From jpgorrono at ucdavis.edu Mon May 1 02:18:11 2017
From: jpgorrono at ucdavis.edu (Jon Gorrono)
Date: Sun, 30 Apr 2017 17:18:11 -0700
Subject: How to export private ed25519 subkey to the SSH format
In-Reply-To:
References:
Message-ID:

I've used Monkeysphere's openpgp2ssh tool

https://incenp.org/notes/2014/gnupg-for-ssh-authentication.html

It's in a bunch of linux repo's and also brew...

On Sun, Apr 30, 2017 at 4:15 AM, zdm at softvisio.net wrote:

> Hi,
>
> I want to use gpg as my primary keyring to store all keys.
>
> But sometimes I need to get private key in SSH format to use directly
> with SSH.
>
> For example - deployment keys, to access private projects on github via
> git from docker containers.
>
> Is it currently possible to get private key in SSH format?

--
Jon Gorrono
PGP Key: 0x5434509D - *** KEY REVOKED *** - http{ pgp.mit.edu:11371/pks/lookup?search=0x5434509D&op=index}
New key (signed by revoked key): 0xEFE6A913 - http{ pgp.mit.edu:11371/pks/lookup?search= 0xEFE6A913 &op=index }
http{middleware.ucdavis.edu}

From peter at digitalbrains.com Mon May 1 11:07:31 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Mon, 1 May 2017 11:07:31 +0200
Subject: Trouble installing Version 2.1 on Debian Jessie
In-Reply-To: <29508c81-fd60-38be-fb3e-4f2ce18ff877@digitalbrains.com>
References: <29508c81-fd60-38be-fb3e-4f2ce18ff877@digitalbrains.com>
Message-ID: <897a24c2-afae-e620-6c03-a253962c779d@digitalbrains.com>

On 30/04/17 20:04, Peter Lebbing wrote:
> Perhaps your pinning in apt-preferences is interfering with the -t
> option, because I think the -t option should promote dependencies to be
> downloaded from the specified suite as well.

Silly me. These dependencies are not to be found in experimental, so the -t option will do you no good. Experimental is a bit special; it does not contain a complete suite but only a few packages. If you would have specified a full suite like stretch or sid, it can find its dependencies there.

Still, just resolving all dependencies manually with aptitude's visual mode is something that will always work. Since the whole idea of a FrankenDebian is to use as few body parts from different suites as possible, it shouldn't be a lot of manual labor.

Oh, mark dependencies as automatically installed with the M key (capital m) when you install them. So press + to install, and then immediately press Shift-M to mark it as auto. That way, they will automatically be removed if nothing still depends on them.

I agree that usually a FrankenDebian is a bad idea. You run a real risk of breaking library dependencies[1], or confusing the APT system. Still, I do it myself anyway, but only on desktops where breakage is not a catastrophe. I can't recommend it, but I also won't say "oh, you definitely shouldn't do that". It depends on your skill and willingness to suffer breakage.

HTH,

Peter.

[1] Packages built in stretch and sid are compiled against the -dev packages in those distributions, but its dependencies might be met by packages in stable. This means the library built against is different than the library that is loaded at runtime.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From 2014-667rhzu3dc-lists-groups at riseup.net Mon May 1 16:52:55 2017
From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA)
Date: Mon, 1 May 2017 15:52:55 +0100
Subject: Extending Expiration dates of gnupg keys with the private key residing on a smart card
In-Reply-To: <6b5b17cd-95bc-836c-6dd2-ea2473d84ba4@digitalbrains.com>
References: <1491814017.1975.15.camel@graumannschaft.org> <6b5b17cd-95bc-836c-6dd2-ea2473d84ba4@digitalbrains.com>
Message-ID: <1081334022.20170501155255@riseup.net>

On Sunday 30 April 2017 at 7:34:40 PM, in , Peter Lebbing wrote:-

> I think keys 1, 2 and 3 are all subkeys; NOT your
> primary.

Isn't the primary "key 0"?

--
Best regards

MFPA

It is easy to propose impossible remedies.

From dkg at fifthhorseman.net Mon May 1 18:32:10 2017
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Mon, 01 May 2017 12:32:10 -0400
Subject: How to export private ed25519 subkey to the SSH format
In-Reply-To:
References:
Message-ID: <87h91435dh.fsf@fifthhorseman.net>

On Sun 2017-04-30 17:18:11 -0700, Jon Gorrono wrote:
> I've used Monkeysphere's openpgp2ssh tool
>
> https://incenp.org/notes/2014/gnupg-for-ssh-authentication.html
>
> It's in a bunch of linux repo's and also brew...

I don't think that monkeysphere's openpgp2ssh tool handles ed25519 at the moment (i'm part of monkeysphere upstream). It'd be great if it did!

--dkg

From peter at digitalbrains.com Tue May 2 11:15:09 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Tue, 2 May 2017 11:15:09 +0200
Subject: Extending Expiration dates of gnupg keys with the private key residing on a smart card
In-Reply-To: <1081334022.20170501155255@riseup.net>
References: <1491814017.1975.15.camel@graumannschaft.org> <6b5b17cd-95bc-836c-6dd2-ea2473d84ba4@digitalbrains.com> <1081334022.20170501155255@riseup.net>
Message-ID:

On 01/05/17 16:52, MFPA wrote:
> Isn't the primary "key 0"?

I was under the impression "key 0" deselected all subkeys and the man page agrees with me :-). From the man page:

> key n Toggle selection of subkey with index n or key ID n. Use
> * to select all and 0 to deselect all.

The important difference is that you could do

> key 1
> key 2

and select subkeys one and two. But either

> key 0
> key 1
> key 2

or

> key 1
> key 2
> key 0

will not select the primary as well as two subkeys. You can, however, use "key 0" to return to extending the expiration of just the primary.

TIL, "*" will select all subkeys. I did not know that.

HTH,

Peter.

From peter at digitalbrains.com Tue May 2 11:22:05 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Tue, 2 May 2017 11:22:05 +0200
Subject: Trouble installing Version 2.1 on Debian Jessie
In-Reply-To: <87poft3mwm.fsf@fifthhorseman.net>
References: <20170430094512.eqx3piwyu2zka6lb@grep.be> <87poft3mwm.fsf@fifthhorseman.net>
Message-ID:

On 30/04/17 18:01, Daniel Kahn Gillmor wrote:
> There are actually several different backports needed to make this work

Actually, all dependencies are now in jessie-backports. To be exact:

- debhelper and its dependencies
- libassuan-dev, libassuan, libgcrypt20-dev, libgcrypt20, libgpg-error-dev, libgpg-error0, libksba-dev, libksba8, libnpth0-dev and libnpth0

HTH,

Peter.

From jeffersoncarpenter2 at gmail.com Tue May 2 04:12:41 2017
From: jeffersoncarpenter2 at gmail.com (Jefferson Carpenter)
Date: Mon, 1 May 2017 21:12:41 -0500
Subject: What is an RSA subkey? [eom]
Message-ID:

From peter at digitalbrains.com Tue May 2 12:20:44 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Tue, 2 May 2017 12:20:44 +0200
Subject: Trouble installing Version 2.1 on Debian Jessie
In-Reply-To:
References: <20170430094512.eqx3piwyu2zka6lb@grep.be> <87poft3mwm.fsf@fifthhorseman.net>
Message-ID:

On 02/05/17 11:22, Peter Lebbing wrote:
> Actually, all dependencies are now in jessie-backports.

Oh wait, unless of course you mean if you want GnuPG 2.1 to provide the /usr/bin/gpg binary that in jessie is provided by GnuPG 1.4. I suspect that's what you meant, because all the libraries were just a recompile away from a backport, AFAIK.

By the way, your contribution to this thread got held up for almost a day before it went through:

> Received: from fifthhorseman.net (unknown [38.109.115.130])
>  by che.mayfirst.org (Postfix) with ESMTPSA id D3EF5F993;
>  Mon, 1 May 2017 09:17:55 -0400 (EDT)
> Received: by fifthhorseman.net (Postfix, from userid 1000)
>  id D20C82002E; Sun, 30 Apr 2017 09:01:16 -0700 (MST)

Cheers,

Peter.

From peter at digitalbrains.com Tue May 2 18:00:04 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Tue, 2 May 2017 18:00:04 +0200
Subject: Question on Putty and gpg-agent
In-Reply-To:
References: <43389bbb-e09d-a045-f61a-2cae27576761@blazrsoft.com>
Message-ID: <12500711-c9b8-85b6-e7ba-f932400770eb@digitalbrains.com>

On 30/04/17 20:41, Peter Lebbing wrote:
> It is a decidedly different behaviour than gpg-agent on Linux. There, it
> will check if a smartcard is currently connected and if so, offer such a
> key for authentication. For SSH, it will *never ask* to insert a card!
> It'll just skip it outright.

It turns out this isn't true. If you add the keygrip to sshcontrol, it will ask for the card. However, I hadn't added my smartcard keygrip to sshcontrol because it is unnecessary.

HTH,

Peter.

From rjh at sixdemonbag.org Tue May 2 21:10:18 2017
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 2 May 2017 15:10:18 -0400
Subject: What is an RSA subkey? [eom]
In-Reply-To:
References:
Message-ID:

We're going to need a lot more info than this.

"What is an RSA subkey?" Well, it's a part of a certificate which provides the capability to do some or all of signing, certifying, authenticating, and/or encryption, using the RSA algorithm to provide its cryptographic needs.

If that answer is helpful to you, you're quite welcome. :) But if it's not, you really need to drill down and tell us what precisely you're looking to learn.

From samir at samirnassar.com Tue May 2 21:46:35 2017
From: samir at samirnassar.com (Samir Nassar)
Date: Tue, 02 May 2017 21:46:35 +0200
Subject: How to export private ed25519 subkey to the SSH format
In-Reply-To:
References:
Message-ID: <1591110.vKMUB9ih8y@lathe>

On Monday, May 1, 2017 2:18:11 AM CEST Jon Gorrono wrote:
> https://incenp.org/notes/2014/gnupg-for-ssh-authentication.html

The author has an updated version covering GnuPG 2.1:

https://incenp.org/notes/2015/gnupg-for-ssh-authentication.html

I tried it out and it works really well and GnuPG has made it very easy to do:

$ gpg -K
~/.gnupg/pubring.kbx
--------------------------------

sec ed25519 2017-04-16 [SC] [expires: 2019-04-16]
DEADBEEFDEAFBIN5A000000000000BADB0B1337
uid [ultimate] Samir Nassar
ssb cv25519 2017-04-16 [E] [expires: 2020-04-16]
ssb ed25519 2017-04-16 [A] [expires: 2020-04-16]

I control my gpg-agent with a systemd user service and that is pretty nice too.

Samir Nassar

From jpgorrono at ucdavis.edu Wed May 3 02:42:29 2017
From: jpgorrono at ucdavis.edu (Jon Gorrono)
Date: Tue, 2 May 2017 17:42:29 -0700
Subject: How to export private ed25519 subkey to the SSH format
In-Reply-To: <1591110.vKMUB9ih8y@lathe>
References: <1591110.vKMUB9ih8y@lathe>
Message-ID:

oh, nice... thanks

no monkey(sphere) business anymore

On Tue, May 2, 2017 at 12:46 PM, Samir Nassar wrote:

> On Monday, May 1, 2017 2:18:11 AM CEST Jon Gorrono wrote:
> > https://incenp.org/notes/2014/gnupg-for-ssh-authentication.html
>
> The author has an updated version covering GnuPG 2.1 :
>
> https://incenp.org/notes/2015/gnupg-for-ssh-authentication.html
>
> I tried it out and it works really well and GnuPG has made it very easy to
> do:
>
> $ gpg -K
> ~/.gnupg/pubring.kbx
> --------------------------------
>
> sec ed25519 2017-04-16 [SC] [expires: 2019-04-16]
> DEADBEEFDEAFBIN5A000000000000BADB0B1337
> uid [ultimate] Samir Nassar
> ssb cv25519 2017-04-16 [E] [expires: 2020-04-16]
> ssb ed25519 2017-04-16 [A] [expires: 2020-04-16]
>
> I control my gpg-agent with a systemd user service and that is pretty nice
> too.
>
> Samir Nassar

From fboiteux at prosodie.com Thu May 4 15:33:27 2017
From: fboiteux at prosodie.com (BOITEUX, Frederic)
Date: Thu, 4 May 2017 13:33:27 +0000
Subject: Is it possible to encrypt a stream on the fly ?
Message-ID:

Hello,

I've a program producing some sound records, I'd like to use GPGME to encrypt these records (using RSA key) and I have some questions about this:

- the records are produced continuously and handled regularly through small data blocks (in memory), and I have to encrypt data before writing it in a file. I wonder if I could encrypt data on the fly, small blocks by small blocks, or if all input data should be here to run encryption (using gpgme_op_encrypt() or gpgme_op_encrypt_start() functions)? I've read "Callback Based Data Buffers" page in documentation, but it seems gpgme_data_read_cb_t function should be blocking if data isn't available...

- moreover, this program is multi-threaded and can process multiple records at the same time: could these encryptions be done asynchronously, using only one gpgme_wait() call (by a specific thread I guess)?

Do you have some sample codes doing this kind of stuff? I've read the GPGME documentation, but I'm confused about how to do this.

Any help would be appreciated, thanks!

Fred.

From cpollock at embarqmail.com Mon May 8 15:58:59 2017
From: cpollock at embarqmail.com (Chris)
Date: Mon, 08 May 2017 08:58:59 -0500
Subject: Error verifying signature: Cannot verify message signature: Incorrect message format
Message-ID: <1494251939.24601.6.camel@embarqmail.com>

I've noticed the above recently when I see a post from certain users including myself in a couple of the Ubuntu mailing lists. I don't see issues in other lists I'm on nor does it happen if I ask the sender of the post to send me a signed private message. I also see this:

Error verifying signature: parse error

I'm not sure what else to post here for anyone to look at that may help but I believe it's something to do with the list that changed and not on my end. If I can post any more information please let me know.

Chris

--
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
08:46:36 up 6 days, 15:29, 1 user, load average: 0.85, 0.49, 0.29
Description: Ubuntu 16.04.2 LTS, kernel 4.4.0-77-generic

From fa-ml at ariis.it Mon May 8 18:52:43 2017
From: fa-ml at ariis.it (Francesco Ariis)
Date: Mon, 8 May 2017 18:52:43 +0200
Subject: Error verifying signature: Cannot verify message signature: Incorrect message format
In-Reply-To: <1494251939.24601.6.camel@embarqmail.com>
References: <1494251939.24601.6.camel@embarqmail.com>
Message-ID: <20170508165243.GA8248@casa.casa>

On Mon, May 08, 2017 at 08:58:59AM -0500, Chris wrote:
> I've noticed the above recently when I see a post from certain users
> including myself in a couple of the Ubuntu mailing lists. I don't see
> issues in other lists I'm on nor does it happen if I ask the sender of
> the post to send me a signed private message. I also see this:
>
> Error verifying signature: parse error

Hello Chris, more often than not mailing lists mangle messages in a subtle way, thus breaking the signature.
At least that's what happened the last time I tried to verify a ML message.

From cpollock at embarqmail.com Mon May 8 19:52:13 2017
From: cpollock at embarqmail.com (Chris)
Date: Mon, 08 May 2017 12:52:13 -0500
Subject: Error verifying signature: Cannot verify message signature: Incorrect message format
In-Reply-To: <20170508165243.GA8248@casa.casa>
References: <1494251939.24601.6.camel@embarqmail.com> <20170508165243.GA8248@casa.casa>
Message-ID: <1494265933.24601.14.camel@embarqmail.com>

On Mon, 2017-05-08 at 18:52 +0200, Francesco Ariis wrote:
> On Mon, May 08, 2017 at 08:58:59AM -0500, Chris wrote:
> >
> > I've noticed the above recently when I see a post from certain
> > users
> > including myself in a couple of the Ubuntu mailing lists. I don't
> > see
> > issues in other lists I'm on nor does it happen if I ask the sender
> > of
> > the post to send me a signed private message. I also see this:
> >
> > Error verifying signature: parse error
> Hello Chris, more often than not mailing lists mangle messages in a
> subtle way, thus breaking the signature.
> At least that's what happened the last time I tried to verify a ML
> message.
>
Thanks Francesco, that's what I figured is going on but wanted to make sure it wasn't something wrong on my end.

Chris

--
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
12:49:56 up 6 days, 19:33, 1 user, load average: 0.65, 0.37, 0.30
Description: Ubuntu 16.04.2 LTS, kernel 4.4.0-77-generic

From rjmorris.list at zoho.com Tue May 9 04:34:35 2017
From: rjmorris.list at zoho.com (Joey Morris)
Date: Mon, 8 May 2017 22:34:35 -0400
Subject: gpg hangs when asking for passphrase
Message-ID: <20170509023434.i555tlb7or37wrz2@conquistador.dnsalias.org>

I'm pretty new to GnuPG, having installed it a couple months ago for use with the pass password manager. Everything was working fine until I rebooted my computer yesterday, and now gpg hangs at the point where I believe it should ask me for my key's passphrase. For example, the following command hangs:

$ cat test.encrypted | gpg --decrypt

After several minutes I kill it with Ctrl-C.

I've tried several things without figuring out the problem:

- Verified that gpg-agent is running with `pgrep -u "${USER}" gpg-agent`.
- Restarted gpg-agent with `killall gpg-agent`.
- Verified that the socket referenced by $GPG_AGENT_INFO exists.
- Ran `export GPG_TTY=$(tty)` in my terminal.
- Tried several pinentry variants (tty, curses, qt, gtk). Before rebooting, I'd been using pinentry-tty without a problem.

A couple other examples of commands that hang:

$ gpg-connect-agent reloadagent /bye
$ gpg --edit-key userid

I'm running version 2.1.18 on debian sid. Does anyone have thoughts on what might be happening or suggestions for additional troubleshooting?

Thanks.

Joey

From peter at digitalbrains.com Tue May 9 11:50:33 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Tue, 9 May 2017 11:50:33 +0200
Subject: gpg hangs when asking for passphrase
In-Reply-To: <20170509023434.i555tlb7or37wrz2@conquistador.dnsalias.org>
References: <20170509023434.i555tlb7or37wrz2@conquistador.dnsalias.org>
Message-ID:

On 09/05/17 04:34, Joey Morris wrote:
> I'm running version 2.1.18 on debian sid. Does anyone have thoughts on what
> might be happening or suggestions for additional troubleshooting?

Is it possible that this started occurring after upgrading the gnupg package? 2.1.17-4 (from 10 Jan) introduced using systemd user sessions for gpg-agent and dirmngr by default. When I had this enabled on Debian jessie, a connection to the agent would just hang. I figured this had to do with a difference in systemd between jessie and stretch/sid. But perhaps you're experiencing a variant of it. Do you have the package dbus-user-session installed?

I don't know much about systemd, and I don't run stretch or sid. So I can't help you much. I just recognised your description of connections hanging.

However, that change was introduced several months ago. Perhaps something else changed more recently that still broke the user session thingy for you?

HTH,

Peter.

From rjmorris.list at zoho.com Tue May 9 15:32:43 2017
From: rjmorris.list at zoho.com (Joey Morris)
Date: Tue, 9 May 2017 09:32:43 -0400
Subject: gpg hangs when asking for passphrase
In-Reply-To:
References: <20170509023434.i555tlb7or37wrz2@conquistador.dnsalias.org>
Message-ID: <20170509133243.i5kbuw3mtx6xk6q6@conquistador.dnsalias.org>

Peter Lebbing wrote on Tue, May 09, 2017 at 11:50:33AM +0200:
> Is it possible that this started occurring after upgrading the gnupg
> package? 2.1.17-4 (from 10 Jan) introduced using systemd user sessions
> for gpg-agent and dirmngr by default. When I had this enabled on Debian
> jessie, a connection to the agent would just hang. I figured this had to
> do with a difference in systemd between jessie and stretch/sid. But
> perhaps you're experiencing a variant of it. Do you have the package
> dbus-user-session installed?

Thanks Peter, I think this is indeed related to the systemd user sessions. Just to clarify, did you solve your problem by disabling the systemd units, or did you end up getting it working with them?

Checking my apt logs, I upgraded from gnupg-1.4.19-3 and gnupg2-2.0.28-3 to just gnupg2-2.1.18-6 on March 18. (So it wasn't a new install of gnupg as I implied originally.) March 18 is the day I installed pass and started using it, and by extension, gpg, successfully. I didn't install dbus-user-session. Then I rebooted on May 7. My guess is that gpg-agent didn't start running through systemd until I rebooted.

I installed dbus-user-session this morning, logged out and back in, and the agent connection still hung. Then I masked the systemd user units per the Debian README for gpg-agent, and now everything is working again.

I have a working setup now, which is my top priority, although I'm also interested in figuring out why the default method isn't working. But perhaps that's more of a question for Debian.

Joey

From peter at digitalbrains.com Tue May 9 17:19:23 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Tue, 9 May 2017 17:19:23 +0200
Subject: gpg hangs when asking for passphrase
In-Reply-To: <20170509133243.i5kbuw3mtx6xk6q6@conquistador.dnsalias.org>
References: <20170509023434.i555tlb7or37wrz2@conquistador.dnsalias.org> <20170509133243.i5kbuw3mtx6xk6q6@conquistador.dnsalias.org>
Message-ID:

On 09/05/17 15:32, Joey Morris wrote:
> Thanks Peter, I think this is indeed related to the systemd user sessions. Just
> to clarify, did you solve your problem by disabling the systemd units, or did
> you end up getting it working with them?

I removed the following symlinks (format: destination - space - symlink):

usr/lib/systemd/user/gpg-agent-browser.socket usr/lib/systemd/user/sockets.target.wants/gpg-agent-browser.socket
usr/lib/systemd/user/gpg-agent-extra.socket usr/lib/systemd/user/sockets.target.wants/gpg-agent-extra.socket
usr/lib/systemd/user/gpg-agent-ssh.socket usr/lib/systemd/user/sockets.target.wants/gpg-agent-ssh.socket
usr/lib/systemd/user/gpg-agent.socket usr/lib/systemd/user/sockets.target.wants/gpg-agent.socket
usr/lib/systemd/user/dirmngr.socket /usr/lib/systemd/user/sockets.target.wants/dirmngr.socket

(To be exact, I prevented them from being installed in the first place.)

So I don't use the user session functionality. In Debian jessie, there also is no package dbus-user-session to install in the first place.

> I have a working setup now, which is my top priority, although I'm also
> interested in figuring out why the default method isn't working. But perhaps
> that's more of a question for Debian.

It's a question /I/ can't answer, but Daniel Kahn Gillmor is probably the one who introduced the functionality and he also frequents this mailing list.

HTH,

Peter.

From dkg at fifthhorseman.net Tue May 9 18:38:56 2017
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Tue, 09 May 2017 12:38:56 -0400
Subject: gpg hangs when asking for passphrase
In-Reply-To: <20170509023434.i555tlb7or37wrz2@conquistador.dnsalias.org>
References: <20170509023434.i555tlb7or37wrz2@conquistador.dnsalias.org>
Message-ID: <8760ham1cv.fsf@fifthhorseman.net>

Hi Joey--

On Mon 2017-05-08 22:34:35 -0400, Joey Morris wrote:
> I've tried several things without figuring out the problem:
>
> - Verified that gpg-agent is running with `pgrep -u "${USER}" gpg-agent`.
> - Restarted gpg-agent with `killall gpg-agent`.
> - Verified that the socket referenced by $GPG_AGENT_INFO exists.
> - Ran `export GPG_TTY=$(tty)` in my terminal.
> - Tried several pinentry variants (tty, curses, qt, gtk). Before rebooting,
> I'd been using pinentry-tty without a problem.
>
> A couple other examples of commands that hang:
>
> $ gpg-connect-agent reloadagent /bye
> $ gpg --edit-key userid
>
> I'm running version 2.1.18 on debian sid. Does anyone have thoughts on what
> might be happening or suggestions for additional troubleshooting?

are you using systemd?

do you have dbus-user-session installed?

how are you logged into the machine (e.g. X11 via gdm, wayland with gdm, a text-mode-only vt console, etc, ssh session only)?

do you have libpam-systemd installed?

are you logged into the machine in multiple concurrent sessions?

does "gpg-connect-agent" on its own hang, rather than giving you a "> " prompt that you can interact with?

what version of the debian package are you running?

when you say you've tried several pinentry variants, how did you try them all?

--dkg

From dkg at fifthhorseman.net Tue May 9 18:59:44 2017
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Tue, 09 May 2017 12:59:44 -0400
Subject: gpg hangs when asking for passphrase
In-Reply-To: <20170509133243.i5kbuw3mtx6xk6q6@conquistador.dnsalias.org>
References: <20170509023434.i555tlb7or37wrz2@conquistador.dnsalias.org> <20170509133243.i5kbuw3mtx6xk6q6@conquistador.dnsalias.org>
Message-ID: <87vapakltr.fsf@fifthhorseman.net>

On Tue 2017-05-09 09:32:43 -0400, Joey Morris wrote:
>
> Thanks Peter, I think this is indeed related to the systemd user sessions. Just
> to clarify, did you solve your problem by disabling the systemd units, or did
> you end up getting it working with them?
>
> Checking my apt logs, I upgraded from gnupg-1.4.19-3 and gnupg2-2.0.28-3 to just
> gnupg2-2.1.18-6 on March 18. (So it wasn't a new install of gnupg as I implied
> originally.) March 18 is the day I installed pass and started using it, and by
> extension, gpg, successfully. I didn't install dbus-user-session. Then I rebooted
> on May 7. My guess is that gpg-agent didn't start running through systemd until
> I rebooted.
>
> I installed dbus-user-session this morning, logged out and back in, and the
> agent connection still hung. Then I masked the systemd user units per the Debian
> README for gpg-agent, and now everything is working again.

hm, masking the user units really shouldn't be necessary. if you can explain your system setup to me (see the questions asked elsewhere in the thread), i'd be happy to try to replicate the problem and give a better diagnosis.

--dkg

From Dustin.Rogers at capitalone.com Tue May 9 19:12:22 2017
From: Dustin.Rogers at capitalone.com (Rogers, Dustin) Date: Tue, 9 May 2017 17:12:22 +0000 Subject: undeclared function identified during make - gnupg-2.1.20 Message-ID: Hi Werner and gnupg community: I am having an issue installing gnupg2-2.1.20 from source, and the error is unclear to me. I am hoping someone may have some advice.... It seems the configure runs clean, identifies needed packages, etc. When I attempt to make, I receive this error when the compiler tries to evaluate sysutils.c, and locate a function called "IN_EXCL_UNLINK" gcc -DHAVE_CONFIG_H -I. -I.. -DLOCALEDIR=\"/usr/local/share/locale\" -DGNUPG_BINDIR="\"/usr/local/bin\"" -DGNUPG_LIBEXECDIR="\"/usr/local/libexec\"" -DGNUPG_LIBDIR="\"/usr/local/lib/gnupg\"" -DGNUPG_DATADIR="\"/usr/local/share/gnupg\"" -DGNUPG_SYSCONFDIR="\"/usr/local/etc/gnupg\"" -DGNUPG_LOCALSTATEDIR="\"/usr/local/var\"" -DWITHOUT_NPTH=1 -Wall -Wno-pointer-sign -Wpointer-arith -g -O2 -MT libcommon_a-sysutils.o -MD -MP -MF .deps/libcommon_a-sysutils.Tpo -c -o libcommon_a-sysutils.o `test -f 'sysutils.c' || echo './'`sysutils.c sysutils.c: In function ?gnupg_inotify_watch_socket?: sysutils.c:1163: error: ?IN_EXCL_UNLINK? undeclared (first use in this function) sysutils.c:1163: error: (Each undeclared identifier is reported only once sysutils.c:1163: error: for each function it appears in.) make[3]: *** [libcommon_a-sysutils.o] Error 1 make[3]: Leaving directory `/root/gnupg-2.1.20/common' make[2]: *** [all] Error 2 Being that it identifies a "gnupg_inotify_watch_socket". I am guessing it has to do with the fact that I uninstalled the rpm-based version of gnupg 2.0.18, and somehow it is looking for sockets used by gnupg. Does anyone know why I receive this error? Any help is appreciated in advance. 
Thank you,
-Dustin Rogers

____________________________________________
Dustin Rogers, MSIA
Data Security Encryption Services
(pulse) 224.404.8919 (office) 218.331.0186 (mobile)
________________________________________________________

The information contained in this e-mail is confidential and/or proprietary to Capital One and/or its affiliates and may only be used solely in performance of work or services for Capital One. The information transmitted herewith is intended only for use by the individual or entity to which it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any review, retransmission, dissemination, distribution, copying or other use of, or taking of any action in reliance upon this information is strictly prohibited. If you have received this communication in error, please contact the sender and delete the material from your computer.

From rjmorris.list at zoho.com Wed May 10 03:43:47 2017
From: rjmorris.list at zoho.com (Joey Morris)
Date: Tue, 9 May 2017 21:43:47 -0400
Subject: gpg hangs when asking for passphrase
In-Reply-To: <8760ham1cv.fsf@fifthhorseman.net>
References: <20170509023434.i555tlb7or37wrz2@conquistador.dnsalias.org> <8760ham1cv.fsf@fifthhorseman.net>
Message-ID: <20170510014347.5papjllsxyo5xdsy@conquistador.dnsalias.org>

Thanks for thinking about this, Daniel. Answers to your questions below.

Daniel Kahn Gillmor wrote on Tue, May 09, 2017 at 12:38:56PM -0400:
> are you using systemd?

Yes.

> do you have dbus-user-session installed?

I didn't at first, but I do now. I saw the hanging behavior both before and after I installed it.

> how are you logged into the machine (e.g. X11 via gdm, wayland with gdm, a
> text-mode-only vt console, etc, ssh session only)?

X11 via startx. I run openbox-session at the end of .xsession.

> do you have libpam-systemd installed?

Yes. Version 222-1.

> are you logged into the machine in multiple concurrent sessions?

No.

> does "gpg-connect-agent" on its own hang, rather
> than giving you a "> " prompt that you can interact with?

Yes, gpg-connect-agent on its own hangs. (Because I had masked my systemd units as a workaround, as mentioned in my other email, I unmasked them to reproduce the hanging scenario in order to test this.)

> what version of the debian package are you running?

Originally 2.1.18-6, and then I upgraded to 2.1.18-7. Same behavior in both cases.

> when you say you've tried several pinentry variants, how did you try them all?

For a couple of them, I edited ~/.gnupg/gpg-agent.conf. For the others, I put the generic "pinentry-program /usr/bin/pinentry" in gpg-agent.conf and used Debian's alternatives to specify the preferred variant. In each case, I re-ran one of the hanging commands after making the change.

I also tried pinentry-gnome3 just now, because I noticed that it's specifically mentioned in Debian's gnupg-agent README, but it still hangs.
Joey

From antonino_augusta at hotmail.com Wed May 10 11:51:32 2017
From: antonino_augusta at hotmail.com (Antonino Augusta)
Date: Wed, 10 May 2017 09:51:32 +0000
Subject: Error on gnupg-2.1.20 installation
Message-ID:

Hi,

I hope someone can help me with the following. I have already installed successfully (on linux) the following packages:

npth
libgpg-error
libgcrypt
libksba
libassuan

When I try to install the gnupg-2.1.20 package, during the make i receive the following error message:

sysutils.c: In function ‘gnupg_inotify_watch_socket’:
sysutils.c:1163: error: ‘IN_EXCL_UNLINK’ undeclared (first use in this function)
sysutils.c:1163: error: (Each undeclared identifier is reported only once
sysutils.c:1163: error: for each function it appears in.)
make[2]: *** [libcommon_a-sysutils.o] Error 1
make[2]: Leaving directory `/root/GnuPG_Pkgs/gnupg-2.1.20/common'
make[1]: *** [check] Error 2
make[1]: Leaving directory `/root/GnuPG_Pkgs/gnupg-2.1.20/common'
make: *** [check-recursive] Error 1

Many thanks,
Antonino

From dkg at fifthhorseman.net Wed May 10 17:09:00 2017
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 10 May 2017 11:09:00 -0400
Subject: Error on gnupg-2.1.20 installation
In-Reply-To:
References:
Message-ID: <874lwslpf7.fsf@fifthhorseman.net>

On Wed 2017-05-10 09:51:32 +0000, Antonino Augusta wrote:
> When I try to install the gnupg-2.1.20 package, during the make i receive the following error message:
>
>
> sysutils.c: In function ‘gnupg_inotify_watch_socket’:
> sysutils.c:1163: error: ‘IN_EXCL_UNLINK’ undeclared (first use in this function)
> sysutils.c:1163: error: (Each undeclared identifier is reported only once
> sysutils.c:1163: error: for each function it appears in.)
> make[2]: *** [libcommon_a-sysutils.o] Error 1
> make[2]: Leaving directory `/root/GnuPG_Pkgs/gnupg-2.1.20/common'
> make[1]: *** [check] Error 2
> make[1]: Leaving directory `/root/GnuPG_Pkgs/gnupg-2.1.20/common'
> make: *** [check-recursive] Error 1

On most GNU/Linux systems, this inotify definition is typically made available by either your libc development package, or by headers supplied by Linux dev packages. On debian, you'll need the libc6-dev package, which i can't imagine you could have even gotten this far without having it available.

This line should also only be compiled if the C preprocessor has defined HAVE_INOTIFY_INIT, in which case you should already have #include , which is where the IN_EXCL_UNLINK definition is typically located.

So i'm perplexed why you'd be running into this. perhaps your copy of inotify.h is really old or something? what OS are you using? if you "grep -r IN_EXCL_UNLINK /usr/include" does anything show up?

--dkg

From dkg at fifthhorseman.net Wed May 10 20:10:27 2017
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 10 May 2017 14:10:27 -0400
Subject: debugging systemd user services for gpg-agent and dirmngr [was: Re: gpg hangs when asking for passphrase]
In-Reply-To: <20170510014347.5papjllsxyo5xdsy@conquistador.dnsalias.org>
References: <20170509023434.i555tlb7or37wrz2@conquistador.dnsalias.org> <8760ham1cv.fsf@fifthhorseman.net> <20170510014347.5papjllsxyo5xdsy@conquistador.dnsalias.org>
Message-ID: <87a86kk2gc.fsf@fifthhorseman.net>

Hi Joey--

thanks for these details!

On Tue 2017-05-09 21:43:47 -0400, Joey Morris wrote:
> X11 via startx. I run openbox-session at the end of .xsession.

cool, we actually have fairly similar setups -- i'm also running systemd, debian testing/unstable, with dbus-user-session, and libpam-systemd, and i use openbox as well :) However, i'm not seeing the behavior you're seeing.

One difference i note is that you're using ~/.xsession, and i'm just relying on the alternatives system to launch openbox:

    0 dkg at alice:~$ readlink -f $(which x-session-manager)
    /usr/bin/openbox-session
    0 dkg at alice:~$

( For the programs that i want launched per-graphical-session that can't be handled as systemd user services, i include them in ~/.config/openbox/autostart )

Do you think you could try that approach (with the systemd user services unmasked) and see whether the agents respond properly? if so, it'd give us something specific to debug (we would look into your .xsession to try to figure out how it differs from the standard startup).

also, when the systemd user services are unmasked, what is shown by:

    journalctl --user-unit gpg-agent dirmngr

Regards,

--dkg

From dkg at fifthhorseman.net Wed May 10 19:59:51 2017
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 10 May 2017 13:59:51 -0400
Subject: undeclared function identified during make - gnupg-2.1.20
In-Reply-To:
References:
Message-ID: <87bmr0k2y0.fsf@fifthhorseman.net>

Hi Dustin--

On Tue 2017-05-09 17:12:22 +0000, Rogers, Dustin wrote:
> When I attempt to make, I receive this error when the compiler tries to evaluate sysutils.c, and locate a function called "IN_EXCL_UNLINK"
>
> gcc -DHAVE_CONFIG_H -I. -I.. -DLOCALEDIR=\"/usr/local/share/locale\" -DGNUPG_BINDIR="\"/usr/local/bin\"" -DGNUPG_LIBEXECDIR="\"/usr/local/libexec\"" -DGNUPG_LIBDIR="\"/usr/local/lib/gnupg\"" -DGNUPG_DATADIR="\"/usr/local/share/gnupg\"" -DGNUPG_SYSCONFDIR="\"/usr/local/etc/gnupg\"" -DGNUPG_LOCALSTATEDIR="\"/usr/local/var\"" -DWITHOUT_NPTH=1 -Wall -Wno-pointer-sign -Wpointer-arith -g -O2 -MT libcommon_a-sysutils.o -MD -MP -MF .deps/libcommon_a-sysutils.Tpo -c -o libcommon_a-sysutils.o `test -f 'sysutils.c' || echo './'`sysutils.c
> sysutils.c: In function ‘gnupg_inotify_watch_socket’:
> sysutils.c:1163: error: ‘IN_EXCL_UNLINK’ undeclared (first use in this function)
> sysutils.c:1163: error: (Each undeclared identifier is reported only once
> sysutils.c:1163: error: for each function it appears in.)
> make[3]: *** [libcommon_a-sysutils.o] Error 1
> make[3]: Leaving directory `/root/gnupg-2.1.20/common'
> make[2]: *** [all] Error 2

Please see my response on-list to Antonino Augusta earlier today -- it sounds like y'all are seeing the same issue.

--dkg

From Dustin.Rogers at capitalone.com Wed May 10 13:41:04 2017
From: Dustin.Rogers at capitalone.com (Rogers, Dustin)
Date: Wed, 10 May 2017 11:41:04 +0000
Subject: undeclared function identified during make - gnupg-2.1.20
In-Reply-To:
References:
Message-ID:

Hi again:

I just removed the call to IN_EXCL_UNLINK function since it doesn't exist anyway. Then it compiled fine.

Thank you,
-Dustin

____________________________________________
Dustin Rogers, MSIA
Data Security Encryption Services
(pulse) 224.404.8919 (office) 218.331.0186 (mobile)
From justus at gnupg.org Wed May 10 14:56:20 2017
From: justus at gnupg.org (Justus Winter)
Date: Wed, 10 May 2017 14:56:20 +0200
Subject: Keyring corruption with GnuPG 2.1.20
Message-ID: <877f1ona4r.fsf@europa.jade-hamburg.de>

Hello,

unfortunately, GnuPG 2.1.20 has a bug that can lead to keyring corruptions when updating or deleting keys.

GnuPG supports two ways to store public keys. The classic one is the 'keyring' format. The new one is called a 'keybox'. Only the 'keyring' format is affected. Long-term users will likely use the keyring format.

To find out whether you are using keyring or keybox, look into your .gnupg directory. If a file named 'pubring.gpg' is present, you are using the keyring format.

If you are using GnuPG 2.1.20 with the keyring format, a workaround is to convert your keyring to a keybox. For this, follow:

https://www.gnupg.org/faq/whats-new-in-2.1.html#keybox

(Hat-tip to bmhatfield for the idea.)

For more information see:

https://dev.gnupg.org/T3123

Packagers, please cherry-pick the following fix:

https://dev.gnupg.org/rG22739433e98be80e46fe7d01d52a9627c1aebaae

Sorry for that :(

Justus

From rjmorris.list at zoho.com Thu May 11 04:17:28 2017
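An added example, not part of Justus Winter's advisory above or of GnuPG itself: a shell check that applies the advisory's test (pubring.gpg present means keyring format) to one or more GnuPG home directories and flags those exposed under 2.1.20. The function names and the AFFECTED/ok labels are choices made for this example, and any build that reports version 2.1.20 is assumed to be unpatched.

```shell
#!/bin/sh
# Added example: find GnuPG home directories that still use the legacy
# 'keyring' public-key store, which GnuPG 2.1.20 can corrupt on update/delete.

# keyring_format DIR
# Prints "keyring" if DIR/pubring.gpg exists (the advisory's test; this also
# covers homes where a pubring.kbx sits next to it), otherwise "keybox" if
# DIR/pubring.kbx exists, otherwise "none".
keyring_format() {
    if [ -f "$1/pubring.gpg" ]; then
        echo keyring
    elif [ -f "$1/pubring.kbx" ]; then
        echo keybox
    else
        echo none
    fi
}

# gnupg_version
# Reads `gpg --version` output on stdin and prints the version number from
# its first line, e.g. "gpg (GnuPG) 2.1.20" -> "2.1.20".
gnupg_version() {
    sed -n '1s/^gpg (GnuPG[^)]*) \([0-9][0-9.]*\).*/\1/p'
}

# audit_homes VERSION DIR...
# Prints one "STATUS<TAB>FORMAT<TAB>DIR" line per directory. STATUS is
# AFFECTED only for version 2.1.20 combined with the keyring format.
# Returns non-zero if at least one directory is affected.
audit_homes() {
    version=$1; shift
    affected=0
    for home in "$@"; do
        format=$(keyring_format "$home")
        if [ "$version" = "2.1.20" ] && [ "$format" = "keyring" ]; then
            status=AFFECTED
            affected=$((affected + 1))
        else
            status=ok
        fi
        printf '%s\t%s\t%s\n' "$status" "$format" "$home"
    done
    [ "$affected" -eq 0 ]
}

# Run as a script with one or more GnuPG home directories as arguments,
# e.g.  sh audit.sh "${GNUPGHOME:-$HOME/.gnupg}"
if [ "$#" -gt 0 ]; then
    audit_homes "$(gpg --version | gnupg_version)" "$@"
fi
```

The version string does not show distribution patch levels, so an AFFECTED line on a packaged 2.1.20 is a prompt to check whether the package already carries the fix linked in the advisory.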
From: rjmorris.list at zoho.com (Joey Morris)
Date: Wed, 10 May 2017 22:17:28 -0400
Subject: debugging systemd user services for gpg-agent and dirmngr [was: Re: gpg hangs when asking for passphrase]
In-Reply-To: <87a86kk2gc.fsf@fifthhorseman.net>
References: <20170509023434.i555tlb7or37wrz2@conquistador.dnsalias.org> <8760ham1cv.fsf@fifthhorseman.net> <20170510014347.5papjllsxyo5xdsy@conquistador.dnsalias.org> <87a86kk2gc.fsf@fifthhorseman.net>
Message-ID: <20170511021728.3t3anc6hgcqup7np@conquistador.dnsalias.org>

Daniel Kahn Gillmor wrote on Wed, May 10, 2017 at 02:10:27PM -0400:
> One difference i note is that you're using ~/.xsession, and i'm just
> relying on the alternatives system to launch openbox:
>
> 0 dkg at alice:~$ readlink -f $(which x-session-manager)
> /usr/bin/openbox-session
> 0 dkg at alice:~$
>
> ( For the programs that i want launched per-graphical-session that can't
> be handled as systemd user services, i include them in
> ~/.config/openbox/autostart )

I've been using my .xsession setup for a number of years, and actually when this issue came up it was the first I'd heard of systemd user services. (I was aware of the system-level systemd, just not the user-specific part.) I'll spend some time getting up to speed on it.

> Do you think you could try that approach (with the systemd user services
> unmasked) and see whether the agents respond properly? if so, it'd give
> us something specific to debug (we would look into your .xsession to try
> to figure out how it differs from the standard startup).

Sure, I'll give it a try. It will probably be a few days before I can spend more time on this, though.

> also, when the systemd user services are unmasked, what is shown by:
>
> journalctl --user-unit gpg-agent dirmngr

I get:

    No journal files were found.
    Failed to add match 'dirmngr': Invalid argument

Running just `journalctl --user-unit gpg-agent`, I get:

    No journal files were found.
    Failed to get journal fields: Cannot assign requested address

I have systemd version 222-1 installed, which appears to be wildly out of date. The first thing I'll try when I get back to this is to upgrade systemd.

Thanks!

Joey

From dkg at fifthhorseman.net Thu May 11 04:58:21 2017
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 10 May 2017 22:58:21 -0400
Subject: debugging systemd user services for gpg-agent and dirmngr [was: Re: gpg hangs when asking for passphrase]
In-Reply-To: <20170511021728.3t3anc6hgcqup7np@conquistador.dnsalias.org>
References: <20170509023434.i555tlb7or37wrz2@conquistador.dnsalias.org> <8760ham1cv.fsf@fifthhorseman.net> <20170510014347.5papjllsxyo5xdsy@conquistador.dnsalias.org> <87a86kk2gc.fsf@fifthhorseman.net> <20170511021728.3t3anc6hgcqup7np@conquistador.dnsalias.org>
Message-ID: <87tw4shzg2.fsf@fifthhorseman.net>

On Wed 2017-05-10 22:17:28 -0400, Joey Morris wrote:
> I've been using my .xsession setup for a number of years, and actually when this
> issue came up it was the first I'd heard of systemd user services. (I was aware
> of the system-level systemd, just not the user-specific part.) I'll spend some
> time getting up to speed on it.

i wasn't trying to suggest that you should transition ~/.xsession entirely to systemd user services. I was aiming to suggest that you could move most of whatever's in your ~/.xsession to ~/.config/openbox/autostart and see whether that changes anything. Feel free to ignore creation of any new systemd user services in the meantime :)

> Running just `journalctl --user-unit gpg-agent`, I get:

as you guessed, this was the command i meant to have you run. thanks!

> No journal files were found.
> Failed to get journal fields: Cannot assign requested address

my guess is that you have no /var/log/journal directory, so everything stored by the journal will be in the ephemeral /run/log/journal.

/run/log/journal (even the per-user stuff) isn't readable by non-root users (this is an outstanding request for enhancement for systemd: https://github.com/systemd/systemd/issues/2744)

That said, you can still examine the stuff in /run/log/journal as root with:

    journalctl _SYSTEMD_USER_UNIT=gpg-agent.service _UID=1000

(assuming that your non-privileged user ID is 1000).

> I have systemd version 222-1 installed, which appears to be wildly out of date.
> The first thing I'll try when I get back to this is to upgrade systemd.

yes, please!

thanks for checking up on this,

--dkg

From dkg at fifthhorseman.net Thu May 11 22:28:43 2017
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Thu, 11 May 2017 16:28:43 -0400
Subject: Keyring corruption with GnuPG 2.1.20
In-Reply-To: <877f1ona4r.fsf@europa.jade-hamburg.de>
References: <877f1ona4r.fsf@europa.jade-hamburg.de>
Message-ID: <878tm3i1dw.fsf@fifthhorseman.net>

On Wed 2017-05-10 14:56:20 +0200, Justus Winter wrote:
> unfortunately, GnuPG 2.1.20 has a bug that can lead to keyring
> corruptions when updating or deleting keys.

[...]

> If you are using GnuPG 2.1.20 with the keyring format, a workaround is
> to convert your keyring to a keybox. For this, follow:
>
> https://www.gnupg.org/faq/whats-new-in-2.1.html#keybox
>
> (Hat-tip to bmhatfield for the idea.)

on debian and derived systems, you can also use the helper tool:

    migrate-pubring-from-classic-gpg

which should be slightly more robust and also simpler to use than the multistep sequence outlined in the FAQ.

> For more information see:
>
> https://dev.gnupg.org/T3123
>
> Packagers, please cherry-pick the following fix:
>
> https://dev.gnupg.org/rG22739433e98be80e46fe7d01d52a9627c1aebaae

Debian-specific note: 2.1.20 is only in debian's experimental repository; the above patch should be present in 2.1.20-4, which was uploaded to the experimental repo yesterday. If you're running any previous version of 2.1.20 from experimental, please upgrade!

thanks for the heads-up, Justus!

--dkg

From roger.qiu at matrix.ai Thu May 11 11:26:20 2017
From: roger.qiu at matrix.ai (Roger Qiu)
Date: Thu, 11 May 2017 19:26:20 +1000
Subject: Compilation of libgcrypt 1.7.5 on cygwin 64 bit fails
Message-ID:

Hi Gcrypt devs,

I just tried compiling from source libgcrypt 1.7.5 (and I also tried earlier versions).

It always comes to this:

```
libtool: link: ranlib .libs/libgcrypt.a
libtool: link: rm -fr .libs/libgcrypt.lax
libtool: link: ( cd ".libs" && rm -f "libgcrypt.la" && ln -s "../libgcrypt.la" "libgcrypt.la" )
gcc -DHAVE_CONFIG_H -I. -I.. -I/usr/local/include -g -O2 -Wall -MT mpicalc-mpicalc.o -MD -MP -MF .deps/mpicalc-mpicalc.Tpo -c -o mpicalc-mpicalc.o `test -f 'mpicalc.c' || echo './'`mpicalc.c
mv -f .deps/mpicalc-mpicalc.Tpo .deps/mpicalc-mpicalc.Po
/bin/sh ../libtool --tag=CC --mode=link gcc -I/usr/local/include -g -O2 -Wall -o mpicalc.exe mpicalc-mpicalc.o libgcrypt.la -L/usr/local/lib -lgpg-error
libtool: link: gcc -I/usr/local/include -g -O2 -Wall -o .libs/mpicalc.exe mpicalc-mpicalc.o ./.libs/libgcrypt.a -L/usr/local/lib /usr/local/lib/libgpg-error.a -lintl
./.libs/libgcrypt.a(rijndael.o): In function `do_encrypt':
/cygdrive/c/Users/CMCDragonkai/.src/libgcrypt-1.7.5/cipher/rijndael.c:747:(.text+0x9f): relocation truncated to fit: R_X86_64_32S against `.rdata'
./.libs/libgcrypt.a(rijndael.o): In function `do_decrypt':
/cygdrive/c/Users/CMCDragonkai/.src/libgcrypt-1.7.5/cipher/rijndael.c:1130:(.text+0x110): relocation truncated to fit: R_X86_64_32S against `.rdata'
./.libs/libgcrypt.a(cast5-amd64.o):/cygdrive/c/Users/CMCDragonkai/.src/libgcrypt-1.7.5/cipher/cast5-amd64.S:201:(.text+0x9): relocation truncated to fit: R_X86_64_32S against symbol `_gcry_cast5_s1to4' defined in .rdata section in ./.libs/libgcrypt.a(cast5.o)
./.libs/libgcrypt.a(cast5-amd64.o):/cygdrive/c/Users/CMCDragonkai/.src/libgcrypt-1.7.5/cipher/cast5-amd64.S:241:(.text+0x429): relocation truncated to fit: R_X86_64_32S against symbol `_gcry_cast5_s1to4' defined in .rdata section in ./.libs/libgcrypt.a(cast5.o)
./.libs/libgcrypt.a(cast5-amd64.o):/cygdrive/c/Users/CMCDragonkai/.src/libgcrypt-1.7.5/cipher/cast5-amd64.S:376:(.text+0x844): relocation truncated to fit: R_X86_64_32S against symbol `_gcry_cast5_s1to4' defined in .rdata section in ./.libs/libgcrypt.a(cast5.o)
./.libs/libgcrypt.a(cast5-amd64.o):/cygdrive/c/Users/CMCDragonkai/.src/libgcrypt-1.7.5/cipher/cast5-amd64.S:404:(.text+0x177c): relocation truncated to fit: R_X86_64_32S against symbol `_gcry_cast5_s1to4' defined in .rdata section in ./.libs/libgcrypt.a(cast5.o)
collect2: error: ld returned 1 exit status
make[2]: *** [Makefile:712: mpicalc.exe] Error 1
make[2]: Leaving directory '/cygdrive/c/Users/CMCDragonkai/.src/libgcrypt-1.7.5/src'
make[1]: *** [Makefile:477: all-recursive] Error 1
make[1]: Leaving directory '/cygdrive/c/Users/CMCDragonkai/.src/libgcrypt-1.7.5'
make: *** [Makefile:408: all] Error 2
```

Please cc me as I am not subscribed to the mailing list.

All other dependencies of gnupg works on cygwin 64 bit, this is the only one that fails, and thus prevents building gpg2 on Cygwin 64 bit.

Thanks,
Roger

--
Founder of Matrix AI
https://matrix.ai/
+61420925975

From jussi.kivilinna at iki.fi Sat May 13 17:47:47 2017
From: jussi.kivilinna at iki.fi (Jussi Kivilinna)
Date: Sat, 13 May 2017 18:47:47 +0300
Subject: Compilation of libgcrypt 1.7.5 on cygwin 64 bit fails
In-Reply-To:
References:
Message-ID: <01451413-6ed6-c3c7-6247-aa60d59441a8@iki.fi>

Hello,

On 11.05.2017 12:26, Roger Qiu wrote:
> Hi Gcrypt devs,
>
> I just tried compiling from source libgcrypt 1.7.5 (and I also tried earlier versions).
>
> It always comes to this:
>
> ```
>
> libtool: link: ranlib .libs/libgcrypt.a
> libtool: link: rm -fr .libs/libgcrypt.lax
> libtool: link: ( cd ".libs" && rm -f "libgcrypt.la" && ln -s "../libgcrypt.la" "libgcrypt.la" )
> gcc -DHAVE_CONFIG_H -I. -I.. -I/usr/local/include -g -O2 -Wall -MT mpicalc-mpicalc.o -MD -MP -MF .deps/mpicalc-mpicalc.Tpo -c -o mpicalc-mpicalc.o `test -f 'mpicalc.c' || echo './'`mpicalc.c
> mv -f .deps/mpicalc-mpicalc.Tpo .deps/mpicalc-mpicalc.Po
> /bin/sh ../libtool --tag=CC --mode=link gcc -I/usr/local/include -g -O2 -Wall -o mpicalc.exe mpicalc-mpicalc.o libgcrypt.la -L/usr/local/lib -lgpg-error
> libtool: link: gcc -I/usr/local/include -g -O2 -Wall -o .libs/mpicalc.exe mpicalc-mpicalc.o ./.libs/libgcrypt.a -L/usr/local/lib /usr/local/lib/libgpg-error.a -lintl
> ./.libs/libgcrypt.a(rijndael.o): In function `do_encrypt':
> /cygdrive/c/Users/CMCDragonkai/.src/libgcrypt-1.7.5/cipher/rijndael.c:747:(.text+0x9f): relocation truncated to fit: R_X86_64_32S against `.rdata'
> ./.libs/libgcrypt.a(rijndael.o): In function `do_decrypt':
> /cygdrive/c/Users/CMCDragonkai/.src/libgcrypt-1.7.5/cipher/rijndael.c:1130:(.text+0x110): relocation truncated to fit: R_X86_64_32S against `.rdata'
> ./.libs/libgcrypt.a(cast5-amd64.o):/cygdrive/c/Users/CMCDragonkai/.src/libgcrypt-1.7.5/cipher/cast5-amd64.S:201:(.text+0x9): relocation truncated to fit: R_X86_64_32S against symbol `_gcry_cast5_s1to4' defined in .rdata section in ./.libs/libgcrypt.a(cast5.o)
> ./.libs/libgcrypt.a(cast5-amd64.o):/cygdrive/c/Users/CMCDragonkai/.src/libgcrypt-1.7.5/cipher/cast5-amd64.S:241:(.text+0x429): relocation truncated to fit: R_X86_64_32S against symbol `_gcry_cast5_s1to4' defined in .rdata section in ./.libs/libgcrypt.a(cast5.o)
> ./.libs/libgcrypt.a(cast5-amd64.o):/cygdrive/c/Users/CMCDragonkai/.src/libgcrypt-1.7.5/cipher/cast5-amd64.S:376:(.text+0x844): relocation truncated to fit: R_X86_64_32S against symbol `_gcry_cast5_s1to4' defined in .rdata section in ./.libs/libgcrypt.a(cast5.o)
> ./.libs/libgcrypt.a(cast5-amd64.o):/cygdrive/c/Users/CMCDragonkai/.src/libgcrypt-1.7.5/cipher/cast5-amd64.S:404:(.text+0x177c): relocation truncated to fit: R_X86_64_32S against symbol `_gcry_cast5_s1to4' defined in .rdata section in ./.libs/libgcrypt.a(cast5.o)
> collect2: error: ld returned 1 exit status
> make[2]: *** [Makefile:712: mpicalc.exe] Error 1
> make[2]: Leaving directory '/cygdrive/c/Users/CMCDragonkai/.src/libgcrypt-1.7.5/src'
> make[1]: *** [Makefile:477: all-recursive] Error 1
> make[1]: Leaving directory '/cygdrive/c/Users/CMCDragonkai/.src/libgcrypt-1.7.5'
> make: *** [Makefile:408: all] Error 2
>
> ```
>
> Please cc me as I am not subscribed to the mailing list.
>
> All other dependencies of gnupg works on cygwin 64 bit, this is the only one that fails, and thus prevents building gpg2 on Cygwin 64 bit.

Does attached patch solve the problem? Patch is made on top of libgcrypt development branch, but I think it should apply to 1.7.5 too.

-Jussi

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 01-fix-building-on-64-bit-cygwin.patch
Type: text/x-patch
Size: 2008 bytes
Desc: not available
URL:

From rmcdorm at cobizfinancial.com Fri May 12 16:15:51 2017
From: rmcdorm at cobizfinancial.com (Ryk McDorman)
Date: Fri, 12 May 2017 14:15:51 +0000
Subject: Newbie can't get --passphrase option to work
Message-ID:

I was tasked with automating the decryption (and more) of files, so I've written a PowerShell program that does everything I need it to do, except that I can't get the decryption to decrypt without prompting for our passphrase. I'm using a default installation of GnuPG 2.1.19 on Windows 7 (it may go on a Win Server 2012 box for production).

In the program I'm passing the output and input filenames as parameters to a one-line batch file consisting of this command:

echo | "C:\Program Files (x86)\gnuPG\bin\gpg.exe" --batch --output %1 --passphrase-fd 0 --decrypt %2

I've also tried the -passphrase-file and -passphrase options with the same results: when the program runs I'm prompted to enter the passphrase.

I've done a thorough search for a solution for this, but haven't come up with much: a vague reference to a bug in 2.1.x that may have to do with it, and at the end of my day yesterday I came across someone who used the "--pinentry-mode loopback" option. Interestingly, when I add that to my command, it DOES decrypt one file without prompting me, but then inexplicably stops. (My program logic is fine, as without the -pinentry option, it prompts me once for each file and decrypts each file.) I haven't yet had time to investigate that option; it's my next action but I've literally been working on this for days now and needed to send out a plea for help!

I'm a total GPG newbie here, so, as they say on Reddit "Explain like I'm 5."

Thanks!
Ryk

CONFIDENTIALITY NOTICE: This e-mail contains confidential information and is intended only for the individual named. If you are not the named addressee, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately if you have received this e-mail by mistake and delete this e-mail from your system. E-mail cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. Neither the sender nor CoBiz Financial and its subsidiaries accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission.

From kristian.fiskerstrand at sumptuouscapital.com Sat May 13 22:46:46 2017
From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand)
Date: Sat, 13 May 2017 22:46:46 +0200
Subject: Newbie can't get --passphrase option to work
In-Reply-To:
References:
Message-ID: <8d8a8c53-6d73-0fa9-1f22-ae02f48e422b@sumptuouscapital.com>

On 05/12/2017 04:15 PM, Ryk McDorman wrote:
> I was tasked with automating the decryption (and more) of files, so I've written a PowerShell program that does everything I need it to do, except that I can't get the decryption to decrypt without prompting for our passphrase. I'm using a default installation of GnuPG 2.1.19 on Windows 7 (it may go on a Win Server 2012 box for production).

look into --pinentry-mode loopback

--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Amantes sunt amentes
Lovers are lunatics

From kristian.fiskerstrand at sumptuouscapital.com Sat May 13 22:49:35 2017
From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand)
Date: Sat, 13 May 2017 22:49:35 +0200
Subject: Newbie can't get --passphrase option to work
In-Reply-To:
References:
Message-ID: <1aa5bbfc-161a-b5ee-0a10-78d00607b9cc@sumptuouscapital.com>

On 05/12/2017 04:15 PM, Ryk McDorman wrote:
> I've done a thorough search for a solution for this, but haven't come up with much: a vague reference to a bug in 2.1.x that may have to do with it, and at the end of my day yesterday I came across someone who used the "--pinentry-mode loopback" option. Interestingly, when I add that to my command, it DOES decrypt one file without prompting me, but then inexplicably stops. (My program logic is fine, as without the -pinentry option, it prompts me once for each file and decrypts each file.) I haven't yet had time to investigate that option; it's my next action but I've literally been working on this for days now and needed to send out a plea for help!

And here you discuss it :p .. yes, pinentry-mode loopback is necessary for 2.1 use of --passphrase-fd and the likes, in earlier versions of 2.1 this requires allow-pinentry-loopback for the gpg-agent but in recent versions that is defaulted to on.

Can you provide the information when this argument is used and the scenario that fails including explicit error messages?

--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Amantes sunt amentes
Lovers are lunatics

From dank at kegel.com Sat May 13 23:00:40 2017
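The loopback setup discussed in the replies above, as an added example that is not part of the thread: unattended decryption of several files with GnuPG 2.1 or later, written in POSIX shell rather than the Windows batch file from the question. The names decrypt_all and enable_loopback and the ".gpg" suffix convention are assumptions of this example; the gpg-agent.conf option it writes is spelled allow-loopback-pinentry.

```shell
#!/bin/sh
# Added example: batch decryption without a pinentry prompt (GnuPG 2.1+).

# enable_loopback GNUPGHOME
# Older 2.1 agents refuse loopback requests unless gpg-agent.conf allows
# them. Adds the option once; restart the agent afterwards with
# `gpgconf --kill gpg-agent` so that it re-reads its configuration.
enable_loopback() {
    conf=$1/gpg-agent.conf
    grep -qx 'allow-loopback-pinentry' "$conf" 2>/dev/null ||
        echo 'allow-loopback-pinentry' >> "$conf"
}

# decrypt_all PASSFILE FILE.gpg...
# Decrypts every FILE.gpg to FILE. Prints the number of files decrypted and
# returns non-zero if any of them failed; gpg's own error text stays on
# stderr so a failing run can be reported with the exact message.
decrypt_all() {
    passfile=$1; shift
    decrypted=0; failed=0
    for enc in "$@"; do
        out=${enc%.gpg}
        # --pinentry-mode loopback: gpg answers the agent's passphrase
        #   request itself instead of launching a pinentry program.
        # --passphrase-fd 3: the passphrase is read from descriptor 3, which
        #   is re-opened for every file, so it never appears in the process
        #   list and each run sees the whole passphrase.
        # </dev/null: gpg cannot consume the caller's stdin.
        if gpg --batch --yes --pinentry-mode loopback --passphrase-fd 3 \
               --output "$out" --decrypt "$enc" 3<"$passfile" </dev/null; then
            decrypted=$((decrypted + 1))
        else
            echo "decrypt failed: $enc" >&2
            failed=$((failed + 1))
        fi
    done
    echo "$decrypted"
    [ "$failed" -eq 0 ]
}

# Run as a script:  sh decrypt.sh /path/to/passphrase-file one.gpg two.gpg
if [ "$#" -ge 2 ]; then
    decrypt_all "$@"
fi
```

Keep the passphrase file readable only by the account that runs the job, since anyone who can read it can decrypt the same files.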
From: dank at kegel.com (Dan Kegel) Date: Sat, 13 May 2017 14:00:40 -0700 Subject: Newbie can't get --passphrase option to work In-Reply-To: <1aa5bbfc-161a-b5ee-0a10-78d00607b9cc@sumptuouscapital.com> References: <1aa5bbfc-161a-b5ee-0a10-78d00607b9cc@sumptuouscapital.com> Message-ID: Did you see my walkthrough of all the problems I ran into while getting gpg to not prompt? https://lists.gnupg.org/pipermail/gnupg-users/2017-April/058158.html https://lists.gnupg.org/pipermail/gnupg-users/2017-April/058162.html That's for Linux, but it might still have a trick you're missing. From wk at gnupg.org Sun May 14 22:41:44 2017 From: wk at gnupg.org (Werner Koch) Date: Sun, 14 May 2017 22:41:44 +0200 Subject: Compilation of libgcrypt 1.7.5 on cygwin 64 bit fails In-Reply-To: (Roger Qiu's message of "Thu, 11 May 2017 19:26:20 +1000") References: Message-ID: <87a86fcgs7.fsf@wheatstone.g10code.de> On Thu, 11 May 2017 11:26, roger.qiu at matrix.ai said: > All other dependencies of gnupg works on cygwin 64 bit, this is the > only one that fails, and thus prevents building gpg2 on Cygwin 64 bit. You will not be able to build a working GnuPG for 64 bit Windows - if that is what Cygwin 64 bit is about. The reason for this is that we coerce a HANDLE (64 bit) into an int (32 bit on 64 bit Windows) at several places. Salam-Shalom, Werner -- Thoughts are free. Exceptions are regulated by a federal law. From roger.qiu at matrix.ai Sun May 14 13:12:38 2017 
From: roger.qiu at matrix.ai (Roger Qiu) Date: Sun, 14 May 2017 21:12:38 +1000 Subject: Compilation of libgcrypt 1.7.5 on cygwin 64 bit fails In-Reply-To: <01451413-6ed6-c3c7-6247-aa60d59441a8@iki.fi> References: <01451413-6ed6-c3c7-6247-aa60d59441a8@iki.fi> Message-ID: <4642d5ae-e83c-f65a-1db8-2c8489e62f0c@matrix.ai> Just tried it, and it successfully allows compilation of libgcrypt. Now just tried building gpg2. But it now gives this error: ``` Making all in g10 make[2]: Entering directory '/cygdrive/c/Users/CMCDragonkai/.src/gnupg-2.1.20/g10' gcc -I/usr/local/include -I/usr/local/include -I/usr/local/include -Wall -Wno-pointer-sign -Wpointer-arith -g -O2 -o gpg.exe gpg.o keyedit.o server.o build-packet.o compress.o free-packet.o getkey.o keydb.o keyring.o seskey.o kbnode.o mainproc.o armor.o mdfilter.o textfilter.o progress.o misc.o rmd160.o openfile.o keyid.o parse-packet.o cpr.o plaintext.o sig-check.o keylist.o pkglue.o ecdh.o pkclist.o skclist.o pubkey-enc.o passphrase.o decrypt.o decrypt-data.o cipher.o encrypt.o sign.o verify.o revoke.o dearmor.o import.o export.o migrate.o delkey.o keygen.o helptext.o keyserver.o call-dirmngr.o photoid.o call-agent.o trust.o trustdb.o tdbdump.o tdbio.o tofu.o gpgsql.o sqrtu32.o card-util.o exec.o ../kbx/libkeybox.a ../common/libcommon.a ../common/libgpgrl.a -lz -lintl -lsqlite3 -L/usr/local/lib -lgcrypt -lgpg-error -lreadline -L/usr/local/lib -lassuan -lgpg-error -L/usr/local/lib -lgpg-error -liconv /usr/local/lib/libgpg-error.a(libgpg_error_la-strsource.o): In function `_gpg_strsource': /cygdrive/c/Users/CMCDragonkai/.src/libgpg-error-1.27/src/strsource.c:36: undefined reference to `libintl_dgettext' /cygdrive/c/Users/CMCDragonkai/.src/libgpg-error-1.27/src/strsource.c:36:(.text+0x40): relocation truncated to fit: R_X86_64_PC32 against undefined symbol `libintl_dgettext' /usr/local/lib/libgpg-error.a(libgpg_error_la-strerror.o): In function `_gpg_strerror_r': 
/cygdrive/c/Users/CMCDragonkai/.src/libgpg-error-1.27/src/strerror.c:161: undefined reference to `libintl_dgettext' /cygdrive/c/Users/CMCDragonkai/.src/libgpg-error-1.27/src/strerror.c:161:(.text+0x3f8): relocation truncated to fit: R_X86_64_PC32 against undefined symbol `libintl_dgettext' /usr/local/lib/libgpg-error.a(libgpg_error_la-strerror.o): In function `_gpg_strerror': /cygdrive/c/Users/CMCDragonkai/.src/libgpg-error-1.27/src/strerror.c:50: undefined reference to `libintl_dgettext' /cygdrive/c/Users/CMCDragonkai/.src/libgpg-error-1.27/src/strerror.c:50:(.text+0x129): relocation truncated to fit: R_X86_64_PC32 against undefined symbol `libintl_dgettext' collect2: error: ld returned 1 exit status make[2]: *** [Makefile:770: gpg.exe] Error 1 make[2]: Leaving directory '/cygdrive/c/Users/CMCDragonkai/.src/gnupg-2.1.20/g10' make[1]: *** [Makefile:580: all-recursive] Error 1 make[1]: Leaving directory '/cygdrive/c/Users/CMCDragonkai/.src/gnupg-2.1.20' make: *** [Makefile:499: all] Error 2 ``` Perhaps Cygwin's libintl is too old? 
This is the current version of libintl libraries in Cygwin: * gettext-devel-0.19.8.1-1 - gettext-devel: GNU Internationalization development utilities (installed binaries and support files) * gettext-devel-0.19.8.1-2 - gettext-devel: GNU Internationalization development utilities (installed binaries and support files) * libintl-devel-0.19.8.1-1 - libintl-devel: GNU Internationalization runtime library (installed binaries and support files) * libintl-devel-0.19.8.1-2 - libintl-devel: GNU Internationalization runtime library (installed binaries and support files) * libintl8-0.19.8.1-1 - libintl8: GNU Internationalization runtime library (installed binaries and support files) * libintl8-0.19.8.1-2 - libintl8: GNU Internationalization runtime library (installed binaries and support files) Thanks, Roger On 14/05/2017 1:47 AM, Jussi Kivilinna wrote: > Hello, > > On 11.05.2017 12:26, Roger Qiu wrote: >> Hi Gcrypt devs, >> >> I just tried compiling from source libgcrypt 1.7.5 (and I also tried earlier versions). >> >> It always comes to this: >> >> ``` >> >> libtool: link: ranlib .libs/libgcrypt.alibtool: link: rm -fr .libs/libgcrypt.laxlibtool: link: ( cd ".libs" && rm -f "libgcrypt.la" && ln -s "../libgcrypt.la" "libgcrypt.la" )gcc -DHAVE_CONFIG_H -I. -I.. 
-I/usr/local/include -g -O2 -Wall -MT mpicalc-mpicalc.o -MD -MP -MF .deps/mpicalc-mpicalc.Tpo -c -o mpicalc-mpicalc.o `test -f 'mpicalc.c' || echo './'`mpicalc.cmv -f .deps/mpicalc-mpicalc.Tpo .deps/mpicalc-mpicalc.Po/bin/sh ../libtool --tag=CC --mode=link gcc -I/usr/local/include -g -O2 -Wall -o mpicalc.exe mpicalc-mpicalc.o libgcrypt.la -L/usr/local/lib -lgpg-errorlibtool: link: gcc -I/usr/local/include -g -O2 -Wall -o .libs/mpicalc.exe mpicalc-mpicalc.o ./.libs/libgcrypt.a -L/usr/local/lib /usr/local/lib/libgpg-error.a -lintl./.libs/libgcrypt.a(rijndael.o): In function `do_encrypt':/cygdrive/c/Users/CMCDragonkai/.src/libgcrypt-1.7.5/cipher/rijndael.c:747:(.text+0x9f): relocation truncated to fit: R_X86_64_32S against `.rdata'./.libs/libgcrypt.a(rijndael.o): In >> function `do_decrypt':/cygdrive/c/Users/CMCDragonkai/.src/libgcrypt-1.7.5/cipher/rijndael.c:1130:(.text+0x110): relocation truncated to fit: R_X86_64_32S against `.rdata'./.libs/libgcrypt.a(cast5-amd64.o):/cygdrive/c/Users/CMCDragonkai/.src/libgcrypt-1.7.5/cipher/cast5-amd64.S:201:(.text+0x9): relocation truncated to fit: R_X86_64_32S against symbol `_gcry_cast5_s1to4' defined in .rdata section in ./.libs/libgcrypt.a(cast5.o)./.libs/libgcrypt.a(cast5-amd64.o):/cygdrive/c/Users/CMCDragonkai/.src/libgcrypt-1.7.5/cipher/cast5-amd64.S:241:(.text+0x429): relocation truncated to fit: R_X86_64_32S against symbol `_gcry_cast5_s1to4' defined in .rdata section in ./.libs/libgcrypt.a(cast5.o)./.libs/libgcrypt.a(cast5-amd64.o):/cygdrive/c/Users/CMCDragonkai/.src/libgcrypt-1.7.5/cipher/cast5-amd64.S:376:(.text+0x844): relocation truncated to fit: R_X86_64_32S against symbol `_gcry_cast5_s1to4' defined in .rdata section in >> ./.libs/libgcrypt.a(cast5.o)./.libs/libgcrypt.a(cast5-amd64.o):/cygdrive/c/Users/CMCDragonkai/.src/libgcrypt-1.7.5/cipher/cast5-amd64.S:404:(.text+0x177c): relocation truncated to fit: R_X86_64_32S against symbol `_gcry_cast5_s1to4' defined in .rdata section in 
./.libs/libgcrypt.a(cast5.o)collect2: error: ld returned 1 exit statusmake[2]: *** [Makefile:712: mpicalc.exe] Error 1make[2]: Leaving directory '/cygdrive/c/Users/CMCDragonkai/.src/libgcrypt-1.7.5/src'make[1]: *** [Makefile:477: all-recursive] Error 1make[1]: Leaving directory '/cygdrive/c/Users/CMCDragonkai/.src/libgcrypt-1.7.5'make: *** [Makefile:408: all] Error 2 >> >> ``` >> >> Please cc me as I am not subscribed to the mailing list. >> >> All other dependencies of gnupg works on cygwin 64 bit, this is the only one that fails, and thus prevents building gpg2 on Cygwin 64 bit. > Does attached patch solve the problem? Patch is made on top of libgcrypt development branch, but I think it should apply to 1.7.5 too. > > -Jussi > -- Founder of Matrix AI https://matrix.ai/ +61420925975 From wk at gnupg.org Mon May 15 19:44:38 2017 
From: wk at gnupg.org (Werner Koch) Date: Mon, 15 May 2017 19:44:38 +0200 Subject: [Announce] GnuPG 2.1.21 released Message-ID: <87bmquvwu1.fsf@wheatstone.g10code.de> Hello! The GnuPG team is pleased to announce the availability of a new release of GnuPG: version 2.1.21. See below for a list of new features and bug fixes. Note: This release fixes a keyring corruption bug introduced with last release. Users of 2.1.20, who are using the old "pubring.gpg" file to store their public keys, are asked to update to this new release. About GnuPG ============= The GNU Privacy Guard (GnuPG) is a complete and free implementation of the OpenPGP standard which is commonly abbreviated as PGP. GnuPG allows to encrypt and sign data and communication, features a versatile key management system as well as access modules for public key directories. GnuPG itself is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries making use of GnuPG are available. As an Universal Crypto Engine GnuPG provides support for S/MIME and Secure Shell in addition to OpenPGP. GnuPG is Free Software (meaning that it respects your freedom). It can be freely used, modified and distributed under the terms of the GNU General Public License. Noteworthy changes in version 2.1.21 ==================================== * gpg,gpgsm: Fix corruption of old style keyring.gpg files. This bug was introduced with version 2.1.20. Note that the default pubring.kbx format was not affected. * gpg,dirmngr: Removed the skeleton config file support. The system's standard methods for providing default configuration files should be used instead. * w32: The Windows installer now allows installation of GnuPG without Administrator permissions. * gpg: Fixed import filter property match bug. * scd: Removed Linux support for Cardman 4040 PCMCIA reader. * scd: Fixed some corner case bugs in resume/suspend handling. * Many minor bug fixes and code cleanup. 
A detailed description of the changes found in this 2.1 branch can be found at . Getting the Software ==================== Please follow the instructions found at or read on: GnuPG 2.1.21 may be downloaded from one of the GnuPG mirror sites or direct from its primary FTP server. The list of mirrors can be found at . Note that GnuPG is not available at ftp.gnu.org. The GnuPG source code compressed using BZIP2 and its OpenPGP signature are available here: https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.1.21.tar.bz2 (6321k) https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.1.21.tar.bz2.sig or via FTP: ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.21.tar.bz2 ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.21.tar.bz2.sig An installer for Windows without any graphical frontend except for a very minimal Pinentry tool is available here: https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.1.21_20170515.exe (3762k) https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.1.21_20170515.exe.sig or via FTP: ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.21_20170515.exe ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.21_20170515.exe.sig The source used to build the Windows installer can be found in the same directory with a ".tar.xz" suffix. The Windows installer comes with TOFU support, many translations, support for Tor, and support for HKPS and the Web Key Directory. Checking the Integrity ====================== In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways: * If you already have a version of GnuPG installed, you can simply verify the supplied signature. For example to verify the signature of the file gnupg-2.1.21.tar.bz2 you would use this command: gpg --verify gnupg-2.1.21.tar.bz2.sig gnupg-2.1.21.tar.bz2 This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by one or more of the release signing keys. 
Make sure that this is a valid key, either by matching the shown fingerprint against a trustworthy list of valid release signing keys or by checking that the key has been signed by trustworthy other keys. See the end of this mail for information on the signing keys. * If you are not able to use an existing version of GnuPG, you have to verify the SHA-1 checksum. On Unix systems the command to do this is either "sha1sum" or "shasum". Assuming you downloaded the file gnupg-2.1.21.tar.bz2, you run the command like this: sha1sum gnupg-2.1.21.tar.bz2 and check that the output matches the next line: 1852c066bc21893bc52026ead78edf50fdf15e13 gnupg-2.1.21.tar.bz2 f8a75914e8d82375a89e39fbf45d9f72ed8ab92c gnupg-w32-2.1.21_20170515.exe 91591e0f197b18b04671c2ca1377f0d195d1fa21 gnupg-w32-2.1.21_20170515.tar.xz Internationalization ==================== This version of GnuPG has support for 26 languages with Chinese, Czech, French, German, Japanese, Norwegian, Russian, and Ukrainian being almost completely translated. Due to expected changes in forthcoming releases some strings pertaining to the TOFU code are not yet translated. Documentation ============= If you used GnuPG in the past you should read the description of changes and new features at doc/whats-new-in-2.1.txt or online at https://gnupg.org/faq/whats-new-in-2.1.html The file gnupg.info has the complete user manual of the system. Separate man pages are included as well but they have not all the details available as are the manual. It is also possible to read the complete manual online in HTML format at https://gnupg.org/documentation/manuals/gnupg/ or in Portable Document Format at https://gnupg.org/documentation/manuals/gnupg.pdf . The chapters on gpg-agent, gpg and gpgsm include information on how to set up the whole thing. You may also want to search the GnuPG mailing list archives or ask on the gnupg-users mailing lists for advice on how to solve problems. 
Many of the new features are around for several years and thus enough public knowledge is already available. You may also want to follow our postings at and . Support ======== Please consult the archive of the gnupg-users mailing list before reporting a bug . We suggest to send bug reports for a new release to this list in favor of filing a bug at . If you need commercial support check out . If you are a developer and you need a certain feature for your project, please do not hesitate to bring it to the gnupg-devel mailing list for discussion. Maintenance and development of GnuPG is mostly financed by donations. The GnuPG project employs 4 full-time developers, one part-timer, and one contractor. They all work exclusively on GnuPG and closely related software like Libgcrypt, GPGME, and GPA. Please consider to donate via: https://gnupg.org/donate/ Thanks ====== We have to thank all the people who helped with this release, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word, answering questions on the mailing lists, and donating money. The GnuPG hackers, Andre, dkg, gniibe, Justus, Kai, Marcus, Neal, and Werner p.s. This is an announcement only mailing list. Please send replies only to the gnupg-users'at'gnupg.org mailing list. p.p.s List of Release Signing Keys: To guarantee that a downloaded GnuPG version has not been tampered by malicious entities we provide signature files for all tarballs and binary versions. The keys are also signed by the long term keys of their respective owners. 
Current releases are signed by one or more of these five keys: 2048R/4F25E3B6 2011-01-12 [expires: 2019-12-31] Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6 Werner Koch (dist sig) rsa2048/E0856959 2014-10-29 [expires: 2019-12-31] Key fingerprint = 46CC 7308 65BB 5C78 EBAB ADCF 0437 6F3E E085 6959 David Shaw (GnuPG Release Signing Key) rsa2048/33BD3F06 2014-10-29 [expires: 2016-10-28] Key fingerprint = 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06 NIIBE Yutaka (GnuPG Release Key) rsa2048/7EFD60D9 2014-10-19 [expires: 2020-12-31] Key fingerprint = D238 EA65 D64C 67ED 4C30 73F2 8A86 1B1C 7EFD 60D9 Werner Koch (Release Signing Key) rsa3072/4B092E28 2017-03-17 [expires: 2027-03-15] Key fingerprint = 5B80 C575 4298 F0CB 55D8 ED6A BCEF 7E29 4B09 2E28 Andre Heinecke (Release Signing Key) You may retrieve these keys from a keyserver using this command gpg --keyserver hkp://keys.gnupg.net --recv-keys \ 249B39D24F25E3B6 04376F3EE0856959 \ 2071B08A33BD3F06 8A861B1C7EFD60D9 BCEF7E294B092E28 The keys are also available at https://gnupg.org/signature_key.html and in any recently released GnuPG tarball in the file g10/distsigkey.gpg . Note that this mail has been signed by a different key. -- Thoughts are free. Exceptions are regulated by a federal law. From guru at unixarea.de Mon May 15 19:25:12 2017 
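The check described under "Checking the Integrity" in the 2.1.21 announcement, as an added example that is not part of the announcement or of GnuPG itself: it reads the machine-readable output of `gpg --status-fd 1 --verify` and accepts a release only when a good signature comes from one of the five fingerprints listed in the announcement. The function names and the SAMPLE_* status texts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not GnuPG project code). Function names are hypothetical.

# Release signing key fingerprints copied from the announcement, spaces removed.
PINNED_FPRS="
D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
46CC730865BB5C78EBABADCF04376F3EE0856959
031EC2536E580D8EA286A9F22071B08A33BD3F06
D238EA65D64C67ED4C3073F28A861B1C7EFD60D9
5B80C5754298F0CB55D8ED6ABCEF7E294B092E28
"

# Return 0 if $1 is exactly one of the pinned fingerprints.
is_pinned() {
    for f in $PINNED_FPRS; do
        [ "$f" = "$1" ] && return 0
    done
    return 1
}

# $1: text written by `gpg --status-fd 1 --verify SIG FILE`.
# Prints the accepted fingerprint and returns 0 when at least one signature is
# reported as GOODSIG and its VALIDSIG fingerprint (or primary key fingerprint)
# is pinned. Any BADSIG rejects the file outright.
check_release_status() {
    good=0
    accepted=""
    while read -r tag kw fpr r2 r3 r4 r5 r6 r7 r8 r9 primary rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$kw" in
            NEWSIG)  good=0 ;;                 # a new signature starts
            GOODSIG) good=1 ;;
            BADSIG)  echo "rejected: BADSIG, file does not match signature" >&2
                     return 1 ;;
            # Expired or revoked key, expired signature, or uncheckable
            # signature: this signature does not count. VALIDSIG can follow
            # these too, so VALIDSIG alone is not treated as sufficient.
            EXPSIG|EXPKEYSIG|REVKEYSIG|ERRSIG) good=0 ;;
            VALIDSIG)
                if [ "$good" -eq 1 ]; then
                    if is_pinned "$fpr"; then
                        accepted=$fpr
                    elif is_pinned "$primary"; then
                        accepted=$primary
                    fi
                fi
                good=0 ;;
        esac
    done <<EOF
$1
EOF
    [ -n "$accepted" ] || { echo "rejected: no good signature from a pinned key" >&2; return 1; }
    printf '%s\n' "$accepted"
}

# usage: verify_release gnupg-2.1.21.tar.bz2.sig gnupg-2.1.21.tar.bz2
verify_release() {
    status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || true
    check_release_status "$status"
}

# Constructed status output (timestamps and the unpinned signer are made up).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 8A861B1C7EFD60D9 Werner Koch (Release Signing Key)
[GNUPG:] VALIDSIG D238EA65D64C67ED4C3073F28A861B1C7EFD60D9 2017-05-15 1494870278 0 4 0 1 8 00 D238EA65D64C67ED4C3073F28A861B1C7EFD60D9'

# The announcement lists this key with "expires: 2016-10-28".
SAMPLE_EXPIRED='[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 2071B08A33BD3F06 NIIBE Yutaka (GnuPG Release Key)
[GNUPG:] VALIDSIG 031EC2536E580D8EA286A9F22071B08A33BD3F06 2017-05-15 1494870278 0 4 0 1 8 00 031EC2536E580D8EA286A9F22071B08A33BD3F06'

SAMPLE_UNPINNED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2017-05-15 1494870278 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'

SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 8A861B1C7EFD60D9 Werner Koch (Release Signing Key)'
```

A cryptographically good signature from a key that is not on the pinned list is rejected, which is the case a plain "Good signature" message does not distinguish.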
From: guru at unixarea.de (Matthias Apitz) Date: Mon, 15 May 2017 19:25:12 +0200 Subject: Using a GnuPG CCID card in another computer Message-ID: <20170515172512.GA3555@c720-r314251> Hello, I have a GnuPG smart card OMNIKEY 6121 Mobile USB and configured its use in my FreeBSD 12-CURRENT netbook, generated keys and I'm able to use it to login with SSH into other servers (after moving the pub key to the server into ~/.ssh/authorized_keys); the only tricky part was to figure out how to enter the PIN behind 'ssh' --> 'gpg-agent' --> /usr/local/bin/pinentry So far so good. Now I wanted the same SIM in another FreeBSD workstation (at work), but when I do use it there, for example with 'gpg2 --card-status', there is no key in the card and as well 'gpg2 --export-ssh-key guru' does not know how to export the key due to missing pub key. Should I move the full content of ~/.gnupg as well to the 2nd computer? And if so, why? I was thinking that all the key material (apart of the backup) is on the SIM and I only need its PIN... Thanks matthias -- Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045 From Dustin.Rogers at capitalone.com Mon May 15 19:00:24 2017 
From: Dustin.Rogers at capitalone.com (Rogers, Dustin) Date: Mon, 15 May 2017 17:00:24 +0000 Subject: command 'LEARN' failed: No inquire callback in IPC Message-ID: Hi GnuPG community: I have recently installed gnupg 2.1.20 from source on a centos6.8 box. For some reason I cannot get the pinentry prompt to appear on the terminal with this newest version. gpg-connect-agent works as expected and asks for the PIN, but gpg-agent will not. I have configured the gpg-agent.conf to use pinentry-curses Here is output from gpg --card-edit [root at system1 ~]# gpg --card-edit gpg-agent[5158]: DBG: chan_8 -> OK Pleased to meet you, process 5159 gpg-agent[5158]: DBG: chan_8 <- RESET gpg-agent[5158]: DBG: chan_8 -> OK gpg-agent[5158]: DBG: chan_8 <- OPTION ttyname=/dev/pts/0 gpg-agent[5158]: DBG: chan_8 -> OK gpg-agent[5158]: DBG: chan_8 <- OPTION ttytype=xterm gpg-agent[5158]: DBG: chan_8 -> OK gpg-agent[5158]: DBG: chan_8 <- OPTION lc-ctype=en_US.UTF-8 gpg-agent[5158]: DBG: chan_8 -> OK gpg-agent[5158]: DBG: chan_8 <- OPTION lc-messages=en_US.UTF-8 gpg-agent[5158]: DBG: chan_8 -> OK gpg-agent[5158]: DBG: chan_8 <- GETINFO version gpg-agent[5158]: DBG: chan_8 -> D 2.1.20 gpg-agent[5158]: DBG: chan_8 -> OK gpg-agent[5158]: DBG: chan_8 <- OPTION allow-pinentry-notify gpg-agent[5158]: DBG: chan_8 -> OK gpg-agent[5158]: DBG: chan_8 <- OPTION agent-awareness=2.1.0 gpg-agent[5158]: DBG: chan_8 -> OK gpg-agent[5158]: DBG: chan_8 <- SCD GETINFO version gpg-agent[5158]: no running SCdaemon - starting it gpg-agent[5158]: DBG: chan_9 <- OK PKCS#11 smart-card server for GnuPG ready gpg-agent[5158]: DBG: first connection to SCdaemon established gpg-agent[5158]: DBG: chan_9 -> GETINFO socket_name gpg-agent[5158]: DBG: chan_9 <- D /tmp/gnupg-pkcs11-scd.uTRBtO/agent.S gpg-agent[5158]: DBG: chan_9 <- OK gpg-agent[5158]: DBG: additional connections at '/tmp/gnupg-pkcs11-scd.uTRBtO/agent.S' gpg-agent[5158]: DBG: chan_9 -> OPTION event-signal=12 gpg-agent[5158]: DBG: chan_9 <- OK gpg-agent[5158]: 
DBG: chan_9 -> GETINFO version gpg-agent[5158]: DBG: chan_9 <- D 0.7.5 gpg-agent[5158]: DBG: chan_9 <- OK gpg-agent[5158]: DBG: chan_8 -> D 0.7.5 gpg-agent[5158]: DBG: chan_8 -> OK gpg: WARNING: server 'scdaemon' is older than us (0.7.5 < 2.1.20) gpg-agent[5158]: DBG: chan_8 <- SCD SERIALNO openpgp gpg-agent[5158]: DBG: chan_9 -> SERIALNO openpgp gpg-agent[5158]: DBG: chan_9 <- S SERIALNO D2760001240111504B43532331311111 0 gpg-agent[5158]: DBG: chan_8 -> S SERIALNO D2760001240111504B43532331311111 0 gpg-agent[5158]: DBG: chan_9 <- OK gpg-agent[5158]: DBG: chan_8 -> OK gpg-agent[5158]: DBG: chan_8 <- LEARN --sendinfo gpg-agent[5158]: DBG: chan_9 -> LEARN --force gpg-agent[5158]: DBG: chan_9 <- S SERIALNO D2760001240111504B43532331311111 0 gpg-agent[5158]: DBG: chan_9 <- S APPTYPE PKCS11 gpg-agent[5158]: DBG: chan_9 <- INQUIRE NEEDPIN PIN required for token 'gnupg-par1HA' (try 0) gpg-agent[5158]: DBG: chan_9 -> END gpg-agent[5158]: DBG: chan_9 <- OK gpg-agent[5158]: DBG: agent_card_learn failed: No inquire callback in IPC gpg-agent[5158]: command 'LEARN' failed: No inquire callback in IPC gpg-agent[5158]: DBG: chan_8 -> ERR 67109130 No inquire callback in IPC gpg: OpenPGP card not available: No inquire callback in IPC I have tried to set the GPG_TTY variable, but I still don't get the PIN prompt. GPG_TTY=`tty` I have this working with manual pinentry in a gnupg 2.0 environment, but eventually I would like to use the unattended pinentry-mode loopback, which seems to be available in the gnupg 2.1.20 version only. I am trying to automate batch operations of gpg. 
Thus, SCD LEARN will dutifully prompt for PIN when I launch the gpg-agent alongside the gpg-connect-agent like this: gpg-agent --debug-level=guru --debug 1024 --debug-pinentry --pinentry-program=/usr/bin/pinentry-curses --daemon gpg-connect-agent But SCD LEARN does not dutifully prompt for PIN, if I launch without the gpg-connect-agent gpg-agent --debug-level=guru --debug 1024 --debug-pinentry --pinentry-program=/usr/bin/pinentry-curses --daemon I have a feeling I have a small configuration error, or am not understanding something. But I have reviewed bug reports which seem similar to this issue I am having also. Can anyone tell me why the gpg-connect-agent can invoke the pinentry, but gpg-agent cannot? I am trying su'd as root, but I have the same issue when I'm not su as root. Thank you, -Dustin Rogers From rmcdorm at cobizfinancial.com Mon May 15 19:26:19 2017 
From: rmcdorm at cobizfinancial.com (Ryk McDorman) Date: Mon, 15 May 2017 17:26:19 +0000 Subject: Newbie can't get --passphrase option to work Message-ID: Kristian, Thanks for the quick confirmation that I need to use --pinentry-mode loopback. I reviewed my program and found that I'd forgotten that I'd inserted an Exit statement (to troubleshoot something else), and that's what was causing only the first decryption to work. So, problem resolved! Thanks again. Ryk -----Original Message----- 
From: Kristian Fiskerstrand [mailto:kristian.fiskerstrand at sumptuouscapital.com] Sent: Saturday, May 13, 2017 2:50 PM To: Ryk McDorman ; gnupg-users at gnupg.org Subject: RE: [EXT]:Newbie can't get --passphrase option to work On 05/12/2017 04:15 PM, Ryk McDorman wrote: > I've done a thorough search for a solution for this, but haven't come up with much: a vague reference to a bug in 2.1.x that may have to do with it, and at the end of my day yesterday I came across someone who used the "--pinentry-mode loopback" option. Interestingly, when I add that to my command, it DOES decrypt one file without prompting me, but then inexplicably stops. (My program logic is fine, as without the -pinentry option, it prompts me once for each file and decrypts each file.) I haven't yet had time to investigate that option; it's my next action but I've literally been working on this for days now and needed to send out a plea for help! And here you discuss it :p .. yes, pinentry-mode loopback is necessary for 2.1 use of --passphrase-fd and the likes , in earlier versions of 2.1 this requires allow-pinentry-loopback for the gpg-agent but in recent versions that is defaulted to on. Can you provide the information when this argument is used and the scenario that fails including explicit error messages? -- ---------------------------- Kristian Fiskerstrand Blog: https://blog.sumptuouscapital.com Twitter: @krifisk ---------------------------- Public OpenPGP keyblock at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 ---------------------------- Amantes sunt amentes Lovers are lunatics From rjmorris.list at zoho.com Tue May 16 01:10:35 2017 
From: rjmorris.list at zoho.com (Joey Morris) Date: Mon, 15 May 2017 19:10:35 -0400 Subject: debugging systemd user services for gpg-agent and dirmngr [was: Re: gpg hangs when asking for passphrase] In-Reply-To: <87tw4shzg2.fsf@fifthhorseman.net> References: <20170509023434.i555tlb7or37wrz2@conquistador.dnsalias.org> <8760ham1cv.fsf@fifthhorseman.net> <20170510014347.5papjllsxyo5xdsy@conquistador.dnsalias.org> <87a86kk2gc.fsf@fifthhorseman.net> <20170511021728.3t3anc6hgcqup7np@conquistador.dnsalias.org> <87tw4shzg2.fsf@fifthhorseman.net> Message-ID: <20170515231035.fgcnpaatixxpcrih@conquistador.dnsalias.org> Daniel Kahn Gillmor wrote on Wed, May 10, 2017 at 10:58:21PM -0400: > On Wed 2017-05-10 22:17:28 -0400, Joey Morris wrote: > > I have systemd version 222-1 installed, which appears to be wildly out of date. > > The first thing I'll try when I get back to this is to upgrade systemd. > > yes, please! After upgrading systemd, I'm happy to report that my agent connections no longer hang and everything seems to be working well. (Because the upgrade fixed my problem, I didn't attempt your other suggestion of moving my .xsession startup tasks to .config/openbox/autostart.) Thank you for the assistance! Joey From guru at unixarea.de Tue May 16 07:55:54 2017 
From: guru at unixarea.de (Matthias Apitz) Date: Tue, 16 May 2017 07:55:54 +0200 Subject: Using a GnuPG CCID card in another computer (follow-up) In-Reply-To: <20170515172512.GA3555@c720-r314251> References: <20170515172512.GA3555@c720-r314251> Message-ID: <20170516055554.GA2484@c720-r314251> On Monday, May 15, 2017 at 07:25:12 PM +0200, Matthias Apitz wrote: > > Hello, > > I have a GnuPG smart card OMNIKEY 6121 Mobile USB and configured its > use in my FreeBSD 12-CURRENT netbook, generated keys and I'm able to use > it to login with SSH into other servers (after moving the pub key to > the server into ~/.ssh/authorized_keys); the only tricky part was to figure > out how to enter the PIN behind 'ssh' --> 'gpg-agent' --> /usr/local/bin/pinentry > > So far so good. > > Now I wanted the same SIM in another FreeBSD workstation (at work), but when > I do use it there, for example with 'gpg2 --card-status', there is no key in the > card and as well 'gpg2 --export-ssh-key guru' does not know how to > export the key due to missing pub key. > > Should I move the full content of ~/.gnupg as well to the 2nd computer? > And if so, why? I was thinking that all the key material (apart of the > backup) is on the SIM and I only need its PIN... Follow-up. I have now copied all the files below to the other workstation and now all is fine there too, i.e. I can export the pub key with 'gpg2 --export-ssh-key guru' and use it for SSH being asked for the PIN of the card. The files are: $ ls -lR .gnupg total 52 -rw------- 1 guru wheel 2649 12 may. 22:41 dirmngr.conf -rw-r--r-- 1 guru wheel 19 15 may. 11:41 gpg-agent.conf -rw------- 1 guru wheel 5191 12 may. 22:41 gpg.conf drwx------ 2 guru wheel 512 14 may. 20:30 openpgp-revocs.d drwx------ 2 guru wheel 512 14 may. 20:29 private-keys-v1.d -rw-r--r-- 1 guru wheel 3573 14 may. 20:30 pubring.kbx -rw------- 1 guru wheel 32 12 may. 22:41 pubring.kbx~ -rw------- 1 guru wheel 600 15 may. 
09:58 random_seed -rw-r--r-- 1 guru wheel 7 15 may. 15:21 reader_0.status -rw------- 1 guru wheel 1865 14 may. 20:29 sk_61F1ECB625C9A6C3.gpg -rw-r----- 1 guru wheel 676 15 may. 11:45 sshcontrol -rw------- 1 guru wheel 1280 15 may. 09:23 trustdb.gpg .gnupg/openpgp-revocs.d: total 4 -rw------- 1 guru wheel 1799 14 may. 20:30 5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11.rev .gnupg/private-keys-v1.d: total 24 -rw------- 1 guru wheel 1873 14 may. 20:17 147F71A678B411855B4BCCC48FAEC8689B5E1C23.key -rw------- 1 guru wheel 615 14 may. 20:29 314DE72F03D41683E06A504769970A1643825B38.key -rw------- 1 guru wheel 617 14 may. 20:09 45BDBABA30A3511D507B8A08A28D425F7CD417C6.key -rw------- 1 guru wheel 615 14 may. 20:29 7E22A904DB3BE5A98F98AFDEED61DF1364DD949B.key -rw------- 1 guru wheel 615 14 may. 20:29 937BA1F6A95F68222EC2C6F9573100E17EE9522E.key -rw------- 1 guru wheel 617 14 may. 20:17 B0E0BFC22F116B541848DF6593B418BBB63C0CC0.key When I generated the keys on the card (gpg2 --card-edit --> admin --> generate) on May 14, I have had to do this twice because I was logged out from the card due to too long thinking about the passphrase for the backup of the key to the file sk_61F1ECB625C9A6C3.gpg; one can see this on the time of the files below .gnupg/private-keys-v1.d; the 2nd run started around 20:20 and was successful at 20:29. The question remains: Why do I have to move the files below .gnupg/ to the other workstation? And what are the files below .gnupg/private-keys-v1.d exactly? Thanks matthias -- Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045 From gniibe at fsij.org Tue May 16 09:24:00 2017 
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Tue, 16 May 2017 16:24:00 +0900
Subject: command 'LEARN' failed: No inquire callback in IPC
In-Reply-To:
References:
Message-ID: <874lwli7sf.fsf@fsij.org>

"Rogers, Dustin" wrote:
> I have recently installed gnupg 2.1.20 from source on a centos6.8 box.

What's the configure option? Did you enable smart card support with
libusb?

> [root at system1 ~]# gpg --card-edit
>
> gpg-agent[5158]: DBG: chan_8 -> OK Pleased to meet you, process 5159
[...]
> gpg-agent[5158]: DBG: chan_9 <- OK PKCS#11 smart-card server for GnuPG ready

This is not the scdaemon from GnuPG. Please install scdaemon of GnuPG
and try again with that.
--

From peter at digitalbrains.com Tue May 16 09:31:42 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Tue, 16 May 2017 09:31:42 +0200
Subject: Newbie can't get --passphrase option to work
In-Reply-To:
References:
Message-ID:

On 12/05/17 16:15, Ryk McDorman wrote:
> In the program I'm passing the output and input filenames as parameters to a one-line batch file consisting of this command:
> echo | "C:\Program Files (x86)\gnuPG\bin\gpg.exe" --batch --output %1 --passphrase-fd 0 --decrypt %2

You should also ask yourself what the purpose of the passphrase is other
than to make your life difficult.

Your disk holds a file with an encrypted private key as well as a file
containing the plaintext password. Why would an attacker that is able to
access the encrypted private key not also be able to access the
PowerShell script with the password? What purpose does the password
serve in this scenario?

You should probably just remove the passphrase from the key. That way
any decryption or signature will just succeed without jumping through
hoops to pass the passphrase to GnuPG.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From peter at digitalbrains.com Tue May 16 11:12:18 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Tue, 16 May 2017 11:12:18 +0200
Subject: Using a GnuPG CCID card in another computer (follow-up)
In-Reply-To: <20170516055554.GA2484@c720-r314251>
References: <20170515172512.GA3555@c720-r314251> <20170516055554.GA2484@c720-r314251>
Message-ID:

On 16/05/17 07:55, Matthias Apitz wrote:
> The question remains: Why I do have to move the files below .gnupg/ to
> the other workstation?

The card only holds the basic cryptographic material. But a certificate
("public key") holds much more information: your name, the relations
between the cryptographic keys and how they are used, your preferences
with regard to algorithms, how long the key is valid, and certifications
by other users who have signed your key, to name some important ones.

So before you can use the smartcard, you need to import your
certificate/public key. You could publish this to the keyserver network,
or put it on the web. If the latter, you /can/ enter the URL in a data
field on the smartcard, enabling you to use the "fetch" command of
--card-edit.

> And, what are the files below .gnupg/private-keys-v1.d
> are exactly?

Either the real cryptographic material for a private key, or simply a
note telling GnuPG "that key is on card X". However, I'm surprised by
the size of these files you show. All my "notes saying card X", stubs,
on this laptop are around a mere 360 bytes. I know these files are
S-Expressions, but I haven't checked the exact construction. I would
expect OpenPGP smartcard stubs to generally come down to very comparable
sizes.

You can ask GnuPG to list all the OpenPGP private keys it knows about
along with the keygrip. The keygrip corresponds to the file name in
private-keys-v1.d. It will also indicate when a key is on a card:

> $ gpg2 --with-keygrip -K
> /home/peter/.gnupg/pubring.kbx
> ------------------------------
> sec>  rsa2048 2009-11-12 [C] [expires: 2017-10-19]
>       8FA94E79AD6AB56EE38CE5CBAC46EFE6DE500B3E
>       Keygrip = 13790148EEE34BC5140DD31B6F95EABA8A19E419
>       Card serial no. = 0005 00000274
> uid           [ultimate] Peter Lebbing
> ssb>  rsa2048 2009-11-12 [S] [expires: 2017-10-19]
>       Keygrip = 46E61BB13BF429980D89B6B7BDE0F70E55E41A03
> ssb>  rsa2048 2009-11-12 [E] [expires: 2017-10-19]
>       Keygrip = A9C7C73653BEDAF478E4956FCF4C3AFC7CB9A00C
> ssb>  rsa2048 2009-12-05 [A] [expires: 2017-10-19]
>       Keygrip = 2DD5CC89FE601845C8C4F74F9643724A08D878FD
>
> sec   rsa1024 2012-03-17 [SC] [expired: 2017-03-29]
>       825472F37172B95ADC7349BE98B67DE4DCDFDFA4
>       Keygrip = 2F677680CA15F6F7B963AF35822E8EC01FBF840A
> uid           [ expired] Test Teststra
> uid           [ expired] Test Teststra (Koning van Wezel)
> ssb   rsa1024 2012-03-17 [E] [expired: never ]
>       Keygrip = 15CB764B81D542CF921978CA89910C69D53F4E2D
> ssb   rsa2048 2016-01-12 [A] [expired: never ]
>       Keygrip = 3D88DC9D60F791821AF8D537EEAC3C8DF7720D63
> ssb   rsa1024 2017-03-22 [S] [expired: 2017-03-29]
>       Keygrip = B93CA4F1A44FAD92D45DC836DEC653769421E703

A '>' after 'sec' or 'ssb' indicates it is on a card. A '#' indicates
the key is unavailable. You could do this to check what GnuPG thinks
those files represent. Note it only mentions the card serial number for
the primary key, even though the E and S subkeys are on a different
card.

I have to admit I cheated a bit for the above output; I had to specify
"--list-options show-unusable-subkeys" because the test key was expired,
and I removed an awful lot of test keys from the output.

private-keys-v1.d also contains keys for gpgsm, which will not show up
when invoking "gpg2 -K" as above.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From gnu at otterhall.com Tue May 16 09:36:16 2017
From: gnu at otterhall.com (=?UTF-8?Q?Albin_Otterh=c3=a4ll?=)
Date: Tue, 16 May 2017 09:36:16 +0200
Subject: Some questions regarding generating RSA keys
Message-ID: <8cd59d47-1069-5758-769a-e77e761f43af@otterhall.com>

Hi!

I'm currently doing a high school project by studying RSA keys for
better understanding them theoretically and practically. A part of the
project consists of an experiment, and I choose to test and see how big
the workload will be for the CPU when generating RSA keys of different
length. I would also like to save the time as a data point, if I need to
come to a conclusion.

The plan is to use GnuPG to generate RSA keys of different length (1024,
2048, and 4096) and GNU Time to get the CPU's workload and the time to
execute the process. The process will be automated with a python script.
The process will be in something like this:

1. For length in [1024, 2048, 4096]:
  1.1. For X times:
    1.1.1. Execute Gnu PG command and monitor system resources
    1.1.2. Write use of system resources to file

I will thereafter plot some graphs to see if my hypothesis is correct.

But I got some questions regarding the implementation of my GnuPG test.
An explanation of how my implementation will come after the questions.
My questions are:

* Do these settings do what I want to do?
* Can I someway disable the automatic creation of revoke certificates?
* Why does it take much longer to generate some keys?
* Why does GnuPG give the answer that it took 0 CPU-seconds in
  userspace for the creation of the keys? Is it done in another process?
* Why does the CPU workload parameter only show a value (0 < CPU) when
  it took less than a second (wall clock > 1) for creating the keys?

Reading the manual it seems that the simplest way to generate the keys
is with the `--batch` option turned on. I've set the options in a file
with the following instructions:

========== Begin GnuPG Instruction File ==========
# Text syntax in this file
#%dry-run
%echo Generating RSA key...

# Don't ask after passphrase
%no-protection

Key-type: RSA
Key-Length: 1024
Name-Real: Real Name
Name-Email: user at localhost.se
Expire-Date: 0

# Generate RSA key
%commit

%echo Done!
========== End GnuPG Instruction File ==========

The command that executes this file has two parts, the Gnu Time part and
the GnuPG part. The GNU Time command is looking as follows:

$ time --format="Wall clock: %e[s], CPU (userspace): %U[s], CPU (workload): %P%"

And the GnuPG command is the following.

$ gpg2 --gen-key --homedir=./rsa-keys --batch [filename]

The command that I execute in my shell (fish shell if it's important) is
the following (GNU Time + GnuPG):

$ time --format="Wall clock: %e[s], CPU (userspace): %U[s], CPU (workload): %P%" gpg2 --gen-key --homedir=./rsa-keys --batch [filename]

Output from command:

Wall clock: 36.83[s], CPU (userspace): 0.00[s], CPU (workload): 0%%
Wall clock: 0.04[s], CPU (userspace): 0.00[s], CPU (workload): 8%%
Wall clock: 4.76[s], CPU (userspace): 0.00[s], CPU (workload): 0%%
Wall clock: 72.39[s], CPU (userspace): 0.00[s], CPU (workload): 0%%
Wall clock: 57.52[s], CPU (userspace): 0.00[s], CPU (workload): 0%%
Wall clock: 84.71[s], CPU (userspace): 0.00[s], CPU (workload): 0%%
Wall clock: 63.32[s], CPU (userspace): 0.00[s], CPU (workload): 0%%
Wall clock: 51.10[s], CPU (userspace): 0.00[s], CPU (workload): 0%%
Wall clock: 47.58[s], CPU (userspace): 0.00[s], CPU (workload): 0%%
Wall clock: 64.72[s], CPU (userspace): 0.00[s], CPU (workload): 0%%
Wall clock: 0.05[s], CPU (userspace): 0.00[s], CPU (workload): 6%%
Wall clock: 0.03[s], CPU (userspace): 0.00[s], CPU (workload): 11%%
Wall clock: 29.62[s], CPU (userspace): 0.00[s], CPU (workload): 0%%
Wall clock: 55.02[s], CPU (userspace): 0.00[s], CPU (workload): 0%%
Wall clock: 36.08[s], CPU (userspace): 0.00[s], CPU (workload): 0%%
Wall clock: 42.92[s], CPU (userspace): 0.00[s], CPU (workload): 0%%
Wall clock: 40.41[s], CPU (userspace): 0.00[s], CPU (workload): 0%%
Wall clock: 204.36[s], CPU (userspace): 0.00[s], CPU (workload): 0%%
Wall clock: 246.42[s], CPU (userspace): 0.00[s], CPU (workload): 0%%
Wall clock: 51.50[s], CPU (userspace): 0.00[s], CPU (workload): 0%%

Thanks in advance!

Regards,
Albin

From guru at unixarea.de Tue May 16 11:56:59 2017
From: guru at unixarea.de (Matthias Apitz)
Date: Tue, 16 May 2017 11:56:59 +0200
Subject: Using a GnuPG CCID card in another computer (follow-up)
In-Reply-To:
References: <20170515172512.GA3555@c720-r314251> <20170516055554.GA2484@c720-r314251>
Message-ID: <20170516095659.GA7017@c720-r314251>

On Tuesday, May 16, 2017 at 11:12:18 a.m. +0200, Peter Lebbing wrote:

> On 16/05/17 07:55, Matthias Apitz wrote:
> > The question remains: Why I do have to move the files below .gnupg/ to
> > the other workstation?
>
> The card only holds the basic cryptographic material. But a certificate
> ("public key") holds much more information: your name, the relations
> between the cryptographic keys and how they are used, your preferences
> with regard to algorithms, how long the key is valid, and certifications
> by other users who have signed your key, to name some important ones.
>
> So before you can use the smartcard, you need to import your
> certificate/public key. You could publish this to the keyserver network,
> or put it on the web. If the latter, you /can/ enter the URL in a data
> field on the smartcard, enabling you to use the "fetch" command of
> --card-edit.

Thanks for the two tips re/ the pub key; I did so and now it works:

I exported the pub key with:

$ gpg2 --export --armor > ccid--export-key-guru.pub

placed it on my webserver and configured its URL with the card's
url-command as

URL of public key : http://www.unixarea.de/ccid--export-key-guru.pub

On the 2nd workstation I moved away the GNUPGHOME:

$ env | grep GNU
GNUPGHOME=/home/guru/.gnupg-ccid
$ mv .gnupg-ccid .gnupg-ccid-saved

gpg2 is unwilling to start due to missing dir and I have had to create
it with mkdir:

$ gpg2 --card-status
gpg: keyblock resource '/home/guru/.gnupg-ccid/pubring.kbx': No such file or directory
gpg: failed to create temporary file '/home/guru/.gnupg-ccid/.#lk0x0000000802616210.r314251-amd64.65213': No such file or directory
gpg: can't connect to the agent: No such file or directory
gpg: OpenPGP card not available: No agent running
$ mkdir /home/guru/.gnupg-ccid
$ chmod 0700 /home/guru/.gnupg-ccid

As you can see the keys are completely missing in the card's status:

$ gpg2 --card-status
gpg: keybox '/home/guru/.gnupg-ccid/pubring.kbx' created
Reader ...........: HID Global OMNIKEY 6121 Smart Card Reader 00 00
Application ID ...: D27600012401020100050000532B0000
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 0000532B
Name of cardholder: Matthias Apitz
Language prefs ...: en
Sex ..............: unspecified
URL of public key : http://www.unixarea.de/ccid--export-key-guru.pub
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 4
Signature key ....: 5E69 FBAC 1618 562C B3CB FBC1 47CC F7E4 76FE 9D11
      created ....: 2017-05-14 18:20:07
Encryption key....: EB62 00DA 13A1 9E80 679B 1A13 61F1 ECB6 25C9 A6C3
      created ....: 2017-05-14 18:20:07
Authentication key: E51D D2D6 C727 35D6 651D EA4B 6AA5 C5C4 51A1 CD1C
      created ....: 2017-05-14 18:20:07
General key info..: [none]

but after fetching the pub key, all is fine:

[guru at r314251-amd64 ~]$ gpg2 --card-edit

Reader ...........: HID Global OMNIKEY 6121 Smart Card Reader 00 00
Application ID ...: D27600012401020100050000532B0000
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 0000532B
Name of cardholder: Matthias Apitz
Language prefs ...: en
Sex ..............: unspecified
URL of public key : http://www.unixarea.de/ccid--export-key-guru.pub
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 4
Signature key ....: 5E69 FBAC 1618 562C B3CB FBC1 47CC F7E4 76FE 9D11
      created ....: 2017-05-14 18:20:07
Encryption key....: EB62 00DA 13A1 9E80 679B 1A13 61F1 ECB6 25C9 A6C3
      created ....: 2017-05-14 18:20:07
Authentication key: E51D D2D6 C727 35D6 651D EA4B 6AA5 C5C4 51A1 CD1C
      created ....: 2017-05-14 18:20:07
General key info..: [none]

gpg/card> fetch
gpg: requesting key from 'http://www.unixarea.de/ccid--export-key-guru.pub'
gpg: /home/guru/.gnupg-ccid/trustdb.gpg: trustdb created
gpg: key 47CCF7E476FE9D11: public key "Matthias Apitz (GnuPG CCID) " imported
gpg: Total number processed: 1
gpg:               imported: 1

gpg/card> list

Reader ...........: HID Global OMNIKEY 6121 Smart Card Reader 00 00
Application ID ...: D27600012401020100050000532B0000
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 0000532B
Name of cardholder: Matthias Apitz
Language prefs ...: en
Sex ..............: unspecified
URL of public key : http://www.unixarea.de/ccid--export-key-guru.pub
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 4
Signature key ....: 5E69 FBAC 1618 562C B3CB FBC1 47CC F7E4 76FE 9D11
      created ....: 2017-05-14 18:20:07
Encryption key....: EB62 00DA 13A1 9E80 679B 1A13 61F1 ECB6 25C9 A6C3
      created ....: 2017-05-14 18:20:07
Authentication key: E51D D2D6 C727 35D6 651D EA4B 6AA5 C5C4 51A1 CD1C
      created ....: 2017-05-14 18:20:07
General key info..: pub  rsa4096/47CCF7E476FE9D11 2017-05-14 Matthias Apitz (GnuPG CCID)
sec>  rsa4096/47CCF7E476FE9D11  created: 2017-05-14  expires: never
                                card-no: 0005 0000532B
ssb>  rsa4096/6AA5C5C451A1CD1C  created: 2017-05-14  expires: never
                                card-no: 0005 0000532B
ssb>  rsa4096/61F1ECB625C9A6C3  created: 2017-05-14  expires: never
                                card-no: 0005 0000532B

> > And, what are the files below .gnupg/private-keys-v1.d
> > are exactly?
>
> Either the real cryptographic material for a private key, or simply a
> note telling GnuPG "that key is on card X". However, I'm surprised by
> the size of these files you show. All my "notes saying card X", stubs,
> on this laptop are around a mere 360 bytes. I know these files are
> S-Expressions, but I haven't checked the exact construction. I would
> expect OpenPGP smartcard stubs to generally come down to very comparable
> sizes.

I run strings for these files and it shows for example:

$ strings -n8 314DE72F03D41683E06A504769970A1643825B38.key
(20:shadowed-private-key(3:rsa(1:n513:
)(8:shadowed5:t1-v1(16:
9:OPENPGP.2))))

>
> You can ask GnuPG to list all the OpenPGP private keys it knows about
> along with the keygrip. The keygrip corresponds to the file name in
> private-keys-v1.d. It will also indicate when a key is on a card:
>
> > $ gpg2 --with-keygrip -K
> > /home/peter/.gnupg/pubring.kbx

I did so and it seems that the keys are on the card:

$ gpg2 --with-keygrip -K
/home/guru/.gnupg-ccid/pubring.kbx
----------------------------------
sec>  rsa4096 2017-05-14 [SC]
      5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11
      Keygrip = 937BA1F6A95F68222EC2C6F9573100E17EE9522E
      Card serial no. = 0005 0000532B
uid           [ultimate] Matthias Apitz (GnuPG CCID)
ssb>  rsa4096 2017-05-14 [A]
      Keygrip = 7E22A904DB3BE5A98F98AFDEED61DF1364DD949B
ssb>  rsa4096 2017-05-14 [E]
      Keygrip = 314DE72F03D41683E06A504769970A1643825B38

Thanks for your explanations and help. Maybe the FAQ should be expanded
with this.

matthias
--
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045

From dgouttegattat at incenp.org Tue May 16 10:10:28 2017
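The stub layout visible in the strings output of the message above can be decoded directly. The following is an added example, not code from the thread or from GnuPG: it assumes the key files use canonical S-expressions ("<length>:<bytes>" atoms) as that output shows, and the sample inputs are constructed (the Application ID is the one from the --card-status output; the key values are filler).

```python
# Added example (not from the thread): tell a smartcard stub from real key
# material in private-keys-v1.d. Assumes canonical S-expression encoding,
# i.e. atoms written as "<decimal length>:<raw bytes>" inside parentheses.

def parse_sexp(data: bytes):
    """Parse one canonical S-expression into nested lists of bytes atoms."""
    pos = 0

    def item():
        nonlocal pos
        if data[pos:pos + 1] == b"(":
            pos += 1
            out = []
            while data[pos:pos + 1] != b")":
                if pos >= len(data):
                    raise ValueError("unterminated list")
                out.append(item())
            pos += 1
            return out
        colon = data.find(b":", pos)
        if colon == -1 or not data[pos:colon].isdigit():
            raise ValueError(f"malformed atom at offset {pos}")
        start = colon + 1
        end = start + int(data[pos:colon])
        if end > len(data):
            raise ValueError("atom runs past end of data")
        pos = end
        return data[start:end]

    return item()


def child(lst, name: bytes):
    """Return the first sub-list of lst whose head atom is name, or None."""
    for x in lst:
        if isinstance(x, list) and x and x[0] == name:
            return x
    return None


def describe_key_file(data: bytes) -> dict:
    """Summarise a key file: secret key material or a 'key is on card' stub."""
    tree = parse_sexp(data)
    if not (isinstance(tree, list) and len(tree) >= 2
            and isinstance(tree[0], bytes) and isinstance(tree[1], list)
            and tree[1] and isinstance(tree[1][0], bytes)):
        raise ValueError("not a key S-expression")
    kind, key = tree[0].decode(), tree[1]
    info = {"kind": kind, "algo": key[0].decode(), "on_card": False}
    n = child(key, b"n")
    if n is not None and len(n) > 1:
        info["n_bytes"] = len(n[1])      # size of the public modulus
    shadow = child(key, b"shadowed")
    if kind == "shadowed-private-key" and shadow and shadow[1] == b"t1-v1":
        aid, slot = shadow[2][0], shadow[2][1]
        hexaid = aid.hex().upper()
        # OpenPGP card Application ID: bytes 8-9 manufacturer, 10-13 serial
        info.update(on_card=True, card_aid=hexaid, slot=slot.decode(),
                    card_no=f"{hexaid[16:20]} {hexaid[20:28]}")
    return info


def build_sample_stub() -> bytes:
    """Constructed stub shaped like the strings output (no real key data)."""
    def atom(b: bytes) -> bytes:
        return str(len(b)).encode() + b":" + b
    n = b"\x00" + b"\xc3" * 512          # constructed 513-byte filler for n
    e = b"\x01\x00\x01"
    aid = bytes.fromhex("D27600012401020100050000532B0000")  # from --card-status
    return (b"(" + atom(b"shadowed-private-key") + b"(" + atom(b"rsa")
            + b"(" + atom(b"n") + atom(n) + b")"
            + b"(" + atom(b"e") + atom(e) + b")"
            + b"(" + atom(b"shadowed") + atom(b"t1-v1")
            + b"(" + atom(aid) + atom(b"OPENPGP.2") + b"))))")


# Constructed toy key with secret parameter d present (not a usable key).
SAMPLE_PLAIN = b"(11:private-key(3:rsa(1:n3:\x00\xc3\xc3)(1:e3:\x01\x00\x01)(1:d2:\x11\x33)))"

if __name__ == "__main__":
    stub = build_sample_stub()
    print(len(stub), describe_key_file(stub))
    print(describe_key_file(SAMPLE_PLAIN))
```

The constructed stub comes out at 615 bytes, the size of three of the files in the listing: the 513-byte modulus of an rsa4096 key accounts for most of it, and the file holds no secret parameters.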
From: dgouttegattat at incenp.org (Damien Goutte-Gattat)
Date: Tue, 16 May 2017 10:10:28 +0200
Subject: Using a GnuPG CCID card in another computer (follow-up)
In-Reply-To: <20170516055554.GA2484@c720-r314251>
References: <20170515172512.GA3555@c720-r314251> <20170516055554.GA2484@c720-r314251>
Message-ID:

On 05/16/2017 07:55 AM, Matthias Apitz wrote:
> The question remains: Why I do have to move the files below .gnupg/ to
> the other workstation?

The card only contains the private keys. GnuPG also needs some
information that is only contained in the public parts, such as the
User IDs associated with the key and the bindings between a primary key
and its subkeys.

So while you do not have to move *all* the files below .gnupg, you at
least need to import your *public* key onto your other workstation.

(That's why the card editor of GnuPG has a "fetch" command. The idea is
that you put your public key in a publicly-accessible location, and make
the "URL" field of your card point to that location. With that, upon
arriving onto a new computer--with an empty or nonexistent .gnupg--, you
can get a working setup just by inserting your card, firing up the card
editor, and using the "fetch" command.)

> And, what are the files below .gnupg/private-keys-v1.d are exactly?

They normally contain the private key themselves. When the private keys
are stored on a smartcard, they are "stubs", whose purpose is to inform
GnuPG that the keys are on a smartcard (notably, they contain the serial
number of said smartcard).

GnuPG should normally re-create those stubs automatically if they do not
exist when you run the --card-status command, so you should not have to
copy them over manually.

What is troubling in your experience is that you said there was "no key
in the card" when you first run "gpg2 --card-status" on the new
workstation. I have no explanation for that.

Damien

From dank at kegel.com Tue May 16 13:31:33 2017
From: dank at kegel.com (Dan Kegel)
Date: Tue, 16 May 2017 04:31:33 -0700
Subject: Newbie can't get --passphrase option to work
In-Reply-To:
References:
Message-ID:

On Tue, May 16, 2017 at 12:31 AM, Peter Lebbing wrote:
> You should also ask yourself what the purpose of the passphrase is other
> than to make your life difficult....
> You should probably just remove the passphrase from the key. That way
> any decryption or signature will just succeed without jumping through
> hoops to pass the passphrase to GnuPG.

That wasn't my experience. I used keys with no passphrase,
and *still* had to use loopback (and jump through other hoops) to get
gpg to work unattended.

https://lists.gnupg.org/pipermail/gnupg-users/2017-April/058158.html
https://lists.gnupg.org/pipermail/gnupg-users/2017-April/058162.html
describe my travails. It was several days of learning curve.

In fairness, I needed a solution that worked with all versions of gpg
that shipped with any LTS version of ubuntu, not just the current
release, which made things a bit harder.

- Dan

From peter at digitalbrains.com Tue May 16 13:41:40 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Tue, 16 May 2017 13:41:40 +0200
Subject: Newbie can't get --passphrase option to work
In-Reply-To:
References:
Message-ID: <3c914521-e148-df68-bd29-0c69d0999754@digitalbrains.com>

On 16/05/17 13:31, Dan Kegel wrote:
> That wasn't my experience. I used keys with no passphrase,
> and *still* had to use loopback (and jump through other hoops) to get
> gpg to work unattended.

I was talking about the things one usually does on a headless server,
which is decryption and data signatures. I'm unaware of this having any
issues, and I don't see you mention them in your referenced posts
either. I haven't ever heard unattended certifications being discussed,
I don't know if it is straightforward.

With regards to key management, this is often something a logged in
human user does and can hence do without having to wrestle unattended
stuff.

I understand this doesn't always apply, but the OP here was talking
about decryption, not key management. That should be straightforward.

When I say, by the way, that having no passphrase is better than using a
passphrase which is literally contained in a script, I'm saying that it
is usually better, not that it is always appropriate. It might be
appropriate to solve it in a different way, but a passphrase literally
in a script is probably not it.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From janne.inkila at iki.fi Tue May 16 15:47:50 2017
From: janne.inkila at iki.fi (=?UTF-8?Q?Janne_Inkil=c3=a4?=)
Date: Tue, 16 May 2017 16:47:50 +0300
Subject: suspicious key found
Message-ID:

I made a key search with my name and found something suspicious.

The search:

https://pgp.mit.edu/pks/lookup?search=janne+inkila&op=index&fingerprint=on

I have used my old key since 2007. Fingerprint F4DB 40F8 BF22 8B9D 9B8F
F679 A482 4C9A 033E 22A2. I know this is quite an old key and maybe I
should revoke it.

BUT

I also found another key with fingerprint 87C4 F4C8 16D1 3CC3 03E0 7977
1A9C 6259 033E 22A2. The key ID is the same 033E 22A2 on both keys.
There are also signatures in this key. Looks like same persons and same
key ID's but fingerprints don't match. For some reason this key has been
revoked.

Did someone really generate a same looking key? And why? Any ideas?
Someone tries to capture my emails? I would like to see some sort of
theory what is going on, thanks :)

Janne Inkilä

From andrewg at andrewg.com Tue May 16 17:28:23 2017
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Tue, 16 May 2017 16:28:23 +0100
Subject: suspicious key found
In-Reply-To:
References:
Message-ID: <4aa13c56-ecb9-8591-6d4e-c8217abd4d6d@andrewg.com>

On 2017/05/16 14:47, Janne Inkilä wrote:
> Did someone really generate a same looking key? And why? Any ideas?

Yes, they did. Most of the strong set was duplicated by the Evil32
project in order to demonstrate the danger of relying on short key IDs
(because on modern hardware it takes mere seconds to generate a fake key
with the same short ID). Unfortunately the fake keys got uploaded to an
SKS server and polluted the database. The authors then mass-revoked all
the offending keys, but since SKS is append-only they still appear in
search results.

https://evil32.com/

The fact that invalid (even suspicious) keys exist on the SKS servers
(or anywhere on the internet for that matter) is in itself not a problem
- any decent public-key infrastructure must be designed under the
assumption that forgeries are inevitable and use some other method
(signatures, out of band verification) to determine the validity of
keys.

The moral of the story is: don't believe everything you see on the
internet. ;-)

Andrew.

From dustincr at hotmail.com Tue May 16 15:26:40 2017
From: dustincr at hotmail.com (Dustin Rogers)
Date: Tue, 16 May 2017 13:26:40 +0000
Subject: command 'LEARN' failed: No inquire callback in IPC
In-Reply-To: <874lwli7sf.fsf@fsij.org>
References: , <874lwli7sf.fsf@fsij.org>
Message-ID:

Hi Mr. Yutaka:

Thank you for your input and all the dev work you have done.

This is a cloud environment so I don't have the luxury of physical
access to a usb port. I do not leverage libusb because this is using
network attached Safenet Luna SA HSM (gemalto brand) PKCS11 smart card
provider.

I just gave the native scdaemon a try. It doesn't seem to recognize this
card provider at all.

LEARN ERR 100663404 Card error

In fact the native support for smart cards does not seem to support
network attached HSM "virtual tokens" devices at all. It could be
possible that I need to specify the local port the installed HSM agent
is running on, but I don't think I will be that lucky.

Perhaps I could help build the support into the native scdaemon, but you
are an expert at this, so I don't want to come off rude. I know the work
isn't simple.

I have this other scdaemon (gnupg-pkcs11-scd) working fine with gnupg
2.0, but with manual pinentry for each operation. I can't get it working
with gnupg 2.1. (again, I am looking for the unattended pinentry support
the later version seems to have) Thus, I really don't think this is an
issue with the scdaemon I am using. Moreover, I can see the INQUIRE PIN
callback is there, the pinentry is just not appearing. Really I would
like to understand why the gpg-connect-agent is allowing the pin call
back through, and the gpg-agent itself is not?

Thank you,

-Dustin Rogers

Here is my config file thus far for native scdaemon:

#Debug Level
debug-level guru
#Smartcard Provider SO object
pcsc-driver /usr/lib/libCryptoki2_64.so
#pcsc-driver /usr/lib/libCryptoki2.so
log-file scdaemon.log
#card-timeout 1

________________________________
From: Gnupg-users on behalf of NIIBE Yutaka
Sent: Tuesday, May 16, 2017 2:24 AM
To: Rogers, Dustin; gnupg-users at gnupg.org
Subject: Re: command 'LEARN' failed: No inquire callback in IPC

"Rogers, Dustin" wrote:
> I have recently installed gnupg 2.1.20 from source on a centos6.8 box.

What's the configure option? Did you enable smart card support with
libusb?

> [root at system1 ~]# gpg --card-edit
>
> gpg-agent[5158]: DBG: chan_8 -> OK Pleased to meet you, process 5159
[...]
> gpg-agent[5158]: DBG: chan_9 <- OK PKCS#11 smart-card server for GnuPG ready

This is not the scdaemon from GnuPG. Please install scdaemon of GnuPG
and try again with that.
--

From felix at audiofair.de Tue May 16 17:26:20 2017
From: felix at audiofair.de (Felix Winterhalter)
Date: Tue, 16 May 2017 17:26:20 +0200
Subject: suspicious key found
In-Reply-To:
References:
Message-ID:

There was a proof of concept attack on the fingerprints a couple of
years ago. The keys were revoked afterwards.

TL;DR short key fingerprints are not secure at all. Also the web of
trust is your friend here.

Cheers,

Felix

On 16/05/17 15:47, Janne Inkilä wrote:
> I made a key search with my name and found something suspicious.
>
> The search:
>
> https://pgp.mit.edu/pks/lookup?search=janne+inkila&op=index&fingerprint=on
>
>
> I have used my old key since 2007. Fingerprint F4DB 40F8 BF22 8B9D
> 9B8F F679 A482 4C9A 033E 22A2. I know this is quite an old key and maybe
> I should revoke it.
>
> BUT
>
> I also found another key with fingerprint 87C4 F4C8 16D1 3CC3 03E0
> 7977 1A9C 6259 033E 22A2. The key ID is the same 033E 22A2 on both
> keys. There are also signatures in this key. Looks like same persons and
> same key ID's but fingerprints don't match. For some reason this key
> has been revoked.
>
> Did someone really generate a same looking key? And why? Any ideas?
> Someone tries to capture my emails? I would like to see some sort of
> theory what is going on, thanks :)
>
> Janne Inkilä

From dshaw at jabberwocky.com Tue May 16 17:37:13 2017
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 16 May 2017 11:37:13 -0400
Subject: suspicious key found
In-Reply-To:
References:
Message-ID: <8241FFDA-9419-4A10-814C-5107CF1E2D14@jabberwocky.com>

On May 16, 2017, at 9:47 AM, Janne Inkilä wrote:
>
> I made a key search with my name and found something suspicious.
>
> The search:
>
> https://pgp.mit.edu/pks/lookup?search=janne+inkila&op=index&fingerprint=on
>
> I have used my old key since 2007. Fingerprint F4DB 40F8 BF22 8B9D 9B8F F679 A482 4C9A 033E 22A2. I know this is quite an old key and maybe I should revoke it.
>
> BUT
>
> I also found another key with fingerprint 87C4 F4C8 16D1 3CC3 03E0 7977 1A9C 6259 033E 22A2. The key ID is the same 033E 22A2 on both keys. There are also signatures in this key. Looks like same persons and same key ID's but fingerprints don't match. For some reason this key has been revoked.
>
> Did someone really generate a same looking key? And why? Any ideas? Someone tries to capture my emails? I would like to see some sort of theory what is going on, thanks :)

There are many such fake keys on the keyservers. I have one as well.
It's trivial to forge the short (8 hex digit) key ID - just keep
generating keys over and over until you match the lower 32 bits. Note
that the fingerprints do not match, as there is no (current) way to
forge an entire fingerprint.

See https://evil32.com - they made the keys as a demonstration, but
didn't upload them. It's an excellent demonstration why people should
never trust the short key ID for anything.

David

From grossws at gmail.com Tue May 16 20:35:53 2017
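The replies in this thread come down to one check: a short key ID is only the last 8 hex digits of the fingerprint, so a keyring can be audited for primary keys that share it. The following is an added example, not code from the thread: the listing is constructed in the record layout of `gpg2 --with-colons --fingerprint --list-keys` with only the key ID and fingerprint fields filled in, using fingerprints quoted in the messages above; the function names are hypothetical.

```python
# Added example (not from the thread): flag keys whose short key IDs collide.
from collections import defaultdict

# Constructed listing; real output carries more fields per record.
SAMPLE_LISTING = """\
pub::::A4824C9A033E22A2:::::::
fpr:::::::::F4DB40F8BF228B9D9B8FF679A4824C9A033E22A2:
pub::::1A9C6259033E22A2:::::::
fpr:::::::::87C4F4C816D13CC303E079771A9C6259033E22A2:
pub::::47CCF7E476FE9D11:::::::
fpr:::::::::5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11:
sub::::6AA5C5C451A1CD1C:::::::
fpr:::::::::E51DD2D6C72735D6651DEA4B6AA5C5C451A1CD1C:
"""

HEX = set("0123456789ABCDEF")


def primary_fingerprints(listing: str) -> list:
    """Collect the fingerprint record that follows each pub/sec record."""
    fprs, want = [], False
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sec"):
            want = True
        elif f[0] in ("sub", "ssb"):
            want = False                 # skip subkey fingerprints
        elif f[0] == "fpr" and want and len(f) > 9:
            fpr = f[9].upper()
            if len(fpr) != 40 or not set(fpr) <= HEX:
                raise ValueError(f"unexpected fingerprint: {f[9]!r}")
            fprs.append(fpr)
            want = False
    return fprs


def id_collisions(fprs, hex_digits: int = 8) -> dict:
    """Map each key ID shared by several distinct fingerprints to those keys.

    hex_digits=8 is the short key ID, 16 the long key ID.
    """
    groups = defaultdict(set)
    for fpr in fprs:
        groups[fpr[-hex_digits:]].add(fpr)
    return {kid: sorted(g) for kid, g in groups.items() if len(g) > 1}


def lookup(key_ref: str, fprs) -> list:
    """Return every key a reference (short ID, long ID, fingerprint) selects."""
    ref = key_ref.replace(" ", "").upper()
    if ref.startswith("0X"):
        ref = ref[2:]
    if not ref or not set(ref) <= HEX:
        raise ValueError(f"not a hex key reference: {key_ref!r}")
    return sorted(f for f in fprs if f.endswith(ref))


if __name__ == "__main__":
    keys = primary_fingerprints(SAMPLE_LISTING)
    for kid, group in id_collisions(keys).items():
        print(f"short ID {kid} is shared by:")
        for fpr in group:
            print(f"  {fpr}")
    # The short ID selects two keys; the full fingerprint selects one.
    print(len(lookup("0x033E22A2", keys)))
    print(len(lookup("F4DB 40F8 BF22 8B9D 9B8F F679 A482 4C9A 033E 22A2", keys)))
```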
From: grossws at gmail.com (Konstantin Gribov)
Date: Tue, 16 May 2017 18:35:53 +0000
Subject: SSH RSA comment lost when imported to gpg-agent
Message-ID:

Hi, folks.

I've found strange `gpg-agent` behavior. When I import
`~/.ssh/id_ed25519` with `ssh-add` it takes comment from its public
counterpart. But when I do the same with `id_rsa` it just uses
`.ssh/id_rsa` instead of actual comment.

Is there any way to change that comment via `gpg-connect-agent`?

Env: Arch Linux, GnuPG 2.1.20.

--
Best regards,
Konstantin Gribov

From dkg at fifthhorseman.net Wed May 17 05:26:38 2017
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Tue, 16 May 2017 23:26:38 -0400
Subject: debugging systemd user services for gpg-agent and dirmngr [was: Re: gpg hangs when asking for passphrase]
In-Reply-To: <20170515231035.fgcnpaatixxpcrih@conquistador.dnsalias.org>
References: <20170509023434.i555tlb7or37wrz2@conquistador.dnsalias.org> <8760ham1cv.fsf@fifthhorseman.net> <20170510014347.5papjllsxyo5xdsy@conquistador.dnsalias.org> <87a86kk2gc.fsf@fifthhorseman.net> <20170511021728.3t3anc6hgcqup7np@conquistador.dnsalias.org> <87tw4shzg2.fsf@fifthhorseman.net> <20170515231035.fgcnpaatixxpcrih@conquistador.dnsalias.org>
Message-ID: <87bmqsduz5.fsf@fifthhorseman.net>

On Mon 2017-05-15 19:10:35 -0400, Joey Morris wrote:
> Daniel Kahn Gillmor wrote on Wed, May 10, 2017 at 10:58:21PM -0400:
>> On Wed 2017-05-10 22:17:28 -0400, Joey Morris wrote:
>> > I have systemd version 222-1 installed, which appears to be wildly out of date.
>> > The first thing I'll try when I get back to this is to upgrade systemd.
>>
>> yes, please!
>
> After upgrading systemd, I'm happy to report that my agent connections no longer
> hang and everything seems to be working well. (Because the upgrade fixed my
> problem, I didn't attempt your other suggestion of moving my .xsession startup
> tasks to .config/openbox/autostart.) Thank you for the assistance!

yay, glad to hear it! I'm still a bit perplexed by what happened there,
but hopefully having this note in the archives will help folks find it
if they have a similar problem with an older version of systemd.

--dkg

From gniibe at fsij.org Wed May 17 08:31:44 2017
From: gniibe at fsij.org (NIIBE Yutaka) Date: Wed, 17 May 2017 15:31:44 +0900 Subject: command 'LEARN' failed: No inquire callback in IPC In-Reply-To: References: <874lwli7sf.fsf@fsij.org> Message-ID: <87efvom1tb.fsf@fsij.org>

Dustin Rogers wrote:
> In fact the native support for smart cards does not seem to support
> network attached HSM "virtual tokens" devices at all. It could be
> possible that I need to specify the local port the installed HSM agent
> is running on, but I don't think I will be that lucky.

No, scdaemon doesn't support it.

> I have this other scdaemon (gnupg-pkcs11-scd) working fine with gnupg 2.0,

Well, I think that gnupg-pkcs11-scd is not supported by GnuPG, 2.0 or 2.1. It is a kind of... independently developed program, unfortunately. It was just coincidence (from my view point) it worked with GnuPG 2.0. It would be good if someone around gnupg-pkcs11-scd shares development information with GnuPG.

> but with manual pinentry for each operation. I can't get it working
> with gnupg 2.1. (again, I am looking for the unattended pinentry
> support the later version seems to have) Thus, I really don't think
> this is an issue with the scdaemon I am using. Moreover, I can see the
> INQUIRE PIN callback is there, the pinentry is just not
> appearing. Really I would like to understand why the gpg-connect-agent
> is allowing the pin call back through, and the gpg-agent itself is
> not?

Well, it's the detail of protocol between gpg-agent and scdaemon. INQUIRE NEEDPIN from scdaemon is not expected by gpg-agent when LEARN --force is issued. This situation is same in GnuPG 2.0. We don't know how gnupg-pkcs11-scd works, according to your log, it breaks the protocol for LEARN. gpg-agent only delegates back the INQUIRE NEEDPIN request to gpg when it is prepared: PKSIGN, PKDECRYPT, WRITEKEY, and generic SCD. For gpg-connect-agent with SCD command, it is prepared, thus it works.
I think that it would be good to check why gnupg-pkcs11-scd called back with INQUIRE NEEDPIN for LEARN command.
--

From pjlists at netzkommune.com Thu May 18 09:10:59 2017
From: pjlists at netzkommune.com (Philip Jocks) Date: Thu, 18 May 2017 09:10:59 +0200 Subject: Did exit codes change in 2.1.21? Message-ID: <0F4DC5E2-464C-4999-857F-672D1956488C@netzkommune.com>

Hi,

we're using duply/duplicity with gnupg on FreeBSD and upgraded a few machines to gnupg 2.1.21 yesterday. That made the backups stop working, as some selftest doesn't work. Running this:

echo "passphrase" | gpg --sign --default-key AAAAAAAA --passphrase-fd 0 --batch -r AAAAAAAA -r BBBBBBBB -r CCCCCCCC -r DDDDDDDD --status-fd 1 --pinentry-mode=loopback --compress-algo=bzip2 --bzip2-compress-level=9 -o /tmp/duply.2979.1495090227_ENC -e /usr/local/bin/duply ; echo $?

on 2.1.20 returns 0 and on 2.1.21, it now returns 2

I posted this message on the duply/duplicity mailing list, but given that gpg's exit code changed, it's probably not a problem in duply:

http://lists.gnu.org/archive/html/duplicity-talk/2017-05/msg00041.html

What seems to be "new" in the 2.1.21 output is

gpg: error getting version from 'scdaemon': Not supported
[GNUPG:] CARDCTRL 6

We don't build the FreeBSD port with SCDAEMON support. To verify, we built it for one box with SCDAEMON support, but the error is still the same. Is there anything else we can try?

Cheers, Philip
From gniibe at fsij.org Thu May 18 12:27:24 2017
From: gniibe at fsij.org (NIIBE Yutaka) Date: Thu, 18 May 2017 19:27:24 +0900 Subject: Did exit codes change in 2.1.21? In-Reply-To: <0F4DC5E2-464C-4999-857F-672D1956488C@netzkommune.com> References: <0F4DC5E2-464C-4999-857F-672D1956488C@netzkommune.com> Message-ID: <87o9uqh33n.fsf@fsij.org> Philip Jocks wrote: > gpg: error getting version from 'scdaemon': Not supported > [GNUPG:] CARDCTRL 6 This is due to my badness. I wrongly assumed everyone uses smartcard. :-) > Is there anything else we can try? Here is my fix: https://dev.gnupg.org/rGa8dd96826f8484c0ae93c954035b95c2a75c80f2 Please try this patch. -- From pjlists at netzkommune.com Fri May 19 11:26:05 2017 From: pjlists at netzkommune.com (Philip Jocks) Date: Fri, 19 May 2017 11:26:05 +0200 Subject: Did exit codes change in 2.1.21? In-Reply-To: <87o9uqh33n.fsf@fsij.org> References: <0F4DC5E2-464C-4999-857F-672D1956488C@netzkommune.com> <87o9uqh33n.fsf@fsij.org> Message-ID: Hej, > Here is my fix: > https://dev.gnupg.org/rGa8dd96826f8484c0ae93c954035b95c2a75c80f2 > > Please try this patch. seems to work. Now the exit code is 0 again, as expected. When building without SCDAEMON support, I get gpg: WARNING: server 'scdaemon' is older than us ((null) < 2.1.21) [GNUPG:] WARNING server_version_mismatch 0 server 'scdaemon' is older than us ((null) < 2.1.21) When building with SCDAEMON support, this warning disappears as expected. With or without SCDAEMON support, gpg now properly exits 0 again. Will there be a 2.1.22 soon to fix this? Cheers, Philip From mlpenguinhq at gmail.com Fri May 19 20:36:08 2017 
From: mlpenguinhq at gmail.com (Marc Curry) Date: Fri, 19 May 2017 14:36:08 -0400 Subject: Reviving a userid with revoked key Message-ID: Maybe a dumb question, but I'm looking for help thinking through how to best "revive" an old gpg key's userid after I revoked it a few years ago, thinking I wouldn't need to use it, again. 1) was at a company (e.g. marc at company-a.com) 2) went to company-b and revoked key for marc at company-a 3) now I'm back at company-a, and want to start using marc at company-a.com userid again Thoughts on the best/recommended way to do this? I still remember my secret key's password. Should I just delete the (revoked) key from my keyring and re-do a --gen-key using the same/original e-mail address as the userid? Thanks for any suggestions, Marc -------------- next part -------------- An HTML attachment was scrubbed... URL: From kristian.fiskerstrand at sumptuouscapital.com Fri May 19 21:58:34 2017 
From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand) Date: Fri, 19 May 2017 21:58:34 +0200 Subject: Reviving a userid with revoked key In-Reply-To: References: Message-ID: <7c718ac6-d857-08fe-1ad9-cb19b0aebac1@sumptuouscapital.com>

On 05/19/2017 08:36 PM, Marc Curry wrote:
> Maybe a dumb question, but I'm looking for help thinking through how to
> best "revive" an old gpg key's userid after I revoked it a few years ago,
> thinking I wouldn't need to use it, again.
>
> 1) was at a company (e.g. marc at company-a.com)
> 2) went to company-b and revoked key for marc at company-a
> 3) now I'm back at company-a, and want to start using marc at company-a.com
> userid again

Nothing wrong with that, just add a new user id using adduid from --edit-key, it won't have the old signatures from other users, those got lost at the revocation point, but your new contacts can sign the new UID without issue. Deleting the old UID will have no practical effect if it has been distributed to a keyserver historically.

--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
"If you choose to sail upon the seas of banking, build your bank as you would your boat, with the strength to sail safely through any storm." (Jacob Safra (1891-1963))
-------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: OpenPGP digital signature URL:
From michael at englehorn.com Fri May 19 21:56:58 2017
From: michael at englehorn.com (Michael Englehorn) Date: Fri, 19 May 2017 14:56:58 -0500 Subject: Reviving a userid with revoked key In-Reply-To: (Marc Curry's message of "Fri, 19 May 2017 14:36:08 -0400") References: Message-ID: Marc Curry writes: > 1) was at a company (e.g. marc at company-a.com) > 2) went to company-b and revoked key for marc at company-a > 3) now I'm back at company-a, and want to start using marc at company-a.com userid again If you revoked the key, and not just the user id, you have to start over with a new key, especially if you published the revocation anywhere. Once you send a revoked key to the keyservers, it's game over for that key, by design. > Thoughts on the best/recommended way to do this? I still remember my secret key's password. > > Should I just delete the (revoked) key from my keyring and re-do a --gen-key using the same/original e-mail address as the userid? You don't really have to delete it, you can just generate a new one using the same name and e-mail address. -Michael Englehorn From dkg at fifthhorseman.net Sat May 20 19:27:29 2017
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Sat, 20 May 2017 13:27:29 -0400 Subject: Reviving a userid with revoked key In-Reply-To: <7c718ac6-d857-08fe-1ad9-cb19b0aebac1@sumptuouscapital.com> References: <7c718ac6-d857-08fe-1ad9-cb19b0aebac1@sumptuouscapital.com> Message-ID: <87fufzxwu6.fsf@fifthhorseman.net> On Fri 2017-05-19 21:58:34 +0200, Kristian Fiskerstrand wrote: > On 05/19/2017 08:36 PM, Marc Curry wrote: >> Maybe a dumb question, but I'm looking for help thinking through how to >> best "revive" an old gpg key's userid after I revoked it a few years ago, >> thinking I wouldn't need to use it, again. >> >> 1) was at a company (e.g. marc at company-a.com) >> 2) went to company-b and revoked key for marc at company-a >> 3) now I'm back at company-a, and want to start using marc at company-a.com >> userid again > > Nothing wrong with that, just add a new user id using adduid from > --edit-key This is the case if the *user-id* was revoked, while the key itself was not revoked. If the OP revoked the old key itself, then they need to just make a new key. > it wont have the old signatures from other users, those got > lost at the revocation point, but your new contacts can sign the new UID > without issue. The old contacts should also be able to re-certify, no? --dkg From fabian.hammerle at gmail.com Sat May 20 19:06:32 2017 
From: fabian.hammerle at gmail.com (Fabian Peter Hammerle) Date: Sat, 20 May 2017 19:06:32 +0200 Subject: gpgsm: create cert for client authentication with single batch command Message-ID: <20170520170632.GA31036@arma-nova>

Hi,

I would like to use gpgsm to create x509 certificates for HTTPS client authentication.

Currently I follow these steps:

1. create RSA key

$ gpgsm --gen-key --batch <<EOF
> Key-Type: RSA
> Key-Length: 2048
> Name-DN: CN=temporary to create key
> EOF

2. determine keygrip in ~/.gnupg/private-keys-v1.d

3. create / sign cert

$ gpgsm --gen-key --batch --output cert.der <<EOF
> Key-Type: RSA
> Key-Grip: [keygrip determined in step 2]
> Key-Usage: sign
> Serial: random
> Name-DN: CN=client
> Hash-Algo: SHA256
> Subject-Key-Id: [keygrip determined in step 2]
> Issuer-DN: CN=my ca
> Signing-Key: [keygrip of CA]
> Authority-Key-Id: [keygrip of CA]
> Extension: 2.5.29.19 c 3003010100
> # X509v3 Extended Key Usage:
> # TLS Web Client Authentication
> Extension: 2.5.29.37 n 300A06082B06010505070302
> EOF

generated cert in gpgsm:

> ID: 0xC5F39AEF
> S/N: 3956F9C7E8AC6D90
> Issuer: /CN=my ca
> Subject: /CN=client
> validity: 2017-05-20 16:44:33 through 2063-04-05 17:00:00
> key type: 2048 bit RSA
> key usage: digitalSignature nonRepudiation
> ext key usage: clientAuth (suggested)
> fingerprint: A7:D1:FE:1C:FA:CD:0B:EE:2F:05:B5:4B:2D:4E:89:DD:C5:F3:9A:EF
> keygrip: [keygrip determined in step 2]
> [certificate is good]

$ openssl x509 -inform der -in cert.der -text -outform pem -out cert.pem
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 4131764345156431248 (0x3956f9c7e8ac6d90)
> Signature Algorithm: sha256WithRSAEncryption
> Issuer: C=AT, CN=Fabian Peter Hammerle
> Validity
> Not Before: May 20 16:44:33 2017 GMT
> Not After : Apr 5 17:00:00 2063 GMT
> Subject: CN=client
> Subject Public Key Info:
> [...]
> X509v3 extensions:
> X509v3 Basic Constraints: critical
> CA:FALSE
> X509v3 Extended Key Usage:
> TLS Web Client Authentication
> X509v3 Subject Key Identifier:
> [keygrip determined in step 2]
> X509v3 Authority Key Identifier:
> keyid:[keygrip of CA]
>
> X509v3 Key Usage: critical
> Digital Signature, Non Repudiation
> Signature Algorithm: sha256WithRSAEncryption
> [...]

$ openssl verify -verbose cert.pem
> cert.pem: OK

My problem: Currently I have to call gpgsm twice in order to set the Subject Key Identifier extension. In the first step I don't know the keygrip yet, so I can't set:

> Subject-Key-Id: 12345...CDEF

Can I tell gpgsm to set the Subject Key ID according to the newly created RSA key? I am looking for a solution like:

$ gpgsm --gen-key --batch --output cert.der <<EOF
> Key-Type: RSA
> Key-Length: 2048
> Key-Usage: sign
> Serial: random
> Name-DN: CN=client
> Hash-Algo: SHA256
> Subject-Key-Id: magic-keyword
> Issuer-DN: CN=my ca
> Signing-Key: [keygrip of CA]
> Authority-Key-Id: [keygrip of CA]
> Extension: 2.5.29.19 c 3003010100
> # X509v3 Extended Key Usage:
> # TLS Web Client Authentication
> Extension: 2.5.29.37 n 300A06082B06010505070302
> EOF

I would prefer creating the cert in a single step.

Fabian
--
fabian.hammerle.me
-------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL:
From 2014-667rhzu3dc-lists-groups at riseup.net Sun May 21 12:41:00 2017
From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Sun, 21 May 2017 11:41:00 +0100 Subject: [Announce] GnuPG 2.1.21 released In-Reply-To: <87bmquvwu1.fsf@wheatstone.g10code.de> References: <87bmquvwu1.fsf@wheatstone.g10code.de> Message-ID: <82096920.20170521114100@riseup.net> Hi On Monday 15 May 2017 at 6:44:38 PM, in , Werner Koch wrote:- > The GnuPG team is pleased to announce the > availability of a new release > of GnuPG: version 2.1.21. Unfortunately, I find I have to stick with 2.1.19 because of . -- Best regards MFPA Only dead fish go with the flow From 2014-667rhzu3dc-lists-groups at riseup.net Mon May 22 01:38:22 2017
From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Mon, 22 May 2017 00:38:22 +0100 Subject: [Announce] GnuPG 2.1.21 released In-Reply-To: <82096920.20170521114100@riseup.net> References: <87bmquvwu1.fsf@wheatstone.g10code.de> <82096920.20170521114100@riseup.net> Message-ID: <1816785341.20170522003822@riseup.net> On Sunday 21 May 2017 at 11:41:00 AM, in , I wrote:- > Unfortunately, I find I have to stick with 2.1.19 > because of > . Although this has possibly been solved by renaming my old pubring.kbx file and importing all the keys from it into GnuPG, thereby generating a new pubring.kbx. At least, 2.1.21 seems to work for me at the moment. -- Best regards MFPA Look, it's a hat! It's not going to hurt you. From timemaster at sillydog.org Mon May 22 18:07:39 2017
From: timemaster at sillydog.org (David Vallier) Date: Mon, 22 May 2017 10:07:39 -0600 Subject: Unknown key type Message-ID: Can someone please explain why I am getting a yellow bar on a LOT of signed msgs saying that the key type is unknown?? the exact msg is "Part of the message signed with unknown key; the key type is not supported by your version of GnuPG" I am running GnuPG 2.0.30 (Gpg4Win 2.3.3) on a win 7 box. From antony at blazrsoft.com Mon May 22 20:49:36 2017 From: antony at blazrsoft.com (antony at blazrsoft.com) Date: Mon, 22 May 2017 14:49:36 -0400 Subject: Unknown key type In-Reply-To: References: Message-ID: <6C31A095-5D62-4000-BA1E-84E752695B9B@blazrsoft.com> On May 22, 2017 12:07:39 PM EDT, David Vallier wrote: >Can someone please explain why I am getting a yellow bar on a LOT of >signed msgs saying that the key type is unknown?? > >the exact msg is "Part of the message signed with unknown key; the key >type is not supported by your version of GnuPG" > >I am running GnuPG 2.0.30 (Gpg4Win 2.3.3) on a win 7 box. They are probably signed with elliptic curve keys which are not supported by the version of libgcrypt used in that version of gnupg IIRC. -- Sent from my Android device with K-9 Mail. Please excuse my brevity. From brian at minton.name Mon May 22 20:06:56 2017
From: brian at minton.name (Brian Minton) Date: Mon, 22 May 2017 14:06:56 -0400 Subject: Unknown key type In-Reply-To: References: Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Mon, May 22, 2017 at 12:07 PM, David Vallier wrote:
> Can someone please explain why I am getting a yellow bar on a LOT of
> signed msgs saying that the key type is unknown??
>
> the exact msg is "Part of the message signed with unknown key; the key
> type is not supported by your version of GnuPG"
>
> I am running GnuPG 2.0.30 (Gpg4Win 2.3.3) on a win 7 box.

If I had to guess, I'd say the sender of those messages is using ECC keys.
They are only supported in GnuPG 2.1. In fact, I'm using such a key to
sign this message (but my key also has a DSA subkey, so gpg 2.0 should
still verify the signature). So, you may see the warning on this message.
-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQTu0BWAE9wubW4AHqQ3uVB6z/IBbgUCWSMoqQAKCRA3uVB6z/IB
bphCAQDgR8N3EWlJX5sfzfXCVHFi3rWpXfinGtRbl8tlVxEm8AEA7gwKWQ5f3Z5s
F20WPXhNIxnHF+UnIY4T829pSim4TQiIdQQBEQgAHRYhBPnEu3YOeD8N7BCmimuO
s6Blz7qpBQJZIyipAAoJEGuOs6Blz7qpeN0A/R8IwSrOQreTFVB4gga79xz6XIKA
MdBvmMhXY8LSuUhNAP0Z8bv/rQWSOtf7dGPTEDYPKRCs1kYguHULVlhs/Bcc3Q==
=MOy5
-----END PGP SIGNATURE-----
-------------- next part -------------- An HTML attachment was scrubbed... URL:
From guru at unixarea.de Mon May 22 21:28:27 2017
From: guru at unixarea.de (Matthias Apitz) Date: Mon, 22 May 2017 21:28:27 +0200 Subject: Unknown key type In-Reply-To: References: Message-ID: <20170522192827.GA10168@c720-r314251>

On Monday, May 22, 2017 at 02:06:56 PM -0400, Brian Minton wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On Mon, May 22, 2017 at 12:07 PM, David Vallier
> wrote:
> > Can someone please explain why I am getting a yellow bar on a LOT of
> > signed msgs saying that the key type is unknown??
> >
> > the exact msg is "Part of the message signed with unknown key; the key
> > type is not supported by your version of GnuPG"
> >
> > I am running GnuPG 2.0.30 (Gpg4Win 2.3.3) on a win 7 box.
>
>
> If I had to guess, I'd say the sender of those messages is using ECC keys.
> They are only supported in GnuPG 2.1. In fact, I'm using such a key to
> sign this message (but my key also has a DSA subkey, so gpg 2.0 should
> still verify the signature). So, you may see the warning on this message.
> -----BEGIN PGP SIGNATURE-----
>
> iHUEARYIAB0WIQTu0BWAE9wubW4AHqQ3uVB6z/IBbgUCWSMoqQAKCRA3uVB6z/IB
> bphCAQDgR8N3EWlJX5sfzfXCVHFi3rWpXfinGtRbl8tlVxEm8AEA7gwKWQ5f3Z5s
> F20WPXhNIxnHF+UnIY4T829pSim4TQiIdQQBEQgAHRYhBPnEu3YOeD8N7BCmimuO
> s6Blz7qpBQJZIyipAAoJEGuOs6Blz7qpeN0A/R8IwSrOQreTFVB4gga79xz6XIKA
> MdBvmMhXY8LSuUhNAP0Z8bv/rQWSOtf7dGPTEDYPKRCs1kYguHULVlhs/Bcc3Q==
> =MOy5
> -----END PGP SIGNATURE-----

piping the above mail to gpg2 (2.1.19) gives:

If I had to guess, I'd say the sender of those messages is using ECC keys.
They are only supported in GnuPG 2.1. In fact, I'm using such a key to
sign this message (but my key also has a DSA subkey, so gpg 2.0 should
still verify the signature). So, you may see the warning on this message.
gpg: Signature made Mon May 22 20:06:33 2017 CEST
gpg: using EDDSA key EED0158013DC2E6D6E001EA437B9507ACFF2016E
gpg: Can't check signature: No public key
gpg: Signature made Mon May 22 20:06:33 2017 CEST
gpg: using DSA key F9C4BB760E783F0DEC10A68A6B8EB3A065CFBAA9
gpg: Can't check signature: No public key

matthias
--
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
May 8, 1945: Who does not celebrate lost the War.
-------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL:
From wk at gnupg.org Thu May 25 20:15:07 2017
From: wk at gnupg.org (Werner Koch) Date: Thu, 25 May 2017 20:15:07 +0200 Subject: Unknown key type In-Reply-To: (David Vallier's message of "Mon, 22 May 2017 10:07:39 -0600") References: Message-ID: <87inkols5w.fsf@wheatstone.g10code.de>

On Mon, 22 May 2017 18:07, timemaster at sillydog.org said:
> Can someone please explain why I am getting a yellow bar on a LOT of
> signed msgs saying that the key type is unknown??

Some of these mails are probably also from me. By default I sign my messages with an Ed25519 subkey which is a Curve25519 based ECC key using the EdDSA algorithm. Agreed, this algorithm is not yet officially specified by OpenPGP and thus other software does not know about it and tells you "unknown key type". For other ECC keys, which use the ECDH or ECDSA algorithm, GnuPG 2.0.30 can display the algorithm but not use them (i.e. verify a signature).

Salam-Shalom, Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 227 bytes Desc: not available URL:
From raspac at gmail.com Fri May 26 09:52:36 2017
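Added example (not part of any message in this thread, and not GnuPG code): the signature block in Brian Minton's message holds two signature packets, and reading their headers shows which public-key algorithm each one uses, which is what decides whether GnuPG 2.0.x reports an unknown key type. The armored text is copied from that message; the algorithm-name table and the function names are this example's own.

```python
import base64
from datetime import datetime, timezone

# OpenPGP public-key algorithm IDs; 18, 19 and 22 are the ECC ones.
PUBKEY_ALGOS = {1: "RSA", 16: "Elgamal", 17: "DSA",
                18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
ECC_ALGOS = {18, 19, 22}

# Signature block copied from Brian Minton's message in this thread.
ARMORED = """\
-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQTu0BWAE9wubW4AHqQ3uVB6z/IBbgUCWSMoqQAKCRA3uVB6z/IB
bphCAQDgR8N3EWlJX5sfzfXCVHFi3rWpXfinGtRbl8tlVxEm8AEA7gwKWQ5f3Z5s
F20WPXhNIxnHF+UnIY4T829pSim4TQiIdQQBEQgAHRYhBPnEu3YOeD8N7BCmimuO
s6Blz7qpBQJZIyipAAoJEGuOs6Blz7qpeN0A/R8IwSrOQreTFVB4gga79xz6XIKA
MdBvmMhXY8LSuUhNAP0Z8bv/rQWSOtf7dGPTEDYPKRCs1kYguHULVlhs/Bcc3Q==
=MOy5
-----END PGP SIGNATURE-----
"""


def dearmor(text):
    """Return the packet bytes of an armored block (checksum line skipped, not verified)."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    start = next(i for i, ln in enumerate(lines) if ln.startswith("-----BEGIN "))
    end = next(i for i, ln in enumerate(lines) if ln.startswith("-----END "))
    # Drop armor headers ("Version: ..."), the blank separator and the "=XXXX" line.
    body = [ln for ln in lines[start + 1:end]
            if ln and ":" not in ln and not ln.startswith("=")]
    return base64.b64decode("".join(body), validate=True)


def read_length(buf, pos, packet):
    """Decode a new-format packet length or a subpacket length; return (length, next_pos)."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first == 255:
        return int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5
    if packet and first >= 224:
        raise ValueError("partial body lengths are not handled here")
    return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2


def read_packets(data):
    """Yield (tag, body) for each packet in a binary OpenPGP stream."""
    pos = 0
    while pos < len(data):
        header = data[pos]
        if not header & 0x80:
            raise ValueError("bit 7 clear: not a packet header")
        if header & 0x40:                        # new-format header
            tag = header & 0x3F
            length, pos = read_length(data, pos + 1, packet=True)
        else:                                    # old-format header
            tag, ltype = (header >> 2) & 0x0F, header & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not handled here")
            size = 1 << ltype                    # 1, 2 or 4 length octets
            length = int.from_bytes(data[pos + 1:pos + 1 + size], "big")
            pos += 1 + size
        yield tag, data[pos:pos + length]
        pos += length


def read_subpackets(area):
    """Yield (type, data) for each signature subpacket; the critical bit is masked off."""
    pos = 0
    while pos < len(area):
        length, pos = read_length(area, pos, packet=False)
        yield area[pos] & 0x7F, area[pos + 1:pos + length]
        pos += length


def list_signatures(armored):
    """Describe every version 4 signature packet (tag 2) in an armored block."""
    found = []
    for tag, body in read_packets(dearmor(armored)):
        if tag != 2 or body[0] != 4:
            continue                             # other packets and v3 signatures are skipped
        algo = body[2]
        info = {"algo": algo, "name": PUBKEY_ALGOS.get(algo, "unknown"),
                "ecc": algo in ECC_ALGOS, "fingerprint": None, "created": None}
        hashed_len = int.from_bytes(body[4:6], "big")
        for stype, sdata in read_subpackets(body[6:6 + hashed_len]):
            if stype == 33:                      # issuer fingerprint: version octet + fingerprint
                info["fingerprint"] = sdata[1:].hex().upper()
            elif stype == 2:                     # signature creation time
                info["created"] = datetime.fromtimestamp(
                    int.from_bytes(sdata, "big"), timezone.utc)
        found.append(info)
    return found
```

The two entries returned for this block carry the same key fingerprints that gpg2 printed in Matthias Apitz's reply; the one flagged `ecc` is the signature that 2.0.x cannot check.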
From: raspac at gmail.com (Rastislav Pacuta) Date: Fri, 26 May 2017 09:52:36 +0200 Subject: GnuPG compile error Message-ID:

Hi All,

I am trying to install gnupg-2.1.21 on Red Hat Enterprise Linux Server release 6.8

GnuPG v2.1.21 has been configured as follows:

Revision: 9574820 (38260)
Platform: GNU/Linux (x86_64-pc-linux-gnu)
OpenPGP: yes
S/MIME: yes
Agent: yes
Smartcard: yes (without internal CCID driver)
G13: no
Dirmngr: yes
Gpgtar: yes
WKS tools: no
Protect tool: (default)
LDAP wrapper: (default)
Default agent: (default)
Default pinentry: (default)
Default scdaemon: (default)
Default dirmngr: (default)
Dirmngr auto start: yes
Readline support: no
LDAP support: no
TLS support: no
TOFU support: no
Tor support: yes

During make command I get this error output:

sysutils.c: In function 'gnupg_inotify_watch_socket':
sysutils.c:1163: error: 'IN_EXCL_UNLINK' undeclared (first use in this function)
sysutils.c:1163: error: (Each undeclared identifier is reported only once
sysutils.c:1163: error: for each function it appears in.)
make[3]: *** [libcommon_a-sysutils.o] Error 1
make[3]: Leaving directory `/tmp/gnupg-2.1.21/common'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/tmp/gnupg-2.1.21/common'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/tmp/gnupg-2.1.21'
make: *** [all] Error 2

I checked bug reports and haven't found anything similar...

Rasti
-------------- next part -------------- An HTML attachment was scrubbed... URL:
From ben at adversary.org Sat May 27 11:56:09 2017
From: ben at adversary.org (Ben McGinnes) Date: Sat, 27 May 2017 19:56:09 +1000 Subject: Unicode and --with-colons In-Reply-To: References: Message-ID: <20170527095609.ob5foolkqcrwtllq@adversary.org> On Sat, Apr 01, 2017 at 04:57:04AM -0400, Robert J. Hansen wrote: > C:\Users\Robert J. Hansen\Desktop> gpg --fixed-list-mode --with-colons > --list-key 0x3ADBFA6D00A1E6FE > > ===== > [... trimmed ...] > uid:-::::1436536488::100E4A12486A5261E374B3B0CA16CF0516F4367C::Ludwig > H??gelsch??fer : > ===== > > "That's an odd encoding," I said to myself. "It must be UTF-8 presented > as ASCII or Windows-1252. Let's look, shall we?" I've never noticed anything like that with Ludwig's key. Either regularly or with the flags you used here. That said, if you ever do need to be absolutely certain that the output is in UTF-8, there is a way to guarantee it. Just use GPGME's little known or noticed XML output with gpgme-tool: echo "KEYLIST 0x3ADBFA6D00A1E6FE /bye" | gpgme-tool > 0x3ADBFA6D00A1E6FE.xml The output will need to be trimmed of the GPGME header at the top, the "OK" disconnection at the bottom, the "D " at the beginning of each line and the "%0A" at the end of each line. I'm sure you can script it to trim all that for you before writing the file anyway. Although I've attached that example here. On a semi-related note; a bit over a year ago I generated W3C XML Schema (XSD) and Relax-NG Schema (RNG) files for the GPGME XML data. From these I also generated Relax-NG Compact (RNC), DTDs, Docbook 5 documentation (from the XSD) and XHTML docs (from the Docbook); in case anyone finds a need for validating the XML files. There isn't currently a formal XML namespace setup for the schemas since it doesn't appear that anyone's done anything with it (i.e. no one noticed and thus no one asked for it). 
Anyway, if they're of use, the schemas and docs are in one of my branches on the git server, here: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=tree;f=lang/xml-schemas;h=06dfd4c925294cffba88f4f451bdef39dd2b4e4d;hb=6e9d5a5800fa8da96c706748bf60a8a074818af6 I'd recommend using either the XSD or the RNG rather than the others. They're generally going to be better or more accurate. The RNC and DTD are there because I figured I may as well generate them at the same time. Regards, Ben -------------- next part -------------- A non-text attachment was scrubbed... Name: 0x3ADBFA6D00A1E6FE.xml Type: application/xml Size: 2031 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 630 bytes Desc: not available URL: From wub at partyvan.eu Sun May 28 09:07:35 2017 
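Added example (not from Ben McGinnes's message or the GPGME project): one way to script the trimming he describes, dropping the greeting and the closing "OK", stripping the "D " prefix and undoing the %0A escapes. It goes slightly further than the message by decoding every %XX escape and by joining the data lines before decoding, so text that is wrapped across two "D " lines still comes out as valid UTF-8. The session transcript, its greeting text and the XML element names are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

_ESCAPE = re.compile(rb"%([0-9A-Fa-f]{2})")

# Constructed transcript in the shape described in the message: a greeting,
# "D " data lines ending in %0A, and a closing "OK".
SAMPLE = (
    b"OK GPGME-Tool ready\n"
    b'D <?xml version="1.0" encoding="UTF-8" standalone="yes"?>%0A\n'
    b"D <gpgme>%0A\n"
    b"D   <uid>Ludwig H\xc3\n"      # constructed: line ends inside a UTF-8 sequence
    b"D \xbcgelsch\xc3\xa4fer (100%25 constructed)</uid>%0A\n"
    b"D </gpgme>%0A\n"
    b"OK\n"
)


def assuan_payload(raw: bytes) -> bytes:
    """Join the payload of all 'D ' lines, then undo the %XX escaping once."""
    payload = bytearray()
    for line in raw.split(b"\n"):
        line = line.rstrip(b"\r")
        if line.startswith(b"D "):
            payload += line[2:]
        elif line.startswith(b"ERR"):
            # The server reported a failure; do not write a half-empty file.
            raise RuntimeError(line.decode("ascii", "replace"))
        # "OK ...", "S ..." and "# ..." lines carry no document data.
    # Unescape after joining so nothing depends on where lines were wrapped.
    return _ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), bytes(payload))


def gpgme_tool_xml(raw: bytes) -> str:
    """Return the XML document as text, after checking that it is well-formed."""
    xml_bytes = assuan_payload(raw)
    ET.fromstring(xml_bytes)        # raises ParseError on truncated or broken output
    return xml_bytes.decode("utf-8")


def uid_texts(raw: bytes) -> list:
    """Text of every <uid> element (element name is part of the constructed sample)."""
    return [elem.text for elem in ET.fromstring(assuan_payload(raw)).iter("uid")]


if __name__ == "__main__":
    print(gpgme_tool_xml(SAMPLE))
```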
From: wub at partyvan.eu (Juuso Lapinlampi) Date: Sun, 28 May 2017 07:07:35 +0000 Subject: Planned GnuPG mirror shutdown: mirror.se.partyvan.eu Message-ID: <20170528070735.GA84874@partyvan.eu> Hi list. I'm the operator of a GnuPG mirror at Partyvan. We've had a listed GnuPG mirror for ~1.5 years now. [1] Partyvan is shutting down next week or next month. There's some hardware issues at remote colocation which aren't easy, timely or cheap to fix. All of the following mirrors are affected: - http://mirror.se.partyvan.eu/pub/ftp.gnupg.org/gcrypt/ - https://mirror.se.partyvan.eu/pub/ftp.gnupg.org/gcrypt/ - http://tpvj6abq225m5pcf.onion/pub/ftp.gnupg.org/gcrypt/ - rsync://mirror.se.partyvan.eu/pub/ftp.gnupg.org/gcrypt/ I don't know yet if or when we could return to providing this mirror server to the public and GnuPG. For the time being, you may want to delist the mirror from the web pages. [2] The mirror will be online until the contract with our colocation host is terminated soon. Sorry for this unexpected issue. Hoping to be back in the future!
[1]: https://lists.gnupg.org/pipermail/gnupg-users/2016-January/055020.html [2]: https://gnupg.org/download/mirrors.html From wdignazio at gmail.com Sun May 28 09:41:52 2017
From: wdignazio at gmail.com (Will Dignazio) Date: Sun, 28 May 2017 00:41:52 -0700 Subject: Trouble encrypting/decrypting with ecc in libgrcypt Message-ID: <53F29982-25CA-4B67-877C-CE652AF48498@gmail.com> Hello gnupg-users, I'm stuck trying to decrypt a simple string in a test program. I seem to correctly go through all of the steps to generate a key pair, use the public key of the pair to encrypt, and the secret key to decrypt. However, the value returned after decryption seems to be mangled. Would anyone be willing to lend a moment to explain what I'm doing wrong, or any misunderstanding I may have? My program is as follows (please forgive the lack of resource deallocation, this is just a test program):

#include <stdio.h>
#include <string.h>
#include <gcrypt.h>

int main(void)
{
    gcry_error_t err = 0;
    gcry_ctx_t ctx = NULL;
    gcry_sexp_t keyparams = NULL;
    gcry_sexp_t keypair = NULL;
    gcry_sexp_t pubkey = NULL;
    gcry_sexp_t seckey = NULL;
    gcry_sexp_t encrypted_data = NULL;
    gcry_sexp_t decrypted_data = NULL;
    gcry_sexp_t enc_data = NULL;
    gcry_mpi_t datampi = NULL;
    const char *sexp = "(genkey (ecc (curve \"NIST P-256\") (flags param eddsa)))";
    size_t erroff = 0;

    /* Tell Libgcrypt that initialization has completed. */
    gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);

    /* Build the key generation parameters and generate the key pair. */
    err = gcry_sexp_build(&keyparams, &erroff, sexp);
    if (err) {
        fprintf(stderr, "Failed to build keypair sexp: %s\n", gcry_strerror(err));
        return 1;
    }

    err = gcry_pk_genkey(&keypair, keyparams);
    if (err) {
        fprintf(stderr, "Error initializing keypair: %s\n", gcry_strerror(err));
        return 1;
    }

    err = gcry_pk_testkey(keypair);
    if (err) {
        fprintf(stderr, "testkey failed\n");
        return 1;
    }

    /* Split the key pair into public and secret key S-expressions. */
    err = gcry_mpi_ec_new(&ctx, keypair, "NIST P-256");
    if (err) {
        fprintf(stderr, "Failed to allocate mpi context: %s\n", gcry_strerror(err));
        return 1;
    }

    err = gcry_pubkey_get_sexp(&pubkey, GCRY_PK_GET_PUBKEY, ctx);
    if (err) {
        fprintf(stderr, "Failed to parse public key from keypair sexp: %s\n", gcry_strerror(err));
        return 1;
    }

    err = gcry_pubkey_get_sexp(&seckey, GCRY_PK_GET_SECKEY, ctx);
    if (err) {
        fprintf(stderr, "Failed to parse secret key from keypair sexp: %s\n", gcry_strerror(err));
        return 1;
    }

    /* Wrap the plaintext in an MPI and a data S-expression. */
    const char *data = "This is the data";
    size_t len = strlen(data);

    err = gcry_mpi_scan(&datampi, GCRYMPI_FMT_STD, (const char*)data, len, NULL);
    if (err) {
        fprintf(stderr, "Failed to scan data for ecnryption: %s\n", gcry_strerror(err));
        return 1;
    }

    err = gcry_sexp_build(&enc_data, &erroff, "(data (flags raw) (value %m))", datampi);
    if (err || erroff) {
        fprintf(stderr, "Failed to build encryption sexp: %s\n", gcry_strerror(err));
        return 1;
    }

    /* Encrypt with the public key, then decrypt with the secret key. */
    err = gcry_pk_encrypt(&encrypted_data, enc_data, pubkey);
    if (err) {
        fprintf(stderr, "Failed to encrypt data sexp: %s\n", gcry_strerror(err));
        return 1;
    }
    gcry_sexp_dump(encrypted_data);
    printf("\n");

    err = gcry_pk_decrypt(&decrypted_data, encrypted_data, seckey);
    if (err) {
        fprintf(stderr, "Failed to decrypt data%s\n", gcry_strerror(err));
        return 1;
    }
    gcry_sexp_dump(decrypted_data);
    printf("\n");

    /* Extract the decrypted value and print it. */
    datampi = gcry_sexp_nth_mpi(decrypted_data, 1, GCRYMPI_FMT_USG);
    if (datampi == NULL) {
        fprintf(stderr, "Failed to extract value: %s\n", gcry_strerror(err));
        return 1;
    }

    size_t written;
    unsigned char *buffer;
    gcry_mpi_aprint(GCRYMPI_FMT_USG, &buffer, &written, datampi);
    printf("%s\n", buffer);
}

From herbert at mailbox.org Sun May 28 10:25:28 2017 
From: herbert at mailbox.org (Herbert J. Skuhra) Date: Sun, 28 May 2017 10:25:28 +0200 Subject: GnuPG compile error In-Reply-To: References: Message-ID: <8760gltmkn.wl-herbert@mailbox.org> Rastislav Pacuta wrote: > > Hi All, > I am trying to install gnupg-2.1.21 on Red Hat Enterprise Linux Server > release 6.8 > > GnuPG v2.1.21 has been configured as follows: > > Revision: 9574820 (38260) > Platform: GNU/Linux (x86_64-pc-linux-gnu) > > OpenPGP: yes > S/MIME: yes > Agent: yes > Smartcard: yes (without internal CCID driver) > G13: no > Dirmngr: yes > Gpgtar: yes > WKS tools: no > > Protect tool: (default) > LDAP wrapper: (default) > Default agent: (default) > Default pinentry: (default) > Default scdaemon: (default) > Default dirmngr: (default) > > Dirmngr auto start: yes > Readline support: no > LDAP support: no > TLS support: no > TOFU support: no > Tor support: yes > > During make command I get this error output: > > sysutils.c: In function ‘gnupg_inotify_watch_socket’: > sysutils.c:1163: error: ‘IN_EXCL_UNLINK’ undeclared (first use in this > function) > sysutils.c:1163: error: (Each undeclared identifier is reported only once > sysutils.c:1163: error: for each function it appears in.) > make[3]: *** [libcommon_a-sysutils.o] Error 1 > make[3]: Leaving directory `/tmp/gnupg-2.1.21/common' > make[2]: *** [all] Error 2 > make[2]: Leaving directory `/tmp/gnupg-2.1.21/common' > make[1]: *** [all-recursive] Error 1 > make[1]: Leaving directory `/tmp/gnupg-2.1.21' > make: *** [all] Error 2 > > I checked bug reports and haven't found anything similar... Your kernel/OS is probably too old. According to inotify(7) you need at least kernel 2.6.36. You can try:

% ./configure ac_cv_func_inotify_init=no

Emacs uses:

/* Ignore bits that might be undefined on old GNU/Linux systems. */
#ifndef IN_EXCL_UNLINK
# define IN_EXCL_UNLINK 0
#endif

-- Herbert From justus at g10code.com Mon May 29 09:51:08 2017 
From: justus at g10code.com (Justus Winter) Date: Mon, 29 May 2017 09:51:08 +0200 Subject: Planned GnuPG mirror shutdown: mirror.se.partyvan.eu In-Reply-To: <20170528070735.GA84874@partyvan.eu> References: <20170528070735.GA84874@partyvan.eu> Message-ID: <87h904w177.fsf@europa.jade-hamburg.de> Juuso Lapinlampi writes: > I'm the operator of a GnuPG mirror at Partyvan. We've had a listed > GnuPG mirror for ~1.5 years now. [1] > [...] > I don't know yet if or when we could return to providing this mirror > server to the public and GnuPG. For the time being, you may want to > delist the mirror from the web pages. [2] The mirror will be online > until the contract with our colocation host is terminated soon. > > Sorry for this unexpected issue. Hoping to be back in the future! Done. Thanks for providing a mirror :) Cheers, Justus -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 487 bytes Desc: not available URL: From duane at nofroth.com Mon May 29 13:24:40 2017 
From: duane at nofroth.com (Duane Whitty) Date: Mon, 29 May 2017 08:24:40 -0300 Subject: Mailvelope browser extension for webmail Message-ID: <5507157f-8186-2f74-68bc-156bb859da30@nofroth.com> Hi list, Thoughts on the Mailvelope browser extension...? Here's some of their material: https://www.mailvelope.com/en/faq "What is the purpose of this project? Mailvelope is an easy-to-use web-browser extension which brings OpenPGP encryption to webmail services such as Gmail™, Yahoo™ and others. With its unintrusive interface fully integrated into your webmail service, Mailvelope instantly secures your personal and professional email communications." Next one seems a little concerning to me but I'm no browser expert: "Where are my keys stored? Mailvelope stores the keys in the local storage of the browser and only there. This is a file in the user data directory of Chrome or the profiles folder of Firefox. If you clear temporary browsing data this will not affect the key storage of Mailvelope. If you delete the Mailvelope Chrome extension, then the key storage will also be removed from your file system. On Firefox there is an additional confirmation dialog once you remove the Mailvelope add-on that allows to delete all keys or leave them in the profile folder of the system." https://www.mailvelope.com/en/blog/security-warning-mailvelope-in-firefox "15/05/2017 | Security notice: Mailvelope in the current version of Firefox browser. We are in the possession of a security audit that was requested by the email provider Posteo and conducted by Cure53, which has revealed that the Firefox security structure is currently unable to offer a sufficiently safe environment for the Mailvelope browser extension. Mailvelope naturally relies on the security of the underlying browser platform. In the present case, we are unable to offer a remedy ourselves. Nevertheless, Mozilla is already working on a fundamental improvement of the add-on system. 
In November 2017, Firefox is scheduled to finally switch to an overhauled add-on structure, which will then offer sufficient protection against attacks. A new Mailvelope version for the new, improved Firefox structure is already in the making. Until Mozilla has modified the architecture, the following safety recommendations apply: Be sure to use a separate Firefox profile for Mailvelope with no other extensions installed. Make sure your password for your PGP key is as secure as possible. Take care that you do not accidentally install any other add-ons in this profile, which may make you vulnerable to attacks. The security audit also demonstrated some positive results regarding Mailvelope. Posteo writes about this: There was a check made as to whether email providers for which Mailvelope is used could access a Mailvelope user's private keys saved in the browser - this was not possible. All other attempts made by the security engineers to access private keys saved in Mailvelope, such as operating third party websites or man-in-the-middle attacks, were also unsuccessful. Security Audits such as the one performed by Posteo serve as an important indicator that shows how we can further improve Mailvelope. At this point, we'd like to thank Posteo for conducting the audit and thus their contribution to the Mailvelope project." I didn't see any Google related security information or notices. Best Regards, Duane -- Duane Whitty duane at nofroth.com -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From duane at nofroth.com Mon May 29 13:00:59 2017 
From: duane at nofroth.com (Duane Whitty) Date: Mon, 29 May 2017 08:00:59 -0300 Subject: Don't send encrypted messages to random users to test your gpg Message-ID: <766aba77-2c3b-c2e5-fdf6-5a495a4f8eb6@nofroth.com> Hi list, When I checked my email this morning I had an encrypted message from someone I didn't know and had never heard of signed with a signature for which no public key was available. When I saw the email with a subject "test, test, hello" (or something to that effect) I decided not to let Thunderbird/Enigmail process it but rather I copy and pasted the cypher text into a file and used the command line to look at it. The message and relevant gpg output was: "Subject: test, test - hello hey, i hope you don't mind - I just wanted to test using GPG and I picked you at random." gpg: Signature made Mon 29 May 2017 02:59:23 AM ADT gpg: using RSA key (deleting for email to list) gpg: Can't check signature: No public key" To the person who sent me this my reply is that yes I do mind. I tend to believe no harm is intended and I'm not terribly upset over it but I consider it to be bad Internet etiquette. It would be only a little more acceptable if you had published your public key so that the signature you used to sign with could at least be verified. Having hashed that out welcome to the community :-) To test your setup try this link, https://emailselfdefense.fsf.org/en/ I haven't used it myself but unless someone from the list knows why it shouldn't be used it should be fine. I also highly recommend reading https://www.gnupg.org/faq/gnupg-faq.html The above links are just to get started. Happy pgp'ing Best Regards, Duane -- Duane Whitty duane at nofroth.com -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From marcus.brinkmann at ruhr-uni-bochum.de Mon May 29 15:18:18 2017 
From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann) Date: Mon, 29 May 2017 15:18:18 +0200 Subject: Don't send encrypted messages to random users to test your gpg In-Reply-To: <766aba77-2c3b-c2e5-fdf6-5a495a4f8eb6@nofroth.com> References: <766aba77-2c3b-c2e5-fdf6-5a495a4f8eb6@nofroth.com> Message-ID: For people who want to communicate with other people rather than bots, there is also this: https://www.reddit.com/r/GPGpractice/ https://www.reddit.com/r/publickeyexchange/ On 05/29/2017 01:00 PM, Duane Whitty wrote: > Hi list, > > When I checked my email this morning I had an encrypted message from > someone I didn't know and had never heard of signed with a signature for > which no public key was available. > > When I saw the email with a subject "test, test, hello" (or something to > that effect" I decided not to let Thunderbird/Enigmail process it but > rather I copy and pasted the cypher text into a file and used the > command line to look at it.. > > The message and relevant gpg output was: > > "Subject: test, test - hello > > hey, i hope you don't mind - I just wanted to test using GPG and I > picked you at random." > > gpg: Signature made Mon 29 May 2017 02:59:23 AM ADT > gpg: using RSA key (deleting for email to list) > gpg: Can't check signature: No public key" > > To the person who sent me this my reply is that yes I do mind. I tend > to believe no harm is intended and I'm not terribly upset over it but I > consider it to be bad Internet etiquette. It would be only a little > more acceptable if you had published your public key so that the > signature you used to sign with could at least be verified. > > Having hashed that out welcome to the community :-) > > To test your setup try this link, https://emailselfdefense.fsf.org/en/ > I haven't used it myself but unless someone from the list knows why it > shouldn't be used it should fine. 
> > I also highly recommend reading https://www.gnupg.org/faq/gnupg-faq.html > > The above links are just to get started. Happy pgp'ing > > Best Regards, > Duane > -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: OpenPGP digital signature URL: From 2014-667rhzu3dc-lists-groups at riseup.net Mon May 29 16:45:57 2017 
From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Mon, 29 May 2017 15:45:57 +0100 Subject: Don't send encrypted messages to random users to test your gpg In-Reply-To: References: <766aba77-2c3b-c2e5-fdf6-5a495a4f8eb6@nofroth.com> Message-ID: <419259931.20170529154557@riseup.net> Hi On Monday 29 May 2017 at 2:18:18 PM, in , Marcus Brinkmann via Gnupg-users wrote:- > For people who want to communicate with other people > rather than bots, > there is also this: > https://www.reddit.com/r/GPGpractice/ > https://www.reddit.com/r/publickeyexchange/ And there is PGPNET which is an encrypted discussion group - members send messages signed and encrypted to all the members). You subscribe by emailing and replying to the email yahoo sends you (unless you want to join with a Yahoo ID). For new members, Yahoo's group emails default to a heavily HTML-polluted format that does not play nice with pgp-inline encrypted messages, but once you have joined an email to removes this silliness. 
-- Best regards MFPA Another person's secret is like another person's money: you are not as careful with it as you are with your own From listofactor at mail.ru Mon May 29 20:58:11 2017 From: listofactor at mail.ru (listo factor) Date: Mon, 29 May 2017 18:58:11 +0000 Subject: Don't send encrypted messages to random users In-Reply-To: <419259931.20170529154557@riseup.net> References: <766aba77-2c3b-c2e5-fdf6-5a495a4f8eb6@nofroth.com> <419259931.20170529154557@riseup.net> Message-ID: <4d639920-8c42-e255-e9fa-1344fb00d3b6@mail.ru> This I find surprising: if one does not want receiving encrypted messages from those that he does not have existing relationship with, why does he publish his public key on public keyservers? From rjh at sixdemonbag.org Tue May 30 01:49:09 2017 
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 29 May 2017 19:49:09 -0400 Subject: Don't send encrypted messages to random users In-Reply-To: <4d639920-8c42-e255-e9fa-1344fb00d3b6@mail.ru> References: <766aba77-2c3b-c2e5-fdf6-5a495a4f8eb6@nofroth.com> <419259931.20170529154557@riseup.net> <4d639920-8c42-e255-e9fa-1344fb00d3b6@mail.ru> Message-ID: <953be8de-4694-3aeb-dcb1-b3af8b89802c@sixdemonbag.org> > This I find surprising: if one does not want receiving > encrypted messages from those that he does not have > existing relationship with, why does he publish his > public key on public keyservers? All presence on the keyservers says is, "if you have something to send me, you may send it securely". It is not a permission to send someone email they'd prefer to avoid. Further, the conduct the OP is talking about amounts to dragooning someone into helping you without first asking them whether they're willing to help you. From grossws at gmail.com Tue May 30 01:52:27 2017 
From: grossws at gmail.com (Konstantin Gribov) Date: Mon, 29 May 2017 23:52:27 +0000 Subject: Don't send encrypted messages to random users In-Reply-To: <4d639920-8c42-e255-e9fa-1344fb00d3b6@mail.ru> References: <766aba77-2c3b-c2e5-fdf6-5a495a4f8eb6@nofroth.com> <419259931.20170529154557@riseup.net> <4d639920-8c42-e255-e9fa-1344fb00d3b6@mail.ru> Message-ID: Primary reason to publish a key is to make it available for fetching. It isn't a permission for anyone to annoy a person anyhow. As an example, many open source devs are publishing their keys which they use for signing software releases but rarely for encrypted communication. On Tue, May 30, 2017 at 2:28 AM listo factor via Gnupg-users < gnupg-users at gnupg.org> wrote: > This I find surprising: if one does not want receiving > encrypted messages from those that he does not have > existing relationship with, why does he publish his > public key on public keyservers? > -- Best regards, Konstantin Gribov -------------- next part -------------- An HTML attachment was scrubbed... URL: From ineiev at gnu.org Tue May 30 07:46:14 2017 
From: ineiev at gnu.org (Ineiev) Date: Tue, 30 May 2017 01:46:14 -0400 Subject: Don't send encrypted messages to random users In-Reply-To: References: <766aba77-2c3b-c2e5-fdf6-5a495a4f8eb6@nofroth.com> <419259931.20170529154557@riseup.net> <4d639920-8c42-e255-e9fa-1344fb00d3b6@mail.ru> Message-ID: <20170530054614.GL25850@gnu.org> On Mon, May 29, 2017 at 11:52:27PM +0000, Konstantin Gribov wrote: > > As an example, many open source devs are publishing their keys which they > use for signing software releases but rarely for encrypted communication. On the other hand, they could publish certificates without encrypting subkeys. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: Digital signature URL: From daniel at pocock.pro Tue May 30 08:05:07 2017 From: daniel at pocock.pro (Daniel Pocock) Date: Tue, 30 May 2017 08:05:07 +0200 Subject: PGP for official documents / eIDAS and ZertES Message-ID: <065c726e-7922-0352-938a-bf2aa274d390@pocock.pro> Hi all, Can PGP / GnuPG be used in a way that makes signatures compliant with the European eIDAS[1] or Switzerland's ZertES[2]? Do those standards explicitly require X.509 based solutions? Or could a certificate authority sign people's PGP keys and their PGP key could then be used for signing official documents? Does anybody know of certificate authorities who are willing to sign PGP keys or has anybody ever looked into making that happen? Regards, Daniel 1. https://en.wikipedia.org/wiki/EIDAS 2. https://en.wikipedia.org/wiki/ZertES From grossws at gmail.com Tue May 30 11:44:09 2017 
From: grossws at gmail.com (Konstantin Gribov) Date: Tue, 30 May 2017 09:44:09 +0000 Subject: Don't send encrypted messages to random users In-Reply-To: <20170530054614.GL25850@gnu.org> References: <766aba77-2c3b-c2e5-fdf6-5a495a4f8eb6@nofroth.com> <419259931.20170529154557@riseup.net> <4d639920-8c42-e255-e9fa-1344fb00d3b6@mail.ru> <20170530054614.GL25850@gnu.org> Message-ID: Yes, they could. But publishing all subkeys is simpler than publishing some of them. And key is usually generated with both sign and encryption subkey as many guides, howtos etc guide people to. To look at such test emails from the other point of view just imagine that someone found your email on public repo/bugtracker/ml starts to spam you with test emails. Such an event certainly would upset me. Another thing which shocked me is statistics from Golang folks [1]. Brad Fitzpatrick said: > 99% of the PGP-encrypted emails we get to security at golang.org are bogus security reports. Whereas "cleartext" security reports are only about 5-10% bogus. Getting a PGP-encrypted email to security at golang.org has basically become a reliable signal that the report is going to be bogus, so I stopped caring about spending the 5 minutes decrypting the damn thing (logging in to the key server to get the key, remembering how to use gpg). > ... > In summary, the PGP tooling sucks (especially in gmail, but really everywhere) and it's too often used by people who are more interested in using PGP than reporting valid security issues. When he says "cleartext" it's plain text sent over TLS MTA-to-MTA connections. Almost all mail providers use starttls now. [1]: https://news.ycombinator.com/item?id=14123388 Tue, 30 May 2017, 8:46 Ineiev : > On Mon, May 29, 2017 at 11:52:27PM +0000, Konstantin Gribov wrote: > > > > As an example, many open source devs are publishing their keys which they > > use for signing software releases but rarely for encrypted communication. 
> > On the other hand, they could publish certificates without encrypting > subkeys. > -- Best regards, Konstantin Gribov -------------- next part -------------- An HTML attachment was scrubbed... URL: From listofactor at mail.ru Tue May 30 17:53:44 2017 From: listofactor at mail.ru (listo factor) Date: Tue, 30 May 2017 15:53:44 +0000 Subject: Don't send encrypted messages to random users In-Reply-To: References: <766aba77-2c3b-c2e5-fdf6-5a495a4f8eb6@nofroth.com> <419259931.20170529154557@riseup.net> <4d639920-8c42-e255-e9fa-1344fb00d3b6@mail.ru> Message-ID: <9610eaf5-4fe8-774e-b735-a81b0f674bd3@mail.ru> On 05/29/2017 11:52 PM, Konstantin Gribov - grossws at gmail.com wrote: > Primary reason to publish a key is to make it available for fetching. It > isn't a permission for anyone to annoy a person anyhow. Keyservers have every characteristic of a public directory. What possible reason there could be for placing one's e-mail in the public key if not to make it possible for anyone to send an e-mail to the owner. To make a piece of information publicly available on the net and then depend on "netiquette" for that piece of information not be used in a manner the owner finds objectionable strikes me as a rather outdated notion. From mschoch at gmail.com Tue May 30 17:16:10 2017 
From: mschoch at gmail.com (Martin Schoch) Date: Tue, 30 May 2017 17:16:10 +0200 Subject: GnuPG 2.1.19 output Message-ID: Second try - first was rejected Hi list What does this output from GnuPG 2.1.19 mean when checking a signed message? gpg: skipped packet of type 12 in keybox gpg: skipped packet of type 12 in keybox gpg: skipped packet of type 12 in keybox gpg: skipped packet of type 12 in keybox gpg: skipped packet of type 12 in keybox gpg: skipped packet of type 12 in keybox gpg: skipped packet of type 12 in keybox gpg: skipped packet of type 12 in keybox gpg: skipped packet of type 12 in keybox ... BTW. Back to 2.1.19 because of problems with .20 and .21 on Windows -- Best regards, Martin mailto:mschoch at gmail.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From yumkam at gmail.com Tue May 30 18:20:20 2017 
From: yumkam at gmail.com (Yuriy M. Kaminskiy) Date: Tue, 30 May 2017 19:20:20 +0300 Subject: cdaemon crashes (was: coredumps) In-Reply-To: <592D60EE.7070909@gmail.com> References: <592D60EE.7070909@gmail.com> Message-ID: <592D9BC4.6000908@gmail.com> Typo: of course, it crashes; it needs some persuasion to dump core :-) On 30.05.2017 15:09, Yuriy M. Kaminskiy wrote: > When I tried to rebuild gnupg2 2.1.21-2 debian package from > experimental in pbuilder, I got a number of sigsegv's from scdaemon > while running tests: > > XXX XX XX:22:40 $host kernel: pipe-connection[14829]: segfault at 24 ip > 00000 > 000f7652da6 sp 00000000f7498040 error 4 in > libpthread-2.19.so[f764a000+17000] > XXX XX XX:22:46 $host kernel: pipe-connection[14975]: segfault at 24 ip > 00000 > 000f7634da6 sp 00000000f747a040 error 4 in > libpthread-2.19.so[f762c000+17000] > (and a lot more). > > Annoyingly, test-suite does not catch this as error, it has not left any > core, and name of executable was masked, so after twiddling here and > there, I got core and discovered that scdaemon dies when it tries to use > libusb after libusb intiialization failed: > > (gdb) bt > #0 __GI___pthread_mutex_lock (mutex=0x18) at > ../nptl/pthread_mutex_lock.c:66 > #1 0xf7e61cb6 in libusb_get_device_list (ctx=0x0, > list=0x565c7800 ) at ../../libusb/core.c:671 > #2 0x56567a53 in ccid_dev_scan (idx_max_p=0xf7301514, t_p=0xf7301508) > at ../../scd/ccid-driver.c:1301 > #3 0x56563fad in apdu_dev_list_start (portstr=0x0, l_p=0xf7cc61cc) > at ../../scd/apdu.c:1857 > #4 0x5656db06 in select_application (ctrl=0x565d1268, name=0xf730052d > "openpgp", r_app=0x565d1270, scan=1, serialno_bin=0x0, > serialno_bin_len=0) at ../../scd/app.c:329 > #5 0x5655d392 in open_card_with_request (serialno=, > apptype=, ctrl=0x565d1268) at ../../scd/command.c:235 > #6 cmd_serialno (ctx=0xf7300468, line=) > at ../../scd/command.c:294 > #7 0xf7e9ee96 in ?? 
() from /usr/lib/i386-linux-gnu/libassuan.so.0 > (gdb) up > #1 0xf7e61cb6 in libusb_get_device_list (ctx=0x0, > list=0x565c7800 ) at ../../libusb/core.c:671 > 671 usbi_mutex_lock(&ctx->usb_devs_lock); > (gdb) p ctx > $3 = (libusb_context *) 0x0 > (gdb) p usbi_default_context > $4 = (struct libusb_context *) 0x0 > > (when application does not specify context (ctx=NULL), libusb uses > "default context"; but as initialization failed, it is NULL too). > > (this is on debian jessie, i386, libusb-1.0 1.0.19, and various related > libraries from backports [Build-Depends]) > > With patch below, it just freezes at > === cut === > ... > PASS: tests/openpgp/decrypt-unwrap-verify.scm > Checking signing with the default hash algorithm > > plain-1 plain-2 <<< [here] > === cut === > Have no idea why. > > --- gnupg2-2.1.21/scd/ccid-driver.c.orig 2017-05-15 > 15:13:22.000000000 +0300 > +++ gnupg2-2.1.21/scd/ccid-driver.c 2017-05-30 14:36:35.000000000 +0300 > @@ -1228,7 +1228,12 @@ > if (!initialized_usb) > { > - libusb_init (NULL); > + int rc; > + if ((rc = libusb_init (NULL)) != 0) > + { > + fprintf(stderr, "libusb_init failed: %s/%s\n", > libusb_error_name(rc), libusb_strerror(rc)); (obviously, this debug print code should be replaced with: DEBUGOUT_1 ("usb_init failed: %s\n", libusb_error_name(rc)); for consistency). > + return NULL; > + } > initialized_usb = 1; > } 
> @@ -1294,7 +1299,14 @@ > if (!initialized_usb) > { > - libusb_init (NULL); > + int rc; > + if ((rc = libusb_init (NULL)) != 0) > + { > + fprintf(stderr, "libusb_init failed: %s/%s\n", > libusb_error_name(rc), libusb_strerror(rc)); DEBUGOUT_1 ("usb_init failed: %s\n", libusb_error_name(rc)); > + *idx_max_p = 0; > + *t_p = NULL; > + return gpg_err_make(GPG_ERR_SOURCE_SCD, GPG_ERR_HARDWARE); > + } > initialized_usb = 1; > } E.g. in chrtoot (or other container) without /dev/bus or /proc/bus/usb present: Before: $ ../scd/scdaemon --server --homedir /tmp/gpgscm-...-run-tests-... scdaemon[24322]: DBG: changed working directory to '/tmp' OK GNU Privacy Guard's Smartcard server ready learn Segmentation fault After: $ ../scd/scdaemon --server --homedir /tmp/gpgscm-...-run-tests-... scdaemon[24267]: DBG: changed working directory to '/tmp' OK GNU Privacy Guard's Smartcard server ready learn ccid_dev_scan: libusb_init failed (LIBUSB_ERROR_OTHER): Other error ERR 100663425 Hardware problem ^D scdaemon[24267]: scdaemon (GnuPG) 2.1.21 stopped From brad at fineby.me.uk Tue May 30 18:14:17 2017 
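Review bot: in the hunk at @@ -1228,7 +1228,12 @@ the new failure branch ends in a bare "return NULL;", so the caller gets no error code for a failed libusb_init, whereas the other hunk returns gpg_err_make(GPG_ERR_SOURCE_SCD, GPG_ERR_HARDWARE). Please check that every caller of this function handles NULL as "USB could not be initialised" and say so in a comment on the branch. The fprintf(stderr, ...) should become the DEBUGOUT_1 call already proposed inline, for consistency with the rest of the file.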
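Review bot: in the hunk at @@ -1294,7 +1299,14 @@ the format string "libusb_init failed: %s/%s\n" cannot produce the line shown in the "After" transcript, "ccid_dev_scan: libusb_init failed (LIBUSB_ERROR_OTHER): Other error", so the posted diff is not the build that was tested; please resend the version that was actually run. The init-and-check block also duplicates the one in the first hunk, and because the branch returns before "initialized_usb = 1;" every later call will retry libusb_init and log the failure again. A small shared helper that does the init, the logging and the flag handling once would keep the two call sites in step.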
From: brad at fineby.me.uk (Brad Rogers) Date: Tue, 30 May 2017 17:14:17 +0100 Subject: Don't send encrypted messages to random users In-Reply-To: <9610eaf5-4fe8-774e-b735-a81b0f674bd3@mail.ru> References: <766aba77-2c3b-c2e5-fdf6-5a495a4f8eb6@nofroth.com> <419259931.20170529154557@riseup.net> <4d639920-8c42-e255-e9fa-1344fb00d3b6@mail.ru> <9610eaf5-4fe8-774e-b735-a81b0f674bd3@mail.ru> Message-ID: <20170530171045.0bf37b1f@abydos.stargate.org.uk> On Tue, 30 May 2017 15:53:44 +0000 listo factor via Gnupg-users wrote: Hello listo, >a piece of information publicly available on the net >and then depend on "netiquette" for that piece of >information not be used in a manner the owner finds To paraphrase what's been said by others (and you appear to have ignored). Just because a thing *can* be done, doesn't mean it _should_ be done. To explain further; Do you telephone people selected, at random, from a phone directory? Probably not. It's the same thing here. -- Regards _ / ) "The blindingly obvious is / _)rad never immediately apparent" Did you do it for fame, did you do it in a fit? Identity - X-Ray Spex -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 488 bytes Desc: OpenPGP digital signature URL: From idmsdba at nycap.rr.com Tue May 30 18:37:16 2017 
From: idmsdba at nycap.rr.com (Michael A. Yetto) Date: Tue, 30 May 2017 12:37:16 -0400 Subject: Don't send encrypted messages to random users In-Reply-To: <9610eaf5-4fe8-774e-b735-a81b0f674bd3@mail.ru> References: <766aba77-2c3b-c2e5-fdf6-5a495a4f8eb6@nofroth.com> <419259931.20170529154557@riseup.net> <4d639920-8c42-e255-e9fa-1344fb00d3b6@mail.ru> <9610eaf5-4fe8-774e-b735-a81b0f674bd3@mail.ru> Message-ID: <20170530123716.4abf8528@braetac.lighthouse.yetnet> On Tue, 30 May 2017 15:53:44 +0000 listo factor via Gnupg-users writes, and having writ moves on: >On 05/29/2017 11:52 PM, Konstantin Gribov - grossws at gmail.com wrote: >> Primary reason to publish a key is to make it available for >> fetching. It isn't a permission for anyone to annoy a person >> anyhow. > >Keservers have every characteristic of a public directory. > >What possible reason there could be for placing one's >e-mail in the public key if not to make it possible >for anyone to send an e-mail to the owner. To make >a piece of information publicly available on the net >and then depend on "netiquette" for that piece of >information not be used in a manner the owner finds >objectionable strikes me as a rather outdated notion. > Would you find it acceptable for someone to randomly call you and ask your opinion on a topic of their choosing just because your phone number happens to be on a public directory that person happened upon? The reason, not only possible, but likely, would be to let someone with a reason to send message to that e-mail have the necessary data to encrypt it and keep it as private as is needed. Mike Yetto -- "The fact that a believer is happier than a skeptic is no more to the point than the fact that a drunken man is happier than a sober one." - George Bernard Shaw -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 473 bytes Desc: OpenPGP digital signature URL: From michael at englehorn.com Tue May 30 21:42:04 2017 
From: michael at englehorn.com (Michael Englehorn) Date: Tue, 30 May 2017 14:42:04 -0500 Subject: Don't send encrypted messages to random users In-Reply-To: <20170530123716.4abf8528@braetac.lighthouse.yetnet> (Michael A. Yetto's message of "Tue, 30 May 2017 12:37:16 -0400") References: <766aba77-2c3b-c2e5-fdf6-5a495a4f8eb6@nofroth.com> <419259931.20170529154557@riseup.net> <4d639920-8c42-e255-e9fa-1344fb00d3b6@mail.ru> <9610eaf5-4fe8-774e-b735-a81b0f674bd3@mail.ru> <20170530123716.4abf8528@braetac.lighthouse.yetnet> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 "Michael A. Yetto" writes: > On Tue, 30 May 2017 15:53:44 +0000 > listo factor via Gnupg-users writes, and having > writ moves on: > >>On 05/29/2017 11:52 PM, Konstantin Gribov - grossws at gmail.com wrote: >>> Primary reason to publish a key is to make it available for >>> fetching. It isn't a permission for anyone to annoy a person >>> anyhow. >> >>Keservers have every characteristic of a public directory. >> >>What possible reason there could be for placing one's >>e-mail in the public key if not to make it possible >>for anyone to send an e-mail to the owner. To make >>a piece of information publicly available on the net >>and then depend on "netiquette" for that piece of >>information not be used in a manner the owner finds >>objectionable strikes me as a rather outdated notion. >> > > Would you find it acceptable for someone to randomly call you and ask > your opinion on a topic of their choosing just because your phone > number happens to be on a public directory that person happened upon? > > The reason, not only possible, but likely, would be to let someone with > a reason to send message to that e-mail have the necessary data to > encrypt it and keep it as private as is needed. 
> > Mike Yetto Depending on what the content of the e-mail is about, I don't think it would be inappropriate for someone who I didn't know to contact me, especially if it was about something I normally work on such as an opensource project that has my name and e-mail attached to it. My e-mail address is easy to find in places other than the keyservers, and if you don't put your key on the keyserver it may be dificult for someone to send me something like a security impacting bug report using encryption. Also, it would be strange to only publish your key's "name only" UID to the keyserver, because then at a keysigning event I wouldn't know where to send your public key back to, and I couldn't certify any of your e-mail addresses. The same goes for phone calls, though I do heavily filter my home phone line with some IVR scripts and such to prevent autodialer spam. That being said, sending 'hey, I'm just testing' messages to me would be weird. - -Michael Englehorn From dkg at fifthhorseman.net Tue May 30 22:05:57 2017 
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Tue, 30 May 2017 16:05:57 -0400 Subject: GnuPG 2.1.19 output In-Reply-To: References: Message-ID: <87efv6kt3u.fsf@fifthhorseman.net> On Tue 2017-05-30 17:16:10 +0200, Martin Schoch wrote: > What does this output form GnuPG 2.1.19 mean when checking a signed > message? > > gpg: skipped packet of type 12 in keybox > gpg: skipped packet of type 12 in keybox > gpg: skipped packet of type 12 in keybox > gpg: skipped packet of type 12 in keybox > gpg: skipped packet of type 12 in keybox > gpg: skipped packet of type 12 in keybox > gpg: skipped packet of type 12 in keybox > gpg: skipped packet of type 12 in keybox > gpg: skipped packet of type 12 in keybox > ... > > BTW. Back to 2.1.19 because of problems with .20 and .21 on Windows please see my earlier message on gnupg-devel, complete with a patch: Message-ID: 87shkioevw.fsf at fifthhorseman.net Subject: sharing a keybox between 2.1.20 and 2.1.18 : "skipped packet of type 12 in keybox" (and a proposed patch for 2.1.18) Archived (with followup discussion) at: https://lists.gnupg.org/pipermail/gnupg-devel/2017-May/032846.html Regards, --dkg From stefan.claas at posteo.de Tue May 30 21:25:24 2017 
From: stefan.claas at posteo.de (Stefan Claas) Date: Tue, 30 May 2017 21:25:24 +0200 Subject: Obtaining sig2 and sig3 signatures Message-ID: Hi all, while i am not new to GnuPG i must admit that i did not used it very often and when i had signed/encrypted email communications i usually had the "Untrusted Good Signature" from person x,x,z, because i am not a member of the classic Web-of-Trust. So far so good. I'm interested about your thoughts (especially from people living in Germany) about the following: A couple of days ago i came along the CA Service of Governikus KG at: https://pgp.governikus-eid.de/pgp/ where i obtained a sig3 signature for my new pub key: pub 2048R/82EC52B4 2017-05-26 [verf?llt: 2021-05-26] Schl.-Fingerabdruck = 2BAF 85F9 281A BD54 3823 C7C5 981E B7C3 82EC 52B4 uid [ uneing.] Stefan Claas sub 2048R/64C48933 2017-05-26 [verf?llt: 2021-05-26] I also received my X.509 classIII certificate from the "Volkverschl?sselung" initiative from Fraunhofer SIT: https://www.volksverschluesselung.de Additionally i have a reset keybase account, due to the upload of my new pub key, where people could have seen that i had there a Facebook, Twitter and github proof and i am running the PGP/GnuPG Forum at Facebook. Let's assume we would exchange signed emails (PGP/SMIME) would these proofs be enough for you to warrant a sig2? And for a sig3 an additional video conference? The classical procedure would be to sign a key with a sig3 after seeing the persons id-card in a real meeting. But who guarantees that the id-card is not fake (if the person is a complete stranger)? Please note, i don't want to ask people here to sign my pub key, i just want to know what your thoughts are. :-) Regards Stefan From stefan.claas at posteo.de Tue May 30 22:17:47 2017 
From: stefan.claas at posteo.de (Stefan Claas) Date: Tue, 30 May 2017 22:17:47 +0200 Subject: PGP for official documents / eIDAS and ZertES In-Reply-To: <065c726e-7922-0352-938a-bf2aa274d390@pocock.pro> References: <065c726e-7922-0352-938a-bf2aa274d390@pocock.pro> Message-ID: On 30.05.17 08:05, Daniel Pocock wrote: > > Does anybody know of certificate authorities who are willing to sign PGP > keys or has anybody ever looked into making that happen? Hi Daniel, please check those two links: https://pgp.governikus-eid.de/pgp/ https://www.heise.de/security/dienste/PGP-Schluessel-der-c-t-CA-473386.html Regards Stefan From yumkam at gmail.com Tue May 30 14:09:18 2017 
From: yumkam at gmail.com (Yuriy M. Kaminskiy) Date: Tue, 30 May 2017 15:09:18 +0300 Subject: scdaemon coredumps Message-ID: <592D60EE.7070909@gmail.com>

When I tried to rebuild gnupg2 2.1.21-2 debian package from experimental in pbuilder, I got a number of sigsegv's from scdaemon while running tests:

XXX XX XX:22:40 $host kernel: pipe-connection[14829]: segfault at 24 ip 00000 000f7652da6 sp 00000000f7498040 error 4 in libpthread-2.19.so[f764a000+17000]
XXX XX XX:22:46 $host kernel: pipe-connection[14975]: segfault at 24 ip 00000 000f7634da6 sp 00000000f747a040 error 4 in libpthread-2.19.so[f762c000+17000]

(and a lot more).

Annoyingly, test-suite does not catch this as error, it has not left any core, and name of executable was masked, so after twiddling here and there, I got core and discovered that scdaemon dies when it tries to use libusb after libusb initialization failed:

(gdb) bt
#0 __GI___pthread_mutex_lock (mutex=0x18) at ../nptl/pthread_mutex_lock.c:66
#1 0xf7e61cb6 in libusb_get_device_list (ctx=0x0, list=0x565c7800 ) at ../../libusb/core.c:671
#2 0x56567a53 in ccid_dev_scan (idx_max_p=0xf7301514, t_p=0xf7301508) at ../../scd/ccid-driver.c:1301
#3 0x56563fad in apdu_dev_list_start (portstr=0x0, l_p=0xf7cc61cc) at ../../scd/apdu.c:1857
#4 0x5656db06 in select_application (ctrl=0x565d1268, name=0xf730052d "openpgp", r_app=0x565d1270, scan=1, serialno_bin=0x0, serialno_bin_len=0) at ../../scd/app.c:329
#5 0x5655d392 in open_card_with_request (serialno=, apptype=, ctrl=0x565d1268) at ../../scd/command.c:235
#6 cmd_serialno (ctx=0xf7300468, line=) at ../../scd/command.c:294
#7 0xf7e9ee96 in ??
() from /usr/lib/i386-linux-gnu/libassuan.so.0 (gdb) up #1 0xf7e61cb6 in libusb_get_device_list (ctx=0x0, list=0x565c7800 ) at ../../libusb/core.c:671 671 usbi_mutex_lock(&ctx->usb_devs_lock); (gdb) p ctx $3 = (libusb_context *) 0x0 (gdb) p usbi_default_context $4 = (struct libusb_context *) 0x0 (when application does not specify context (ctx=NULL), libusb uses "default context"; but as initialization failed, it is NULL too). (this is on debian jessie, i386, libusb-1.0 1.0.19, and various related libraries from backports [Build-Depends]) With patch below, it just freezes at === cut === ... PASS: tests/openpgp/decrypt-unwrap-verify.scm Checking signing with the default hash algorithm > plain-1 plain-2 <<< [here] === cut === Have no idea why. --- gnupg2-2.1.21/scd/ccid-driver.c.orig 2017-05-15 15:13:22.000000000 +0300 +++ gnupg2-2.1.21/scd/ccid-driver.c 2017-05-30 14:36:35.000000000 +0300 @@ -1228,7 +1228,12 @@ if (!initialized_usb) { - libusb_init (NULL); + int rc; + if ((rc = libusb_init (NULL)) != 0) + { + fprintf(stderr, "libusb_init failed: %s/%s\n", libusb_error_name(rc), libusb_strerror(rc)); + return NULL; + } initialized_usb = 1; } @@ -1294,7 +1299,14 @@ if (!initialized_usb) { - libusb_init (NULL); + int rc; + if ((rc = libusb_init (NULL)) != 0) + { + fprintf(stderr, "libusb_init failed: %s/%s\n", libusb_error_name(rc), libusb_strerror(rc)); + *idx_max_p = 0; + *t_p = NULL; + return gpg_err_make(GPG_ERR_SOURCE_SCD, GPG_ERR_HARDWARE); + } initialized_usb = 1; } P.S. when I posted this message via news.gmane.org, I got: > A message that you sent could not be delivered to one or more of its > recipients. This is a permanent error. The following address(es) failed: > > gnupg-users at gnupg.org > SMTP error from remote mail server after RCPT TO: users at gnupg.org>: > host kerckhoffs.g10code.com [217.69.77.222]: 550 Reverse DNS lookup failed for host 195.159.176.226. From rjh at sixdemonbag.org Tue May 30 19:43:05 2017 
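Review bot: in the first hunk (@@ -1228,7 +1228,12 @@) the failure path returns NULL before "initialized_usb = 1" is reached, so every later call retries libusb_init and prints the same message again, and the caller receives a bare NULL with no reason attached. If NULL from this function can also mean something else, the caller cannot tell an initialization failure apart from that case; passing rc back through an error return or an out-parameter would fix it. The same guarded-init block is repeated in the @@ -1294 hunk with only the cleanup differing, so a small static helper that does the libusb_init check once and returns rc would keep the two call sites from drifting apart.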
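Review bot: in the second hunk (@@ -1294,7 +1299,14 @@) every libusb_init failure is collapsed into GPG_ERR_HARDWARE, so the value of rc survives only in the fprintf to stderr, which a daemon's caller usually never sees; report it through the daemon's own logging and choose the returned error from rc where a closer code exists. The added calls fprintf(, libusb_error_name(, libusb_strerror( and gpg_err_make( omit the space before the parenthesis that the neighbouring "libusb_init (NULL)" uses. The message also reports that the test suite hangs in the signing test once this error is returned, so how the callers handle the new failure return needs to be checked before this goes in.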
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 30 May 2017 13:43:05 -0400 Subject: Don't send encrypted messages to random users In-Reply-To: <9610eaf5-4fe8-774e-b735-a81b0f674bd3@mail.ru> Message-ID: An HTML attachment was scrubbed... URL: From dkg at fifthhorseman.net Tue May 30 23:25:46 2017 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Tue, 30 May 2017 17:25:46 -0400 Subject: Obtaining sig2 and sig3 signatures In-Reply-To: References: Message-ID: <874lw2kpet.fsf@fifthhorseman.net> On Tue 2017-05-30 21:25:24 +0200, Stefan Claas wrote: > Let's assume we would exchange signed emails (PGP/SMIME) would these proofs > be enough for you to warrant a sig2? And for a sig3 an additional video > conference? > > The classical procedure would be to sign a key with a sig3 after seeing > the persons id-card in a real meeting. But who guarantees that the > id-card is not fake (if the person is a complete stranger)? I don't recommend that anyone make a sig1, sig2, or sig3 for any third-party certification (sig3 is fine for self-signatures, where the keyholder asserts their own identity). sig0 -- the default, generic certification -- is fine, does what people need of it, and doesn't intentionally leak any more of the social graph than it needs to. In GnuPG, this is accessed via the "--ask-cert-level" flag. I explain my reasoning further in a blog post titled "gpg --ask-cert-level considered harmful": https://debian-administration.org/users/dkg/weblog/98 --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 832 bytes Desc: not available URL: From dkg at fifthhorseman.net Wed May 31 00:48:04 2017 
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Tue, 30 May 2017 18:48:04 -0400 Subject: scdaemon coredumps In-Reply-To: <592D60EE.7070909@gmail.com> References: <592D60EE.7070909@gmail.com> Message-ID: <87vaoij717.fsf@fifthhorseman.net> Hi Yuriy-- On Tue 2017-05-30 15:09:18 +0300, Yuriy M. Kaminskiy wrote: > When I tried to rebuild gnupg2 2.1.21-2 debian package from > experimental in pbuilder, I got a number of sigsegv's from scdaemon > while running tests: [...] > (this is on debian jessie, i386, libusb-1.0 1.0.19, and various related > libraries from backports [Build-Depends]) So we're not seeing that crash on the experimental build daemons in debian. that makes me think that something is amiss with the dependencies in jessie, or maybe we've failed to indicate some dependency correctly. gniibe (cc'ed) is usually the person to sort out scdaemon issues -- perhaps he can suggest some next-steps for debugging? > P.S. when I posted this message via news.gmane.org, I got: > > > A message that you sent could not be delivered to one or more of its > > recipients. This is a permanent error. The following address(es) failed: > > > > gnupg-users at gnupg.org > > SMTP error from remote mail server after RCPT TO:: > > host kerckhoffs.g10code.com [217.69.77.222]: 550 Reverse DNS lookup failed for host 195.159.176.226. fwiw, my messages were recently bouncing from this mailserver too -- i had to fiddle with some DNS records for my own mail relay to get kerckhoffs to accept mail. it's possible that the spamfiltering rules have been tightened up recently, or the DNS resolver has changed. I note that 195.159.176.226 has no PTR record at all. maybe the gmane folks need to add a reverse DNS record via their hosts at powertech.no? --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 832 bytes Desc: not available URL: From dgouttegattat at incenp.org Wed May 31 01:22:15 2017 
From: dgouttegattat at incenp.org (Damien Goutte-Gattat) Date: Wed, 31 May 2017 01:22:15 +0200 Subject: Obtaining sig2 and sig3 signatures In-Reply-To: References: Message-ID: Hi, On 05/30/2017 09:25 PM, Stefan Claas wrote: > The classical procedure would be to sign a key with a sig3 after seeing > the persons id-card in a real meeting. But who guarantees that the > id-card is not fake (if the person is a complete stranger)? Well, no one. You rely on the ability of the signer to distinguish between a real ID-card and a fake ID-card. Of course, not everyone can spot a well-crafted fake ID (I certainly cannot). That's one reason why some people actually object to key-signing parties where participants are required to show an ID-card. Another reason is that requiring an ID-card is equivalent to trusting the government emitting those cards, and not everyone is OK with that (after all one of the goals of the web-of-trust is to avoid the need for centralized authorities). > Please note, i don't want to ask people here to sign my pub key, i just > want to know what your thoughts are. :-) I think that, for most users, certification levels are actually useless due to the fact that the different certification levels don't have an universally recognized meaning. The OpenPGP standard (RFC 4880) says nothing about the meaning of certification levels 2 and 3. It is up to the signing user to decide what is a "casual certification" (level 2) and what is a "positive certification" (level 3). With the meaning of a sig2 or a sig3 depending on the certification policy of the signer, the whole feature is quite pointless in my opinion. (Maybe certification levels can still be useful when OpenPGP is used in a closed, controlled setup--e.g. within an organization which can define its own rules, to be followed by all its members. Maybe.) 
Incidentally, I also think that many users will be much happier with the TOFU trust model, where they won't have to care about all this "key signing stuff" (unless they want to). Discussing about certification levels will likely be irrelevant when TOFU will become the default trust model. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: OpenPGP digital signature URL: From ben at adversary.org Wed May 31 02:02:16 2017 
From: ben at adversary.org (Ben McGinnes) Date: Wed, 31 May 2017 10:02:16 +1000 Subject: scdaemon coredumps In-Reply-To: <87vaoij717.fsf@fifthhorseman.net> References: <592D60EE.7070909@gmail.com> <87vaoij717.fsf@fifthhorseman.net> Message-ID: <20170531000216.z6qc62alxzdfdzr7@adversary.org> On Tue, May 30, 2017 at 06:48:04PM -0400, Daniel Kahn Gillmor wrote: > > On Tue 2017-05-30 15:09:18 +0300, Yuriy M. Kaminskiy wrote: >> >>> SMTP error from remote mail server after RCPT >>> TO:: host kerckhoffs.g10code.com >> >>> [217.69.77.222]: 550 Reverse DNS lookup failed for host >> >>> 195.159.176.226. > > fwiw, my messages were recently bouncing from this mailserver too -- > i had to fiddle with some DNS records for my own mail relay to get > kerckhoffs to accept mail. it's possible that the spamfiltering > rules have been tightened up recently, or the DNS resolver has > changed. > > I note that 195.159.176.226 has no PTR record at all. maybe the > gmane folks need to add a reverse DNS record via their hosts at > powertech.no? It is pretty standard (and IIRC part of the SMTP RFCs) that the forward and reverse DNS records must match. The PTR record does not have to match the hostname, but it does have to resolve to a hostname with an A record pointing back to the IP. That lack of a PTR record for 195.159.176.226 will definitely cause problems with any number of SMTP servers. Regards, Ben -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 659 bytes Desc: not available URL: From yumkam at gmail.com Wed May 31 02:32:28 2017 
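Added example (not part of any message in this archive): the forward-confirmed reverse DNS check described in Ben McGinnes's message above, as a receiving mail server might apply it to a connecting IP. The function names, the status strings and the sample zone data (documentation addresses and example.* names) are constructed for illustration.

```python
import ipaddress
import socket


def system_ptr(ip):
    """PTR names for ip via the system resolver; [] when there are none."""
    try:
        name, aliases, _addrs = socket.gethostbyaddr(ip)
    except OSError:  # socket.herror/gaierror: no PTR record or lookup failed
        return []
    return [name, *aliases]


def system_addrs(host):
    """A/AAAA addresses for host via the system resolver; [] on failure."""
    try:
        infos = socket.getaddrinfo(host, None)
    except OSError:
        return []
    return [info[4][0] for info in infos]


def check_fcrdns(ip, ptr_lookup=system_ptr, addr_lookup=system_addrs):
    """Return (status, name) for a connecting IP.

    "no-ptr"           the IP has no reverse record at all
    "forward-mismatch" a PTR exists, but none of its names resolves back
    "ok"               some PTR name has an address record equal to the IP
    The PTR name does not have to equal the host name the client announces.
    """
    client = ipaddress.ip_address(ip)
    names = ptr_lookup(str(client))
    if not names:
        return ("no-ptr", None)
    for name in names:
        for addr in addr_lookup(name):
            try:
                if ipaddress.ip_address(addr) == client:
                    return ("ok", name)
            except ValueError:  # e.g. scoped IPv6 literal from getaddrinfo
                continue
    return ("forward-mismatch", names[0])


# Constructed zone data so the example runs offline.
SAMPLE_PTR = {
    "192.0.2.10": ["mx.example.org"],
    "192.0.2.20": ["relay.example.net"],
    # 192.0.2.30 deliberately has no PTR, like the relay in the bounce above
}
SAMPLE_A = {
    "mx.example.org": ["192.0.2.10"],
    "relay.example.net": ["192.0.2.99"],  # points somewhere else
}


def sample_ptr(ip):
    return SAMPLE_PTR.get(ip, [])


def sample_addrs(host):
    return SAMPLE_A.get(host, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, check_fcrdns(ip, sample_ptr, sample_addrs))
```

Called with only an IP, check_fcrdns uses the system resolver, which also consults the local hosts file.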
From: yumkam at gmail.com (Yuriy M. Kaminskiy) Date: Wed, 31 May 2017 03:32:28 +0300 Subject: scdaemon coredumps In-Reply-To: <87vaoij717.fsf@fifthhorseman.net> References: <592D60EE.7070909@gmail.com> <87vaoij717.fsf@fifthhorseman.net> Message-ID: <592E0F1C.2000802@gmail.com> On 31.05.2017 01:48, Daniel Kahn Gillmor wrote: > On Tue 2017-05-30 15:09:18 +0300, Yuriy M. Kaminskiy wrote: >> When I tried to rebuild gnupg2 2.1.21-2 debian package from >> experimental in pbuilder, I got a number of sigsegv's from scdaemon >> while running tests: > [...] >> (this is on debian jessie, i386, libusb-1.0 1.0.19, and various related >> libraries from backports [Build-Depends]) > > So we're not seeing that crash on the experimental build daemons in > debian. Are you *sure*? Testsuite successfully finishes, as if nothing wrong (and that's probably can be called a bug too); it is only visible by noise from kernel in system logs. > that makes me think that something is amiss with the > dependencies in jessie, or maybe we've failed to indicate some > dependency correctly. And from first look at sources, it looks like this SIGSEGV is a scdaemon bug (and likely an old one), not a missed dependency (FWIW, I looked at difference between libusb versions between jessie and sid, I don't see anything that can affect this). What is probably a *new* bug is that gnupg-agent now invokes scdaemon (about month earlier, I tried to build gnupg2 2.1.20-3 package, and there were no SIGSEGV messages in kernel logs). > gniibe (cc'ed) is usually the person to sort out scdaemon issues -- > perhaps he can suggest some next-steps for debugging? [...] P.S. more from debian backports dept: I also noticed that npth_1.3-1~bpo8+1 is FTBFS on buildd's: https://buildd.debian.org/status/package.php?p=npth&suite=jessie-backports It seems buildd's for some reason prefers automake1.11 over automake (1.14) on jessie. Probably, explicit Build-Depends: automake (>= 1.14) would help. 
From gniibe at fsij.org Wed May 31 03:12:35 2017 From: gniibe at fsij.org (NIIBE Yutaka) Date: Wed, 31 May 2017 10:12:35 +0900 Subject: scdaemon coredumps In-Reply-To: <592D60EE.7070909@gmail.com> References: <592D60EE.7070909@gmail.com> Message-ID: <87k24xkews.fsf@iwagami.gniibe.org> Hello, Thank you for your report. "Yuriy M. Kaminskiy" wrote: > When I tried to rebuild gnupg2 2.1.21-2 debian package from > experimental in pbuilder, I got a number of sigsegv's from scdaemon > while running tests: [...] > Annoyingly, test-suite does not catch this as error, it has not left any > core, and name of executable was masked, so after twiddling here and > there, I got core and discovered that scdaemon dies when it tries to use > libusb after libusb intiialization failed: There are two things here. The selection of default key by gpg frontend was not good. It was fixed in: fbb2259d22e6c6eadc2af722bdc52922da348677 g10: Fix default-key selection for signing, possibly by card. And by your report, scdaemon core dump is fixed in: 5c33649782bf255af5a55f16eac5e85f059b00bf scd: Handle a failure of libusb_init. 8defb21d34410d000c8b776e0e3a1edd04762638 scd: Fix error code on failure at usb_init. > With patch below, it just freezes at > === cut === > ... > PASS: tests/openpgp/decrypt-unwrap-verify.scm > Checking signing with the default hash algorithm > > plain-1 plain-2 <<< [here] > === cut === > Have no idea why. I don't know what's going here. Let's see... -- From dkg at fifthhorseman.net Wed May 31 03:33:48 2017 
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Tue, 30 May 2017 21:33:48 -0400 Subject: scdaemon coredumps In-Reply-To: <592E0F1C.2000802@gmail.com> References: <592D60EE.7070909@gmail.com> <87vaoij717.fsf@fifthhorseman.net> <592E0F1C.2000802@gmail.com> Message-ID: <87h901kdxf.fsf@fifthhorseman.net> On Wed 2017-05-31 03:32:28 +0300, Yuriy M. Kaminskiy wrote: > On 31.05.2017 01:48, Daniel Kahn Gillmor wrote: > >> On Tue 2017-05-30 15:09:18 +0300, Yuriy M. Kaminskiy wrote: >>> When I tried to rebuild gnupg2 2.1.21-2 debian package from >>> experimental in pbuilder, I got a number of sigsegv's from scdaemon >>> while running tests: >> [...] >>> (this is on debian jessie, i386, libusb-1.0 1.0.19, and various related >>> libraries from backports [Build-Depends]) >> >> So we're not seeing that crash on the experimental build daemons in >> debian. > > Are you *sure*? Testsuite successfully finishes, as if nothing wrong > (and that's probably can be called a bug too); it is only visible by > noise from kernel in system logs. I'm not entirely sure about the build daemons, but when i build it on amd64, i definitely get no segmentation faults. I suppose i can try firing up an i386 builder and see if i can replicate the problem from unstable directly. have you tried to build the experimental package against unstable yourself, or only on jessie? > P.S. more from debian backports dept: I also noticed that > npth_1.3-1~bpo8+1 is FTBFS on buildd's: > https://buildd.debian.org/status/package.php?p=npth&suite=jessie-backports > It seems buildd's for some reason prefers automake1.11 over automake > (1.14) on jessie. Probably, explicit > Build-Depends: automake (>= 1.14) > would help. ugh, right, that seems like something worth noting to Eric Dorland (cc'ed), who is maintaining both automake and npth for debian, iirc. --dkg From dkg at fifthhorseman.net Wed May 31 03:27:30 2017 
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Tue, 30 May 2017 21:27:30 -0400 Subject: scdaemon coredumps In-Reply-To: <20170531000216.z6qc62alxzdfdzr7@adversary.org> References: <592D60EE.7070909@gmail.com> <87vaoij717.fsf@fifthhorseman.net> <20170531000216.z6qc62alxzdfdzr7@adversary.org> Message-ID: <87k24xke7x.fsf@fifthhorseman.net> On Wed 2017-05-31 10:02:16 +1000, Ben McGinnes wrote: > It is pretty standard (and IIRC part of the SMTP RFCs) that the > forward and reverse DNS records must match. The PTR record does not > have to match the hostname, but it does have to resolve to a hostname > with an A record pointing back to the IP. > > That lack of a PTR record for 195.159.176.226 will definitely cause > problems with any number of SMTP servers. i'm aware of this common convention (without commenting on how useful it is at actually defeating spammers), but i'm surprised to see it happening with two mail servers that both have sent messages to GnuPG mailing lists in the not-too-distant past. it's possible that both of those mailservers have changed at the same time, i guess. there certainly was a recent change for my own mail relay. --dkg From gnupg-users at spodhuis.org Wed May 31 03:34:04 2017 
From: gnupg-users at spodhuis.org (Phil Pennock) Date: Tue, 30 May 2017 21:34:04 -0400 Subject: Don't send encrypted messages to random users In-Reply-To: <4d639920-8c42-e255-e9fa-1344fb00d3b6@mail.ru> References: <766aba77-2c3b-c2e5-fdf6-5a495a4f8eb6@nofroth.com> <419259931.20170529154557@riseup.net> <4d639920-8c42-e255-e9fa-1344fb00d3b6@mail.ru> Message-ID: <20170531013403.GA3226@breadbox.private.spodhuis.org> On 2017-05-29 at 18:58 +0000, listo factor via Gnupg-users wrote: > This I find surprising: if one does not want receiving > encrypted messages from those that he does not have > existing relationship with, why does he publish his > public key on public keyservers? (1) Who says they published it? If person A has a PGP key and shares it with a group of people, anyone in that group can upload it to the keyservers. The keyservers are a _swamp_. Smelly and polluted. Still useful (I run one and help others) but presence of data in the keyservers means very little. (2) I sign software releases of security-sensitive code (Exim, sieve-connect, etc); lots of people need to be able to validate the signatures upon that code. I'm quite proud of Exim's history of making sure that signatures upon releases can be verified, with keys in the Strong Set, etc. (3) If I publish just signing subkeys, not encryption subkeys, but someone uses finger(1) to get the full key and uploads it to the keyservers, then inconsistent old data is present if I don't then keep the keyserver data at least "current". (4) Very occasionally I receive security reports of potential issues relating to Exim, or mail other people and want them to be able to reply encrypted. Having the encryption key present allows encryption to take place. This does not mean that I'm willing to be Everyone's Test Oracle That Things Work When They Learn. There are seven billion people on the planet but I have little interest in being the unpaid test subject for most of those people. 
I am interested in the one or two encrypted messages I get per year from strangers which are actually sensitive and where it benefits _me_ to decrypt it. (5) If talking encrypted requires work from person A and person B, then talking encrypted had better benefit both person A and person B. If person A benefits but person B doesn't but person B isn't given any choice in the matter, this becomes a tax drain on time and resources and a sense of entitlement from A that they're some special snowflake who should be able to demand free time and attention from anyone on the Internet that they feel like pestering does not make it right for them to do so. If I need to talk to someone in person at a party and they don't know me, I might go up, cough discreetly, wait for them to acknowledge and ask me what's up, then chat and see how things go from there. I don't go up and interrupt what they're doing and shout in their face that they must drop everything and help me out Right Now. Not unless lives are on the line and to date, I've been fortunate that they never have been. It's called good manners. -Phil -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 996 bytes Desc: Digital signature URL: From gnupg-users at spodhuis.org Wed May 31 03:43:30 2017 
From: gnupg-users at spodhuis.org (Phil Pennock) Date: Tue, 30 May 2017 21:43:30 -0400 Subject: Obtaining sig2 and sig3 signatures In-Reply-To: References: Message-ID: <20170531014330.GA82870@tower.spodhuis.org> On 2017-05-30 at 21:25 +0200, Stefan Claas wrote: > Let's assume we would exchange signed emails (PGP/SMIME) would these proofs > be enough for you to warrant a sig2? And for a sig3 an additional video > conference? No. A public signature is an attestation to others of identity. If it's based on the same data visible to others, then it adds nothing. If there's really a strong case for such signatures to matter, then someone running an auditable auto-signing bot-service using one PGP key, with published rules and logs, _might_ be worthwhile. Instead, those proofs might well be enough for me to make a non-exportable signature for my local keyring (GnuPG --lsign-key). I have several local signatures, backed up locally, for stuff where I've decided that a key not in the strong set is "probably good" based on a balance of evidence such as you describe. It's unfortunate really that the default is to make public attestations, telling the world "trust me, this key belongs to this person" instead of locally useful data and then, only once someone knows what they're doing, offering them the option to act as a Notary Public (German "Nurnotar" ?) if they so choose. -Phil From stefan.claas at posteo.de Wed May 31 11:31:05 2017 
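Added example (not part of any message in this archive): a small audit of what the certifications on a key disclose, covering both the sig0..sig3 levels discussed by Daniel Kahn Gillmor and Damien Goutte-Gattat and the local versus exportable distinction Phil Pennock raises. It reads `gpg --with-colons --list-sigs` output, where field 11 of a sig record is the two-digit hex signature class followed by "x" (exportable) or "l" (local); the key IDs, names and the sample listing are constructed.

```python
from dataclasses import dataclass

# RFC 4880 certification signature types and the level gpg shows for them.
CERT_LEVELS = {0x10: 0, 0x11: 1, 0x12: 2, 0x13: 3}


@dataclass
class Certification:
    key_id: str       # primary key that carries the user ID
    user_id: str      # user ID the certification is on
    signer_id: str    # key ID of the certifier
    level: int        # 0 generic, 1 persona, 2 casual, 3 positive
    exportable: bool  # False for a local (--lsign-key) signature
    self_sig: bool    # made by the key itself


def parse_certifications(colon_text):
    """Extract user-ID certifications from --with-colons --list-sigs text."""
    certs = []
    key_id = user_id = None
    for line in colon_text.splitlines():
        f = line.split(":")
        rec = f[0]
        if rec == "pub" and len(f) > 4:
            key_id, user_id = f[4], None
        elif rec == "uid" and len(f) > 9:
            user_id = f[9]
        elif rec in ("sub", "uat"):
            user_id = None  # signatures that follow are not on a user ID
        elif rec == "sig" and key_id and user_id is not None and len(f) > 10:
            sig_class = f[10]
            if len(sig_class) != 3 or sig_class[2] not in "xl":
                continue
            try:
                sig_type = int(sig_class[:2], 16)
            except ValueError:
                continue
            if sig_type not in CERT_LEVELS:
                continue  # not a certification (binding, revocation, ...)
            certs.append(Certification(
                key_id=key_id, user_id=user_id, signer_id=f[4],
                level=CERT_LEVELS[sig_type],
                exportable=sig_class[2] == "x",
                self_sig=f[4] == key_id))
    return certs


def review(certs):
    """Group third-party certifications by how much they publish."""
    report = {"public_leveled": [], "public_generic": [], "local_only": []}
    for c in certs:
        if c.self_sig:
            continue  # a level on a self-signature says nothing about others
        if not c.exportable:
            report["local_only"].append(c)
        elif c.level:
            report["public_leveled"].append(c)
        else:
            report["public_generic"].append(c)
    return report


# Constructed listing: a self-signature, a generic certification, a public
# sig3 from a CA-style signer, a local sig2, and a subkey binding signature.
SAMPLE = """
pub:u:2048:1:AAAAAAAAAAAAAAAA:1495756800:1621987200::u:::scESC:
uid:u::::1495756800::0000::Alice Example <alice@example.org>:
sig:::1:AAAAAAAAAAAAAAAA:1495756800::::Alice Example <alice@example.org>:13x:
sig:::1:BBBBBBBBBBBBBBBB:1495843200::::Bob Example <bob@example.org>:10x:
sig:::1:CCCCCCCCCCCCCCCC:1495929600::::Example CA <ca@example.org>:13x:
sig:::1:DDDDDDDDDDDDDDDD:1496016000::::Dave Example <dave@example.org>:12l:
sub:u:2048:1:EEEEEEEEEEEEEEEE:1495756800:1621987200:::::e:
sig:::1:AAAAAAAAAAAAAAAA:1495756800::::Alice Example <alice@example.org>:18x:
""".strip()

if __name__ == "__main__":
    for group, items in review(parse_certifications(SAMPLE)).items():
        for c in items:
            print(group, c.signer_id, "level", c.level)
```

The "public_leveled" group is the set of exportable sig1 to sig3 certifications from other keys, the ones whose level depends on each signer's own policy.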
From: stefan.claas at posteo.de (Stefan Claas) Date: Wed, 31 May 2017 11:31:05 +0200 Subject: Obtaining sig2 and sig3 signatures In-Reply-To: <874lw2kpet.fsf@fifthhorseman.net> References: <874lw2kpet.fsf@fifthhorseman.net> Message-ID: <58f731b1-e5ce-917a-ece6-dd039be05dd5@posteo.de> > I don't recommend that anyone make a sig1, sig2, or sig3 for any > third-party certification (sig3 is fine for self-signatures, where the > keyholder asserts their own identity). > > sig0 -- the default, generic certification -- is fine, does what people > need of it, and doesn't intentionally leak any more of the social graph > than it needs to. > Thank you! I will keep that in mind in case i sign somebody else's public key. Regards Stefan From stefan.claas at posteo.de Wed May 31 11:54:10 2017 From: stefan.claas at posteo.de (Stefan Claas) Date: Wed, 31 May 2017 11:54:10 +0200 Subject: Obtaining sig2 and sig3 signatures In-Reply-To: References: Message-ID: <632e8feb-5818-96e9-d190-a11c28ac2ecd@posteo.de> Am 31.05.2017 um 01:22 schrieb Damien Goutte-Gattat: > Hi, > > On 05/30/2017 09:25 PM, Stefan Claas wrote: >> The classical procedure would be to sign a key with a sig3 after seeing >> the persons id-card in a real meeting. But who guarantees that the >> id-card is not fake (if the person is a complete stranger)? > > Well, no one. You rely on the ability of the signer to distinguish > between a real ID-card and a fake ID-card. Of course, not everyone can > spot a well-crafted fake ID (I certainly cannot). I cannot either, and that's why i like the mentioned german Governikus CA. To obtain a sig3 from them it requires that you authenticate online with you id-card, an id-card reader and the german AusweisApp2 software. Regards Stefan From stefan.claas at posteo.de Wed May 31 12:00:25 2017 
From: stefan.claas at posteo.de (Stefan Claas) Date: Wed, 31 May 2017 12:00:25 +0200 Subject: Obtaining sig2 and sig3 signatures In-Reply-To: <20170531014330.GA82870@tower.spodhuis.org> References: <20170531014330.GA82870@tower.spodhuis.org> Message-ID: <32c01e04-b6e0-b7a8-5fc9-8e7dfcf8bd2a@posteo.de> Am 31.05.2017 um 03:43 schrieb Phil Pennock: > It's unfortunate really that the default is to make public attestations, > telling the world "trust me, this key belongs to this person" instead of > locally useful data and then, only once someone knows what they're > doing, offering them the option to act as a Notary Public > (German "Nurnotar" ?) if they so choose. > > Agreed. Regards Stefan From daniel at pocock.pro Wed May 31 12:18:17 2017 From: daniel at pocock.pro (Daniel Pocock) Date: Wed, 31 May 2017 12:18:17 +0200 Subject: PGP for official documents / eIDAS and ZertES In-Reply-To: References: <065c726e-7922-0352-938a-bf2aa274d390@pocock.pro> Message-ID: <7a6ff952-835b-9a30-5176-1e06cebb4783@pocock.pro> On 30/05/17 22:17, Stefan Claas wrote: > > > On 30.05.17 08:05, Daniel Pocock wrote: >> >> Does anybody know of certificate authorities who are willing to sign PGP >> keys or has anybody ever looked into making that happen? > Hi Daniel, > > please check those two links: > > https://pgp.governikus-eid.de/pgp/ > https://www.heise.de/security/dienste/PGP-Schluessel-der-c-t-CA-473386.html > Hi Stefan, Thanks for sharing these. Unfortunately my German skills are not great, could you make any comment about those companies? In particular, - does a signature from either of these comply with eIDAS (and therefore ZertES)? - what effort is required to get the signature (e.g. somebody must come to Germany?) Regards, Daniel From stefan.claas at posteo.de Wed May 31 12:46:28 2017 
From: stefan.claas at posteo.de (Stefan Claas) Date: Wed, 31 May 2017 12:46:28 +0200 Subject: PGP for official documents / eIDAS and ZertES In-Reply-To: <7a6ff952-835b-9a30-5176-1e06cebb4783@pocock.pro> References: <065c726e-7922-0352-938a-bf2aa274d390@pocock.pro> <7a6ff952-835b-9a30-5176-1e06cebb4783@pocock.pro> Message-ID: <1db3339f-7b71-8279-3330-b45c99b7f65c@posteo.de> Am 31.05.2017 um 12:18 schrieb Daniel Pocock: > > Hi Stefan, > > Thanks for sharing these. Unfortunately my German skills are not great, > could you make any comment about those companies? > > In particular, > > - does a signature from either of these comply with eIDAS (and therefore > ZertES)? > > - what effort is required to get the signature (e.g. somebody must come > to Germany?) > > Regards, > > Daniel > Hi Daniel, i'm not (yet) familar with eIDAS and can't answer that question. For your second question. To obtain a sig3 from Governikus you need a german id-card an id-card card reader and the software AusweisApp2. For a sig3 from the well known CT Magazin in Germany you have to show up at their booth (like CeBit Fair, Hannover Fair or Funkaustellung in Berlin) with your id-card and a filled out form (downloadable at their web site) Regards Stefan From rainer at hoerbe.at Wed May 31 13:54:50 2017 
From: rainer at hoerbe.at (Rainer Hoerbe)
Date: Wed, 31 May 2017 13:54:50 +0200
Subject: PGP for official documents / eIDAS and ZertES
In-Reply-To: <1db3339f-7b71-8279-3330-b45c99b7f65c@posteo.de>
References: <065c726e-7922-0352-938a-bf2aa274d390@pocock.pro> <7a6ff952-835b-9a30-5176-1e06cebb4783@pocock.pro> <1db3339f-7b71-8279-3330-b45c99b7f65c@posteo.de>
Message-ID: <98C1E414-7CE6-4EFC-BF70-B9106D0F182A@hoerbe.at>

Hi Daniel,

The eIDAS regulation is replacing the national e-signature laws to make
signatures (besides other things) interoperable across borders.
While the law is fairly technology-neutral, the implementation acts have
to reference specific technologies, which are CMS, PDF- and XML
signature, but not PGP-signature.

Beyond that, even if the EU would include PGP signatures, the technical
interoperability would just be the beginning. There are quite heavy
legal and organization layers on top of the technology that assure
security levels, notification (mutual acceptance) and cooperation
procedures. IMHU none of these exist in the PGP world.

- Rainer

> On 31.05.2017 at 12:46, Stefan Claas wrote:
>
>
>
> On 31.05.2017 at 12:18, Daniel Pocock wrote:
>>
>> Hi Stefan,
>>
>> Thanks for sharing these. Unfortunately my German skills are not great,
>> could you make any comment about those companies?
>>
>> In particular,
>>
>> - does a signature from either of these comply with eIDAS (and therefore
>> ZertES)?
>>
>> - what effort is required to get the signature (e.g. somebody must come
>> to Germany?)
>>
>> Regards,
>>
>> Daniel
>>
> Hi Daniel,
>
> I'm not (yet) familiar with eIDAS and can't answer that question.
>
> For your second question. To obtain a sig3 from Governikus you need
> a German id-card, an id-card card reader and the software AusweisApp2.
>
> For a sig3 from the well known CT Magazin in Germany you have to show
> up at their booth (like CeBit Fair, Hannover Fair or Funkausstellung in
> Berlin) with your id-card and a filled out form (downloadable at their
> web site)
>
> Regards
> Stefan

From dkg at fifthhorseman.net Wed May 31 15:05:00 2017
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 31 May 2017 09:05:00 -0400
Subject: Obtaining sig2 and sig3 signatures
In-Reply-To: <32c01e04-b6e0-b7a8-5fc9-8e7dfcf8bd2a@posteo.de>
References: <20170531014330.GA82870@tower.spodhuis.org> <32c01e04-b6e0-b7a8-5fc9-8e7dfcf8bd2a@posteo.de>
Message-ID: <8760ghjhxf.fsf@fifthhorseman.net>

On Wed 2017-05-31 12:00:25 +0200, Stefan Claas wrote:
> On 31.05.2017 at 03:43, Phil Pennock wrote:
>> It's unfortunate really that the default is to make public attestations,
>> telling the world "trust me, this key belongs to this person" instead of
>> locally useful data and then, only once someone knows what they're
>> doing, offering them the option to act as a Notary Public
>> (German "Nurnotar" ?) if they so choose.
>
> Agreed.

also agreed. I'd love to see someone spec out how to encourage the use
of this more sensible workflow.

--dkg

From daniel at pocock.pro Wed May 31 15:14:19 2017
From: daniel at pocock.pro (Daniel Pocock)
Date: Wed, 31 May 2017 15:14:19 +0200
Subject: PGP for official documents / eIDAS and ZertES
In-Reply-To: <98C1E414-7CE6-4EFC-BF70-B9106D0F182A@hoerbe.at>
References: <065c726e-7922-0352-938a-bf2aa274d390@pocock.pro> <7a6ff952-835b-9a30-5176-1e06cebb4783@pocock.pro> <1db3339f-7b71-8279-3330-b45c99b7f65c@posteo.de> <98C1E414-7CE6-4EFC-BF70-B9106D0F182A@hoerbe.at>
Message-ID:

On 31/05/17 13:54, Rainer Hoerbe wrote:
> Hi Daniel,
>
> The eIDAS regulation is replacing the national e-signature laws to make
> signatures (besides other things) interoperable across borders.
> While the law is fairly technology-neutral, the implementation acts have
> to reference specific technologies, which are CMS, PDF- and XML
> signature, but not PGP-signature.
>

Are the CMS, PDF or XML standards flexible enough that a PGP signature
could be used within any of them and thereby satisfy the legislation?
Or could any of those standards potentially be amended/extended to allow
use of PGP signatures?

> Beyond that, even if the EU would include PGP signatures, the technical
> interoperability would just be the beginning. There are quite heavy
> legal and organization layers on top of the technology that assure
> security levels, notification (mutual acceptance) and cooperation
> procedures. IMHU none of these exist in the PGP world.
>

Thanks for the feedback about that. Are all users likely to depend on
all of those things, or is it possible that a PGP signature would be
sufficient in some use cases?

In Switzerland, a number of state organizations are now accepting
digital signatures and the Swiss Post is promoting a ZertES/eIDAS
compliant solution, SuisseID. However, the price[1] is quite expensive
and even people who know nothing about PKI look at it and think it is a
rip-off (Deutsch: ein teurer Flop[2]) and start looking for
alternatives. Many organizations are afraid to fully depend on it,
especially when dealing with consumers.
It would be good to see PGP-based solutions grabbing market share before
things like SuisseID eventually gain traction.

Does eIDAS require people to obtain their smart card or certificate in
the country where they reside? Or will they potentially be able to shop
around, e.g. a Swiss person would be able to go to a German or French
post office and get a cheaper alternative?

Regards,

Daniel

1. https://postsuisseid.ch/en/
2. https://www.srf.ch/sendungen/kassensturz-espresso/themen/geld/suisseid-mehr-als-ein-teurer-flop

From lionel at mamane.lu Wed May 31 14:52:09 2017
From: lionel at mamane.lu (Lionel Elie Mamane)
Date: Wed, 31 May 2017 14:52:09 +0200
Subject: Certification-only key
In-Reply-To: <4CAA129E.6080105@dougbarton.us>
References: <20050905144140.GA27381@tofu.mamane.lu> <20050905174607.GB1750@jabberwocky.com> <20050905193550.GB2713@tofu.mamane.lu> <20050905204646.GC1750@jabberwocky.com> <20050905230300.GB7834@tofu.mamane.lu> <20101004152225.GA15991@capsaicin.mamane.lu> <4CAA129E.6080105@dougbarton.us>
Message-ID: <20170531125209.ynfowhtxyfwujw2u@capsaicin.mamane.lu>

On Mon, Oct 04, 2010 at 10:45:02AM -0700, Doug Barton wrote:
> On 10/4/2010 8:22 AM, Lionel Elie Mamane wrote:
>> Also, when my signature subkey expires, it would (I guess) silently
>> start using the primary. Which makes me _very_ happy I chose to make
>> my primary certification-only, because signatures started to fail
>> instead, which gave me notice and allowed me to issue a new signature
>> subkey:)
> Why did you choose to make your signature subkey expire, and why
> would you not simply extend the expiration date of the existing key
> rather than create a new one?

Right to be forgotten. The signatures I made a long time ago were made
by a different person, although there is a continuity between the
two.

--
Lionel

From peter at digitalbrains.com Wed May 31 17:42:10 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Wed, 31 May 2017 17:42:10 +0200
Subject: Certification-only key
In-Reply-To: <20170531125209.ynfowhtxyfwujw2u@capsaicin.mamane.lu>
References: <20050905144140.GA27381@tofu.mamane.lu> <20050905174607.GB1750@jabberwocky.com> <20050905193550.GB2713@tofu.mamane.lu> <20050905204646.GC1750@jabberwocky.com> <20050905230300.GB7834@tofu.mamane.lu> <20101004152225.GA15991@capsaicin.mamane.lu> <4CAA129E.6080105@dougbarton.us> <20170531125209.ynfowhtxyfwujw2u@capsaicin.mamane.lu>
Message-ID: <04ec37f5-99a2-8fe6-35bc-d89b6c22a872@digitalbrains.com>

On 31/05/17 14:52, Lionel Elie Mamane wrote:
> Right to be forgotten. The signatures I made a long time ago were made
> by a different person, although there is a continuity between the
> two.

Talking about not forgetting, you answered after seven years?! :-D

I don't think expiring a signing subkey will make anyone forget
anything. Keyservers are append-only, so the expired subkey stays there,
and many of your peers will also not scrub their keyrings and remove
expired subkeys. Those that do might still keep signing subkeys so they
can still now and in the future verify stuff you signed before it
expired. Expired encryption subkeys don't serve a purpose for your peers
anymore, I think, people who like cleaning up might remove those.

As far as I am aware, the only thing that happens when a signing subkey
expires, is that signatures which have an issuing time after the expiry
are flagged as BAD. All signatures made before the key expired will
still show up as valid signatures by you and your certificate.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at
From ryru at addere.ch Wed May 31 18:18:56 2017
From: ryru at addere.ch (Ryru)
Date: Wed, 31 May 2017 18:18:56 +0200
Subject: Errors at ECC key generation in non-interactive mode
Message-ID: <418c3195-b44f-ef27-9ac9-be664241b559@addere.ch>

Hi List

I get these errors while trying to create a new ECC key:

$ gpg --batch --gen-key Desktop/params-ecc.txt
gpg: key ABCDEFABCDEFABCD marked as ultimately trusted
gpg: error reading rest of packet: Invalid argument
gpg: error reading rest of packet: Invalid argument
gpg: can't encode a 256 bit MD into a 88 bits frame, algo=8
gpg: can't encode a 256 bit MD into a 88 bits frame, algo=8
gpg: revocation certificate stored as '~/.gnupg/openpgp-revocs.d/ABCDEFABCDEFABCD.rev'

My parameters are:

$ cat params-ecc.txt
Key-Type: EdDSA
Key-Curve: Curve25519
Key-Length: 256
Subkey-Type: ECC
Subkey-Curve: Curve25519
Subkey-Length: 256
Name-Real:
Name-Comment:
Name-Email:
Passphrase:
Preferences: S9 S13 S8 S12 S7 S11 S10 H10 H9 H8 Z3 Z2 Z1
%commit

gnupg creates a key though, but I could not find any hints regarding the
errors. Do I use wrong parameters?

Thanks and regards
Pascal

From rainer at hoerbe.at Wed May 31 20:55:59 2017
From: rainer at hoerbe.at (Rainer Hoerbe)
Date: Wed, 31 May 2017 20:55:59 +0200
Subject: PGP for official documents / eIDAS and ZertES
In-Reply-To:
References: <065c726e-7922-0352-938a-bf2aa274d390@pocock.pro> <7a6ff952-835b-9a30-5176-1e06cebb4783@pocock.pro> <1db3339f-7b71-8279-3330-b45c99b7f65c@posteo.de> <98C1E414-7CE6-4EFC-BF70-B9106D0F182A@hoerbe.at>
Message-ID: <433C026E-310E-4CB6-95EC-A7A075E8943F@hoerbe.at>

> On 31.05.2017 at 15:14, Daniel Pocock wrote:
>
> Are the CMS, PDF or XML standards flexible enough that a PGP signature
> could be used within any of them and thereby satisfy the legislation?
> Or could any of those standards potentially be amended/extended to allow
> use of PGP signatures?

CMS and PGP signatures are similar in concept, but incompatible.
GPG-signatures could be added to xmldsig quite easily, but implementing
this securely in different libraries would be a major undertaking. In
addition, the WoT model is not compatible with the PKI + Trust Status
Lists of eIDAS, although one could bridge the models, somehow.

> Thanks for the feedback about that. Are all users likely to depend on
> all of those things, or is it possible that a PGP signature would be
> sufficient in some use cases?
>
> In Switzerland, a number of state organizations are now accepting
> digital signatures and the Swiss Post is promoting a ZertES/eIDAS
> compliant solution, SuisseID. However, the price[1] is quite expensive
> and even people who know nothing about PKI look at it and think it is a
> rip-off (Deutsch: ein teurer Flop[2]) and start looking for
> alternatives. Many organizations are afraid to fully depend on it,
> especially when dealing with consumers.
>
> It would be good to see PGP-based solutions grabbing market share before
> things like SuisseID eventually gain traction.

PGP is sufficient - I would say even better and more secure - in use
cases where a small community leverages a trust relationship from the
physical world.
An example are CERT-employees or Federation Operators who know each
other directly or with usually one intermediary from conferences and
meetings, and are technically versed enough to overcome the learning
curve. eIDAS has a very different scope, trying to make electronic
identities of all EU citizens trustworthy between member states.

It is hard to judge if SuisseID is expensive or not. With support and
integration a price range of 50€/year is what enterprises pay for an
employee smartcard. But I guess that even "expensive" cards like nPA and
SuisseID are somehow subsidized by the taxpayer. We will probably know
only in hindsight if it was worth the investment from a macroeconomic
point of view.

PGP might grab significant market shares inside specific domains, where
its poor usability does not matter or is covered by scripts and shells.
However, as a competitor to eIDAS it would need a massive investment and
industry + government support.

>
> Does eIDAS require people to obtain their smart card or certificate in
> the country where they reside? Or will they potentially be able to shop
> around, e.g. a Swiss person would be able to go to a German or French
> post office and get a cheaper alternative?

Not cheap, because the vetting of persons against public registers
requires administrative procedures. AFAIK only Estonia is offering such
a service as of now, called the e-Residency program.

- Rainer

From ankostis at gmail.com Wed May 31 19:34:17 2017
From: ankostis at gmail.com (ankostis)
Date: Wed, 31 May 2017 19:34:17 +0200
Subject: PGP for official documents / eIDAS and ZertES
In-Reply-To:
References: <065c726e-7922-0352-938a-bf2aa274d390@pocock.pro> <7a6ff952-835b-9a30-5176-1e06cebb4783@pocock.pro> <1db3339f-7b71-8279-3330-b45c99b7f65c@posteo.de> <98C1E414-7CE6-4EFC-BF70-B9106D0F182A@hoerbe.at>
Message-ID:

On 31 May 2017 at 15:14, Daniel Pocock wrote:
>
> Are the CMS, PDF or XML standards flexible enough that a PGP signature
> could be used within any of them and thereby satisfy the legislation?

IANAL, but I would agree with Rainer that the implementing acts are not
technology-neutral.

More detailed, from the three standards supported, only the last one,
XML-sig, supports PGP:
https://www.w3.org/TR/xmldsig-core/#sec-PGPData

> > There are quite heavy
> > legal and organization layers on top of the technology that assure
> > security levels, notification (mutual acceptance) and cooperation
> > procedures.

Regarding organizational issues, there is nothing in eIDAS *in
principle* that forbids a company to use XML-sig with PGP. But it would
be interesting how the "national authorities" would react in practice,
should they receive such a request from a company. If it would work, for
certain, these 2 German companies would have a head-start.

> Thanks for the feedback about that. Are all users likely to depend on
> all of those things, or is it possible that a PGP signature would be
> sufficient in some use cases?

Check also the "closed systems" exception in the eIDAS regulation.
Search the legal-text for this term (e.g. Art 2.2) to get a rough
understanding of this.
http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32014R0910&from=EN

Finally, I believe that a crucial point is whether the interpretation of
"assurance levels" can also apply to PGP, and Art 16 hints that it does.
This may be the twisting-arm power for PGP to come on board eIDAS.
Thanks for bringing this subject up,
Kostis

From dkg at fifthhorseman.net Wed May 31 21:47:08 2017
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 31 May 2017 15:47:08 -0400
Subject: Errors at ECC key generation in non-interactive mode
In-Reply-To: <418c3195-b44f-ef27-9ac9-be664241b559@addere.ch>
References: <418c3195-b44f-ef27-9ac9-be664241b559@addere.ch>
Message-ID: <87lgpcizb7.fsf@fifthhorseman.net>

Hi Ryru--

On Wed 2017-05-31 18:18:56 +0200, Ryru wrote:
> I get these errors while trying to create a new ECC key:
>
> $ gpg --batch --gen-key Desktop/params-ecc.txt
> gpg: key ABCDEFABCDEFABCD marked as ultimately trusted
> gpg: error reading rest of packet: Invalid argument
> gpg: error reading rest of packet: Invalid argument
> gpg: can't encode a 256 bit MD into a 88 bits frame, algo=8
> gpg: can't encode a 256 bit MD into a 88 bits frame, algo=8
> gpg: revocation certificate stored as
> '~/.gnupg/openpgp-revocs.d/ABCDEFABCDEFABCD.rev'
>
> My parameters are:
>
> $ cat params-ecc.txt
> Key-Type: EdDSA
> Key-Curve: Curve25519
> Key-Length: 256
> Subkey-Type: ECC
> Subkey-Curve: Curve25519
> Subkey-Length: 256
> Name-Real:
> Name-Comment:
> Name-Email:
> Passphrase:
> Preferences: S9 S13 S8 S12 S7 S11 S10 H10 H9 H8 Z3 Z2 Z1
> %commit

do you see the same error messages when you use the more modern --quick
command-line syntax?

fpr=$(gpg --with-colons --quick-gen-key "Test user " ed25519 | awk -F: '/^fpr:/{ print $10 }')
gpg --quick-add-key $fpr cv25519

what version of gpg are you running when you see those warnings?

--dkg

From ryru at addere.ch Wed May 31 22:15:56 2017
From: ryru at addere.ch (Ryru)
Date: Wed, 31 May 2017 22:15:56 +0200
Subject: Errors at ECC key generation in non-interactive mode
In-Reply-To: <87lgpcizb7.fsf@fifthhorseman.net>
References: <418c3195-b44f-ef27-9ac9-be664241b559@addere.ch> <87lgpcizb7.fsf@fifthhorseman.net>
Message-ID:

Hi Daniel,

On 31.05.2017 21:47, Daniel Kahn Gillmor wrote:
> do you see the same error messages when you use the more modern --quick
> command-line syntax?

I was not aware of this syntax style. Thank you.

fpr=$(gpg --with-colons --quick-gen-key "Test user " ed25519 | awk -F: '/^fpr:/{ print $10 }')

This immediately runs gpg and asks for a password and creates an EdDSA
signing key without any errors.

> what version of gpg are you running when you see those warnings?

I run GnuPG 2.1.15 on Ubuntu 17.04.

It is also possible to create an ECC keypair with

gpg --expert --full-gen-key

without any errors. I just would prefer to have a parameter file for
later/future use.

Thank you.
Pascal
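
Added example, not part of the thread and not GnuPG's own code: a shell/awk lint for unattended key generation parameter files that flags 25519 algorithm/curve pairs that do not belong together, such as an EdDSA key type on the ECDH curve. It assumes GnuPG treats "Curve25519" as another name for cv25519; the function names and both sample files are constructed for illustration, and the thread itself does not establish the cause of the errors.

```shell
#!/bin/sh
# Added example (not from the thread): lint a GnuPG unattended key generation
# parameter file for 25519 algorithm/curve pairs that do not belong together.
# Assumption: "Curve25519" and "cv25519" both name the ECDH curve, while
# "ed25519" names the EdDSA curve, as in the --quick commands quoted above.

# lint_gpg_params FILE: print one finding per line; return 1 on any finding.
lint_gpg_params() {
    awk '
    function trim(s) { gsub(/^[ \t]+/, "", s); gsub(/[ \t\r]+$/, "", s); return s }
    function report(msg) { printf "block %d: %s\n", block, msg; bad = 1 }
    function check(role, algo, curve) {
        # Only eddsa, ecdsa and ecdh are judged; other names pass through.
        if (algo != "eddsa" && algo != "ecdsa" && algo != "ecdh") return
        if (curve == "")
            report(role "-Type " algo " has no " role "-Curve")
        else if (algo == "eddsa" && (curve == "cv25519" || curve == "curve25519"))
            report(role "-Type eddsa with ECDH curve " curve)
        else if (algo != "eddsa" && curve == "ed25519")
            report(role "-Type " algo " with EdDSA curve ed25519")
    }
    function finish() {
        if (!seen) return
        check("Key", p["key-type"], p["key-curve"])
        check("Subkey", p["subkey-type"], p["subkey-curve"])
        split("", p); seen = 0
    }
    /^[ \t]*#/    { next }                       # comment lines
    /^[ \t\r]*$/  { next }                       # blank lines
    /^[ \t]*%/ {                                 # control statements
        if (tolower(trim($0)) == "%commit") finish()
        next
    }
    {
        i = index($0, ":"); if (i == 0) next
        k = tolower(trim(substr($0, 1, i - 1)))
        v = tolower(trim(substr($0, i + 1)))
        if (k == "key-type") { finish(); block++ }   # Key-Type opens a block
        p[k] = v; seen = 1
    }
    END { finish(); exit (bad ? 1 : 0) }
    ' "$1"
}

# Two constructed sample files: the type/curve lines as posted in the thread,
# and the same layout with the curve names from the --quick commands.
lint_demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'Key-Type: EdDSA' 'Key-Curve: Curve25519' \
        'Subkey-Type: ECC' 'Subkey-Curve: Curve25519' \
        'Name-Real: Test user' '%commit' > "$dir/posted.txt"
    printf '%s\n' 'Key-Type: eddsa' 'Key-Curve: ed25519' 'Key-Usage: sign' \
        'Subkey-Type: ecdh' 'Subkey-Curve: cv25519' 'Subkey-Usage: encrypt' \
        'Name-Real: Test user' '%commit' > "$dir/paired.txt"
    for f in posted paired; do
        echo "== $f.txt"
        lint_gpg_params "$dir/$f.txt" && echo "no findings"
    done
    rm -rf "$dir"
}

lint_demo
```

The lint only reads the file and never calls gpg, so it can run before a parameter file is handed to `gpg --batch --gen-key`. The generic type name ECC used for the subkey in the posted file is deliberately not judged.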