It's my wild guess that things may have gone wrong there. But as I don't know the detailed steps you took including those with gpg4win on Windows7, I simply refer you to two docs (1,2) I found useful. (1) https://wiki.fsfe.org/Card_howtos/Card_with_subkeys_using_backups (2) https://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard They may talk about other smartcards (I do not promote any!) than you have and/or not match exactly your use case, but are quite detailed and may be useful for detecting whether there is a particular step you might have missed. Stebe

From wk at gnupg.org Sat Sep 17 13:26:31 2016 From: wk at gnupg.org (Werner Koch) Date: Sat, 17 Sep 2016 13:26:31 +0200 Subject: Call gpg with gpgme In-Reply-To: (Le Roy Francis's message of "Fri, 16 Sep 2016 18:45:23 +0000") References: Message-ID: <8760puahso.fsf@wheatstone.g10code.de> On Fri, 16 Sep 2016 20:45, thecissou98 at hotmail.fr said: > Hi, how can I interface directly with gpg via gpgme like in the > gpgme_op_edit. Is gpgme_op_spawn of any use in this case ? Is there an > equivalent of gpgme_op_assuan_transact_ext for GPG ? Yes, you need to implement the callback for gpgme_op_edit (or gpgme_op_interact in the forthcoming 1.7). You probably want to build an FSM for this. If you encounter an unknown keyword simply send a LF, which is what you would have done on the command line too to use the default answer.
For an example on how to build such a thing, check out the file
src/gpgmeedit.c from GPA.

gpgme_op_spawn is of no use for you.


Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From thecissou98 at hotmail.fr Sat Sep 17 13:59:34 2016
From: thecissou98 at hotmail.fr (Le Roy Francis)
Date: Sat, 17 Sep 2016 11:59:34 +0000
Subject: Call gpg with gpgme
In-Reply-To: <8760puahso.fsf@wheatstone.g10code.de>
References: <8760puahso.fsf@wheatstone.g10code.de>
Message-ID:

I have found another way, as my project is based on node js. I use the child_process package to launch gpg. I have already written a function to generate a new key pair directly in a smart card. Nonetheless, if I fail to create a node js function good enough for my needs, I will give your solution a try.

Thanks.
FLR.

On 17 Sept. 2016, at 13:32, Werner Koch wrote:

> On Fri, 16 Sep 2016 20:45, thecissou98 at hotmail.fr said:
>
> > Hi, how can I interface directly with gpg via gpgme like in the
> > gpgme_op_edit. Is gpgme_op_spawn of any use in this case ? Is there an
> > equivalent of gpgme_op_assuan_transact_ext for GPG ?
>
> Yes, you need to implement the callback for gpgme_op_edit (or
> gpgme_op_interact in the forthcoming 1.7). You probably want to build
> an FSM for this. If you encounter an unknown keyword simply send a LF,
> which is what you would have done on the command line too to use the
> default answer.
>
> For an example on how to build such a thing, check out the file
> src/gpgmeedit.c from GPA.
>
> gpgme_op_spawn is of no use for you.
>
>
> Shalom-Salam,
>
>    Werner
From philip.jackson at nordnet.fr Sat Sep 17 15:18:07 2016
From: philip.jackson at nordnet.fr (Philip Jackson)
Date: Sat, 17 Sep 2016 15:18:07 +0200
Subject: :-(( Re: smart card no longer works
In-Reply-To: <239d7378-4296-38c3-c612-9c8d6a49c861@mailbox.org>
References: <013e01d20a0c$864108a0$92c319e0$@sixdemonbag.org> <014901d20a0e$937e17e0$ba7a47a0$@sixdemonbag.org> <01c63f6e-fa92-d187-107a-6ede0e7bc583@fsij.org> <11ef6de0-8625-a89d-104f-8550f5dcaa55@nordnet.fr> <93bb4c24-20e3-7a86-fd49-a6b344f7b3a3@fsij.org> <30030b1e-5225-84eb-1a97-aa74c41acf97@nordnet.fr> <7d06ac13-fefd-a727-44bc-7537aa3b1352@mailbox.org> <774544b6-8ac5-39fc-06be-1a3ec7f66327@nordnet.fr> <0bdc52cc-41f5-316a-6a72-d33134871ed4@mailbox.org> <5b62f4d0-9c70-04c7-206e-0835268c32e1@nordnet.fr> <239d7378-4296-38c3-c612-9c8d6a49c861@mailbox.org>
Message-ID:

On 16/09/16 22:09, Stephan Beck wrote:
> Sorry for the delayed response.
> It's not enough to simply copy and paste all the files into the new
> ~/.gnupg directory, as you write you did in your previous mail. You have
> to run gpg2 with the --import option to import your public key and then
> (having your smartcard inserted and doing a gpg2 --card-status) generate
> key stubs for the secret subkeys on the new system. From what you say, it
> seems that you haven't done this. It's my wild guess that things may
> have gone wrong there.

Thank you Stephan - got it working. For the record, I did not undo
anything that I had previously done. Just left the installation as it
was then did :

gpg2 --import /path-to-my-key/mykey.asc
inserted smartcard
gpg2 --card-status

then run tests. Can now sign and encrypt emails, sign and encrypt and
decrypt files although verify on its own causes me a problem but I
shouldn't think that is connected with the smartcard.

Thanks.

Philip
From thecissou98 at hotmail.fr Sat Sep 17 19:13:55 2016
From: thecissou98 at hotmail.fr (Le Roy Francis)
Date: Sat, 17 Sep 2016 17:13:55 +0000
Subject: Call gpg with gpgme
In-Reply-To:
References: <8760puahso.fsf@wheatstone.g10code.de>
Message-ID:

My snippet works just fine if not for the pinentry. Is there a way of avoiding the pinentry pop-up and enter the pin in STDIN ? Is gpg --pinentry-mode loopback of any use ?

Thanks.
FLR.

On 17/09/2016 at 13:59, Le Roy Francis wrote:
> I have found another way, as my project is based on node js. I use the
> child_process package to launch gpg. I have already written a function to
> generate a new key pair directly in a smart card. Nonetheless, if I fail
> to create a node js function good enough for my needs, I will give your
> solution a try.
>
> Thanks.
> FLR.
>
> On 17 Sept. 2016, at 13:32, Werner Koch wrote:
>
> On Fri, 16 Sep 2016 20:45, thecissou98 at hotmail.fr said:
>
> Hi, how can I interface directly with gpg via gpgme like in the
> gpgme_op_edit. Is gpgme_op_spawn of any use in this case ? Is
> there an
> equivalent of gpgme_op_assuan_transact_ext for GPG ?
>
>
> Yes, you need to implement the callback for gpgme_op_edit (or
> gpgme_op_interact in the forthcoming 1.7). You probably want to build
> an FSM for this. If you encounter an unknown keyword simply send a LF,
> which is what you would have done on the command line too to use the
> default answer.
>
> For an example on how to build such a thing, check out the file
> src/gpgmeedit.c from GPA.
>
> gpgme_op_spawn is of no use for you.
>
>
> Shalom-Salam,
>
> Werner
>
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>

From thn64394 at protonmail.com Sat Sep 17 17:01:50 2016
From: thn64394 at protonmail.com (Thn64394)
Date: Sat, 17 Sep 2016 11:01:50 -0400
Subject: About encrypting files
Message-ID:

Hi,

I always use GpgEX and Kleopatra to encrypt my files. However, I just wonder how my files are encrypted. Will my files be encrypted with the symmetric cryptography first, then use the Public-key cryptography to encrypt symmetric key? Or, the whole of my files are encrypted with the Public-key cryptography?

Thank you,
Adam

From arbiel.perlacremaz at gmx.fr Sat Sep 17 22:40:43 2016
From: arbiel.perlacremaz at gmx.fr (Arbiel (gmx))
Date: Sat, 17 Sep 2016 22:40:43 +0200
Subject: Signing and symmetrically encrypting files
In-Reply-To: <201609150911.20415.bernhard@intevation.de>
References: <57D944A7.7050707@gmx.fr> <57D96CBB.8020605@gmx.fr> <201609150911.20415.bernhard@intevation.de>
Message-ID:

Hi Bernhard

I eventually changed my mind as I haven't found out how to extract the source document from a signed one. So I decided to proceed with detached signatures applied, as you suggest, on the source documents and not on the crypted ones.

Regarding asymmetric versus symmetric cryptography, I stick with the latter one, which allows me to crypt a document only once with a single key, a "document-key", and either transfer the asymmetrically crypted document-key to recipients whom I know their public keys, or its symmetrically crypted value with a permanent password specific to each of the other recipients I share their passwords with. I don't know yet how to share and manage these passwords.
I finally download on the public server an archive containing the document-key symmetrically-crypted document, the clear document signature and the bunch of asymmetrically or symmetrically crypted document-keys, and send messages, "release notifications", to inform the recipients a new document has been released on the server.

I'm still wondering how each of them will know the specific file they have to decrypt to get the document-key. That is, I haven't yet figured out whether or not to keep the list of recipients secret. I can obviously consider to provide the information in the release-notification e-mail, but I don't know if e-mail clients can handle symmetrically crypted messages.

Thanks again for your help.

On 15/09/2016 at 09:11, Bernhard Reiter wrote:
> Hi Arbiel,
>
> On Wednesday 14 September 2016 17:28:59, Arbiel (gmx) wrote:
>> Asymmetric encryption requires the recipients to use my public key to
>> get access the documents, whereas symmetric encryption only requires
>> them to key in the encryption key.
>
> for decryption, only the private key of the recipient is needed.
> Typing in that passphrase is as difficult (or easy) as typing in the symmetric
> key. Of course asymmetric crypto would need them to create a key-pair first.
> But symmetric encryption has the problem of you needing to transfer the keys
> each time.
>
>> Obviously the recipients who are not
>> confident enough with using asymmetric encryption won't be able to
>> verify the authenticity of the documents, but this a least drawback.
>>
>> However, if I can't sign and encrypt in a single step, I'll sign and
>> then symmetrically encrypt the signed document, or the other way around.
>
> Usually you sign first and then encrypt. This way the signature stays
> verifiable even after decryption.
>
>> I forgot to write that I want the process (sign and encrypt) to proceed
>> without any keyboard-typing.
>
> A passphrase is not needed for asymmetric encryption.
> It is only needed to unlock your private key for signing.
> If you want to build an automated system, one way is to just have a private
> key without passphrase (and secure the system). There are other ways of
> course.
>
>> My previous message seems to have been a HTML message. I unchecked the
>> control and hope this answer is a clear text message
>
> Yes, it is. :)
>
>
> Best Regards,
> Bernhard

From rjh at sixdemonbag.org Sat Sep 17 23:57:15 2016
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sat, 17 Sep 2016 17:57:15 -0400
Subject: About encrypting files
In-Reply-To:
References:
Message-ID:

> However, i just wonder how my files are encrypted.

The data is encrypted with a symmetric cipher, then the symmetric key is encrypted with the recipient's public key.

It's possible to do purely symmetric encryption, but this isn't the default.

From techlist at 123mail.org Sun Sep 18 15:09:45 2016
From: techlist at 123mail.org (techlist at 123mail.org)
Date: Sun, 18 Sep 2016 15:09:45 +0200
Subject: Is creating GPG keys with MailVelope as secure as using a program?
Message-ID: <1474204185.3061276.729231969.5EC96068@webmail.messagingengine.com>

I installed MailVelope not long ago and I was wondering if creating my GPG keys with this extension within the browser is as secure as installing a GPG program in my computer to do this and then import the keys.

I also see that key creation settings in MailVelope is fixed at RSA 4096bit and it can not be changed. But this is fine, I don't really care about settings, I am only concerned about security.

From wk at gnupg.org Mon Sep 19 08:55:35 2016
From: wk at gnupg.org (Werner Koch)
Date: Mon, 19 Sep 2016 08:55:35 +0200
Subject: What is a reliable way to backup/restore my keys and test?
In-Reply-To: <57D96865.8020704@nofroth.com> (Duane Whitty's message of "Wed, 14 Sep 2016 12:10:29 -0300")
References: <57D96865.8020704@nofroth.com>
Message-ID: <87shsw7508.fsf@wheatstone.g10code.de>

On Wed, 14 Sep 2016 17:10, duane at nofroth.com said:

> Once I have completed my OS upgrade how do I restore my keys and the
> trust levels assigned to them?

If you restore the backup of ~/.gnupg (with all sub directories) with the right permissions (tar xpf) you should be done. GnuPG stores all its data in a machine independent format and thus a copy of the directory works on all platforms.

For cleanness, you may not want to exclude ~/.gnupg/random_seed from the backup or delete that file from the target box after restoring.

> I use Thunderbird/Enigmail which is using gpg2 but I originally
> created my key pair using gpg 1.4. Does this have any ramifications?

No. If you start using gnupg 2.1 the secret keys will be automatically migrated to the new format (the old secring.gpg will be kept but not used by 2.1).


Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From bks00016 at gmail.com Mon Sep 19 05:36:36 2016
From: bks00016 at gmail.com (aguy whowrites)
Date: Mon, 19 Sep 2016 15:36:36 +1200
Subject: Checking Integrity of GPG4Windows
Message-ID:

Hi,

Not sure if this is the right place or if I will get a reply or if I will have to check the mailing list for replies but I'm going to give it a try.

I am trying to install GPG4Windows and want to check the integrity of GPG but am struggling to follow the instructions at the site: https://www.gnupg.org/download/integrity_check.html

I am trying to follow the instructions for not having an old version of GPG installed, however where do I enter the following code they suggest and how do I modify it for my GPG4Windows executable file? What program do I use? Keep in mind I don't have an old version of GPG installed.

sha1sum gnupg-2.0.30.tar.bz2

To be clear I do not have an old version of GPG installed.

From justus at g10code.com Mon Sep 19 11:11:39 2016
From: justus at g10code.com (Justus Winter)
Date: Mon, 19 Sep 2016 11:11:39 +0200
Subject: Call gpg with gpgme
In-Reply-To:
References: <8760puahso.fsf@wheatstone.g10code.de>
Message-ID: <8760pstfsk.fsf@europa.jade-hamburg.de>

Hi,

Le Roy Francis writes:
> My snippet works just fine if not for the pinentry.

Please reconsider. Your code may work today, but if you are not using gpgme, it will likely break in the future.

> Is there a way of
> avoiding the pinentry pop-up and enter the pin in STDIN ? Is gpg
> --pinentry-mode loopback of any use ?

Yes.


Cheers,
Justus
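
For the "Call gpg with gpgme" thread above, this added example (not code from GPA, GPGME or any poster) sketches the state machine Werner describes for a Node.js caller that reads gpg's `--status-fd` lines and answers on `--command-fd`, including his rule of sending a bare LF for an unknown keyword. The class and function names are hypothetical, the status transcript is constructed, and the script assumes the prompt keywords gpg uses for the `trust` dialogue of `--edit-key`.

```javascript
'use strict';

// Status codes after which gpg waits for an answer on --command-fd.
const PROMPTS = new Set(['GET_LINE', 'GET_BOOL', 'GET_HIDDEN']);

// Script for "trust, 5, confirm, quit": state -> prompt keyword -> action.
// Keywords are assumed to be those of gpg's ownertrust dialogue.
const TRUST_ULTIMATE = {
  START:   { 'keyedit.prompt': { send: 'trust', next: 'VALUE' } },
  VALUE:   { 'edit_ownertrust.value': { send: '5', next: 'CONFIRM' } },
  CONFIRM: { 'edit_ownertrust.set_ultimate.okay': { send: 'Y', next: 'QUIT' } },
  QUIT:    { 'keyedit.prompt': { send: 'quit', next: 'DONE' } },
  DONE:    { 'keyedit.save.okay': { send: 'Y', next: 'DONE' } },
};

// Constructed transcript of what gpg could print on the status fd.
const SAMPLE_STATUS = [
  '[GNUPG:] GET_LINE keyedit.prompt',
  '[GNUPG:] GOT_IT',
  '[GNUPG:] GET_LINE edit_ownertrust.value',
  '[GNUPG:] GOT_IT',
  '[GNUPG:] GET_BOOL edit_ownertrust.set_ultimate.okay',
  '[GNUPG:] GOT_IT',
  '[GNUPG:] GET_LINE keyedit.prompt',
  '[GNUPG:] GOT_IT',
];

// Parse one "[GNUPG:] CODE args..." line; anything else yields null.
function parseStatus(line) {
  const m = /^\[GNUPG:\] (\S+)(?: (.*))?$/.exec(line.trim());
  return m ? { code: m[1], args: m[2] ? m[2].split(' ') : [] } : null;
}

class EditFsm {
  constructor(script, maxDefaults = 3) {
    this.script = script;
    this.state = 'START';
    this.maxDefaults = maxDefaults;
    this.defaults = 0; // consecutive bare-LF answers
  }

  // Returns the text to write to the command fd, or null if none is due.
  feed(line) {
    const st = parseStatus(line);
    if (!st || !PROMPTS.has(st.code)) return null; // informational line
    const action = (this.script[this.state] || {})[st.args[0]];
    if (action) {
      this.state = action.next;
      this.defaults = 0;
      return action.send + '\n';
    }
    // Unknown keyword: take the default answer with a bare LF, but give up
    // if gpg keeps asking, so the session cannot loop forever.
    if (++this.defaults > this.maxDefaults) {
      throw new Error(`stuck at "${st.args[0]}" in state ${this.state}`);
    }
    return '\n';
  }
}

// Run a transcript through the FSM and collect what would be sent.
function replay(lines, script = TRUST_ULTIMATE) {
  const fsm = new EditFsm(script);
  const sent = [];
  for (const line of lines) {
    const reply = fsm.feed(line);
    if (reply !== null) sent.push(reply);
  }
  return { sent, state: fsm.state };
}

// Wiring for a real session: status lines on fd 3, commands on stdin.
function spawnEdit(keyId, script = TRUST_ULTIMATE) {
  const { spawn } = require('node:child_process');
  const readline = require('node:readline');
  const gpg = spawn('gpg',
    ['--no-tty', '--status-fd', '3', '--command-fd', '0', '--edit-key', keyId],
    { stdio: ['pipe', 'ignore', 'inherit', 'pipe'] });
  const fsm = new EditFsm(script);
  readline.createInterface({ input: gpg.stdio[3] }).on('line', (line) => {
    try {
      const reply = fsm.feed(line);
      if (reply !== null) gpg.stdin.write(reply);
    } catch (err) {
      gpg.kill(); // unexpected dialogue: stop rather than guess
    }
  });
  return gpg;
}
```

`replay(SAMPLE_STATUS)` shows the answers without starting gpg; `spawnEdit` is only the wiring and changes ownertrust on the key it is given.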

From stebe at mailbox.org Mon Sep 19 13:02:00 2016
From: stebe at mailbox.org (Stephan Beck)
Date: Mon, 19 Sep 2016 11:02:00 +0000
Subject: :-(( Re: smart card no longer works
In-Reply-To:
References: <013e01d20a0c$864108a0$92c319e0$@sixdemonbag.org> <014901d20a0e$937e17e0$ba7a47a0$@sixdemonbag.org> <01c63f6e-fa92-d187-107a-6ede0e7bc583@fsij.org> <11ef6de0-8625-a89d-104f-8550f5dcaa55@nordnet.fr> <93bb4c24-20e3-7a86-fd49-a6b344f7b3a3@fsij.org> <30030b1e-5225-84eb-1a97-aa74c41acf97@nordnet.fr> <7d06ac13-fefd-a727-44bc-7537aa3b1352@mailbox.org> <774544b6-8ac5-39fc-06be-1a3ec7f66327@nordnet.fr> <0bdc52cc-41f5-316a-6a72-d33134871ed4@mailbox.org> <5b62f4d0-9c70-04c7-206e-0835268c32e1@nordnet.fr> <239d7378-4296-38c3-c612-9c8d6a49c861@mailbox.org>
Message-ID: <124ed774-2688-b9d7-f890-97bef8eee28a@mailbox.org>

Philip Jackson:
> On 16/09/16 22:09, Stephan Beck wrote:
>> Sorry for the delayed response.
>> It's not enough to simply copy and paste all the files into the new
>> ~/.gnupg directory, as you write you did in your previous mail. You have
>> to run gpg2 with the --import option to import your public key and then
>> (having your smartcard inserted and doing a gpg2 --card-status) generate
>> key stubs for the secret subkeys on the new system. From what you say, it
>> seems that you haven't done this. It's my wild guess that things may
>> have gone wrong there.
>
> Thank you Stephan - got it working. For the record, I did not undo
> anything that I had previously done. Just left the installation as it
> was then did :
>
> gpg2 --import /path-to-my-key/mykey.asc
> inserted smartcard
> gpg2 --card-status
>
> then run tests. Can now sign and encrypt emails, sign and encrypt and
> decrypt files although verify on its own causes me a problem but I
> shouldn't think that is connected with the smartcard.

Another wild guess: maybe it's because the ownertrust values of your own
public key have not been imported together with the key. You have to
reassign trust.
Try
gpg2 --edit-key [yourkeyID]
gpg> trust
5

Another way (I forgot to mention this in my previous mail)
is to import your key with
gpg2 --import-keep-ownertrust [yourkeyID]

Then the ownertrust value is being imported as well.

Does it change anything with respect to your verification problems?

HTH

Stephan

From juanmi.3000 at gmail.com Mon Sep 19 16:37:03 2016
From: juanmi.3000 at gmail.com (Juan Miguel Navarro Martínez)
Date: Mon, 19 Sep 2016 16:37:03 +0200
Subject: Checking Integrity of GPG4Windows
In-Reply-To:
References:
Message-ID: <9476204f-317b-f53c-aa7b-747c6101af75@gmail.com>

On 2016-09-19 at 05:36, aguy whowrites wrote:
> I am trying to follow the instructions for not having an old version of
> GPG installed, however where do I enter the following code they suggest
> and how do I modify it for my GPG4Windows executable file? What program
> do I use? Keep in mind I don't have an old version of GPG installed.

You need to use a checksum software for it. Usually it would be md5sum or shaXsum, as the page you shared tells, but Windows does not have those natively. You'll have to download a compiled binary of those elsewhere.

Fortunately, there's a native tool for computing hash on Windows, but you'll need to manually compare both hashes yourself or have a script do that for you.

By opening a CMD or Powershell console and entering:

certutil -hashfile [PATH\TO\]FILE ALGORITHM

It will output the hash separated by spaces of the file using the algorithm specified on the command (ex: MD5, SHA1, SHA256 and SHA512).

Also, Powershell has the Get-FileHash command which, by using the next command, you can compare file hashes easily:

if ("HASH" -eq (Get-FileHash -Algorithm ALGO -Path FILE).Hash) { echo "OK" } else { echo "Hash mismatch" }

Where HASH is the hash you want to check, ALGO is the algorithm for the hash you want to compute/check and FILE is the path to the file you want to compute/check the hash. If it says "OK" then you have the correct file.

If all this seems complicated you can also use third-party software alternatives:

* [Easy] Install and use any GUI checksum software like HashTab or HashCheck to name two. HashTab integrates to the explorer so by right-clicking on a file, going to its properties and going to the File Hashes tab it will show a list of hashes and you can compare the hash in that same tab.

* [Moderate] Install Git for Windows which should install the *sum software and you can just do the command on that page.

* [Moderate] Cygwin also has them when you install it but it may be confusing to use as Cygwin's home is different than your user one and to access a drive you must use cd /cygdrive/c/path/to/file (if it's on C, else use the other letter). Other than that, it's similar to using Git for Windows.

* [Advanced; Windows 10 Build 1511 or greater] Not a third party software. Install Windows Subsystem for Linux (WSL) which should have the *sum software. It requires you to know how to mount a system on Unix, as WSL has no access to the files in C: or any other drives initially.

There are other alternatives but those are some I'd recommend.

At last, if you trust me I haven't modified these files, you can download the portable checksum binaries from this folder. I wish I could credit the one that built them but Google is giving me no results.

https://keybase.pub/starkythefox/checksum-software/

No need for installation, just download and use CMD or Powershell console, go to the folder where you downloaded them with "cd path\to\folder" and use the specific binary for the algorithm.

Feel free to ask anything if you still need help.

--
Juan Miguel Navarro Martínez

GPG Keyfingerprint:
5A91 90D4 CF27 9D52 D62A BC58 88E2 947F 9BC6 B3CF

From flapflap at riseup.net Mon Sep 19 15:33:00 2016
From: flapflap at riseup.net (flapflap)
Date: Mon, 19 Sep 2016 13:33:00 +0000
Subject: Checking Integrity of GPG4Windows
In-Reply-To:
References:
Message-ID: <0460402e-3d25-abc7-e37e-39014a5cd646@riseup.net>

Hi,

aguy whowrites:
> Not sure if this is the right place or if I will get a reply or if I will
> have to check the mailing list for replies but I'm going to give it a try.
>
> I am trying to install GPG4Windows and want to check the integrity of GPG
> but am struggling to follow the instructions at the site:
> https://www.gnupg.org/download/integrity_check.html
>
> I am trying to follow the instructions for not having an old version of GPG
> installed, however where do I enter the following code they suggest and how
> do I modify it for my GPG4Windows executable file? What program do I use?
> Keep in mind I don't have an old version of GPG installed.
>
> sha1sum gnupg-2.0.30.tar.bz2

That is the command for Linux/Unix systems.
If you are under Windows, you'll use

certutil -hashfile FileToHash.ext sha1

(via https://technet.microsoft.com/en-us/library/cc732443.aspx#BKMK_hashfile)

In your case (gpg4win), your "FileToHash.ext" is most likely "gpg4win-2.3.3.exe" (depends on the package you downloaded from gpg4win.org).

1. launch "cmd.exe" (e.g. via start menu)
2. type the command
   certutil -hashfile gpg4win-2.3.3.exe sha1
3.
press [enter] to start the command
4. compare the output with the "SHA1 checksum" for your file listed on https://www.gpg4win.org/package-integrity.html

Cheers,
~flapflap

From wk at gnupg.org Tue Sep 20 10:02:27 2016
From: wk at gnupg.org (Werner Koch)
Date: Tue, 20 Sep 2016 10:02:27 +0200
Subject: Checking Integrity of GPG4Windows
In-Reply-To: <9476204f-317b-f53c-aa7b-747c6101af75@gmail.com> ("Juan Miguel Navarro Martínez"'s message of "Mon, 19 Sep 2016 16:37:03 +0200")
References: <9476204f-317b-f53c-aa7b-747c6101af75@gmail.com>
Message-ID: <87d1jzvw18.fsf@wheatstone.g10code.de>

On Mon, 19 Sep 2016 16:37, juanmi.3000 at gmail.com said:

> If all this seems complicated you can also use third-party software
> alternatives:

Also [Easy] as long as you trust the GnuPG server or build it yourself:

  https://gnupg.org/ftp/gcrypt/binary/sha1sum.exe

Source is

  https://gnupg.org/ftp/gcrypt/binary/sha1sum.c

SHA-1 checksum from the tool itself:

  4a578ecd09a2d0c8431bdd8cf3d5c5f3ddcddfc9  sha1sum.exe

but as with all other tools (maybe except for certutil) this is a Catch-22.


Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From janprunk at gmail.com Tue Sep 20 09:13:25 2016
From: janprunk at gmail.com (Jan Prunk)
Date: Tue, 20 Sep 2016 09:13:25 +0200
Subject: Smartcard reader Precise Biometrics 200 MC
Message-ID:

Hello,

I am wondering if the smartcard reader "Precise Biometrics 200 MC" [1] is among the supported readers to be used with GnuPG ? Is there a guideline to follow for setting it up ?

1 - http://precisebiometrics.com/wp-content/uploads/2014/11/ProductSheetPrecise200MC.pdf

Kind regards,
Jan Prunk

--
Jan Prunk http://prunk.si
PGP Pubkey http://prunk.si/0x9FD7F151.txt
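
For the "Checking Integrity of GPG4Windows" thread above, this added example (not from any poster or from the GnuPG project) automates the manual comparison step: it parses `certutil -hashfile` output and a published `<hash> <file>` line and reports why a check fails. Function names are hypothetical, the certutil output is constructed in the English "spaced pairs" layout Juan describes, and the checksum is the `sha1sum.exe` value quoted in Werner's message.

```javascript
'use strict';

// Hex digits per digest for the algorithms named in the thread.
const HEX_LEN = { MD5: 32, SHA1: 40, SHA256: 64, SHA512: 128 };

// Checksum line as quoted in the thread: "<hash> <file>".
const PUBLISHED = '4a578ecd09a2d0c8431bdd8cf3d5c5f3ddcddfc9  sha1sum.exe';

// Build constructed certutil output (header, spaced digest, footer).
// The exact layout is an assumption; newer Windows prints no spaces.
function sampleCertutil(algo, file, hex) {
  return [
    `${algo} hash of file ${file}:`,
    hex.match(/../g).join(' '),
    'CertUtil: -hashfile command completed successfully.',
  ].join('\r\n');
}

// Parse a published "<hex digest> <file name>" line (sha1sum style).
function parsePublished(line) {
  const m = /^\s*([0-9a-fA-F]+)\s+\*?(\S+)\s*$/.exec(line);
  if (!m) throw new Error('expected "<hex digest> <file name>"');
  return { hash: m[1].toLowerCase(), file: m[2] };
}

// Extract algorithm, file name and digest from certutil output.
function parseCertutil(output) {
  const lines = output.split(/\r?\n/).map((l) => l.trim()).filter(Boolean);
  const head = /^(\w+) hash of (?:file )?(.+):$/.exec(lines[0] || '');
  if (!head) throw new Error('no "<ALGO> hash of ..." header; certutil may have failed');
  // The digest line is hex pairs, with or without separating spaces.
  const digest = lines.slice(1)
    .find((l) => /^[0-9a-fA-F]{2}( ?[0-9a-fA-F]{2})*$/.test(l));
  if (!digest) throw new Error('no digest line in certutil output');
  return {
    algo: head[1].toUpperCase(),
    file: head[2].split(/[\\/]/).pop(), // drop any directory part
    hash: digest.replace(/ /g, '').toLowerCase(),
  };
}

// Compare certutil output with the published line and explain failures.
function verifyDownload(certutilOutput, publishedLine) {
  const want = parsePublished(publishedLine);
  const got = parseCertutil(certutilOutput);
  const len = HEX_LEN[got.algo];
  if (!len) return { ok: false, reason: 'unknown-algorithm' };
  if (got.hash.length !== len) return { ok: false, reason: 'truncated-output' };
  // A SHA256 run can never match a published SHA-1 value: flag it as a
  // usage error instead of reporting a tampered file.
  if (want.hash.length !== len) return { ok: false, reason: 'algorithm-mismatch' };
  if (got.file.toLowerCase() !== want.file.toLowerCase()) {
    return { ok: false, reason: 'wrong-file' };
  }
  if (got.hash !== want.hash) return { ok: false, reason: 'hash-mismatch' };
  return { ok: true, reason: 'match' };
}
```

A match only shows that the download equals what the checksum page lists, which is the Catch-22 Werner points out; the GPGME announcement in this archive recommends checking the provided signature instead.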

From gniibe at fsij.org Tue Sep 20 11:15:28 2016
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Tue, 20 Sep 2016 18:15:28 +0900
Subject: Smartcard reader Precise Biometrics 200 MC
In-Reply-To:
References:
Message-ID: <64668c21-4209-7d80-57d8-a857d07c8c38@fsij.org>

On 09/20/2016 04:13 PM, Jan Prunk wrote:
> I am wondering if the smartcard reader "Precise Biometrics 200 MC" [1]
> is among the supported readers to be used with GnuPG ? Is there a
> guideline to follow for setting it up ?

For the reader, I found this discussion in 2010:

http://musclecard.996296.n3.nabble.com/pcsc-lite-ccid-Precise-MC-200-problems-with-T-1-td4543.html

It seemed that it became "unsupported" by PC/SC lite. So, it is highly likely not working with GnuPG.

Well, I maintain this list:

https://wiki.debian.org/GnuPG/CCID_Driver

Please install scdaemon. Your operating system may require some other permission settings. For example, Debian GNU/Linux has:

/lib/udev/rules.d/60-scdaemon.rules

If your reader is not listed in such a file, you need your own settings.
--

From philip.jackson at nordnet.fr Tue Sep 20 22:43:17 2016
From: philip.jackson at nordnet.fr (Philip Jackson)
Date: Tue, 20 Sep 2016 22:43:17 +0200
Subject: :-(( Re: smart card no longer works
In-Reply-To: <124ed774-2688-b9d7-f890-97bef8eee28a@mailbox.org>
References: <013e01d20a0c$864108a0$92c319e0$@sixdemonbag.org> <014901d20a0e$937e17e0$ba7a47a0$@sixdemonbag.org> <01c63f6e-fa92-d187-107a-6ede0e7bc583@fsij.org> <11ef6de0-8625-a89d-104f-8550f5dcaa55@nordnet.fr> <93bb4c24-20e3-7a86-fd49-a6b344f7b3a3@fsij.org> <30030b1e-5225-84eb-1a97-aa74c41acf97@nordnet.fr> <7d06ac13-fefd-a727-44bc-7537aa3b1352@mailbox.org> <774544b6-8ac5-39fc-06be-1a3ec7f66327@nordnet.fr> <0bdc52cc-41f5-316a-6a72-d33134871ed4@mailbox.org> <5b62f4d0-9c70-04c7-206e-0835268c32e1@nordnet.fr> <239d7378-4296-38c3-c612-9c8d6a49c861@mailbox.org> <124ed774-2688-b9d7-f890-97bef8eee28a@mailbox.org>
Message-ID:

On 19/09/16 13:02, Stephan Beck wrote:
>> then run tests.
Can now sign and encrypt emails, sign and encrypt and
>> > decrypt files although verify on its own causes me a problem but I
>> > shouldn't think that is connected with the smartcard.
> Another wild guess: maybe it's because the ownertrust values of your own
> public key have not been imported together with the key. You have to
> reassign trust.
> Try
> gpg2 --edit-key [yourkeyID]
> gpg> trust
> 5
>
> Another way (I forgot to mention this in my previous mail)
> is to import your key with
> gpg2 --import-keep-ownertrust [yourkeyID]
>
> Then the ownertrust value is being imported as well.

Yes, Stephan, that seems to have solved the issues I had with verification. The command you suggested does not work as you wrote it - I got words to the effect that the command was not recognised.

After consulting man gpg2, I tried the following and this worked.

gpg2 --import --import-options keep-ownertrust ~/path-to-my-key/mykey.sec.asc

Thanks,
Philip

From wk at gnupg.org Wed Sep 21 09:24:58 2016
From: wk at gnupg.org (Werner Koch)
Date: Wed, 21 Sep 2016 09:24:58 +0200
Subject: Local-signing without (offline) private master key
In-Reply-To: <44613390-ce27-3634-f615-52ab9d64515f@colomb.de> ("André Colomb"'s message of "Thu, 15 Sep 2016 09:17:22 +0200")
References: <0962656f-20d8-4901-475a-9f8623d19328@colomb.de> <44613390-ce27-3634-f615-52ab9d64515f@colomb.de>
Message-ID: <877fa5vho5.fsf@wheatstone.g10code.de>

On Thu, 15 Sep 2016 09:17, andre at colomb.de said:

> Did I miss some option here, or are any such additions planned?

If you use the key and gpg detects a conflict, it shows you a lot of info. For a per key output you need to run

  gpg --with-tofu-info --with-colons --trust-mode=tofu+pgp -k USERID

which emits the new "tfs" records. However, this requires the latest version.


Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Wed Sep 21 09:28:22 2016
From: wk at gnupg.org (Werner Koch)
Date: Wed, 21 Sep 2016 09:28:22 +0200
Subject: Javascript and smartcard
In-Reply-To: (Le Roy Francis's message of "Wed, 14 Sep 2016 15:23:29 +0000")
References: <878tuwd8nm.fsf@alice.fifthhorseman.net> <877fagm7a8.fsf@wheatstone.g10code.de>
Message-ID: <8737ktvhih.fsf@wheatstone.g10code.de>

On Wed, 14 Sep 2016 17:23, thecissou98 at hotmail.fr said:
> Hi, I am trying to build a node.js module to interact with the smart
> card. I code the add-on in c++ with gpgme. Is there any way on knowing
> if the card is connected with gpgme?

Yes, you can use the Assuan protocol to directly talk to scdaemon via gpg-agent. GPGME has support for this, albeit not documented. gpa/src/cardman.c uses this feature.

For testing you can employ gpg-connect-agent, for example:

  gpg-connect-agent 'scd serialno' /bye


Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Wed Sep 21 10:23:44 2016
From: wk at gnupg.org (Werner Koch)
Date: Wed, 21 Sep 2016 10:23:44 +0200
Subject: [Announce] GnuPG Made Easy (GPGME) 1.7.0 released
Message-ID: <87shstu0dr.fsf@wheatstone.g10code.de>

Hello!

We are pleased to announce version 1.7.0 of GPGME.

GnuPG Made Easy (GPGME) is a C language library that allows to add support for cryptography to a program. It is designed to make access to public key crypto engines as included in GnuPG easier for applications. GPGME provides a high-level crypto API for encryption, decryption, signing, signature verification, and key management.


Noteworthy changes in version 1.7.0
===================================

 * New language bindings for Python 2 and 3.
   See

 * New language bindings for C++ and the Qt-Framework API.

 * New functions gpgme_op_createkey and gpgme_op_createsubkey to make
   key creation easier (requires GnuPG 2.1).

 * New functions gpgme_op_adduid and gpgme_op_revuid to make user id
   management easier (requires GnuPG 2.1).

 * New function gpgme_op_keysign to make key signing easier (requires
   GnuPG 2.1).

 * New function gpgme_op_interact to replace the now deprecated
   functions gpgme_op_edit and gpgme_op_card_edit.

 * New function gpgme_pubkey_algo_string to convert a public key
   algorithm into a GnuPG 2.1 style string.

 * Support for GnuPG 2.1's TOFU trust model.

 * Notation flags are now correctly set on verify.

 * New global flag "require-gnupg" to set a minimal gnupg version.

 * More supported items in gpgme_get_dirinfo.

 * New function gpgme_data_set_flag and flag "size-hint".

 * New function gpgme_set_ctx_flag and flags "full-status" and
   "raw-description".

 * Improved gpgme_data_identify to distinguish more file types.

 * New flag GPGME_ENCRYPT_SYMMETRIC for gpgme_op_encrypt to allow
   mixed public key and symmetric encryption.

 * New field KEYGRIP in gpgme_subkey_t. New fields FPR in gpgme_key_t.

 * New flag GPGME_DATA_ENCODING_MIME to declare that the encrypted or
   signed data is a valid MIME part. This is to support future GnuPG
   versions.


Download
========

You may download this library and its OpenPGP signature from:

  ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.7.0.tar.bz2 (1252k)
  ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.7.0.tar.bz2.sig

or

  https://gnupg.org/ftp/gcrypt/gpgme/gpgme-1.7.0.tar.bz2 (1252k)
  https://gnupg.org/ftp/gcrypt/gpgme/gpgme-1.7.0.tar.bz2.sig

The SHA-1 checksum is

  41030f0f317100af6e9a1a05a4b0218aee684d8a  gpgme-1.7.0.tar.bz2

but you better check the integrity using the provided signature. See https://gnupg.org/download/integrity_check.html for details.


Support
=======

Please consult the archive of the gnupg-devel mailing list before reporting a bug .
We suggest to send bug reports for a new release to this list in favor of filing a bug at . If you need commercial support check out .

Maintenance and development of GnuPG is mostly financed by donations. The GnuPG project employs 3 full-time developers, one part-timer, and one contractor. They all work exclusively on GnuPG and closely related software like Libgcrypt and GPA. Please consider to donate via:

  https://gnupg.org/donate/


Thanks
======

We have to thank all the people who helped with this release, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word, answering questions on the mailing lists, and donating money. Special thanks to Justus Winter and Andre Heinecke for integrating the Python and C++/Qt language bindings.


For the GnuPG team,

   Werner


p.s.
This is an announcement only mailing list. Please send replies only to the gnupg-devel 'at' gnupg.org mailing list.

p.p.s
List of Release Signing Keys:

To guarantee that a downloaded GnuPG version has not been tampered by malicious entities we provide signature files for all tarballs and binary versions. The keys are also signed by the long term keys of their respective owners.
Current releases are signed by one or more of these four keys:

  2048R/4F25E3B6 2011-01-12 [expires: 2019-12-31]
  Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
  Werner Koch (dist sig)

  rsa2048/E0856959 2014-10-29 [expires: 2019-12-31]
  Key fingerprint = 46CC 7308 65BB 5C78 EBAB ADCF 0437 6F3E E085 6959
  David Shaw (GnuPG Release Signing Key)

  rsa2048/33BD3F06 2014-10-29 [expires: 2016-10-28]
  Key fingerprint = 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06
  NIIBE Yutaka (GnuPG Release Key)

  rsa2048/7EFD60D9 2014-10-19 [expires: 2020-12-31]
  Key fingerprint = D238 EA65 D64C 67ED 4C30 73F2 8A86 1B1C 7EFD 60D9
  Werner Koch (Release Signing Key)

You may retrieve these keys from a keyserver using this command

  gpg --keyserver hkp://keys.gnupg.net --recv-keys \
      249B39D24F25E3B6 04376F3EE0856959 \
      2071B08A33BD3F06 8A861B1C7EFD60D9

The keys are also available at https://gnupg.org/signature_key.html and in any recently released GnuPG tarball in the file g10/distsigkey.gpg . Note that this mail has been signed by a different key.

--
Thoughts are free. Exceptions are regulated by a federal law.
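The integrity check the announcement asks for, written out as an added example (not code from the GnuPG project): it pins the four fingerprints and the SHA-1 value printed above and applies them to gpg's `--status-fd` output. The sample status lines are constructed, and the function names are hypothetical.

```python
"""Pin the announcement's release keys when verifying a downloaded tarball."""
import hashlib
import subprocess

# Fingerprints of the four release signing keys listed in the announcement.
RELEASE_KEYS = frozenset(fpr.replace(" ", "") for fpr in (
    "D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6",
    "46CC 7308 65BB 5C78 EBAB ADCF 0437 6F3E E085 6959",
    "031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06",
    "D238 EA65 D64C 67ED 4C30 73F2 8A86 1B1C 7EFD 60D9",
))
# SHA-1 from the announcement: catches a damaged download, authenticates nothing.
GPGME_170_SHA1 = "41030f0f317100af6e9a1a05a4b0218aee684d8a"
# Status keywords that disqualify a signature even if its fingerprint is pinned.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def sha1_matches(data, expected=GPGME_170_SHA1):
    """Compare the SHA-1 of the downloaded bytes with the published value."""
    return hashlib.sha1(data).hexdigest() == expected.lower()


def split_signatures(status_text):
    """Group `[GNUPG:]` status lines into one record per signature (NEWSIG)."""
    records, current = [], None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword == "NEWSIG" or current is None:
            current = {"keywords": set(), "fprs": set()}
            records.append(current)
        current["keywords"].add(keyword)
        if keyword == "VALIDSIG" and args:
            current["fprs"].add(args[0].upper())      # key that made the signature
            if len(args) >= 10:
                current["fprs"].add(args[9].upper())  # its primary key
    return records


def signed_by_release_key(status_text, pinned=RELEASE_KEYS):
    """True if at least one signature is good and was made by a pinned key."""
    for record in split_signatures(status_text):
        # A signature from an expired or revoked key is reported with
        # EXPKEYSIG or REVKEYSIG instead of GOODSIG, so GOODSIG is required.
        if "GOODSIG" not in record["keywords"] or record["keywords"] & REJECT:
            continue
        if record["fprs"] & pinned:
            return True
    return False


def verify_release(tarball, signature):
    """Run gpg on the detached signature and apply the pinning policy."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature, tarball],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,
        universal_newlines=True)
    return signed_by_release_key(proc.stdout)


# Constructed status output (timestamps and algorithm fields are made up).
SAMPLE_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 249B39D24F25E3B6 Werner Koch (dist sig)
[GNUPG:] VALIDSIG D8692123C4065DEA5E0F3AB5249B39D24F25E3B6 2016-09-21 1474449600 0 4 0 1 8 00 D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
"""
SAMPLE_EXPIRED_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 2071B08A33BD3F06 NIIBE Yutaka (GnuPG Release Key)
[GNUPG:] VALIDSIG 031EC2536E580D8EA286A9F22071B08A33BD3F06 2016-11-01 1477958400 0 4 0 1 8 00 031EC2536E580D8EA286A9F22071B08A33BD3F06
"""
SAMPLE_UNPINNED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2016-09-21 1474449600 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
"""

if __name__ == "__main__":
    for name in ("SAMPLE_GOOD", "SAMPLE_EXPIRED_KEY", "SAMPLE_UNPINNED"):
        print(name, signed_by_release_key(globals()[name]))
```

`verify_release` needs a local `gpg` with the release keys imported; the parsing functions run on their own.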
_______________________________________________
Gnupg-announce mailing list
Gnupg-announce at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce

From stebe at mailbox.org Wed Sep 21 13:47:00 2016
From: stebe at mailbox.org (Stephan Beck)
Date: Wed, 21 Sep 2016 11:47:00 +0000
Subject: :-(( Re: smart card no longer works
In-Reply-To:
References: <013e01d20a0c$864108a0$92c319e0$@sixdemonbag.org>
 <014901d20a0e$937e17e0$ba7a47a0$@sixdemonbag.org>
 <01c63f6e-fa92-d187-107a-6ede0e7bc583@fsij.org>
 <11ef6de0-8625-a89d-104f-8550f5dcaa55@nordnet.fr>
 <93bb4c24-20e3-7a86-fd49-a6b344f7b3a3@fsij.org>
 <30030b1e-5225-84eb-1a97-aa74c41acf97@nordnet.fr>
 <7d06ac13-fefd-a727-44bc-7537aa3b1352@mailbox.org>
 <774544b6-8ac5-39fc-06be-1a3ec7f66327@nordnet.fr>
 <0bdc52cc-41f5-316a-6a72-d33134871ed4@mailbox.org>
 <5b62f4d0-9c70-04c7-206e-0835268c32e1@nordnet.fr>
 <239d7378-4296-38c3-c612-9c8d6a49c861@mailbox.org>
 <124ed774-2688-b9d7-f890-97bef8eee28a@mailbox.org>
Message-ID:

Hi,

Philip Jackson:
> On 19/09/16 13:02, Stephan Beck wrote:
>
> Yes, Stephan, that seems to have solved the issues I had with
> verification. The command you suggested does not work as you wrote it -
> I got words to the effect that the command was not recognised.
>
> After consulting man gpg2, I tried the following and this worked.
>
> gpg2 --import --import-options keep-ownertrust
> ~/path-to-my-key/mykey.sec.asc

Oops, sorry for having omitted the "--import-options" and the bad syntax. I haven't used the command for a while and I typed it from memory. But I'm glad you could solve the verification issue.

Stephan

From wk at gnupg.org Thu Sep 22 15:01:29 2016
From: wk at gnupg.org (Werner Koch)
Date: Thu, 22 Sep 2016 15:01:29 +0200
Subject: GnuPG this Past Summer
Message-ID: <87eg4cjdg6.fsf@wheatstone.g10code.de>

Hi!
here is a text copy of Neal's https://gnupg.org/blog/20160922-gnupg-this-summer.html article:

1 GnuPG this Past Summer
========================

1.1 Development
~~~~~~~~~~~~~~~

As usual, Werner has made a cornucopia of contributions. He improved `--quick-addkey' and `--quick-gen-key', he changed `gpg-agent' and `dirmngr' to exit if their sockets disappear, he added an assuan logging monitor, he implemented new export and import filters, he did some work on `g13', he added `/run/user/UID/gnupg' sockets, he introduced an option (`--recipient-file') to work directly with keys stored in a file, and he made a number of improvements to GPGME including adding TOFU support.

The filtering changes allow controlling what packets are imported or exported. For instance, if you want to only keep a single user id when exporting a key, you could use:

,----
| gpg --no-options --import-options import-export \
|     --import-filter keep-uid='mbox = joe@example.org' \
|     --import < full-key.pub > key-with-one-uid.pub
`----

More information about this feature is available in his [note] to the GnuPG mailing list or `gpg''s documentation.

The `--recipient-file' option is an oft-requested feature, which allows [working with keys without importing them].

Werner also fixed a critical bug in the way the mixer in the random number generator stirred the pool. Specifically, the bug allowed an attacker who obtains 580 bytes from the standard random number generator (RNG) to trivially predict the next 20 bytes of output. Fortuitously, [this bug does not affect the default generation of keys] ([more details]).

Justus continued to improve our new test suite for GnuPG. The improvements included not only fixes to the new scheme-based driver, but also a bunch of new tests. A couple of the changes included [bug fixes to TinySCHEME]. Unfortunately, the upstream developers don't appear to be interested in the fixes.
Most of Justus' time recently has been focused not on the test suite, but on improving the Python bindings for GPGME. This work was started by Ben McGinnes, who contributed an initial port of the [PyME bindings] to Python 3. Justus finished this port, restored Python 2 compatibility, and added more pythonic interfaces (e.g., making everything work with objects implementing the buffer protocol like byte strings). The low-level interface has, however, been retained and existing applications should continue to work (if not, this is a bug, please [file a bug report]). He also ported the GPGME test suite to the Python bindings. This uncovered a number of latent bugs in the bindings, which he fixed. From our perspective, these are now the official Python bindings for GPGME: we've added them to the GPGME repository, and we will continue to maintain them in the foreseeable future. Nevertheless, to be more compatible with Python developers' work flow, we are also packaging `pyme3' for [`pypi'], which means that the bindings can be installed using `pip install pyme3'. More information is available in Justus' [blog post].

Justus also set up a Jenkins host for continuous integration. In addition to running `make check' for each commit under several configurations, it also runs the checks with various sanitizers enabled. This has already prevented a number of minor bugs from making it into releases.

Andre has made a number of end-user facing contributions. The most notable is for users of Kleopatra, which now has new dialogs for File Encryption and Decryption / Verification. These greatly reduce the number of required interactions to perform these operations. He also worked on the new file type registration on Windows so that decrypting a file only requires a double click. Additionally, he has continued his work on the GnuPG plugin for Outlook, which should be released with gpg4win-3 this fall.
The code is already in good form, and testers are encouraged to check it out together with the new Kleopatra (see [Test version of Gpg4win-3].)

Andre has also been working on improving KMail's `gpg' support. One of the focuses of this work has been adding TOFU support to the libraries used by KMail.

Andre also merged the C++ and Qt bindings for GPGME from KDE into the official GPGME repository. This included a port of the C++ API to pure standard C++ without boost, and the removal of some KDE-Framework use in the Qt bindings so that the bindings now only require Qt 5 base. This should make working with `gpg' in a Qt application even more convenient. In particular, executing operations asynchronously is very easy.

Finally, Andre fixed some CRL-related bugs in `dirmngr'.

Kai's recent work has focused on porting [Mailpile] [to use GPGME] rather than its own wrapper, which only works with GnuPG 1.4. Unfortunately, many projects decide to take a similar approach to Mailpile, and write their own code to interact with `gpg'. As a reminder, we strongly encourage all developers to not directly interact with `gpg', but to use [GPGME], which is not only more complete, but also has seen a lot of testing. We realize that GPGME's interfaces are not always ideal, however, we are open to suggestions for improvements, and feature requests. Similarly, if you don't understand how to do what you want using GPGME, we encourage you to ask for help on the [gnupg-devel mailing list].

Jussi Kivilinna has continued his work optimizing libgcrypt. In the recent past, most of his effort was spent on implementing assembly versions of various cryptographic functions for the ARMv8/AArch32 architecture.

Niibe worked on mitigating the recently published [Flip Feng Shui] exploit.
Flip Feng Shui uses a cross-VM, row hammer-based exploit to change the `trusted.gpg' file, which is used by Debian's package manager apt to verify downloads, and apt's `sources.list' file, which determines where packages are downloaded from, in a controlled manner. This allows attackers to replace packages that are installed with their own versions. The [fix] is to make sure that `gpgv' always checks that self-signatures are valid.

Niibe also spent time improving GnuPG's smartcard support. This has primarily consisted of many small, but important improvements including smartcard support for ECC keys and various bug fixes.

Further, Niibe investigated adding signature verification for ssh keys stored in the authorized_keys file. This would allow detecting corrupted keys, which could happen via a Flip Feng Shui-type attack. Although there is some support for [signature verification in ssh], Niibe discovered that this particular mode of operation is not yet supported by ssh-agent.

Finally, Niibe has released [a new version of GnuK (1.2.1)]. GnuK is a fully free cryptographic token (hardware and software). Not only is GnuK based on free software, but the entire hardware specification is open, and the parts are relatively easy to buy and assemble. The GnuK token can be ordered from [seeed] or the [FSF].

As usual, dkg contributed various clean ups and bug fixes. He contributed a patch to avoid publishing the GnuPG version by default, and another to improve `--quick-revuid'. He also provided a patch to reenable exporting secret keys without a passphrase, which was possible in `gpg' 1.4 and 2.0, but, due to various technicalities, was not possible in 2.1.

dkg also started a [discussion about having systemd manage `gpg''s daemons]. This would ensure that GnuPG's daemons are stopped when the user logs out. He provided patches, but so far these changes have not yet been accepted.

Ben Kibbey made a number of contributions.
Among his bug fixes and clean ups, he fixed the OpenIndiana (Solaris) builds.

I (Neal) returned from a several month sabbatical. My first order of business was to tie up some loose ends with the TOFU support in GnuPG. Among other things, I added several checks to reduce the number of gratuitous conflicts. In particular, if two keys have the same email address and are cross signed, then they are almost certainly controlled by the same person. In fact, this is a usual way of indicating key rotation. I also set the default policy to "good" for keys that the user has directly signed.

[note] https://lists.gnupg.org/pipermail/gnupg-devel/2016-July/031294.html
[working with keys without importing them] https://lists.gnupg.org/pipermail/gnupg-devel/2016-July/031308.html
[this bug does not affect the default generation of keys] https://lists.gnupg.org/pipermail/gnupg-devel/2016-August/031507.html
[more details] https://lists.gnupg.org/pipermail/gnupg-devel/2016-August/031516.html
[bug fixes to TinySCHEME] https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=history;f=tests/gpgscm/scheme.c;h=5a85063eeb3aef98bde640bca11d84173ebb6a51;hb=HEAD
[PyME bindings] https://bitbucket.org/malb/pyme
[file a bug report] https://bugs.gnupg.org
[`pypi'] https://pypi.python.org/pypi/pyme3
[blog post] https://www.gnupg.org/blog/20160921-python-bindings-for-gpgme.html
[Test version of Gpg4win-3] https://wiki.gnupg.org/Gpg4win/Testversions
[Mailpile] https://www.mailpile.is/
[to use GPGME] https://github.com/mailpile/Mailpile/pull/1621
[GPGME] https://www.gnupg.org/documentation/manuals/gpgme/
[gnupg-devel mailing list] https://lists.gnupg.org/mailman/listinfo/gnupg-devel
[Flip Feng Shui] https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/razavi
[fix] https://git.gnupg.org/cgi-bin/gitweb.cgi?p%3Dgnupg.git%3Ba%3Dcommit%3Bh%3De32c575e0f3704e7563048eea6d26844bdfc494b
[signature verification in ssh]
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.certkeys?annotate%253DHEAD%5D%5Bas
[a new version of GnuK (1.2.1)] https://www.fsij.org/gnuk/version1_2_1.html
[seeed] https://www.seeedstudio.com/FST-01-without-Enclosure-p-1276.html
[FSF] https://shop.fsf.org/storage-devices/neug-usb-true-random-number-generator
[discussion about having systemd manage `gpg''s daemons] https://lists.gnupg.org/pipermail/gnupg-devel/2016-August/031478.html

1.2 Releases
~~~~~~~~~~~~

There have been several GnuPG releases since the last status update: [2.1.13], [2.1.14], [2.1.15], and [1.4.21]; and two releases of libgcrypt [1.7.1] and [1.7.2]. Finally, a new version of GPGME is available, [1.7.0], which includes the newly upstreamed Python, C++ and Qt bindings as well as a number of bug fixes and various improvements.

[2.1.13] https://lists.gnupg.org/pipermail/gnupg-announce/2016q2/000390.html
[2.1.14] https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000393.html
[2.1.15] https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000396.html
[1.4.21] https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html
[1.7.1] https://lists.gnupg.org/pipermail/gnupg-announce/2016q2/000389.html
[1.7.2] https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000396.html
[1.7.0] https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000397.html

1.3 Public Appearances
~~~~~~~~~~~~~~~~~~~~~~

Werner held a keynote at GUADEC, "We Want More Centralization, Do We?." His talk was [covered by LWN].

In May, Neal held his "An Advanced Introduction to GnuPG" talk at INRIA, and again at GHM in August. Neal will hold the same talk on October 3rd at 18:00 at the ACM chapter at Johns Hopkins University in Baltimore, and again on October 5th at 18:30 at the [NYLUG] (you need to RSVP for this event).

In August, we took part in the GUUG-hosted [OpenPGP.conf]. I've already posted a [report] to our blog.
Note: We are looking to interview representatives from organizations who rely on GnuPG, e.g., journalists, lawyers, NGOs, governmental organizations, software distributors, companies, etc., for some publicity material that we are producing. If you fall into this category, or know someone who does, and would be willing to be interviewed, [please get in touch with me]!

[covered by LWN] https://lwn.net/Articles/697450/
[NYLUG] http://www.meetup.com/nylug-meetings/
[OpenPGP.conf] https://www.gnupg.org/conf/index.html
[report] https://www.gnupg.org/blog/20160921-openpgp-conf.html
[please get in touch with me] mailto:neal-nospam at gnupg.org

--
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Thu Sep 22 15:03:26 2016
From: wk at gnupg.org (Werner Koch)
Date: Thu, 22 Sep 2016 15:03:26 +0200
Subject: Python bindings for GPGME
Message-ID: <87a8f0jdcx.fsf@wheatstone.g10code.de>

This is a plaintext copy of Justus' https://gnupg.org/blog/20160921-python-bindings-for-gpgme.html

1 Python bindings for GPGME
===========================

GPGME 1.7 includes bindings for Python >= 2.7. The bindings are a port of the [`pyme'] bindings to Python 3 retaining compatibility with Python 2.7, with a small shim on top to provide a more idiomatic interface. For the purposes of this post I will refer to the preexisting bindings that are for Python 2 only as `pyme2', and to our new bindings as `pyme3'. Existing applications using `pyme2' should continue to work with no changes.

`pyme2' offers an interface that is very close to that of GPGME. This interface exposes all features of the underlying library, but it is not very "pythonic". Therefore, we made an effort to provide a nicer interface on top of that. Let me demonstrate how that looks.

One important aspect is how to pass data around.
GPGME uses `gpgme_data_t' for that, and in `pyme2' one had to explicitly create `pyme.core.Data' objects to pass data to GPGME or to receive data. With `pyme3' one can use every object that implements the buffer protocol (e.g. `bytes'), file-like objects with a `fileno' method, or explicit `pyme.Data' objects in places where GPGME expects a `gpgme_data_t' object:

,----
| import pyme
| with pyme.Context(armor=True) as c:
|     ciphertext, _, _ = c.encrypt(b"Hello Python world :)", passphrase="foo")
`----

This will encrypt the given plaintext using symmetric encryption and the given passphrase, wrap it up using the OpenPGP protocol, and encode it using ASCII-armor. The plaintext is easily recovered using:

,----
| with pyme.Context() as c:
|     plaintext, _, _ = c.decrypt(ciphertext, passphrase="foo")
| assert plaintext == b"Hello Python world :)"
`----

If `passphrase' is omitted, it is asked for out-of-band using GnuPG's pinentry mechanism. Alternatively, if one or more recipients are specified, asymmetric encryption is used. For details, please have a look at the docstring of `pyme.Context.encrypt'.

Most file-like objects can be used without explicit wrapping. This is a filter that decrypts OpenPGP messages in three lines of code:

,----
| import sys
| import pyme
| pyme.Context().decrypt(sys.stdin, sink=sys.stdout)
`----

For more examples, have a look at the tests and examples shipped with the bindings under `lang/python'.

If you cannot wait until `pyme3' is packaged by your distribution, and you do not want to build GPGME 1.7 from source merely to get `pyme3', you can build it out-of-tree provided you have at least GPGME 1.6, the Python development packages, and SWIG. You can get it from [pypi] or directly install it using `pip':

,----
| # As of this writing, there is no released version uploaded to pypi,
| # hence we need --pre.
| $ pip install --pre pyme3
`----

[`pyme'] https://bitbucket.org/malb/pyme
[pypi] https://pypi.python.org/pypi/pyme3

--
Thoughts are free.
Exceptions are regulated by a federal law.

From wk at gnupg.org Thu Sep 22 15:05:16 2016
From: wk at gnupg.org (Werner Koch)
Date: Thu, 22 Sep 2016 15:05:16 +0200
Subject: OpenPGP.conf: A Success
Message-ID: <8760pojd9v.fsf@wheatstone.g10code.de>

This is a plaintext copy of Neal's https://gnupg.org/blog/20160921-openpgp-conf.html article:

1 OpenPGP.conf: A Success
=========================

On September 8th and 9th, the first [OpenPGP.conf] took place in Köln, Germany. The conference was organized by the German Unix User Group (GUUG) and attracted over 50 [participants] from around the world. The program consisted of 18 highly technical talks. Lunch and dinner were provided at the venue, which resulted in lots of time to increase ties between projects as well as exchange and develop ideas.

[[https://www.gnupg.org/ftp/media/openpgp.conf/2016/gnupg-team-smaller.jpg]]

From the GnuPG project, Werner presented an introduction to the new [web key service (WKS) protocol], which is being deployed by several mail providers including [Posteo]. The basic problem that WKS addresses is how to find someone's key. Currently, most people just search the key servers for keys matching the person's email address. Although this works reasonably well, the [recent evil32 attack] has reminded many people that the keyservers provide no guarantees that a returned key is controlled by the stated owner. In WKS, people upload their keys to their mail provider. Since only the email account's owner can change the association, this is guaranteed to not only be the right key, but the user's preferred key. Of course, users still need to trust their mail provider to deliver the correct key. But, we believe this provides a significant improvement both in terms of security and usability over the status quo.
Those requiring stronger guarantees are still encouraged to either directly verify their communication partner's key or use the web of trust. The German news site [Golem reported on Werner's presentation].

Meskio from the LEAP project also presented [how LEAP is doing key discovery]. Phillip Hallam-Baker discussed [key management in the Mesh]. And, Holger Krekel discussed [how to distribute keys inline].

Justus discussed his proposal for [a common OpenPGP test suite]. The main problem that he observed in his recent work on the GPGME Python bindings is that GPG, GPGME, and each of the GPGME bindings have their own test suite that tests similar functionality to the other test suites. His idea is to merge the common parts by defining a simple interface, and having each component just map the API to its own API.

Niibe presented his fully free cryptographic token, [GnuK] (pronounced: ???nu?k), which he started developing in 2010. The GnuK is special in that it is the only cryptographic token that is based entirely on Free Software, the entire hardware specification is open, and the parts are relatively easy to buy. This is motivated not only by ethical concerns, but also security concerns: being able to assemble it yourself makes it harder for an adversary to inject a trojan during production. Niibe also avoids specialized hardware. This has less to do with making it easier to get the components, and more to do with security: getting documentation for secure chips, for instance, requires signing an NDA and, due to their specialized nature, are more likely to have a backdoor. Instead, the GnuK uses a general purpose MCU (microcontroller unit). To protect the secret key material, it uses the flash ROM protection feature.
There are currently discussions underway to further increase the security of this by partially decrypting the secret key material on the host with its much more capable CPU, which would make a brute force attack significantly more expensive should the key material be extracted. The GnuK can currently be ordered either from [seeed] or the [FSF].

Andre discussed [how to use GPGME]. The main takeaway is that although GPGME's API is sometimes inconveniently low-level and some features are missing, it is much easier to interact with GPG using GPGME than to build another parser to parse GPG's `--status-fd' output. Moreover, language bindings, such as Andre's bindings for Qt, can significantly simplify working with GPGME.

Daniel reported on [GnuPG in Debian]. In particular, he discussed how Debian is dealing with co-installing GnuPG 1.4 and GnuPG 2.1, migration from 1.4 to 2.1, managing background processes, and system integration. He also discussed some issues that he has observed with packages that use GnuPG. In particular, their test suites often don't test their use of GnuPG, because this requires so much effort. He indicated that one thing that would make life easier would be standard pinentry driver programs for different languages. He's since submitted those for PHP, Perl, Python and Bash, and they will be part of the next GnuPG release.

Another talk included a discussion of encrypted mailing list software and the current state of Schleuder by Ilf and Paz. Schleuder is apparently the only encrypted mailing list software that currently works (it is also actively maintained). Its design, however, requires that the mailing list server be able to decrypt the messages in order to reencrypt them to all of the subscribers. The authors would like a better solution, but, as they point out, there are ideas out there (including my own proposal for [practical encrypted mailing lists]), but none of them work today. This presentation was also [reported on by Golem].
One of my favorite talks was [Nick Skelsey's talk on GlobaLeaks]. He discussed typical leaking interactions, how their leaking platform works, and the issues they face making the platform secure in the face of non-technical users.

Other talks included an overview of some [work that the German BSI has contracted], [an analysis of OpenPGP], [a history of OpenPGP], [OpenKeychain UX decisions], [how to bypass pinentry], [an update on the sks keyservers], an overview of PEP, and an analysis of the keyserver data.

Given the very positive reactions from the participants and our own positive impressions, we expect there to be a second edition of the conference in the near future.

[OpenPGP.conf] https://www.gnupg.org/conf/program.html
[participants] https://www.gnupg.org/ftp/media/openpgp.conf/2016/openpgpconf-participants-small.jpg
[[https://www.gnupg.org/ftp/media/openpgp.conf/2016/gnupg-team-smaller.jpg]] https://www.gnupg.org/ftp/media/openpgp.conf/2016/gnupg-team-small.jpg
[web key service (WKS) protocol] https://www.gnupg.org/blog/20160830-web-key-service.html
[Posteo] https://posteo.de
[recent evil32 attack] https://www.ncsc.nl/english/current-topics/factsheets/duplicate-pgp-keys.html
[Golem reported on Werner's presentation] http://www.golem.de/news/web-key-service-openpgp-schluessel-ueber-https-verteilen-1609-123194.html
[how LEAP is doing key discovery] https://meskio.net/openpgp.conf/#/
[key management in the Mesh] https://www.gnupg.org/conf/2016/openpgp-2016-the-mathematical-mesh.pptx
[how to distribute keys inline] https://www.gnupg.org/conf/2016/openpgp-2016-automatic-email-encryption-holger-krekel/index.html#/step-1
[a common OpenPGP test suite] https://www.gnupg.org/conf/2016/openpgp-2016-common-openpgp-testsuite.pdf
[GnuK] http://www.gniibe.org/pdf/openpgp-2016/gnuk-1_2.html
[seeed] https://www.seeedstudio.com/FST-01-without-Enclosure-p-1276.html
[FSF] https://shop.fsf.org/storage-devices/neug-usb-true-random-number-generator
[how to use GPGME]
https://files.intevation.de/users/aheinecke/gpgme.pdf
[GnuPG in Debian] https://dkg.fifthhorseman.net/gnupg-in-debian-2016.svg
[practical encrypted mailing lists] http://hssl.cs.jhu.edu/~neal/encrypted-mailing-lists.pdf
[reported on by Golem] http://www.golem.de/news/schleuder-wie-verschluesselt-man-eine-mailingliste-1609-123206.html
[Nick Skelsey's talk on GlobaLeaks] http://nskelsey.com/glbc-2016.pdf
[work that the German BSI has contracted] http://www.intevation.de/~bernhard/presentations/201609-openpgpconf/20160908-3bsi-contracts.pdf
[an analysis of OpenPGP] https://www.gnupg.org/conf/2016/openpgp-2016-a-few-concerns.pdf
[a history of OpenPGP] http://altlasten.lutz.donnerhacke.de/mitarb/lutz/vortrag/openpgp-history.pdf
[OpenKeychain UX decisions] https://www.gnupg.org/conf/2016/openpgp-2016-openkeychain.pdf
[how to bypass pinentry] https://www.gnupg.org/conf/2016/openpgp-2016-bypass-pinentry.pdf
[an update on the sks keyservers] https://sks-keyservers.net/files/2016-09_OpenPGP-Conf-sks-keyservers.pdf

--
Thoughts are free. Exceptions are regulated by a federal law.

From felix at audiofair.de Sat Sep 24 14:10:27 2016
From: felix at audiofair.de (Felix Winterhalter)
Date: Sat, 24 Sep 2016 14:10:27 +0200
Subject: Using GPGAgent as SSHAgent on Windows with cygwin/mingw
Message-ID:

So I am currently trying to get gpg-agent to play nice with ssh on Windows. I'm running gpg version 2.1.15.

Using Linux I was able to get everything to run the way I want by adding enable-ssh-support to the agent config and setting the environment variable SSH_AUTH_SOCK to the gpg agents ssh socket.

However on Windows I now get the error:

ssh-add -L
Error connecting to agent: Bad file descriptor

Same for simple ssh during the public key lookup stage.

I can read the socket file using cat or less however and I get:

52655 ?
(Felix Winterhalter's message of "Sat, 24 Sep 2016 14:10:27 +0200")
References:
Message-ID: <878tuh9m5h.fsf@wheatstone.g10code.de>

On Sat, 24 Sep 2016 14:10, felix at audiofair.de said:

> which seems to me to be a process ID + binary data. So the socket
> appears to be there and it is recreated when I restart gpg-agent.

On Windows an emulation of Unix Domain Sockets is used by putting a cookie and a port number into a plain file which is then used by the client to do a local TCP connection to that port and check the cookie. The way Cygwin does that is different from the way GnuPG does that. IIRC, Cygwin added the cookie only later. Thus the Unix emulated ssh (using the Cygwin dll) can't connect to native Windows program gpg-agent.

We have code in libassuan/src/assuan-socket.c to cope with the Cygwin socket emulation code (see below). However, that code was never tested by me and in fact implemented in blind flight mode.

Salam-Shalom,

   Werner

==========
commit 6d4a8ee2a6c749eec70bd3ae804f21456e375727
Author: Werner Koch
Date:   Tue Jun 30 16:24:52 2015 +0200

    Support Cygwin local sockets.

    * src/assuan-socket.c (cygwin_fdtable, cygwin_fdtable_cs): New.
    (is_cygwin_fd, insert_cygwin_fd, delete_cygwin_fd): New.
    (assuan_sock_init) [W32]: Init the CS.
    (assuan_sock_deinit) [W32]: Deinit the CS.
    (read_port_and_nonce): Add arg cygwin and detect Cygwin socket files.
    (_assuan_sock_set_flag): Add "cygwin" flag.
    (_assuan_sock_get_flag): Ditto.
    (do_readn, do_writen): New.
    (_assuan_sock_bind): Create a Cygwin socket file depending on a socket
    flag.
    (_assuan_sock_connect): Handle the cygwin socket protocol.
    (_assuan_sock_check_nonce): Ditto.
    --

    This code has not been tested.

    Signed-off-by: Werner Koch

--
Thoughts are free. Exceptions are regulated by a federal law.
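Why a client built for one emulation rejects the other's socket file, as an added example (not libassuan or Cygwin code): the reply above only says that a port number and a cookie are stored in a plain file, so both byte layouts below are assumptions taken from libassuan's src/assuan-socket.c. The port 52655 is the value from the post; the cookie bytes are constructed and the function names are hypothetical.

```python
"""Tell apart the two emulated Unix-domain socket file layouts."""
import struct

CYGWIN_MAGIC = b"!<socket >"
NONCE_LEN = 16


def parse_socket_file(blob):
    """Return (flavour, port, nonce) for an emulated local-socket file."""
    if blob.startswith(CYGWIN_MAGIC):
        # Assumed Cygwin layout: "!<socket >PORT s W0-W1-W2-W3\0" where the
        # cookie is four 32-bit words printed as hex.
        text = blob[len(CYGWIN_MAGIC):].rstrip(b"\x00").decode("ascii")
        fields = text.split(" ")
        if len(fields) != 3 or fields[1] != "s":
            raise ValueError("not a Cygwin stream socket file")
        words = [int(word, 16) for word in fields[2].split("-")]
        if len(words) != 4 or any(not 0 <= w <= 0xFFFFFFFF for w in words):
            raise ValueError("Cygwin cookie must be four 32-bit words")
        flavour, port_text = "cygwin", fields[0]
        nonce = struct.pack("<4I", *words)  # little-endian host assumed
    else:
        # Assumed native layout: ASCII port, a newline, then exactly 16 raw
        # cookie bytes. This is what `cat` shows as a number plus binary data.
        head, newline, nonce = blob.partition(b"\n")
        if not newline or len(nonce) != NONCE_LEN:
            raise ValueError("expected a port line and a 16-byte nonce")
        flavour, port_text = "native", head.decode("ascii")
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return flavour, port, nonce


def readable_by(client_flavour, blob):
    """Would a client that only understands `client_flavour` accept this file?"""
    try:
        return parse_socket_file(blob)[0] == client_flavour
    except ValueError:
        return False


# Constructed sample files: same port and cookie in both layouts.
NATIVE_FILE = b"52655\n" + bytes(range(16))
CYGWIN_FILE = b"!<socket >52655 s 03020100-07060504-0B0A0908-0F0E0D0C\x00"

if __name__ == "__main__":
    for name, blob in (("native", NATIVE_FILE), ("cygwin", CYGWIN_FILE)):
        flavour, port, nonce = parse_socket_file(blob)
        print(name, "->", flavour, port, nonce.hex())
    # A Cygwin-linked ssh looking at gpg-agent's native file:
    print("cygwin client accepts native file:", readable_by("cygwin", NATIVE_FILE))
```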
From stebe at mailbox.org Sun Sep 25 08:35:00 2016
From: stebe at mailbox.org (Stephan Beck)
Date: Sun, 25 Sep 2016 06:35:00 +0000
Subject: Compilation problems while building GnuPG 2.1.15, no TLS no sqlite3
In-Reply-To:
References:
Message-ID:

I sent this message yesterday at midnight and it hasn't made it to the list yet, so I resend it.

Stephan Beck:
> Hi,
>
> compiling the latest version of GnuPG, there were some config errors and
> gnupg was compiled without TOFU and TLS, although I have installed the
> packages gnutls-bin and sqlite3 after a first compilation run had given
> the same result. In config.log I detected the
> following:
>
> yat2m: writing 'gpg-error-config.1'
> yat2m: writing 'hmac256.1'
> configure: WARNING:
> ***
> *** Building without SQLite support - TOFU disabled
> ***
> *** No package 'sqlite3' found
> ***
> configure: WARNING:
> ***
> *** The config script ~/PLAY/inst/bin/npth-config was
> *** built for x86_64-unknown-linux-gnu and thus may not match the
> *** used host x86_64-pc-linux-gnu.
> *** You may want to use the configure option --with-npth-prefix
> *** to specify a matching config script.
> ***
> configure: WARNING:
> ***
> *** Building without NTBTLS and GNUTLS - no TLS access to keyservers.
> ***
> *** No package 'gnutls' found
> ***
> configure: WARNING:
> ***
> *** Building without LDAP support.
> *** No CRL access or X.509 certificate search available.
> ***
>
> How do I use the configure option and how do I specify a matching config
> script, and where can I find it?
>
>
> Thanks in advance.
>
> Stephan
>
>

From wk at gnupg.org Mon Sep 26 13:05:45 2016
From: wk at gnupg.org (Werner Koch)
Date: Mon, 26 Sep 2016 13:05:45 +0200
Subject: Compilation problems while building GnuPG 2.1.15, no TLS no sqlite3
In-Reply-To: (Stephan Beck's message of "Sun, 25 Sep 2016 06:35:00 +0000")
References:
Message-ID: <871t067wfq.fsf@wheatstone.g10code.de>

On Sun, 25 Sep 2016 08:35, stebe at mailbox.org said:
> Stephan Beck:

>> gnupg was compiled without TOFU and TLS, although I have installed the
>> packages gnutls-bin and sqlite3 after a first compilation run had given

You need to install the -dev packages. On Debian

  apt-get install libsqlite3-dev libgnutls28-dev

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From stebe at mailbox.org Mon Sep 26 13:16:00 2016
From: stebe at mailbox.org (Stephan Beck)
Date: Mon, 26 Sep 2016 11:16:00 +0000
Subject: Fwd: Compilation problems while building GnuPG 2.1.15, no TLS no sqlite3
In-Reply-To:
References:
Message-ID: <6ea11fc6-9241-fe48-90ab-47f9fe3971a6@mailbox.org>

Hi,

I learned that speedo does not pull in ALL development files needed for compiling, it pulls in GnuPG's libraries. Now, I only have a problem with libgnutls28-dev, the only dev package of gnutls I can see in the package manager (Debian Jessie). It has dependencies on other installed gnutls components apt/synaptic cannot resolve on my specific installation.

Stephan

-------- Forwarded Message --------
Subject: Compilation problems while building GnuPG 2.1.15, no TLS no sqlite3
Date: Sat, 24 Sep 2016 22:12:00 +0000
From: Stephan Beck
Reply-To: stebe at mailbox.org
To: gnupg-users at gnupg.org

Hi,

compiling the latest version of GnuPG, there were some config errors and
gnupg was compiled without TOFU and TLS, although I have installed the
packages gnutls-bin and sqlite3 after a first compilation run had given
the same result.
[...]

From stebe at mailbox.org Mon Sep 26 13:26:00 2016
From: stebe at mailbox.org (Stephan Beck)
Date: Mon, 26 Sep 2016 11:26:00 +0000
Subject: Compilation problems while building GnuPG 2.1.15, no TLS no sqlite3
In-Reply-To: <871t067wfq.fsf@wheatstone.g10code.de>
References: <871t067wfq.fsf@wheatstone.g10code.de>
Message-ID:

Thanks, Werner.

Werner Koch:
> On Sun, 25 Sep 2016 08:35, stebe at mailbox.org said:
>> Stephan Beck:
>
>>> gnupg was compiled without TOFU and TLS, although I have installed the
>>> packages gnutls-bin and sqlite3 after a first compilation run had given
>
> You need to install the -dev packages. On Debian
>
> apt-get install libsqlite3-dev libgnutls28-dev

I just read your email after having sent my previous message. I will try
to resolve dependency problems concerning libgnutls28-dev because I'm
keen on using the latest version, finally!

Many thanks.

Stephan

From daniel at pocock.pro Wed Sep 28 11:07:49 2016
From: daniel at pocock.pro (Daniel Pocock)
Date: Wed, 28 Sep 2016 10:07:49 +0100
Subject: short list of recommended card readers?
Message-ID: <95c7d1bc-7539-05f2-5e71-77e67f375943@pocock.pro>

Can anybody make recommendations for a short list of card readers,
preferably with PIN pads?

I've got the SPR532[1] and found it works fine but it is no longer
listed on the vendor's web site[2], I've previously tested Reiner SCT
cyberJack Secoder 2 and found it didn't[3] work.

I'm looking at what to recommend for other people trying the clean room
live DVD[4]

This list appears to suggest choosing one of the 6 readers that support
variable length PIN, although the first on the list is the SPR532 (no
longer in production) so it is not clear if this is current:

https://wiki.gnupg.org/CardReader/PinpadInput

Is that a good list to refer people to, or can anybody suggest changes?

I came across this list:

https://www.gnupg.org/howtos/card-howto/en/ch02s02.html

Is that considered up-to-date? Some of the readers appear quite old
now, should somebody starting today buy one of those or something newer?

Debian has a list of card readers that appear to be supported by
drivers, but it is quite long and doesn't really make any recommendations:

https://wiki.debian.org/Smartcards#Supported_Hardware

The FSFE guide doesn't give any recommendation about choosing a reader,
although it does emphasize the use of readers with PIN pad:

http://wiki.fsfe.org/TechDocs/CardHowtos/CardWithSubkeysUsingBackups#On_PIN_security

PC/SC Lite has a list, it is also rather long though:

http://pcsclite.alioth.debian.org/ccid/supported.html

1. http://www.scm-pc-card.de/index.php?lang=en&page=product&function=show_product&product_id=221
2. https://www.identiv.com/products/smart-card-readers/contact-smart-card-readers
3. https://lists.gnupg.org/pipermail/gnupg-users/2016-May/055933.html
4. https://wiki.debian.org/OpenPGP/CleanRoomLiveEnvironment

From arbiel.perlacremaz at gmx.fr Wed Sep 28 13:44:27 2016
From: arbiel.perlacremaz at gmx.fr (Arbiel (gmx))
Date: Wed, 28 Sep 2016 13:44:27 +0200
Subject: recording and retrieving "secrets" into gpg files
Message-ID:

Hi

Seahorse (distributed within Ubuntu) allows for the storing and
retrieving of "secrets", as passwords, into what I understand to be gpg
keyrings, or at the least, files.

I've been through pgp's manpage and several tutorials without finding
any clue as how to record those secrets and get them back at a later time.

Thanks to anybody who will inform me on the commands to be used, or
direct me to a tutorial containing such information?

Arbiel

From andrewg at andrewg.com Wed Sep 28 15:25:14 2016
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Wed, 28 Sep 2016 14:25:14 +0100
Subject: recording and retrieving "secrets" into gpg files
In-Reply-To:
References:
Message-ID:

On 28/09/16 12:44, Arbiel (gmx) wrote:
> Hi
>
> Seahorse (distributed within Ubuntu) allows for the storing and
> retrieving of "secrets", as passwords, into what I understand to be
> gpg keyrings, or at the least, files.

Seahorse stores passwords in the Gnome keyring, which is not related to
PGP -- it uses symmetric encryption based on an iterative password
hash. Try the docs for "gnome-keyring"?

A

From tim.dclinc at gmail.com Wed Sep 28 22:22:57 2016
From: tim.dclinc at gmail.com (tim.dclinc at gmail.com)
Date: Wed, 28 Sep 2016 16:22:57 -0400
Subject: automate pga clipboard
Message-ID: <0a530c26-fa7d-7492-4d47-f2ea67b515dc@gmail.com>

i am using GPA 0.9.9 to encrypt text file data. i copy/paste my text
into the clipboard and hit encrypt. I'm prompted to choose public key.
After choosing, i get the following results (less the blah blahs).

I would like to do this from a command line so i can do unattended. can
this be done? does anyone have examples of syntax?

-----BEGIN PGP MESSAGE-----
Version: GnuPG v2
blah..
blah..
blah..
-----END PGP MESSAGE-----

From gnupg at jelmail.com Thu Sep 29 12:23:47 2016
From: gnupg at jelmail.com (John Lane)
Date: Thu, 29 Sep 2016 11:23:47 +0100
Subject: Terminology - certificate or key ?
Message-ID: <507e341e-4cf0-bf91-3e90-7a4080bb257f@jelmail.com>

I was reading the FAQ and noticed that it uses the word 'certificate' to
describe what I think people commonly refer to as their 'key' (ref
gnupg-faq.html section 7.4 and 7.5) that they would upload to a 'key
server'.

  * A certificate is a large data structure that contains one or more
    /keys/, and optionally information that identifies the user,
    designated revokers, who has vouched for this certificate, and so on.
  * A keyserver is a service that publishes public-key certificates and
    makes them searchable. You can upload your certificate to a
    keyserver so that other users can find it.

Certificate makes sense to me (it contains multiple public keys and
other things) but common parlance uses 'key' and what should be called a
'certificate server' is called a 'key server'.

The only place I've seen it definitively called a 'certificate' is in
the GnuPG documentation, but RFC4880 casually mentions the relationship
(in para 5.5.1.1):

  * A Public-Key packet starts a series of packets that forms an OpenPGP
    key (sometimes called an OpenPGP certificate).

I was just wondering whether I've misunderstood or if there is some
historic reason for my confusion.

Thanks,
John

From jernst at invacarecontractor.com Wed Sep 28 19:14:35 2016
From: jernst at invacarecontractor.com (Jim Ernst)
Date: Wed, 28 Sep 2016 17:14:35 +0000
Subject: gpg: signing failed: Inappropriate ioctl for device Error Message on Linux
Message-ID:

Hello -

I am currently testing keys I created using gpg version 2 2.1.15 (libgcrypt 1.7.3) and I am trying to encrypt a file using a shell script in a LINUX environment. I am getting the following error when the command is executed:

gpg: signing failed: Inappropriate ioctl for device

Has anyone encountered this issue ?

Thanks,

Jim Ernst
NTT Data

NOTE: The sender of this email is an independent contractor of Invacare Corporation or one of its subsidiaries.

CONFIDENTIALITY NOTICE: The information in this e-mail message and any attachments may contain privileged, confidential or proprietary information, including confidential health information, protected by applicable Federal or state laws. Such information is intended only for the recipient named above. If you are not the intended recipient, please notify the sender immediately, and take notice that any use, disclosure or distribution of such information is prohibited by law.

From rjh at sixdemonbag.org Thu Sep 29 14:52:40 2016
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 29 Sep 2016 08:52:40 -0400
Subject: Terminology - certificate or key ?
In-Reply-To: <507e341e-4cf0-bf91-3e90-7a4080bb257f@jelmail.com>
References: <507e341e-4cf0-bf91-3e90-7a4080bb257f@jelmail.com>
Message-ID: <3a1d5a69-0fbf-65ff-dca5-aed501e530c7@sixdemonbag.org>

> I was reading the FAQ and noticed that it uses the word 'certificate' to
> describe what I think people commonly refer to as their 'key' (ref
> gnupg-faq.html section 7.4 and 7.5) that they would upload to a 'key
> server'.

"Certificate" is the correct word, but "key" has historically also been
used and has a tremendous amount of inertia behind it. A certificate
contains one or more keys as well as supporting metadata, like user IDs,
signatures, and so on.

From justus at g10code.com Thu Sep 29 14:53:29 2016
From: justus at g10code.com (Justus Winter)
Date: Thu, 29 Sep 2016 14:53:29 +0200
Subject: gpg: signing failed: Inappropriate ioctl for device Error Message on Linux
In-Reply-To:
References:
Message-ID: <87k2du50l2.fsf@europa.jade-hamburg.de>

Jim Ernst writes:

> Hello -
>
> I am currently testing keys I created using gpg version 2 2.1.15 (libgcrypt 1.7.3) and I am trying to encrypt a file using a shell script in a LINUX environment. I am getting the following error when the command is executed:
>
> gpg: signing failed: Inappropriate ioctl for device
>
> Has anyone encountered this issue ?

Yes. https://bugs.gnupg.org/gnupg/issue2680

Justus

From dgouttegattat at incenp.org Thu Sep 29 15:23:35 2016
From: dgouttegattat at incenp.org (Damien Goutte-Gattat)
Date: Thu, 29 Sep 2016 15:23:35 +0200
Subject: Terminology - certificate or key ?
In-Reply-To: <507e341e-4cf0-bf91-3e90-7a4080bb257f@jelmail.com>
References: <507e341e-4cf0-bf91-3e90-7a4080bb257f@jelmail.com>
Message-ID: <9d050eeb-b773-8efd-ea1f-92a19646c86d@incenp.org>

On 09/29/2016 12:23 PM, John Lane wrote:
> I was just wondering whether I've misunderstood

No, you understood well. What we commonly call an "OpenPGP public key"
should really be called, strictly speaking, an "OpenPGP certificate".

And "signing a key" is really "certifying" the binding between a (true)
public key and a user ID.

> or if there is some historic reason for my confusion.

It seems there is, according to one of the authors of RFCs 2440 and
4880. Apparently, at the time they were told by the IETF to avoid
speaking of "certificates" so that OpenPGP would not seem to rivalize
with PKIX [1].

Network Associates did not have this concern, and in their "Introduction
to Cryptography" [2] they clearly talk about "PGP certificates" instead
of "PGP public keys".

Damien

[1] http://www.ietf.org/mail-archive/web/openpgp/current/msg07712.html

[2] ftp://ftp.pgpi.org/pub/pgp/6.5/docs/english/IntroToCrypto.pdf

From rjh at sixdemonbag.org Thu Sep 29 17:17:55 2016
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 29 Sep 2016 11:17:55 -0400
Subject: Terminology - certificate or key ?
In-Reply-To: <9d050eeb-b773-8efd-ea1f-92a19646c86d@incenp.org>
References: <507e341e-4cf0-bf91-3e90-7a4080bb257f@jelmail.com>
 <9d050eeb-b773-8efd-ea1f-92a19646c86d@incenp.org>
Message-ID: <019401d21a64$a7f308a0$f7d919e0$@sixdemonbag.org>

> It seems there is, according to one of the authors of RFCs 2440 and
> 4880. Apparently, at the time they were told by the IETF to avoid
> speaking of "certificates" so that OpenPGP would not seem to rivalize
> with PKIX...

For related reasons, GnuPG and PGP have different names for some of the same algorithms. What GnuPG calls Elgamal, PGP calls Diffie-Hellman. The correct name is Elgamal, but waybackwhen PGP had a licensing agreement with ... blanking on the company ... which offered them a reduction in licensing fees if they'd call it Diffie-Hellman instead. PGP wanted the reduced licensing fees so they went along with the misnaming, and now the misnaming is so entrenched in the PGP community that it would be impractical for them to change the name, even though there's no longer a business case for calling it Diffie-Hellman.

Likewise with SHA-x. The family of modern SHAs is called SHA-2, and specific hashes within SHA-2 are called SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256. (GnuPG implements -224, -256, -384, and -512; it does not implement -512/224 or -512/256.) GnuPG calls these hashes by their correct NIST nomenclature. PGP insists on calling them "SHA-2-256", "SHA-2-512", and so on.

I have to admit to being extremely annoyed with the state of the language we use. OpenPGP is hard enough to learn without having to be confused by multiple names for the same algorithms, confusing usage of "certificate", "key", and "Key", and every other bit of linguistic tomfoolery we seem to have accumulated.

From gnupg at jelmail.com Fri Sep 30 11:37:31 2016
From: gnupg at jelmail.com (John Lane)
Date: Fri, 30 Sep 2016 10:37:31 +0100
Subject: Terminology - certificate or key ?
In-Reply-To: <9d050eeb-b773-8efd-ea1f-92a19646c86d@incenp.org>
References: <507e341e-4cf0-bf91-3e90-7a4080bb257f@jelmail.com>
 <9d050eeb-b773-8efd-ea1f-92a19646c86d@incenp.org>
Message-ID: <7f08cd7e-138e-7949-977b-a8f29f7fb55c@jelmail.com>

> [1] http://www.ietf.org/mail-archive/web/openpgp/current/msg07712.html
>
> [2] ftp://ftp.pgpi.org/pub/pgp/6.5/docs/english/IntroToCrypto.pdf
>

Great link [1], very interesting. I think the language used hasn't
helped the uptake of this technology.
The other thing mentioned in there is trust vs validity which made my
head spin more than my grandad's Poitín!

[2] is on my reading list now :)

From gnupg at jelmail.com Fri Sep 30 11:38:07 2016
From: gnupg at jelmail.com (John Lane)
Date: Fri, 30 Sep 2016 10:38:07 +0100
Subject: Terminology - certificate or key ?
In-Reply-To: <019401d21a64$a7f308a0$f7d919e0$@sixdemonbag.org>
References: <507e341e-4cf0-bf91-3e90-7a4080bb257f@jelmail.com>
 <9d050eeb-b773-8efd-ea1f-92a19646c86d@incenp.org>
 <019401d21a64$a7f308a0$f7d919e0$@sixdemonbag.org>
Message-ID:

> I have to admit to being extremely annoyed with the state of the language we use. OpenPGP is hard enough to learn without having to be confused by multiple names for the same algorithms, confusing usage of "certificate", "key", and "Key", and every other bit of linguistic tomfoolery we seem to have accumulated.

I agree wholeheartedly with this sentiment.

Thanks for confirming what I hoped was the case.

From stebe at mailbox.org Fri Sep 30 12:12:00 2016
From: stebe at mailbox.org (Stephan Beck)
Date: Fri, 30 Sep 2016 10:12:00 +0000
Subject: automate pga clipboard
In-Reply-To: <0a530c26-fa7d-7492-4d47-f2ea67b515dc@gmail.com>
References: <0a530c26-fa7d-7492-4d47-f2ea67b515dc@gmail.com>
Message-ID: <8e6e78f1-2ce5-2a9f-af64-236c4f262906@mailbox.org>

Hi,

tim.dclinc at gmail.com:
> i am using GPA 0.9.9 to encrypt text file data. i copy/paste my text
> into the clipboard and hit encrypt. I'm prompted to choose public key.
> After choosing, i get the following results (less the blah blahs).
>
> I would like to do this from a command line so i can do unattended. can
> this be done? does anyone have examples of syntax?
>
> -----BEGIN PGP MESSAGE-----
> Version: GnuPG v2
> blah..
> blah..
> blah..
> -----END PGP MESSAGE-----

I never have used any automated mode with gnupg and usually I use a
smartcard, but, generally speaking, you have to use the --batch option
and provide your passphrase via command line.

Maybe

gpg2 --batch --passphrase-file [passphrasefile] --recipient [uid or fingerprint of recipient's key] --sign --encrypt [yourtext.txt]

But I'm not sure. Please (more expert people) correct me if I am wrong.

Cheers,

Stephan

From wk at gnupg.org Fri Sep 30 12:34:29 2016
From: wk at gnupg.org (Werner Koch)
Date: Fri, 30 Sep 2016 12:34:29 +0200
Subject: Terminology - certificate or key ?
In-Reply-To: <507e341e-4cf0-bf91-3e90-7a4080bb257f@jelmail.com> (John Lane's message of "Thu, 29 Sep 2016 11:23:47 +0100")
References: <507e341e-4cf0-bf91-3e90-7a4080bb257f@jelmail.com>
Message-ID: <87eg41wua2.fsf@wheatstone.g10code.de>

On Thu, 29 Sep 2016 12:23, gnupg at jelmail.com said:

> * A Public-Key packet starts a series of packets that forms an OpenPGP
> key (sometimes called an OpenPGP certificate).

In OpenPGP this is called a "keyblock". The term certificate is used
only for some special things (revocation certificate). Certificate also
has the bad connotation that a third party issues this; which is not the
case for common OpenPGP use cases.

An OpenPGP keyblock is very different from an X.509 certificate.


Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From peter at digitalbrains.com Fri Sep 30 12:59:33 2016
From: peter at digitalbrains.com (Peter Lebbing)
Date: Fri, 30 Sep 2016 12:59:33 +0200
Subject: Terminology - certificate or key ?
In-Reply-To: <019401d21a64$a7f308a0$f7d919e0$@sixdemonbag.org>
References: <507e341e-4cf0-bf91-3e90-7a4080bb257f@jelmail.com>
 <9d050eeb-b773-8efd-ea1f-92a19646c86d@incenp.org>
 <019401d21a64$a7f308a0$f7d919e0$@sixdemonbag.org>
Message-ID:

On 29/09/16 17:17, Robert J. Hansen wrote:
> I have to admit to being extremely annoyed with the state of the language we use.

IMO, TOFU has just made it even worse.
I tried to be really strict, talk about ownertrust and validity. Always
trying to keep them separate. Personally avoiding the word "trust"
without the "owner-" prefix.

Then we get Trust On First Use, which... increases or establishes
validity of a key on the first use... Ugh. I suppose, in this case,
that's what you get when you import a term from outside of the
ecosystem. If invented here, it would be Validity On First Use.

Peter.

PS: A while ago I said "I think it might be worth it to file a bug
report if you see the word 'trust' used for validity in the official
documentation that accompanies GnuPG." Then I read the new documentation
on TOFU, and mentally tagged it WONTFIX. It's just undoable with that
terminology.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From justus at g10code.com Fri Sep 30 14:37:31 2016
From: justus at g10code.com (Justus Winter)
Date: Fri, 30 Sep 2016 14:37:31 +0200
Subject: gpg: signing failed: Inappropriate ioctl for device Error Message on Linux
In-Reply-To:
References: <87k2du50l2.fsf@europa.jade-hamburg.de>
Message-ID: <87intdh8c4.fsf@europa.jade-hamburg.de>

Hello,

please don't drop the mailing list when replying.

Jim Ernst writes:

>> I am currently testing keys I created using gpg version 2 2.1.15 (libgcrypt 1.7.3) and I am trying to encrypt a file using a shell script in a LINUX environment. I am getting the following error when the command is executed:
>>
>> gpg: signing failed: Inappropriate ioctl for device
>>
>> Has anyone encountered this issue ?
>
> Yes. https://bugs.gnupg.org/gnupg/issue2680
>
> Was the "echo test | gpg2 --sign --armor -u $USER" the method for fixing the issue ? I am running on a Linux box .

No. You were asking if anyone else has encountered the issue, and I
replied by pointing you to the bug report of someone who also
encountered the issue.

The problem is that either there is no graphical pinentry, or there is,
but it cannot execute e.g. due to DISPLAY not being set, *and* the
fallback pinentry failed to open the terminal due to the fact that stdin
of the gpg process is not connected to a terminal. The latter can
happen for example when gpg is used in a pipe.

Justus

From rjh at sixdemonbag.org Fri Sep 30 14:46:11 2016
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 30 Sep 2016 08:46:11 -0400
Subject: Terminology - certificate or key ?
In-Reply-To: <87eg41wua2.fsf@wheatstone.g10code.de>
References: <507e341e-4cf0-bf91-3e90-7a4080bb257f@jelmail.com>
 <87eg41wua2.fsf@wheatstone.g10code.de>
Message-ID: <59a5b5d1-2436-608d-5e20-814dc1748a9c@sixdemonbag.org>

> In OpenPGP this is called a "keyblock".

Where can I find this usage documented? In almost 25 years in the PGP
community I've heard the word "key" used >95% of the time, "certificate"
<5% of the time, and this is literally the first time I've heard the
word "keyblock".

Also see:

https://www.gnutls.org/manual/html_node/OpenPGP-certificates.html
https://www.gpg4win.org/doc/en/gpg4win-compendium_12.html
http://www.pgpi.org/doc/pgpintro/
https://tools.ietf.org/html/rfc6091

All of these are well-respected authorities (Gnutls, GnuPG, PGP
Corporation, and the IETF) using the certificate terminology. I have
been unable to find reputable uses of "keyblock" in a five-minute Google
search.

If this is the officially approved language, could you please point me
to where it's documented?

From kristian.fiskerstrand at sumptuouscapital.com Fri Sep 30 14:51:17 2016
From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand)
Date: Fri, 30 Sep 2016 14:51:17 +0200
Subject: Terminology - certificate or key ?
In-Reply-To: <59a5b5d1-2436-608d-5e20-814dc1748a9c@sixdemonbag.org>
References: <507e341e-4cf0-bf91-3e90-7a4080bb257f@jelmail.com>
 <87eg41wua2.fsf@wheatstone.g10code.de>
 <59a5b5d1-2436-608d-5e20-814dc1748a9c@sixdemonbag.org>
Message-ID: <84d3ae20-2cb0-3524-c12c-3a32901928ff@sumptuouscapital.com>

On 09/30/2016 02:46 PM, Robert J. Hansen wrote:
>> In OpenPGP this is called a "keyblock".
>
> Where can I find this usage documented? In almost 25 years in the PGP
> community I've heard the word "key" used >95% of the time, "certificate"
> <5% of the time, and this is literally the first time I've heard the
> word "keyblock".
>

I'd start with
-----BEGIN PGP PUBLIC KEY BLOCK-----

:)

--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Ubi mel ibi apes
Where there's honey, there are bees

From arbiel.perlacremaz at gmx.fr Fri Sep 30 15:56:08 2016
From: arbiel.perlacremaz at gmx.fr (Arbiel (gmx))
Date: Fri, 30 Sep 2016 15:56:08 +0200
Subject: recording and retrieving "secrets" into gpg files
In-Reply-To:
References:
Message-ID: <32bde4af-b750-1f1b-1785-8d9c40e6330e@gmx.fr>

Hi

Thank you Andrew.

In the material I've been reading lately, all examples are written in a
programming language and I only have abilities in bash scripting.

Can somebody, please, direct me toward a url where they provide bash
scripting examples.

Arbiel

On 28/09/2016 at 15:25, Andrew Gallagher wrote:
> On 28/09/16 12:44, Arbiel (gmx) wrote:
>> Hi
>>
>> Seahorse (distributed within Ubuntu) allows for the storing and
>> retrieving of "secrets", as passwords, into what I understand to be
>> gpg keyrings, or at the least, files.
>
> Seahorse stores passwords in the Gnome keyring, which is not related to
> PGP -- it uses symmetric encryption based on an iterative password
> hash. Try the docs for "gnome-keyring"?
>
> A
>

From wk at gnupg.org Fri Sep 30 16:13:36 2016
From: wk at gnupg.org (Werner Koch)
Date: Fri, 30 Sep 2016 16:13:36 +0200
Subject: gpg: signing failed: Inappropriate ioctl for device Error Message on Linux
In-Reply-To: <87intdh8c4.fsf@europa.jade-hamburg.de> (Justus Winter's message of "Fri, 30 Sep 2016 14:37:31 +0200")
References: <87k2du50l2.fsf@europa.jade-hamburg.de>
 <87intdh8c4.fsf@europa.jade-hamburg.de>
Message-ID: <87h98xv5kf.fsf@wheatstone.g10code.de>

On Fri, 30 Sep 2016 14:37, justus at g10code.com said:

> fallback pinentry failed to open the terminal due to the fact that stdin
> of the gpg process is not connected to a terminal. The latter can
> happen for example when gpg is used in a pipe.

That does not matter. The pinentry opens the tty on its own. To do
this it needs to know the tty. Fortunately gpg knows the tty or can
take it from the GPG_TTY envvar and passes the name of the tty device
via gpg-agent up to pinentry.


Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
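
Added example, not part of any message in this thread: a POSIX shell preflight a script can run before calling gpg, built on the explanation above that pinentry has to be told which tty to open and that gpg can take the name from the GPG_TTY environment variable. The function names and the lookup order used here (GPG_TTY first, then the terminal on stdin) are assumptions of this example, not GnuPG's own code.

```shell
#!/bin/sh
# Added example: decide which terminal, if any, a passphrase prompt can use
# before a script runs gpg. All function names are hypothetical.

# Print the terminal device that can be handed to pinentry; return 1 if none.
# Assumed order for this example: an exported GPG_TTY naming a character
# device, otherwise the terminal attached to stdin (what `tty` reports).
resolve_gpg_tty() {
    if [ -n "${GPG_TTY:-}" ] && [ -c "$GPG_TTY" ]; then
        printf '%s\n' "$GPG_TTY"
        return 0
    fi
    _t=$(tty 2>/dev/null) || return 1
    [ -c "$_t" ] || return 1
    printf '%s\n' "$_t"
}

# Report where the terminal name would come from, so a job can log it:
#   env    GPG_TTY is set and names a character device
#   stdin  GPG_TTY is unusable, but stdin is a terminal
#   none   GPG_TTY is unusable and stdin is not a terminal
#          (for example a cron job, or gpg reading from a pipe)
gpg_tty_source() {
    if [ -n "${GPG_TTY:-}" ] && [ -c "$GPG_TTY" ]; then
        echo env
    elif tty >/dev/null 2>&1; then
        echo stdin
    else
        echo none
    fi
}

# Run a command (normally gpg ...) with GPG_TTY exported. Refuse with exit
# status 2 and a readable message when no terminal can be named, instead of
# letting the job die later with "Inappropriate ioctl for device".
with_gpg_tty() {
    if ! _tty=$(resolve_gpg_tty); then
        echo "no terminal for pinentry: export GPG_TTY or run from a tty" >&2
        return 2
    fi
    GPG_TTY=$_tty
    export GPG_TTY
    "$@"
}
```

A script would wrap its call as `with_gpg_tty gpg2 --sign file`; when the data arrives on a pipe, exporting `GPG_TTY=$(tty)` in the calling shell before the pipeline starts gives the first branch something to use.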

From rjh at sixdemonbag.org Fri Sep 30 16:24:55 2016
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 30 Sep 2016 10:24:55 -0400
Subject: Terminology - certificate or key ?
In-Reply-To: <84d3ae20-2cb0-3524-c12c-3a32901928ff@sumptuouscapital.com>
References: <507e341e-4cf0-bf91-3e90-7a4080bb257f@jelmail.com>
 <87eg41wua2.fsf@wheatstone.g10code.de>
 <59a5b5d1-2436-608d-5e20-814dc1748a9c@sixdemonbag.org>
 <84d3ae20-2cb0-3524-c12c-3a32901928ff@sumptuouscapital.com>
Message-ID: <007001d21b26$6b280de0$417829a0$@sixdemonbag.org>

> I'd start with -----BEGIN PGP PUBLIC KEY BLOCK----- :)

You are technically correct (the best kind of correct!) [1] -- no, wait! That's "key block", not "keyblock"!

I'm more technically correct! I win! :)

In all seriousness, the only context in which I've seen "key block" has been the beginning of an armored certificate, and I've literally never seen "keyblock", nor have I ever heard anyone call their certificate a "keyblock" or "key block" outside of the narrow context of "look for -----BEGIN PGP PUBLIC KEY BLOCK-----".

[1] https://www.youtube.com/watch?v=hou0lU8WMgo

From wk at gnupg.org Fri Sep 30 16:22:39 2016
From: wk at gnupg.org (Werner Koch)
Date: Fri, 30 Sep 2016 16:22:39 +0200
Subject: Terminology - certificate or key ?
In-Reply-To: <59a5b5d1-2436-608d-5e20-814dc1748a9c@sixdemonbag.org> (Robert J. Hansen's message of "Fri, 30 Sep 2016 08:46:11 -0400")
References: <507e341e-4cf0-bf91-3e90-7a4080bb257f@jelmail.com>
 <87eg41wua2.fsf@wheatstone.g10code.de>
 <59a5b5d1-2436-608d-5e20-814dc1748a9c@sixdemonbag.org>
Message-ID: <87d1jlv55c.fsf@wheatstone.g10code.de>

On Fri, 30 Sep 2016 14:46, rjh at sixdemonbag.org said:

> https://www.gpg4win.org/doc/en/gpg4win-compendium_12.html

We had a long discussion many years ago on how to name the beast.
The compendium somewhat prioritizes S/MIME and thus we tried to unify the
terms by using "certificate" also for OpenPGP. I think that experiment
failed because it mixes two entirely different concepts.

The root of the problem might be the concept of "public key" and
"private key". You need to educate users that these are very different
things but still belong together. Many users only notice "key",
associate that with password, and notice the passphrase they use to
unprotect the private key.

So for example "lock" and "private key" may be better. But we can't
change that anymore, as the train left the station a long time ago.


Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From kristian.fiskerstrand at sumptuouscapital.com Fri Sep 30 17:25:26 2016
From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand)
Date: Fri, 30 Sep 2016 17:25:26 +0200
Subject: Terminology - certificate or key ?
In-Reply-To: <007001d21b26$6b280de0$417829a0$@sixdemonbag.org>
References: <507e341e-4cf0-bf91-3e90-7a4080bb257f@jelmail.com>
 <87eg41wua2.fsf@wheatstone.g10code.de>
 <59a5b5d1-2436-608d-5e20-814dc1748a9c@sixdemonbag.org>
 <84d3ae20-2cb0-3524-c12c-3a32901928ff@sumptuouscapital.com>
 <007001d21b26$6b280de0$417829a0$@sixdemonbag.org>
Message-ID: <3431c546-e84d-9d74-2f92-0deaff6e0363@sumptuouscapital.com>

On 09/30/2016 04:24 PM, Robert J. Hansen wrote:
>> I'd start with -----BEGIN PGP PUBLIC KEY BLOCK----- :)
>
> You are technically correct (the best kind of correct!) [1] -- no,
> wait! That's "key block", not "keyblock"!
>
> I'm more technically correct! I win! :)
>
> In all seriousness, the only context in which I've seen "key block"
> has been the beginning of an armored certificate, and I've literally
> never seen "keyblock", nor have I ever heard anyone call their
> certificate a "keyblock" or "key block" outside of the narrow context
> of "look for -----BEGIN PGP PUBLIC KEY BLOCK-----".
>

I for one try to make the distinction, you'll find it back to my signing
policy document[0] (that hasn't been updated for a very long time.., but
doesn't seem like people care too much about things like this today so I
should remove it): "The signed keyblock is uploaded to a randomly chosen
set of keyservers. The signee may hint on what key server or choose to
receive it through mail instead."

References:
[0] https://sumptuouscapital.com/pgp/

--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
"If you are successful, you may win false friends and true enemies.
Succeed anyway."
(Mother Teresa)

From stebe at mailbox.org Fri Sep 30 17:30:00 2016
From: stebe at mailbox.org (Stephan Beck)
Date: Fri, 30 Sep 2016 15:30:00 +0000
Subject: recording and retrieving "secrets" into gpg files
In-Reply-To: <32bde4af-b750-1f1b-1785-8d9c40e6330e@gmx.fr>
References: <32bde4af-b750-1f1b-1785-8d9c40e6330e@gmx.fr>
Message-ID: <2f314e26-aec1-eaa0-80f4-4300cdc19470@mailbox.org>

Hi Arbiel,

Arbiel (gmx):
> Hi
>
> Thank you Andrew.
>
> In the material I've been reading lately, all examples are written in a
> programming language and I only have abilities in bash scripting.
>
> Can somebody, please, direct me toward a url where they provide bash
> scripting examples.
[...]

Bash scripting in general?
http://bash-hackers.org

related to gpg?
For instance,
https://github.com/Whonix/gpg-bash-lib

Cheers,

Stephan

From mirimir at riseup.net Fri Sep 30 17:59:09 2016
From: mirimir at riseup.net (Mirimir)
Date: Fri, 30 Sep 2016 09:59:09 -0600
Subject: Terminology - certificate or key ?
In-Reply-To: <007001d21b26$6b280de0$417829a0$@sixdemonbag.org>
References: <507e341e-4cf0-bf91-3e90-7a4080bb257f@jelmail.com>
 <87eg41wua2.fsf@wheatstone.g10code.de>
 <59a5b5d1-2436-608d-5e20-814dc1748a9c@sixdemonbag.org>
 <84d3ae20-2cb0-3524-c12c-3a32901928ff@sumptuouscapital.com>
 <007001d21b26$6b280de0$417829a0$@sixdemonbag.org>
Message-ID:

On 09/30/2016 08:24 AM, Robert J. Hansen wrote:
>> I'd start with -----BEGIN PGP PUBLIC KEY BLOCK----- :)
>
> You are technically correct (the best kind of correct!) [1] -- no, wait! That's "key block", not "keyblock"!
>
> I'm more technically correct! I win! :)
>
> In all seriousness, the only context in which I've seen "key block" has been the beginning of an armored certificate, and I've literally never seen "keyblock", nor have I ever heard anyone call their certificate a "keyblock" or "key block" outside of the narrow context of "look for -----BEGIN PGP PUBLIC KEY BLOCK-----".
>
> [1] https://www.youtube.com/watch?v=hou0lU8WMgo

Well, it's a "key" in a block, with regular line breaks.

From andrewg at andrewg.com Fri Sep 30 18:50:01 2016
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Fri, 30 Sep 2016 17:50:01 +0100
Subject: Terminology - certificate or key ?
In-Reply-To: <87d1jlv55c.fsf@wheatstone.g10code.de>
References: <507e341e-4cf0-bf91-3e90-7a4080bb257f@jelmail.com>
 <87eg41wua2.fsf@wheatstone.g10code.de>
 <59a5b5d1-2436-608d-5e20-814dc1748a9c@sixdemonbag.org>
 <87d1jlv55c.fsf@wheatstone.g10code.de>
Message-ID: <2cab7221-0b52-77eb-a63e-497e281d50e2@andrewg.com>

The problems always start with the words "public key"...

On 30/09/16 15:22, Werner Koch wrote:
>
> So for example "lock" and "private key" may be better.

"Lock and key" works for symmetric crypto, because you lock and unlock with the same key. "Latch and key" is the best analogy I know of to public key crypto, because anyone can pull a latch closed, but you need the key to open it again.

It's true that the term "certificate" can imply an unwarranted level of authority - but that's also true of most things in the real world that we call "certificates", so I don't think the problem is entirely in the terminology...! ;-)

Another problem with the signature analogy is that you don't sign with a "key" in the real world -- but there are other physical objects that you can "sign" with, such as a signet ring, which is a more intuitive analogy than "private key". But then what is the "public key" in this analogy?

There just isn't anything in the physical world that works as a watertight analogy for the underlying mathematics. The fact that the same process can be used (with subtle differences) in *both directions* is where all known analogies come completely unglued...

A

From ineiev at gnu.org Fri Sep 30 17:30:56 2016
From: ineiev at gnu.org (Ineiev)
Date: Fri, 30 Sep 2016 11:30:56 -0400
Subject: Terminology - certificate or key ?
In-Reply-To: <87d1jlv55c.fsf@wheatstone.g10code.de>
References: <507e341e-4cf0-bf91-3e90-7a4080bb257f@jelmail.com> <87eg41wua2.fsf@wheatstone.g10code.de> <59a5b5d1-2436-608d-5e20-814dc1748a9c@sixdemonbag.org> <87d1jlv55c.fsf@wheatstone.g10code.de>
Message-ID: <20160930153055.GA30569@gnu.org>

On Fri, Sep 30, 2016 at 04:22:39PM +0200, Werner Koch wrote:
>
> The root of the problem might be the concept of "public key" and
> "private key".
> You need to educate users that these are very different
> things but still belong together.

There is one more: "secret key".

From jernst at invacarecontractor.com Fri Sep 30 19:11:19 2016
From: jernst at invacarecontractor.com (Jim Ernst)
Date: Fri, 30 Sep 2016 17:11:19 +0000
Subject: gpg: signing failed: Inappropriate ioctl for device Error Message on Linux
In-Reply-To: <87h98xv5kf.fsf@wheatstone.g10code.de>
References: <87k2du50l2.fsf@europa.jade-hamburg.de> <87intdh8c4.fsf@europa.jade-hamburg.de> <87h98xv5kf.fsf@wheatstone.g10code.de>
Message-ID:

Hi Werner and Justus - thank you for the info !!

Is this issue normally associated with a --passphrase-fd 0 command being used with gpg2?

I am doing the following:

v_recipient='RECIPIENT'
v_passphrase=`cat pfile.txt`
/usr/local/bin/gpg2 --batch --local-user $v_recipient --passphrase=$v_passphrase --output $ --sign

And it is erroring with :

gpg: signing failed: Inappropriate ioctl for device

I was figuring this was not even trying to utilize any kind of STDIN since it was in --batch mode and not using the "passphrase-fd 0"....

Thanks!!

Jim Ernst

-----Original Message-----
From: Werner Koch [mailto:wk at gnupg.org]
Sent: Friday, September 30, 2016 10:14 AM
To: Justus Winter
Cc: Jim Ernst ; gnupg-users at gnupg.org
Subject: Re: gpg: signing failed: Inappropriate ioctl for device Error Message on Linux

On Fri, 30 Sep 2016 14:37, justus at g10code.com said:

> fallback pinentry failed to open the terminal due to the fact that
> stdin of the gpg process is not connected to a terminal. The latter
> can happen for example when gpg is used in a pipe.

That does not matter. The pinentry opens the tty on its own. To do this it needs to know the tty.
Fortunately gpg knows the tty or can take it from the GPG_TTY envvar and passes the name of the tty device via gpg-agent up to pinentry.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

NOTE: The sender of this email is an independent contractor of Invacare Corporation or one of its subsidiaries.
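
An added example, not part of Jim Ernst's message or the reply quoted in it: one way to run the signing step unattended, assuming GnuPG 2.1 or later, where a batch passphrase is only honoured together with --pinentry-mode loopback (early 2.1 releases also need allow-loopback-pinentry in gpg-agent.conf). The names sign_batch, pinentry_tty and GPG_BIN are made up for this sketch; the passphrase comes from a file readable only by its owner, so it never shows up in the process list the way --passphrase=... does.

```shell
#!/bin/sh
# Added example: unattended signing with GnuPG 2.1+ when no terminal exists.
# sign_batch, pinentry_tty and GPG_BIN are hypothetical names for this sketch.

GPG_BIN="${GPG_BIN:-gpg2}"

# Print the terminal name pinentry could use, or nothing when stdin is
# not a terminal (cron job, CI runner, pipe).
pinentry_tty() {
    if [ -t 0 ]; then tty; fi
}

# sign_batch KEYID PASSFILE INFILE OUTFILE
sign_batch() {
    keyid=$1 passfile=$2 infile=$3 outfile=$4

    [ -r "$passfile" ] || { echo "cannot read $passfile" >&2; return 2; }

    # Refuse a passphrase file that group or others can access at all.
    perms=$(ls -ldL "$passfile" | cut -c5-10)
    [ "$perms" = "------" ] || {
        echo "$passfile: group/other access set, use chmod 600" >&2
        return 3
    }

    # With a terminal present, tell gpg-agent which one pinentry may open.
    t=$(pinentry_tty)
    if [ -n "$t" ]; then
        GPG_TTY=$t
        export GPG_TTY
    fi

    # loopback: gpg hands the passphrase to gpg-agent itself, so no
    # pinentry is started and no tty ioctl can fail.
    "$GPG_BIN" --batch --yes --pinentry-mode loopback \
        --passphrase-file "$passfile" \
        --local-user "$keyid" --output "$outfile" --sign "$infile"
}
```

A call looks like `sign_batch RECIPIENT pfile.txt report.txt report.txt.gpg`, where the two file names are placeholders.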